I'm experienced with setting up IPsec VPN connections from AWS to on-prem firewalls, but I've never set up an IPsec VPN connection between two AWS accounts for different customers. Is my understanding correct that the initial setup will require one side to configure a placeholder customer gateway, and then after creating the VPN, they'll need to share one of the external IPs with the other customer for their own config? After that, should the second customer provide one of their tunnel's external IPs to the first customer to create a new customer gateway, along with updating the CIDR range, BGP ASN, and pre-shared key accordingly?
3 Answers
Are you asking about a Client VPN or a Site-to-Site VPN here? It seems like you’re referring to Site-to-Site, connecting different customer VPCs, but just wanted to clarify!
Your approach sounds spot on! You can indeed set up Site-to-Site VPNs directly between two AWS accounts and bring one tunnel up. A couple of things to remember:
- You can only use static routing since BGP won’t work between AWS endpoints (it’ll always prefer the lower IP in the 169.254 range).
- Just one tunnel can be live at a time due to the single IP limitation for a customer gateway resource. To add redundancy, you might need to set up two more VPNs.
- It's best to use IKEv2 and ensure the startup action is set on one side; either can be set to start without an issue.
- Make sure the pre-shared key is the same on both ends, and consider keeping the local and remote CIDR to 0.0.0.0/0 initially for simplicity.
- Also, ensure that all other parameters match on both sides!
Using a Virtual Private Gateway is a great option since it's free, and setting static routes in the VPNs can help you manage traffic more efficiently.
It may not be the ideal way to link two VPCs, but it works for special requirements like this!
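As an added check, not code from this thread: a small Python script that compares both accounts' halves of the VPN against the points in the answer above (static routing only, same pre-shared key, a start action on at least one side, mirrored local/remote CIDRs, identical proposals, and each customer gateway pointing at a real outside IP of the other VPN). It assumes dicts shaped like boto3's `describe_vpn_connections` / `describe_customer_gateways` output (an assumption); the addresses and key below are constructed.

```python
# Per-tunnel settings that must be identical on both peers; list values are compared as sets.
MUST_MATCH = ("IkeVersions", "Phase1EncryptionAlgorithms", "Phase2EncryptionAlgorithms",
              "Phase1DHGroupNumbers", "Phase2DHGroupNumbers", "Phase1LifetimeSeconds", "DpdTimeoutSeconds")

def _norm(v):
    """Flatten [{'Value': x}, ...] into a frozenset so proposal order does not matter."""
    return frozenset(d["Value"] for d in v) if isinstance(v, list) else v

def _tunnel_facing(vpn, cgw_ip):
    """Tunnel of `vpn` whose outside IP the other account's customer gateway was built with."""
    return next((t for t in vpn["Options"]["TunnelOptions"] if t["OutsideIpAddress"] == cgw_ip), None)

def check_pair(a, b):
    """Return problems for two sides, each {'vpn': <VpnConnection>, 'cgw': <CustomerGateway>}."""
    problems = [f"{n}: StaticRoutesOnly must be true (BGP will not come up between AWS endpoints)"
                for n, s in (("A", a), ("B", b)) if not s["vpn"]["Options"].get("StaticRoutesOnly")]
    ta = _tunnel_facing(a["vpn"], b["cgw"]["IpAddress"])  # B's CGW must name one of A's outside IPs
    tb = _tunnel_facing(b["vpn"], a["cgw"]["IpAddress"])  # and A's CGW one of B's
    if ta is None or tb is None:
        return problems + ["customer gateway IP matches no tunnel outside IP on the other side"]
    if ta["PreSharedKey"] != tb["PreSharedKey"]:
        problems.append("pre-shared key differs between the paired tunnels")
    if "start" not in (ta.get("StartupAction"), tb.get("StartupAction")):
        problems.append("neither side has StartupAction=start, so nobody initiates IKE")
    if "ikev2" not in _norm(ta.get("IkeVersions", [])):
        problems.append("IKEv2 is not enabled")
    oa, ob = a["vpn"]["Options"], b["vpn"]["Options"]
    if (oa["LocalIpv4NetworkCidr"], oa["RemoteIpv4NetworkCidr"]) != (ob["RemoteIpv4NetworkCidr"], ob["LocalIpv4NetworkCidr"]):
        problems.append("local/remote CIDRs are not mirror images of each other")
    problems += [f"{k} differs between the paired tunnels" for k in MUST_MATCH if _norm(ta.get(k)) != _norm(tb.get(k))]
    return problems

def _side(outside_ip, cgw_ip, psk, startup, local, remote, dh=14):
    """Build one constructed side: the VPN in this account plus the CGW that points at the peer."""
    tunnel = {"OutsideIpAddress": outside_ip, "PreSharedKey": psk, "StartupAction": startup,
              "IkeVersions": [{"Value": "ikev2"}], "Phase1DHGroupNumbers": [{"Value": dh}]}
    return {"vpn": {"Options": {"StaticRoutesOnly": True, "LocalIpv4NetworkCidr": local,
                                "RemoteIpv4NetworkCidr": remote, "TunnelOptions": [tunnel]}},
            "cgw": {"IpAddress": cgw_ip}}

# Constructed documentation addresses, not real endpoints: each account's CGW holds the other's outside IP.
GOOD = (_side("203.0.113.10", "198.51.100.20", "psk-example", "start", "0.0.0.0/0", "0.0.0.0/0"),
        _side("198.51.100.20", "203.0.113.10", "psk-example", "add", "0.0.0.0/0", "0.0.0.0/0"))
BAD = (_side("203.0.113.10", "198.51.100.20", "psk-example", "add", "10.1.0.0/16", "10.2.0.0/16"),
       _side("198.51.100.20", "203.0.113.10", "psk-other", "add", "10.1.0.0/16", "10.2.0.0/16", dh=2))

if __name__ == "__main__":
    for label, pair in (("good", GOOD), ("bad", BAD)):
        print(label, check_pair(*pair) or "OK")
```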
Thanks, that clarifies a lot! I was concerned about BGP, so it's good to know it won’t be an issue. I figured using two customer gateways wouldn't work, so I appreciate the confirmation. I’ll definitely check out if VPC peering is an option for us; if not, I’ll stick with Site-to-Site.
If you're looking for a smoother setup, consider using a Transit Gateway! It enables encryption and faster connections than traditional Site-to-Site VPNs. For cross-region needs, Transit Gateway Peering is a strong option. Just keep in mind that you'll need to set different CIDRs to get the routing right on both sides. Plus, you could attach an AWS Firewall to the TGW for packet inspection if required!

Yes, it's definitely Site-to-Site, connecting one VPC from one customer to another customer's VPC.