How can two AWS VPCs using the same Customer Gateway for a VPN connection


In VPC, the external IP addresses of one of "your" virtual private gateways and one of "my" virtual private gateways could be the same -- the virtual private gateway (vgw) is the AWS side of the VPN connection, and has two public IP addresses. As long as your customer gateway and mine have different addresses, that's a unique source/destination address pair, so it works fine with IPSec, for my traffic and yours to hit the same AWS device on the same external IP.

But later, if we were trying to connect my customer gateway to your VPC, and your VPC's virtual gateway had the same external IP address as my VPC's external IP address, that wouldn't work, because the source address and destination address for two VPN connections would be the same.

Apparently, VPC can't handle this exception automatically, because at the time we give it the customer gateway address, the virtual private gateway address has already been assigned.

So the workaround -- brace yourself -- is apparently to "busy out" your vgw by declaring a dummy customer gateway and setting up a connection.

Then, go create a new vgw, which should have different external addresses... and a new customer gateway for your real IP address.

Repeat until you get a pair that is valid, then delete all the unneeded vpn connections and customer and virtual gateway objects.

https://aws.amazon.com/articles/5458758371599914#_Toc331767311

This seems a bit convoluted, but I suspect it's a fairly rare occurrence, since the simpler fix is to use a different external IP on the customer gateway where practical... the limit isn't really one per customer gateway, it's one per customer gateway external IP.
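The busy-out procedure from the answer above, written out as an added example; it is not part of the original post and not an AWS tool. It uses the boto3 EC2 client call shapes (create_vpn_gateway, create_customer_gateway, create_vpn_connection, describe_vpn_connections and the matching delete_* calls), but FakeEc2 is a constructed stand-in for boto3.client("ec2") so the code runs offline. Assumptions for illustration: each VGW owns a fixed pair of outside addresses that appear as OutsideIpAddress in the connection's VgwTelemetry, the address pools and TEST-NET dummy customer IPs are made up, and taken_ips is the set of AWS-side addresses the other VPC's tunnel to the same customer IP already uses (the other party can read them from their VPN connection's configuration). The validity check is the one the answer describes: the (customer IP, VGW outside IP) pair must be unique.

```python
# Busy-out workaround: keep colliding VGWs occupied by dummy VPN connections until
# AWS hands out a VGW whose outside IPs differ from those already paired with our
# customer gateway IP, then build the real connection and delete the garbage.
from itertools import count


class FakeEc2:
    """Constructed stand-in for boto3.client("ec2"); only the call shapes match."""
    # Assumed: each VGW owns a fixed outside-IP pair. The first two overlap with
    # TAKEN below so the retry loop is exercised.
    VGW_IP_POOL = [("203.0.113.10", "203.0.113.11"),    # both taken
                   ("203.0.113.10", "198.51.100.20"),   # one taken: still a collision
                   ("198.51.100.30", "198.51.100.31")]  # free

    def __init__(self):
        self._ids = count(1)
        self.vgws, self.cgws, self.vpns = {}, {}, {}

    def _id(self, prefix):
        return f"{prefix}-{next(self._ids):08x}"

    def create_vpn_gateway(self, Type):
        vgw = self._id("vgw")
        self.vgws[vgw] = self.VGW_IP_POOL[len(self.vgws) % len(self.VGW_IP_POOL)]
        return {"VpnGateway": {"VpnGatewayId": vgw, "Type": Type}}

    def create_customer_gateway(self, Type, PublicIp, BgpAsn):
        cgw = self._id("cgw")
        self.cgws[cgw] = PublicIp
        return {"CustomerGateway": {"CustomerGatewayId": cgw, "IpAddress": PublicIp}}

    def create_vpn_connection(self, Type, CustomerGatewayId, VpnGatewayId):
        vpn = self._id("vpn")
        self.vpns[vpn] = (CustomerGatewayId, VpnGatewayId)
        return {"VpnConnection": {"VpnConnectionId": vpn}}

    def describe_vpn_connections(self, VpnConnectionIds):
        conns = []
        for vpn in VpnConnectionIds:
            cgw, vgw = self.vpns[vpn]
            conns.append({"VpnConnectionId": vpn, "CustomerGatewayId": cgw,
                          "VpnGatewayId": vgw,
                          "VgwTelemetry": [{"OutsideIpAddress": ip, "Status": "DOWN"}
                                           for ip in self.vgws[vgw]]})
        return {"VpnConnections": conns}

    def delete_vpn_connection(self, VpnConnectionId): del self.vpns[VpnConnectionId]
    def delete_customer_gateway(self, CustomerGatewayId): del self.cgws[CustomerGatewayId]
    def delete_vpn_gateway(self, VpnGatewayId): del self.vgws[VpnGatewayId]


def outside_ips(ec2, vpn_id):
    """AWS-side tunnel endpoints of a VPN connection, read from VgwTelemetry."""
    conn = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])["VpnConnections"][0]
    return {t["OutsideIpAddress"] for t in conn["VgwTelemetry"]}


def busy_out_until_free(ec2, taken_ips, existing_vgw=None, bgp_asn=65000, max_tries=5):
    """Probe VGWs (the VPC's current one first, then fresh ones) with a throwaway
    CGW + connection until one has outside IPs disjoint from taken_ips. Colliding
    VGWs stay occupied until cleanup(). Returns (free_vgw_id, dummies)."""
    dummies = []
    for i in range(max_tries):
        fresh = not (i == 0 and existing_vgw)
        vgw = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"] if fresh else existing_vgw
        # One dummy CGW per attempt on an assumed TEST-NET address keeps every
        # dummy source/destination pair unique among our own probes.
        cgw = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=f"192.0.2.{i + 1}",
                                          BgpAsn=bgp_asn)["CustomerGateway"]["CustomerGatewayId"]
        vpn = ec2.create_vpn_connection(Type="ipsec.1", CustomerGatewayId=cgw,
                                        VpnGatewayId=vgw)["VpnConnection"]["VpnConnectionId"]
        if outside_ips(ec2, vpn).isdisjoint(taken_ips):
            dummies.append((vpn, cgw, None))   # keep this VGW, drop only its probe
            return vgw, dummies
        # Busy out: the probe stays until the end; never delete the attached VGW.
        dummies.append((vpn, cgw, vgw if fresh else None))
    raise RuntimeError(f"no VGW with free outside IPs after {max_tries} tries")


def cleanup(ec2, dummies):
    """Delete probe connections and dummy CGWs, then the VGWs we busied out."""
    for vpn, cgw, vgw in dummies:
        ec2.delete_vpn_connection(VpnConnectionId=vpn)
        ec2.delete_customer_gateway(CustomerGatewayId=cgw)
        if vgw is not None:
            ec2.delete_vpn_gateway(VpnGatewayId=vgw)


def relocate_vpn(ec2, real_cgw_ip, taken_ips, existing_vgw=None, bgp_asn=65000):
    """Full procedure: find a VGW with free outside IPs, build the real connection
    on it, re-check that the address pairs are unique, then remove everything else."""
    vgw, dummies = busy_out_until_free(ec2, taken_ips, existing_vgw, bgp_asn)
    cgw = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=real_cgw_ip,
                                      BgpAsn=bgp_asn)["CustomerGateway"]["CustomerGatewayId"]
    vpn = ec2.create_vpn_connection(Type="ipsec.1", CustomerGatewayId=cgw,
                                    VpnGatewayId=vgw)["VpnConnection"]["VpnConnectionId"]
    if not outside_ips(ec2, vpn).isdisjoint(taken_ips):
        raise RuntimeError("real connection reuses a taken (customer IP, VGW IP) pair")
    cleanup(ec2, dummies)
    return vgw, cgw, vpn


TAKEN = {"203.0.113.10", "203.0.113.11"}   # constructed: the other VPC's tunnel IPs

if __name__ == "__main__":
    print(relocate_vpn(FakeEc2(), "198.18.0.1", TAKEN))
```

Against real AWS the dummy connections are what hold the colliding VGWs (and their addresses) in use while you try the next one, exactly as the answer describes. Two steps are left out here because they do not affect the check: the winning VGW still has to be attached to the VPC with attach_vpn_gateway (and the old one detached) before traffic can flow, and the real CGW IP must be in TEST-NET or a real address you control, not one of the dummy ones.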


Author: Max

Updated on September 18, 2022

Comments

  • Max
    Max over 1 year

    If there are two vendors with separate VPCs connecting to a single customer gateway for a VPN connection, what are possible configuration options to allow this?

    As it stands it seems that AWS only allows a customer gateway to be associated to one vpn connection per region. It's not possible for us to add an additional customer gateway nor change regions.

    It doesn't appear possible to route traffic via one VPC to another: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#edge-to-edge-vgw

  • Max
    Max over 9 years
    Wow, how did you find that?! It wasn't mentioned in any of the AWS forum responses I saw on this problem. I will try it out and see if it works! Thank you