
I have a somewhat complicated question:

I have connected multiple VPCs with EC2 instances (IPsec) for routing traffic between VPCs across regions. I have a VPN connection to each AWS region, and everything is working fine.

Traffic from my office to 10.20.*.* goes to ->
VPN connection LINE 1 in AWS eu-west-1 ->
vpc_ireland - CIDR 10.20.0.0/16
here I have an IPsec instance that routes the traffic from 10.60.0.0/16 to vpc_viriginia

Traffic from my office to 10.60.*.* goes to ->
VPN connection LINE 2 in AWS us-east-1 ->
vpc_viriginia - CIDR 10.60.0.0/16
in AWS us-east-1 I have an IPsec instance that routes the traffic from 10.20.0.0/16 to vpc_ireland

I want to make sure that if one of the VPN connections/lines goes down, I will still be able to access the AWS region via the other VPN in the other AWS region.

For example, if VPN connection LINE 2 (Virginia) goes down, all the traffic from my office to 10.60.*.* will automatically go to VPN connection LINE 1 (vpc_ireland), and from there it will be routed to vpc_viriginia by my IPsec instance, as if nothing happened.

example: if VPN connection LINE 2 goes down: my office -> 10.60.203.11 -> VPN connection LINE 1 -> vpc_ireland -> IPsec instance in Ireland -> vpc_viriginia

As I said, I have connections between my regions via IPsec instances.

My question is: if VPN connection LINE 2 goes down, all the traffic to 10.60.*.* will be routed automatically from my office to vpc_ireland (CIDR 10.20.0.0/16), but I guess vpc_ireland will reject it because the IPs 10.60.*.* are not in the same network as vpc_ireland (CIDR 10.20.0.0/16).

So I wonder what my options are (without removing my current AWS VPN)?

To be more specific: how can I route traffic from IPs (let's say, for example, 10.60.111.9) via the Ireland VPN connection (when the Virginia VPN connection goes down) to vpc_ireland, when the IPs I route are not in the same network CIDR 10.20.0.0/16?

The question refers only to the AWS side, after I route the traffic from my office.

I will be happy to answer any questions if my question is not understandable.

Thanks in advance!!

UPDATE - I will try to be more specific with my question:

  1. AWS VPN in Virginia goes down.
  2. All the traffic from my office to 10.60.*.* is routed to AWS VPN connection LINE 1 in AWS eu-west-1.
  3. So if I now ping from my office to 10.60.100.13, it will be routed to the Ireland VPN.
  4. But the VPC in Ireland has CIDR block 10.20.0.0/16.

If I were able to somehow route the traffic that arrives at the Ireland VPN for IPs in CIDR block 10.60.*.* to my current VPC in Ireland (CIDR block 10.20.0.0/16), I could use my routing table and my IPsec instance to route it back to the Virginia VPC.

Is it possible at all to route traffic from a different subnet to another CIDR block in a VPC? IP 10.60.100.13 to CIDR block 10.20.0.0/16?

Berlin
  • When you say region, is this an AWS region, or a region that your offices are in? Perhaps clarify your question. A diagram would make this far easier to understand - https://cloudcraft.co/app – Tim Oct 08 '16 at 01:56
  • @Tim thanks, I will try to make something; yes, it is an AWS region – Berlin Oct 08 '16 at 01:59
  • @Tim, can you please help me :) ? – Berlin Oct 08 '16 at 02:01
  • If you clarify your question, people will help. Insufficient or unclear information makes it less likely you'll get help. Diagrams aid understanding. There are some good AWS people on here who know a lot more about routing than I do; I'm not sure I can help. – Tim Oct 08 '16 at 02:06
  • It's fairly clear that you will need routing changes in your offices. After that you will probably need a transit or shared services VPC in each AWS region: https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/ – Tim Oct 08 '16 at 02:19
  • thanks @Tim, yep, I know I should change the routes from my office if one of the lines goes down; basically I want to understand if there is another solution instead of creating a new VPC with the same CIDR as the other region. – Berlin Oct 08 '16 at 02:33

1 Answer


You can try to do something like this:

```text
eu-west-1 - VPC1 - VPNGateway1  -- office  (direct route)
eu-west-1 - VPC1 - VPNGateway1  -- office  (via VPC2 route)
             |
            peer
             |
eu-west-1 - VPC2 - VPNGateway2  -- office  (direct route)
eu-west-1 - VPC2 - VPNGateway2  -- office  (via VPC1 route)
```

But before you do anything, FYI: the VPN gateway has two endpoints, so redundancy is already built in.

There is one thing you need to consider: even though the route tables have entries for both the office and the other VPC, they will send traffic to the default route for your office (the VPN gateways). For this you need to make a small script that changes the route priority, so if VPNGateway1 can't connect to your office then you give it a lower priority and route office_space/netmask via VPC2.

silviud
  • thank you for the answer. I am not sure I understand your diagram; do you suggest making another VPC with CIDR block `10.60.*.*`? – Berlin Oct 08 '16 at 18:28
  • and what about the VPN? It is connected only to my current VPC `CIDR block 10.20.0.0/16` – Berlin Oct 08 '16 at 18:30
  • That is for traffic originating from AWS to your office. To have redundancy for your office, it depends on what equipment you have (router/VPN etc.). It will use the same principle: two routes with different priorities. For VPC2 you need a different IP space such as 10.10.0.0/16 – silviud Oct 08 '16 at 18:41
  • thank you, so you suggest creating another VPC and VPN for this purpose. I wonder if it is possible to connect the current VPN with another VPC? Because I saw there is only 1 VPN gateway per VPN. – Berlin Oct 08 '16 at 19:01
  • also I guess from your answer that it is not possible at all to route traffic from a different subnet to another CIDR block in a VPC? IP 10.60.100.13 to CIDR block 10.20.0.0/16? And because of that I need a different VPC? – Berlin Oct 08 '16 at 19:03
  • I have a VPN connection with tunnels that I am using to connect from my office – Berlin Oct 08 '16 at 19:11
  • in a VPC you can make multiple subnets. Your goal is to have redundancy for your VPN gateway?! FYI the VPN gateway can have two endpoints (IP addresses), so it is redundant. Not sure you can share a VPN gateway between two or more VPCs. – silviud Oct 08 '16 at 19:39
  • I have multiple subnets, but my current `VPC in CIDR block 10.20.0.0/16`, and if I send traffic via the VPN to IP `10.60.100.13` it will be rejected by the VPC? – Berlin Oct 08 '16 at 19:51
  • the goal is to make redundancy for the VPN between regions and not in the same region; right now I have only 1 VPN per region, so if I route the traffic to another region in case 1 line goes down, the IP will be different from the CIDR block – Berlin Oct 08 '16 at 19:54
  • Ok ... one VPC can contain multiple subnets from _different_ AZs, meaning you can have a subnet per AZ that you subnet from your VPC. The VPN gateway will connect your VPC (including subnets) to your office. – silviud Oct 08 '16 at 19:55
  • but the problem is not in the same region. If one line goes down, I route the traffic from my office to another region, but the IP is not in the same subnet as my `VPC CIDR block 10.20.0.0/16`. So let's say I ping 10.60.100.13: it will be routed from my office to the VPN in Ireland, then it will go to the VPC, and it will be rejected because the IP is not in the same subnet, right? – Berlin Oct 08 '16 at 19:59
  • AWS VPC peering doesn't support multi-region. If you want to connect two VPCs located in two regions you can do it via an IPsec tunnel (sort of peering) - you can use the diagram that I made. – silviud Oct 08 '16 at 20:13
  • thank you for all your help. I already have connections between my regions, as I wrote in my question. I think it may be too complicated to explain what I need; maybe I will try to contact AWS. If the VPN connection goes down in one of the regions I route the traffic to the other region, but because the IP is in a different subnet than my VPC CIDR block it will be rejected. `MY OFFICE -> VPN IR -> VPC -> IPSEC INSTANCE -> VPC Virginia` – Berlin Oct 08 '16 at 20:19
  • `vpc_ireland - CIDR 10.20.0.0/16` can get requests to IPs in the same subnet, but not to the IPs of `vpc_viriginia - CIDR 10.60.0.0/16` while the line is down and I route them to the `ireland vpn`, and I think it's because they are not in the same subnet – Berlin Oct 08 '16 at 20:23
  • that you can solve by adding a route entry in each region so it is routed via your interconnection. – silviud Oct 08 '16 at 20:23
  • what do you mean by route entry? Because my current VPN automatically moves all the traffic to my current VPC, and the current VPC is not in the same subnet as the IPs in Virginia – Berlin Oct 08 '16 at 20:25
  • but is it correct that the VPC will reject IPs routed from the VPN that are not in the same subnet as the VPC CIDR block? – Berlin Oct 08 '16 at 20:27
  • in your VPC you do have a route table, so you need to look into that. See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html#Overview for more info – silviud Oct 08 '16 at 20:27
  • yes, I know. For example, if I connect to one of my instances in `Ireland` I can ping one of the instances in `Virginia`, because I have the IPsec instance. But if I ping from my office it first goes to the VPN and then to the VPC, and from there it is routed by the routing table. So how can I route IPs that are not in the same subnet as the VPC CIDR block? The ping goes to the routing table via the VPC, right? – Berlin Oct 08 '16 at 20:30
  • I think the whole issue is that when I route IPs via the VPN to a VPC that are not in the same CIDR block as the VPC, it will be rejected, because when I ping from my office to an IP in the same subnet as my VPC CIDR, everything works – Berlin Oct 08 '16 at 20:33
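The "small script that changes the route priority" from the answer, worked through as an added example (this is not code from the question or the answer). It uses boto3-style EC2 calls (describe_vpn_connections, replace_route), but a small fake client stands in for boto3.client("ec2") so it runs offline; the IDs vpn-line1, rtb-vpc1, vgw-line1 and i-ipsec and the office range 192.168.0.0/16 are constructed placeholders.

```python
"""Keep the office route on the VPN gateway while a tunnel is up; when both tunnels of the
VPN connection report DOWN, repoint it at the IPsec instance that reaches the other region
(the "via VPC2 route" in the answer's diagram). Added example; IDs are constructed."""

OFFICE_CIDR = "192.168.0.0/16"  # constructed placeholder for office_space/netmask


def tunnels_up(ec2, vpn_id):
    """Count tunnels of the VPN connection whose VGW telemetry reports UP (a VGW has two)."""
    conn = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])["VpnConnections"][0]
    return sum(1 for t in conn.get("VgwTelemetry", []) if t.get("Status") == "UP")


def reconcile_office_route(ec2, vpn_id, rtb_id, vgw_id, transit_instance_id, cidr=OFFICE_CIDR):
    """Return the target the office route ends up on after reconciling against tunnel state.
    ReplaceRoute only works on an existing entry, so the office CIDR must already be in the
    route table (it is, since the VGW route is the normal path)."""
    if tunnels_up(ec2, vpn_id) > 0:
        ec2.replace_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr, GatewayId=vgw_id)
        return vgw_id
    ec2.replace_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr,
                      InstanceId=transit_instance_id)
    return transit_instance_id


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client: same method names and response shapes."""

    def __init__(self, tunnel_status):
        self.tunnel_status = tunnel_status  # e.g. ["UP", "DOWN"] for the two VGW endpoints
        self.routes = {}                    # (route table id, cidr) -> current target

    def describe_vpn_connections(self, VpnConnectionIds):
        return {"VpnConnections": [{"VpnConnectionId": VpnConnectionIds[0],
                                    "VgwTelemetry": [{"Status": s} for s in self.tunnel_status]}]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, GatewayId=None, InstanceId=None):
        self.routes[(RouteTableId, DestinationCidrBlock)] = GatewayId or InstanceId


if __name__ == "__main__":
    ec2 = FakeEC2(["DOWN", "DOWN"])  # both LINE 1 tunnels down: failover case
    print(reconcile_office_route(ec2, "vpn-line1", "rtb-vpc1", "vgw-line1", "i-ipsec"))
```

With a real client, the same function is what a cron job or Lambda would call on each region's route table, swapping the fake for boto3.client("ec2") in that region.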