How to setup a VPN for 3 different VPC's in 3 different regions in different AWS accounts?

Question

I wanted to create a VPN for 3 different AWS accounts. All these 3 accounts are running different application but for the same client, as a service provider, we want to set up a VPN connection to these environments so that we can access the environment from our premises.

I came to know that Transit VPC can be used across different regions and/or different accounts. If transit VPC is the solution for this requirement could you let me know how do we integrate the same to the existing environment?

If not what can we do to achieve this requirement?

Answer 1

You have two options (I am assuming site-to-site always on VPNs and not client-to-site):

1) Setup Direct Connect. The three AWS accounts can share one Direct Connect setup. This is the best solution but is expensive.

2) Setup three VPNs from the customer's site. Most enterprise class routers can handle this with ease. This is cheaper as it uses the Internet for connectivity.

In all cases, make sure that the VPCs do not have overlapping CIDR blocks.

If you also need VPC <-> VPC networking add VPC Peering for those routes. VPC Peering is not transitive so you cannot route traffic thru a VPC (just between). You will need on VPC Peering connection for each pair of VPCs that want to network with each other. This can quickly become a spider's web.

Make sure that you work with someone that is very experienced with routers. It is easy to make routing configuration mistakes that will direct Internet traffic thru the VPNs to AWS and you will be billed for Internet traffic.