VPN and Amazon AWS
Recently I have worked on few VPN projects where my customers requested VPN connections to their Amazon VPCs (Virtual Private Cloud). As you probably know, today’s companies are very complex and in the same building there can be many organizations, contractors, etc. In my project I had to set up VPN tunnels for three different organizations located behind the same VPN concentrator. One of them had their VPC in US, the second one in Europe. The project was completed without any issues. The problems appeared when third organization, located behind the same VPN concentrator. They requested a new tunnel to their VPC located in Europe. Let’s sum up all requirements:
- Customer “A” has a tunnel to the VPC “A” in US DC
- Customer “B” has a tunnel to the VPC “B” in Europe DC Above ones already configured and both are working fine.
- Customer “C” requires a new tunnel to the VPC “C” in Europe DC.
<---customer site--->| |<-----Amazon sites----->
/----\
|Cust-A|
\----/ /----\
| --[US DC]-----| VPC-A|
| / \----/
| /
| /
/----\ ----- / /----\
|Cust-B|-------| ASA |--------[EMEA DC]---| VPC-B|
\----/ ----- \ \----/
| \
| \
| \ /----\
| | VPC-C|
| \----/
/----\
|Cust-C|
\----/
When I installed ASA I configured one outside interface with one public IP. Then when I started to work on first two VPNs I received two files (one per each customer) with configuration generated by VPCs. The config files contained all settings together with peers IPs (public). As I mentioned before the both tunnels were set up with no issues. When I asked for the third tunnel settings (Customer “C” -> VPC-C) I found the peer IP was the same as for the customer “B” tunnel. It meant Amazon didn’t allocate the public IP for each my customers VPCs. Amazon has only one public IP per region and in my case I couldn’t set up the tunnel for the customer “C” with the current configuration. The easiest way is to have only one tunnel for VPC-B and VPC-C but from security reasons the customer “B” can’t have access to “VPC-C” and vice versa. One of the proposed solutions was a new design of ASA and implementation of sub-interfaces on the outside interface with more public IPs. Of course for such solution you need to have more public IPs what can be expensive depends on the number of IP addresses. The second option is using a BGP protocol, accepted by Amazon, but the ASA doesn’t support it.
/----\
|Cust-A|
\----/ /----\
| --[US DC]-----| VPC-A|
| / \----/
| /
| / /----\
/----\ ----- gig0/0.1 ------ [EMEA DC]--| VPC-B|
|Cust-B|-------| ASA |gig0/0.2 -------[EMEA DC] \----/
\----/ ----- gig0/0.3 \
| \
| \
| /----\
| | VPC-C|
| \----/
/----\
|Cust-C|
\----/
If you planning to work with Amazon products like VPC , take into account this one huge limitation because if your environment requires 99.999% availability, every big change in your design can be painful.