Connecting a Single Router to Multiple Amazon VPCs
Amazon Virtual Private Cloud (Amazon VPC) provides customers with considerable flexibility in how corporate networks can be connected to one or more VPCs. Here we describe two approaches to connecting a single customer router to multiple VPCs, as shown in the diagram to the right.

Amazon VPC Network Components
Customer Gateway (CGW)
A CGW is the anchor on the customer's side of the VPN connection: the physical or software appliance that terminates the IPSec tunnels, represented in AWS by its public IP address and BGP ASN.
VPN Connection
A VPN connection describes the network connectivity established between a single CGW and a single VGW. A separate VPN connection is required for each unique CGW and VGW combination, for example a single CGW connecting to multiple VPCs, multiple CGWs connecting to a single VPC, or multiple CGWs connecting to multiple VPCs.
AWS VPN Tunnels
AWS VPN consists of two services, AWS Site-to-Site VPN and AWS Client VPN; this article concerns Site-to-Site VPN. Each Site-to-Site VPN connection is delivered as two IPSec tunnels, one to each of two AWS endpoints, for redundancy. Each tunnel has its own AWS-side outside (peer) address, a pair of inside addresses over which the BGP session runs, and its own pre-shared key; all of these appear in the configuration file generated for the connection.
Additional Considerations
There is a potential issue only when a customer connects a single customer gateway to multiple VPCs and chooses not to follow the Virtual Routing and Forwarding (VRF) approach recommended below. That scenario, along with a workaround, is covered in the Alternative Approach section.
VRF Approach (Recommended)
Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.[1] AWS recommends using VRFs when connecting a single customer gateway to multiple VPCs: each VPN connection's inside tunnel addresses, BGP neighbor and learned routes then sit in their own routing instance, so the same values appearing in a second VPC's configuration do not conflict on the router.
When using VRFs, follow the standard Amazon VPC process for creating VPCs, customer gateways, virtual private gateways, and VPN connections. Each VPN connection provides configuration details that can be included in the customer's network and VRF configuration.
Alternative Approach
When implementing multiple VPN connections from a single customer gateway without VRFs, customers must be aware that VPC does not guarantee unique tunnel and Border Gateway Protocol (BGP) peer IP addresses across connections. As a result, the addresses automatically generated for one VPC's connection may be duplicated when a connection to another VPC is created. Although AWS does not currently support manual assignment of VPN connection addresses, the following workaround ensures that unique addresses are eventually generated for each connection.
VPC Automated IP Generation Workaround
High-Level Steps
Customers who choose not to use VRFs must be aware of this behavior and apply the following workaround if they receive duplicate tunnel IP addresses when connecting a single customer gateway to multiple VPCs:
1. Create two VPCs and use the wizard or the manual steps to create a virtual private gateway, customer gateway, and VPN connection in each VPC.
2. Compare the resulting VPN connection configuration files to determine whether the tunnel and BGP neighbor IP addresses are unique (sections 3 and 4 of the configuration files). If the addresses are unique, no workaround is required. Otherwise, choose one of the VPCs and perform steps 3 to 8 on that VPC.
3. Delete the VPN connection with the duplicate tunnel IP addresses and wait for its state to change to deleted.
4. Create a new "dummy" customer gateway using a "dummy" IP address (e.g. an AWS Elastic IP that has been allocated to you).
5. Create a new "dummy" VPN connection between the virtual private gateway and this "dummy" customer gateway and wait for the connection state to change to available.
6. Recreate the VPN connection between the virtual private gateway and the original customer gateway.
7. Wait for the connection state to change to available and verify that the new configuration is indeed unique.
8. Delete the "dummy" connection and the "dummy" customer gateway.
Step 1 assumes a customer is connecting a single customer gateway to two VPCs. If connections to more than two VPCs are required, repeat steps 3 to 7, creating as many "dummy" connections as needed, until every VPN connection has unique tunnel and BGP neighbor IP addresses.
When using these new tunnel IP addresses, make sure you also follow the instructions in the IPSec Key Pair and Profile Binding section.
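The following shell script is an added example and is not code from the original article or from AWS. It automates the step-2 comparison of the generated configuration files (the `<vpn_gateway>` addresses that sections 3 and 4 of each file are built from) and the dummy-connection loop of steps 3 to 8 using the AWS CLI. It assumes the AWS CLI is installed with credentials and a default region configured; the resource ids, the dummy Elastic IPs, the BGP ASN 65000 and the two sample XML documents are constructed for illustration, and the stand-alone run only checks the samples without calling AWS.

```sh
# Added example, not from the original article or from AWS. Automates the step-2
# comparison of the generated configuration files and the dummy-connection loop of
# steps 3 to 8 with the AWS CLI. Resource ids, the dummy Elastic IPs, the BGP ASN
# 65000 and the sample XML documents below are constructed.

# Print the AWS-side addresses of every tunnel in a CustomerGatewayConfiguration XML
# read from stdin: the <vpn_gateway> tunnel_outside_address (IPSec peer) followed by
# its tunnel_inside_address (BGP neighbour). Splitting records on '<' makes the
# parse independent of indentation; the <customer_gateway> side is ignored.
vgw_tunnel_addrs() {
  awk 'BEGIN { RS = "<"; in_vgw = 0 }
       $0 ~ "^vpn_gateway>"  { in_vgw = 1 }
       $0 ~ "^/vpn_gateway>" { in_vgw = 0 }
       in_vgw && $0 ~ "^ip_address>" {
         sub(/^ip_address>/, ""); gsub(/[ \t\r\n]/, ""); print
       }'
}

# Print every AWS-side address that occurs in more than one of the given
# configuration documents (the arguments are the XML texts themselves).
duplicate_addrs() {
  for cfg in "$@"; do
    printf '%s\n' "$cfg" | vgw_tunnel_addrs | sort -u
  done | sort | uniq -d
}

# Exit status 0 when the connections can share one router without VRFs.
connections_unique() {
  [ -z "$(duplicate_addrs "$@")" ]
}

# Fetch the generated configuration of one VPN connection (requires AWS CLI access).
connection_config() {
  aws ec2 describe-vpn-connections --vpn-connection-ids "$1" \
      --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text
}

# Steps 3 to 8. $1 VGW id, $2 the real CGW id, $3 the VPN connection whose addresses
# collide, $4 the configuration XML of the other VPC's connection; remaining args are
# spare Elastic IPs, one per attempt, because each dummy CGW needs its own address.
# Prints the id of the recreated connection once its addresses are unique.
recreate_until_unique() {
  vgw=$1; cgw=$2; vpn=$3; other_cfg=$4; shift 4
  dummies=""
  for dummy_ip in "$@"; do
    aws ec2 delete-vpn-connection --vpn-connection-id "$vpn" >/dev/null          # step 3
    aws ec2 wait vpn-connection-deleted --vpn-connection-ids "$vpn"
    dummy_cgw=$(aws ec2 create-customer-gateway --type ipsec.1 --public-ip "$dummy_ip" \
                --bgp-asn 65000 --query CustomerGateway.CustomerGatewayId --output text)  # step 4
    dummy_vpn=$(aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$dummy_cgw" \
                --vpn-gateway-id "$vgw" --query VpnConnection.VpnConnectionId --output text)  # step 5
    aws ec2 wait vpn-connection-available --vpn-connection-ids "$dummy_vpn"
    dummies="$dummies $dummy_vpn:$dummy_cgw"
    vpn=$(aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$cgw" \
          --vpn-gateway-id "$vgw" --query VpnConnection.VpnConnectionId --output text)  # step 6
    aws ec2 wait vpn-connection-available --vpn-connection-ids "$vpn"                     # step 7
    connections_unique "$(connection_config "$vpn")" "$other_cfg" && break
  done
  for d in $dummies; do                                                                # step 8
    aws ec2 delete-vpn-connection --vpn-connection-id "${d%%:*}" >/dev/null
    aws ec2 wait vpn-connection-deleted --vpn-connection-ids "${d%%:*}"
    aws ec2 delete-customer-gateway --customer-gateway-id "${d#*:}" >/dev/null
  done
  connections_unique "$(connection_config "$vpn")" "$other_cfg" \
    || { echo "still duplicate after using all dummy addresses" >&2; return 1; }
  printf '%s\n' "$vpn"
}

# Constructed samples. A and B collide on tunnel 1 (same AWS peer and BGP neighbour);
# A and C are what a successful run of the workaround should leave behind.
SAMPLE_A='<vpn_connection id="vpn-0000000a"><vpn_gateway_id>vgw-0000000a</vpn_gateway_id>
<ipsec_tunnel><customer_gateway><tunnel_outside_address><ip_address>198.51.100.7</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.255.2</ip_address></tunnel_inside_address></customer_gateway>
<vpn_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.255.1</ip_address></tunnel_inside_address></vpn_gateway></ipsec_tunnel>
<ipsec_tunnel><vpn_gateway><tunnel_outside_address><ip_address>203.0.113.11</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.255.5</ip_address></tunnel_inside_address></vpn_gateway></ipsec_tunnel>
</vpn_connection>'
SAMPLE_B='<vpn_connection id="vpn-0000000b">
<ipsec_tunnel><vpn_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.255.1</ip_address></tunnel_inside_address></vpn_gateway></ipsec_tunnel>
<ipsec_tunnel><vpn_gateway><tunnel_outside_address><ip_address>203.0.113.20</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.255.9</ip_address></tunnel_inside_address></vpn_gateway></ipsec_tunnel>
</vpn_connection>'
SAMPLE_C='<vpn_connection id="vpn-0000000c">
<ipsec_tunnel><vpn_gateway><tunnel_outside_address><ip_address>203.0.113.20</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.255.9</ip_address></tunnel_inside_address></vpn_gateway></ipsec_tunnel>
<ipsec_tunnel><vpn_gateway><tunnel_outside_address><ip_address>203.0.113.21</ip_address></tunnel_outside_address>
<tunnel_inside_address><ip_address>169.254.255.13</ip_address></tunnel_inside_address></vpn_gateway></ipsec_tunnel>
</vpn_connection>'

# Stand-alone demonstration on the constructed samples; no AWS calls are made here.
if connections_unique "$SAMPLE_A" "$SAMPLE_B"; then
  echo "AWS-side addresses are unique; no workaround needed"
else
  echo "duplicate AWS-side addresses, apply the workaround:"
  duplicate_addrs "$SAMPLE_A" "$SAMPLE_B"
fi
```

In a real run, save each connection's XML with `connection_config`, check the pair with `connections_unique`, and only if that fails call `recreate_until_unique` with one or more spare Elastic IPs; the function keeps every dummy in place until the recreated connection is unique, then removes them all, matching steps 3 to 8 above.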
Workaround Walkthrough
This section walks through the steps required to work around duplicate VPN connection tunnel and BGP peer IP addresses. To illustrate the workaround, the following customer gateway and virtual private gateway IDs are used in the accompanying screenshots:
IPSec Key Pair and Profile Binding
The VPN connection configuration template does not currently bind each IPSec keyring and profile explicitly to a specific VPN connection; the router is left to select them by peer address. When a single customer gateway carries multiple VPN connections, an explicit mapping from keyring to IKE profile to IPSec profile to tunnel interface is required to ensure that each tunnel negotiates with the pre-shared key issued for it and that the tunnels function properly.
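The following Cisco IOS fragment is an added example serving both the VRF Approach and this section; it is not the configuration template generated by AWS. It shows one tunnel from each of two VPN connections (VPC A and VPC B) terminating on one router, each tunnel in its own VRF and each with its own keyring, ISAKMP profile and IPSec profile chained explicitly down to the tunnel interface. The interface name, the peer and inside addresses, the AS numbers and the pre-shared-key placeholders are assumptions; the real values come from sections 3 and 4 of each connection's downloaded configuration.

```cisco
! Added example, not the AWS-generated template. Interface, addresses, ASNs and PSK
! placeholders are assumed; substitute the values from each connection's configuration.
!
! VRF approach: one routing instance per VPC, so the 169.254.x.x tunnel addresses,
! the BGP neighbours and the routes learned from VPC A and VPC B never share a table.
ip vrf VPC-A
 rd 65000:1
ip vrf VPC-B
 rd 65000:2
!
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
!
crypto ipsec transform-set ipsec-prop-aws esp-aes 128 esp-sha-hmac
 mode tunnel
!
! Explicit binding chain for VPC A, tunnel 1: keyring -> ISAKMP profile ->
! IPSec profile -> tunnel interface. The key for this peer is never chosen by
! peer address alone, so a second connection cannot borrow it.
crypto keyring keyring-vpc-a-1
 pre-shared-key address 203.0.113.10 key PSK-VPC-A-TUNNEL-1
crypto isakmp profile isakmp-vpc-a-1
 keyring keyring-vpc-a-1
 match identity address 203.0.113.10 255.255.255.255
 local-address GigabitEthernet0/0
crypto ipsec profile ipsec-vpc-a-1
 set transform-set ipsec-prop-aws
 set pfs group2
 set isakmp-profile isakmp-vpc-a-1
interface Tunnel1
 description VPC A, tunnel 1 (AWS peer 203.0.113.10, BGP neighbour 169.254.255.1)
 ip vrf forwarding VPC-A
 ip address 169.254.255.2 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpc-a-1
!
! The same chain for VPC B, tunnel 1, with its own keyring, profiles and VRF.
crypto keyring keyring-vpc-b-1
 pre-shared-key address 203.0.113.20 key PSK-VPC-B-TUNNEL-1
crypto isakmp profile isakmp-vpc-b-1
 keyring keyring-vpc-b-1
 match identity address 203.0.113.20 255.255.255.255
 local-address GigabitEthernet0/0
crypto ipsec profile ipsec-vpc-b-1
 set transform-set ipsec-prop-aws
 set pfs group2
 set isakmp-profile isakmp-vpc-b-1
interface Tunnel2
 description VPC B, tunnel 1 (AWS peer 203.0.113.20, BGP neighbour 169.254.255.9)
 ip vrf forwarding VPC-B
 ip address 169.254.255.10 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpc-b-1
!
! BGP: each VPC's AWS-side neighbour is configured inside its own VRF address
! family, so overlapping neighbour addresses between VPCs would not collide.
router bgp 65000
 address-family ipv4 vrf VPC-A
  neighbor 169.254.255.1 remote-as 7224
  neighbor 169.254.255.1 activate
 exit-address-family
 address-family ipv4 vrf VPC-B
  neighbor 169.254.255.9 remote-as 7224
  neighbor 169.254.255.9 activate
 exit-address-family
```

The second tunnel of each connection follows the same pattern with its own keyring, profiles and Tunnel interface in the same VRF; the on-premises prefixes to advertise into each VRF are site-specific and are omitted here. Without the `set isakmp-profile` line on each IPSec profile, the router falls back to matching the ISAKMP profile and keyring by peer address, which is exactly what the duplicate-address situation described above makes ambiguous.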