<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Routing in Firewall with DirectConnect AWS and IPVPN connections in Cloud Firewall</title>
    <link>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239776#M5212</link>
    <description>&lt;P&gt;You already mentioned you are connected to AWS via DirectConnect lines using BGP.&lt;/P&gt;
&lt;P&gt;Why can't you configure your on-premise hardware that already uses BGP to route traffic to the 2nd site if the 1st one fails using BGP?&lt;/P&gt;
&lt;P&gt;That's what usually is done (if it's a router or another Firewall).&lt;/P&gt;
&lt;P&gt;Usually the Firewalls in the cloud are not being used to do this kind of routing decision, unless you are connecting directly to them via VPN + BGP, and even then the decision is made on the on-premise devices.&lt;/P&gt;</description>
    <pubDate>Tue, 28 Jan 2025 05:18:40 GMT</pubDate>
    <dc:creator>Nir_Shamir</dc:creator>
    <dc:date>2025-01-28T05:18:40Z</dc:date>
    <item>
      <title>Routing in Firewall with DirectConnect AWS and IPVPN connections</title>
      <link>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239668#M5206</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Maybe someone can point me in the direction of a solution.&lt;BR /&gt;A customer has two main sites connected to AWS with Direct Connect.&lt;BR /&gt;Routing to AWS is via BGP. (i.e. all the user subnets in the main sites and in the remote sites will access AWS through one of the main sites, with priority given to Site A.)&lt;/P&gt;&lt;P&gt;How can I configure the Checkpoint firewall routing so that when a Direct Connect connection goes down, users at Site A will access AWS via Site B? The same would apply for remote sites, which will also need to go through Site A or Site B to reach AWS.&lt;/P&gt;&lt;P&gt;Since I have no way to configure anything within the IPVPN cloud, we thought to create S2S VPNs. Site A would try to route via DirectConnect, but if it is down, then it will route packets to AWS via S2S VPN to Site B, whose DirectConnect connection is still up. And vice versa.&lt;/P&gt;&lt;P&gt;I am not sure how it would work for the remote sites. We could create an S2S VPN to Site A and Site B, but the remote site would need to know how to route a packet towards AWS based on priority (Site A has higher priority) and on Site A Direct Connect being up. I am not sure how that would work. Maybe I would need to use some routing protocol over the S2S VPN (or IPVPN) between Site A firewall and Remote Site Firewall to let the remote site know if it is possible to reach AWS through it.&lt;/P&gt;&lt;P&gt;If anyone has any tips for such a solution I would appreciate it.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jan 2025 08:28:35 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239668#M5206</guid>
      <dc:creator>Micha</dc:creator>
      <dc:date>2025-01-27T08:28:35Z</dc:date>
    </item>
    <item>
      <title>Re: Routing in Firewall with DirectConnect AWS and IPVPN connections</title>
      <link>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239669#M5207</link>
      <description>&lt;P&gt;Can you move this to Cloud network security, &lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7"&gt;@PhoneBoy&lt;/a&gt; ?&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jan 2025 10:04:57 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239669#M5207</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2025-01-27T10:04:57Z</dc:date>
    </item>
    <item>
      <title>Re: Routing in Firewall with DirectConnect AWS and IPVPN connections</title>
      <link>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239752#M5210</link>
      <description>&lt;P&gt;Done&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jan 2025 23:28:48 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239752#M5210</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2025-01-27T23:28:48Z</dc:date>
    </item>
    <item>
      <title>Re: Routing in Firewall with DirectConnect AWS and IPVPN connections</title>
      <link>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239776#M5212</link>
      <description>&lt;P&gt;You already mentioned you are connected to AWS via DirectConnect lines using BGP.&lt;/P&gt;
&lt;P&gt;Why can't you configure your on-premise hardware that already uses BGP to route traffic to the 2nd site if the 1st one fails using BGP?&lt;/P&gt;
&lt;P&gt;That's what usually is done (if it's a router or another Firewall).&lt;/P&gt;
&lt;P&gt;Usually the Firewalls in the cloud are not being used to do this kind of routing decision, unless you are connecting directly to them via VPN + BGP, and even then the decision is made on the on-premise devices.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jan 2025 05:18:40 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Cloud-Firewall/Routing-in-Firewall-with-DirectConnect-AWS-and-IPVPN-connections/m-p/239776#M5212</guid>
      <dc:creator>Nir_Shamir</dc:creator>
      <dc:date>2025-01-28T05:18:40Z</dc:date>
    </item>
  </channel>
</rss>

