topic Re: AWS VPN Redundancy in Firewall and Security Management

AWS VPN Redundancy

Wyman — Tue, 29 Sep 2020 09:43:44 GMT

Hi. I've been asked a question about setting up a VPN between our office and AWS but was hoping for some clarification as this is new to me. On-prem we use a FW cluster with a primary/backup external IP and because of this it's been suggested that we setup two tunnels between office and AWS, one using the backup IP and the other using the primary IP. If one fails then it would auto failover to the other.

I've had a read of sk100726 - do we have to use VTIs or can this be done with static routing? That's assuming that a failover VPN tunnel can be created. As I said, I've not done this before so am grateful for any help with this.

Re: AWS VPN Redundancy

PhoneBoy — Thu, 01 Oct 2020 16:18:42 GMT

If you're terminating with the AWS VPN endpoint (as opposed to a Check Point Gateway in AWS), then VTI (i.e. route-based VPNs) is generally the way to go here.

Re: AWS VPN Redundancy

Maarten_Sjouw — Sat, 03 Oct 2020 07:24:19 GMT

At the on-premise side you will always use the VIP that is assigned to the cluster, so at your end you already have a auto failover. At the AWS end they normally give you 2 IP's to build a tunnel against.

If you look at this post, it contains a template and instructions for configuring the dual VPN to AWS.