Tbgaz
Participant

AWS VPN Redundancy

Hi. I've been asked a question about setting up a VPN between our office and AWS but was hoping for some clarification as this is new to me. On-prem we use a FW cluster with a primary/backup external IP and because of this it's been suggested that we set up two tunnels between office and AWS, one using the backup IP and the other using the primary IP. If one fails then it would auto failover to the other.

I've had a read of sk100726 - do we have to use VTIs or can this be done with static routing? That's assuming that a failover VPN tunnel can be created. As I said, I've not done this before so am grateful for any help with this.


0 Kudos
Reply
2 Replies
PhoneBoy
Admin

If you're terminating with the AWS VPN endpoint (as opposed to a Check Point Gateway in AWS), then VTI (i.e. route-based VPNs) is generally the way to go here.

0 Kudos
Reply
Maarten_Sjouw
Champion

At the on-premises side you will always use the VIP that is assigned to the cluster, so at your end you already have an auto failover. At the AWS end they normally give you 2 IPs to build a tunnel against.

If you look at this post, it contains a template and instructions for configuring the dual VPN to AWS.

Regards, Maarten
0 Kudos
Reply
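The two replies above describe the shape of the redundant setup: one cluster VIP on the office side, two AWS tunnel endpoints on the other, a route-based (VTI) tunnel to each, and static routes so that traffic moves to the surviving tunnel when one goes down. The script below is an added example, not code from this thread or from Check Point or AWS. It reads a customer-gateway configuration file in the XML layout AWS offers for download (the sample embedded here is constructed, with invented addresses), checks that the two tunnels actually give you redundancy (same customer-gateway outside address, i.e. the cluster VIP, and distinct AWS outside and inside addresses), and then emits Gaia clish commands for two numbered VTIs plus two static routes to the VPC with different priorities, so the second route only carries traffic when the first VTI is down. The peer names `AWS_Tunnel_1`/`AWS_Tunnel_2` and the VPC CIDR are placeholders; in a real deployment the peer name must match the interoperable device object defined in SmartConsole, and the clish syntax used is the `add vpn tunnel` / `set static-route ... priority` form as I understand it, so check it against the Gaia administration guide for your version.

```python
"""Turn an AWS customer-gateway config into Gaia clish commands for a
redundant, route-based (VTI) VPN with prioritised static routes.

Added example for this thread; not Check Point or AWS code.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the layout of the AWS "download configuration"
# file for a Site-to-Site VPN connection. All addresses are invented.
# 198.51.100.10 plays the role of the on-premises cluster VIP.
SAMPLE_AWS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-PLACEHOLDER">
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.10.2</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.10.1</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
    </vpn_gateway>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.11.2</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>203.0.113.2</ip_address></tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.11.1</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
    </vpn_gateway>
  </ipsec_tunnel>
</vpn_connection>
"""


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel>: outside/inside IPs for both ends."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for tun in root.findall("ipsec_tunnel"):
        cgw = tun.find("customer_gateway")
        vgw = tun.find("vpn_gateway")
        tunnels.append({
            "cgw_outside": cgw.findtext("tunnel_outside_address/ip_address"),
            "cgw_inside": cgw.findtext("tunnel_inside_address/ip_address"),
            "aws_outside": vgw.findtext("tunnel_outside_address/ip_address"),
            "aws_inside": vgw.findtext("tunnel_inside_address/ip_address"),
            "inside_cidr": cgw.findtext("tunnel_inside_address/network_cidr"),
        })
    return tunnels


def check_redundancy(tunnels):
    """Sanity checks before generating config. Returns a list of problems (empty = OK)."""
    problems = []
    if len(tunnels) != 2:
        problems.append(f"expected 2 tunnels, found {len(tunnels)}")
    # Both tunnels must terminate on the same on-premises address: the cluster VIP,
    # not the individual member IPs, so the cluster's own failover keeps working.
    if len({t["cgw_outside"] for t in tunnels}) != 1:
        problems.append("customer gateway outside address differs between tunnels; "
                        "use the cluster VIP for both")
    if len({t["aws_outside"] for t in tunnels}) != len(tunnels):
        problems.append("AWS outside addresses are not distinct")
    if len({t["aws_inside"] for t in tunnels}) != len(tunnels):
        problems.append("AWS inside (169.254.x.x) addresses are not distinct")
    return problems


def gaia_commands(tunnels, aws_vpc_cidr, peer_names):
    """Emit clish: one numbered VTI per tunnel, then a static route per VTI.

    Route priority 1 is preferred; priority 2 takes over when VTI 1 is down,
    because a static route through a down interface is not installed.
    """
    cmds = []
    for idx, (tun, peer) in enumerate(zip(tunnels, peer_names), start=1):
        cmds.append(f"add vpn tunnel {idx} type numbered local {tun['cgw_inside']} "
                    f"remote {tun['aws_inside']} peer {peer}")
    for idx, tun in enumerate(tunnels, start=1):
        cmds.append(f"set static-route {aws_vpc_cidr} nexthop gateway address "
                    f"{tun['aws_inside']} priority {idx} on")
    return cmds


if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE_AWS_CONFIG)
    for problem in check_redundancy(tunnels):
        print("WARNING:", problem)
    # "10.20.0.0/16" and the peer names are placeholders for your own values.
    for cmd in gaia_commands(tunnels, "10.20.0.0/16", ["AWS_Tunnel_1", "AWS_Tunnel_2"]):
        print(cmd)
```

The redundancy check is the part worth keeping even if you type the clish by hand: a config exported with the two tunnels pointed at the two member IPs instead of the VIP, or with the same AWS endpoint twice, would still "work" until the first failover and is easy to miss in a long XML file. If your AWS side is set up for dynamic routing, BGP over the VTIs replaces the static routes and their priorities.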