
AWS VPN Redundancy

Hi. I've been asked a question about setting up a VPN between our office and AWS but was hoping for some clarification as this is new to me. On-prem we use a FW cluster with a primary/backup external IP and because of this it's been suggested that we set up two tunnels between the office and AWS, one using the backup IP and the other using the primary IP. If one fails, it would automatically fail over to the other.

I've had a read of sk100726 - do we have to use VTIs or can this be done with static routing? That's assuming that a failover VPN tunnel can be created. As I said, I've not done this before so am grateful for any help with this.


2 Replies

If you're terminating with the AWS VPN endpoint (as opposed to a Check Point Gateway in AWS), then VTI (i.e. route-based VPNs) is generally the way to go here.


On the on-premises side you will always use the VIP that is assigned to the cluster, so at your end you already have an auto failover. At the AWS end they normally give you 2 IPs to build a tunnel against.

If you look at this post, it contains a template and instructions for configuring the dual VPN to AWS.

Regards, Maarten
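To make the two replies above concrete (one cluster VIP on-prem, two AWS tunnel endpoints, route-based VTIs on the Check Point side), here is an added example that is not part of the original thread and is not Check Point's or AWS's code. It parses the generic customer gateway configuration that the AWS console lets you download for a Site-to-Site VPN connection, checks the redundancy assumptions before anything is typed into the cluster (exactly two tunnels, two distinct AWS peers, both tunnels sourced from the cluster VIP, non-overlapping inside /30s), and produces the per-tunnel VTI and static-route values. Assumptions: the XML layout matches the generic AWS download (one ipsec_tunnel element per tunnel with customer_gateway/vpn_gateway outside and inside addresses and an ike/pre_shared_key); the sample document, all addresses, IDs and keys in it, and the VPC CIDR are constructed for the example.

```python
"""Check a downloaded AWS Site-to-Site VPN config against the advice in this
thread: one on-prem cluster VIP, two AWS tunnel endpoints, route-based VTIs.

Added example, not Check Point's or AWS's code. The XML shape below is assumed
to match the generic AWS customer gateway configuration download; the sample
document itself and every address/ID/key in it are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the generic AWS download (two tunnels).
SAMPLE_CONFIG = """<vpn_connection id="vpn-0123456789abcdef0">
  <customer_gateway_id>cgw-0123456789abcdef0</customer_gateway_id>
  <vpn_gateway_id>vgw-0123456789abcdef0</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.21</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </vpn_gateway>
    <ike><pre_shared_key>constructed-psk-one</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.20.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.22</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.20.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </vpn_gateway>
    <ike><pre_shared_key>constructed-psk-two</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>
"""


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel> with the addresses needed for a VTI."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        tunnels.append({
            "cgw_outside": t.findtext("customer_gateway/tunnel_outside_address/ip_address"),
            "cgw_inside": t.findtext("customer_gateway/tunnel_inside_address/ip_address"),
            "vgw_outside": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "vgw_inside": t.findtext("vpn_gateway/tunnel_inside_address/ip_address"),
            "inside_cidr": int(t.findtext("vpn_gateway/tunnel_inside_address/network_cidr")),
            "psk": t.findtext("ike/pre_shared_key"),  # kept only for the gateway config, never printed
        })
    return tunnels


def check_redundancy(tunnels, cluster_vip):
    """Return a list of problems; an empty list means the config matches the thread's advice."""
    problems = []
    if len(tunnels) != 2:
        problems.append(f"expected 2 tunnels, found {len(tunnels)}")
    if len({t["vgw_outside"] for t in tunnels}) != len(tunnels):
        problems.append("AWS tunnel endpoints are not distinct: no endpoint redundancy")
    for i, t in enumerate(tunnels, 1):
        # Both tunnels must be sourced from the cluster VIP, not a member's physical IP.
        if t["cgw_outside"] != cluster_vip:
            problems.append(f"tunnel {i}: customer gateway IP {t['cgw_outside']} is not the cluster VIP {cluster_vip}")
    nets = [ipaddress.ip_network(f"{t['vgw_inside']}/{t['inside_cidr']}", strict=False) for t in tunnels]
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a].overlaps(nets[b]):
                problems.append(f"inside networks {nets[a]} and {nets[b]} overlap")
    return problems


def vti_plan(tunnels, aws_vpc_cidr):
    """Per-tunnel values to enter on the on-prem gateway: peer, VTI addresses, static route."""
    return [
        {
            "peer": t["vgw_outside"],
            "vti_local": t["cgw_inside"],
            "vti_remote": t["vgw_inside"],
            "route": f"{aws_vpc_cidr} via {t['vgw_inside']}",
        }
        for t in tunnels
    ]


if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE_CONFIG)
    issues = check_redundancy(tunnels, cluster_vip="203.0.113.10")
    print("problems:", issues or "none")
    for n, entry in enumerate(vti_plan(tunnels, "10.0.0.0/16"), 1):
        print(f"tunnel {n}: {entry}")
```

Run it against the real download by replacing SAMPLE_CONFIG with the file contents and cluster_vip with your cluster's VIP; if it reports a customer gateway IP that is a member's physical address rather than the VIP, the customer gateway object in AWS was created with the wrong IP and the tunnel will drop on cluster failover. The two routes it prints point the same VPC prefix at both VTI remote addresses, which is what lets traffic move to the surviving tunnel when one AWS endpoint goes down.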


