I ran into an interesting conflict last week with the AWS VPN (Virtual
Private Network) Gateway. I know there
is a limitation on your AWS account: you are not allowed to have multiple
customer gateways within a region that share the same IP address. Lifting it would be an extremely
nice feature, because it would let us connect multiple VPCs (Virtual Private
Clouds) inside the same region to a single VPN device outside of AWS. There are a lot of use cases for
having multiple VPCs within a region each terminate a VPN on a single customer
gateway device:
- Logical separation of Development and Production environments
- Logical separation of data at different classification levels for industry compliance and regulatory restrictions
- Customer segregation
Based on this, I thought I would be clever and create
two customer gateways within the same region, but separate them across two
AWS accounts. I was able to create the customer gateway and bring up the
VPN connection in the first AWS account. I then went into the second AWS account and
was able to create the customer gateway successfully; however, when I went to
create the VPN connection I received a conflict error on the customer
gateway. Come to find out, regardless of
AWS account separation, you cannot create a VPN connection to the AWS
VPN gateway if the customer gateway address is already in use anywhere else within
a single AWS Region.
The way to work around this is to separate the VPCs and their
customer gateways across different AWS regions, regardless of whether you have one or
multiple AWS accounts.
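The following is an added example, not code from the original post or from AWS. It does two things a practitioner would want before hitting the conflict: a pre-flight check over the JSON that `aws ec2 describe-customer-gateways` and `aws ec2 describe-vpn-connections` return (the field names match those responses; the gateway IDs, connection IDs, account numbers and the 203.0.113.0/24 addresses are constructed sample data), and a planning check that applies the rule observed above (one VPN connection per customer gateway IP per region, across accounts) to a proposed layout. Note the caveat: the pre-flight check can only see your own account, so a conflict caused by another account's customer gateway in the same region will still only surface when you try to create the VPN connection.

```python
"""Pre-flight and planning checks for AWS Site-to-Site VPN customer gateway IP reuse.

Added example; the data below is constructed, not captured from a real account.
The dictionary shapes follow the responses of
`aws ec2 describe-customer-gateways` and `aws ec2 describe-vpn-connections`.
"""
from collections import defaultdict

# Constructed sample: what describe-customer-gateways might return in one
# account and region. The second gateway has been deleted and no longer counts.
SAMPLE_CUSTOMER_GATEWAYS = {
    "CustomerGateways": [
        {"CustomerGatewayId": "cgw-0a1b2c3d4e5f60001", "IpAddress": "203.0.113.10",
         "State": "available", "BgpAsn": "65000", "Type": "ipsec.1"},
        {"CustomerGatewayId": "cgw-0a1b2c3d4e5f60002", "IpAddress": "203.0.113.20",
         "State": "deleted", "BgpAsn": "65000", "Type": "ipsec.1"},
    ]
}

# Constructed sample: describe-vpn-connections for the same account and region.
SAMPLE_VPN_CONNECTIONS = {
    "VpnConnections": [
        {"VpnConnectionId": "vpn-0f1e2d3c4b5a60001", "CustomerGatewayId": "cgw-0a1b2c3d4e5f60001",
         "VpnGatewayId": "vgw-0123456789abcdef0", "State": "available", "Type": "ipsec.1"},
        {"VpnConnectionId": "vpn-0f1e2d3c4b5a60002", "CustomerGatewayId": "cgw-0a1b2c3d4e5f60002",
         "VpnGatewayId": "vgw-0123456789abcdef1", "State": "deleted", "Type": "ipsec.1"},
    ]
}


def ip_in_use(ip, customer_gateways, vpn_connections):
    """Return the IDs of live VPN connections in this account and region whose
    customer gateway uses `ip`.

    A non-empty result means a second VPN connection against that IP here will
    conflict. Deleted gateways and connections still appear in the API output
    for a while, so they are filtered out. This only covers the calling
    account; reuse by another account in the same region is invisible here.
    """
    live_cgw_ids = {
        g["CustomerGatewayId"]
        for g in customer_gateways["CustomerGateways"]
        if g["IpAddress"] == ip and g["State"] != "deleted"
    }
    return sorted(
        v["VpnConnectionId"]
        for v in vpn_connections["VpnConnections"]
        if v["CustomerGatewayId"] in live_cgw_ids and v["State"] != "deleted"
    )


def plan_conflicts(plan):
    """Check a proposed layout against the rule described in the post.

    `plan` is an iterable of (account_id, region, customer_gateway_ip) tuples,
    one per intended VPN connection. A customer gateway IP may back at most
    one VPN connection per region regardless of account, so any (region, ip)
    group with more than one entry is a conflict. Returns a dict mapping each
    conflicting (region, ip) to the list of accounts that claim it.
    """
    groups = defaultdict(list)
    for account_id, region, ip in plan:
        groups[(region, ip)].append(account_id)
    return {key: accounts for key, accounts in groups.items() if len(accounts) > 1}


if __name__ == "__main__":
    # Same-account pre-flight: the IP already backs vpn-0f1e2d3c4b5a60001.
    print(ip_in_use("203.0.113.10", SAMPLE_CUSTOMER_GATEWAYS, SAMPLE_VPN_CONNECTIONS))

    # The two-account layout from the post (constructed account IDs): the
    # second account reusing the IP in us-east-1 is flagged; moving it to
    # us-west-2 is not.
    proposed = [
        ("111111111111", "us-east-1", "203.0.113.10"),
        ("222222222222", "us-east-1", "203.0.113.10"),
        ("222222222222", "us-west-2", "203.0.113.10"),
    ]
    print(plan_conflicts(proposed))
```

Run `plan_conflicts` over the full intended layout before building anything, since the API-based check cannot see other accounts; when it reports a (region, ip) group, move one of the VPCs and its customer gateway to another region, which is the workaround described above.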
James Hirmas is the CEO for JHC Technology. He can be reached at jhirmas(at)jhctechnology.com,@JHC_JamesHirmas, or connect with him on LinkedIn.