I ran into an interesting conflict last week with AWS VPN (Virtual Private Network) Gateway. I know there is a limitation with your AWS account that you are not allowed to have multiple customer gateways within a region having the same IP address. This would be an extremely nice feature because we would be able to connect multiple VPCs (Virtual Private Cloud) inside the same region to a single VPN device outside of AWS. There are a lot of use cases for being able to have multiple VPCs within a region have a VPN connect to a single customer gateway device:
- Logical separation of Development and Production environments
- Logical separation of data at different classification levels for industry compliance and regulatory restrictions.
- Customer segregation
Based on this information, I thought I would be clever to create two customer gateways within the same region, but have them separated by two AWS accounts. I was able to successfully create the customer gateway and perform the VPN connection in the first AWS account. I then went into the second AWS account and was able to create the customer gateway successfully; however, when I went to create the VPN connection I received a conflict error with the customer gateway. Come to find out, regardless of AWS account separation you cannot successfully create VPN connections with AWS VPN gateway if the customer gateway address is being used somewhere else within a single AWS Region.
The way to work around this issue is to separate VPCs and customer gateways across different AWS regions regardless if you have one or multiple AWS accounts.