Saturday, September 12, 2020

Automatic VPN failover when I am only allowed one tunnel

I have a vendor that has a strict one-VPN-tunnel policy: they allow me to have a single VPN from their Amazon cloud presence to my network, no more, end of discussion. Why? I don't know why; they just won't budge, saying it is more secure and easier to manage that way. The contract was signed with them before I joined the company and cannot be renegotiated or terminated for at least another 7-8 years, so they are the ones I have to work with.

At my site I have two internet connections - one Comcast business, one local fiber provider. The VPN to the vendor routes over the fiber connection, and if that goes down I lose the tunnel even though I still have internet access across the other provider.

Let's say my public Comcast IP is 192.168.1.1 and my public fiber IP is 192.168.10.1.

What options do I have to provide a single IP address of, say, 192.168.50.1 that will serve as my endpoint for the tunnel (complying with the vendor's requirements) and from there route over the fiber connection if available or the Comcast connection if not?

I've dabbled in looking at SD-WAN, but I can't find even a ballpark price for the service beyond some companies saying $15,000/month and others saying $150,000/month. Those numbers just don't seem right to me, and I have no idea if it would even help me out in this situation.

A variety of options would be helpful so I can compare advantages/disadvantages and, of course, cost.
