Friday, November 15, 2019

BGP redundancy for default route

Hello all,

We currently have 2 VPCs in AWS. We have 2 datacenters in 2 different cities that are connected to each other via a 1 gig circuit, which we run EIGRP over. We have a total of 8 IPsec tunnels.

Drawing of the scenario:

https://imgur.com/a/JthkCM1

2 tunnels from DC1 to VPC 1

2 tunnels from DC1 to VPC 2

2 tunnels from DC2 to VPC 1

2 tunnels from DC2 to VPC 2

These tunnels are terminated on our 2 ASAs at the 2 different DCs. We plan on turning to route-based VPNs to use VTIs to peer with the VPCs via BGP for route exchange. DC1 is our default-route DC, where we would like our DC1 firewall to advertise the default route so the default traffic comes to DC1. The DC1 firewall has a default route to the outside interface (internet 1) and has static routes to all the LAN subnets. DC2, on the other hand, needs to advertise a few subnets so that traffic bound for DC2 goes straight there instead of being routed through DC1 and then back to DC2. The DC2 firewall also has a default route pointing outside (internet 2), so in case a situation came up where the DC1 tunnels go down, the VPCs have a way to get to a default route from DC2... which brings me to my question.

So the good thing here is that both my firewalls have all the static routes to each datacenter's LAN subnets: the DC1 firewall has all the LAN routes necessary to get to DC2 via the 1 gig link, and the DC2 firewall has all the LAN routes necessary to get to DC1 via the 1 gig link. So my question is: what is the best way to advertise all these routes to be redundant in the way I explained? If the DC1 tunnels go down, all the routes necessary to get to DC1 need to be advertised via the DC2 firewall, which then uses the 1 gig link to get there. So I guess I would need to have both firewalls advertise all the same routes to the VPCs and just put weights on the routes, correct? Such as maybe prepend configs on the DC side?

For the sake of making this a little easier to explain, for this question all I care about is traffic coming from the VPCs to my datacenters, not the other way around... so just inbound traffic, not outbound.

My apologies if this sounds like a confusing question. Please let me know if you have questions. Can't thank you enough.
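One way to lay out the advertisements the question describes, added here as an example and not configuration from the original post. It is written in IOS-style BGP syntax; the ASA BGP CLI is modelled on it (for instance `prefix-list` without the leading `ip`), but every keyword should be checked against the ASA release in use. All addresses and AS numbers are assumptions: on-prem AS 65001 on both firewalls, AWS VGW AS 64512 (the AWS default), DC1 LAN 10.1.0.0/16 and DC2 LAN 10.2.0.0/16 held as /24 statics, and 169.254.x.x VTI peer addresses toward VPC 1 (VPC 2 follows the same pattern with its own peers). The mechanism is the one the question guesses at: both firewalls advertise the same prefixes, DC2 prepends its own AS on the default and on DC1's subnets, and the VGW, which prefers the shortest AS path among VPN routes of equal prefix length, uses DC1 while DC1's tunnels are up and falls back to DC2 when they drop.

```cisco
! ===== DC1 firewall: preferred path for the default route and for all LANs =====
! Assumed prefixes; one combined list avoids matching several lists in one clause.
ip prefix-list ADVERTISE seq 10 permit 0.0.0.0/0
ip prefix-list ADVERTISE seq 20 permit 10.1.0.0/16 le 24
ip prefix-list ADVERTISE seq 30 permit 10.2.0.0/16 le 24
!
! Send default + DC1 + DC2 prefixes with the bare AS path (just 65001).
! The implicit deny at the end keeps any other static from leaking to AWS.
route-map TO-VPC permit 10
 match ip address prefix-list ADVERTISE
!
router bgp 65001
 address-family ipv4 unicast
  ! The firewall's existing static routes (default + LAN statics) feed BGP.
  redistribute static
  ! Required on IOS for 0.0.0.0/0 to be redistributed; verify on ASA.
  default-information originate
  ! Tunnel 1 and tunnel 2 to VPC 1 (assumed VTI peer addresses).
  neighbor 169.254.10.1 remote-as 64512
  neighbor 169.254.10.1 activate
  neighbor 169.254.10.1 route-map TO-VPC out
  neighbor 169.254.11.1 remote-as 64512
  neighbor 169.254.11.1 activate
  neighbor 169.254.11.1 route-map TO-VPC out
!
! ===== DC2 firewall: direct path for its own LANs, backup for everything else =====
ip prefix-list DC2-LAN seq 10 permit 10.2.0.0/16 le 24
ip prefix-list BACKUP seq 10 permit 0.0.0.0/0
ip prefix-list BACKUP seq 20 permit 10.1.0.0/16 le 24
!
! DC2's own subnets: bare AS path, so the VGW sends that traffic straight here.
route-map TO-VPC permit 10
 match ip address prefix-list DC2-LAN
!
! Default and DC1 subnets: identical prefixes to what DC1 sends, prepended three
! times. While DC1's tunnels are up the VGW prefers DC1's shorter path; when they
! are withdrawn these become the only routes and DC2 forwards over the 1 gig link
! using the static routes it already holds.
route-map TO-VPC permit 20
 match ip address prefix-list BACKUP
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 address-family ipv4 unicast
  redistribute static
  default-information originate
  neighbor 169.254.20.1 remote-as 64512
  neighbor 169.254.20.1 activate
  neighbor 169.254.20.1 route-map TO-VPC out
  neighbor 169.254.21.1 remote-as 64512
  neighbor 169.254.21.1 activate
  neighbor 169.254.21.1 route-map TO-VPC out
```

Two checks before relying on this. First, the VGW evaluates longest prefix match before AS path length, so the prepend only works if both firewalls advertise the same prefix lengths: a /24 for a DC1 subnet from DC2 would beat a /16 summary from DC1 no matter how many times it is prepended, which is why both route-maps here take the same `le 24` statics. Second, confirm what each tunnel is actually sending with the advertised-routes view of `show ip bgp neighbors <peer>` on IOS (the ASA form is assumed to be `show bgp neighbors <peer> advertised-routes`), and check the VPC route table shows DC1's tunnels as the propagated next hop while they are up.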


