For AWS newbies: VPC peering only works between VPCs in the same region. You can connect VPCs belonging to different accounts, but ONLY IF they are in the same region.
I have read many articles from different websites, and I can split this page into 3 kinds of solutions.
A. Articles with solutions with a single point of failure
A.1 CloudAcademy
- OpenVPN: Connecting VPCs between regions http://cloudacademy.com/blog/openvpn-aws-vpc/ : a solution with single instances using the commercial OpenVPN from the Marketplace; the HA topic is not mentioned in the article.
A.2 FortyCloud
- INTERCONNECTING TWO AWS VPC REGIONS http://fortycloud.com/interconnecting-two-aws-vpc-regions/ : the Openswan connection is very well documented, but there is no HA; it seems to be a hook to lead people to their commercial solution.
B. Articles with a single point of failure but with some ideas for implementing HA
B.1 From the Amazon blog
There are 2 interesting articles with a single point of failure and some not-so-clear ideas on how to extend them to HA:
- Connecting Multiple VPCs with EC2 Instances (SSL) https://aws.amazon.com/articles/0639686206802544 : the configuration uses openssl and a Linux AMI
- Connecting Multiple VPCs with EC2 Instances (IPSec) https://aws.amazon.com/articles/5472675506466066 : the same solution as the previous point, but using the IPsec protocol
C. Good articles with possible HA implementations
C.1 FortyCloud
The same company promotes its solution for purchase: http://fortycloud.com/solution-overview/
At the moment they have 1 product, Cloud Network Firewall, on the Marketplace https://aws.amazon.com/marketplace/seller-profile/ref=dtl_pcp_sold_by?ie=UTF8&id=2b9c97d3-34b1-457d-9057-bf14be37be40 , in 3 different types: Business Edition, Enterprise Edition and BYOL.
From this datasheet http://fortycloud.com/wp-content/uploads/2016/01/FC_AWS_Datasheet.pdf , if we ignore the marketing bullshit, it seems to have the following interesting features:
- web console
- API engine
- Active Directory and RADIUS integration
- HA: it is written "with its single and dual gateway ha setups forty cloud provides fast and automatic recovery"
- connect multiple regions (there are some number limits)
- connect users
Not all the features are available in all the licenses.
C.2 Rackspace AWS consulting
There is a very good architecture analysis in 3 pages:
- http://blog.rackspace.com/how-to-build-fault-tolerant-cross-region-aws-virtual-private-cloud-communication-part-1-setup
- http://blog.rackspace.com/build-fault-tolerant-cross-region-aws-virtual-private-cloud-communication-part-2-monitoring
- http://blog.rackspace.com/part-3-how-to-build-fault-tolerant-cross-region-aws-virtual-private-cloud-communication
It describes the 3 possible architectures:
- based on installing EC2 instances, as you can see in sections A and B above
- based on the AWS VPN service and your corporate router
- based on the VPN service in one region and EC2 VPN machines in the other region
To use the Rackspace solution, you can use this guide for the routing part:
- Software Astaro and AWS VPN service (see section D.1 below): https://aws.amazon.com/articles/1909971399457482
C.3 Cisco Solution
- In this video, from minute 53 https://www.youtube.com/watch?v=ykmqjgLdmL4&feature=youtu.be : multiple VPC communications using a Cisco machine
C.4 pfSense Netgate
- Announcement here https://blog.pfsense.org/?p=1132
- The Marketplace page is here https://aws.amazon.com/marketplace/pp/B00G6P8CVW/ref=srh_res_product_title?ie=UTF8&sr=0-2&qid=1385067602051
- Feature list https://www.pfsense.org/about-pfsense/features.html
- Documentation http://www.netgate.com/docs/aws-vpn-appliance/quick-start-guide.html
It seems to have HA.
D. Implementation
D1. Astaro testing
I successfully implemented the Astaro solution following the article https://aws.amazon.com/articles/1909971399457482
There are only two small changes to keep in mind to avoid wasting time:
- the Astaro configuration is not present anymore; you need to download the generic conf, as described in this post https://forums.aws.amazon.com/thread.jspa?threadID=104477
- when you add a firewall rule, you need to enable it afterwards, as shown in this image; otherwise it will not work