AWS VPN to Third Party AWS Cloud
I’ve recently worked on a piece of work that involves establishing VPN connectivity from AWS-hosted applications to web services hosted in another third party AWS cloud.
It is interesting to find out that an AWS Managed VPN connection works quite differently from a typical VPN connection to a remote host: it actually expects the remote host (the customer gateway side) to initiate the connection. With all the work done on the remote site to accept VPN connection requests and all firewall rules updated, we are stuck with this issue.
Several options are available:
- Switch to a software VPN to establish the connection. This involves setting up the software VPN and additional NAT servers (as the AWS NAT server doesn’t work with a software VPN), and then there is the challenge of redundancy and failover to different availability zones.
- Change the destination side to continuously send keep-alive traffic that initiates the VPN connection and keeps it open. But this is a silly approach, as there are so many ways it can go wrong. On top of that, the responsibility lies with the remote host, which can be a challenge. It is also possible for the source system in AWS to keep traffic flowing so that the VPN connection never times out, which minimises the risk. However, the risk is still significant.
- VPC Peering is another option. However, I’m pretty sure that the remote site security team will say “hell no”, since they have less control over it.
- Finally, the PrivateLink Endpoint option. … more to come
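Whichever option is chosen, the keep-alive approach above only fails safely if someone on the AWS side notices when a tunnel drops. The following is an added example (not code from the original post) of a tunnel-state check over the response shape returned by boto3's `ec2.describe_vpn_connections()`, whose `VgwTelemetry` list reports each of the two AWS tunnels as `UP` or `DOWN` together with its accepted route count and the time of the last status change. The sample response, the VPN id and the TEST-NET addresses are constructed; the live lookup in `fetch_response` assumes configured AWS credentials. (AWS later added a tunnel "startup action" option that lets the AWS side initiate IKE; where that is available it removes the need for the keep-alive workaround, but the check is useful either way.)

```python
"""Tunnel-state check for an AWS Site-to-Site (managed) VPN connection.

Added example, not from the original post. It parses the VgwTelemetry section of the
response returned by boto3's ec2.describe_vpn_connections() and flags tunnels that are
DOWN, that have been DOWN too long, or that are UP but carry no accepted routes. The
sample response below is constructed; the VPN id is a placeholder.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample mimicking describe_vpn_connections() output (TEST-NET addresses).
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0example0000000001",  # placeholder, not a real id
            "State": "available",
            "VgwTelemetry": [
                {
                    "OutsideIpAddress": "203.0.113.10",
                    "Status": "UP",
                    "StatusMessage": "",
                    "AcceptedRouteCount": 2,
                    "LastStatusChange": datetime(2020, 1, 1, 9, 45, tzinfo=timezone.utc),
                },
                {
                    "OutsideIpAddress": "203.0.113.11",
                    "Status": "DOWN",
                    "StatusMessage": "IPSEC IS DOWN",
                    "AcceptedRouteCount": 0,
                    "LastStatusChange": datetime(2020, 1, 1, 9, 30, tzinfo=timezone.utc),
                },
            ],
        }
    ]
}
# Constructed "current time" and alert threshold used by the stand-alone run.
SAMPLE_NOW = datetime(2020, 1, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_MAX_AGE = timedelta(minutes=15)


def fetch_response(vpn_connection_id):
    """Live lookup; boto3 is imported lazily so the module still loads offline."""
    import boto3  # assumes AWS credentials and region are configured

    ec2 = boto3.client("ec2")
    return ec2.describe_vpn_connections(VpnConnectionIds=[vpn_connection_id])


def tunnel_states(response):
    """Flatten the response into (vpn_id, outside_ip, status, accepted_routes, last_change)."""
    states = []
    for conn in response.get("VpnConnections", []):
        for t in conn.get("VgwTelemetry", []):
            states.append((
                conn["VpnConnectionId"],
                t["OutsideIpAddress"],
                t["Status"],
                t.get("AcceptedRouteCount", 0),
                t.get("LastStatusChange"),
            ))
    return states


def tunnels_down(response):
    """Outside IPs of tunnels whose IPsec status is anything other than UP."""
    return [ip for _, ip, status, _, _ in tunnel_states(response) if status != "UP"]


def tunnels_down_longer_than(response, now, max_age):
    """Tunnels that have been DOWN for more than max_age (a timedelta) as of `now`."""
    stale = []
    for _, ip, status, _, last_change in tunnel_states(response):
        if status != "UP" and last_change is not None and now - last_change > max_age:
            stale.append(ip)
    return stale


def tunnels_up_without_routes(response):
    """UP tunnels with no accepted routes: IPsec is fine but routing is not."""
    return [ip for _, ip, status, routes, _ in tunnel_states(response)
            if status == "UP" and routes == 0]


def has_redundancy(response):
    """True only when every tunnel of every connection is UP (both AWS tunnels usable)."""
    states = tunnel_states(response)
    return bool(states) and all(status == "UP" for _, _, status, _, _ in states)


def report(response, now, max_age):
    """Text summary, suitable for a cron job that feeds a CloudWatch custom metric."""
    lines = [f"{vpn} {ip} {status} routes={routes}"
             for vpn, ip, status, routes, _ in tunnel_states(response)]
    lines.append(f"down: {tunnels_down(response)}")
    lines.append(f"down longer than {max_age}: {tunnels_down_longer_than(response, now, max_age)}")
    lines.append(f"up but no routes: {tunnels_up_without_routes(response)}")
    lines.append(f"redundant: {has_redundancy(response)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSE, SAMPLE_NOW, SAMPLE_MAX_AGE))
```

Run on a schedule with `fetch_response(...)` in place of `SAMPLE_RESPONSE`, an alert on `tunnels_down_longer_than` catches the case the post worries about (the remote side stops initiating and the tunnel silently stays down), while `has_redundancy` shows whether the second AWS tunnel is actually providing failover rather than sitting permanently DOWN.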