Administrator, January 24, 2024 at 6:31 pm
Hello AWSPro21 and sac,
There are different architectures recommended by AWS for designing centralized egress traffic to the internet. The first option is to use a NAT Gateway (if you have resources in private subnets) along with a Transit Gateway. The second option is to provision a virtual appliance on an EC2 instance (in place of the NAT Gateway) and Transit Gateway. Typically, this setup is done when you want to have Intrusion Prevention/Detection System (IPS/IDS) capabilities. However, this setup has some drawbacks, such as a lack of support for failure detection (depending on the vendor you’re using), difficulty in horizontal scaling, and bandwidth limits. As a workaround, AWS used to recommend attaching an IPsec VPN to TGW instead of a VPN attachment. IPsec VPN leverages the failure detection capabilities of BGP and makes scaling a bit easier to manage. This is what the question is referring to regarding the VPN attachment.
However, please note that this type of design is quite outdated, and AWS now actually recommends using Gateway Load Balancer in place of the IPsec VPN attachments. We’ll make sure to update this question to correct the issue.
Carlo @ Tutorials Dojo
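The route plumbing behind the first option above (NAT Gateway plus Transit Gateway), as an added Terraform example that is not part of Carlo's reply or any AWS reference code. It assumes the TGW, VPCs, subnets, route tables, NAT Gateway and the two VPC attachments named below already exist, that the attachments were created with default route-table association disabled, and a constructed spoke CIDR of 10.1.0.0/16.

```hcl
# Added example, not from the original post. Assumed pre-existing resources:
# aws_ec2_transit_gateway.tgw, aws_ec2_transit_gateway_vpc_attachment.spoke
# and .egress, aws_route_table.spoke_private / .egress_tgw_subnet /
# .egress_nat_subnet, and aws_nat_gateway.egress.

# Spoke VPC: the private route table has no Internet Gateway route at all.
# Its only default route is the TGW, so every internet-bound packet is
# forced through the central egress VPC where it can be logged/inspected.
resource "aws_route" "spoke_default_to_tgw" {
  route_table_id         = aws_route_table.spoke_private.id
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
}

# TGW: a dedicated route table for spokes whose default route is the
# egress VPC attachment. Spokes are associated only with this table, so
# they cannot reach each other unless a route is added deliberately.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}

resource "aws_ec2_transit_gateway_route" "spokes_default_to_egress" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.egress.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# Egress VPC: the subnet holding the TGW attachment ENIs sends the default
# route to the NAT Gateway. In the Gateway Load Balancer design the post
# recommends, this route would target the GWLB endpoint (vpc_endpoint_id)
# instead, and the endpoint's subnet would then route to the NAT Gateway.
resource "aws_route" "egress_tgw_subnet_default_to_nat" {
  route_table_id         = aws_route_table.egress_tgw_subnet.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.egress.id
}

# Return path: the NAT Gateway's subnet must route the spoke CIDRs back to
# the TGW, otherwise replies are dropped. 10.1.0.0/16 is a constructed value.
resource "aws_route" "egress_nat_subnet_return_to_spokes" {
  route_table_id         = aws_route_table.egress_nat_subnet.id
  destination_cidr_block = "10.1.0.0/16"
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
}
```

A quick check that the design holds is to confirm no spoke route table carries an `igw-` or `nat-` target for 0.0.0.0/0; any such route bypasses the central egress point.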