Building/Updating IPsec Tunnels Dynamically

nicford — Sat, 05 Aug 2017 00:12:01 GMT

Hi,

We have roughly 30-40 VPN tunnels built to AWS from on-prem, each being used by a different business unit for development. What happens though, is during their process they are forced to blow away their EC2 instance and create a new one. AWS then assigns new public IPs to them. Is there any way for us to pull that information in and have our PANs update dynamically for the IPsec peer address? Right now we manually update them which is very time consuimg.

The only thing I've thought of but haven't explore too much assigning each vpn tunnel a DNS record and having an external vendor or AWS provide the updated IP, using FQDN on our PANs.

Re: Building/Updating IPsec Tunnels Dynamically

Warby — Sat, 05 Aug 2017 22:00:23 GMT

Your DNS idea should work. Another option is to create an address object that gets updated via our API when there is a change but I think the DNS option is cleaner.

Or, better yet, can you change the EC2 instance to use an EIP? When the EC2 instances gets blown away the EIP gets disassociated but not released. Then you can re-associate the same EIP to the new EC2 instance. Then the firewall config won't need to change at all.

topic Re: Building/Updating IPsec Tunnels Dynamically in VM-Series in the Public Cloud

Building/Updating IPsec Tunnels Dynamically

Re: Building/Updating IPsec Tunnels Dynamically