We have roughly 30-40 VPN tunnels built to AWS from on-prem, each being used by a different business unit for development. What happens, though, is that during their process they are forced to blow away their EC2 instance and create a new one. AWS then assigns new public IPs to them. Is there any way for us to pull that information in and have our PANs update dynamically for the IPsec peer address? Right now we manually update them, which is very time consuming.
The only thing I've thought of but haven't explored too much is assigning each VPN tunnel a DNS record and having an external vendor or AWS provide the updated IP, using FQDN on our PANs.
Your DNS idea should work. Another option is to create an address object that gets updated via our API when there is a change but I think the DNS option is cleaner.
Or, better yet, can you change the EC2 instance to use an EIP? When the EC2 instance gets blown away, the EIP gets disassociated but not released. Then you can re-associate the same EIP to the new EC2 instance, and the firewall config won't need to change at all.
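For anyone who cannot switch to EIPs and wants to try the API-updated-address-object route mentioned in the second reply, here is an added example (not from the original thread or from Palo Alto Networks) of the glue script. It assumes each EC2 instance carries a tag (here named "Tunnel") whose value is the name of the PAN-OS address object used as that tunnel's IKE peer, that the objects live in vsys1, and that you already have a PAN-OS XML API key. The AWS side is read from `aws ec2 describe-instances --output json`; the sample embedded below is constructed, not captured from a real account.

```python
"""Sync PAN-OS IKE-peer address objects with the current public IPs of tagged EC2 instances.

Added example, not from the original thread. Assumptions: a "Tunnel" tag on each
instance naming the PAN-OS address object, objects in vsys1, a valid XML API key.
"""
import json
import ssl
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

# Constructed sample of `aws ec2 describe-instances` output (documentation IPs, not real).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Tunnel", "Value": "aws-bu-finance"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.22",
     "Tags": [{"Key": "Tunnel", "Value": "aws-bu-hr"}]},
    # the instance that was just blown away: no public IP any more, must be ignored
    {"InstanceId": "i-0ccc", "State": {"Name": "terminated"},
     "Tags": [{"Key": "Tunnel", "Value": "aws-bu-finance"}]},
    # untagged instance: not a tunnel peer, ignored
    {"InstanceId": "i-0ddd", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.99"},
]}]})

VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"


def extract_public_ips(describe_json: str, tag_key: str = "Tunnel") -> dict:
    """Map tunnel name -> current public IP for running, tagged instances only."""
    result = {}
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            name, ip = tags.get(tag_key), inst.get("PublicIpAddress")
            if name and ip:
                result[name] = ip
    return result


def plan_updates(firewall_objects: dict, aws_ips: dict) -> dict:
    """Return only the objects whose configured /32 differs from what AWS reports.

    A tunnel present on the firewall but missing from AWS (instance mid-rebuild)
    is left alone, so a half-finished rebuild never produces a bogus commit.
    """
    return {name: f"{ip}/32" for name, ip in aws_ips.items()
            if firewall_objects.get(name) != f"{ip}/32"}


def build_set_request(fw_host: str, api_key: str, obj_name: str, cidr: str) -> str:
    """PAN-OS XML API URL that sets <ip-netmask> on an ip-netmask address object."""
    xpath = f"{VSYS_XPATH}/address/entry[@name='{obj_name}']"
    query = urllib.parse.urlencode({"type": "config", "action": "set", "xpath": xpath,
                                    "element": f"<ip-netmask>{cidr}</ip-netmask>", "key": api_key})
    return f"https://{fw_host}/api/?{query}"


def build_commit_request(fw_host: str, api_key: str) -> str:
    query = urllib.parse.urlencode({"type": "commit", "cmd": "<commit></commit>", "key": api_key})
    return f"https://{fw_host}/api/?{query}"


def pan_call(url: str) -> str:
    """Send one API request and return the status attribute of the <response>."""
    ctx = ssl.create_default_context()  # verify the firewall cert; load your CA if it is private
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return ET.fromstring(resp.read()).get("status", "unknown")


def sync(fw_host: str, api_key: str, describe_json: str, firewall_objects: dict,
         dry_run: bool = True) -> dict:
    """Compute the needed changes; push them plus one commit unless dry_run."""
    changes = plan_updates(firewall_objects, extract_public_ips(describe_json))
    if changes and not dry_run:
        for name, cidr in changes.items():
            if pan_call(build_set_request(fw_host, api_key, name, cidr)) != "success":
                raise RuntimeError(f"set failed for {name}")
        if pan_call(build_commit_request(fw_host, api_key)) != "success":
            raise RuntimeError("commit failed")
    return changes


if __name__ == "__main__":
    # What the firewall has now (constructed): finance is stale, hr already matches.
    current = {"aws-bu-finance": "198.51.100.5/32", "aws-bu-hr": "203.0.113.22/32"}
    print(sync("fw.example.internal", "REDACTED-API-KEY", SAMPLE_DESCRIBE_INSTANCES, current))
```

Run it from cron or a Lambda with `dry_run=False` once you trust the diff. Two caveats: `action=set` merges into the existing entry, so the target objects must already be ip-netmask type (an fqdn object would end up with both fields and fail commit), and the API key should belong to a dedicated admin role limited to address objects and commit, not a superuser.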