The all depends on what type of design and throughput you are looking for?
For example if you use AWS Native IPsec then you will need to setup a VGW which has a limit of 1.25 Gbps throughput
if you setup VM-Series to Device your limit is only the bandwidth and the performance capabilities of the devices you are using for VPN. That will probably be the main thing to consider but I am sure there is more.
It would be best to do the VPN to AWS and let the VM firewall deal with inspection. After all, why bog down the VM firewall with the extra overhead of doing encryption/decryption? AWS VPN is also pretty easy to set up, even with BGP for dynamic routing for failover.
Without knowing more about your use case, the decision around where to decrypt will come down to routing. In general, if you terminate on the VGW, there are very limited options to have the traffic route through the Firewalls due to routing limitations within the VPC. AWS typical recommends "Transit VPC" designs where remote traffic and/or spoke VPC traffic can route through multiple Firewalls in a fault tolerant fashion. You can find both manual and automated Transit VPC Options here.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!