
Sophos UTM - AWS VPN: BGP Woes

I'm setting up our new office location with a Sophos UTM SG310 and I need to replicate my AWS VPN (and GCP) tunnels at the new location. The new location has all new non-conflicting subnets, so I'm not worried about that. What I am worried about is BGP propagation.

We use both AWS and GCP and I have tunnels connecting AWS to GCP as well as tunnels connecting each back to my office. Therein lies the problem. AWS uses BGP to propagate its routes and when I use the same AWS Virtual Private Gateway to add a new tunnel to my new office (new Customer Gateway) and check the routing table on the Sophos I see all of the GCP subnets that are on the other side of the AWS to GCP tunnels.

Now I want to add the GCP tunnels back to my new office but my concern is the routing table. The AWS VPC method hides all of the BGP implementation so there is no way for me to manage those routes (BGP remains disabled in the UI even though BGP happens behind the scenes with the Amazon VPC tool). 

Now you may be wondering how it's working at my current office, and I wonder too. I have even more tunnels set up here because we support two companies, so the 2nd company is on another VPC and I have their tunnel coming back here as well, but that 2nd company does not use any GCP so I don't have a concern with that tunnel. I do have an issue with DNS Request Routing to my AWS DNS Proxy server as the Sophos has multiple BGP routes back to it (via AWS VPC - not me).

I was going to try to use a Static Route while building the new office tunnel to AWS but I don't get a nice downloadable configuration file from AWS to import into the Sophos. Instead, I would have to build out those (redundant) tunnels manually from the Generic VPN details.

I do see that I can edit the Route Propagation for that VPC, but they are all attached to the same Virtual Private Gateway, so I would risk breaking my tunnels by disabling the propagation on them. AWS does recommend using the same VGW for any tunnels to that VPC, but I'm wondering if creating a new VGW for each customer gateway would help. Maybe just using a different VGW for my AWS to GCP tunnels would be more appropriate.

Anyone here have any recommendations or advice? Am I being too anal about this?

One concern is that I see our production subnets at GCP in the routing table on the Sophos which could give all office users direct access to production (if firewall rules allow).



  • I'll add here that as I bring in the GCP tunnels with the same subnets, they do modify the routing table and the AWS routes for the same (on vpc0.0 and vpc0.1 interfaces) disappear from the Sophos routing table. My GCP tunnels are static routes and appear as ipsec routes in the routing table. The issue with the old office (and probably for the new office) is that there is one broad subnet between AWS and GCP that does not get replaced on the local Sophos route table.

    I also see that even though BGP is NOT enabled on this Sophos, I can still run the BGP Debug option (and maybe others) and see my neighbors.

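The concern raised in the original post (GCP production subnets reachable from the office through AWS-propagated BGP routes) and in the follow-up (a broad AWS-to-GCP aggregate route that the more-specific static GCP ipsec routes do not fully replace) can be audited with a longest-prefix-match check over the Sophos routing table. The script below is an added example, not from the poster or Sophos; the route entries, interface names other than vpc0.0/vpc0.1, and the production prefixes are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    iface: str
    source: str  # "bgp" = learned via the AWS VPC tunnel, "ipsec" = static GCP tunnel route


# Constructed sample routing table modelled on the thread: AWS BGP routes on
# vpc0.0/vpc0.1 plus static GCP ipsec routes. All prefixes are hypothetical.
SAMPLE_ROUTES = [
    Route("10.10.0.0/16", "vpc0.0", "bgp"),    # the AWS VPC itself
    Route("10.20.0.0/16", "vpc0.0", "bgp"),    # broad GCP aggregate propagated by AWS
    Route("10.20.5.0/24", "ipsec0", "ipsec"),  # GCP subnet now reachable via direct tunnel
    Route("10.20.6.0/24", "ipsec0", "ipsec"),
]

# Constructed: GCP production subnets that office users should not reach via AWS.
PRODUCTION_PREFIXES = ["10.20.5.0/24", "10.20.6.0/24", "10.20.7.0/24"]


def best_route(routes, dst):
    """Longest-prefix match: the most specific route that fully contains dst."""
    dst_net = ipaddress.ip_network(dst)
    covering = [r for r in routes if dst_net.subnet_of(ipaddress.ip_network(r.prefix))]
    return max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def leaked_via_bgp(routes, production, bgp_ifaces=("vpc0.0", "vpc0.1")):
    """Map each production prefix whose best match is a BGP route on an AWS VPC
    interface to the covering prefix, i.e. traffic that still transits AWS."""
    leaks = {}
    for p in production:
        r = best_route(routes, p)
        if r is not None and r.source == "bgp" and r.iface in bgp_ifaces:
            leaks[p] = r.prefix
    return leaks


if __name__ == "__main__":
    for prod, via in leaked_via_bgp(SAMPLE_ROUTES, PRODUCTION_PREFIXES).items():
        print(f"{prod} still routed through AWS via BGP aggregate {via}")
```

Only 10.20.7.0/24 is flagged: the two /24s with a static ipsec route win longest-prefix match, while the third still falls under the broad /16 learned from AWS, which is the case the follow-up describes.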