Your company’s office was just reallocated to another site. A Site-to-Site VPN was set up to connect the local server in the new site and the company’s AWS VPC in the AWS region ap-south-1. The VPN is working properly. However, the operation team lead is worried about the robustness of the connection and has consulted you if it is possible to provide more redundancy to the VPN. Which suggestion should you give to him?

Answer options:

A.No redundancy is required as the VPN connection is robust enough to provide auto failover ability. No single point failure exists for the existing solution.
B.Add 1 more tunnel between the customer gateway and virtual private gateway. So if the existing tunnel fails, the traffic can failover to the new one.
C.Add another virtual private gateway as it is a single point without redundancy.
D.Set up a second Site-to-Site VPN connection to the virtual private gateway by using a second customer gateway.

Correct Answer – D
Check out https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNConnections.html on how to provide redundant Site-to-Site VPN connections to provide failover.
Option A is incorrect because the customer gateway is a single point of failure in this case. If it fails, the whole VPN connection is influenced.
Option B is incorrect because there are already two lines between the customer gateway and the virtual private gateway. There is no need to add another tunnel.
Option C is incorrect because the customer gateway is a single point of failure instead of a virtual private gateway.
Option D is correct because adding another Site-to-Site VPN connection is a good redundancy plan. Even if one customer gateway does not work, there is still another path that works.