
How should I setup OpenVPN for multiple regions in the reference architecture?

Answer

In a multi-region setup, I will have multiple app VPCs. Should I deploy another OpenVPN server in that VPC? This can lead to collision of the IAM roles and global resources, so how should I handle that?

[Tracked in ticket #108580](https://support.gruntwork.io/hc/requests/108580)

If you are adding a second region, it is recommended to deploy a `mgmt` VPC to act as the network gateway for the additional VPCs. In this setup, the `mgmt` VPC is configured with a one-way peering connection into each of the `app` VPCs (see [this diagram](https://camo.githubusercontent.com/45ac939c7e1db13491a171dd65c0048f283e810dc72cf0da56cec8a09725d817/687474703a2f2f692e696d6775722e636f6d2f4b43304f4b5a4c2e706e67)). This allows the `mgmt` VPC to connect to resources in each `app` VPC without there being a direct network route between the `app` VPCs themselves. The steps to do this in the Reference Architecture are:

1. Decide on a primary region where the `mgmt` VPC will be deployed.
2. Deploy the `mgmt` VPC using the [vpc-mgmt module](https://docs.gruntwork.io/reference/services/networking/management-vpc). You can also reuse the existing one from the Reference Architecture if you can tolerate the ECS Deploy Runner having network connectivity to your private resources.
3. Set up the peering connection.
   - If the `app` VPC is in the same region as the `mgmt` VPC, you can use the variables in the [vpc module](https://docs.gruntwork.io/reference/services/networking/virtual-private-cloud-vpc) to configure the peering connection.
   - For the `app` VPC in the other region, use the [vpc-peering-cross-accounts-requester](https://github.com/gruntwork-io/terraform-aws-vpc/tree/master/modules/vpc-peering-cross-accounts-requester) and [vpc-peering-cross-accounts-accepter](https://github.com/gruntwork-io/terraform-aws-vpc/tree/master/modules/vpc-peering-cross-accounts-accepter) modules directly. Deploy the requester in the `mgmt` VPC region and the accepter in the `app` VPC region.
4. Deploy the OpenVPN server in the `mgmt` VPC.
5. Update all the NACL and security group rules to accept connections from the OpenVPN server CIDR block.
At the end of this, you should have VPN access to both `app` VPCs via the single OpenVPN server in the `mgmt` VPC, made possible by the peering connection.
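The cross-region part of steps 3 to 5, written out as an added example using plain Terraform AWS provider resources rather than the Gruntwork modules linked above (this is not code from the Reference Architecture). The regions, VPC, route table and security group IDs, and CIDR blocks are placeholders; it assumes both VPCs live in one AWS account, so no `peer_owner_id` is set.

```hcl
# Added example: one-way hub-and-spoke peering between a mgmt VPC in the
# primary region and an app VPC in a second region, using raw AWS provider
# resources instead of the Gruntwork requester/accepter modules.
# All IDs, regions and CIDRs below are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Primary region: hosts the mgmt VPC and the OpenVPN server (requester side).
provider "aws" {
  alias  = "mgmt"
  region = "us-east-1" # placeholder
}

# Second region: hosts the additional app VPC (accepter side).
provider "aws" {
  alias  = "app_eu"
  region = "eu-west-1" # placeholder
}

locals {
  mgmt_vpc_id         = "vpc-0mgmtPLACEHOLDER"
  mgmt_vpc_cidr       = "10.0.0.0/16"
  mgmt_route_table_id = "rtb-0mgmtPLACEHOLDER"

  app_eu_vpc_id         = "vpc-0appEuPLACEHOLDER"
  app_eu_vpc_cidr       = "10.2.0.0/16"
  app_eu_route_table_id = "rtb-0appEuPLACEHOLDER"

  # Subnet in the mgmt VPC where the OpenVPN server runs (placeholder).
  openvpn_subnet_cidr = "10.0.10.0/24"
  # Security group protecting a private resource in the app VPC (placeholder).
  app_eu_private_sg_id = "sg-0appEuPrivPLACEHOLDER"
}

# Step 3 (cross-region): the request is created from the mgmt VPC's region.
resource "aws_vpc_peering_connection" "mgmt_to_app_eu" {
  provider    = aws.mgmt
  vpc_id      = local.mgmt_vpc_id
  peer_vpc_id = local.app_eu_vpc_id
  peer_region = "eu-west-1"
  # Cross-region peerings cannot be auto-accepted on the requester side.
  auto_accept = false
  tags        = { Name = "mgmt-to-app-eu" }
}

# The request is accepted from the app VPC's region.
resource "aws_vpc_peering_connection_accepter" "app_eu" {
  provider                  = aws.app_eu
  vpc_peering_connection_id = aws_vpc_peering_connection.mgmt_to_app_eu.id
  auto_accept               = true
}

# Routes exist only between mgmt and this app VPC. No route is created between
# app VPCs, so the topology stays hub-and-spoke as the answer describes.
resource "aws_route" "mgmt_to_app_eu" {
  provider                  = aws.mgmt
  route_table_id            = local.mgmt_route_table_id
  destination_cidr_block    = local.app_eu_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.mgmt_to_app_eu.id
}

resource "aws_route" "app_eu_to_mgmt" {
  provider                  = aws.app_eu
  route_table_id            = local.app_eu_route_table_id
  destination_cidr_block    = local.mgmt_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.app_eu.id
}

# Step 5: admit traffic from the OpenVPN server's subnet into a private
# resource in the app VPC. The source is the OpenVPN subnet, not the whole
# mgmt VPC CIDR, so only VPN-sourced traffic is allowed across the peering.
resource "aws_security_group_rule" "app_eu_from_openvpn" {
  provider          = aws.app_eu
  type              = "ingress"
  security_group_id = local.app_eu_private_sg_id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [local.openvpn_subnet_cidr]
  description       = "Allow OpenVPN clients via mgmt VPC peering"
}
```

The same-region `app` VPC gets an equivalent pair of routes and security group rule; the NACL side of step 5 is done with `aws_network_acl_rule` entries for the OpenVPN subnet CIDR in both directions (ephemeral return ports included). Because VPC peering is not transitive, a VPN client reaching one `app` VPC through the `mgmt` VPC cannot be forwarded on to another `app` VPC, which is exactly the isolation the one-way design relies on; a useful pre-deployment check is that the `mgmt`, `app` and OpenVPN client CIDR blocks do not overlap, since overlapping ranges make the peering routes ambiguous.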