Site-to-Site VPN with AWS Global Accelerator and Cisco ASAv

Learn how AWS Global Accelerator and Cisco ASAv enhance site-to-site VPN connections for better performance and reduced latency across global clients.

Abdul Gani Khan
Amazon Employee
Published Apr 23, 2025
In today's globally distributed business environment, organizations need reliable and high-performance connectivity to AWS resources. While traditional Site-to-Site VPN connections work well, they can face challenges when dealing with global users and internet congestion. This blog post explores how to leverage AWS Global Accelerator together with Cisco ASAv to create an optimized site-to-site VPN solution.
The Challenge
Organizations with global customers often face several connectivity challenges:
  • Variable performance over the public internet
  • Network congestion affecting VPN stability
  • Increased latency for geographically distant users
  • Inconsistent user experience across different regions
End-users face inconsistent performance and internet congestion, particularly when accessing applications from geographically distant locations. This issue becomes even more pronounced when global customers need to initiate site-to-site VPN connections to specific services within a region.
The solution combines two technologies: AWS Global Accelerator and Cisco ASAv.
1. AWS Global Accelerator is a networking service that improves application availability and performance using Amazon's global network infrastructure. It provides two static anycast IP addresses that serve as fixed entry points to your applications, routing users to the nearest AWS edge location and then optimizing the path to your application endpoints. The service automatically routes traffic to the closest healthy endpoint, reducing internet variability and latency by leveraging Amazon's private network backbone.
2. The Cisco Adaptive Security Appliance (ASA) virtual appliance, also known as Cisco ASAv, is a virtualized version of Cisco's popular firewall and VPN solution. In this design it is the robust firewall that terminates the site-to-site VPN connections. It provides the same security features as the physical ASA hardware, including firewall protection, VPN capabilities, and advanced threat defense, but in a flexible, software-based format that can be deployed in cloud environments like AWS.
By combining these technologies, we can create a faster, more reliable connectivity solution for clients connecting from various locations across the globe.
How It Works
  1. Global Accelerator provides two anycast IP addresses for clients to use in their firewalls for site-to-site VPN configuration.
  2. Traffic enters at the AWS edge location closest to the customer's gateway device and then travels over Amazon's network backbone to the region.
  3. The VPN connection is terminated at Cisco ASA appliances deployed in an AWS region across two Availability Zones.
  4. A Network Load Balancer controls traffic routed to the Cisco ASA appliances.
Benefits of This Approach
  1. Improved Performance: By leveraging AWS's global network, we minimize latency and optimize routing.
  2. Flexibility: Supports many types of customer-side firewalls at the on-premises sites and allows for various routing policies.
  3. Scalability: Ideal for scenarios with multiple customers accessing your service from their on-premises locations.
  4. Reliability: Utilizes multiple Availability Zones for high availability.
To implement this solution, you'll need to:
  • Deploy Cisco ASAv appliances in your AWS account.
  • Create a Network Load Balancer in front of the ASAv instances to add as the endpoint of Global Accelerator.
  • Create a Global Accelerator with listeners on the port range used by the VPN.
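The steps above and the "How It Works" sequence map onto two AWS APIs: Elastic Load Balancing v2 for the NLB and Global Accelerator for the listener and endpoint group. The following boto3 script is an added example, not code from the original post or from AWS; it builds each API call's parameters in a pure function first (so they can be reviewed or unit-tested before anything is created) and only then applies them. It assumes, beyond what the post states, that the VPN needs only IKE on UDP 500 and NAT-T on UDP 4500 (both Global Accelerator and NLB forward TCP/UDP only, so raw ESP cannot be carried and NAT-T is required), that the ASAv instances answer a TCP health check on port 443, and that every ID and ARN is a placeholder to be replaced with real values.

```python
"""
Added example (not from the original post): builds the NLB and Global Accelerator
configuration for the ASAv site-to-site VPN design with boto3, as parameter
dictionaries first, then applies them.

Assumptions not stated in the post: IKE over UDP 500 and NAT-T over UDP 4500
are the only ports the VPN needs; the ASAv instances answer TCP health checks on
port 443; all names, ARNs and IDs below are placeholders.
"""
from __future__ import annotations

# IPsec through Global Accelerator and NLB must ride on UDP: both services forward
# only TCP/UDP, so raw ESP (IP protocol 50) cannot pass and NAT-T (UDP 4500) is required.
IPSEC_UDP_PORTS = (500, 4500)  # IKE, then IKE/ESP encapsulated by NAT-T
HEALTH_CHECK_PORT = "443"      # assumption: ASAv management/TLS port answers TCP

# Placeholder identifiers; replace with values from your account.
VPC_ID = "vpc-PLACEHOLDER"
SUBNETS = ["subnet-AZ1-PLACEHOLDER", "subnet-AZ2-PLACEHOLDER"]
ASAV_INSTANCES = ["i-ASAV-AZ1-PLACEHOLDER", "i-ASAV-AZ2-PLACEHOLDER"]
REGION = "us-east-1"


def nlb_params(name: str) -> dict:
    """Parameters for elbv2.create_load_balancer: internet-facing NLB spanning both AZs."""
    return {"Name": name, "Type": "network", "Scheme": "internet-facing", "Subnets": SUBNETS}


def target_group_params(name: str, port: int) -> dict:
    """One UDP target group per IPsec port. UDP target groups cannot health-check over
    UDP, so a TCP check against the ASAv management port is used (assumption)."""
    return {
        "Name": f"{name}-udp-{port}",
        "Protocol": "UDP",
        "Port": port,
        "VpcId": VPC_ID,
        "TargetType": "instance",
        "HealthCheckProtocol": "TCP",
        "HealthCheckPort": HEALTH_CHECK_PORT,
    }


def nlb_listener_params(lb_arn: str, tg_arn: str, port: int) -> dict:
    """NLB UDP listener forwarding one IPsec port to its target group."""
    return {
        "LoadBalancerArn": lb_arn,
        "Protocol": "UDP",
        "Port": port,
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": tg_arn}],
    }


def accelerator_listener_params(accelerator_arn: str) -> dict:
    """Single UDP listener on the accelerator carrying both IPsec ports; SOURCE_IP
    affinity keeps a given customer gateway pinned to the same endpoint."""
    return {
        "AcceleratorArn": accelerator_arn,
        "Protocol": "UDP",
        "PortRanges": [{"FromPort": p, "ToPort": p} for p in IPSEC_UDP_PORTS],
        "ClientAffinity": "SOURCE_IP",
        "IdempotencyToken": f"{accelerator_arn}-udp-listener",
    }


def endpoint_group_params(listener_arn: str, nlb_arn: str) -> dict:
    """Endpoint group in the VPN region whose only endpoint is the NLB."""
    return {
        "ListenerArn": listener_arn,
        "EndpointGroupRegion": REGION,
        "EndpointConfigurations": [{"EndpointId": nlb_arn, "Weight": 128}],
    }


def apply(name: str = "asav-vpn") -> dict:
    """Create the resources in dependency order and return the two static anycast IPs
    that customers configure as their VPN peer. Needs boto3 and AWS credentials."""
    import boto3  # imported here so the builder functions stay usable without boto3

    elbv2 = boto3.client("elbv2", region_name=REGION)
    ga = boto3.client("globalaccelerator", region_name="us-west-2")  # GA API endpoint is us-west-2

    lb_arn = elbv2.create_load_balancer(**nlb_params(name))["LoadBalancers"][0]["LoadBalancerArn"]
    for port in IPSEC_UDP_PORTS:
        tg_arn = elbv2.create_target_group(**target_group_params(name, port))["TargetGroups"][0]["TargetGroupArn"]
        elbv2.register_targets(TargetGroupArn=tg_arn, Targets=[{"Id": i} for i in ASAV_INSTANCES])
        elbv2.create_listener(**nlb_listener_params(lb_arn, tg_arn, port))

    acc = ga.create_accelerator(Name=name, IpAddressType="IPV4", Enabled=True,
                                IdempotencyToken=f"{name}-accelerator")["Accelerator"]
    listener_arn = ga.create_listener(**accelerator_listener_params(acc["AcceleratorArn"]))["Listener"]["ListenerArn"]
    ga.create_endpoint_group(**endpoint_group_params(listener_arn, lb_arn), IdempotencyToken=f"{name}-endpoint-group")
    return {"anycast_ips": [ip for ipset in acc["IpSets"] for ip in ipset["IpAddresses"]]}


if __name__ == "__main__":
    print(apply())
```

Keeping the parameter builders separate from `apply()` lets you diff the intended listener and target-group configuration against what is actually deployed, and makes the UDP-only constraint explicit: if a customer gateway is configured for ESP without NAT-T, the tunnel will negotiate IKE on port 500 and then stall, so checking NAT-T is enabled on both ends is the first thing to verify when a tunnel through this path fails to come up.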

Solution Architecture

In this setup:
  • Cisco ASAv appliances are deployed across two Availability Zones in an AWS region.
  • A Network Load Balancer distributes traffic to the Cisco ASA instances.
  • AWS Global Accelerator is configured to send traffic to the NLB endpoint.
  • Customers configure the two anycast IP addresses provided by Global Accelerator as the VPN peer on their end of the connection.

Conclusion

By combining AWS Global Accelerator with Cisco ASAv, organizations can provide their global customers with optimized Site-to-Site VPN connectivity. This solution addresses common connectivity challenges while offering the flexibility and security features needed in modern enterprise environments.
The architecture not only improves performance but also provides the scalability and reliability required for business-critical applications. Whether you're supporting multiple customer connections or looking to optimize your existing VPN infrastructure, this solution offers a robust framework for global connectivity.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.