Hi Steve,
Thanks for your response.
I'm still not having much luck. For further clarification, all the VPNs are route based.
From within AWS I deleted the existing VPN tunnel to China, as it has been down for quite some time, and I put a route to our China network (10.47.0.0/16) pointing to the virtual gateway which the VPN from Malaysia connects to. There is a similar entry here for the Malaysia (10.3.0.0/16) network which is propagated from BGP I assume, and since Malaysia can reach AWS I assume this is where the change on the AWS side needs to be made.
From China I have included a route for all traffic to AWS (10.2.0.0/16) to go via the Malaysia-China tunnel interface and given it the gateway for the Malaysia side. I assume this is working, as when I run a traceroute from a domain controller in China to a domain controller in AWS I can see the first hop is the switch, then the China firewall, and the third hop reaches this gateway with some latency, which I would expect given the physical distance between the two. Then it times out.
I've made sure that the route maps we have set up which are attached to various interfaces on the Malaysia firewall (for example the BGP route to AWS) allow for 10.3.x.x and 10.47.x.x, and I am pretty sure I am not missing something here.
Trying to map it out logically, I still can't understand how the SSG in Malaysia differentiates between traffic between it and China and traffic from China meant for AWS, and I assume that this is why the traceroute times out: it just doesn't know where to send it? Do I need to configure something to allow this? You mentioned I could probably do it via policy, however as these are route-based there isn't a policy assigned to them?
Thanks again for your response, and your patience. After this I fully intend to go back over some networking basics because I am drawing blanks when it comes to this!