How do I create a backup VPN for my AWS Site-to-Site VPN connection using the same transit gateway?

Short description

With dynamic routing, you can use the Border Gateway Protocol (BGP) parameters such as local preference, AS_Path, and multi-exit discriminator (MED) values with your VPN connection. A backup AWS Site-to-Site VPN connection is preferred when primary AWS VPN tunnels are down.

Note: The AWS Site-to-Site VPN connection must be dynamic, not static. This is because you can't use the same LAN routes in the routing table for more than one transit gateway attachment. Static routes are then blocked in the transit gateway routing table.

Resolution

Follow these instructions to create a backup AWS VPN using transit gateway:

Note: Equal Cost Multipath (ECMP) doesn't need to be enabled or disabled on the transit gateway. The BGP attribute values that's configured for the prefixes determine the tunnel for the ingress and egress direction.

1.    Follow the instructions to create a transit gateway attachment to a VPN.

2.    For Customer Gateway, choose Existing, and then select the primary AWS VPN gateway ID.

3.    For Routing options, choose Dynamic.

4.    Follow the instructions to view your VPN attachments and note the new VPN attachment.

5.    Follow the instructions to associate a transit gateway route table with the new VPN attachment.

To be sure that the preferred tunnel sends traffic from AWS to an on-premises network, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

Related information

Example customer gateway device configurations for dynamic routing (BGP)