How do I set an Active/Passive AWS Direct Connect connection to AWS?
When using Direct Connect to transport production workloads to and from AWS, it's a best practice to use dual Direct Connect connections using different data centers or providers.
Configure the following:
- Two routers to terminate the primary and secondary Direct Connect connections to avoid a single point of device failure.
- A private virtual interface on each of the Direct Connect routers that terminate to the same Amazon Virtual Private Cloud (Amazon VPC).
- High availability routing protocols (such as HSRP, VRRP, and GLBP) on two routers to allow local servers to use multiple routers that act as a single virtual router. This configuration helps you to maintain connectivity even if the primary router fails.
- Run an internal routing protocol (such as Border Gateway Protocol (BGP)) that learns routes from Direct Connect external BGP gateways and distributes prefixes to internal BGP gateways.
- Active/Passive (failover). In this scenario, one connection handles traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection. You must use Autonomous System (AS) prepending for the routes on one of your links to set it as the passive link.
For more information, see Configure redundant connections.
Note: Check your vendor documentation for commands that are specific to your network device.
Influencing outbound traffic from on premises using local preference
The local preference attribute is used to prefer an exit point from the local AS. If there are multiple exit points from the AS, the local preference attribute is used to select the exit point for a specific route. The highest local preference attribute is selected.
Influencing inbound traffic to on premises using AS PATH prepending when the Direct Connect connections are located in the same AWS Region as the VPC
BGP prefers the shortest AS PATH to get to the destination. Traffic from the VPC to on premises uses the primary router. This is because the secondary router advertises a longer AS PATH.
Note: AS PATH prepending doesn't work when the Direct Connect connections are in different AWS Regions than the VPC.
Influencing inbound traffic to on premises using local preference BGP community tags when the Direct Connect connections aren't located in the same AWS Region as the VPC
You can use local preference BGP community tags to achieve load balancing and route preference for incoming traffic to your network. These local preference BGP community tags are supported:
- 7224:7100 = Low preference
- 7224:7200 = Medium preference
- 7224:7300 = High preference
To support Active/Passive functionality across multiple Direct Connect connections, apply a community tag with a higher preference to the prefixes for the primary or active virtual interface. Apply a community tag with a lower preference to the prefixes for the secondary or passive virtual interface.
For example, set the BGP community tags for your primary or active virtual interfaces to 7224:7300 (high preference). Then, set your secondary or passive virtual interfaces to 7224:7100 (low preference).
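The following is an added example, not part of the AWS article: a small Python model of the three BGP decisions described above (local preference for outbound traffic, AS PATH prepending for inbound traffic in the same Region, and the 7224:7x00 community tags for inbound traffic from another Region). Link names, the on-premises ASN 65000, and the relative weights given to the community tags are constructed for illustration; treating an untagged prefix as medium preference is an assumption of the model.

```python
from dataclasses import dataclass, field

# Relative weight given to each documented local preference community tag (higher wins).
COMMUNITY_PREFERENCE = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
ONPREM_ASN = 65000  # constructed sample ASN for the on-premises network

@dataclass
class Route:
    link: str                       # hypothetical name of the Direct Connect link
    as_path: list[int]              # AS PATH exactly as advertised or received
    local_pref: int = 100           # local preference set on the receiving on-premises router
    communities: list[str] = field(default_factory=list)

def prepend(as_path: list[int], asn: int, times: int) -> list[int]:
    """AS PATH prepending: repeat your own ASN so the path looks longer."""
    return [asn] * times + list(as_path)

def aws_best_path(routes: list[Route]) -> Route:
    """Path toward on premises: community-derived preference, then shortest AS PATH (untagged = medium, assumed)."""
    def pref(r: Route) -> int:
        tags = [COMMUNITY_PREFERENCE[c] for c in r.communities if c in COMMUNITY_PREFERENCE]
        return max(tags) if tags else COMMUNITY_PREFERENCE["7224:7200"]
    return max(routes, key=lambda r: (pref(r), -len(r.as_path)))

def onprem_best_path(routes: list[Route]) -> Route:
    """Exit point chosen inside the on-premises AS: highest local preference, then shortest AS PATH."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))

def demo() -> dict[str, str]:
    results = {}
    # Inbound, same Region: the passive link prepends its ASN three times, so AWS avoids it.
    primary = Route("dx-primary", [ONPREM_ASN])
    passive = Route("dx-passive", prepend([ONPREM_ASN], ONPREM_ASN, 3))
    results["inbound_same_region"] = aws_best_path([primary, passive]).link
    # Inbound, different Region: tag the active VIF 7224:7300 and the passive VIF 7224:7100.
    primary = Route("dx-primary", [ONPREM_ASN], communities=["7224:7300"])
    passive = Route("dx-passive", [ONPREM_ASN], communities=["7224:7100"])
    results["inbound_other_region"] = aws_best_path([primary, passive]).link
    # Outbound: the router holding the primary link sets a higher local preference.
    via_primary = Route("dx-primary", [7224], local_pref=200)
    via_passive = Route("dx-passive", [7224], local_pref=100)
    results["outbound"] = onprem_best_path([via_primary, via_passive]).link
    # Failover: the primary is withdrawn and the only remaining path is chosen.
    results["outbound_after_failover"] = onprem_best_path([via_passive]).link
    return results

if __name__ == "__main__":
    print(demo())
```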
How can I use BGP communities to influence the preferred routing path on Direct Connect links from AWS to my network?
How can I use BGP communities to control the routes advertised and received over the AWS public virtual interface with Direct Connect?