How do I create a backup VPN for my AWS Site-to-Site VPN connection?


I want to create a backup AWS Virtual Private Network (AWS VPN) connection for my AWS Site-to-Site VPN connection.

Short description

If you use dynamic routing, then use Border Gateway Protocol (BGP) attributes such as local preference, AS_PATH, and multi-exit discriminator (MED) to rank the tunnels of your primary and backup VPN connections. While the primary tunnels are up, their routes win the BGP path selection. If the primary AWS VPN tunnels go down, then their routes are withdrawn and the backup AWS Site-to-Site VPN connection is preferred.

Note: The backup AWS Site-to-Site VPN connection must use dynamic routing, not static routing. In a transit gateway route table, you can't point the same destination (your on-premises LAN prefixes) at more than one transit gateway attachment with static routes, so a static route for the backup attachment is blocked. With BGP, both attachments can advertise the same prefixes and the BGP attributes decide which attachment carries the traffic.


To create a backup AWS VPN that uses a transit gateway, complete the following steps:

Note: You don't need to turn Equal Cost Multipath (ECMP) on or off on the transit gateway for this setup. The BGP attribute values that you configure for the prefixes determine the tunnel for each direction: the attributes that your customer gateway device attaches to the prefixes that it advertises to AWS decide the AWS-to-on-premises (egress) path, and the attributes that your device applies to the prefixes that it receives from AWS decide the on-premises-to-AWS (ingress) path.

  1. Create a transit gateway attachment of type VPN.
  2. For Customer Gateway, choose Existing, and then choose the customer gateway ID that your primary AWS Site-to-Site VPN connection uses.
  3. For Routing options, choose Dynamic.
  4. View your VPN attachments, and note the ID of the new VPN attachment.
  5. Associate a transit gateway route table with the new VPN attachment. Use the same route table that your primary VPN attachment uses, so that both attachments learn and advertise the same prefixes.

Then confirm that traffic from AWS to your on-premises network leaves through the tunnel that you intend to prefer, and that the return traffic uses the same connection. If the two directions use different connections, the path is asymmetric and a stateful firewall on either side can drop the flows. See How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?
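The following is an added example, not code from AWS or from this article, that shows how the BGP attributes named above pick the active tunnel in each direction and why the backup connection takes over only when the primary tunnels go down. The topology is constructed: on-premises AS 65000, transit gateway AS 64512, tunnel-1 and tunnel-2 on the primary connection, tunnel-3 and tunnel-4 on the backup; the prefixes, ASNs, tunnel names, and the prepend and local-preference values are assumptions chosen for illustration. The decision process is trimmed to LOCAL_PREF, AS_PATH length, and MED, in the standard BGP order, with the tunnel name standing in for the later tie-breakers.

```python
from dataclasses import dataclass, replace

# Constructed topology (assumed values, not from AWS documentation).
ONPREM_ASN = 65000
AWS_ASN = 64512
ONPREM_PREFIX = "10.10.0.0/16"   # advertised by the customer gateway device
VPC_PREFIX = "172.16.0.0/16"     # advertised by AWS over every tunnel


@dataclass(frozen=True)
class Route:
    prefix: str
    tunnel: str          # IPsec tunnel that carries this BGP session
    connection: str      # "primary" or "backup" Site-to-Site VPN connection
    as_path: tuple       # AS_PATH as received on this session
    local_pref: int = 100
    med: int = 0
    up: bool = True      # False once the tunnel and its BGP session are down


def path_rank(route):
    """BGP best-path order for the attributes the article names.

    Highest LOCAL_PREF wins, then shortest AS_PATH, then lowest MED. The tunnel
    name is a deterministic stand-in for the router-ID tie-break.
    """
    return (-route.local_pref, len(route.as_path), route.med, route.tunnel)


def best_path(routes, prefix):
    """Route that carries traffic for `prefix`, or None if every tunnel is down."""
    candidates = [r for r in routes if r.prefix == prefix and r.up]
    return min(candidates, key=path_rank, default=None)


def tunnels_down(routes, connection):
    """Simulate both tunnels of one connection going down: their routes are withdrawn."""
    return [replace(r, up=False) if r.connection == connection else r for r in routes]


def with_local_pref(routes, tunnel, value):
    """Change the LOCAL_PREF the customer device assigns to one neighbor."""
    return [replace(r, local_pref=value) if r.tunnel == tunnel else r for r in routes]


def aws_view():
    """Routes the transit gateway receives from the customer device.

    The device prepends its own ASN twice on the backup sessions and sends a
    higher MED on the second tunnel of each pair. LOCAL_PREF never crosses an
    eBGP session, so it can't steer this direction.
    """
    short, prepended = (ONPREM_ASN,), (ONPREM_ASN, ONPREM_ASN, ONPREM_ASN)
    return [
        Route(ONPREM_PREFIX, "tunnel-1", "primary", short, med=100),
        Route(ONPREM_PREFIX, "tunnel-2", "primary", short, med=200),
        Route(ONPREM_PREFIX, "tunnel-3", "backup", prepended, med=100),
        Route(ONPREM_PREFIX, "tunnel-4", "backup", prepended, med=200),
    ]


def onprem_view():
    """Routes the customer device receives from AWS.

    AWS advertises the VPC prefix identically on all four sessions, so the
    device ranks them with a per-neighbor LOCAL_PREF.
    """
    aws = (AWS_ASN,)
    return [
        Route(VPC_PREFIX, "tunnel-1", "primary", aws, local_pref=200),
        Route(VPC_PREFIX, "tunnel-2", "primary", aws, local_pref=150),
        Route(VPC_PREFIX, "tunnel-3", "backup", aws, local_pref=100),
        Route(VPC_PREFIX, "tunnel-4", "backup", aws, local_pref=50),
    ]


def active_paths(aws_routes, onprem_routes):
    """Tunnel used in each direction, plus whether both use the same connection.

    A mismatch means asymmetric routing, which a stateful firewall on either
    side may drop.
    """
    egress = best_path(aws_routes, ONPREM_PREFIX)      # AWS -> on-premises
    ingress = best_path(onprem_routes, VPC_PREFIX)     # on-premises -> AWS
    return {
        "aws_to_onprem": egress.tunnel if egress else None,
        "onprem_to_aws": ingress.tunnel if ingress else None,
        "symmetric": bool(egress and ingress and egress.connection == ingress.connection),
    }


def failover_sequence():
    """Healthy -> primary tunnels down -> primary restored, per direction."""
    aws, onprem = aws_view(), onprem_view()
    return {
        "healthy": active_paths(aws, onprem),
        "primary_down": active_paths(tunnels_down(aws, "primary"), tunnels_down(onprem, "primary")),
        "restored": active_paths(aws, onprem),  # routes re-advertised when tunnels return
    }


if __name__ == "__main__":
    for stage, paths in failover_sequence().items():
        print(f"{stage:13s} AWS->on-prem via {paths['aws_to_onprem']}, "
              f"on-prem->AWS via {paths['onprem_to_aws']}, symmetric={paths['symmetric']}")
```

The `symmetric` flag is the check behind the confirmation step above: the attributes on the prefixes you advertise to AWS and the local preference you assign to the prefixes you receive from AWS are configured separately, so it is easy to prefer the primary connection in one direction and the backup in the other without noticing until a firewall starts dropping half-open sessions.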

Related information

Example customer gateway device configurations for dynamic routing (BGP)

AWS OFFICIAL. Updated 6 months ago.