How do I set up an Active/Passive Direct Connect connection to AWS?


I want to set up an Active/Passive AWS Direct Connect connection to AWS using private virtual interfaces (VIF).


Note: It's a best practice to use dual Direct Connect connections through different data centers or providers to transport production workloads to and from AWS.

Configure the following:

  • Two routers on an on-premises location to terminate the primary and secondary Direct Connect connections to avoid a single point of device failure.
  • A private VIF on each Direct Connect connection, with both VIFs terminating on the same Amazon Virtual Private Cloud (Amazon VPC), either on its virtual private gateway or through a Direct Connect gateway.
  • A first-hop redundancy protocol (such as HSRP, VRRP, or GLBP) on the two routers. This lets local servers use a single virtual gateway address that both routers back, so connectivity is maintained even if the primary router fails. Also run an internal routing protocol between the two routers, such as iBGP, so that each router learns the AWS prefixes that the other router receives over its Direct Connect connection.
  • In an Active/Passive (failover) Direct Connect setup, the active connection carries all traffic and the passive connection is on standby. If the active connection becomes unavailable, all traffic must be rerouted through the passive connection. To mark one link as passive, use Autonomous System (AS) path prepending on the prefixes you advertise over that link, or one of the other methods described in the following sections.

Note: Check your vendor documentation for commands that are specific to your network device.

For more information on configuring redundant Direct Connect connections on AWS, see Configure redundant connections.

Influencing outbound traffic from an on-premises location to AWS

Use the BGP local preference attribute on the on-premises routers to choose the exit point from the local AS. When the same prefix is learned over both Direct Connect connections, the router selects the path with the highest local preference, so assign a higher value to routes learned over the active connection and a lower value to routes learned over the passive connection. Local preference is evaluated before AS path length and MED, and it is shared between your two routers only over iBGP, so both routers must agree on the preferred exit.

Influencing inbound traffic to an on-premises location from AWS

For an Active/Passive configuration of Direct Connect connections:

  • Tag the prefixes that you advertise with an AWS local preference BGP community: the high preference tag (7224:7300) on the active connection and the medium or low tag (7224:7200 or 7224:7100) on the passive connection. AWS evaluates these communities before AS path length.
  • Use AS path prepending: advertise a shorter AS path on the active connection and a longer AS path (your ASN repeated) on the passive connection.
  • Advertise a more specific prefix on the active connection (for example, the two /25 halves of a /24 on the active connection and the /24 itself on the passive connection). Longest prefix match is evaluated before any other BGP attribute.

Note: AS Path prepending can't be used to configure Active/Passive connections in the following scenario:

  • Connection A (virtual interface VIF-A) is in Region 1.
  • Connection B (virtual interface VIF-B) is in Region 2.
  • Both virtual interfaces connect to a VPC in Region 1 using a Direct Connect gateway.
  • Both virtual interfaces advertise the same prefixes with the same BGP attributes (such as AS Path and MED) on both connections from the on-premises location.

In this scenario, traffic from the VPC to the on-premises location prefers Connection A because its VIF is in the same Region as the VPC. AWS evaluates this Region affinity before AS path length, so prepending on Connection A doesn't demote it. To set up Active/Passive Direct Connect connections in this scenario, apply a local preference BGP community tag, which is evaluated before the Region check, or advertise a more specific prefix on the active connection.
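The following Python model is an added example and not code from this article or from AWS. It reproduces the best-path decisions described above on both sides of the link: the on-premises router's outbound choice by local preference, and AWS's inbound choice over a Direct Connect gateway in the order longest prefix, local preference community, Region affinity, AS path length, MED. The community values 7224:7100/7200/7300 are the tags AWS documents; treating an untagged prefix as medium preference is an assumption, and the ASNs, prefixes, and Region names are made up. The cross-Region cases show why prepending alone fails there while a community tag or a more specific prefix works.

```python
# Added example (not from the AWS article): a model of the BGP best-path
# decisions that make one Direct Connect link active and the other passive.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Local preference communities AWS honours on prefixes received over a private VIF.
LOCAL_PREF_COMMUNITY = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
DEFAULT_PREF = 200    # assumption: an untagged prefix is treated as medium
ONPREM_ASN = 65000    # assumption: customer private ASN
AWS_ASN = 64512       # assumption: ASN configured on the AWS side


@dataclass(frozen=True)
class Path:
    prefix: str                 # advertised prefix, e.g. "10.0.0.0/24"
    via: str                    # connection / VIF the prefix was learned on
    as_path: tuple              # AS numbers; prepending repeats the sender's ASN
    communities: frozenset = frozenset()
    med: int = 0
    local_pref: int = 100       # on-premises router's own LOCAL_PREF (outbound)
    region: str = ""            # Region of the VIF (inbound, AWS side)


def _covering(dest, paths):
    dst = ip_address(dest)
    return [p for p in paths if dst in ip_network(p.prefix)]


def _best(candidates, key):
    """Return every path that ties for best; two entries means no single winner."""
    if not candidates:
        return []
    top = max(key(p) for p in candidates)
    return [p for p in candidates if key(p) == top]


def onprem_best(dest, paths):
    """Outbound (on-prem -> AWS): longest prefix, highest LOCAL_PREF,
    shortest AS_PATH, lowest MED. Later standard tie-breakers are omitted."""
    def key(p):
        return (ip_network(p.prefix).prefixlen, p.local_pref, -len(p.as_path), -p.med)
    return _best(_covering(dest, paths), key)


def aws_best(dest, paths, vpc_region):
    """Inbound (AWS -> on-prem) through a Direct Connect gateway: longest prefix,
    local preference community, VIF in the VPC's Region, then shortest AS_PATH
    and lowest MED. Region affinity sits ahead of AS_PATH, so prepending alone
    cannot demote a VIF that is in the VPC's Region."""
    def pref(p):
        tags = [LOCAL_PREF_COMMUNITY[c] for c in p.communities if c in LOCAL_PREF_COMMUNITY]
        return max(tags) if tags else DEFAULT_PREF

    def key(p):
        return (ip_network(p.prefix).prefixlen, pref(p), p.region == vpc_region,
                -len(p.as_path), -p.med)
    return _best(_covering(dest, paths), key)


def vias(paths):
    return sorted(p.via for p in paths)


# Outbound from on-prem: the same VPC CIDR learned over both VIFs, VIF-A preferred.
VPC_CIDR = "172.31.0.0/16"
from_aws = [
    Path(VPC_CIDR, "VIF-A", (AWS_ASN,), local_pref=200),
    Path(VPC_CIDR, "VIF-B", (AWS_ASN,), local_pref=100),
]

# Inbound, both VIFs in the VPC's Region: prepending on VIF-B makes it passive.
LAN = "10.0.0.0/24"
same_region = [
    Path(LAN, "VIF-A", (ONPREM_ASN,), region="us-east-1"),
    Path(LAN, "VIF-B", (ONPREM_ASN,) * 3, region="us-east-1"),
]

# Inbound, VIF-A in the VPC's Region and VIF-B elsewhere; goal: VIF-B active.
prepend_only = [   # prepending on VIF-A does not demote it
    Path(LAN, "VIF-A", (ONPREM_ASN,) * 3, region="us-east-1"),
    Path(LAN, "VIF-B", (ONPREM_ASN,), region="us-west-2"),
]
with_community = [  # high-preference community on VIF-B wins
    Path(LAN, "VIF-A", (ONPREM_ASN,), region="us-east-1"),
    Path(LAN, "VIF-B", (ONPREM_ASN,), region="us-west-2",
         communities=frozenset({"7224:7300"})),
]
more_specific = [   # two /25s on VIF-B beat the /24 on VIF-A
    Path(LAN, "VIF-A", (ONPREM_ASN,), region="us-east-1"),
    Path("10.0.0.0/25", "VIF-B", (ONPREM_ASN,), region="us-west-2"),
    Path("10.0.0.128/25", "VIF-B", (ONPREM_ASN,), region="us-west-2"),
]

if __name__ == "__main__":
    print("outbound:", vias(onprem_best("172.31.5.9", from_aws)))
    print("inbound, same Region:", vias(aws_best("10.0.0.7", same_region, "us-east-1")))
    print("cross-Region, prepend only:", vias(aws_best("10.0.0.7", prepend_only, "us-east-1")))
    print("cross-Region, community:", vias(aws_best("10.0.0.7", with_community, "us-east-1")))
    print("cross-Region, more specific:", vias(aws_best("10.0.0.7", more_specific, "us-east-1")))
```

Running the script prints VIF-A for the first three cases and VIF-B for the two cross-Region fixes. When `aws_best` returns two paths, the advertisements are indistinguishable to AWS and the link is not Active/Passive at all; checking for that condition after every route-map change is a cheap way to catch a prefix that was tagged or prepended on only one router of the pair.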

Related information

How can I use BGP communities to influence the preferred routing path on Direct Connect links from AWS to my network?

How can I use BGP communities to control the routes advertised and received over the AWS public virtual interface with Direct Connect?

AWS Official. Updated a year ago.