I have a primary connection Direct Connect gateway with a backup VPN connection. Why is traffic prioritizing the backup connection?

3 minute read

I have an AWS Direct Connect gateway with my primary connection set to on-premises. I also have a backup VPN connection for failover with my AWS Direct Connect connection. The traffic from my on-premises connection to AWS is prioritizing the backup connection (VPN connection) and not the primary connection (Direct Connect connection). Why is this happening, and how can I fix it?

Short description

Customer gateways prefer the most specific route to Amazon Virtual Private Cloud (Amazon VPC). If the VPN connection has the most specific route, then it's preferred over the Direct Connect connection.


AWS Site-to-Site VPN supports two types of deployment: static and dynamic. Based on your use case, see the related resolution.

Static VPN:

Configure your customer gateway with less specific routes for the VPN connection than the Direct Connect connection.

Dynamic VPN:

Confirm that you're advertising the same routes over the VPN connection and Direct Connect connection.

If the customer gateway receives the same routes over the VPN and Direct Connect connections, it always prefers Direct Connect.

However, if your customer gateway has a more specific route over the VPN than the Direct Connect connection, then VPN is preferred. For example, Direct Connect has a maximum of 20 allowed prefixes. If you add summarized routes to cover all the prefixes, then the CIDRs advertised over VPN become more specific than the CIDRs advertised over Direct Connect. As a result, the customer gateway prioritizes the VPN over the Direct Connect connection.

To resolve this issue, follow these steps:

  1. Add the same route associated with Direct Connect to the Site-to-Site VPN routing table. This results in the Site-to-Site VPN advertising the specific routes and the route that you added.
  2. In the customer gateway, filter out the specific routes advertised by the Site-to-Site VPN. The customer gateway then has the same routes over both connections and prefers the Direct Connect connection.

Traffic from AWS to the customer gateway

If traffic is coming from an AWS connection to your customer gateway, the more specific route is preferred. If the routes are the same, then AWS prefers a Direct Connect connection over a VPN connection for the same on-premises subnet.

To set your AWS connection to prefer VPN over Direct Connect:

  • For a static VPN, add a more specific route in the static VPN route table.
  • For a Border Gateway Protocol (BGP) VPN, advertise a less specific route over the Direct Connect connection. As the most specific route is preferred, the VPN connection is then preferred.

Related information

Route tables and VPN route priority

Route priority

AWS OFFICIALUpdated 2 years ago