I have a primary connection Direct Connect gateway with a backup VPN connection. Why is traffic prioritizing the backup connection?

3 minute read

I have an AWS Direct Connect gateway with my primary connection set to on-premises. I also have a backup VPN connection for failover with my AWS Direct Connect connection. The traffic from my on-premises connection to AWS is prioritizing the backup connection (VPN connection) and not the primary connection (Direct Connect connection). Why is this happening, and how can I fix it?

Short description

Customer gateways prefer the most specific route to Amazon Virtual Private Cloud (Amazon VPC). If the VPN connection has the most specific route, then it's preferred over the Direct Connect connection.

Resolution

AWS Site-to-Site VPN supports two types of deployment: static and dynamic. Based on your use case, see the related resolution.

Static VPN:

Configure your customer gateway with less specific routes for the VPN connection than the Direct Connect connection.

Dynamic VPN:

Confirm that you're advertising the same routes over the VPN connection and Direct Connect connection.

If the customer gateway receives the same routes over the VPN and Direct Connect connections, it always prefers Direct Connect.

However, if your customer gateway has a more specific route over the VPN than the Direct Connect connection, then VPN is preferred. For example, Direct Connect has a maximum of 20 allowed prefixes. If you add summarized routes to cover all the prefixes, then the CIDRs advertised over VPN become more specific than the CIDRs advertised over Direct Connect. As a result, the customer gateway prioritizes the VPN over the Direct Connect connection.

To resolve this issue, follow these steps:

Add the same route associated with Direct Connect to the Site-to-Site VPN routing table. This results in the Site-to-Site VPN advertising the specific routes and the route that you added.
In the customer gateway, filter out the specific routes advertised by the Site-to-Site VPN. The customer gateway then has the same routes over both connections and prefers the Direct Connect connection.

Traffic from AWS to the customer gateway

If traffic is coming from an AWS connection to your customer gateway, the more specific route is preferred. If the routes are the same, then AWS prefers a Direct Connect connection over a VPN connection for the same on-premises subnet.

To set your AWS connection to prefer VPN over Direct Connect:

For a static VPN, add a more specific route in the static VPN route table.
For a Border Gateway Protocol (BGP) VPN, advertise a less specific route over the Direct Connect connection. As the most specific route is preferred, the VPN connection is then preferred.

Related information

Route tables and VPN route priority

Route priority

Topics

Networking & Content Delivery

Relevant content

VPN over Direct Connect with Direct Connect Gateway
Accepted Answer
AWS-User-5823424
asked 3 years ago
Routing to a prefix from TGW through a primary and secondary datacenter VPN connection path
Accepted Answer
AWS-User-7026455
asked 3 years ago
Is it better to have a single Direct Connect Gateway or multiple Direct Connect Gateways?
Accepted Answer
EXPERT
iwasa
asked a year ago
Is there a way to disable a VPN connection instead of deleting it?
Accepted Answer
MNW
asked a month ago
Setup VPN Site to Site backup DirectConnect
rePost-User-2684239
asked 6 months ago
How do I create a backup VPN for my AWS Site-to-Site VPN connection using the same transit gateway?
AWS OFFICIALUpdated 2 years ago
How do I prepare for maintenance on my Direct Connect connection?
AWS OFFICIALUpdated a month ago
How can I resolve asymmetric routing issues when I create a VPN as a backup to Direct Connect in a transit gateway?
AWS OFFICIALUpdated 2 years ago
How can I troubleshoot packet loss for my Direct Connect connection?
AWS OFFICIALUpdated a month ago
Recovering a VMware Cloud on AWS VM backup to EC2 using AWS Backup
EXPERT
apylnev
published 22 days ago