Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

Why is Transit Gateway prioritizing my backup VPN connection over my primary Direct Connect gateway?

2 minute read

I have an AWS Direct Connect gateway with a primary connection to my on-premises network, and a backup VPN connection for failover. However, traffic routes through the backup VPN connection instead of the primary AWS Direct Connect connection.

Resolution

Traffic from customer gateway to AWS

For VPN connections with a static route, configure your customer gateway to use routes that are less specific than your Direct Connect connection.

VPN connections with a dynamic route must be the same or less specific than the Direct Connect gateway's allowed prefixes. Direct Connect has a maximum of 200 allowed prefixes. The customer gateway prefers the path with the most specific route. If you add summarized routes to cover all prefixes, then your VPN routes might be more specific than the Direct Connect transit virtual interface. When you advertise the same routes through VPN and Direct Connect, the customer gateway prefers the Direct Connect connection.

If you have a dynamic route, then take the following actions:

Check the routes in the transit gateway route table for your VPN attachment.
Filter out specific routes that the AWS Site-to-Site VPN advertises in your customer gateway.
Verify that the route table for the Site-to-Site VPN attachment matches the allowed prefixes on the Direct Connect gateway to transit gateway association.

Traffic from AWS to the customer gateway

Verify that the transit gateway route table displays the correct preferred route. AWS Transit Gateway selects routes in the following order:

The most specific route for the destination address
Routes with the same CIDR block and from different attachment types

For routes with the same CIDR block and different attachment types, Transit Gateway prioritizes routes in the following order:

Static routes
Prefix list referenced routes
Direct Connect gateways with propagated routes
Private IP Site-to-Site VPN connections
Site-to-Site VPN connections

Note: Transit Gateway shows only preferred routes. When you advertise the same routes through Direct Connect gateway and Site-to-Site VPN, Transit Gateway shows only the Direct Connect gateway route as preferred. The Site-to-Site VPN route appears only when Direct Connect gateway stops advertising the route.

Related information

How Amazon VPC Transit Gateways work

How do I configure Direct Connect and VPN failover with Transit Gateway?

Topics

Networking & Content Delivery

Relevant content

VPN over Direct Connect with Transit Gateway
Accepted Answer
corymhall
asked 6 years ago
Setup VPN Site to Site backup DirectConnect
rePost-User-2684239
asked 2 years ago
VPN over Direct Connect with Direct Connect Gateway
Accepted Answer
AWS-User-5823424
asked 4 years ago
Direct Connect + VPN + TGW with DX/VPN failover
Accepted Answer
AWS-User-7705521
asked 5 years ago
Migrate VPN to Direct Connect+Transit Gateway
Accepted Answer
corymhall
asked 6 years ago
How can I resolve asymmetric routing issues when I create a VPN as a backup to a Direct Connect connection in a transit gateway?
AWS OFFICIALUpdated 2 years ago
How do I configure Direct Connect and VPN failover with Transit Gateway?
AWS OFFICIALUpdated 3 years ago
How do I troubleshoot Direct Connect and VPN failover issues?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot a failed BGP connection between Site-to-Site VPN and Direct Connect?
AWS OFFICIALUpdated 8 months ago
How to troubleshoot connectivity issues between AWS VPC and On-premises via Transit Gateway based AWS Site to Site VPN.
EXPERT
Narinder Singh Kharbanda
published 2 years ago