How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

I want my AWS Site-to-Site VPN connection to prefer a certain tunnel when it sends traffic from AWS to an on-premises network.

Resolution

Configure a Site-to-Site VPN to prefer a certain tunnel with either static or dynamic VPNs.

Static VPNs between a customer gateway and either a virtual private gateway or transit gateway

With static VPNs, the virtual private gateway or transit gateway sends traffic from AWS to the on-premises network on a single VPN tunnel. The Site-to-Site VPN chooses a preferred tunnel. To configure a Site-to-Site VPN to prefer a specific tunnel, use an active/passive configuration where tunnel A is UP but tunnel B is DOWN. Because tunnel A is UP, traffic from Site-to-Site VPN to the on-premises network traverses tunnel A.

If the static routing connection has an active/active configuration where both tunnels are UP, then you can't configure Site-to-Site VPN to prefer a specific tunnel. For example, the Site-to-Site VPN might randomly choose tunnel A as the preferred VPN tunnel to send traffic from AWS to the on-premises network. If tunnel A goes down, then traffic from the Site-to-Site VPN automatically fails over to tunnel B.

Dynamic VPNs between a customer gateway and either a virtual private gateway or transit gateway

Virtual private gateway or transit gateway configurations with ECMP routing deactivated

If you deactivate Equal Cost Multipath (ECMP) routing, then the Site-to-Site VPN sends traffic to the on-premises network over tunnel A when the following conditions are both true:

  • The Site-to-Site VPN connection has an active/active configuration (both tunnels are UP).
  • The Site-to-Site VPN connection advertises the same prefixes to the virtual private gateway or transit gateway with the same Border Gateway Protocol (BGP) attributes.

Note: With an active/active configuration, you must activate asymmetric routing on your customer gateway virtual tunnel interfaces.

The result of an active/passive configuration is the same for dynamic routing as for static routing. Because tunnel A is UP, traffic from Site-to-Site VPN to the on-premises network traverses tunnel A.

Transit gateway configurations with ECMP routing activated

If you activate ECMP routing, then the transit gateway load balances traffic between the VPN tunnels when the following conditions are both true:

  • The customer gateway device advertises the same prefixes over the tunnels.
  • BGP attributes for the prefixes advertised from the customer gateway device are identical on the VPN tunnels. These BGP attributes include the AS-Path prepend, the first Autonomous System (AS) in the AS_SEQUENCE, and the Multi-Exit Discriminator (MED).

For more information, see How can I achieve ECMP routing with multiple Site-to-Site VPN tunnels that are associated with a transit gateway?

For restrictions on the use of ECMP with Transit Gateway, see Equal Cost Multipath routing.

Customer gateway configurations

Set your customer gateway device to prefer one Site-to-Site VPN tunnel over the other. To do this, take any of the following actions:

  • Advertise a more specific prefix to the virtual private gateway or transit gateway on the preferred tunnel.
  • Shorten the AS PATH value. If the prefixes match, and each VPN connection uses BGP, then the customer gateway prefers the prefix with the shortest AS PATH.
  • Lower the MED value. If AS PATH values are the same length, and the first AS value in the AS_SEQUENCE is the same across paths, then the customer gateway compares MED values. The customer gateway prefers the path with the lowest MED value.
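The tie-break order in the list above (more specific prefix, then shorter AS PATH, then lower MED when the first AS in the AS_SEQUENCE matches) and the "identical attributes" condition for ECMP on a transit gateway can be checked against a small model before you touch a customer gateway. The Python below is an added example written for this article, not code from AWS or from any gateway vendor: the tunnel labels, prefixes, ASN 65000 and MED values are constructed, and a full tie without ECMP returns tunnel A, which is what the article states for the ECMP-deactivated case.

```python
"""Model of the tunnel-preference tie-break order described in the article.
Added example; all tunnel names, prefixes, ASNs and MED values are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Advertisement:
    """One prefix as advertised by the customer gateway over one VPN tunnel."""
    tunnel: str                 # constructed label, e.g. "tunnel_A"
    prefix: str                 # e.g. "10.0.0.0/16"
    as_path: Tuple[int, ...]    # AS_SEQUENCE; as_path[0] is the first AS
    med: int = 0                # Multi-Exit Discriminator, lower is preferred


def most_specific(ads: List[Advertisement], destination: str) -> List[Advertisement]:
    """Keep only the advertisements whose prefix contains the destination and,
    among those, only the longest (most specific) prefix."""
    dest = ip_network(destination)
    matches = [a for a in ads if dest.subnet_of(ip_network(a.prefix))]
    if not matches:
        return []
    longest = max(ip_network(a.prefix).prefixlen for a in matches)
    return [a for a in matches if ip_network(a.prefix).prefixlen == longest]


def select_tunnels(ads: List[Advertisement], destination: str,
                   ecmp: bool = False) -> List[str]:
    """Return the tunnel(s) the AWS side would use for the destination.

    1. more specific prefix wins
    2. shorter AS_PATH wins
    3. MED is compared only if the first AS in AS_SEQUENCE is the same on all
       remaining paths; lower MED wins
    4. still tied: with ECMP (transit gateway only) every remaining tunnel
       carries traffic; without ECMP a single tunnel is used, and the article
       states that this is tunnel A
    """
    cands = most_specific(ads, destination)
    if not cands:
        return []
    shortest = min(len(a.as_path) for a in cands)
    cands = [a for a in cands if len(a.as_path) == shortest]
    if len(cands) > 1 and len({a.as_path[0] for a in cands}) == 1:
        lowest = min(a.med for a in cands)
        cands = [a for a in cands if a.med == lowest]
    names = sorted(a.tunnel for a in cands)   # "tunnel_A" sorts first
    if len(names) > 1 and not ecmp:
        return names[:1]
    return names


# Constructed sample: both tunnels advertise the same /16 with equal AS_PATH,
# but tunnel A carries a lower MED, so it is preferred for return traffic.
SAMPLE_ADVERTISEMENTS = [
    Advertisement("tunnel_A", "10.0.0.0/16", (65000,), med=100),
    Advertisement("tunnel_B", "10.0.0.0/16", (65000,), med=200),
]

if __name__ == "__main__":
    print(select_tunnels(SAMPLE_ADVERTISEMENTS, "10.0.5.9"))
```

Changing the sample to prepend 65000 on tunnel A's AS_PATH, or to advertise a /24 only on tunnel B, moves the selection to tunnel B, which mirrors the first two bullets above; making both advertisements identical and passing `ecmp=True` returns both tunnels, the transit gateway load-balancing case.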

Note: It's a best practice to not prepend AS PATH values so that both tunnels have an equal AS PATH value. With an equal AS PATH value, the MED value that AWS sets on the tunnel during VPN tunnel endpoint updates determines tunnel priority.

Note: AWS VPN doesn't support ECMP for Site-to-Site VPN connections on a virtual private gateway. AWS VPN supports ECMP for Site-to-Site VPN connections on a transit gateway.