VPN tunnel switching setting


A local firewall and a VPC are set up with a VPN. In the local firewall, the IP of tunnel 1 is the first priority and the IP of tunnel 2 is the second priority. When there is a problem with the IP of tunnel 1, AWS fails over to tunnel 2 to keep communicating with the local firewall. But when tunnel 1 is restored, AWS does not switch back to tunnel 1 to communicate with the firewall; it stays on tunnel 2. How do I set it up so that when tunnel 1 is restored, AWS also switches back to tunnel 1 to communicate with the local firewall?

  • Are you using a static route-based VPN or a BGP-based dynamic VPN?

Asked 2 years ago, 378 views
2 answers

Accepted answer

Hi,

Simply put, the VPN tunnel is randomly chosen by AWS and is called the preferred tunnel. If your AWS VPN connection (static route type) has an active/active configuration (both tunnels are up), you cannot configure a specific preferred tunnel in AWS to send traffic.

But for dynamic AWS VPN connections (active/active), you can set the customer gateway device to prefer one VPN tunnel over the other by leveraging the order of preference criteria:

  1. Advertising a more specific prefix over the preferred tunnel
  2. Advertising a shorter AS_PATH over the preferred tunnel
  3. Setting lower MED values over the preferred tunnel

Hope this helps

AWS
jcvip
Answered 2 years ago
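The accepted answer's second and third criteria (shorter AS_PATH and lower MED) translate into outbound BGP policy on the customer gateway. The following is an added Cisco IOS-style fragment written to illustrate that; it is not from the original post or from the configuration file AWS generates for a VPN connection. The on-premises ASN 65000, the AWS virtual private gateway ASN 64512, the inside-tunnel peer addresses 169.254.10.1 (tunnel 1) and 169.254.11.1 (tunnel 2), and the prefix 10.1.0.0/16 are assumed values for the example.

```text
! Added example, not from the original post. Assumed values:
!   on-premises ASN 65000, AWS virtual private gateway ASN 64512,
!   AWS inside-tunnel BGP peers 169.254.10.1 (tunnel 1) and 169.254.11.1 (tunnel 2),
!   on-premises prefix 10.1.0.0/16.
!
! Outbound policy for tunnel 1: advertise the prefix unchanged with a low MED
! ("set metric" in a BGP outbound route-map sets the MED).
route-map TUNNEL1-OUT permit 10
 set metric 100
!
! Outbound policy for tunnel 2: prepend our own ASN twice (longer AS_PATH)
! and set a higher MED, so AWS only selects this path while tunnel 1 is down.
route-map TUNNEL2-OUT permit 10
 set as-path prepend 65000 65000
 set metric 200
!
! Inbound policy: prefer routes learned over tunnel 1 for traffic we send to
! AWS, so both directions use the same tunnel. A stateful firewall drops
! sessions that leave over one tunnel and return over the other.
route-map TUNNEL1-IN permit 10
 set local-preference 200
route-map TUNNEL2-IN permit 10
 set local-preference 100
!
router bgp 65000
 network 10.1.0.0 mask 255.255.0.0
 neighbor 169.254.10.1 remote-as 64512
 neighbor 169.254.10.1 route-map TUNNEL1-IN in
 neighbor 169.254.10.1 route-map TUNNEL1-OUT out
 neighbor 169.254.11.1 remote-as 64512
 neighbor 169.254.11.1 route-map TUNNEL2-IN in
 neighbor 169.254.11.1 route-map TUNNEL2-OUT out
```

The point of doing this with BGP rather than static routes is that AWS re-runs best-path selection whenever a session changes state: while tunnel 1 is down only the tunnel 2 route exists, and as soon as tunnel 1's BGP session re-establishes, its shorter AS_PATH and lower MED make it the best path again, so traffic returns to tunnel 1 without any manual action. The `network` statement requires 10.1.0.0/16 to be present in the routing table. To verify what each peer is being sent, use `show ip bgp neighbors <peer> advertised-routes` on the customer gateway; on the AWS side, the per-tunnel TunnelDataIn and TunnelDataOut CloudWatch metrics for the VPN connection show which tunnel is actually carrying traffic. If the device cannot prepend or set MED, the answer's first criterion works instead: advertise the two /17 halves of the prefix over tunnel 1 and the /16 over tunnel 2, since longest-prefix match is evaluated before any BGP attribute.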

Hello,

See this Knowledge center article:

https://aws.amazon.com/premiumsupport/knowledge-center/vpn-configure-tunnel-preference/

Note also the following from our documentation:

We recommend that you use BGP-capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.

AWS
EXPERT
Answered 2 years ago
