By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Transit Gateway: can't connect 2nd TGW BGP IP

0

Hi,

I setup a lab with a Cisco C8000v appliance in a VPC connected to a TGW via a Connect Attachment (over a VPC Transport Attachment). I added a peer on this Connect Attachment with the inside CIDR 169.254.100.0/29. The router (169.254.100.1) can ping and activate a BGP session (over GRE) with 169.254.100.2 (1st TGW inside IP). Everything works smoothly (BGP routes sent and received).

But the router can't ping or activate a BGP session with 169.254.100.3 (the 2nd TGW inside IP).

Is this an expected behavior or should I be able to activate the 2 BGP sessions simultaneously ?

BR, Damien.

2 Answers
1

Hi Damien,

The AI-generated answer is unfortunately not correct in this instance. Both BGP sessions on the connect peer should be established in order to ensure fault tolerance. That is very clearly stated in the Transit Gateway documentation. I have a similar lab setup and both BGP peers are in fact established. I was going to suggest that you may need to enable multi-hop peering as I ran into that issue myself. However, that wouldn't explain why you can't ping the second peer through the tunnel. The only thing I can think of is to double check the mask on your router's tunnel interface. If that were incorrectly set to /30, it might explain why you can reach the 169.254.100.2 peer but not the 169.254.100.3.

AWS
answered a month ago
  • Thanks for this update. I kept my Terraform scripts. I'll try to relaunch them to make sure I can setup a BGP session with both IPs.

0

The behavior you're experiencing is expected. In a Transit Gateway Connect attachment, you can establish a BGP session with only one of the Transit Gateway's inside IP addresses, not both simultaneously.

When you create a Connect peer on a Transit Gateway Connect attachment, you specify an inside CIDR block (in your case, 169.254.100.0/29). The Transit Gateway automatically assigns two IP addresses from this range for its own use. However, only one of these addresses (typically the first one, 169.254.100.2 in your scenario) is actively used for the BGP session.

The second IP address (169.254.100.3 in your case) is essentially a backup or standby address. It's not meant to be used for an active BGP session simultaneously with the first address. This design provides redundancy in case of issues with the primary IP, but it doesn't support concurrent BGP sessions to both addresses.

Your setup, where you have successfully established a BGP session with 169.254.100.2 and are able to exchange routes, is functioning as intended. The inability to ping or establish a BGP session with 169.254.100.3 is not an issue, but rather the expected behavior of the Transit Gateway Connect feature.

If you need to establish multiple BGP sessions for increased redundancy or bandwidth, you would typically create additional Connect peers within the same Connect attachment, each with its own inside CIDR block. Each of these peers would then establish a BGP session with one of the Transit Gateway's assigned IP addresses from their respective CIDR blocks.

Sources
Transit Gateway Connect attachments and Transit Gateway Connect peers in Amazon VPC Transit Gateways - Amazon VPC
AWS Transit Gateway features - Amazon Web Services
TransitGatewayConnectPeerConfiguration - Amazon Elastic Compute Cloud

profile picture
answered a month ago
  • I'm not satisfied with this answer : one of the sources mentions: "The routing information received from both BGP sessions is accumulated for the given Connect peer." So I suppose that at some point I should be able to activate 2 BGP sessions at the same time !?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions