Setup VPN Site to Site backup DirectConnect

We have set up 1 DX with a private virtual interface attached directly to a Virtual Private Gateway (without Transit Gateway and Direct Connect Gateway). In addition, we have 1 Site-to-Site VPN as backup (static routing). We have a few questions, as follows:

  1. Which routes take precedence by default in the Virtual Private Gateway (BGP DX propagated route or static VPN propagated route)? How can we change this if they have the same prefix?
  2. If DX goes down, will it fail over to VPN automatically in the Virtual Private Gateway, or do we need more configuration?

Thank you for your help!
1 Answer

Q. Which routes take precedence by default in the Virtual Private Gateway (BGP DX propagated route or static VPN propagated route)? How can we change this if they have the same prefix?

A. See below, from the documentation:

When a virtual private gateway receives routing information, it uses path selection to determine how to route traffic. Longest prefix match applies. If the prefixes are the same, then the virtual private gateway prioritizes routes as follows, from most preferred to least preferred:

  • BGP propagated routes from an AWS Direct Connect connection
  • Manually added static routes for a Site-to-Site VPN connection
  • BGP propagated routes from a Site-to-Site VPN connection
  • For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred.

Q. If DX goes down, will it fail over to VPN automatically in the Virtual Private Gateway, or do we need more configuration?

A. You can have more specific prefixes advertised and propagated via DX and add a less specific static prefix via the VPN connection; with the setup below, the DX route will be prioritized (longest prefix match).

Example:

10.0.0.0/8 --> Static VPN Route Entry

10.0.0.0/24 --> DX Propagated

10.1.0.0/24 --> DX Propagated etc.

If DX goes down, the propagated routes will be removed and traffic will take the VPN connection route.

AWS EXPERT, answered a year ago
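
The selection order and failover described in the answer above, as an added example that is not part of the original answer and is not AWS code: a small Python model of longest prefix match followed by the documented source preference, run over the answer's three routes. The function names and the source labels (`dx_bgp`, `vpn_static`, `vpn_bgp`) are assumptions made for illustration, and the AS PATH tie-break between BGP VPN connections is left out.

```python
import ipaddress

# Preference among equal-length prefixes, most preferred first,
# following the order quoted from the documentation in the answer.
SOURCE_RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}


def select_route(routes, destination):
    """Return the (prefix, source) chosen for destination, or None if no route matches."""
    dest = ipaddress.ip_address(destination)
    candidates = [
        (ipaddress.ip_network(prefix), source)
        for prefix, source in routes
        if dest in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    # Longest prefix wins first; source preference only breaks ties.
    net, source = min(candidates, key=lambda c: (-c[0].prefixlen, SOURCE_RANK[c[1]]))
    return str(net), source


def without_dx(routes):
    """Model a DX outage: routes propagated over DX are withdrawn."""
    return [(prefix, source) for prefix, source in routes if source != "dx_bgp"]


# Constructed route table matching the example in the answer.
ROUTES = [
    ("10.0.0.0/8", "vpn_static"),
    ("10.0.0.0/24", "dx_bgp"),
    ("10.1.0.0/24", "dx_bgp"),
]

# Constructed case for the first question: identical prefix from both sources.
SAME_PREFIX = [("10.0.0.0/24", "vpn_static"), ("10.0.0.0/24", "dx_bgp")]

if __name__ == "__main__":
    for dst in ("10.0.0.5", "10.1.0.9", "10.2.0.1"):
        print(dst, "DX up:", select_route(ROUTES, dst),
              "DX down:", select_route(without_dx(ROUTES), dst))
    print("same prefix:", select_route(SAME_PREFIX, "10.0.0.5"))
```

In this model, 10.2.0.1 takes the VPN route even while DX is up, because only the static /8 covers it; destinations that should prefer DX need a more specific prefix advertised over DX.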
