- Newest
- Most votes
- Most comments
Flow-awareness is something from MPLS, not from standard IP routing. But I think I know what you mean:
The way that ECMP works is that a node distributes the traffic across the multiple path based on an algorithm. The two common ones are:
- 3-tuple: the protocol number in the IP header (i.e., TCP, UDP, ICMP, …) and the IP source and destination addresses
- 5-tuple: the protocol number, the IP addresses and the TCP or UDP source and destination port numbers
In the case here, the TGW will look at packets destined to the VPN ECMP and based on 5-tuple hash that packet to one of the path. Similarly the CGW/CPE will perform hashing on the packets destined for the TGW.
With this the response might not traverse the same path as a request. You will end up with asymmetric routing. That's perfectly fine as IP routing is stateless.
The problem starts if your VPN terminates on a stateful firewall and not a router. A stateful firewall will often be configured to allow established and related connections. For this to work, you must assure, that the firewall can "see" the "new" connection part as well as the "established" connection part. As written above with ECMP that's not the case.
Relevant content
- Accepted Answerasked 4 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated a year ago