By using AWS re:Post, you agree to the Terms of Use
/Transit Gateway ECMP Flow Aware/

Transit Gateway ECMP Flow Aware


Is a Transit Gateway, configured with ECMP and multiple VPNs advertising the same CIDR range, flow aware to prevent asynchronous routing?

1 Answers
Accepted Answer

Flow-awareness is something from MPLS, not from standard IP routing. But I think I know what you mean:

The way that ECMP works is that a node distributes the traffic across the multiple path based on an algorithm. The two common ones are:

  • 3-tuple: the protocol number in the IP header (i.e., TCP, UDP, ICMP, …) and the IP source and destination addresses
  • 5-tuple: the protocol number, the IP addresses and the TCP or UDP source and destination port numbers

In the case here, the TGW will look at packets destined to the VPN ECMP and based on 5-tuple hash that packet to one of the path. Similarly the CGW/CPE will perform hashing on the packets destined for the TGW.
With this the response might not traverse the same path as a request. You will end up with asymmetric routing. That's perfectly fine as IP routing is stateless.

The problem starts if your VPN terminates on a stateful firewall and not a router. A stateful firewall will often be configured to allow established and related connections. For this to work, you must assure, that the firewall can "see" the "new" connection part as well as the "established" connection part. As written above with ECMP that's not the case.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions