Flow-awareness is something from MPLS, not from standard IP routing. But I think I know what you mean:
The way that ECMP works is that a node distributes the traffic across the multiple paths based on an algorithm. The two common ones are:
- 3-tuple: the protocol number in the IP header (i.e., TCP, UDP, ICMP, …) and the IP source and destination addresses
- 5-tuple: the protocol number, the IP addresses and the TCP or UDP source and destination port numbers
In the case here, the TGW will look at packets destined to the VPN ECMP and, based on the 5-tuple, hash that packet to one of the paths. Similarly, the CGW/CPE will perform hashing on the packets destined for the TGW.
With this, the response might not traverse the same path as the request. You will end up with asymmetric routing. That's perfectly fine, as IP routing is stateless.
The problem starts if your VPN terminates on a stateful firewall and not a router. A stateful firewall will often be configured to allow established and related connections. For this to work, you must ensure that the firewall can "see" the "new" connection part as well as the "established" connection part. As written above, with ECMP that's not the case.
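The following simulation is an added example, not code from the answer above or from AWS. It models the mechanism the answer describes: a 3-tuple or 5-tuple hash picks one of several VPN tunnels per direction, and a separate stateful firewall behind each tunnel only passes the reply if it also saw the SYN. The hash function (sha256 over the tuple), the four tunnels and the IP addresses and ports are all constructed stand-ins; the real TGW/CPE hash is not published and any deterministic per-flow hash produces the same effect.

```python
"""Simulate ECMP per-flow hashing over VPN tunnels and what a per-tunnel
stateful firewall sees.  Added example, not AWS code: the hash function is a
stand-in for the TGW/CPE hash and the tunnel count and addresses are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src_ip: str
    dst_ip: str
    src_port: int       # 0 for protocols without ports (e.g. ICMP)
    dst_port: int
    syn: bool = False   # True on the first packet of a TCP connection

    def reply(self):
        """The response packet: addresses and ports swapped, no SYN flag."""
        return Packet(self.proto, self.dst_ip, self.src_ip,
                      self.dst_port, self.src_port)


def ecmp_path(pkt, n_paths, tuple_size=5):
    """Pick one of n_paths for pkt using a 3-tuple or 5-tuple hash.
    Any deterministic hash gives per-flow stickiness; sha256 is only a stand-in."""
    if tuple_size == 3:
        key = (pkt.proto, pkt.src_ip, pkt.dst_ip)
    elif tuple_size == 5:
        key = (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
    else:
        raise ValueError("tuple_size must be 3 or 5")
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


class StatefulFirewall:
    """Minimal 'allow new + established' firewall, one instance per tunnel."""

    def __init__(self):
        self.connections = set()    # 5-tuples accepted as NEW

    def inspect(self, pkt):
        fwd = (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
        if fwd in self.connections or rev in self.connections:
            return "ESTABLISHED"
        if pkt.syn:
            self.connections.add(fwd)
            return "NEW"
        return "DROP"               # mid-stream packet with no matching state


def simulate(flows, n_paths=4, tuple_size=5):
    """Send each request TGW->CPE and its reply CPE->TGW; each tunnel has its own
    stateful firewall.  Returns (request_path, reply_path, verdict) per flow."""
    firewalls = [StatefulFirewall() for _ in range(n_paths)]
    results = []
    for req in flows:
        p_req = ecmp_path(req, n_paths, tuple_size)     # hashed by the TGW
        firewalls[p_req].inspect(req)                   # NEW on that tunnel
        rep = req.reply()
        p_rep = ecmp_path(rep, n_paths, tuple_size)     # hashed by the CGW/CPE
        verdict = firewalls[p_rep].inspect(rep)         # ESTABLISHED or DROP
        results.append((p_req, p_rep, verdict))
    return results


def constructed_flows(count=200):
    """Constructed sample: TCP/443 from one VPC host to one on-prem server,
    varying only the ephemeral source port so every flow is a distinct 5-tuple."""
    return [Packet(6, "10.0.1.10", "192.168.5.20", 49152 + i, 443, syn=True)
            for i in range(count)]


if __name__ == "__main__":
    res = simulate(constructed_flows())
    dropped = sum(1 for _, _, v in res if v == "DROP")
    print(f"{dropped} of {len(res)} replies reached a firewall that never saw the SYN")
```

Running it shows a sizeable share of replies landing on a tunnel whose firewall has no state for the connection and dropping them, while the same flows pass cleanly when request and reply happen to hash to the same tunnel. Switching `tuple_size` to 3 makes every request from the same host pair use one tunnel and every reply another, so the outcome becomes all-or-nothing rather than per-connection, which is the intermittent breakage people typically notice first.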