With a Site-to-Site VPN, how can I set the neighbor remote-as BGP to something other than 65000?
Hi. We are in the process of setting up a Site-to-Site VPN between a TGW and a Customer Gateway. Having downloaded the configuration file, we have been advised by our networking partner that we need to amend the advertised remote-as BGP value.
Creating a new CGW only gives the option to change the 'router bgp' value. How can we change the remote-as value to 12345 (for example)?
We are currently stuck with the IPSEC VPN up, but the overall status as DOWN.
#4: Border Gateway Protocol (BGP) Configuration
router bgp 65001
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 169.254.x.x remote-as 65000
Many Thanks.
AWS Console
Yes, you can change the remote-as by modifying the customer gateway of your Site-to-Site VPN connection using the Amazon VPC console. Summarized steps are listed below; please reference this document (1) for more details.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Customer Gateways.
- Create a NEW Customer Gateway with desired NEW AS number.
- In the navigation pane, choose Site-to-Site VPN Connections.
- Select the Site-to-Site VPN connection and then choose Actions, Modify VPN Connection.
- For Target Type, choose Customer Gateway.
- For Target Customer Gateway ID, choose the ID for the customer gateway created in step 3 with the NEW AS number that you want to use for the connection.
Please keep in mind, after you change the customer gateway, your Site-to-Site VPN connection will be temporarily unavailable for a brief period while we provision the new endpoints.
Modify the remote-as which is found in the downloaded configuration file
Modifying the remote-as found in the downloaded configuration file is not possible. To summarize, modifying ASN information for an existing Transit Gateway is not possible.
We need to create a new Transit Gateway with desired ASN, and attach the desired VPC to the newly created TGW.
Additionally, the VPN connection target type needs to be updated to the newly created TGW.
Once the VPN connection target type is updated, it will be automatically associated with the NEW TGW route table.
On-prem routes learned via VPN BGP session will be propagated to the NEW TGW route table.
Lastly, we need to update the entry in the VPC subnet route table that contains the transit gateway ID to the new transit gateway ID. You can reference this document(1) for more details.
(1) Modifying a Site-to-Site VPN connection's target gateway: https://docs.aws.amazon.com/vpn/latest/s2svpn/modify-vpn-target.htm
(2) Quotas for your transit gateways: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
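Before creating a new TGW, it helps to confirm that the ASN you intend to use is actually one the console accepts and that the remote-as in the downloaded config matches the TGW's Amazon-side ASN (a mismatch is exactly what leaves IPsec up while the overall VPN status stays DOWN). The following check is an added example, not code from the thread or from AWS; the neighbor address and the transit gateway ID are constructed placeholders, and the describe-transit-gateways output is a constructed sample shaped like the CLI's JSON.

```python
import json
import re

# Amazon-side ASN ranges the console accepts for a transit gateway, as quoted in
# the thread: 16-bit private ASNs and 32-bit private ASNs.
TGW_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Constructed sample: the BGP section of a downloaded Site-to-Site VPN
# configuration file, in the same shape as the one quoted in the question.
SAMPLE_CONFIG = """\
#4: Border Gateway Protocol (BGP) Configuration
router bgp 65001
 bgp log-neighbor-changes
 bgp graceful-restart
 address-family ipv4 unicast
  neighbor 169.254.10.2 remote-as 65000
"""

# Constructed sample of `aws ec2 describe-transit-gateways` output (placeholder ID).
SAMPLE_TGW_JSON = json.dumps({"TransitGateways": [
    {"TransitGatewayId": "tgw-0123456789abcdef0", "Options": {"AmazonSideAsn": 65000}}
]})


def parse_bgp_config(text):
    """Return (local_asn, neighbor_ip, remote_asn) from the BGP section.
    `router bgp N` is the customer gateway's own ASN; `remote-as N` is the ASN
    the AWS side of the tunnel is expected to announce."""
    local = re.search(r"^\s*router bgp (\d+)", text, re.M)
    peer = re.search(r"^\s*neighbor (\S+) remote-as (\d+)", text, re.M)
    if not local or not peer:
        raise ValueError("BGP section incomplete")
    return int(local.group(1)), peer.group(1), int(peer.group(2))


def tgw_asn_allowed(asn):
    """True if `asn` falls inside a range the console accepts for a new TGW."""
    return any(lo <= asn <= hi for lo, hi in TGW_ASN_RANGES)


def remote_as_matches_tgw(config_text, tgw_json, tgw_id):
    """True when the config's remote-as equals the named TGW's AmazonSideAsn;
    False signals the ASN mismatch that keeps the BGP session from coming up."""
    _, _, remote_asn = parse_bgp_config(config_text)
    tgws = json.loads(tgw_json)["TransitGateways"]
    tgw = next(t for t in tgws if t["TransitGatewayId"] == tgw_id)
    return remote_asn == tgw["Options"]["AmazonSideAsn"]
```

Run `tgw_asn_allowed` against the ASN your partner requested before creating the replacement TGW, and rerun the match check after downloading the new configuration file.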
Thank you. Yes, the creation of a new Transit Gateway whilst setting the ASN appears to solve this issue.
Though I suspect not, is there any way to accommodate an ASN / BGP value outside of the ranges given in the console, i.e. 23456, rather than entering a value in either the 64512-65534 or 4200000000-4294967294 range?
Many Thanks.