
vpn tunnel traffic change

0

Hello, AWS people. I connected the site-to-site VPN to the on-premises FortiGate equipment. Communication went well, but communication was not possible whenever there was a regular tunnel replacement on AWS. When Tunnel 1 was modified, Telnet worked. However, there were times when the tunnel status was 'available' and it was still not possible to communicate. I guess that happened because the routing priority of the FortiGate was specified. So we set the priority of the FortiGate equipment to 1, and the distance to the same value. After that, the tunnel appears to be functioning normally (there has been no regular update from AWS yet). Looking at the CloudWatch metric, when I modify VPN tunnel 1, I can see that traffic flows to tunnel 2, and when tunnel 1 is up, traffic flows to tunnel 1. Can someone explain why this is?

So... I wonder what's next.

  1. Is the VPN default setting for AWS active/active? Is it active/standby? Both of our tunnels are up.
  2. Will the active tunnel change when the user modifies a VPN tunnel?
  3. Will active tunnels change when AWS makes regular tunnel replacements?
  4. If I modify tunnel 1, why does traffic flow to tunnel 2 and then change back to tunnel 1?
2 Answers
0

Thank you for your detailed question about AWS Site-to-Site VPN behavior. I'll address your concerns and questions one by one:

  1. AWS Site-to-Site VPN is designed to be active/active by default. This means that both tunnels can be used simultaneously for traffic, providing redundancy and load balancing. When both tunnels are up, AWS can use either tunnel for traffic.

  2. When you modify a VPN tunnel, it does impact the traffic flow. During the modification process, the tunnel being modified becomes unavailable. This unavailability causes the traffic to shift to the other available tunnel.

  3. Yes, active tunnels can change during AWS's regular tunnel replacements. AWS periodically updates tunnel endpoints for various reasons, including upgrades and hardware retirement. These updates are applied to one tunnel at a time to maintain connectivity. During this process, traffic will shift to the unaffected tunnel.

  4. The behavior you're observing is the expected failover mechanism of AWS Site-to-Site VPN. When you modify tunnel 1, it becomes temporarily unavailable, causing all traffic to flow through tunnel 2. Once tunnel 1 is back up and available after the modification, AWS may route traffic back to it, especially if it's the preferred path based on your routing configuration.

It's important to note that when you modify VPN tunnel options, connectivity over the modified tunnel is interrupted for up to several minutes. This interruption causes the traffic to shift to the other available tunnel. Once the modification is complete and the tunnel is back up, AWS may route traffic back to it if it's the preferred path.

The behavior you're seeing with traffic flowing back to tunnel 1 after modification could be due to your routing configuration, including the priority settings you mentioned on your Fortigate equipment. If tunnel 1 is set as the preferred path, traffic will naturally flow back to it once it's available again.

To ensure high availability and smooth failover, it's crucial to configure both tunnels properly. AWS strongly recommends configuring both tunnels for redundancy. If one tunnel is down for more than an hour in a day, you'll receive a notification through the AWS Health Dashboard.

Remember to plan for expected downtime when modifying tunnel options and always ensure that both tunnels are properly configured for optimal performance and reliability.
Sources

  - AWS Site-to-Site VPN tunnel endpoint replacements - AWS Site-to-Site VPN
  - AWS Health and AWS Site-to-Site VPN events - AWS Site-to-Site VPN
  - Modify AWS Site-to-Site VPN tunnel options - AWS Site-to-Site VPN
  - Configure VPN tunnel options | AWS re:Post

answered 10 months ago
AWS
EXPERT
reviewed 10 months ago
0

To add some context here, the expected behavior is dependent on the type of gateway you are using [Transit Gateway (TGW) or Virtual Private Gateway (VGW)] and whether you have deployed a static routing VPN or a dynamic/BGP VPN. Please do have a look at this article here, which details the various possible scenarios and hopefully will help explain what you are observing, as well as provide you with a way forward to achieve a consistent behavior.

AWS
EXPERT
answered 10 months ago
AWS
EXPERT
reviewed 8 months ago
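The failover the answers describe, for the static-routing case, as an added example that is not code from the thread, AWS or Fortinet: it models FortiGate-style static-route selection (lowest distance wins, then lowest priority, equal values giving ECMP) and derives tunnel state from a constructed payload shaped like the VgwTelemetry list returned by describe_vpn_connections. The tunnel names, outside IPs and distance/priority values are assumptions.

```python
"""Model of how static routes on a FortiGate-style firewall choose the
egress tunnel of an AWS Site-to-Site VPN, driven by tunnel state shaped
like the VgwTelemetry list from describe_vpn_connections.
Added example for this thread, not AWS or Fortinet code."""

# Constructed telemetry sample (shape of VgwTelemetry); values are made up.
TUNNELS = {"tunnel1": "203.0.113.10", "tunnel2": "203.0.113.20"}
SAMPLE_TELEMETRY = [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 1},
    {"OutsideIpAddress": "203.0.113.20", "Status": "DOWN",
     "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
]

def tunnel_state(telemetry, tunnels=TUNNELS):
    """Map tunnel name -> True when AWS reports that endpoint UP."""
    up_ips = {t["OutsideIpAddress"] for t in telemetry if t["Status"] == "UP"}
    return {name: ip in up_ips for name, ip in tunnels.items()}

def pick_egress(routes, up):
    """Static-route selection: lowest distance wins, then lowest priority;
    equal distance and priority leaves both tunnels active (ECMP)."""
    live = [r for r in routes if up.get(r["tunnel"])]
    if not live:
        return []
    dist = min(r["distance"] for r in live)
    tied = [r for r in live if r["distance"] == dist]
    prio = min(r["priority"] for r in tied)
    return sorted(r["tunnel"] for r in tied if r["priority"] == prio)

def failover_sequence(routes):
    """Egress choice while both tunnels are up, while tunnel1 is being
    modified (down), and after it comes back up."""
    both_up = {"tunnel1": True, "tunnel2": True}
    t1_down = {"tunnel1": False, "tunnel2": True}
    return [pick_egress(routes, both_up), pick_egress(routes, t1_down),
            pick_egress(routes, both_up)]

# Assumed original setup from the question: tunnel1 preferred via lower priority.
PREFERRED = [{"tunnel": "tunnel1", "distance": 10, "priority": 0},
             {"tunnel": "tunnel2", "distance": 10, "priority": 10}]
# Assumed later setup: same distance and same priority on both tunnels.
EQUAL = [{"tunnel": "tunnel1", "distance": 10, "priority": 1},
         {"tunnel": "tunnel2", "distance": 10, "priority": 1}]

if __name__ == "__main__":
    print("preferred:", failover_sequence(PREFERRED))
    print("equal:    ", failover_sequence(EQUAL))
    print("telemetry:", tunnel_state(SAMPLE_TELEMETRY))
```

With the preferred setup the egress moves tunnel1 -> tunnel2 -> tunnel1 across a modification, matching the CloudWatch pattern in the question; with equal distance and priority both tunnels stay eligible whenever both are up.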
