Direct Connect + VPN + TGW with DX/VPN failover
Two of my customers want to use DX (with VPN) connected to a TGW with an additional VPN failover. They want to avoid routing traffic over that failover link unless the primary DX isn’t routing traffic.
All VPN connections seem to default to ECMP if you enable ECMP on the TGW, meaning all traffic is split across all VPN links all the time.
Could you do BGP route manipulation on the on-prem side to achieve this? A combination of advertising a lower-cost route for AWS->on-prem traffic, and AS path prepending for on-prem->AWS?
asked 2 years ago, 9 views
1 Answer
Accepted Answer
So you have multiple IPsec VPNs terminating on the same TGW and want to prefer one over the other? Is that correct?
You can control this from the customer side (CGW):
- AWS->On-Prem: Use AS path prepending or MED to control which path to take
- On-Prem->AWS: Use LOCAL_PREF to control which path to take
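The two controls above, written out as an added example (not from the question or answer) in FRRouting syntax for the customer gateway; the ASNs, link-local peer addresses and on-prem prefix are placeholders. The backup tunnel receives prepended AS paths plus a higher MED so the TGW no longer sees two equal-cost paths to ECMP across, and routes learned over the backup tunnel get a lower LOCAL_PREF so on-prem hosts keep using the VPN-over-DX tunnel while it is up.

```frr
! Added example for a customer gateway running FRRouting.
! Assumed values: on-prem ASN 65000, TGW ASN 64512 (AWS default),
! peer addresses from the tunnel inside CIDRs, on-prem prefix 10.0.0.0/8.
router bgp 65000
 bgp router-id 10.0.0.1
 ! Primary tunnel: IPsec VPN running over Direct Connect
 neighbor 169.254.10.1 remote-as 64512
 neighbor 169.254.10.1 description primary-vpn-over-dx
 ! Backup tunnel: IPsec VPN over the internet
 neighbor 169.254.20.1 remote-as 64512
 neighbor 169.254.20.1 description backup-vpn-internet
 !
 address-family ipv4 unicast
  network 10.0.0.0/8
  ! On-Prem->AWS: LOCAL_PREF decides which tunnel on-prem traffic leaves on
  neighbor 169.254.10.1 route-map PRIMARY-IN in
  neighbor 169.254.20.1 route-map BACKUP-IN in
  ! AWS->On-Prem: make the backup path look worse to the TGW
  neighbor 169.254.20.1 route-map BACKUP-OUT out
 exit-address-family
!
! Routes from AWS over the primary tunnel win the best-path decision
route-map PRIMARY-IN permit 10
 set local-preference 200
!
! Routes from AWS over the backup tunnel are kept only as a fallback
route-map BACKUP-IN permit 10
 set local-preference 50
!
! Advertise on-prem prefixes over the backup tunnel with a longer AS path
! and a higher MED; the primary tunnel keeps the unmodified advertisement
route-map BACKUP-OUT permit 10
 set as-path prepend 65000 65000 65000
 set metric 100
```

If the primary tunnel goes down, its BGP session drops and both directions fall back to the backup tunnel automatically; once it returns, the shorter AS path and higher LOCAL_PREF move traffic back without operator action.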