Direct Connect + VPN + TGW with DX/VPN failover


Two of my customers want to use DX (with VPN) connected to a TGW with an additional VPN failover. They want to avoid routing traffic over that failover link unless the primary DX isn’t routing traffic.

All VPN connections seem to default to ECMP if you enable ECMP on the TGW, meaning all traffic is split across all VPN links all the time.

Could you do BGP route manipulation on the on-prem side to achieve this? A combination of advertising a lower-cost route for AWS->on-prem traffic, and AS path prepending for on-prem->AWS?

asked 4 years ago774 views
1 Answer
Accepted Answer

So you have multiple IPSec VPN terminating on the same TGW and want to prefer one over the other? Is that correct?

You can control this from the customer side (CGW)

  • AWS->On-Prem: Use AS-Prepend or MED to control which path to take
  • On-Prem->AWS: Use LOCAL_PREF to control which path to take
profile pictureAWS
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions