Routing to a prefix from TGW through a primary and secondary datacenter VPN connection path


A customer is setting up a TGW which will route to an on-prem prefix. For resiliency, the plan is to have a primary route to the prefix through a primary datacenter connected by a VPN tunnel, and a secondary route to the same prefix through a secondary datacenter connected by a VPN tunnel.

The thought is that if for some reason both VPN tunnels drop for the connection between the TGW and the primary datacenter, traffic can still be routed to the prefix through the VPN connection to the secondary datacenter. I know this behavior can be achieved by using more specific prefixes with BGP or by using static routes when defining the route through the primary datacenter.

However, I was wondering if there is something more elegant that can be done, similar to using local preference BGP communities if we were working with two Direct Connects. I had also considered using AS Path prepending for this, but in the docs this is discouraged so that the MED value is honored when performing maintenance and needing to switch primary and secondary tunnels.

Suggestions or confirmation that the above options are the best we can do would be appreciated.

Tags: AWS
asked 3 years ago, 689 views

1 Answer

Accepted Answer

The discouragement in the AWS documents against overriding MED with Local_Pref or AS path prepending is for use cases where the IPSec VPN terminates on a VGW. In that case only one of the two tunnels is active and via MED we effectively indicate which of the two that is. With Transit Gateway you are not facing that issue and you can safely consider this guidance out of scope.

AWS Site-to-Site VPN terminating on TGW supports ECMP and Multi-Exit-Discriminator across tunnels in the same and different connections. Therefore you have multiple options:

  • MED: Use MED to indicate your preference for traffic from AWS to on-prem over the primary VPN tunnel(s) (lower MED value) vs. the secondary VPN tunnel(s) (higher MED value) towards AWS. This assumes the same prefix is announced over all tunnels. In the opposite traffic direction (On-Prem -> AWS) use Local_Pref.
  • AS Path Prepending: Use AS Path Prepending to artificially lengthen the path over the secondary VPN tunnels for traffic from AWS to on-prem. In the opposite traffic direction (On-Prem -> AWS) use Local_Pref.
AWS EXPERT, answered 3 years ago; reviewed 22 days ago
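To make the two options in the accepted answer concrete, here is an added example (not from the thread or from AWS) that models a simplified BGP decision process for the AWS-to-on-prem direction: shortest AS path first, then lowest MED, with ECMP across tunnels that tie. The ASN, prefix, tunnel names and MED values are constructed for illustration, and the decision process is a simplification rather than TGW's exact algorithm.

```python
"""Model of TGW egress selection for one on-prem prefix announced over four
VPN tunnels (two per datacenter), using MED or AS path prepending.
Constructed example; ASN, prefix, tunnel names and MED values are assumed."""
from dataclasses import dataclass

ONPREM_ASN = 65000          # assumed customer ASN
PREFIX = "10.20.0.0/16"     # constructed on-prem prefix, same over all tunnels


@dataclass(frozen=True)
class Route:
    tunnel: str      # e.g. "primary-dc-tunnel-1"
    as_path: tuple   # AS path as received from on-prem
    med: int         # Multi-Exit-Discriminator, lower is preferred
    up: bool = True  # BGP session / tunnel state


def best_paths(routes):
    """Simplified decision process: shortest AS path, then lowest MED.
    All routes that still tie form the ECMP set (sorted tunnel names)."""
    cands = [r for r in routes if r.up]
    if not cands:
        return []
    shortest = min(len(r.as_path) for r in cands)
    cands = [r for r in cands if len(r.as_path) == shortest]
    lowest = min(r.med for r in cands)
    return sorted(r.tunnel for r in cands if r.med == lowest)


def med_design(primary_up=True):
    """Option 1: primary tunnels advertise a lower MED than secondary."""
    routes = [
        Route("primary-dc-tunnel-1", (ONPREM_ASN,), med=100, up=primary_up),
        Route("primary-dc-tunnel-2", (ONPREM_ASN,), med=100, up=primary_up),
        Route("secondary-dc-tunnel-1", (ONPREM_ASN,), med=200),
        Route("secondary-dc-tunnel-2", (ONPREM_ASN,), med=200),
    ]
    return best_paths(routes)


def prepend_design(primary_up=True):
    """Option 2: secondary datacenter prepends its ASN twice; MED equal."""
    routes = [
        Route("primary-dc-tunnel-1", (ONPREM_ASN,), med=0, up=primary_up),
        Route("primary-dc-tunnel-2", (ONPREM_ASN,), med=0, up=primary_up),
        Route("secondary-dc-tunnel-1", (ONPREM_ASN,) * 3, med=0),
        Route("secondary-dc-tunnel-2", (ONPREM_ASN,) * 3, med=0),
    ]
    return best_paths(routes)
```

With the primary datacenter up, either design yields ECMP over both primary tunnels; when both primary sessions drop, traffic for the same prefix shifts to ECMP over the two secondary tunnels with no change on the AWS side.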
