Routing to a prefix from TGW through a primary and secondary datacenter VPN connection path
A customer is setting up a TGW that will route to an on-prem prefix. For resiliency, the plan is to have a primary route to the prefix through a primary datacenter connected by a VPN tunnel, and a secondary route to the same prefix through a secondary datacenter connected by a VPN tunnel.
The thought is that if for some reason both VPN tunnels drop for the connection between the TGW and the primary datacenter, that traffic can still be routed to the prefix through the VPN connection to the secondary datacenter. I know this behavior can be achieved by using more specific prefixes with BGP or by using static routes when defining the route through the primary datacenter.
However, I was wondering if there is something more elegant that can be done, similar to using local preference BGP communities if we were working with two Direct Connects. I had also considered using AS Path prepending for this, but in the docs this is discouraged so that the MED value is honored when performing maintenance and needing to switch primary and secondary tunnels.
Suggestions or confirmation that the above options are the best we can do would be appreciated.
The discouragement in the AWS documents against overriding MED with Local_Pref or AS path prepending is for use cases where the IPSec VPN terminates on a VGW. In that case only one of the two tunnels is active and via MED we effectively indicate which of the two that is. With Transit Gateway you are not facing that issue and you can safely consider this guidance out of scope.
AWS Site-to-Site VPN terminating on TGW supports ECMP and Multi-Exit-Discriminator across tunnels in the same and different connections. Therefore you have multiple options:
- MED: Use MED to indicate your preference for traffic from AWS to on-prem over the primary VPN tunnel(s) (lower MED value) vs. the secondary VPN tunnel(s) (higher MED value) towards AWS. This assumes the same prefix is announced over all tunnels. In the opposite traffic direction (On-Prem -> AWS) use Local_Pref.
- AS Path Prepending: Use AS Path Prepending to artificially lengthen the path over the secondary VPN tunnels for traffic from AWS to on-prem. In the opposite traffic direction (On-Prem -> AWS) use Local_Pref.
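As an added illustration of the MED plus Local_Pref option above (not part of the original answer), here is what the BGP policy on the two on-prem routers could look like in FRR/Cisco-style syntax. The ASNs, tunnel inside addresses and prefix are placeholders; it assumes the same prefix is announced over all four tunnels and that both datacenters sit in the same on-prem AS and exchange routes over iBGP, which is what makes Local_Pref meaningful for the on-prem to AWS direction.

```text
! ---- Primary datacenter router (assumed on-prem AS 65000, TGW AS 64512) ----
router bgp 65000
 neighbor 169.254.10.1 remote-as 64512      ! tunnel 1 of primary VPN connection (placeholder)
 neighbor 169.254.11.1 remote-as 64512      ! tunnel 2 of primary VPN connection (placeholder)
 address-family ipv4 unicast
  network 10.0.0.0/16                       ! the on-prem prefix (placeholder)
  neighbor 169.254.10.1 route-map TGW-OUT-PRIMARY out
  neighbor 169.254.10.1 route-map TGW-IN-PRIMARY in
  neighbor 169.254.11.1 route-map TGW-OUT-PRIMARY out
  neighbor 169.254.11.1 route-map TGW-IN-PRIMARY in
 exit-address-family
!
! AWS -> on-prem: lower MED makes TGW prefer the primary tunnels
route-map TGW-OUT-PRIMARY permit 10
 set metric 100
! on-prem -> AWS: higher Local_Pref makes on-prem egress via the primary site
route-map TGW-IN-PRIMARY permit 10
 set local-preference 200

! ---- Secondary datacenter router (same AS 65000) ----
router bgp 65000
 neighbor 169.254.20.1 remote-as 64512      ! tunnel 1 of secondary VPN connection (placeholder)
 neighbor 169.254.21.1 remote-as 64512      ! tunnel 2 of secondary VPN connection (placeholder)
 address-family ipv4 unicast
  network 10.0.0.0/16                       ! identical prefix, so MED is compared
  neighbor 169.254.20.1 route-map TGW-OUT-SECONDARY out
  neighbor 169.254.20.1 route-map TGW-IN-SECONDARY in
  neighbor 169.254.21.1 route-map TGW-OUT-SECONDARY out
  neighbor 169.254.21.1 route-map TGW-IN-SECONDARY in
 exit-address-family
!
! AWS -> on-prem: higher MED, used only when both primary tunnels are down
route-map TGW-OUT-SECONDARY permit 10
 set metric 200
! Alternative to MED from the answer's second option: prepend instead
! set as-path prepend 65000 65000
!
! on-prem -> AWS: lower Local_Pref, so this exit is only used on failover
route-map TGW-IN-SECONDARY permit 10
 set local-preference 100
```

Verify the result from the AWS side by checking the TGW route table shows the prefix with all four attachments and only the primary ones marked active, and from on-prem with the router's BGP table showing the AWS prefixes best-path via the primary site.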