problem with private ip vpn over direct connect with CGW IP is the same as dxgw BGP peer ip


I am trying to connect a private ip vpn. It only works, when I advertise both local prefixes (CGW IP) via bgp to the dxgw.

For the vpn my CGW IP is the same as the dxgw bgp peer ip (local router). CGW is a single box and is the same box as the direct connect bgp peer (local router).

first connection: (BGP peering between <>

(CGW) -----transit-vif------- attachement------

second connection: (BGP peering between <>

(CGW) -----transit-vif------- attachement------

VPN tunnels between: <> <> <> <>

All VPN tunnels get only connected/up, when I advertise and at least via 1 BGP peering. (I don't need to advertise via both peers, also strange)

Usually I only want to advertise one prefix per connection. to and to

so tgw vpn endpoint will get reachability information to CGW via the correct single 1 Path/transit-vif per CGW IP.

Can anyone describe the reason for this behavior ?

Is there some special prefix filtering done on dxgw ?

2 Answers

The behavior you described is expected when using Direct Connect with a transit gateway.

When you establish BGP peering between the Direct Connect gateway and on-premises devices, the routes advertised depend on the allowed prefix lists configured on the transit gateway attachment. Even though each Direct Connect BGP session is peering with a separate on-premises device, they are both using the same transit gateway. So the allowed prefixes apply to both BGP sessions collectively. If you only configure one VPC CIDR in the allowed prefix list, then only that CIDR will be advertised to the on-premises devices, even if there are multiple BGP peers. To advertise routes for each CIDR over the corresponding BGP peer link, you need to include both CIDRs in the allowed prefix list. Then the transit gateway will advertise each CIDR appropriately over the BGP session attached to that CIDR's Direct Connect gateway.

profile picture
answered 2 months ago

thanks for the feedback. You mean the "Allowed prefixes" on the DxGW-to-TGW association can cause the problem ? Unfortunately I can't check this parameter by myself again, but I remember, my aws counterpart added both CIDRs to the "Allowed prefixes" as we provisioned the connections. Maybe the DxGW does not forward the CIDR of the local connected VIF to the TGW, even if both CIDRs and are allowed. But this does not describe the behavior (all VPN tunnels up) if I advertise both CIDRs only via 1 BGP-Peer not not via both. e.g. advertise and to and advertise only to

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions