Problem with private IP VPN over Direct Connect when the CGW IP is the same as the DXGW BGP peer IP


I am trying to connect a private IP VPN. It only works when I advertise both local prefixes (the CGW IPs) via BGP to the DXGW.

For the VPN, my CGW IP is the same as the DXGW BGP peer IP (local router). The CGW is a single box and is the same box as the Direct Connect BGP peer (local router).

First connection (BGP peering between 192.168.1.1 <> 192.168.1.2):

(CGW)192.168.1.1/30 -----transit-vif-------192.168.1.2/30(dxgw)------dxgwToTgw attachment------10.0.0.0(tgw-vpn-endpoint)

Second connection (BGP peering between 192.168.2.1 <> 192.168.2.2):

(CGW)192.168.2.1/30 -----transit-vif-------192.168.2.2/30(dxgw)------dxgwToTgw attachment------10.0.0.1(tgw-vpn-endpoint)

VPN tunnels between:

10.0.0.0 <> 192.168.1.1

10.0.0.1 <> 192.168.2.1

10.0.0.2 <> 192.168.1.1

10.0.0.3 <> 192.168.2.1

All VPN tunnels only come up when I advertise 192.168.1.0/30 and 192.168.2.0/30 via at least one BGP peering. (I don't need to advertise them via both peers, which is also strange.)

Usually I only want to advertise one prefix per connection:

192.168.1.0/30 to 192.168.1.2 and 192.168.2.0/30 to 192.168.2.2

so that the TGW VPN endpoint gets reachability information to the CGW via the correct single path/transit VIF per CGW IP.

Can anyone describe the reason for this behavior?

Is there some special prefix filtering done on the DXGW?

2 Answers

The behavior you described is expected when using Direct Connect with a transit gateway.

When you establish BGP peering between the Direct Connect gateway and on-premises devices, the routes advertised depend on the allowed prefix lists configured on the transit gateway attachment. Even though each Direct Connect BGP session is peering with a separate on-premises device, they are both using the same transit gateway. So the allowed prefixes apply to both BGP sessions collectively. If you only configure one VPC CIDR in the allowed prefix list, then only that CIDR will be advertised to the on-premises devices, even if there are multiple BGP peers. To advertise routes for each CIDR over the corresponding BGP peer link, you need to include both CIDRs in the allowed prefix list. Then the transit gateway will advertise each CIDR appropriately over the BGP session attached to that CIDR's Direct Connect gateway.

EXPERT
answered 2 months ago

Thanks for the feedback. You mean the "Allowed prefixes" on the DxGW-to-TGW association can cause the problem? Unfortunately I can't check this parameter myself again, but I remember that my AWS counterpart added both CIDRs to the "Allowed prefixes" when we provisioned the connections. Maybe the DxGW does not forward the CIDR of the locally connected VIF to the TGW, even if both CIDRs 192.168.1.0/30 and 192.168.2.0/30 are allowed. But this does not describe the behavior (all VPN tunnels up) if I advertise both CIDRs only via one BGP peer, but not via both; e.g. advertise 192.168.1.0/30 and 192.168.2.0/30 to 192.168.1.2 and advertise 192.168.2.0/30 only to 192.168.2.2.

ah-sso
answered a month ago
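As an added example (not part of the original thread or of any AWS tooling), the following Python checks the two things the answer and the reply above disagree about, without console access: whether each on-premises /30 is covered by the allowed prefixes of the DXGW-to-TGW association, and whether the TGW route table actually holds a route back to each tunnel's CGW IP. A tunnel whose CGW IP has no route in the TGW route table cannot come up, which is the symptom in the question. The two JSON strings are constructed for this example and only mimic the field names of `aws directconnect describe-direct-connect-gateway-associations` and `aws ec2 search-transit-gateway-routes`; the gateway IDs in them are placeholders.

```python
"""Check, from the transit gateway's point of view, whether each private IP
VPN tunnel's customer gateway (CGW) IP has a route back over Direct Connect.

The two JSON inputs mimic the shape of real AWS CLI output (only the fields
used here are kept); their contents are constructed for this example:

  aws directconnect describe-direct-connect-gateway-associations \\
      --direct-connect-gateway-id <dxgw-id>
  aws ec2 search-transit-gateway-routes \\
      --transit-gateway-route-table-id <tgw-rtb-id> \\
      --filters Name=type,Values=propagated
"""
import ipaddress
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: both on-prem /30s are in the allowed prefix list.
ASSOCIATIONS_JSON = """
{"directConnectGatewayAssociations": [
  {"associationId": "example-association",
   "directConnectGatewayId": "example-dxgw",
   "associatedGateway": {"id": "tgw-example", "type": "transitGateway"},
   "associationState": "associated",
   "allowedPrefixesToDirectConnectGateway": [
     {"cidr": "192.168.1.0/30"},
     {"cidr": "192.168.2.0/30"}
   ]}
]}
"""

# Constructed sample: only the first /30 was propagated into the TGW route
# table (the "one prefix per peering, second one missing" situation).
ROUTES_JSON = """
{"Routes": [
  {"DestinationCidrBlock": "192.168.1.0/30", "State": "active", "Type": "propagated"},
  {"DestinationCidrBlock": "10.1.0.0/16", "State": "active", "Type": "propagated"}
]}
"""

# Tunnel pairs from the question: (TGW VPN endpoint IP, CGW IP).
TUNNELS: List[Tuple[str, str]] = [
    ("10.0.0.0", "192.168.1.1"),
    ("10.0.0.1", "192.168.2.1"),
    ("10.0.0.2", "192.168.1.1"),
    ("10.0.0.3", "192.168.2.1"),
]


def allowed_prefixes(assoc_json: str) -> Set[str]:
    """CIDRs the DXGW-to-TGW association allows towards the DXGW."""
    data = json.loads(assoc_json)
    return {
        p["cidr"]
        for assoc in data["directConnectGatewayAssociations"]
        for p in assoc.get("allowedPrefixesToDirectConnectGateway", [])
    }


def active_routes(routes_json: str) -> List[ipaddress.IPv4Network]:
    """Active routes currently present in the TGW route table."""
    data = json.loads(routes_json)
    return [
        ipaddress.ip_network(r["DestinationCidrBlock"])
        for r in data["Routes"]
        if r.get("State") == "active"
    ]


def longest_match(addr: str, nets) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix match of one host address against a list of networks."""
    ip = ipaddress.ip_address(addr)
    candidates = [n for n in nets if ip in n]
    return max(candidates, key=lambda n: n.prefixlen) if candidates else None


def is_allowed(cgw_ip: str, allowed: Set[str]) -> bool:
    """True if the CGW IP falls inside some allowed prefix of the association."""
    return longest_match(cgw_ip, [ipaddress.ip_network(c) for c in allowed]) is not None


def tunnel_report(tunnels, routes) -> Dict[str, Optional[str]]:
    """Map 'endpoint<>cgw' to the TGW route that carries the return traffic,
    or None if the TGW has no route to that CGW IP (tunnel cannot come up)."""
    report: Dict[str, Optional[str]] = {}
    for endpoint, cgw in tunnels:
        match = longest_match(cgw, routes)
        report[f"{endpoint}<>{cgw}"] = str(match) if match else None
    return report


if __name__ == "__main__":
    allowed = allowed_prefixes(ASSOCIATIONS_JSON)
    routes = active_routes(ROUTES_JSON)
    for tunnel, route in tunnel_report(TUNNELS, routes).items():
        cgw = tunnel.split("<>")[1]
        print(f"{tunnel}: allowed={is_allowed(cgw, allowed)} route={route}")
```

In the constructed data both /30s are allowed on the association, but only 192.168.1.0/30 is present in the TGW route table, so the two tunnels whose CGW IP is 192.168.2.1 have no return route and would stay down. Pasting real output of the two CLI commands in place of the sample strings separates the two cases the thread is arguing about: a prefix missing from the allowed list versus a prefix allowed but never propagated into the TGW route table.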
