How do I configure my Site-to-Site VPN for my data center and disaster recovery while using a single EC2 server for project access?


When I establish connections with AWS Site-to-Site VPNs A and B, I want to connect them to a Cisco router. However, both Cisco VPNs, A and B, share the same subnet. How can I manage AWS VPN A to communicate exclusively with Cisco VPN A, and when Cisco VPN A is down, enable communication between AWS VPN B and Cisco VPN B? I have a single EC2 server deployed for apps that need to communicate with both VPNs. I want only one VPN to be active at a time, and when the active VPN goes down, the inactive VPN should automatically activate. Is this possible, and if so, how can I handle this?

AWS Design for site to site vpn connection

2 Answers

Hello Joni,

In your scenario, there doesn't seem to be detail concerning the set-up of the 'shared' subnet. So, I would appreciate any corrections on my interpretation.

You can use BGP to route the traffic as described, using the VPN A connection as the primary, failing over to the VPN B connection in the event of complete failure of the primary CGW (Cisco router DC) or VPN Connection. However, please be advised that each Site-to-Site VPN connection is comprised of two tunnels for redundancy. When one tunnel becomes unavailable, traffic is automatically routed to the available tunnel for that specific Site-to-Site VPN connection (e.g. VPN A). Both tunnels would have to fail in order to shift traffic to VPN B.

It seems like you are looking for more robust redundancy by adding a second VPN Connection, VPN B, terminating on a secondary CGW (Cisco router DR). It would be good if you could provide additional detail about the Customer Premise side of the scenario. It would help clarify configuration options.

There is additional documentation on this topic:

Site-to-Site multiple VPN connection examples

There are several configuration options for the Cisco/On-Prem side of this scenario.

AS Path Prepending

As previously mentioned, you could advertise a prepended route from the backup Cisco router over the VPN B connection. The traffic from the VPC would only use this path when the unmodified route being advertised over VPN A disappeared due to a malfunction.

Using BGP AS Path prepending to influence route selection to the Customer

Less specific CIDR range for Backup Path

You could also advertise a less specific CIDR range from the backup Cisco router over the VPN B connection. The traffic from the VPC would only use this path when the more specific route being advertised over VPN A disappeared due to a malfunction.

Using a less specific CIDR range for the backup route to the Customer

In both of these cases, the VPN B Connection is active, but not used for traffic from the VPC to the Customer because the VPN A Connection is considered the better path in terms of route priority.

answered 6 months ago


I think it's possible if you use BGP for VPN routing.
As stated in the document below, the one with the shortest AS Path is prioritized, so you can configure the Active side router to shorten the AS Path.
Since the shorter AS Path is used, normally Cisco VPN A should be used, but if a failure occurs, Cisco VPN B should be used.

  • BGP propagated routes from an AWS Direct Connect connection
  • Manually added static routes for a Site-to-Site VPN connection
  • BGP propagated routes from a Site-to-Site VPN connection
  • For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred.

answered 6 months ago
  • please provide specific configuration
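As an added worked example (not taken from either answer, from AWS, or from Cisco documentation), the following Cisco IOS BGP configuration implements the two on-prem options described in the first answer and the AS Path rule quoted in the second: the DC router advertises the shared subnet unmodified over VPN A, and the DR router advertises it over VPN B either with a prepended AS PATH (option 1) or as a less specific prefix (option 2). All concrete values are assumptions: on-prem ASN 65000, AWS virtual private gateway ASN 64512, tunnel inside addresses 169.254.10.x (VPN A) and 169.254.20.x (VPN B), shared subnet 10.10.0.0/24, and the names SHARED-SUBNET and TO-AWS-BACKUP. Real ASNs and inside addresses come from the tunnel configuration downloaded from the AWS console; the IPsec and Tunnel interface sections of that download are omitted here.

```cisco
! ===== DC router (Cisco VPN A, primary) =====
! Assumed: on-prem ASN 65000, AWS VGW ASN 64512, inside addresses
! 169.254.10.1 / 169.254.10.5 (one BGP peer per tunnel), subnet 10.10.0.0/24.
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.10.1 remote-as 64512
 neighbor 169.254.10.1 timers 10 30 30
 neighbor 169.254.10.5 remote-as 64512
 neighbor 169.254.10.5 timers 10 30 30
 !
 address-family ipv4
  ! advertise the shared subnet unmodified on both tunnels of VPN A
  network 10.10.0.0 mask 255.255.255.0
  neighbor 169.254.10.1 activate
  neighbor 169.254.10.1 soft-reconfiguration inbound
  neighbor 169.254.10.5 activate
  neighbor 169.254.10.5 soft-reconfiguration inbound
 exit-address-family

! ===== DR router (Cisco VPN B, backup), option 1: AS path prepending =====
! Assumed inside addresses 169.254.20.1 / 169.254.20.5.
ip prefix-list SHARED-SUBNET seq 10 permit 10.10.0.0/24
!
route-map TO-AWS-BACKUP permit 10
 match ip address prefix-list SHARED-SUBNET
 ! three extra copies of our own ASN: AWS sees AS PATH "65000 65000 65000 65000"
 ! on VPN B versus "65000" on VPN A, so VPN A wins while it is up.
 ! Anything not matched by the prefix-list is dropped by the implicit deny.
 set as-path prepend 65000 65000 65000
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.20.1 remote-as 64512
 neighbor 169.254.20.1 timers 10 30 30
 neighbor 169.254.20.5 remote-as 64512
 neighbor 169.254.20.5 timers 10 30 30
 !
 address-family ipv4
  network 10.10.0.0 mask 255.255.255.0
  neighbor 169.254.20.1 activate
  neighbor 169.254.20.1 soft-reconfiguration inbound
  neighbor 169.254.20.1 route-map TO-AWS-BACKUP out
  neighbor 169.254.20.5 activate
  neighbor 169.254.20.5 soft-reconfiguration inbound
  neighbor 169.254.20.5 route-map TO-AWS-BACKUP out
 exit-address-family

! ===== DR router, option 2: less specific prefix instead of prepending =====
! Use INSTEAD of the route-map and the /24 "network" statement above.
! AWS prefers the more specific /24 from VPN A while it exists; once it is
! withdrawn, the covering /16 from VPN B is the only match and carries traffic.
! The Null0 static is required because "network" only advertises a prefix
! that is present in the routing table (distance 250 keeps it a last resort).
ip route 10.10.0.0 255.255.0.0 Null0 250
router bgp 65000
 address-family ipv4
  network 10.10.0.0 mask 255.255.0.0
 exit-address-family

! ===== Verification (either option) =====
! show ip bgp summary                                   -> all sessions Established
! show ip bgp neighbors 169.254.20.1 advertised-routes  -> prepended /24 or /16 on VPN B
! show ip bgp neighbors 169.254.10.1 advertised-routes  -> plain /24 on VPN A
! Test failover by shutting both VPN A tunnel interfaces on the DC router and
! confirming that the EC2 instance still reaches 10.10.0.0/24 via VPN B.
```

A few points to check when deploying this. Failover happens only after both VPN A tunnels are down and the AWS side has declared the BGP sessions dead, which with the keepalive/hold values above is roughly the 30 second hold time, so expect a short outage rather than a seamless switch. Both Cisco routers also learn the VPC CIDR from AWS, so the on-prem side must prefer the DC router for VPC-bound traffic while VPN A is up (for example by inbound local-preference or IGP metric); otherwise return traffic can leave via VPN B while inbound traffic arrives via VPN A, and any stateful firewall in the path will drop the asymmetric flows. Use one option or the other, not both, and with option 2 make sure the covering /16 does not overlap prefixes you advertise elsewhere, since AWS longest-prefix matching would then route them unexpectedly. Because the single EC2 instance sees the same on-prem source addresses over either VPN, its security group and route table need no change for the failover.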
