How can I resolve asymmetric routing issues when I create a VPN as a backup to a Direct Connect connection in a transit gateway?

4 minute read

I have an AWS Direct Connect connection. The Direct Connect gateway is associated with an AWS Transit Gateway. I created a Site-to-Site VPN as a backup to the Direct Connect connection, but I have asymmetric routing issues.

Short description

When you use a virtual private network (VPN) connection as a backup to Direct Connect, asymmetric routing issues can occur. Asymmetric routing occurs when network traffic enters through one connection and exits through another connection. If the traffic that's received isn't logged in your stateful table, then network devices, such as firewalls, can drop packets.


Outbound traffic from AWS to your network

Use the following best practices for outbound traffic from AWS to your network:

  • Use Border Gateway Protocol (BGP) to configure the VPN with dynamic routing.
  • Make sure that your devices advertise the same or less specific prefixes from on-premises to AWS with the VPN and Direct Connect. For example, is less specific than
  • For a prefix length that's the same value, AWS sends on-premises traffic to your network with a higher preference value for Direct Connect over VPN connections. For the AWS Transit Gateway, use a static route that points to a VPN attachment rather than a dynamically propagated Direct Connect gateway route.
  • For Direct Connect that you deploy with dynamic VPN as backup, it's not a best practice to use AS PATH prepending. If the prefixes are the same, then use Direct Connect routes regardless of the AS PATH prepend length.

For more information, see Routing.

Inbound traffic from your network to AWS

Use the following best practices for inbound traffic from your network to AWS:

  • Configure your network device preference to send return traffic through the Direct Connect connection.
  • If the prefixes that are advertised from AWS to your network device are the same for Direct Connect and VPN, then use the BGP local preference attribute. The BGP local preference attribute forces your device to send outbound traffic through the Direct Connect connection toward AWS. Set the Direct Connect path with a higher local preference value, and set a lower preference for VPN. For example, set local preference to 200 for Direct Connect and 100 for VPN.

Important: For Direct Connect allowed prefixes that are summarized and less specific than the routes advertised through VPN, network devices prefer the routes received through VPN.

See the following example scenario:

  • The transit gateway propagated routes are VPC-A CIDR, VPC-B CIDR, and VPC-C
  • To accommodate the 20-prefix quota, the summarized prefix on the Direct Connect gateway allowed prefixes is

For each virtual private cloud (VPC) over VPN, Direct Connect advertises the Direct Connect gateway prefix and the VPN transit gateway advertises the /16 CIDRs.

To resolve this issue, insert the summarized Direct Connect gateway route into the transit gateway route table. For example, add a static route that points to a VPC attachment so that the transit gateway advertises the summarized network over VPN. Your network devices receive the same prefix from Direct Connect and VPN. Then, configure your gateway to filter out the specific prefixes that are received. Make sure that only the summarized prefix is installed in the routing table from the VPN peer. Depending on vender specifications, there are different options to filter out routes, such as route-maps, prefix-lists, and router-filter-lists.

Traffic from your network to AWS reaches the transit gateway route table. The gateway does a lookup to select the most specific routes from each VPC attachment.

See the following example:

  • Attachment A that points to VPC-A CIDR is
  • Attachment B that points to VPC-B CIDR is
  • Attachment C that points to VPC-C CIDR is

Related information

Route priority

How do I configure Direct Connect and VPN failover with Transit Gateway?

AWS OFFICIALUpdated 8 months ago