How do I configure Direct Connect and a VPN failover with Transit Gateway?

4 minute read

I want to use AWS Transit Gateway to configure AWS Direct Connect and VPN failover.


1.    Create a transit gateway.

2.    Attach your Amazon Virtual Private Cloud (Amazon VPC) to your transit gateway.

3.    Create an AWS Site-to-Site VPN and attach it to your transit gateway.
Note: If you use a static VPN, then make sure that the defined static routes use a less specific CIDR than the BGP propagated routes. According to the route evaluation order for routes that use the same CIDR, Transit Gateway prefers static routes instead of BGP propagated routes.

4.    Attach your Direct Connect gateway to your transit gateway. Also, you must add the Amazon VPC CIDR range to the Direct Connect gateway allowed prefix interactions for each Amazon VPC attachment. After you add the prefixes, they are advertised to the remote side over a transit virtual interface.
Note: On a transit virtual interface, you can advertise a maximum of 200 prefixes per transit gateway from AWS to on-premises. To advertise more than 200 CIDR prefixes, summarize the routes to be equal to or less than 200 CIDR prefixes according to service quotas. After you summarize the routes, add them to the allowed prefix interaction section. For more information, see AWS Direct Connect quotas.

5.    (Optional) VPC CIDRs that are advertised from AWS VPN Transit Gateway associated route tables are more specific than the transit virtual interface advertised CIDRs. This might cause the customer gateway to prioritize the VPN over the AWS Direct Connect connection and can cause potential asymmetric routing. To resolve this issue, complete the following steps:
Note: When creating summarized routes for Amazon VPC CIDRs in the "Direct Connect Gateway allowed prefix" field, AWS VPN to on-premises advertises the Amazon VPC CIDRs.

  1. Add the summarized routes that are associated with the Direct Connect gateway to the VPN attachment that's associated with the Transit Gateway route table. For the target attachment in the route table, select an Amazon VPC with a CIDR. The CIDR must be part of the summarized route to the Site-to-Site VPN attachment Transit Gateway route table. The summarized route and specific routes must both be advertised over the Site-to-Site VPN.
  2. In the VPN customer gateway, filter out the routes that advertise more specific CIDR prefixes over the Site-to-Site VPN. The customer gateway must have the same summarized routes over both connections. The gateway prefers the AWS Direct Connect connection.

6.    Create Transit Gateway route tables, and then turn on route propagation for all attachments:
Note: Advertise the same set of prefixes over BGP sessions in the Direct Connect transit virtual interfaces and the Site-to-Site VPN.

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Transit Gateways.
  3. Verify that the Default association route table setting for your transit gateway is set to False. If the setting is True, then proceed to the next step.
  4. Choose Transit Gateway Route Tables.
  5. Choose Create Transit Gateway Route Table.
  6. For Name tag, enter Route Table A.
  7. For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
  8. Choose Create Transit Gateway Route Table.
  9. Select Route Table A (or the default route table of your transit gateway), and then choose Associations.
  10. Choose Create Association.
  11. For Choose attachment to associate, choose the association IDs for your Amazon VPCs, and then choose Create Association. Repeat this step until your Direct Connect gateway, VPN, and Amazon VPCs all display under Association.
  12. Choose Route Table Propagation.
  13. Choose Propagation. For Choose attachment to propagate, select your Direct Connect gateway, VPN, and Amazon VPCs.

7.    Configure the route table that's associated with your Amazon VPC and attachment subnet:

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Select the route table that's attached to the attachment subnet.
  4. Choose the Routes tab, and then choose Edit Routes.
  5. Choose the Add Route tab.
  6. For Destination, select the subnet of the on-premises network.
  7. For Target, select your transit gateway.
  8. Choose Save routes.

Note: For more visibility into your routing update events, it's a best practice to turn on Transit Gateway Network Manager. For more information, see Routing update events.

8.    To test the environment redundancy, use the Direct Connect Failover Test to turn off the Direct Connect connection. For more information, see Testing AWS Direct Connect Resiliency with Resiliency Toolkit – Failover Testing.

Related information

Hybrid connectivity to AWS Transit Gateway

AWS OFFICIALUpdated a year ago

The approach is very poor as it doesn't scale well, which is even called out in the article itself. A better approach is to create a summary route as outlined in this blog post:

profile pictureAWS
replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied 2 months ago