I want to use AWS Transit Gateway to configure AWS Direct Connect and VPN failover.
Resolution
Create a transit gateway, and attach your Amazon VPC, VPN, and Direct Connect
Complete the following steps:
- Create a transit gateway.
- Attach your Amazon Virtual Private Cloud (Amazon VPC) to your transit gateway.
Note: Note the attachment's ID to use in a later step.
- Create an AWS Site-to-Site VPN attachment.
Note: For a static VPN, use static routes that have a broader CIDR than Border Gateway Protocol (BGP) propagated routes. For more information, see Route evaluation order.
- Associate AWS Direct Connect with your transit gateway.
Note: For each VPC attachment, you must add the Amazon VPC CIDR range to the allowed prefixes list of the Direct Connect gateway association. AWS then advertises those prefixes to the remote side over a transit virtual interface.
Note: On a transit virtual interface, you can advertise a maximum of 200 prefixes for each transit gateway from AWS to on-premises networks. To advertise more than 200 CIDR prefixes, summarize the routes so that the advertised set is 200 CIDR prefixes or fewer, in line with the service quota. After you summarize the routes, add the summarized routes to the allowed prefixes list. For more information, see AWS Direct Connect quotas.
(Optional) Prevent asymmetric routing when VPN routes are more specific
VPC CIDRs that you advertise from Transit Gateway VPN route tables are more specific than CIDRs that you advertise over a transit virtual interface. As a result, the customer gateway can prioritize the Site-to-Site VPN over Direct Connect and cause asymmetric routing.
Note: Even when you enter summarized routes for the Amazon VPC CIDRs in the Direct Connect gateway allowed prefixes field, the Site-to-Site VPN still advertises the specific Amazon VPC CIDRs to the on-premises network.
To resolve asymmetric routing, complete the following steps:
- Add the summarized routes that you associated with the Direct Connect gateway as static routes in the transit gateway route table that is associated with the Site-to-Site VPN attachment. For the target attachment of each route, select an Amazon VPC attachment whose CIDR is part of that summarized route. The Site-to-Site VPN must then advertise both the summarized route and the specific routes.
- In the Site-to-Site VPN customer gateway, filter out the more specific CIDR prefixes that are advertised over the VPN. The customer gateway then sees the same summarized routes over both connections and prefers the AWS Direct Connect connection.
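The allowed-prefix and quota notes above, and the asymmetric routing check in this section, reduce to three questions about your prefix plan: is every VPC CIDR covered by the Direct Connect gateway allowed prefixes, is the allowed-prefix count within the 200-prefix transit VIF quota, and is anything advertised over the VPN more specific than what Direct Connect advertises (longest prefix match at the customer gateway would then prefer the VPN). The following script is an added example, not code from the AWS article; the VPC CIDRs and prefix lists are constructed sample data.

```python
import ipaddress

# Quota quoted in the article: at most 200 prefixes per transit gateway on a transit VIF.
DX_TRANSIT_VIF_PREFIX_QUOTA = 200

# Constructed sample data (not from the article): CIDRs of three VPC attachments.
VPC_CIDRS = ["10.0.0.0/24", "10.0.1.0/24", "10.1.0.0/16"]


def summarize(cidrs):
    """Collapse CIDRs into the fewest exact covering prefixes (adjacent blocks merge)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def check_plan(vpc_cidrs, dx_allowed_prefixes, vpn_advertised):
    """Return findings for a DX + VPN failover prefix plan; an empty list means consistent.

    dx_allowed_prefixes: allowed prefixes on the Direct Connect gateway association
    (what AWS advertises over the transit VIF). vpn_advertised: what the Site-to-Site
    VPN attachment advertises to the customer gateway.
    """
    findings = []
    dx_nets = [ipaddress.ip_network(p) for p in dx_allowed_prefixes]
    # 1. Every VPC CIDR must fall inside an allowed prefix, or it is unreachable over DX.
    for c in vpc_cidrs:
        net = ipaddress.ip_network(c)
        if not any(net.subnet_of(d) for d in dx_nets):
            findings.append(f"{c} is not covered by the Direct Connect gateway allowed prefixes")
    # 2. The transit VIF quota applies to the number of allowed prefixes.
    if len(dx_nets) > DX_TRANSIT_VIF_PREFIX_QUOTA:
        findings.append(f"{len(dx_nets)} allowed prefixes exceeds the "
                        f"{DX_TRANSIT_VIF_PREFIX_QUOTA}-prefix quota; summarize the routes")
    # 3. A VPN prefix more specific than the matching DX prefix wins on longest match at the
    #    customer gateway, so that traffic takes the VPN while replies may take DX.
    for v in vpn_advertised:
        vn = ipaddress.ip_network(v)
        for d in dx_nets:
            if vn.subnet_of(d) and vn.prefixlen > d.prefixlen:
                findings.append(f"{v} over VPN is more specific than {d} over Direct Connect")
                break
    return findings


if __name__ == "__main__":
    summary = summarize(VPC_CIDRS)
    print("summarized allowed prefixes:", summary)
    # VPN still advertising the specific VPC CIDRs: flags the asymmetric routing risk.
    for finding in check_plan(VPC_CIDRS, summary, VPC_CIDRS):
        print("FINDING:", finding)
```

Run it with the VPN list set to the same summarized prefixes to confirm the findings disappear, which is the end state the filtering step above is meant to reach.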
Create transit gateway route tables, and configure route propagation
Note: Advertise the same set of prefixes over BGP sessions in the Direct Connect transit virtual interfaces and the VPN.
Complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Transit Gateways.
- Verify that the Default association route table is set to False. If True, then proceed to the next step.
- Choose Transit gateway route tables.
- Choose Create transit gateway route table.
- For Name tag, enter Route Table A.
- For Transit gateway ID, choose the ID for your transit gateway.
- Choose Create transit gateway route table.
- Select Route Table A or the default route table of your transit gateway, and then choose Associations.
- Choose Create Association.
- For Choose attachment to associate, choose the association IDs for your Amazon VPCs, and then choose Create Association.
Note: Repeat the preceding step until your Direct Connect gateway, VPN, and Amazon VPCs all display under Association.
- Choose Route table propagation.
- Choose Propagation.
- For Choose attachment to propagate, select your Direct Connect gateway, VPN, and Amazon VPCs.
Update the Amazon VPC subnet route tables
Complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Route tables.
- Select the route table that's attached to the attachment subnet.
- Choose the Routes tab, and then choose Edit routes.
- Choose the Add route tab.
- For Destination, select the subnet of the on-premises network.
- For Target, select your transit gateway.
- Choose Save routes.
Note: To view your routing update events, turn on Transit Gateway Network Manager. For more information, see Routing update events.
Test the failover
Use the Direct Connect failover test in the Resiliency Toolkit to test a failover.
Related information
Hybrid connectivity to AWS Transit Gateway