How can I achieve ECMP routing with multiple Site-to-Site VPN tunnels that are associated with a transit gateway?


I want to achieve equal-cost multi-path routing (ECMP) with multiple AWS Site-to-Site VPN tunnels that are associated with a transit gateway.


Create a transit gateway, and then attach your Amazon VPC and a Site-to-Site VPN

  1. Create a transit gateway.
    Important: When you create your transit gateway, you must turn on VPN ECMP support.
  2. Attach your Amazon Virtual Private Clouds (Amazon VPCs) to your transit gateway.
  3. Create a Site-to-Site VPN, and then attach it to your transit gateway.
    Important: AWS provides two routing options for Site-to-Site VPN connections: static and dynamic. The dynamic option uses Border Gateway Protocol (BGP). When you create your Site-to-Site VPN, you must choose Dynamic for Routing options, because static routing doesn't support ECMP.

Confirm your customer gateway BGP configuration

  1. Make sure to turn on asymmetric routing on your customer gateway. Check that the customer gateway is configured to perform ECMP for traffic going out to AWS over all Site-to-Site VPN tunnels. To do this, configure the same local preference value or weight on all of the Site-to-Site VPN tunnels. If necessary, configure your customer gateway's BGP to accept the routes from AWS so that the customer gateway installs all of them with the same metric.

    Note: If the customer gateway isn't configured to perform ECMP, and asymmetric routing isn't turned on, then packet loss can occur.

  2. Confirm that your customer gateway advertises the on-premises prefix to AWS with the same BGP AS path attribute on every tunnel. For AWS to choose all of the available ECMP paths, the AS path and the neighbor AS number must match across the tunnels.

    For example, suppose that you want to use ECMP with two Site-to-Site VPN connections, and the AS number of your customer gateway is 65270. In this scenario, configure your Site-to-Site VPNs as in the following example:

    Site-to-Site VPN-A
    Tunnel 1 – AS PATH: 65270 (when advertising the prefix)
    Tunnel 2 – AS PATH: 65270 (when advertising the prefix)
    Site-to-Site VPN-B
    Tunnel 1 – AS PATH: 65270 (when advertising the prefix)
    Tunnel 2 – AS PATH: 65270 (when advertising the prefix)

    With the preceding configurations, AWS sends traffic with ECMP turned on for all four Site-to-Site VPN tunnels.

    Note: You must turn on Dynamic VPN and VPN ECMP Support on the transit gateway for ECMP to function properly. Modify the transit gateway to turn VPN ECMP Support on or off.

Create a transit gateway route table, and associate your Amazon VPCs and Site-to-Site VPN to it

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Transit Gateways.
  3. Review the Default association route table setting for your transit gateway. If it's set to False, then proceed to step 4. If it's set to True, then all the associations are already part of the default route table, so you can proceed to step 6.
  4. Choose Transit Gateway Route Tables.
  5. Choose Create Transit Gateway Route Table, and then complete the following:
    For Name tag, enter Route Table A.
    For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
    Choose Create Transit Gateway Route Table.
  6. Choose Route Table A (or the default route table of your transit gateway).
  7. Choose Associations, and then choose Create Association.
  8. For Choose attachment to associate, choose the association IDs for your Amazon VPCs and Site-to-Site VPNs. Then, choose Create Association.
  9. Repeat step 8 until all of your Amazon VPCs and Site-to-Site VPNs display under Association.

Propagate routes from your Amazon VPCs and Site-to-Site VPNs on the transit gateway route table

  1. Choose Route Table A Propagation.
  2. Choose Propagation.
  3. For Choose attachment to propagate, choose the propagation for the Site-to-Site VPNs and Amazon VPCs.
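The whole procedure above, driven with the AWS CLI instead of the console, as an added example that is not part of the AWS article. The transit gateway, VPC, subnet and customer gateway values are constructed placeholders, and AWS_CMD can be pointed at a wrapper such as echo to review the generated calls before running them against an account.

```shell
# Added example, not from the AWS article: the console procedure driven with the
# AWS CLI. All IDs, subnets, IPs and names are constructed placeholders.
# AWS_CMD defaults to aws; set AWS_CMD=echo to review the calls without running them.
set -eu
AWS_CMD="${AWS_CMD:-aws}"
# TGW with VPN ECMP support on; default association/propagation off so Route Table A is explicit.
create_tgw() {
  $AWS_CMD ec2 create-transit-gateway --description "ECMP VPN hub" \
    --options AmazonSideAsn=64512,DnsSupport=enable,VpnEcmpSupport=enable,DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable \
    --query 'TransitGateway.TransitGatewayId' --output text
}
# VPC attachment: $1 = transit gateway id, $2 = VPC id, rest = one subnet per AZ.
attach_vpc() {
  tgw="$1"; vpc="$2"; shift 2
  $AWS_CMD ec2 create-transit-gateway-vpc-attachment --transit-gateway-id "$tgw" --vpc-id "$vpc" \
    --subnet-ids "$@" --query 'TransitGatewayVpcAttachment.TransitGatewayAttachmentId' --output text
}
# Customer gateway ($2 = public IP, $3 = BGP ASN) plus a dynamic BGP VPN to $1 = tgw id.
# Static routing does not support ECMP, so StaticRoutesOnly must be false.
create_dynamic_vpn() {
  cgw=$($AWS_CMD ec2 create-customer-gateway --type ipsec.1 --public-ip "$2" --bgp-asn "$3" \
    --query 'CustomerGateway.CustomerGatewayId' --output text)
  $AWS_CMD ec2 create-vpn-connection --type ipsec.1 --transit-gateway-id "$1" --customer-gateway-id "$cgw" \
    --options StaticRoutesOnly=false --query 'VpnConnection.VpnConnectionId' --output text
}
# Route table associations need the VPN attachment id, not the connection id ($1).
vpn_attachment_id() {
  $AWS_CMD ec2 describe-transit-gateway-attachments --filters "Name=resource-id,Values=$1" \
    --query 'TransitGatewayAttachments[0].TransitGatewayAttachmentId' --output text
}
# Route Table A: associate and propagate every attachment id passed after $1 = tgw id.
build_route_table_a() {
  rtb=$($AWS_CMD ec2 create-transit-gateway-route-table --transit-gateway-id "$1" \
    --tag-specifications 'ResourceType=transit-gateway-route-table,Tags=[{Key=Name,Value=Route Table A}]' \
    --query 'TransitGatewayRouteTable.TransitGatewayRouteTableId' --output text)
  shift
  for att in "$@"; do
    $AWS_CMD ec2 associate-transit-gateway-route-table --transit-gateway-route-table-id "$rtb" --transit-gateway-attachment-id "$att"
    $AWS_CMD ec2 enable-transit-gateway-route-table-propagation --transit-gateway-route-table-id "$rtb" --transit-gateway-attachment-id "$att"
  done
}
# Driver runs only with RUN_SETUP=yes. Both customer gateway routers use AS 65270,
# matching the article's example, so AWS sees the same AS path on all four tunnels.
if [ "${RUN_SETUP:-no}" = yes ]; then
  tgw=$(create_tgw)
  vpc_att=$(attach_vpc "$tgw" vpc-0123456789abcdef0 subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb)
  vpn_a=$(create_dynamic_vpn "$tgw" 203.0.113.10 65270)
  vpn_b=$(create_dynamic_vpn "$tgw" 198.51.100.10 65270)
  build_route_table_a "$tgw" "$vpc_att" "$(vpn_attachment_id "$vpn_a")" "$(vpn_attachment_id "$vpn_b")"
fi
```

Run with `AWS_CMD=echo RUN_SETUP=yes sh ecmp-tgw.sh` to print every call first; the customer gateway side (equal local preference and the same AS path on all tunnels) still has to be configured on the on-premises routers as described above.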
AWS OFFICIAL. Updated a year ago.