How do I configure Direct Connect and VPN failover with Transit Gateway?

Last updated: 2021-03-04

I want to configure AWS Direct Connect as the primary link to my on-premises resources. I also want to configure a VPN as the secondary link to the same resources. How can I do this with AWS Transit Gateway?


Task 1: Create a transit gateway

Task 2: Attach your VPC to your transit gateway

Task 3: Create an AWS Site-to-Site VPN and attach it to your transit gateway

Note: When creating your Site-to-Site VPN, choose Dynamic for Routing options. Static routes have a higher precedence than dynamic propagated routes in the Transit Gateway Route Evaluation Order.

Task 4: Attach your Direct Connect gateway to your transit gateway

Note: For each VPC that is attached to your transit gateway, you must add the VPC CIDR range to the Direct Connect gateway's allowed prefixes. After the prefixes are added, they're advertised to the remote side over the transit virtual interface. You can have a maximum of 20 prefixes per AWS Transit Gateway from AWS to on-premises on a transit virtual interface. This quota can't be increased. For more information, see AWS Direct Connect quotas. If you have more than 20 VPCs, summarize the routes for multiple VPCs into a single CIDR range, and then enter the summarized routes in the Direct Connect gateway allowed prefixes section.

Task 5: Create transit gateway route tables, and then enable route propagation for all attachments

Note: Be sure to advertise the same prefix on the Border Gateway Protocol (BGP) session on the Direct Connect Transit Virtual Interface (VIF) and the BGP session over the VPN.

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation pane, choose Transit Gateways.
  3. Verify that the Default association route table setting for your transit gateway is set to False.
    Note: If the setting is set to True, skip to task 6.
  4. Choose Transit Gateway Route Tables.
  5. Choose Create Transit Gateway Route Table and then complete the following:
    For Name tag, enter Route Table A.
    For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
    Choose Create Transit Gateway Route Table.
  6. Choose Route Table A (or the default route table of your transit gateway) and choose Associations, Create Association.
  7. For Choose attachment to associate, choose the association IDs for your VPCs and choose Create Association. Repeat this step until your Direct Connect gateway, VPN, and VPCs all display under Association.
  8. Choose Route Table Propagation.
  9. Choose Propagation. For Choose attachment to propagate, choose your Direct Connect gateway, VPN, and VPCs.

Task 6: Configure the route table associated with your VPC and attachment subnet

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Choose the route table that's attached to the attachment subnet.
  4. Choose the Routes tab and choose Edit Routes.
  5. Choose the Add Route tab and then complete the following:
    For Destination, choose the subnet of the on-premises network.
    For Target, choose your transit gateway.
    Choose Save routes.
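To see why Task 3 requires Dynamic routing and why the note in Task 5 requires the same prefix on both BGP sessions, the following is a small added Python model of how the transit gateway picks between the Direct Connect and VPN routes. It is not from this article or from AWS; it assumes the documented Transit Gateway route evaluation order (longest prefix match, then static routes before propagated ones, and Direct Connect gateway propagations before VPN propagations), and all attachment IDs and CIDRs are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Transit Gateway route evaluation order, as documented by AWS (assumption of this
# example, not stated in the article): longest prefix match first, then for equal
# prefixes: static routes, then propagated VPC, Direct Connect gateway, VPN routes.
RANK = {"static": 0, "vpc": 1, "direct-connect-gateway": 2, "vpn": 3}

@dataclass(frozen=True)
class TgwRoute:
    prefix: str          # CIDR in the transit gateway route table
    attachment: str      # transit gateway attachment ID (constructed sample values)
    origin: str          # key into RANK: "static" or the propagating attachment type
    active: bool = True  # False once BGP on that link withdraws the prefix

def select_route(table, destination):
    """Return the route the transit gateway would use for `destination`, or None."""
    dst = ip_network(destination)
    candidates = [r for r in table
                  if r.active and dst.subnet_of(ip_network(r.prefix))]
    if not candidates:
        return None
    # Most specific prefix wins; ties are broken by the origin precedence above.
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen, RANK[r.origin]))

# Constructed sample values: one VPC, one on-premises prefix reachable both ways.
ONPREM = "192.168.0.0/16"
DX_ATTACH = "tgw-attach-dx-example"
VPN_ATTACH = "tgw-attach-vpn-example"

def build_table(dx_up=True, vpn_static=False):
    """Route table as Task 5 leaves it: the same on-premises prefix learned over the
    Transit VIF BGP session and over the VPN BGP session. vpn_static=True models
    the mistake Task 3 warns about: a static VPN route instead of a propagated one."""
    return [
        TgwRoute("10.0.0.0/16", "tgw-attach-vpc-example", "vpc"),
        TgwRoute(ONPREM, DX_ATTACH, "direct-connect-gateway", active=dx_up),
        TgwRoute(ONPREM, VPN_ATTACH, "static" if vpn_static else "vpn"),
    ]

def chosen_attachment(dx_up=True, vpn_static=False):
    """Attachment carrying traffic to an on-premises host under the given state."""
    route = select_route(build_table(dx_up, vpn_static), "192.168.10.0/24")
    return route.attachment if route else None

if __name__ == "__main__":
    print("DX up, dynamic VPN   ->", chosen_attachment())                 # DX_ATTACH
    print("DX down, dynamic VPN ->", chosen_attachment(dx_up=False))      # VPN_ATTACH
    print("DX up, static VPN    ->", chosen_attachment(vpn_static=True))  # VPN_ATTACH
```

With a static VPN route the VPN wins even while Direct Connect is healthy, which is exactly why Task 3 says to choose Dynamic; with both routes propagated, Direct Connect is preferred and the VPN takes over only when the Direct Connect BGP session withdraws the prefix.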
