How do I set up an Active/Active or Active/Passive Direct Connect connection to AWS from a public virtual interface?

Last updated: 2021-03-05

Short description

When using Direct Connect to transport production workloads between AWS services, it's a best practice to create two connections through different data centers or providers. You have two options on how to configure your connections:

  • Active/Active – Traffic is load-shared between interfaces based on flow. If one connection becomes unavailable, all traffic is routed through the other connection.
  • Active/Passive – One connection handles traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection.

When configuring public virtual interfaces, you can use a public or private Autonomous System Number (ASN) for your on-premises peer router for the new virtual interface. The valid values are 1 to 2,147,483,647.

Per the Internet Assigned Numbers Authority (IANA), the following ASNs are available for private use:

  • 2-byte private ASNs – 64,512 to 65,534
  • 4-byte private ASNs – 4,200,000,000 to 4,294,967,294

Resolution

Configuring an Active/Active connection

If you're using a public ASN:

  • Allow your customer gateway to advertise the same prefix (public IP or network that you own) with the same Border Gateway Protocol (BGP) attributes on both public virtual interfaces. This configuration permits you to load balance traffic over both public virtual interfaces.
  • Check the vendor documentation for device-specific commands for your customer gateway device.

If you're using a private ASN, load balancing on a public virtual interface is not supported.

Note: If you're using two Direct Connect connections with two public virtual interfaces for redundancy, confirm that both interfaces are terminated on different AWS devices. To confirm this, check the AWS device IDs by opening the Direct Connect console, and then choose Connections.

Configuring an Active/Passive connection

If you're using a public ASN:

  • Confirm that your customer gateway is advertising the same prefix (public IP or network that you own) on both BGP sessions.
  • Identify which connection you plan to set as the secondary connection. Then, start advertising the on-premises public prefixes with additional AS_Path prepends in the BGP attributes. For example, if your customer gateway uses ASN 123, it can advertise the prefix on the secondary connection with AS_Path set to 123 123 123 123. With this configuration, AWS always sends traffic to on-premises prefixes on the connection with the shorter AS_Path.
  • Identify which connection you plan to set as the primary connection. Then, increase the Local Preference (local-pref) to be sure that the on-premises router always chooses the correct path for sending traffic to AWS. A higher Local Preference (local-pref) value is preferred, and the default is 100. For more information, see Public virtual interface routing policies. Or, you can use the BGP communities to influence the path from AWS to the on-premises router.
  • The primary connection is considered the primary path. In the event of a failure, traffic is shifted to the secondary connection as a secondary path.

If you're using a private ASN:

  • Confirm that your customer gateway is advertising the longer prefix on your primary connection. For example, if you're advertising prefix X.X.X.0/24, then your customer gateway can advertise two prefixes (X.X.X.0/25 and X.X.X.128/25) on your primary connection. In this example, your customer gateway can also advertise prefix X.X.X.0/24 on your secondary connection.
  • If both interfaces are UP, and the longer prefix is advertised on your primary connection, then traffic is sent to your customer gateway through the primary connection. In the event of a failure, traffic is shifted and sent to the secondary connection.
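The following Python model, added here and not part of the AWS article, walks through the Active/Passive decisions described above for both the public-ASN case (same prefix on both sessions, AS_Path prepends on the secondary, higher local-pref on the primary) and the private-ASN case (two /25s on the primary, the covering /24 on the secondary), and shows what happens when the primary is withdrawn. All prefixes and ASNs are constructed documentation values (RFC 5737 and RFC 5398), not real AWS or customer addressing; the simplified best-path order is longest prefix, then highest Local Preference, then shortest AS_Path.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_LOCAL_PREF = 100  # BGP default, as stated in the article


@dataclass(frozen=True)
class Route:
    """One BGP route as seen by the router making the forwarding decision."""
    prefix: str        # constructed example prefixes from RFC 5737 documentation ranges
    connection: str    # "primary" or "secondary" Direct Connect connection
    as_path: tuple     # AS_Path as received, e.g. (123, 123, 123, 123) with prepends
    local_pref: int = DEFAULT_LOCAL_PREF  # set locally by the receiving router


def select_connection(routes, dest_ip, up=("primary", "secondary")):
    """Return the connection a BGP speaker would forward dest_ip over.

    Decision order modelled: longest prefix match, then highest Local
    Preference, then shortest AS_Path. Routes learned over a connection
    that is not in `up` are treated as withdrawn, which simulates failover.
    """
    dst = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes
                  if r.connection in up and dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          r.local_pref, -len(r.as_path)))
    return best.connection


def aws_side_public_asn(up=("primary", "secondary")):
    """AWS receives the same /24 on both VIFs; the secondary carries three prepends."""
    routes = [Route("203.0.113.0/24", "primary", (123,)),
              Route("203.0.113.0/24", "secondary", (123, 123, 123, 123))]
    return select_connection(routes, "203.0.113.10", up)


def aws_side_private_asn(up=("primary", "secondary")):
    """AWS receives two /25s on the primary and the covering /24 on the secondary."""
    routes = [Route("203.0.113.0/25", "primary", (64512,)),
              Route("203.0.113.128/25", "primary", (64512,)),
              Route("203.0.113.0/24", "secondary", (64512,))]
    return select_connection(routes, "203.0.113.200", up)


def on_prem_side(up=("primary", "secondary")):
    """On-premises router raises local-pref on the primary for traffic toward AWS.
    198.51.100.0/24 and ASN 64496 stand in for the AWS-advertised prefix and AWS ASN."""
    routes = [Route("198.51.100.0/24", "primary", (64496,), local_pref=200),
              Route("198.51.100.0/24", "secondary", (64496,))]
    return select_connection(routes, "198.51.100.7", up)
```

Calling each function with `up=("secondary",)` shows traffic shifting to the secondary connection once the primary's routes are withdrawn.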