How do I set up an Active/Active or Active/Passive Direct Connect connection to AWS from a public virtual interface?

Last updated: 2020-01-16

Short Description

When you use AWS Direct Connect to transport production workloads to and from AWS services, it's a best practice to create two Direct Connect (DX) connections through different data centers or providers, so that a single facility or provider outage can't take down both paths. You have two options for configuring your connections:

  • Active/Active - Traffic is load-shared between interfaces based on flow. If one connection becomes unavailable, all traffic is routed through the other connection.
  • Active/Passive - One connection handles traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection.

When you configure your public virtual interfaces, you can use one of the following types of autonomous system numbers (ASNs):

  • A public ASN that you own
  • A private ASN in the 64512-65535 range

Resolution

Configuring an Active/Active connection

If you're using a public ASN:

  • Allow your customer gateway to advertise the same prefix (public IP or network that you own) with the same BGP attributes on both public virtual interfaces. This configuration permits you to load balance traffic over both public virtual interfaces.
  • Check the vendor documentation for device-specific commands for your customer gateway device.

If you're using a private ASN:

  • AS_PATH prepending doesn't work if you use a private ASN on a public virtual interface. If both connections are in the same Region, traffic is load balanced between both public virtual interfaces without any additional configuration.
  • To load balance across multiple public virtual interfaces, all of the public virtual interfaces must be in the same Region.

Note: If you plan to use two DX connections with two public virtual interfaces for redundancy, confirm that both interfaces are terminated on different AWS devices. To confirm this, check the AWS device IDs by opening the DX console and choosing Connections.
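The device check in the note above can also be scripted instead of read off the console. The following is an added example, not part of the AWS article: it operates on the `connections` list that `boto3.client("directconnect").describe_connections()` returns (the `awsDeviceV2` field identifies the AWS device), and flags connections that share a device. The sample data is constructed; the connection IDs, location code and device names are placeholders, not real AWS identifiers.

```python
"""Check that Direct Connect connections terminate on different AWS devices.

Added example (not from the AWS article). Works on the ``connections`` list
returned by boto3's DescribeConnections; the sample below is constructed with
placeholder IDs.
"""
from collections import defaultdict

# Constructed sample in the shape of DescribeConnections output.
# Both connections land on the same AWS device, which is the case the
# article warns about: two links, but no device-level redundancy.
SAMPLE_CONNECTIONS = [
    {"connectionId": "dxcon-EXAMPLE1", "connectionName": "dx-primary",
     "connectionState": "available", "location": "LOCATION-EXAMPLE",
     "awsDeviceV2": "EXAMPLE-DEVICE-A"},
    {"connectionId": "dxcon-EXAMPLE2", "connectionName": "dx-secondary",
     "connectionState": "available", "location": "LOCATION-EXAMPLE",
     "awsDeviceV2": "EXAMPLE-DEVICE-A"},
]


def group_by_device(connections):
    """Map each AWS device ID to the connection IDs that terminate on it."""
    by_device = defaultdict(list)
    for conn in connections:
        # awsDeviceV2 is the current field; older responses carried awsDevice.
        device = conn.get("awsDeviceV2") or conn.get("awsDevice") or "unknown"
        by_device[device].append(conn["connectionId"])
    return dict(by_device)


def shared_devices(connections):
    """Return {device: [connection IDs]} for devices carrying more than one
    connection. An empty result means every connection has its own device."""
    return {dev: ids for dev, ids in group_by_device(connections).items()
            if len(ids) > 1}


def is_device_redundant(connections):
    """True when there are at least two connections and none share a device."""
    return len(connections) >= 2 and not shared_devices(connections)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("sample shares devices:", shared_devices(SAMPLE_CONNECTIONS))
    print("sample is device-redundant:", is_device_redundant(SAMPLE_CONNECTIONS))
    # Against a real account (credentials and region come from the boto3 config):
    #   import boto3
    #   live = boto3.client("directconnect").describe_connections()["connections"]
    #   print(shared_devices(live))
```

Run the same check after any connection is re-provisioned, because the device a link terminates on is assigned by AWS and is not something you choose when ordering it.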

Configuring an Active/Passive connection

If you're using a public ASN:

  • Confirm that your customer gateway is advertising the same prefix (public IP or network that you own) on both Border Gateway Protocol (BGP) sessions.
  • You can use the BGP AS_Path attribute such that the prefixes advertised from the secondary connection are prepended with the customer gateway ASN twice. For example, if your customer gateway uses ASN 123, it can advertise the prefix on the secondary connection with AS_Path set to 123 123.
  • You can use the BGP Local Preference attribute so that the customer gateway assigns a Local Preference of 200 to routes learned over the primary connection and 100 to routes learned over the secondary connection. A higher Local Preference value is preferred, and the default is 100.
  • With these attributes, the primary connection is the preferred path in both directions. If it fails, traffic shifts to the secondary connection.

If you're using a private ASN:

  • Confirm that your customer gateway is advertising the longer (more specific) prefix on your primary connection. For example, if you're advertising prefix X.X.X.0/24, your customer gateway can advertise two prefixes (X.X.X.0/25 and X.X.X.128/25) on your primary connection and the single prefix X.X.X.0/24 on your secondary connection.
  • If both interfaces are in the UP state, and the longer prefix is advertised on your primary connection, then traffic is sent to your customer gateway through the primary connection. In the event of a failure, traffic is shifted and sent to the secondary connection.
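The following is an added example, not from the AWS article, that models why each of the designs above behaves as described: the Active/Active case (identical attributes on both interfaces, so both paths stay usable), the public-ASN Active/Passive case (AS_PATH prepending as seen by the AWS side, Local Preference as applied by the customer gateway), and the private-ASN Active/Passive case (more-specific prefixes on the primary, selected by longest-prefix match). It implements the standard BGP decision steps these designs rely on over constructed route tables; ASN 123 comes from the article, while the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 and the `primary`/`secondary` names are placeholders.

```python
"""Model of the BGP selection behind the Active/Active and Active/Passive
designs. Added example, not from the AWS article; prefixes are documentation
ranges used as placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str             # advertised prefix, e.g. "203.0.113.0/24"
    via: str                # virtual interface the route was learned over
    local_pref: int = 100   # BGP default LOCAL_PREF
    as_path: tuple = ()     # AS_PATH as received


def best_path(routes):
    """Best path among candidates for one prefix: higher LOCAL_PREF wins,
    then shorter AS_PATH. Ties keep the first candidate."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))


def equal_best_paths(routes):
    """All candidates tied with the best path on LOCAL_PREF and AS_PATH
    length. Two entries means both interfaces carry traffic (Active/Active)."""
    best = best_path(routes)
    key = (best.local_pref, len(best.as_path))
    return [r for r in routes if (r.local_pref, len(r.as_path)) == key]


def build_rib(routes):
    """Group candidates by prefix and install the best path for each."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: best_path(cands) for p, cands in by_prefix.items()}


def forward(rib, dst_ip):
    """Longest-prefix match: the most specific installed prefix covering
    dst_ip decides which interface the packet leaves on."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [p for p in rib if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    longest = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return rib[longest].via


def withdraw(routes, via):
    """Simulate a connection failure: every route learned over `via` is gone."""
    return [r for r in routes if r.via != via]


def chosen_path(routes, dst_ip):
    """Interface a packet to dst_ip takes, given the advertised routes."""
    return forward(build_rib(routes), dst_ip)


# Active/Active: same prefix, same attributes on both public VIFs.
ACTIVE_ACTIVE_ROUTES = [
    Route("203.0.113.0/24", via="primary", as_path=(123,)),
    Route("203.0.113.0/24", via="secondary", as_path=(123,)),
]

# Active/Passive, public ASN 123, as seen by the AWS side: the secondary
# carries AS_PATH "123 123" as in the article's example, so it is longer.
AS_PATH_ROUTES = [
    Route("203.0.113.0/24", via="primary", as_path=(123,)),
    Route("203.0.113.0/24", via="secondary", as_path=(123, 123)),
]

# Active/Passive, public ASN, as seen by the customer gateway for a prefix
# learned from AWS (placeholder range): LOCAL_PREF 200 on the primary.
LOCAL_PREF_ROUTES = [
    Route("198.51.100.0/24", via="primary", local_pref=200),
    Route("198.51.100.0/24", via="secondary", local_pref=100),
]

# Active/Passive, private ASN: two /25s on the primary, the /24 on the secondary.
PRIVATE_ASN_ROUTES = [
    Route("203.0.113.0/25", via="primary"),
    Route("203.0.113.128/25", via="primary"),
    Route("203.0.113.0/24", via="secondary"),
]

if __name__ == "__main__":
    for name, routes in [("as_path", AS_PATH_ROUTES), ("private_asn", PRIVATE_ASN_ROUTES)]:
        print(name, "normal:", chosen_path(routes, "203.0.113.200"),
              "after primary failure:", chosen_path(withdraw(routes, "primary"), "203.0.113.200"))
    print("active/active usable paths:", len(equal_best_paths(ACTIVE_ACTIVE_ROUTES)))
```

The private-ASN design works without touching any BGP attribute because longest-prefix match runs before the attribute comparison; once the primary's /25s are withdrawn, the /24 on the secondary is the only covering route left. The same reasoning explains the Region constraint in the Active/Active section: load sharing only happens between candidates that reach the same decision point with identical attributes.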