How can I achieve equal-cost multi-path routing (ECMP) with multiple VPN tunnels associated with a transit gateway?

Last updated: 2020-04-15

I need to establish network connectivity between virtual private clouds (VPCs) and my on-premises network using multiple VPN connections that are associated with a transit gateway. I also want to achieve equal-cost multi-path routing (ECMP) between the available VPN tunnels. How can I enable equal-cost multi-path routing for the VPN tunnels attached to my transit gateway?

Resolution

Create a transit gateway, and then attach your VPCs and a site-to-site VPN

  1. Create a transit gateway.
    Important: When you create your transit gateway, you must enable VPN ECMP support.
  2. Attach your VPCs to your transit gateway.
  3. Create a site-to-site VPN and attach it to your transit gateway.
    Important: When you create your VPN, you must choose Dynamic for Routing options. Static routing does not support ECMP.

Confirm your customer gateway Border Gateway Protocol (BGP) configuration

  1. Confirm that your customer gateway is configured to perform ECMP for traffic going out to AWS over all VPN tunnels. If necessary, configure BGP on your customer gateway to accept the routes from AWS so that the customer gateway installs all of them with the same metric.
  2. Confirm that your customer gateway is advertising the on-premises prefix to AWS with the same BGP AS PATH attribute on every tunnel. For AWS to use all the available ECMP paths, the AS PATH and AS Number must match across the tunnels.

For example, let's say that you plan to use ECMP with two VPN connections, and the AS Number of your customer gateway is 65270. In this scenario, you configure your VPNs as follows:

  VPN-A
    Tunnel 1 – AS PATH: 65270 (while advertising the prefix)
    Tunnel 2 – AS PATH: 65270 (while advertising the prefix)
  VPN-B
    Tunnel 1 – AS PATH: 65270 (while advertising the prefix)
    Tunnel 2 – AS PATH: 65270 (while advertising the prefix)

With a configuration similar to the above, AWS sends traffic with ECMP across all four VPN tunnels.

Note: For ECMP to function properly, Dynamic VPN and VPN ECMP Support must be enabled on the transit gateway. The VPN ECMP Support option can only be enabled or disabled when you create a transit gateway.
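The three checks above (VPN ECMP support on the transit gateway, dynamic routing on each VPN, and a matching AS PATH on every tunnel), as an added example that is not AWS code: it walks records shaped like the describe-transit-gateways and describe-vpn-connections API output and reports anything that would stop AWS from using all tunnels. All ids and addresses are constructed, and the per-tunnel AS paths are assumed to be read from the customer gateway, since the AWS API does not expose them.

```python
# Added example, not AWS code: an offline ECMP readiness check. The records
# mirror the JSON from `aws ec2 describe-transit-gateways` and
# `aws ec2 describe-vpn-connections`; every id and address below is constructed.
from collections import Counter
from typing import Dict, List, Sequence

TGW = {"TransitGatewayId": "tgw-0example", "Options": {"VpnEcmpSupport": "enable"}}

def tunnel(ip: str, status: str = "UP", routes: int = 1) -> dict:
    # One VgwTelemetry entry, i.e. one tunnel, as describe-vpn-connections reports it
    return {"OutsideIpAddress": ip, "Status": status, "AcceptedRouteCount": routes}

VPNS = [  # two dynamic (BGP) VPNs, two tunnels each, all attached to TGW
    {"VpnConnectionId": "vpn-a", "TransitGatewayId": "tgw-0example",
     "Options": {"StaticRoutesOnly": False},
     "VgwTelemetry": [tunnel("203.0.113.10"), tunnel("203.0.113.11")]},
    {"VpnConnectionId": "vpn-b", "TransitGatewayId": "tgw-0example",
     "Options": {"StaticRoutesOnly": False},
     "VgwTelemetry": [tunnel("203.0.113.20"), tunnel("203.0.113.21")]},
]

# AS PATH each tunnel uses when advertising the on-premises prefix, as read from the
# customer gateway's BGP table (constructed; not exposed by the AWS API). Tunnel .21 prepends.
AS_PATHS = {"203.0.113.10": [65270], "203.0.113.11": [65270],
            "203.0.113.20": [65270], "203.0.113.21": [65270, 65270]}

def ecmp_findings(tgw: dict, vpns: List[dict], as_paths: Dict[str, Sequence[int]]) -> List[str]:
    """Reasons AWS will not spread traffic over every tunnel; an empty list means ready."""
    findings = []
    tgw_id = tgw["TransitGatewayId"]
    if tgw["Options"].get("VpnEcmpSupport") != "enable":
        findings.append(f"{tgw_id}: VPN ECMP support disabled; settable only at creation, so recreate the gateway")
    for vpn in vpns:
        vid = vpn["VpnConnectionId"]
        if vpn.get("TransitGatewayId") != tgw_id:
            findings.append(f"{vid}: not attached to {tgw_id}")
        if vpn.get("Options", {}).get("StaticRoutesOnly", True):
            findings.append(f"{vid}: static routing; ECMP needs dynamic (BGP) routing")
        for t in vpn["VgwTelemetry"]:
            ip = t["OutsideIpAddress"]
            if t["Status"] != "UP":
                findings.append(f"{vid} tunnel {ip}: status {t['Status']}")
            elif t["AcceptedRouteCount"] == 0:
                findings.append(f"{vid} tunnel {ip}: BGP up but no routes accepted from on-premises")
    # AWS treats tunnels as equal-cost only when the prefix arrives with an identical AS PATH
    majority = Counter(tuple(p) for p in as_paths.values()).most_common(1)[0][0]
    odd = sorted(ip for ip, p in as_paths.items() if tuple(p) != majority)
    if odd:
        findings.append("AS PATH differs from the other tunnels on: " + ", ".join(odd))
    return findings
```

Run it against real output by loading the JSON from the two describe commands and reading the AS paths off the customer gateway; with the constructed records it flags only the prepending tunnel.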

Create a transit gateway route table and associate your VPCs and VPN to it

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation pane, choose Transit Gateways.
  3. Review the Default association route table setting for your transit gateway. If it's set to False, proceed to step 4. If it's set to True, all the associations are already part of the default route table, so skip to step 6.
  4. Choose Transit Gateway Route Tables.
  5. Choose Create Transit Gateway Route Table, and then complete the following:
    For Name tag, enter Route Table A.
    For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
    Choose Create Transit Gateway Route Table.
  6. Choose Route Table A (or the default route table of your transit gateway).
  7. Choose Associations, and then choose Create Association.
  8. For Choose attachment to associate, choose the attachment IDs for your VPCs and VPNs. Then, choose Create Association. Repeat this step until all your VPCs and VPNs appear under Associations.

Propagate routes to your VPCs and VPNs on the transit gateway route table

  1. Choose Route Table A (or the default route table of your transit gateway), and then choose Propagations.
  2. Choose Create Propagation.
  3. For Choose attachment to propagate, choose the VPN and VPC attachments, and then choose Create Propagation.
