How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

Last updated: 2021-02-02

My AWS Site-to-Site VPN connection consists of two virtual private network (VPN) tunnels. These tunnels exist between a customer gateway device and either a virtual private gateway or a transit gateway. How can I be sure that tunnel A is preferred over tunnel B when sending traffic from AWS to an on-premises network?

Resolution

Static VPNs created between a customer gateway and either a virtual private gateway or a transit gateway

In this scenario, the virtual private gateway or transit gateway sends traffic from AWS to the on-premises network over a single VPN tunnel. AWS chooses this tunnel; the choice is random and can't be influenced by the customer. The chosen tunnel is referred to as the preferred tunnel.

If the AWS VPN connection (static routing type) has an Active/Active configuration (both tunnels are UP), then you can't configure AWS to prefer a specific tunnel for sending traffic. For example, suppose AWS randomly chose tunnel A as the preferred VPN tunnel for traffic from AWS to the on-premises network. If tunnel A goes down, traffic from AWS automatically fails over to tunnel B. When tunnel A comes back up, AWS again picks a tunnel, which isn't necessarily tunnel A.
Note: With an Active/Active configuration, the customer gateway device must have asymmetric routing enabled on the virtual tunnel interfaces, because AWS might return traffic on a different tunnel than the one the customer gateway device sent it on. Without asymmetric routing, the device's stateful inspection can drop the returning packets.

If the AWS VPN connection (static routing type) has an Active/Passive configuration (Tunnel A is UP, but tunnel B is DOWN), then traffic from AWS to the on-premises network traverses tunnel A because it's in the UP state.

Dynamic VPNs created between a customer gateway and either a virtual private gateway or a transit gateway

For virtual private gateway or transit gateway configurations with ECMP disabled

Traffic from AWS to the on-premises network is sent over the preferred tunnel (randomly chosen by AWS) when both of the following are true:

  • The AWS VPN connection has an Active/Active configuration (both tunnels are UP), and
  • The customer gateway device advertises the same prefixes over both tunnels to the virtual private gateway or transit gateway with the same Border Gateway Protocol (BGP) attributes, so neither tunnel's routes win the best-path comparison.
    Note: With an Active/Active configuration, the customer gateway device must have asymmetric routing enabled on the virtual tunnel interfaces.

If the AWS VPN connection (dynamic routing type) has an Active/Passive configuration (tunnel A is UP, but tunnel B is DOWN), traffic from AWS to the on-premises network traverses tunnel A because it's in the UP state.

For transit gateway configurations with ECMP enabled

The transit gateway load balances traffic from AWS to the on-premises network across the VPN tunnels only when both of the following are true:

  • The customer gateway device advertises the same prefixes over both tunnels, and
  • The BGP attributes of those prefixes are identical on both tunnels. The attributes that matter are the AS_PATH (including any prepends), the first AS in the AS_SEQUENCE, and the multi-exit discriminator (MED).

If either attribute differs between the tunnels, the transit gateway treats the routes as unequal and sends all traffic for that prefix over the tunnel with the better path rather than load balancing.

For dynamic AWS VPN connections

Configure the customer gateway device to prefer one VPN tunnel over the other by using the order in which AWS evaluates the routes it receives. AWS compares the routes in this order, and the first criterion that differs decides the tunnel:

  1. Prefix length. Advertise a more specific prefix to the virtual private gateway or transit gateway on the tunnel over which you prefer to receive traffic from AWS. Longest-prefix match is evaluated before any BGP attribute, so a more specific prefix on tunnel A wins even if tunnel B has a shorter AS_PATH or a lower MED.
  2. AS_PATH length. For matching prefixes, the AS_PATH is compared and the path with the shortest AS_PATH is preferred. Prepending the customer ASN on tunnel B makes tunnel A preferred.
  3. MED. When the AS_PATHs are the same length and the first AS in the AS_SEQUENCE is the same across the paths (which is the case when both tunnels terminate on the same customer gateway device), the multi-exit discriminators (MEDs) are compared. The path with the lowest MED value is preferred.

Note: It's a best practice to not prepend the AS_PATH on either tunnel so that both tunnels have an equal AS_PATH length and MED decides. This also matters for the reverse direction: during VPN tunnel endpoint updates (AWS maintenance on a tunnel endpoint), AWS sets a MED value on the routes it advertises to the customer gateway device over that tunnel. With equal AS_PATH lengths, the customer gateway device honors that MED and moves its traffic toward AWS to the other tunnel before the endpoint is updated. If the AS_PATH lengths differ, AS_PATH is evaluated first and the MED from AWS is never consulted.

The steps above only control the direction from AWS to the on-premises network. Traffic from the on-premises network to AWS follows the customer gateway device's own best-path selection for the prefixes it learns from AWS over each tunnel.
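The following is an added example for the procedure above, not configuration from the AWS article or a device-specific download from the AWS console. It shows an FRRouting (bgpd) configuration for a customer gateway device that makes AWS prefer tunnel A over tunnel B for 10.0.0.0/16 by keeping the AS_PATH identical on both tunnels and setting a lower MED on tunnel A. All values are assumptions: inside tunnel /30s 169.254.10.0/30 and 169.254.11.0/30 (AWS side .1, customer side .2), AWS-side ASN 64512, customer ASN 65000, and the on-premises prefix 10.0.0.0/16.

```text
! Added example configuration (FRRouting bgpd), not part of the AWS article.
! Assumed values: customer ASN 65000, AWS-side ASN 64512,
! tunnel A inside CIDR 169.254.10.0/30 (AWS peer 169.254.10.1),
! tunnel B inside CIDR 169.254.11.0/30 (AWS peer 169.254.11.1),
! on-premises prefix 10.0.0.0/16.
!
router bgp 65000
 bgp router-id 10.0.0.1
 ! Tunnel A peer: keepalive 10 s, hold time 30 s (values AWS recommends for VPN BGP)
 neighbor 169.254.10.1 remote-as 64512
 neighbor 169.254.10.1 timers 10 30
 ! Tunnel B peer
 neighbor 169.254.11.1 remote-as 64512
 neighbor 169.254.11.1 timers 10 30
 !
 address-family ipv4 unicast
  ! Advertise the same prefix over both tunnels so that AWS can fail over to
  ! tunnel B if tunnel A goes down. Only the MED differs between the tunnels.
  network 10.0.0.0/16
  neighbor 169.254.10.1 activate
  neighbor 169.254.10.1 route-map TUNNEL-A-OUT out
  neighbor 169.254.11.1 activate
  neighbor 169.254.11.1 route-map TUNNEL-B-OUT out
 exit-address-family
!
! Steps 2 and 3 of the procedure: no AS_PATH prepend on either tunnel, so the
! AS_PATH lengths are equal and AWS falls through to the MED comparison.
! AWS prefers the lowest MED, so tunnel A gets the smaller metric.
route-map TUNNEL-A-OUT permit 10
 set metric 100
!
route-map TUNNEL-B-OUT permit 10
 set metric 200
!
! Weak (equivalent attributes) variant for comparison: if both route-maps set the
! same metric, or are removed, the prefix arrives on both tunnels with identical
! attributes. With a virtual private gateway or a transit gateway without ECMP,
! AWS then picks the tunnel at random; with transit gateway ECMP enabled, AWS load
! balances across both tunnels. That is the configuration you want for ECMP, and
! the one you do not want when a single preferred tunnel is the goal.
!
! Step 1 alternative: advertise a more specific prefix on tunnel A only, for
! example 10.0.0.0/17 and 10.0.128.0/17 via TUNNEL-A-OUT in addition to
! 10.0.0.0/16 on both tunnels. Longest-prefix match wins before AS_PATH or MED
! are considered, and 10.0.0.0/16 on tunnel B still provides failover.
```

After applying the configuration, check what is actually being sent on each tunnel with `show bgp ipv4 unicast neighbors 169.254.10.1 advertised-routes` and the same command for 169.254.11.1; the Metric column should read 100 on tunnel A and 200 on tunnel B for 10.0.0.0/16, with no extra ASNs in the Path column. On the AWS side, the route table for the VPC or transit gateway shows only the winning tunnel's path as the target for the prefix, so confirming from the customer gateway device is the quickest check.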
