I want to make my application more fault tolerant by configuring my VPN connection to use both VPN tunnels. How do I do that?

Each AWS hardware VPN connection has two VPN tunnels. By default, AWS is configured to automatically fail over to the second VPN tunnel if the first one fails or is down for maintenance.

If your device is configured according to AWS recommendations, you’re already prepared for outages or maintenance, though you might experience a brief outage when the connection fails over to the other tunnel. For example, if you’re using a Cisco ASA device, see the recommended configuration in Example: Cisco ASA Device.

If you received a maintenance notification and you want to fail over to the other tunnel at a time that’s more convenient for you, you can switch tunnels ahead of the planned maintenance time. See your VPN device vendor’s documentation for more details on configuring both VPN tunnels.
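Before switching tunnels ahead of maintenance, it helps to confirm that both tunnels of the connection are actually up. The following is an added example, not part of the original article or AWS's own code: it parses JSON in the shape returned by `aws ec2 describe-vpn-connections` and reports connections that do not have two tunnels in the UP state. The connection IDs and addresses in the sample are constructed.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpn-connections` output
# (IDs are made up; addresses use documentation ranges).
SAMPLE = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-0aaa1111example", "State": "available",
   "VgwTelemetry": [
     {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
     {"OutsideIpAddress": "203.0.113.20", "Status": "UP"}]},
  {"VpnConnectionId": "vpn-0bbb2222example", "State": "available",
   "VgwTelemetry": [
     {"OutsideIpAddress": "198.51.100.10", "Status": "UP"},
     {"OutsideIpAddress": "198.51.100.20", "Status": "DOWN"}]},
  {"VpnConnectionId": "vpn-0ccc3333example", "State": "deleted",
   "VgwTelemetry": []}
]}
""")


def tunnel_report(response):
    """Map each available VPN connection to its UP/DOWN tunnel endpoints."""
    report = {}
    for conn in response.get("VpnConnections", []):
        if conn.get("State") != "available":
            continue  # skip pending/deleting/deleted connections
        up, down = [], []
        for tunnel in conn.get("VgwTelemetry", []):
            bucket = up if tunnel.get("Status") == "UP" else down
            bucket.append(tunnel.get("OutsideIpAddress"))
        report[conn["VpnConnectionId"]] = {
            "up": up,
            "down": down,
            # Redundant only when both tunnels of the connection are UP.
            "redundant": len(up) == 2 and not down,
        }
    return report


def not_redundant(response):
    """Connection IDs with fewer than two tunnels UP."""
    return sorted(vpn_id for vpn_id, r in tunnel_report(response).items()
                  if not r["redundant"])


if __name__ == "__main__":
    for vpn_id, r in tunnel_report(SAMPLE).items():
        print(vpn_id, "UP:", r["up"], "DOWN:", r["down"],
              "redundant" if r["redundant"] else "NOT redundant")
```

To run it against a real account, replace `SAMPLE` with the parsed output of `aws ec2 describe-vpn-connections --output json`.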

Note: If your device uses an active/active configuration, be sure to configure your device to tolerate asymmetric routing. For a list of devices that support BGP-based active/active tunnels, see Customer Gateway Devices We've Tested.



Published: 2016-09-15

Updated: 2018-05-29