How do I set an Active/Passive Direct Connect connection to AWS?
Last updated: 2022-02-22
When using Direct Connect to transport production workloads to and from AWS, it's a best practice to use dual Direct Connect connections using different data centers or providers.
Configure the following:
- Two routers to terminate the primary and secondary Direct Connect connections, to avoid a single point of device failure.
- A private virtual interface on each of the Direct Connect routers, each terminating to the same Amazon Virtual Private Cloud (Amazon VPC).
- High availability routing protocols (such as HSRP, VRRP, and GLBP) on the two routers, so that local servers can use multiple routers that act as a single virtual router. This configuration helps you maintain connectivity even if the primary router fails.
- An internal routing protocol (such as Border Gateway Protocol (BGP)) that learns routes from the Direct Connect external BGP gateways and distributes the prefixes to the internal BGP gateways.
- Active/Passive (failover). In this scenario, one connection handles traffic, and the other is on standby. If the active connection becomes unavailable, all traffic is routed through the passive connection. You must use Autonomous System (AS) prepending for the routes on one of your links to set it as the passive link.
For more information, see Configure redundant connections.
Note: Check your vendor documentation for commands that are specific to your network device.
Influencing outbound traffic from on premises using local preference
The local preference attribute is used to prefer an exit point from the local AS. If there are multiple exit points from the AS, the local preference attribute selects the exit point for a specific route: the route with the highest local preference value is chosen, before AS PATH length is considered.
Influencing inbound traffic to on premises using AS PATH prepending when the Direct Connect connections are located in the same AWS Region as the VPC
Note: AS PATH prepending doesn’t work when the Direct Connect connections are in different AWS Regions than the VPC.
Influencing inbound traffic to on premises using local preference BGP community tags when the Direct Connect connections aren't located in the same AWS Region as the VPC
- 7224:7100 = Low preference
- 7224:7200 = Medium preference
- 7224:7300 = High preference
To support Active/Passive functionality across multiple Direct Connect connections, apply a community tag with a higher preference to the prefixes for the primary or active virtual interface. Apply a community tag with a lower preference to the prefixes for the secondary or passive virtual interface.
For example, set the BGP community tags for your primary or active virtual interfaces to 7224:7300 (high preference). Then, set your secondary or passive virtual interfaces to 7224:7100 (low preference).
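The three mechanisms above (local preference for outbound traffic, AS PATH prepending for inbound traffic in the same Region, and the 7224:7x00 community tags for inbound traffic across Regions) can be checked against a reduced model of the BGP decision process. The following is an added example, not AWS code or a router configuration; the ASNs, prefixes and the numeric local-preference values assigned to the community tags are assumptions, since the article documents only their relative order.

```python
from dataclasses import dataclass, field

# Assumed numeric values for the AWS community tags named in the article; AWS
# documents only their relative order (low / medium / high).
COMMUNITY_LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
ON_PREM_ASN, AWS_ASN = 65000, 64512                 # assumed ASNs for the two sides
ON_PREM_PREFIX, VPC_PREFIX = "10.0.0.0/16", "172.31.0.0/16"   # constructed prefixes

@dataclass
class Route:
    prefix: str
    link: str                       # Direct Connect virtual interface the route arrived on
    as_path: list                   # leftmost AS is the advertising neighbour
    local_pref: int = 100           # BGP default when no policy sets it
    communities: list = field(default_factory=list)

def apply_community_local_pref(route):
    """Receiving side (AWS): a 7224:7x00 tag on an inbound route sets its LOCAL_PREF."""
    prefs = [COMMUNITY_LOCAL_PREF[c] for c in route.communities if c in COMMUNITY_LOCAL_PREF]
    route.local_pref = max(prefs, default=route.local_pref)
    return route

def best_paths(routes, honour_as_path=True):
    """Reduced BGP decision process: highest LOCAL_PREF, then shortest AS_PATH. Returns every
    link still tied, so an ineffective policy shows up as a tie; honour_as_path=False models
    the cross-Region case where prepending is ignored."""
    top = max(r.local_pref for r in routes)
    tied = [r for r in routes if r.local_pref == top]
    if honour_as_path:
        shortest = min(len(r.as_path) for r in tied)
        tied = [r for r in tied if len(r.as_path) == shortest]
    return sorted(r.link for r in tied)

def inbound_links(same_region, use_prepend, use_communities, primary_up=True):
    """Links AWS uses towards ON_PREM_PREFIX under the article's inbound policies."""
    primary = Route(ON_PREM_PREFIX, "dx-primary", [ON_PREM_ASN],
                    communities=["7224:7300"] if use_communities else [])
    passive = Route(ON_PREM_PREFIX, "dx-passive", [ON_PREM_ASN],
                    communities=["7224:7100"] if use_communities else [])
    if use_prepend:                                  # AS PATH prepend on the passive link only
        passive.as_path = [ON_PREM_ASN] * 3 + passive.as_path
    advertised = ([primary] if primary_up else []) + [passive]
    return best_paths([apply_community_local_pref(r) for r in advertised], same_region)

def outbound_links(primary_up=True):
    """Links on-prem uses towards VPC_PREFIX: inbound policy sets LOCAL_PREF 200 on the primary VIF."""
    learned = [Route(VPC_PREFIX, "dx-primary", [AWS_ASN], local_pref=200)] if primary_up else []
    learned.append(Route(VPC_PREFIX, "dx-passive", [AWS_ASN]))        # keeps default 100
    return best_paths(learned)
```

Calling `inbound_links(False, True, False)` returns both links tied, which is the cross-Region case where prepending alone does not make one link passive; adding the community tags resolves it.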