How Does AWS Handle Preferred VPN Paths in AWS-to-AWS IPsec Connections?

Asked By CuriousCoder42 On

I'm curious about setting up redundant IPsec VPNs between AWS instances using BGP. I've typically relied on BGP attributes on my on-prem or third-party firewalls to influence the preferred tunnels for incoming and outgoing traffic. However, in an AWS-to-AWS setup, it seems like there's no way to tweak BGP attributes like local preference, MED, or weight. With this limitation in mind, how does AWS decide which VPN path to prefer when multiple tunnels are available? I've checked the AWS documentation, but it mainly focuses on AWS to on-premise configurations and doesn't cover AWS-to-AWS VPNs using BGP. Any insights would be appreciated!

4 Answers

Answered By SupportSeeker88 On

I can't give you a definitive answer, but have you considered reaching out to a Technical Account Manager (TAM)? They can help connect you with the product team to get more detailed insights on your question.

Answered By CloudGuru21 On

You might be overcomplicating things a bit. Within AWS, you can utilize Transit Gateway, VPC peering, or Private Link, including VPC Lattice, as alternatives. These methods can simplify your setup and management without the need for complex BGP configurations.

Answered By DevOpsDynamo On

VPC Peering could be the way to go. In BGP setups, AWS does take AS-Prepends and sometimes MED into account. If you’re planning to scale this beyond just a couple of VPCs, looking into Cloud WAN for managing your VPC to tunnel ratios might also be beneficial.

Answered By NetworkingNinja99 On

Unfortunately, you can't establish a proper AWS to AWS VPN using BGP. The issue is that AWS will use the lower of the two BGP peer IPs—like 169.254.x.9 and 169.253.x.10—which creates a conflict as both sides would try to use .9. As for AWS VPNs, the preferred tunnel generally depends on the BGP MED and AS-path received from the peer as well as the local preference set on their side. AWS doesn't provide options for altering BGP attributes on its own. But, if you route your AWS VPN through Cloud WAN, you can apply routing policies that might help regulate BGP attributes. Otherwise, another approach would be to set up an EC2 instance as the IPsec/BGP peer for more flexibility in changing BGP settings.
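The answer above lists the attributes that decide which tunnel carries traffic (local preference on the receiving side, AS-path and MED received from the peer) and points out that on an on-prem or EC2 peer you can still shape the result by prepending. The following is an added example, not code from the original thread or from AWS: a small model of the standard BGP best-path ordering for those three attributes, applied to constructed sample advertisements for one prefix over two tunnels. The tunnel names, ASNs and MED values are made up; the final tie-break on tunnel name is a stand-in for the further steps (origin, router ID and so on) a real router would apply, which the thread does not cover.

```python
"""
BGP best-path selection over two VPN tunnels, reduced to the attributes
discussed in the thread: local preference, AS-path length and MED.
Added illustration; not AWS's implementation. All values are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class TunnelRoute:
    """One advertisement for a prefix received over one VPN tunnel."""
    tunnel: str
    prefix: str
    local_pref: int            # assigned by the receiving router, not carried over eBGP
    as_path: List[int]         # as received; prepending by the sender lengthens it
    med: Optional[int] = None  # lower wins; a missing MED is treated as 0 here


def best_path(routes: List[TunnelRoute]) -> Optional[TunnelRoute]:
    """Return the preferred route for a single prefix.

    Ordering (standard BGP decision steps for these attributes):
      1. highest local preference
      2. shortest AS-path
      3. lowest MED
    A final, constructed tie-break on tunnel name keeps the result deterministic;
    real routers continue with origin, router ID, etc.
    """
    if not routes:
        return None
    if len({r.prefix for r in routes}) != 1:
        raise ValueError("best_path compares advertisements for one prefix only")

    def key(r: TunnelRoute):
        med = r.med if r.med is not None else 0
        return (-r.local_pref, len(r.as_path), med, r.tunnel)

    return min(routes, key=key)


def with_prepend(route: TunnelRoute, asn: int, count: int) -> TunnelRoute:
    """What the advertising peer can do: prepend its ASN to make a tunnel less attractive."""
    return replace(route, as_path=[asn] * count + list(route.as_path))


def with_local_pref(route: TunnelRoute, pref: int) -> TunnelRoute:
    """What only the receiving router can do: raise local preference for one tunnel."""
    return replace(route, local_pref=pref)


def sample_routes() -> List[TunnelRoute]:
    """Constructed sample: the same prefix learned over two tunnels from AS 65000."""
    return [
        TunnelRoute("tunnel-1", "10.0.0.0/16", local_pref=100, as_path=[65000], med=50),
        TunnelRoute("tunnel-2", "10.0.0.0/16", local_pref=100, as_path=[65000], med=100),
    ]


def preferred_tunnel(routes: List[TunnelRoute]) -> str:
    """Convenience wrapper returning just the winning tunnel's name."""
    chosen = best_path(routes)
    return chosen.tunnel if chosen else ""


if __name__ == "__main__":
    routes = sample_routes()
    print("baseline (MED decides):      ", preferred_tunnel(routes))
    routes[0] = with_prepend(routes[0], 65000, 2)
    print("after prepending on tunnel-1:", preferred_tunnel(routes))
    routes[0] = with_local_pref(routes[0], 200)
    print("after local-pref on tunnel-1:", preferred_tunnel(routes))
```

Running it shows the ordering the answer describes: with equal local preference and AS-path, the lower MED wins; prepending on the sending side overrides MED by lengthening the path; and a local-preference change on the receiving side overrides both, which is exactly the knob an AWS-managed VPN endpoint does not expose.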
