AWS Direct Connect and VPN Backup: Preferred Path Configuration

Ensure AWS Direct Connect is the Preferred Path


Question

Your company plans to create a Direct Connect connection and have a VPN as a backup connection.

Which of the following must be done to ensure that the AWS Direct Connect connection is the preferred path?


Answer - A.

By default, AWS will choose AWS Direct Connect.

To ensure the architecture fails over properly, the AWS documentation lists the following points.

To configure the hardware VPN as a backup for your Direct Connect connection:

· Be sure that you use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC.

· If you are configuring a Border Gateway Protocol (BGP) VPN, advertise the same prefix for Direct Connect and the VPN.

· If you are configuring a static VPN, add the same static prefixes to the VPN connection that you are announcing with the Direct Connect virtual interface.

· If you are advertising the same routes toward the AWS VPC, the Direct Connect path is always preferred, regardless of AS path prepending.

Options B, C and D are incorrect because these are not the right configurations when configuring an active/passive connection with AWS Direct Connect and AWS VPN.

For more information on these points, please refer to the URL below.

https://aws.amazon.com/premiumsupport/knowledge-center/configure-vpn-backup-dx/

To ensure that the AWS Direct Connect connection is the preferred path, you need to configure the routing such that the Direct Connect connection is chosen over the VPN connection.

To accomplish this, the following steps can be taken:

  1. Ensure that the prefixes are advertised the same on both connections: When advertising prefixes over Direct Connect and VPN, make sure that the prefixes are advertised in the same way on both connections. If the prefixes are advertised differently, there can be routing inconsistencies that may cause traffic to be routed over the VPN instead of Direct Connect.

  2. Ensure that the longest prefix is advertised on AWS Direct Connect: The length of the prefix determines the priority when choosing the preferred path. If there are multiple routes to the same destination, the route with the longest prefix is preferred. Therefore, ensure that the longest prefix is advertised over Direct Connect.

  3. Avoid AS_PATH prepending on AWS Direct Connect: AS_PATH prepending is a method of manipulating the BGP attributes to influence the path selection process. In some cases, it may be used to make a certain path less desirable. However, in this case, you want to make sure that Direct Connect is the preferred path, so avoid AS_PATH prepending on Direct Connect.

  4. Avoid advertising the shortest prefix on Direct Connect: If the shortest prefix is advertised on Direct Connect, it may be selected as the preferred path. In this case, you want to make sure that the Direct Connect connection is the backup path, so avoid advertising the shortest prefix on Direct Connect.

In summary, the correct answer is A: Ensure that prefixes are advertised the same on both connections, and B: Ensure that the longest prefix is advertised on AWS Direct Connect.
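As an added example (not from the page or from AWS), the following Python models the path selection described above: longest prefix wins, then Direct Connect beats the VPN regardless of AS_PATH length, and AS_PATH only breaks ties within the same path type. It also includes a check that flags prefixes advertised inconsistently on the two paths, the misconfiguration that lets traffic leak onto the VPN. The prefixes and AS numbers are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # constructed on-premises prefix, e.g. "10.0.0.0/16"
    source: str      # "direct_connect" or "vpn"
    as_path: tuple   # constructed AS_PATH; repeated ASNs model prepending


def select_path(routes, dest_ip):
    """Return the route the virtual private gateway would use for dest_ip.

    Preference order modelled from the page: (1) longest prefix match,
    (2) Direct Connect over VPN for equal prefixes, ignoring AS_PATH,
    (3) shorter AS_PATH only as a tie-breaker within the same path type.
    """
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes
                  if ip in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (
        ipaddress.ip_network(r.prefix, strict=False).prefixlen,
        r.source == "direct_connect",
        -len(r.as_path)))


def check_backup_config(routes):
    """Flag advertisements that would stop Direct Connect being the preferred
    path with the VPN as a pure backup. Returns a list of finding strings."""
    dx = {ipaddress.ip_network(r.prefix, strict=False)
          for r in routes if r.source == "direct_connect"}
    vpn = {ipaddress.ip_network(r.prefix, strict=False)
           for r in routes if r.source == "vpn"}
    findings = []
    for p in sorted(vpn - dx):
        if any(p.subnet_of(d) for d in dx):
            # A more specific prefix on the VPN wins longest-prefix match,
            # so traffic to it bypasses Direct Connect even while it is up.
            findings.append(f"{p} is advertised only over VPN and is more "
                            f"specific than a Direct Connect prefix")
        else:
            findings.append(f"{p} is advertised over VPN but not Direct Connect")
    for p in sorted(dx - vpn):
        findings.append(f"{p} is advertised over Direct Connect but not VPN; "
                        f"it has no backup path")
    return findings
```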