AWS Direct Connect for Dynamic VPN Link Preference

Prefer AWS Direct Connect for Dynamic VPN Link Traffic


Question

An oil & gas company has set up a dynamic VPN link to AWS VGW for accessing web applications deployed in AWS VPC.

They have commissioned AWS Direct Connect to the AWS VGW from the customer-end Cisco router to meet higher bandwidth requirements.

When the server team tried to reach servers in the VPC private subnet, they found that the traffic was flowing through the VPN link, not through the Direct Connect link, and this was impacting performance.

As a Network Engineer, you found that prefixes with the same prefix length have been advertised over both the VPN and AWS Direct Connect links.

What additional check would you do to prefer AWS Direct Connect?

Answers

Explanations


A. Modify BGP weight lower for VPN links so that AWS Direct Connect links are preferred.

B. Modify BGP ASN for both VPN & AWS Direct Connect links.

C. Add AS Path Prepend to VPN links so that the AWS Direct Connect link is preferred.

D. Modify BGP Local Preference to higher values for VPN links so that the AWS Direct Connect link is preferred.

Correct Answer - A.

The weight attribute is local to the router, and the path with the higher weight is preferred.

In the above case, since both the VPN links and the AWS Direct Connect links terminate on the same router and the same prefixes are advertised over both, the router will prefer the AWS Direct Connect links.

The VPN link will be preferred only if the weight on the VPN links is higher than on the AWS Direct Connect links.

To prefer the AWS Direct Connect links for outbound traffic, the weight attribute can be modified so that the VPN links have a lower weight than the AWS Direct Connect links.

With a lower weight on the VPN links, they become backup links, and traffic will flow out over them only if the AWS Direct Connect links are down.

Option B is incorrect, as a different ASN for the VPN and AWS Direct Connect links is not required.

Option C is incorrect, as adding an AS path prepend affects incoming traffic, not outgoing traffic.

Option D is incorrect, as setting a higher Local Preference on the VPN links will cause those links to be preferred, not the AWS Direct Connect links.

Reference:

https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf#VPC_VPN

https://docs.aws.amazon.com/directconnect/latest/UserGuide/dc-ug.pdf

The issue is that traffic to the servers in the VPC private subnet is being sent through the VPN link instead of the Direct Connect link, which is impacting performance. This happens because both the VPN and Direct Connect links advertise the same prefixes with the same prefix length, so the choice is left to BGP (Border Gateway Protocol) path selection, which must be influenced to prefer the Direct Connect link.

BGP is a protocol used for exchanging routing information between different Autonomous Systems (AS). In this scenario, the AS of the oil & gas company is exchanging routing information with AWS VPCs using BGP. BGP has several attributes that can be used to select the best path for routing. These attributes include:

  1. Weight: This is a Cisco proprietary attribute that is local to the router. It is used to indicate a preference for a particular path. The path with the highest weight is preferred.

  2. Local preference: This attribute is used to indicate the preference for a particular path within the same AS. The path with the highest local preference is preferred.

  3. AS path: This attribute is used to prevent routing loops. It specifies the ASes that the path has traversed. Paths with shorter AS paths are preferred.

  4. Origin: This attribute is used to indicate the origin of the route. Paths with a lower origin type are preferred.

  5. MED (Multi-Exit Discriminator): This attribute is used to indicate the preferred path for traffic exiting the AS. Paths with lower MED values are preferred.
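The following Python model is an added illustration for both the weight explanation above and this attribute list; it is not code from the original page, AWS or Cisco. It models the customer router's decision for the constructed VPC prefix 10.0.0.0/16 (placeholder AWS-side ASN 64512, sample destination 10.0.5.10): longest-prefix match runs first, then the five attributes above are compared in Cisco order, so weight decides before local preference.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    """One BGP path for a prefix as seen in the customer router's table."""
    prefix: str
    link: str                   # neighbor the path was learned from: "vpn" or "dx"
    weight: int = 0             # Cisco-local attribute, never advertised; highest wins
    local_pref: int = 100       # shared inside the AS; highest wins
    as_path: tuple = (64512,)   # placeholder AS numbers the path traversed; shortest wins
    origin: int = 0             # 0 IGP, 1 EGP, 2 incomplete; lowest wins
    med: int = 0                # lowest wins


def best_path(paths):
    """Apply the first five Cisco best-path tie-breakers in order: weight,
    local preference, AS-path length, origin, MED. An earlier attribute
    decides before a later one is looked at. Full ties fall back to table
    order here; a real router would continue with eBGP/IGP/router-ID checks."""
    return min(paths, key=lambda r: (-r.weight, -r.local_pref,
                                     len(r.as_path), r.origin, r.med))


def select(rib, destination):
    """Longest-prefix match precedes BGP best path: only paths with the
    longest matching prefix length reach the attribute comparison."""
    addr = ip_address(destination)
    hits = [r for r in rib if addr in ip_network(r.prefix)]
    longest = max(ip_network(r.prefix).prefixlen for r in hits)
    return best_path([r for r in hits if ip_network(r.prefix).prefixlen == longest])


def outbound_link(vpn_weight=0, dx_weight=0, vpn_local_pref=100, vpn_prefix="10.0.0.0/16"):
    """Constructed scenario: the VPC private subnet learned over both links.
    Returns the link a packet to 10.0.5.10 would leave the customer router on."""
    rib = [
        Route(vpn_prefix, "vpn", weight=vpn_weight, local_pref=vpn_local_pref),
        Route("10.0.0.0/16", "dx", weight=dx_weight),
    ]
    return select(rib, "10.0.5.10").link


if __name__ == "__main__":
    print(outbound_link(vpn_weight=50, dx_weight=200))                  # option A
    print(outbound_link(vpn_weight=50, dx_weight=200, vpn_local_pref=300))  # weight still wins
    print(outbound_link(vpn_local_pref=200))                            # option D, wrong way round
    print(outbound_link(vpn_weight=50, dx_weight=200, vpn_prefix="10.0.5.0/24"))  # longer prefix wins
```

The last case shows the precondition in the question: if the VPN side advertised a more specific prefix, longest-prefix match would send traffic over the VPN regardless of weight.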

Based on the above attributes, we can use the following methods to prefer the Direct Connect link over the VPN link:

A. Modify BGP weight lower for VPN Links so that AWS Direct Connect links are preferred.

This option involves setting a lower weight for the VPN link than for the Direct Connect link. The path with the higher weight is preferred, so the Direct Connect link will be preferred over the VPN link. However, this method is not recommended, as weight is a Cisco proprietary attribute and is not universally supported by all routers.

B. Modify BGP ASN for both VPN & AWS Direct Connect links.

This option involves changing the ASN (Autonomous System Number) for both the VPN and Direct Connect links. This method is not recommended, as it can disrupt the existing routing infrastructure and is a complex solution.

C. Add AS Path Prepend to VPN Links so that the AWS Direct Connect link is preferred.

This option involves adding extra AS numbers to the AS path advertised over the VPN link. This makes the VPN path appear longer than the Direct Connect path, so the Direct Connect link will be preferred. This method is recommended as a simple and effective solution.

D. Modify BGP Local Preference to higher values for VPN links so that the AWS Direct Connect link is preferred.

This option involves setting a higher local preference for the Direct Connect link than the VPN link. The path with the higher local preference is preferred, so the Direct Connect link will be preferred over the VPN link. However, this method is not recommended as local preference is only used within the same AS, and it may not be effective in this scenario.

Therefore, the best option in this scenario is to use option C, add AS Path Prepend to VPN Links so that the AWS Direct Connect link is preferred. This is a simple and effective solution that will ensure traffic is routed through the Direct Connect link, improving performance.