Ian Rushton
asked on
AWS VPN Quandary
I have a client environment within AWS that uses a Direct Connect solution to connect to an external resource. I have now been asked to create a VPN connection to the environment for a new resource for the web solution.
We currently have the Direct Connect connection associated with a Virtual Private Gateway, which is attached to the VPC in which the solution resides.
Having not had a massive amount of experience with this part of AWS, I'm a little unsure how I can proceed. From reading, I can only have one VPG attached to a VPC at any one time, so creating a second VPG and creating the VPN connection on that is not possible. But if I create a new VPN connection on the existing VPG, will this work, and how will the routing for this work to decide what traffic goes where after I add a route to the VPG for VPN traffic?
ASKER
That's great - was worried it might affect the Direct Connect associated with that VPG
"When a virtual private gateway receives routing information, it uses path selection to determine how to route traffic to your remote network. Longest prefix match applies; otherwise, the following rules apply:
If any propagated routes from a VPN connection or AWS Direct Connect connection overlap with the local route for your VPC, the local route is most preferred even if the propagated routes are more specific.
If any propagated routes from a VPN connection or AWS Direct Connect connection have the same destination CIDR block as other existing static routes (longest prefix match cannot be applied), we prioritize the static routes whose targets are an Internet gateway, a virtual private gateway, a network interface, an instance ID, a VPC peering connection, a NAT gateway, or a VPC endpoint.
If you have overlapping routes within a VPN connection and longest prefix match cannot be applied, then we prioritize the routes as follows in the VPN connection, from most preferred to least preferred:
BGP propagated routes from an AWS Direct Connect connection
Manually added static routes for a VPN connection
BGP propagated routes from a VPN connection"
Hope this helps....
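As an added worked example (not from the original thread and not AWS code), here are the priority rules quoted above modelled as a small route-selection function in Python. The route table, the source labels ("local", "static", "dx_propagated", "vpn_static", "vpn_propagated") and the target names are constructed to mirror the asker's situation: one VGW carrying both the existing Direct Connect and the new VPN connection, with route propagation enabled on the VPC route table. Addresses are documentation ranges chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Preference order used when longest-prefix match cannot decide, most
# preferred first. The order follows the AWS rules quoted in the answer;
# the source labels themselves are this example's own naming (assumption).
SOURCE_PRIORITY = {
    "local": 0,           # the VPC's own CIDR
    "static": 1,          # static route table entry (IGW, VGW, ENI, peering, NAT, endpoint)
    "dx_propagated": 2,   # BGP route propagated from Direct Connect
    "vpn_static": 3,      # static route configured on a VPN connection
    "vpn_propagated": 4,  # BGP route propagated from a VPN connection
}
PROPAGATED = {"dx_propagated", "vpn_static", "vpn_propagated"}


@dataclass(frozen=True)
class Route:
    cidr: str
    source: str   # one of SOURCE_PRIORITY
    target: str   # descriptive next hop, e.g. "dx-existing-resource"


def select_route(routes, dest_ip):
    """Return the Route a VGW-attached route table would pick for dest_ip, or None."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(r.cidr, strict=False), r) for r in routes]
    matches = [(n, r) for n, r in matches if dest in n]
    if not matches:
        return None
    # Rule 1: the local route beats any overlapping propagated route, even a
    # more specific one, so drop propagated candidates when local matches.
    if any(r.source == "local" for _, r in matches):
        matches = [(n, r) for n, r in matches if r.source not in PROPAGATED]
    # Rule 2: longest prefix match among what remains.
    longest = max(n.prefixlen for n, _ in matches)
    tied = [r for n, r in matches if n.prefixlen == longest]
    # Rule 3: equal-length prefixes are ordered static > DX BGP > VPN static > VPN BGP.
    return min(tied, key=lambda r: SOURCE_PRIORITY[r.source])


# Constructed route table (not a real account): one VGW carrying the existing
# Direct Connect and a new VPN connection, both propagating into the VPC table.
ROUTES = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "static", "igw"),
    Route("192.168.0.0/16", "dx_propagated", "dx-existing-resource"),
    Route("192.168.0.0/16", "vpn_propagated", "vpn-new-resource"),
    Route("192.168.50.0/24", "vpn_static", "vpn-new-resource"),
    Route("10.0.1.0/24", "vpn_propagated", "vpn-new-resource"),
]


def demo(routes=ROUTES):
    """Map a few destinations to the chosen target."""
    probes = ["10.0.1.5", "192.168.50.10", "192.168.7.1", "8.8.8.8"]
    return {ip: select_route(routes, ip).target for ip in probes}


if __name__ == "__main__":
    for ip, target in demo().items():
        print(f"{ip:>15} -> {target}")
```

Running it shows the three behaviours the quoted rules describe: the more specific VPN static route wins for 192.168.50.0/24, the Direct Connect BGP route wins the tie on 192.168.0.0/16 over the same prefix learned from the VPN, and a prefix propagated by the VPN that overlaps the VPC CIDR cannot displace the local route. This models the published rule text only; confirm against the propagated entries in the actual VPC route table before relying on it.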