If you’re looking to set up a reliable connection between your on-premises network and AWS using a Site-to-Site VPN with failover capabilities, here’s a straightforward approach to get it done smoothly.
You have two physical VPN devices—one primary and one secondary—each connected to two Internet Service Providers (ISPs): ISP A (main) and ISP B (backup). Each device has its own public IP address, which stays the same even when switching lines.
Your main goal is to prioritize the ISP A line on your primary device. If ISP A goes down, the connection should automatically switch to ISP B on the same device. And if the primary device fails for any reason, the secondary device should take over, maintaining a seamless connection.
To achieve this, using BGP (Border Gateway Protocol) is your best option. BGP is designed for dynamic routing and can automatically reroute traffic based on network health, making it ideal for failover scenarios like yours.
Here’s a simplified plan:
- Configure BGP on both local on-premises gateways and the AWS Transit Gateway (TGW). Set up BGP sessions between your VPN devices and AWS; this allows dynamic route exchange and automatic failover.
- Prioritize ISP A in your BGP settings. Give ISP A a lower BGP local preference or route weight so it remains the primary path. When ISP A becomes unavailable, BGP will automatically begin routing traffic through ISP B.
- Set up BGP on your devices to advertise only the preferred routes initially. This way, the active path stays through ISP A unless it fails, at which point BGP will switch to ISP B.
- Configure your secondary VPN device similarly, but ensure it only advertises routes if the primary device fails. This approach guarantees that the second device takes over only when needed.
- Decide between BGP and static routing. Static routes are simpler but don't provide automatic failover. BGP, while slightly more complex to configure, offers dynamic failover, which is essential for maintaining uptime without manual intervention.
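The failover order in the plan above can be encoded in BGP path attributes and checked before touching a live device. The following is an added example (Python, not code from the original post or from AWS) that models the four tunnels with constructed values and applies the standard BGP decision order: AWS picks the live tunnel with the shortest AS_PATH toward on-premises, and the on-premises gateway picks the live tunnel with the highest LOCAL_PREF toward AWS. ONPREM_ASN and the preference values are assumptions.

```python
from dataclasses import dataclass

ONPREM_ASN = 65000  # assumed on-premises ASN (constructed placeholder)
# Failover order from the text: primary/A, primary/B, secondary/A, secondary/B.
PRIORITY = [("primary", "ISP A"), ("primary", "ISP B"),
            ("secondary", "ISP A"), ("secondary", "ISP B")]

@dataclass(frozen=True)
class Tunnel:
    device: str
    isp: str
    local_pref: int  # on-prem -> AWS direction: higher LOCAL_PREF wins
    as_path: tuple   # as advertised to AWS: shorter AS_PATH wins
    up: bool = True

def plan_tunnels():
    """Encode PRIORITY in BGP attributes: each backup rank gets one more
    AS_PATH prepend (seen by AWS) and 100 less LOCAL_PREF (used on-prem)."""
    return [Tunnel(device, isp, 400 - 100 * rank, (ONPREM_ASN,) * (rank + 1))
            for rank, (device, isp) in enumerate(PRIORITY)]

def aws_best(tunnels):
    """Tunnel AWS uses toward on-prem: among live tunnels, shortest AS_PATH."""
    live = [t for t in tunnels if t.up]
    return min(live, key=lambda t: len(t.as_path), default=None)

def onprem_best(tunnels):
    """Tunnel on-prem uses toward AWS: among live tunnels, highest LOCAL_PREF."""
    live = [t for t in tunnels if t.up]
    return max(live, key=lambda t: t.local_pref, default=None)

def fail(tunnels, device=None, isp=None):
    """Mark every tunnel on the given device and/or ISP down: a dropped BGP
    session withdraws its routes, so that path leaves best-path selection."""
    return [Tunnel(t.device, t.isp, t.local_pref, t.as_path,
                   t.up and t.device != device and t.isp != isp)
            for t in tunnels]

def failover_sequence():
    """(device, isp) carrying traffic under each failure; None if nothing is up."""
    base = plan_tunnels()
    scenarios = {
        "all up": base,
        "ISP A down": fail(base, isp="ISP A"),
        "primary device down": fail(base, device="primary"),
        "primary and ISP A down": fail(fail(base, device="primary"), isp="ISP A"),
        "everything down": fail(fail(base, device="primary"), device="secondary"),
    }
    return {name: ((t.device, t.isp) if (t := aws_best(ts)) else None)
            for name, ts in scenarios.items()}
```

How quickly the switch happens on real devices is bounded by the BGP hold timer of the session that dropped, so check that value when measuring failover time.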
By following this setup, you’ll create a resilient, active-standby VPN connection that switches seamlessly between ISPs and devices, ensuring continuous access to AWS resources even if one part of the network encounters issues.
This configuration offers a practical and robust way to maintain your network’s stability and performance, leveraging BGP’s strengths in dynamic routing and failover management.