VPN connection as a backup to AWS DX connection example - Hybrid Connectivity

VPN connection as a backup to AWS DX connection example

In some scenarios, a VPN connection can be selected to provide a backup hybrid network connection to an AWS DX connection. Typically, this connectivity model is driven by cost, because it provides a lower level of reliability for the overall hybrid connectivity solution for the reasons discussed earlier in this whitepaper, such as non-deterministic performance over the internet. No SLA can be obtained for a connection over the public internet. It is nonetheless a valid and cost-effective connectivity model, and should be used when cost is the top priority and the budget is limited, or possibly as an interim solution until a secondary DX connection is provisioned. Figure 15 illustrates the design of this connectivity model.

One key consideration with this design, where both the VPN and DX connections terminate on the same AWS Transit Gateway, is that a VPN connection can advertise a higher number of routes than can be advertised over a DX connection attached to AWS Transit Gateway via a DXGW (the DXGW allowed-prefixes list). For more information, see Allowed prefixes interactions. Because the DX path typically carries only summarized prefixes while the VPN path carries every route in the Transit Gateway route table, the on-premises router may learn more specific routes over the VPN and prefer them for return traffic, even though the Transit Gateway sends traffic toward on premises over DX. The result is asymmetric routing. One simple way to avoid this is to configure inbound route filtering on the customer gateway device (CGW) for routes received over the VPN connection so that, for example, only the summary route(s) is accepted.


To create the summary route on the AWS Transit Gateway, specify a static route for the summary prefix in the AWS Transit Gateway route table, pointing to an arbitrary attachment that you don’t plan to delete anytime soon, so that the summary is advertised over the VPN connection alongside the more specific routes. Otherwise, if the CGW filters out the specific routes, it will receive no aggregate route over the VPN, the VPN path will carry no routes at all, and there will be no backup.

From the AWS Transit Gateway routing table point of view, the routes for the on-premises prefix received over the AWS DX connection (via DXGW) and over the VPN have the same prefix length and are both propagated dynamically over BGP. Following the route evaluation order of AWS Transit Gateway (in which, for equal prefix length, routes received over Direct Connect have a higher preference than routes received over a dynamic Site-to-Site VPN), the path over AWS Direct Connect is the preferred way to reach the on-premises network(s), and the VPN path is used only when the Direct Connect route is withdrawn.
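The following script is an added example, not part of the whitepaper and not AWS code. It simulates route selection on both ends of the design just described: the Transit Gateway side (most specific prefix first, then static before propagated, then Direct Connect before VPN) and the customer gateway side (longest prefix, then highest BGP LOCAL_PREF). It runs three variants of the constructed topology to show the asymmetric-routing pitfall from the allowed-prefixes discussion, why filtering the VPN specifics alone removes the backup, and how the static summary route in the Transit Gateway route table fixes it. All prefixes, attachment IDs, LOCAL_PREF values and the assumption that the Transit Gateway does not reflect on-premises routes back over the VPN are constructed for illustration.

```python
"""Simulate TGW and CGW route selection for a DX-primary / VPN-backup design.

Constructed example: prefixes, attachment IDs and LOCAL_PREF values are not from
any real deployment. The TGW evaluation order follows the AWS Transit Gateway
documentation: most specific prefix wins; for equal length, static beats
propagated; propagated routes rank VPC > Direct Connect gateway > Connect > VPN.
"""
from ipaddress import ip_address, ip_network

TGW_SOURCE_RANK = {"static": 0, "vpc": 1, "dx": 2, "connect": 3, "vpn": 4}


def tgw_best_route(tgw_routes, dst):
    """tgw_routes: list of (prefix, source, attachment). Returns winner or None."""
    dst_ip = ip_address(dst)
    cands = [r for r in tgw_routes if dst_ip in ip_network(r[0])]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ip_network(r[0]).prefixlen, TGW_SOURCE_RANK[r[1]]))


def tgw_advertised_over_vpn(tgw_routes):
    """Routes the TGW sends to the VPN neighbor from the attachment's route table.
    Assumption (simplification): routes learned from on premises (dx/vpn) are not
    reflected back, so only VPC-propagated and static routes are advertised."""
    return [p for p, src, _ in tgw_routes if src in ("vpc", "static")]


def cgw_best_route(rib, dst):
    """rib: list of (prefix, neighbor, local_pref). Longest prefix, then LOCAL_PREF."""
    dst_ip = ip_address(dst)
    cands = [r for r in rib if dst_ip in ip_network(r[0])]
    if not cands:
        return None
    return max(cands, key=lambda r: (ip_network(r[0]).prefixlen, r[2]))


def build_cgw_rib(vpn_prefixes, dx_prefixes, vpn_accept=None, dx_up=True):
    """CGW inbound policy: DX routes get LOCAL_PREF 200, VPN routes 100.
    vpn_accept, when given, is the prefix list accepted from the VPN neighbor;
    everything else received over the VPN is filtered."""
    rib = [(p, "dx", 200) for p in dx_prefixes] if dx_up else []
    for p in vpn_prefixes:
        if vpn_accept is None or p in vpn_accept:
            rib.append((p, "vpn", 100))
    return rib


# Constructed topology: two VPCs behind the TGW; on-premises 192.168.0.0/16 is
# learned over both DX (via DXGW) and VPN with the same prefix length.
VPC_ROUTES = [("10.1.0.0/16", "vpc", "tgw-attach-vpc-a"),
              ("10.2.0.0/16", "vpc", "tgw-attach-vpc-b")]
ONPREM_ROUTES = [("192.168.0.0/16", "dx", "tgw-attach-dxgw"),
                 ("192.168.0.0/16", "vpn", "tgw-attach-vpn")]
SUMMARY = "10.0.0.0/8"
DX_ALLOWED = [SUMMARY]  # DXGW allowed prefixes toward on premises: summary only


def scenario(filter_vpn, static_summary, dx_up=True):
    """Return which path each direction uses: AWS->on-prem and on-prem->AWS."""
    tgw_routes = VPC_ROUTES + [r for r in ONPREM_ROUTES if dx_up or r[1] != "dx"]
    if static_summary:
        # Static summary pointed at a long-lived attachment (ID is an assumption)
        # so the TGW advertises it over the VPN alongside the specifics.
        tgw_routes = tgw_routes + [(SUMMARY, "static", "tgw-attach-vpc-a")]
    rib = build_cgw_rib(tgw_advertised_over_vpn(tgw_routes), DX_ALLOWED,
                        vpn_accept=[SUMMARY] if filter_vpn else None, dx_up=dx_up)
    aws_to_onprem = tgw_best_route(tgw_routes, "192.168.1.10")
    onprem_to_aws = cgw_best_route(rib, "10.1.0.5")
    return {"aws_to_onprem": aws_to_onprem[1] if aws_to_onprem else None,
            "onprem_to_aws": onprem_to_aws[1] if onprem_to_aws else None}


if __name__ == "__main__":
    print("no filter, no summary :", scenario(False, False))   # asymmetric
    print("filter, no summary    :", scenario(True, False))
    print("filter, no summary, DX down:", scenario(True, False, dx_up=False))  # no backup
    print("filter + summary      :", scenario(True, True))
    print("filter + summary, DX down:", scenario(True, True, dx_up=False))
```

The first scenario reproduces the asymmetry: the Transit Gateway sends return traffic over DX, while the CGW prefers the /16 VPC routes it learned over the VPN. Filtering the VPN specifics without the static summary leaves the VPN neighbor contributing nothing, so a DX failure leaves on premises with no route at all. With both the filter and the static summary, the CGW sees the same /8 from both neighbors, uses DX by LOCAL_PREF, and falls back to the VPN when the DX route is withdrawn.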


Figure 1 – VPN connection as a backup to AWS DX connection example

The following decision tree guides you through the decisions needed to achieve resilient and reliable hybrid network connectivity. For more information, see Using the AWS Direct Connect Resiliency Toolkit to get started.


Figure 2 – Reliability decision tree