FortiGate-VM on AWS Discussions & Onboarding Information
FortDoog
New Contributor III

AWS DirectConnect and AWS IPSEC as backup with different prefixes. BGP

 

Good day,

With your help I was able to solve a previous issue with BGP over AWS IPSEC. Now, more than an issue, this may sound more like a workaround; here is the scenario.

 

I have both AWS DirectConnect (DxC) and AWS IPSEC VPNs. As some may know, using BGP with both products makes life easier, but there is a catch.

 

Let's say you have both the VPNs and the DirectConnect attached to a Transit Gateway (TGW). The subnets/routes that live in the TGW get propagated over the tunnels just fine, but on the DirectConnect the difference is that you have to define the prefixes that you want to propagate.

Meaning:

  • IPSEC VPNs: BGP propagates what the TGW has, everything.
  • DxC: there is a specific section in which you have to manually define a certain amount of routes.

Most of the examples I found say to have "the same prefixes" on both the TGW and the DirectConnect. Meaning:

If the TGW has x.x.x.x/xx, then on the DxC you need to manually configure the SAME x.x.x.x/xx. That's all good, BUT, let's say you want to be clever.

 

What IF all your VPCs in AWS can be summarized to x.x.x.x/zz, knowing that /zz envelops all your /xx subnets?

 

Let's put numbers on it:

  • x.x.x.x/16 are all your subnets; there are even smaller ones like /24, but you were clever and planned ahead. All the accounts/subnets, EVERYTHING, can be summarized with an x.x.x.x/11. My doubt is as follows:
    • the DxC has x.x.x.x/11 defined
    • the IPSEC VPNs have x.x.x.x/16 defined

How would you "tell" the firewall to give more preference to the DxC and have the IPSEC VPNs as failover?

 

[Image: BGP.jpg]

 

Now that I want to add the DxC to the mix, my theory goes (using what I have done before):

  • DxC: the Main.
  • IPSEC Main: backup for DxC (failover 1). If the DxC goes down, this tunnel takes over.
  • IPSEC Secondary: backup for DxC (failover 2). If the DxC goes down and the Main tunnel goes down, then this tunnel takes over.

All interfaces will be UP, so the BGP will dictate where the traffic should go to when something happens to the BGP session.

My planning for the configuration is as follows:

For the route map out, that's easy, as the prefix is the same for all three:

  Interface   AS prepending           Local preference
  DxC         No AS prepending        Maximum local preference
  IPSEC 1     Some AS prepending      Medium local preference
  IPSEC 2     All the AS prepending   Minimum local preference

 

For the route map in, that's where I get my doubt:

  Interface   Prefix
  DxC         x.x.x.x/11
  IPSEC 1     x.x.x.x/16
  IPSEC 2     x.x.x.x/16

 

Metric? Local Preference? I'm lost here, does anyone have any ideas?

"Well, hello there"
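An added example of the inbound/outbound route-map layout the post is asking about, written for FortiOS CLI; it is not the poster's configuration and not Fortinet reference material. One caveat that decides the design: BGP only compares local preference (or MED, AS-path length, weight) between paths for the same prefix. A /16 learned over an IPSEC tunnel and a /11 learned over DxC are different routes, both get installed, and the FIB then picks the /16 for any destination inside it by longest-prefix match, no matter what local preference the /11 carries. So for DxC to be the primary path, DxC has to advertise the same prefixes the tunnels do (add the /16s to the DxC allowed prefixes, or summarize the tunnels as well); the example assumes that has been done. Local preference is the attribute used on the route map in (it is local to the AS and is not sent to eBGP peers), while AS-path prepending is what shapes the return traffic on the route map out. Every AS number, peer address and object name below is an assumed placeholder.

```fortios
# Added example, not from the original post. Assumed values:
#   local AS 65000, AWS TGW AS 64512
#   DxC peer 169.254.100.1, IPSEC 1 peer 169.254.10.1, IPSEC 2 peer 169.254.20.1
# Inbound: local preference decides the outbound path (higher wins),
# and it only takes effect if all three peers send the SAME prefixes.
config router route-map
    edit "RM-DXC-IN"
        config rule
            edit 1
                set set-local-preference 300
            next
        end
    next
    edit "RM-VPN1-IN"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
    edit "RM-VPN2-IN"
        config rule
            edit 1
                set set-local-preference 100
            next
        end
    next
    # Outbound: AS-path prepending makes AWS prefer the return path
    # over DxC; the tunnels advertise a longer AS path.
    edit "RM-DXC-OUT"
        config rule
            edit 1
            next
        end
    next
    edit "RM-VPN1-OUT"
        config rule
            edit 1
                set set-aspath "65000"
            next
        end
    next
    edit "RM-VPN2-OUT"
        config rule
            edit 1
                set set-aspath "65000 65000"
            next
        end
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "169.254.100.1"
            set remote-as 64512
            set route-map-in "RM-DXC-IN"
            set route-map-out "RM-DXC-OUT"
        next
        edit "169.254.10.1"
            set remote-as 64512
            set route-map-in "RM-VPN1-IN"
            set route-map-out "RM-VPN1-OUT"
        next
        edit "169.254.20.1"
            set remote-as 64512
            set route-map-in "RM-VPN2-IN"
            set route-map-out "RM-VPN2-OUT"
        next
    end
end
```

To check the result, `get router info bgp network` lists every path received for each prefix with its local preference and marks the best one, and `get router info routing-table bgp` shows which next hop actually made it into the routing table. If a /16 appears there via a tunnel while DxC only offers the /11, the summary is not doing what was intended and the prefix sets on the two sides need to be aligned first. When the DxC session drops, its paths are withdrawn and the IPSEC 1 path becomes best for the same prefixes; when that one drops too, IPSEC 2 takes over, which is the failover order the post describes.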