
AWS Direct Connect on static route, and AWS VPN on BGP as failover

I have a little challenge at work.

We have an AWS Direct Connect (DxC) through a provider, meaning that we are tenants and we do not control the BGP towards AWS (we give the provider the networks and they advertise them to AWS through their router). So the connection goes:

  1. from our FW to the provider's router with static route;
  2. and with BGP between AWS and the provider.

The VPN, as usual, can be made with BGP, since our FW has a direct internet connection, so no problem there.

The issue is: how do I make a failover from the DxC towards the VPN connections?

  • I was thinking of using the link monitor, but it only works with static routes.
  • I cannot use BGP over the DxC because it is not directly connected to my FW, and the provider is the one advertising the routes, meaning that the AWS DxC BGP will see "flapping" between itself and the provider, but my FW will not see this flapping because it has a static route towards the provider's router (no BGP there).
    • Yes, it would be IDEAL if the provider enabled BGP between my FW and their router, but so far, they don't want to.

So, in summary:
The pickle:

  • AWS DxC <-> BGP <-> Provider's router <-> Static Route <-> FW

Point in favour:

  • AWS VPN <-> BGP over Internet <-> FW

What I want to do:

  • (AWS DxC on static route + AWS VPN as failover on BGP) <-> FW

Any ideas?

"Well, hello there"

Hello FortDoog,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Anthony-Fortinet Community Team.
