I have a little challenge at work.
We have a AWS Direct Connect (DxC) through a provider, meaning that we are tenants and we do not control the BGP towards AWS (we give the provider the networks and they advertise them to AWS through their router). So the connection goes:
- from our FW to the provider's router with static route;
- and with BGP between AWS and the provider.
The VPN as usual can be made with BGP, no problem, since our FW has direct internet connection, no problem there.
The issue is: how do I make a failover from the DxC towards the VPN connections?
- I was thinking using the link monitor but it only works with static routes.
- I cannot use bgp over the DxC because is not directly connected to my FW, and the provider is the one advertising the routes, meaning that AWS DxC bgp will see "flapping" between itself and the provider, but my FW will not see this flapping because it has a static route towards the provider's router (no bgp there).
- Yes, it would be IDEAL if the provider enabled BGP between my FW and their router, but so far, they don't want to.
So, in summary
The pickle:
- AWS DxC <- > BGP <-> Provider's router <-> Static Route <-> FW
Point in favour:
- AWS VPN <-> BGP over Internet <-> FW
What I want to do:
- (AWS DxC on static route + AWS VPN as failover on BGP) <-> FW
Any ideas?
