
ANS-C01: Resolving Asymmetric Routing Drops for ECMP Site-to-Site VPNs on AWS

Learn how to fix return traffic drops on active/active AWS Site-to-Site VPNs using ECMP by configuring the customer gateway to support asymmetric routing without reducing tunnel throughput.


Question

A company’s network engineer is configuring an AWS Site-to-Site VPN connection between a transit gateway and the company’s on-premises network. The Site-to-Site VPN connection is configured to use BGP over two tunnels in active/active mode with equal-cost multi-path (ECMP) routing activated on the transit gateway.

When the network engineer attempts to send traffic from the on-premises network to an Amazon EC2 instance, traffic is sent over the first tunnel. However, return traffic is received over the second tunnel and is dropped at the customer gateway. The network engineer must resolve this issue without reducing the overall VPN bandwidth.

Which solution will meet these requirements?

A. Configure the customer gateway to use AS PATH prepending and local preference to prefer one tunnel over the other.
B. Configure the Site-to-Site VPN options to set the first tunnel as the primary tunnel to eliminate asymmetric routing.
C. Configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing.
D. Configure the Site-to-Site VPN to use static routing in active/active mode to ensure that traffic flows over a preferred path.

Answer

C. Configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing.

Explanation

The solution that meets the requirements is C:

  • Configure the virtual tunnel interfaces (VTIs) on the customer gateway to allow asymmetric routing.

With ECMP enabled on the transit gateway, AWS distributes return traffic across both tunnels per flow, so a flow that left the on-premises network over tunnel 1 can legitimately come back over tunnel 2. The packet is dropped at the customer gateway, not by AWS: the device treats the return packet as arriving on the wrong interface, typically because a strict reverse-path (uRPF) check rejects a packet whose source is routed back out a different tunnel, or because a stateful firewall bound to the ingress interface has no matching session. Allowing asymmetric routing on the VTIs (for example, loose or disabled reverse-path filtering on the tunnel interfaces) lets these packets through. This will:

  • Allow return traffic to arrive over a different tunnel than the one the outbound traffic used
  • Keep both tunnels active, so the full aggregate bandwidth of the active/active VPN is retained
  • Require no BGP policy changes and no preference of one tunnel over the other

The other options do not fully meet the needs:

A – AS PATH prepending and local preference make one tunnel the preferred path. Traffic then flows symmetrically over a single tunnel, which is active/passive behaviour and halves the available VPN bandwidth, since each tunnel is limited to its own throughput.
B – Site-to-Site VPN tunnel options do not include a primary/secondary designation, and making one tunnel primary would in any case idle the other and reduce bandwidth.
D – ECMP on a transit gateway works only with BGP-based (dynamic) VPN connections. Switching to static routing loses ECMP and load balancing across tunnels, again reducing bandwidth to that of one tunnel.

Configuring the customer gateway for asymmetric routing resolves the dropped return traffic while keeping both tunnels in use, so the full active/active VPN bandwidth is preserved.
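The following is an added worked example, not code from the original page or from AWS. It models the reverse-path (uRPF) check that produces the drop described in the question and the per-interface setting that option C corresponds to. It assumes a Linux/strongSwan-style customer gateway whose behaviour follows the semantics of the `net.ipv4.conf.<iface>.rp_filter` sysctl (0 = off, 1 = strict, 2 = loose, with the larger of `conf.all` and `conf.<iface>` applied to an interface); the interface names `vti1`/`vti2`/`eth0`, the prefixes and the packets are constructed for the example.

```python
"""Model of the reverse-path (uRPF) check that drops asymmetric VPN return
traffic on a customer gateway, and of the per-interface setting that allows it.

Added example, not from the original page or from AWS. It assumes a
Linux/strongSwan-style customer gateway whose check follows the semantics of
net.ipv4.conf.<iface>.rp_filter (0 = off, 1 = strict, 2 = loose; the value
applied to an interface is the larger of conf.all and conf.<iface>). The
interface names, prefixes and packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")       # constructed: behind the transit gateway
ONPREM_CIDR = ipaddress.ip_network("192.168.0.0/16")  # constructed: on-premises LAN


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthop_ifaces: list   # more than one entry = ECMP/multipath route


@dataclass
class Packet:
    src: str
    dst: str
    ingress_iface: str


class CustomerGateway:
    def __init__(self, routes, rp_filter_all, rp_filter_iface):
        self.routes = routes
        self.rp_filter_all = rp_filter_all        # net.ipv4.conf.all.rp_filter
        self.rp_filter_iface = rp_filter_iface    # {iface: net.ipv4.conf.<iface>.rp_filter}

    def effective_rp_filter(self, iface):
        # Linux applies max(conf.all, conf.<iface>); lowering only the
        # interface value while conf.all is still 1 therefore changes nothing.
        return max(self.rp_filter_all, self.rp_filter_iface.get(iface, 0))

    def lookup(self, addr):
        """Longest-prefix match; returns None when there is no route."""
        addr = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def reverse_path_ok(self, pkt):
        """True if the packet passes the reverse-path check on its ingress interface."""
        mode = self.effective_rp_filter(pkt.ingress_iface)
        if mode == 0:
            return True                                    # check disabled
        route = self.lookup(pkt.src)
        if route is None:
            return False                                   # no way back to src at all
        if mode == 2:
            return True                                    # loose: any route suffices
        return pkt.ingress_iface in route.nexthop_ifaces   # strict: must be a next hop


def return_packet_accepted(rp_filter_all, vti_rp_filter, bgp_multipath):
    """Verdict for the return packet of a flow that left on-premises over vti1
    and came back from AWS over vti2 (the situation in the question).

    bgp_multipath=False models a customer gateway that installs only one best
    BGP path to the VPC; True models BGP multipath installing both tunnels."""
    vpc_nexthops = ["vti1", "vti2"] if bgp_multipath else ["vti1"]
    cgw = CustomerGateway(
        routes=[Route(VPC_CIDR, vpc_nexthops), Route(ONPREM_CIDR, ["eth0"])],
        rp_filter_all=rp_filter_all,
        rp_filter_iface={"vti1": vti_rp_filter, "vti2": vti_rp_filter},
    )
    ret = Packet(src="10.20.1.10", dst="192.168.5.25", ingress_iface="vti2")
    return cgw.reverse_path_ok(ret)


def sysctl_lines(ifaces, mode=2):
    """Per-interface settings that implement 'allow asymmetric routing' on the
    VTIs of a Linux customer gateway (loose mode keeps a basic sanity check)."""
    return [f"net.ipv4.conf.{i}.rp_filter={mode}" for i in ifaces]


if __name__ == "__main__":
    cases = [
        ("strict on VTIs, single best path (the reported drop)", 1, 1, False),
        ("loose on VTIs, single best path (option C)", 1, 2, False),
        ("VTIs set to 0 but conf.all still 1 (common mistake)", 1, 0, False),
        ("strict, BGP multipath installs both tunnels", 1, 1, True),
    ]
    for label, all_mode, vti_mode, mp in cases:
        verdict = "accepted" if return_packet_accepted(all_mode, vti_mode, mp) else "DROPPED"
        print(f"{label:55} -> {verdict}")
    print("\n".join(sysctl_lines(["vti1", "vti2"])))
```

On a Linux customer gateway the change itself is `sysctl -w net.ipv4.conf.vti1.rp_filter=2` and the same for `vti2`, keeping in mind that `net.ipv4.conf.all.rp_filter` overrides a lower per-interface value. The third case above shows why setting only the VTI value to 0 does not help while `conf.all` is still strict. The fourth case shows the alternative of having BGP install both tunnels as next hops, which also satisfies a strict check; other vendors expose an equivalent per-interface asymmetric-routing setting under their own names. Per-interface stateful firewall sessions are a separate cause of the same symptom and are not modelled here.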
