How Do I Configure Direct Connect and VPN Failover with Transit Gateway?

Introduction

When connecting on-premises environments to AWS, high availability and resiliency are critical. AWS recommends using Direct Connect (DX) as the primary connectivity option for predictable performance, with a Site-to-Site VPN as a backup for automatic failover.

In this blog, we’ll walk through how to configure AWS Transit Gateway to use Direct Connect as the primary path and VPN as the secondary failover path, ensuring uninterrupted connectivity between on-premises networks and AWS VPCs.


Architecture Overview

The solution uses the following AWS components:

  • AWS Transit Gateway (TGW) – Central hub for network routing

  • AWS Direct Connect Gateway – Primary private connectivity, attached to the Transit Gateway through a transit virtual interface on the DX connection

  • AWS Site-to-Site VPN – Secondary failover connectivity

  • Amazon VPC – Workloads hosted in AWS

  • Customer Gateway (CGW) – On-premises router/firewall

Traffic Flow Logic

  • Normal operation → Traffic flows via Direct Connect

  • DX failure → Traffic automatically fails over to VPN

  • DX recovery → Traffic switches back to Direct Connect


Step 1: Create a Transit Gateway

  1. Open the Amazon VPC Console

  2. In the navigation pane, choose Transit Gateways

  3. Click Create Transit Gateway

  4. Enter a Name tag

  5. Leave other settings as default, or adjust them to your requirements. If you disable Default route table association and Default route table propagation here, new attachments are not silently placed in the default route table and can go straight into the dedicated failover route table created in Step 5

  6. Choose Create Transit Gateway

⏳ Provisioning may take a few minutes.


Step 2: Attach the VPC to the Transit Gateway

  1. In the VPC Console, choose Transit Gateway Attachments

  2. Click Create Transit Gateway Attachment

  3. Select:

    • The Transit Gateway

    • The VPC ID

    • One subnet per Availability Zone

  4. Choose Create attachment

This allows the VPC to send and receive traffic through the Transit Gateway.


Step 3: Create a Site-to-Site VPN and Attach It to Transit Gateway

  1. In the VPC Console, choose Site-to-Site VPN Connections

  2. Click Create VPN Connection

  3. Enter a Name tag

  4. For Target Gateway Type, select Transit Gateway

  5. Choose the Transit Gateway

  6. Select an existing Customer Gateway, or create a new one by providing:

    • Public IP address of the on-premises device

    • BGP ASN of the on-premises device (a private ASN in the 64512–65534 range is typical; it must differ from the Amazon-side ASN of the Transit Gateway, which defaults to 64512)

  7. Under Routing Options, choose one of:

    • Dynamic routing (BGP) – Recommended. Routes are propagated into the Transit Gateway route table and withdrawn automatically when the tunnel's BGP session drops

    • Static routing – A static route never disappears on its own and, for the same prefix, beats a propagated route in the Transit Gateway route table. If you must use static routes for the VPN, make them less specific than the prefixes learned over Direct Connect (for example 10.0.0.0/8 on the VPN against 10.10.0.0/16 from DX), so that Direct Connect wins the longest-prefix match and the VPN only carries traffic once the DX routes are gone

  8. Specify:

    • Local IPv4 network CIDR (on-premises)

    • Remote IPv4 network CIDR (AWS/VPC)

  9. Choose Create VPN Connection

⏳ VPN provisioning may take a few minutes.


Step 4: Attach Direct Connect Gateway to Transit Gateway

Before you start: a Direct Connect gateway can only be associated with a Transit Gateway when the Direct Connect connection carries a transit virtual interface attached to that DX gateway. A private virtual interface cannot be used for this.

  1. Open the Direct Connect Console

  2. Choose Direct Connect Gateways

  3. Select your DX Gateway

  4. Choose Gateway Associations

  5. Click Associate Gateway

  6. Select the Transit Gateway

  7. Define the allowed prefixes, i.e. the AWS prefixes to advertise to on-premises (example: 192.168.10.0/24). Only prefixes in this list are announced over the transit VIF, so include every VPC CIDR that on-premises must reach

  8. Choose Associate Gateway

This enables AWS prefixes to be advertised to on-premises via Direct Connect.


Step 5: Create a Transit Gateway Route Table for Failover

  1. In the VPC Console, choose Transit Gateway Route Tables

  2. Click Create Transit Gateway Route Table

  3. Enter a name (example: dx-vpn-failover)

  4. Select the Transit Gateway

  5. Choose Create


Step 6: Associate Attachments with the Route Table

  1. Select the newly created route table

  2. Choose Associations

  3. Click Create Association

  4. Associate the following attachments, one at a time:

    • VPC attachment

    • Direct Connect gateway attachment

    • VPN attachment

  5. Choose Create Association

An attachment can be associated with only one Transit Gateway route table. If the Transit Gateway was created with Default route table association enabled, each attachment is already associated with the default route table and must be disassociated there before it can be associated with this one.

Step 7: Enable Route Propagation

  1. Go to the Propagations tab of the route table

  2. Enable propagation for:

    • VPC attachment (so the VPC CIDR is present in the table and return traffic arriving over DX or VPN can reach the VPC)

    • Direct Connect gateway attachment

    • VPN attachment

  3. Save the changes

This allows the Transit Gateway to dynamically learn routes from both DX and VPN. When the same on-premises prefix is learned over both, the Transit Gateway prefers the route propagated from the Direct Connect gateway attachment, which is what makes DX the primary path.


Step 8: Update VPC Route Tables

  1. In the VPC Console, choose Route Tables

  2. Select the route table of each subnet whose workloads need to reach on-premises (not only the subnets used for the Transit Gateway attachment)

  3. Choose Edit routes

  4. Add a route:

    • Destination: On-premises CIDR

    • Target: Transit Gateway

  5. Save changes
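The eight steps above, expressed as the AWS API calls behind the console screens. This is an added example and not code from the original post: it uses boto3 (assumed installed only for apply()), and every identifier in it (the VPC, subnet, route table and DX gateway IDs, the 203.0.113.10 customer gateway address, the 10.10.0.0/16 and 10.20.0.0/16 CIDRs, the ASNs) is a placeholder to replace with your own. build_plan() only assembles the requests, so it runs without AWS credentials; apply() sends them in order and fills in the IDs returned by earlier steps.

```python
"""Steps 1 to 8 as boto3 requests: build_plan() assembles them in order and
apply() sends them, resolving each Ref from an earlier step's response."""
from collections import namedtuple
from typing import Any

try:
    import boto3  # needed only by apply(); build_plan() works without it
except ImportError:
    boto3 = None

# Hypothetical identifiers and addresses: replace with your own.
VPC_ID, SUBNET_IDS = "vpc-0123456789abcdef0", ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
WORKLOAD_RTB_ID = "rtb-0cccccccccccccccc"  # route table of the subnets that must reach on-prem
DXGW_ID = "dxgw-0123456789abcdef0"         # DX gateway that already has a transit VIF
CGW_IP, CGW_ASN = "203.0.113.10", 65010    # on-prem router public IP and BGP ASN
ON_PREM_CIDR, AWS_CIDRS = "10.10.0.0/16", ["10.20.0.0/16"]  # AWS_CIDRS: allowed prefixes over DX

Ref = namedtuple("Ref", "step path")                   # value taken from an earlier step's response
Step = namedtuple("Step", "name service method params")  # one boto3 call: service is ec2/directconnect


def build_plan() -> list:
    tgw = Ref("tgw", ("TransitGateway", "TransitGatewayId"))
    rtb = Ref("rtb", ("TransitGatewayRouteTable", "TransitGatewayRouteTableId"))
    # DX gateway and VPN attachments are created asynchronously, so their IDs are looked up.
    lookup = lambda name, rtype, rid: Step(name, "ec2", "describe_transit_gateway_attachments", {
        "Filters": [{"Name": "resource-type", "Values": [rtype]}, {"Name": "resource-id", "Values": [rid]}]})
    found = ("TransitGatewayAttachments", 0, "TransitGatewayAttachmentId")
    attachments = {
        "vpc_attach": Ref("vpc_attach", ("TransitGatewayVpcAttachment", "TransitGatewayAttachmentId")),
        "dx_attach": Ref("dx_attach", found), "vpn_attach": Ref("vpn_attach", found)}
    plan = [
        # Step 1: default association/propagation off, so attachments only join the failover table
        Step("tgw", "ec2", "create_transit_gateway", {"Description": "dx-vpn-failover", "Options": {
            "AmazonSideAsn": 64512, "DefaultRouteTableAssociation": "disable",
            "DefaultRouteTablePropagation": "disable"}}),
        # Step 2
        Step("vpc_attach", "ec2", "create_transit_gateway_vpc_attachment",
             {"TransitGatewayId": tgw, "VpcId": VPC_ID, "SubnetIds": SUBNET_IDS}),
        # Step 3: customer gateway plus a BGP (not static) VPN terminated on the TGW
        Step("cgw", "ec2", "create_customer_gateway", {"Type": "ipsec.1", "PublicIp": CGW_IP, "BgpAsn": CGW_ASN}),
        Step("vpn", "ec2", "create_vpn_connection", {
            "Type": "ipsec.1", "TransitGatewayId": tgw,
            "CustomerGatewayId": Ref("cgw", ("CustomerGateway", "CustomerGatewayId")),
            "Options": {"StaticRoutesOnly": False, "LocalIpv4NetworkCidr": ON_PREM_CIDR,
                        "RemoteIpv4NetworkCidr": AWS_CIDRS[0]}}),
        # Step 4: associate the DX gateway; allowed prefixes are what AWS announces on-prem
        Step("dx_assoc", "directconnect", "create_direct_connect_gateway_association", {
            "directConnectGatewayId": DXGW_ID, "gatewayId": tgw,
            "addAllowedPrefixesToDirectConnectGateway": [{"cidr": c} for c in AWS_CIDRS]}),
        lookup("dx_attach", "direct-connect-gateway", DXGW_ID),
        lookup("vpn_attach", "vpn", Ref("vpn", ("VpnConnection", "VpnConnectionId"))),
        # Step 5
        Step("rtb", "ec2", "create_transit_gateway_route_table", {"TransitGatewayId": tgw})]
    # Steps 6 and 7: associate all three attachments and propagate from all three; the VPC
    # attachment is included so return traffic over DX/VPN has a route to the VPC CIDR.
    for key, ref in attachments.items():
        for tag, method in (("assoc", "associate_transit_gateway_route_table"),
                            ("prop", "enable_transit_gateway_route_table_propagation")):
            plan.append(Step(f"{tag}_{key}", "ec2", method,
                             {"TransitGatewayRouteTableId": rtb, "TransitGatewayAttachmentId": ref}))
    # Step 8: point the workload subnets' route table at the TGW for the on-prem prefix
    plan.append(Step("vpc_route", "ec2", "create_route", {
        "RouteTableId": WORKLOAD_RTB_ID, "DestinationCidrBlock": ON_PREM_CIDR, "TransitGatewayId": tgw}))
    return plan


def _resolve(value: Any, outputs: dict) -> Any:
    """Replace every Ref inside params with the value taken from an earlier response."""
    if isinstance(value, Ref):
        node = outputs[value.step]
        for key in value.path:
            node = node[key]
        return node
    if isinstance(value, dict):
        return {k: _resolve(v, outputs) for k, v in value.items()}
    if isinstance(value, list):
        return [_resolve(v, outputs) for v in value]
    return value


def apply(plan: list, region: str = "us-east-1") -> dict:
    """Run the plan against AWS: retries while the TGW is still pending (IncorrectState) and
    polls until the DX/VPN attachments exist; no other provisioning waits are included."""
    import time
    from botocore.exceptions import ClientError
    clients = {s: boto3.client(s, region_name=region) for s in ("ec2", "directconnect")}
    outputs = {}
    for step in plan:
        params = _resolve(step.params, outputs)
        while True:
            try:
                resp = getattr(clients[step.service], step.method)(**params)
                if step.method != "describe_transit_gateway_attachments" or resp["TransitGatewayAttachments"]:
                    break
            except ClientError as err:  # the TGW is still pending
                if err.response["Error"]["Code"] != "IncorrectState":
                    raise
            time.sleep(15)
        outputs[step.name] = resp
    return outputs
```

Unlike the console walk-through, the script turns off default route table association and propagation on the Transit Gateway in Step 1, so the three attachments end up only in the dedicated failover table and nothing has to be disassociated from the default table first. apply() retries on the IncorrectState error returned while the Transit Gateway is still pending and polls until the DX gateway and VPN attachments exist, but it does not wait for the VPN tunnels or the DX association to finish provisioning. Run it with an IAM identity limited to the ec2 and directconnect actions it calls.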


How Failover Works

  • When the same on-premises prefix is learned over both paths, the Transit Gateway route table prefers the route propagated from the Direct Connect gateway attachment over the one propagated from the VPN attachment, so AWS-to-on-premises traffic uses DX

  • The on-premises router must make the same choice for on-premises-to-AWS traffic, for example by giving prefixes learned over DX a higher BGP local preference or by prepending the AS path on what it advertises over the VPN; otherwise return traffic can take the VPN while forward traffic takes DX

  • If Direct Connect becomes unavailable:

    • The BGP session over the transit VIF drops and its routes are withdrawn from the Transit Gateway route table

    • The VPN-propagated routes, already present in the table, become the only match and traffic moves to the tunnels

  • When Direct Connect is restored:

    • BGP re-establishes, the DX routes are propagated again and win over the VPN routes, and traffic switches back to DX

✅ No manual intervention required

Failover time is bounded by BGP failure detection. With the default Direct Connect BGP hold time of 90 seconds, a failure that does not bring the interface down is only noticed after that interval, unless BFD is enabled on the DX connection.
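To make the route selection concrete, here is an added example (not from the original post) that models the Transit Gateway route table's documented evaluation order in Python: longest prefix first, static before propagated for equal prefixes, then VPC, Direct Connect gateway, Connect and VPN attachments in that order among propagated routes. The attachment IDs (tgw-attach-dx, tgw-attach-vpn, tgw-attach-vpc) and the 10.10.0.0/16 on-premises prefix are constructed for the demonstration. It walks through the DX failure and recovery sequence above, and also shows the static-route trap from Step 3: a static VPN route with the same prefix as the DX route wins even while DX is healthy, whereas a less specific static route only takes over after the DX routes are withdrawn.

```python
"""Model of how a Transit Gateway route table picks a next hop, to show why
Direct Connect beats VPN and how a static VPN route can silently win instead."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Preference among propagated routes that share a prefix, following the documented
# TGW evaluation order: VPC > Direct Connect gateway > Connect > VPN (lower wins).
PROPAGATED_PREFERENCE = {"vpc": 0, "direct-connect-gateway": 1, "connect": 2, "vpn": 3}


@dataclass(frozen=True)
class Route:
    cidr: str
    attachment: str        # constructed IDs such as "tgw-attach-dx"
    kind: str              # key into PROPAGATED_PREFERENCE
    static: bool = False   # True = entered by hand; False = learned by propagation


class TgwRouteTable:
    def __init__(self) -> None:
        self.routes = set()

    def add(self, route: Route) -> None:
        self.routes.add(route)

    def withdraw(self, attachment: str) -> None:
        """BGP loss on an attachment removes every propagated route it contributed.
        Static routes never go away on their own, which is the failover pitfall."""
        self.routes = {r for r in self.routes if r.static or r.attachment != attachment}

    def lookup(self, dst_ip: str) -> Optional[Route]:
        ip = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if ip in ipaddress.ip_network(r.cidr)]
        if not matches:
            return None
        # 1) longest prefix, 2) static before propagated, 3) attachment-type preference
        return min(matches, key=lambda r: (-ipaddress.ip_network(r.cidr).prefixlen,
                                           0 if r.static else 1,
                                           PROPAGATED_PREFERENCE[r.kind]))


ON_PREM = "10.10.0.0/16"   # constructed on-premises prefix
TEST_HOST = "10.10.5.20"   # constructed host inside it


def bgp_failover_sequence() -> List[str]:
    """Dynamic routing on both paths: DX, then VPN after DX withdrawal, then DX again."""
    rt = TgwRouteTable()
    rt.add(Route("10.20.0.0/16", "tgw-attach-vpc", "vpc"))
    rt.add(Route(ON_PREM, "tgw-attach-dx", "direct-connect-gateway"))
    rt.add(Route(ON_PREM, "tgw-attach-vpn", "vpn"))
    chosen = [rt.lookup(TEST_HOST).attachment]
    rt.withdraw("tgw-attach-dx")                                         # DX down
    chosen.append(rt.lookup(TEST_HOST).attachment)
    rt.add(Route(ON_PREM, "tgw-attach-dx", "direct-connect-gateway"))  # DX back
    chosen.append(rt.lookup(TEST_HOST).attachment)
    return chosen


def static_vpn_sequence(static_cidr: str) -> List[str]:
    """Static routing on the VPN. With static_cidr == ON_PREM the static route ties on
    prefix length and beats DX outright; with a less specific CIDR (10.0.0.0/8) DX wins
    on prefix length and the VPN only takes over once the DX routes are withdrawn."""
    rt = TgwRouteTable()
    rt.add(Route(ON_PREM, "tgw-attach-dx", "direct-connect-gateway"))
    rt.add(Route(static_cidr, "tgw-attach-vpn", "vpn", static=True))
    chosen = [rt.lookup(TEST_HOST).attachment]
    rt.withdraw("tgw-attach-dx")
    chosen.append(rt.lookup(TEST_HOST).attachment)
    return chosen


if __name__ == "__main__":
    print("BGP on both paths:        ", bgp_failover_sequence())
    print("static VPN, same prefix:  ", static_vpn_sequence("10.10.0.0/16"))
    print("static VPN, less specific:", static_vpn_sequence("10.0.0.0/8"))
```

The model covers only the Transit Gateway side of the decision. The on-premises router makes the equivalent choice through BGP policy, and the same asymmetry appears there if the prefixes advertised over the VPN are not made less preferred than those learned over DX.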


Best Practices

  • Use BGP (dynamic routing) on both paths, and enable BFD on the Direct Connect connection so that a failure is detected in well under a second instead of waiting for the BGP hold timer

  • Monitor both links with CloudWatch: the Direct Connect ConnectionState metric and the Site-to-Site VPN TunnelState metric are 1 when up and 0 when down, so alarm on a value of 0

  • Keep both VPN tunnels up; with VPN ECMP support enabled on the Transit Gateway both tunnels carry traffic, and the loss of one tunnel does not take the backup path down

  • Use multiple Direct Connect locations for higher resilience

  • Remember that Direct Connect does not encrypt traffic by itself; if the data crossing DX needs encryption, use MACsec on a supported connection or run IPsec over DX rather than assuming the primary path has the same protection as the VPN backup

  • Test failover regularly, for example by shutting the BGP session on the transit VIF from the on-premises side and confirming that traffic moves to the VPN and back


Conclusion

By combining AWS Transit Gateway, Direct Connect, and Site-to-Site VPN, you can build a highly available hybrid network architecture. This design gives predictable performance under normal conditions and automatic failover during outages, with the switchover time bounded by how quickly BGP detects the failure.

This approach is widely used in enterprise hybrid cloud deployments and follows AWS networking best practices.