Use BGP for your VPN tunnels to AWS and fail over gets better!

It used to be that you could only connect policy based IPSEC VPN’s to AWS. That has recently changed on the AWS side. By using BGP, your VPN tunnels to AWS and failover gets better.  If you are using a Firewall made within the past few years, chances are it supports BGP.

BGP may be confusing for a lot of organizations, but in its simplest form it is nothing more than a routing protocol. It tries to send traffic to endpoint A, if endpoint A doesn’t respond, it simply goes to endpoint B. The importance of this is simple. When a Virtual Private Gateway is set up on AWS, BGP gives you two endpoints to connect to.

Since BGP allows you to connect to two endpoints, this prevents network downtime. BGP also adds a layer to your network, which will help with scaling from both your premise and the cloud. For example, if you have a secondary internet connection, add it to your BGP policy. Once you add the secondary connection to your policy, you will have two points of failure on either side. This means, if one of your company’s internet connections or AWS endpoints goes down, you will not lose your connection.

The previous example is just one instance where BGP is beneficial.  When companies switch to cloud based infrastructures and implement multiple connections with good routing protocols such as BGP, the result is more to uptime. This allows those companies to use cheaper bandwidth and increase availability.

Routed IPSEC VPN’s vs Policy based in the Cisco world get debated from time to time. From my experience BGP provides a nice layer of redundancy without compromising security. Feel free to give us a call to discuss your network topology.

For more information on BGP check this link: