Real life scenario - OSPF Redistribution dilemma

I am designing a solution where my client has to connect to a cloud service from two different locations. Here are the criteria:
- Location 1 will be the primary path and the client will peer with the cloud service via eBGP.
- Location 2 will be a backup path and the client will peer with the cloud service via a site-to-site Internet VPN on their ASA.
- The BGP and VPN connections will take place at the client’s network edge. The routes to the cloud service will then be redistributed into OSPF, which is the client’s LAN routing protocol.

The dilemma is that once I redistribute these routes from BGP and the site-to-site VPN (location 1 and location 2, respectively) into the internal LAN OSPF network, the routes will appear as E2 with a fixed and equal metric. Thus, I won’t be able to prefer the BGP path over the site-to-site VPN path.

The only idea I’ve come up with is to redistribute the route learned via BGP through a route-map/prefix list and set the metric-type for this BGP-learned route to type E1, therefore having preference over the VPN path (since the VPN path when redistributed will have the standard E2 type).

How would you do this? Any ideas welcome!

That is exactly how I would do it. I was asked to configure a very similar solution during my last interview. The criteria were 2 ISPs, and routes from specified subnets should prefer one or the other as their path. I configured a route map matching specified prefixes and redistributed them as E1/E2 respectively. They were satisfied with my solution and I got the job.
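
The route-map approach described in the two posts above, sketched as an added example for the Location 1 edge router (classic IOS syntax; this is not configuration posted by anyone in the thread). The BGP AS number 65010, OSPF process 1, the names CLOUD-SVC and BGP-TO-OSPF, and the prefix 10.100.0.0/16 are constructed placeholders.

```cisco
! Location 1 edge router: eBGP to the cloud service, OSPF toward the LAN.
! Placeholders (assumptions): AS 65010, OSPF process 1, 10.100.0.0/16.
!
! Match only the cloud service prefix learned via BGP.
ip prefix-list CLOUD-SVC seq 5 permit 10.100.0.0/16
!
! Mark the matched prefix as OSPF external type 1 on redistribution.
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list CLOUD-SVC
 set metric-type type-1
! No further permit clause: the implicit deny at the end of the
! route-map keeps every other BGP route out of OSPF.
!
router ospf 1
 redistribute bgp 65010 subnets route-map BGP-TO-OSPF
!
! Location 2 (VPN path) redistributes the same prefix with the default
! metric-type, so internal routers see it as E2. For the same prefix
! OSPF always prefers an E1 path over an E2 path, whatever the metric,
! so the BGP path wins while it exists. When the BGP route is withdrawn
! the E1 LSA is flushed and the E2 route from Location 2 is installed.
!
! Check from an internal OSPF router:
!   show ip route 10.100.0.0
!     expect "O E1" while the BGP path is up, "O E2" after it fails
!   show ip ospf database external 10.100.0.0
!     expect two type-5 LSAs, one per advertising edge device
```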


I deal with this all the time working with AWS direct connects and use site to site VPN as backup to the VPC. I would use your config if I didn’t have a routing core in place, but if I did I would use iBGP and not worry about redistribution. So many ways to do it…


Thanks for your feedback guys!

This peering is with Azure. The primary path is via a pair of Express Routes, which themselves have a primary and backup. The VPN gateway therefore becomes really a path.

Fred, I’m curious with AWS - do you deploy a virtual firewall or does AWS have a VPN gateway built into its service?

Hi Richard,

AWS does support VPN with its VPCs. My experience with AWS is (if possible) to use a service they offer instead of starting another EC2 and installing your own stuff.