The type of routing that you select can depend on the make and model of your customer gateway device. If your customer gateway device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your Site-to-Site VPN connection, since the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. If your customer gateway device does not support BGP, specify static routing.
If you use a device that supports BGP advertising, you don’t specify static routes to the Site-to-Site VPN connection because the device uses BGP to advertise its routes to the virtual private gateway. If you use a device that doesn’t support BGP advertising, you must select static routing and enter the routes (IP prefixes) for your network that should be communicated to the virtual private gateway.
You must configure your customer gateway device to route traffic from your on-premises network to the Site-to-Site VPN connection.
Route tables determine where network traffic from your VPC is directed. In your VPC route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.
For example, the following route table has a static route to an internet gateway and a propagated route to a virtual private gateway. Both routes have a destination of 172.31.0.0/24. In this case, all traffic destined for 172.31.0.0/24 is routed to the internet gateway: it is a static route and therefore takes priority over the propagated route.
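The following Python is an added worked example, not code from the AWS documentation. It models the VPC route-selection rule the passage describes (a static route and a propagated route with the same destination: the static route wins) and, as a generalization, applies the usual longest-prefix-match step first, so a more specific propagated route would still win over a less specific static one. It builds the route table from the passage (the `local` route for 10.0.0.0/16 and the gateway IDs `igw-EXAMPLE` and `vgw-EXAMPLE` are constructed placeholders) and includes a check that flags propagated VPN routes shadowed by a static route, which is what a reviewer would want to run before trusting that traffic to the remote network actually goes over the VPN tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry in a VPC route table."""
    destination: str   # CIDR block, e.g. "172.31.0.0/24"
    target: str        # "local", an internet gateway ID or a virtual private gateway ID
    propagated: bool   # True if learned via route propagation from the virtual private gateway


# Constructed route table mirroring the example in the text. The gateway IDs are
# placeholders, not real AWS resource identifiers.
EXAMPLE_ROUTE_TABLE: List[Route] = [
    Route("10.0.0.0/16", "local", propagated=False),           # constructed VPC CIDR
    Route("172.31.0.0/24", "igw-EXAMPLE", propagated=False),   # static route to the internet gateway
    Route("172.31.0.0/24", "vgw-EXAMPLE", propagated=True),    # propagated from the virtual private gateway
]


def resolve(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route VPC would use for dst_ip, or None if nothing matches.

    Selection order: longest prefix first; among routes with the same prefix
    length a static route beats a propagated one (the rule stated in the text).
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if ip in ipaddress.ip_network(r.destination, strict=False)]
    if not candidates:
        return None
    candidates.sort(
        key=lambda r: (ipaddress.ip_network(r.destination, strict=False).prefixlen, not r.propagated),
        reverse=True,
    )
    return candidates[0]


def shadowed_propagated_routes(table: List[Route]) -> List[Route]:
    """Propagated routes whose exact destination is also covered by a static route.

    Traffic for these prefixes will never take the VPN tunnel; the static route
    wins. Surfacing them is the check to run after enabling route propagation.
    """
    static_destinations = {
        ipaddress.ip_network(r.destination, strict=False) for r in table if not r.propagated
    }
    return [
        r for r in table
        if r.propagated and ipaddress.ip_network(r.destination, strict=False) in static_destinations
    ]


def without_static_route(table: List[Route], destination: str, target: str) -> List[Route]:
    """Return a copy of the table with one static route removed (the usual fix)."""
    return [
        r for r in table
        if not (not r.propagated and r.destination == destination and r.target == target)
    ]


if __name__ == "__main__":
    chosen = resolve(EXAMPLE_ROUTE_TABLE, "172.31.0.10")
    print("172.31.0.10 ->", chosen.target)                       # igw-EXAMPLE: static route wins
    for r in shadowed_propagated_routes(EXAMPLE_ROUTE_TABLE):
        print("shadowed propagated route:", r.destination, "->", r.target)
    fixed = without_static_route(EXAMPLE_ROUTE_TABLE, "172.31.0.0/24", "igw-EXAMPLE")
    print("after removing the static route:", resolve(fixed, "172.31.0.10").target)  # vgw-EXAMPLE
```

Run it as-is to see the text's scenario, then point `EXAMPLE_ROUTE_TABLE` at the output of `aws ec2 describe-route-tables` (the `Origin` field tells you whether a route was `EnableVgwRoutePropagation` or `CreateRoute`) to audit a real table with the same logic.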