AWS Transit Gateway Connect: GRE + BGP = ?

GRE and BGP are technologies that are... mature. In this article we'll take a look at how you can use AWS Transit Gateway Connect to do some unique networking and application delivery in the cloud.

In December 2020 AWS released a new feature of Transit Gateway (TGW) that enables a device to peer with TGW via a GRE/BGP tunnel. The intent was to be used with SD-WAN devices, but we can also use it for things like load balancing many internal private addresses, NAT gateway, etc... In this article we'll look at my experience of setting up TGW Connect in a lab environment based on F5's documentation for setting up GRE and BGP.

Challenges with TGW

For folks that are not familiar with TGW it is an AWS service that allows you to stitch together multiple physical and virtual networks via AWS internal networking (VPC peering) or via network protocols (VPN, Direct Connect (private L2)). Using TGW you can steer traffic to a specific network device by creating a route table entry within a VPC that points to the device's ENI (network interface). This is useful for a case where you want to send all traffic for a specific CIDR ( to traverse that device. 

In the scenario where a device is responsible for a CIDR it is also responsible for updating the route table for HA. This could be done via Lambda function, our Cloud Failover Extension, manual updates, etc.... The other downside is that this limits you to a single device per Availability Zone to receive traffic for that CIDR. 

TGW Connect provides a mechanism for the device to use a GRE tunnel/BGP to establish a connection to TGW and use dynamic routing protocols (BGP) to advertise the health of the device. This allows you to establish up to 4 devices to peer with TGW with up to 5 Gbps of traffic per connection (for comparison you can burst up to 50 Gbps with a VPC connection).

Topology of TGW Connect

When using TGW Connect it re-uses existing TGW connections. In practice this means that you are likely using an existing Direct Connect or VPC connection (I guess you could also use a VPN connection, but that would be weird).

See also:

Configuring a BIG-IP for TGW Connect

To use a BIG-IP with TGW Connect you will need a device that is licensed for BGP (also called Advanced Routing, part of Better/Best). Follow the steps for setting up TGW Connect and be sure to specify a different peer ASN than your TGW (you will need to use eBGP). The "Peer Address" will be the self-ip of the BIG-IP on the AWS VPC (when using a VPC).  

Configuring target VPC

When setting up TGW Connect you will peer with an existing VPC. In the subnet that you want to use with TGW Connect (Peer Address of GRE tunnel) you will need to have a route that points to the TGW peer address; for example if you specify a CIDR of for TGW and the peer address is you will need to create a route that includes on the subnet for BIG-IP peer address. Also make sure to open up Security Groups to allow GRE traffic to traverse to/from the interface that will be used for the GRE tunnel. The rule should allow the IP of the peer address (i.e.

Route to TGW from

GRE Tunnel

On the BIG-IP under Network / Tunnels you will need to create a GRE Tunnel. You can use the default "gre" tunnel profile. Specify the same "Peer Address" that you used when setting up TGW Connect. You will also want to specify the Remote Address that is the TGW address.

BGP Peer

Next you will need to configure the BIG-IP to act as a BGP peer to TGW connecting over the GRE tunnel. TGW requires that you use an IP in the range. This will require modify a db variable to allow that address to be used as a self-ip. The tmsh command to use is.

modify sys db config.allow.rfc3927 { value "enable" }

You can then create your BGP peer address to match the value that you used in TGW Connect.

The BGP peer address will need to be configured to allow BGP updates (port 179). Since the traffic is occurring over the GRE tunnel there is no need to update AWS Security Groups (invisible to the ENI).

Setting up BGP Peering

TGW Connect requires eBGP to be used. The following is an example of a working config. This also assumes you go through the pre-req of setting up BGP/RHI. Be careful to only advertise the routes that you want, when you use "redistribute kernel" it will also advertise! Please also see:

no service password-encryption
router bgp 65520
 bgp graceful-restart restart-time 120
 aggregate-address summary-only
 aggregate-address summary-only
 aggregate-address summary-only
 aggregate-address summary-only
 redistribute kernel
 neighbor remote-as 64512
 neighbor ebgp-multihop 2
 neighbor soft-reconfiguration inbound
 neighbor prefix-list tenlist out
 neighbor remote-as 64512
 neighbor ebgp-multihop 2
 neighbor soft-reconfiguration inbound
 neighbor prefix-list tenlist out
ip prefix-list tenlist seq 5 deny
ip prefix-list tenlist seq 10 permit ge 16
line con 0
line vty 0 39

This example was created with help from a BGP expert Brandon Frelich.

In the example above we only limiting routes to 3 CIDRs and configuring ECMP. At this point the BIG-IP could allocate VIPs on the CIDR, act as an AFM firewall, and if we used it could act as an outbound gateway.

Verifying the Setup

You should be able to see your BGP connection go green in the AWS console and also see the status by running "show ip bgp neighbors" from imish.

AWS Console

ip-10-1-1-112.ec2.internal[0]>show ip bgp summary
BGP router identifier, local AS number 65520
BGP table version is 4
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd    4 64512     293     293        4    0    0 00:47:08        3    4 64512     293     292        4    0    0 00:47:08        3

Total number of neighbors 2

Output from imish

(tmos)# list /ltm virtual-address one-line
ltm virtual-address { address arp disabled floating disabled icmp-echo disabled mask route-advertisement selective traffic-group none unit 0 }
ltm virtual-address { address arp disabled floating disabled icmp-echo disabled mask route-advertisement selective traffic-group none unit 0 }
ltm virtual-address { address arp disabled floating disabled icmp-echo disabled mask route-advertisement selective traffic-group none unit 0 }
(tmos)# list /net route tgw
net route tgw {
    interface /Common/tgw-connect

Output from TMSH. Note route-advertisement is enabled on the virtual-addresses. We are using a static route to steer traffic to the GRE tunnel.

You should also see any routes advertised as well.

ECMP Considerations

When you deploy multiple BIG-IP devices TGW can use ECMP to spray traffic across multiple devices (by enabling traffic group None or multiple standalone devices). Be aware that if you need to statefully inspect traffic you may want to enable SNAT to have the return traffic go to the same device or use traffic-group-1 to run in Active/Standby via Route Health Injection. Otherwise you will need to follow the guidance on setting up a forwarding virtual server to ignore the system connection table.

Routing Connections

One of the issues that a customer discovered when exploring this solution is that the BIG-IP will initially send health checks across the GRE tunnel using an IP from the 169.254.x.x address range, this follows the address selection criteria that a BIG-IP uses. One method of dealing with this is to assign an IP address in a range that you would like to advertise across the tunnel like Creating a self-ip of that you assign to the tunnel. To send traffic for a different range (i.e. you can then create a static route on the BIG-IP that points to Since the BIG-IP sees the address is on the tunnel it will correctly forward the traffic through the tunnel.

Another question that arose was whether it was possible to have asymmetric traffic flows of utilizing both the GRE TGW Connect tunnel and the TGW VPC Connection of the VPC itself. I discovered that YES this is possible by following the guidance on enabling asymmetrically routed traffic. It hurts your brain a bit, but here's the results of a flow that is using both a Connect and VPC connection. You can do some crazy things, but with great power...

Request traffic over VPC Connection

Response traffic over TGW Connect (GRE)

Other Options

You could also achieve a similar result by using default VPC peering and making use of Cloud Failover Extension for updating the route table. The benefit of that approach is that you don't have to deal with GRE/BGP! It does limit you to a single device per-AZ vs. being able to get up to 4 devices running across a connection.

Published Mar 29, 2021
Version 1.0

Was this article helpful?

No CommentsBe the first to comment