I need to set up a S2S VPN between AWS and GCP clouds. This needs to work in high availability and use dynamic routing.
On the AWS side I have a Transit Gateway with a number of VPC networks attached, to which I also want to attach the VPN (well, in fact on AWS that will be two VPN connections with 2 tunnels each). The important part is that one of the VPCs advertises the route 0.0.0.0/0 and it has to stay that way - this is the only exit to the public internet in this setup (the other VPCs do not have their own Internet Gateways and use this route instead). This route gets advertised to GCP...
Now, on the GCP side all the routes received from AWS are registered with priority 100, while the default GCP routes have priority=1000. This means that when I establish the VPN, the entire public traffic from GCP starts flowing into AWS first (0.0.0.0/0 from AWS with prio 100 is considered better than the default 0.0.0.0/0 through GCP's own Internet Gateway with prio 1000). Besides the cost impact it also breaks some functionality on the GCP side (e.g. AppEngine Flex health checks can't get through the firewall).
My question is: how can I avoid this?
I can think of a number of solutions:
- Disable advertisement of public routes on the AWS side somehow
- Increase the priority value of the routes advertised on the AWS side (increase the MED value for each route)
- Increase all the priorities received from the VPN on the GCP side (like, "if it comes from the VPN, add X to the MED value").
- Filter some routes received from the paired network on the GCP side.
Any of these strategies would work for me, but I have no idea how to do any of them. I have found filtering of advertised routes and custom MED values in GCP, so that I could adjust what GCP advertises to AWS, but I need exactly the other way around...
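To reason about which of the candidate fixes actually changes the outcome, here is an added model (not the poster's code, and not a GCP API) of the route selection the post describes: longest prefix match first, then lowest priority number, with BGP-learned routes from AWS at 100 and the GCP default route at 1000. The prefixes and next-hop names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    dest: str               # destination CIDR
    next_hop: str           # e.g. GCP default internet gateway or the AWS VPN tunnel
    priority: int           # GCP semantics: lower number = preferred on equal prefix length
    learned: bool = False   # True for routes received over BGP (MED becomes the priority)


# Constructed table modelled on the question (hypothetical prefixes):
# a local GCP subnet, the GCP default route, and two routes learned from AWS.
ROUTES = [
    Route("10.128.0.0/20", "local-subnet", 0),
    Route("0.0.0.0/0", "default-internet-gateway", 1000),
    Route("10.1.0.0/16", "vpn-tunnel-aws", 100, learned=True),
    Route("0.0.0.0/0", "vpn-tunnel-aws", 100, learned=True),   # the problematic route
]


def select_route(routes, dst_ip):
    """Pick the route a packet to dst_ip takes: longest prefix, then lowest priority."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.dest)]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def drop_learned(routes, dest):
    """Mitigation A: filter one learned prefix (e.g. 0.0.0.0/0) before it is installed."""
    return [r for r in routes if not (r.learned and r.dest == dest)]


def deprioritize_learned(routes, offset):
    """Mitigation B: add an offset to the MED/priority of every learned route."""
    return [replace(r, priority=r.priority + offset) if r.learned else r
            for r in routes]


if __name__ == "__main__":
    for table, label in [(ROUTES, "as received"),
                         (drop_learned(ROUTES, "0.0.0.0/0"), "default filtered"),
                         (deprioritize_learned(ROUTES, 1000), "learned +1000")]:
        print(f"{label:18} 8.8.8.8 -> {select_route(table, '8.8.8.8').next_hop:26}"
              f"10.1.5.5 -> {select_route(table, '10.1.5.5').next_hop}")
```

Either mitigation sends internet-bound traffic back through GCP's own gateway while the specific AWS VPC prefixes still win by longest prefix match, so the private connectivity is unaffected.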