
Answer-first summary for fast verification
Answer: Configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing.
The issue described is a classic case of asymmetric routing, where traffic takes one path to the destination and a different path back, leading to potential packet loss. In this scenario, traffic from the on-premises network to the EC2 instance is sent over the first tunnel, but the return traffic comes back over the second tunnel and is dropped at the customer gateway. This happens because the customer gateway does not recognize the return traffic as belonging to the same session that was initiated over the first tunnel, due to the active/active configuration with ECMP routing on the transit gateway.

To resolve this issue without reducing the overall VPN bandwidth, the best solution is to configure the customer gateway to allow asymmetric routing. This means that the customer gateway will accept return traffic on either tunnel, regardless of which tunnel was used for the outgoing traffic. This approach maintains the active/active configuration and the benefits of ECMP routing, ensuring that the overall VPN bandwidth is not reduced.

Therefore, the correct solution is to configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing, which corresponds to option C.
Author: LeetQuiz Editorial Team
A company's network engineer is setting up an AWS Site-to-Site VPN connection between a transit gateway and their on-premises network, using BGP over two tunnels in active/active mode with ECMP routing enabled on the transit gateway. When traffic is sent from the on-premises network to an Amazon EC2 instance, it flows through the first tunnel, but the return traffic arrives via the second tunnel and is dropped at the customer gateway. The network engineer needs to resolve this issue while maintaining the full VPN bandwidth.
What solution will address this requirement?
A. Configure the customer gateway to use AS PATH prepending and local preference to prefer one tunnel over the other.
B. Configure the Site-to-Site VPN options to set the first tunnel as the primary tunnel to eliminate asymmetric routing.
C. Configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing.
D. Configure the Site-to-Site VPN to use static routing in active/active mode to ensure that traffic flows over a preferred path.
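The drop described in the explanation can be reproduced with a small model of two ECMP tunnels. This is an added example, not part of the original question and not AWS or vendor code; the hash-based tunnel selection, the seeds, the flow tuples and the `allow_asymmetric` switch are assumptions made for illustration.

```python
import hashlib

TUNNELS = ("tunnel1", "tunnel2")


def ecmp_pick(flow, seed):
    """Per-flow ECMP (assumed model): hash the flow tuple to pick a tunnel."""
    digest = hashlib.sha256(f"{seed}|{flow}".encode()).digest()
    return TUNNELS[digest[0] % len(TUNNELS)]


def simulate(flows, allow_asymmetric):
    """Return (delivered, dropped, set of tunnels that carried return traffic)."""
    delivered, dropped, return_tunnels = 0, 0, set()
    for flow in flows:
        # The customer gateway sends the request and ties the session
        # to the tunnel interface it left on.
        out_tunnel = ecmp_pick(flow, seed="cgw")
        # The transit gateway hashes independently, so the reply may
        # come back on the other tunnel.
        back_tunnel = ecmp_pick(flow, seed="tgw")
        return_tunnels.add(back_tunnel)
        if back_tunnel == out_tunnel or allow_asymmetric:
            delivered += 1
        else:
            # Strict per-interface session check: the reply arrived on a
            # tunnel the session was not opened on, so it is dropped.
            dropped += 1
    return delivered, dropped, return_tunnels


# Constructed sample flows (src, sport, dst, dport); addresses are illustrative.
FLOWS = [("10.0.0.%d" % i, 40000 + i, "172.31.5.10", 443) for i in range(1, 201)]

if __name__ == "__main__":
    for mode in (False, True):
        ok, lost, used = simulate(FLOWS, allow_asymmetric=mode)
        print(f"allow_asymmetric={mode}: delivered={ok} dropped={lost} "
              f"return tunnels={sorted(used)}")
```

In this model both tunnels keep carrying return traffic in either mode; only the customer gateway's acceptance of replies on the other tunnel changes.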