AWS ANS-C01: Maintaining Hybrid Routing & Connectivity
Maintain routing and connectivity on AWS and hybrid networks
AWS Certified Advanced Networking Specialty (ANS-C01)
Domain 3: Network Management and Operations
This cram sheet focuses on Task 3.1: Maintain routing and connectivity on AWS and hybrid networks. It covers the essential mechanics of BGP over Direct Connect, route propagation, and connectivity troubleshooting.
Topic Weighting
| Domain | Weighting | Task Focus |
|---|---|---|
| Domain 3: Network Management & Operations | 20% of Total Exam | Task 3.1 accounts for ~7-10% of the total exam, focusing on the maintenance and optimization of existing hybrid paths. |
Key Concepts Summary
1. Direct Connect (DX) Virtual Interfaces (VIFs)
- Private VIF: Connects to a single VGW (Virtual Private Gateway) or a Direct Connect Gateway (DXGW). Used for private VPC resources.
- Public VIF: Accesses public AWS endpoints (S3, DynamoDB, EC2 public IPs) via the DX connection instead of the internet.
- Transit VIF: Required to connect DX to a Transit Gateway (TGW). Only one Transit VIF is supported per 1Gbps or higher DX connection.
2. BGP Fundamentals in AWS
- eBGP: Used between customer gateway (CGW) and AWS.
- ASNs: AWS uses 64512–65534 for private ASNs. Public ASNs can also be used.
- Route Propagation: Automatically injects BGP-learned routes into VPC Route Tables. If disabled, you must add static routes manually.
3. Traffic Engineering (BGP Attributes)
- Inbound (To AWS): Use AS_PATH Prepending to make a path look longer (less preferred).
- Outbound (To On-Prem): AWS honors Local Preference (highest wins) or MED (Multi-Exit Discriminator; lowest wins).
4. Route Priority Hierarchy
AWS follows a strict order of operations for route selection:
- Longest Prefix Match (LPM): The most specific CIDR always wins (e.g., 10.0.1.0/24).
- Static Routes: Manually entered routes in the route table.
- Propagated Routes: Learned via BGP (DX or VPN).
Visual Anchors
Hybrid Connectivity Hierarchy
BGP Path Selection Logic
\begin{tikzpicture}[node distance=2cm]
  \node (start)   [draw, rectangle] {Incoming Packet};
  \node (lpm)     [draw, diamond, below of=start, aspect=2] {Longest Prefix?};
  \node (static)  [draw, diamond, below of=lpm, aspect=2, yshift=-0.5cm] {Static Route?};
  \node (bgp)     [draw, diamond, below of=static, aspect=2, yshift=-0.5cm] {Propagated?};
  \node (drop)    [draw, circle, right of=bgp, xshift=2cm] {Drop};
  \node (forward) [draw, rounded corners, left of=bgp, xshift=-2cm] {Forward};
  \draw[->] (start)  -- (lpm);
  \draw[->] (lpm)    -- node[left]  {No}  (static);
  \draw[->] (lpm)    -- node[above] {Yes} (forward);
  \draw[->] (static) -- node[left]  {No}  (bgp);
  \draw[->] (static) -- node[above] {Yes} (forward);
  \draw[->] (bgp)    -- node[above] {No}  (drop);
  \draw[->] (bgp)    -- node[above] {Yes} (forward);
\end{tikzpicture}
Common Pitfalls
- Overlapping CIDRs: If your VPC and On-Prem share the same CIDR, traffic will remain local to the VPC and never reach the hybrid link.
- Asymmetric Routing: Traffic enters via DX but exits via VPN. Ensure BGP metrics (AS_PATH) are configured symmetrically.
- MTU Mismatch: Standard MTU is 1500. DX supports Jumbo Frames (9001 MTU), but VPN does not. Mismatches cause packet drops for large payloads.
- Propagation Check: Forgetting to toggle "Enable Route Propagation" on the VPC Route Table is the #1 reason BGP routes don't appear.
Mnemonics / Memory Triggers
- "L-S-P" (Route Priority): Longest Prefix, Static, Propagated. (Think: Long Story Peters out).
- "V-D-T" (VIF Types): VPC (Private), Data/Public (Public), Transit (TGW).
- BGP Best Path: "Weight, Local Pref, AS_Path, MED" (We Love AWS Most).
Formula / Equation Sheet
| Concept | Rule / Formula |
|---|---|
| Direct Connect Quota | Max 100 routes per BGP session (Private VIF). |
| Transit Gateway Quota | Max 10,000 routes per TGW Route Table. |
| VPN Bandwidth | Max 1.25 Gbps per tunnel (unless using ECMP). |
| BGP Timer | Keepalive: 30s, Hold Time: 90s. |
Worked Examples
Example 1: Resolving Asymmetric Routing
Scenario: A company has a 10Gbps Direct Connect and a Backup VPN. Traffic is returning to On-Prem via the slow VPN.
- Fix: On the AWS side, use AS_PATH Prepending on the VPN BGP configuration. Add your ASN 3+ times to the VPN path advertisement. AWS will see the DX path as shorter and prefer it.
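As an added illustration of the traffic-engineering attributes (section 3) and of Example 1, written for this sheet rather than taken from AWS tooling, the following Python comparator orders candidate paths by Weight, Local Preference, AS_PATH length and MED, and shows that prepending the on-prem ASN (constructed value 65000) to the VPN advertisement makes the Direct Connect path the shorter, preferred one; the path names and MED values are likewise constructed.

```python
# Added example (not from the cram sheet): minimal BGP best-path comparator for
# the mnemonic "Weight, Local Pref, AS_Path, MED". ASN 65000 is a sample value.
from dataclasses import dataclass

@dataclass
class BgpPath:
    name: str
    as_path: list          # ASNs, leftmost = most recently prepended
    weight: int = 0        # router-local; higher wins
    local_pref: int = 100  # higher wins
    med: int = 0           # lower wins

    def sort_key(self):
        # Best path sorts first: higher weight, higher local_pref,
        # shorter AS_PATH, lower MED.
        return (-self.weight, -self.local_pref, len(self.as_path), self.med)

def best_path(paths):
    """Return the preferred path; an exact tie keeps the first one listed."""
    return min(paths, key=BgpPath.sort_key)

def prepend(path, times):
    """Copy of `path` with its originating ASN prepended `times` extra times."""
    own_asn = path.as_path[0]
    return BgpPath(path.name, [own_asn] * times + path.as_path,
                   path.weight, path.local_pref, path.med)

# Example 1 scenario: on-prem AS 65000 advertises the same prefix over
# Direct Connect and over the backup VPN, so both AS_PATHs start equal.
ONPREM_ASN = 65000
dx = BgpPath("direct-connect", [ONPREM_ASN])
vpn = BgpPath("backup-vpn", [ONPREM_ASN])

def choose_without_prepend():
    # Equal AS_PATH length: nothing prefers DX, the tie falls to the VPN here.
    return best_path([vpn, dx]).name

def choose_with_prepend(times=3):
    # VPN path becomes 4 ASNs long versus 1 for DX, so DX wins.
    return best_path([prepend(vpn, times), dx]).name

def choose_by_med():
    # Same AS_PATH on two tunnels: MED breaks the tie, lowest wins.
    return best_path([BgpPath("tunnel-1", [ONPREM_ASN], med=200),
                      BgpPath("tunnel-2", [ONPREM_ASN], med=100)]).name

if __name__ == "__main__":
    print("no prepend:", choose_without_prepend(), "| x3:", choose_with_prepend(),
          "| by MED:", choose_by_med())
```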
Example 2: Jumbo Frame Configuration
Scenario: App performance is degraded over DX. Large DB queries time out.
- Fix: Ensure the Virtual Private Gateway (VGW) and the On-Prem router both support and are configured for 9001 MTU. Verify that the path between them does not have a 1500 MTU bottleneck.
Fact Recall Blanks
- To connect a Direct Connect to a Transit Gateway, you must use a __________ VIF.
- The default priority for route selection in a VPC is __________ Match.
- If BGP routes are visible in the DX Gateway but not the VPC, ensure __________ is enabled.
- The maximum bandwidth for a single AWS Site-to-Site VPN tunnel is __________ Gbps.
- To influence outbound traffic from AWS to On-Prem, use the __________ attribute.
Practice Set
- Question: You have two DX connections in different locations. How do you ensure Location A is primary for all incoming AWS traffic?
- Answer: Use AS_PATH Prepending on the BGP session for Location B to make it appear less attractive.
- Question: Can a Public VIF be used to access an EC2 instance via its Private IP?
- Answer: No. Public VIFs are for public endpoints. Use a Private VIF or VPN for private IP access.
- Question: A VPC has a static route for 172.16.0.0/12. Which path is taken for a packet to 172.16.10.5?
- Answer: The propagated route (the /24) because Longest Prefix Match (LPM) takes precedence over the route source (Static vs Propagated).
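The route priority hierarchy (section 4) and Practice Set question 3, worked through as an added Python simulator rather than code from the sheet or from AWS: longest prefix match is applied first, and only between routes of equal length does Local, then Static, then Propagated decide. The route table, targets and destination addresses are constructed; the local 10.0.0.0/16 entry also shows the overlapping-CIDR pitfall, since a destination inside the VPC CIDR never leaves the VPC.

```python
# Added example (not from the cram sheet): simulator for the VPC route
# priority hierarchy. Longest prefix match decides first; the source order
# Local > Static > Propagated only applies between routes of equal length.
# All prefixes and targets are constructed sample values.
import ipaddress

SOURCE_RANK = {"local": 0, "static": 1, "propagated": 2}  # lower = preferred

def resolve(route_table, destination):
    """Return the (cidr, target, source) entry the VPC would use, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for cidr, target, source in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net:
            # Longest prefix first, then static ahead of propagated.
            candidates.append((-net.prefixlen, SOURCE_RANK[source],
                               (cidr, target, source)))
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[:2])
    return candidates[0][2]

# Route table modelled on Practice Set question 3: a static /12 via VPN and
# a propagated /24 learned over Direct Connect, plus the VPC's own local route.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local", "local"),
    ("172.16.0.0/12", "vgw-vpn-static", "static"),
    ("172.16.10.0/24", "vgw-dx-bgp", "propagated"),
    ("172.16.0.0/12", "vgw-dx-bgp", "propagated"),  # same length as the static /12
]

def path_for(destination):
    """Target chosen for `destination`, or a marker when no route matches."""
    entry = resolve(ROUTE_TABLE, destination)
    return entry[1] if entry else "no route (dropped)"

if __name__ == "__main__":
    for ip in ("172.16.10.5", "172.16.200.1", "10.0.1.7", "192.168.1.1"):
        print(ip, "->", path_for(ip))
```

A destination covered by the static /12 and the propagated /12 alike (172.16.200.1 above) goes to the static target, while the more specific propagated /24 wins for 172.16.10.5 regardless of source.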