
AWS Hybrid Network Routing: Industry-Standard Protocols and BGP

Industry-standard routing protocols that are used in AWS hybrid networks (for example, BGP over Direct Connect)


This guide explores the foundational routing protocols used to interconnect on-premises environments with the AWS Cloud, focusing on the Border Gateway Protocol (BGP) and its application in hybrid architectures like Direct Connect and VPNs.

Learning Objectives

By the end of this guide, you should be able to:

  • Explain why BGP is the industry standard for AWS hybrid networking.
  • Differentiate between Internal BGP (iBGP) and External BGP (eBGP) in a cloud context.
  • Describe the requirements for establishing a BGP peering session over AWS Direct Connect.
  • Compare the use cases for Static Routing versus Dynamic Routing.
  • Identify tools for optimizing and troubleshooting hybrid route propagation.

Key Terms & Glossary

  • BGP (Border Gateway Protocol): A standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the internet.
  • Autonomous System (AS): A collection of connected IP routing prefixes under the control of one or more network operators on behalf of a single administrative entity.
  • ASN (Autonomous System Number): A unique number assigned to an AS for use in BGP routing.
  • Peering: A BGP session (a TCP connection on port 179) between two BGP-speaking routers, used to exchange network prefix information.
  • Prefix: An IP address block (CIDR) advertised over BGP (e.g., 10.0.0.0/16).
  • VGW (Virtual Private Gateway): The gateway on the Amazon side of a Site-to-Site VPN connection or a Direct Connect private virtual interface. It holds the Amazon-side BGP ASN and can propagate the routes it learns into VPC route tables.

The "Big Idea"

Hybrid networking is not just about "plugging in a cable." It is about creating a single contiguous network fabric where resources in an on-premises data center and an AWS VPC can communicate as if they were in the same building. Industry-standard protocols like BGP provide the "intelligence" that allows these two disparate environments to share their maps (routes) automatically, ensuring high availability and efficient traffic flow without manual intervention every time a new subnet is added.

Formula / Concept Box

AWS Route Priority Logic

When multiple routes exist for the same destination, AWS follows a specific hierarchy of preference. Longest prefix match is evaluated first; the source-based priorities (2 to 4) only break ties between routes with an identical prefix.

Priority    | Route Type            | Description
1 (Highest) | Most Specific Prefix  | The longest prefix match, regardless of where the route came from (e.g., /32 beats /24).
2           | Static Routes         | Manually entered routes in the VPC route table (the VPC's own local route ranks above even these).
3           | Direct Connect (BGP)  | Routes learned via DX propagation.
4 (Lowest)  | VPN (BGP)             | Routes learned via Site-to-Site VPN BGP (a static route on a VPN connection sits between DX and VPN BGP).
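The selection logic in the table above, implemented as an added example (not code from the original page) so you can test cases such as "static versus propagated for the same CIDR" or "a more specific propagated route versus a less specific static one". The route table is constructed here and the target IDs (vgw-0abc, tgw-0def, igw-...) are placeholders, not real resources.

```python
import ipaddress
from dataclasses import dataclass

# Preference among routes with the *same* prefix; lower rank wins.
# Order follows the AWS VPC route-table rules: local, static, propagated
# from Direct Connect, static VPN, BGP VPN.
SOURCE_RANK = {
    "local": 0,       # the VPC CIDR itself; cannot be overridden
    "static": 1,      # entered by hand in the route table
    "dx-bgp": 2,      # propagated by the VGW from a Direct Connect VIF
    "vpn-static": 3,  # static route on a Site-to-Site VPN connection
    "vpn-bgp": 4,     # propagated by the VGW from a BGP-enabled VPN tunnel
}


@dataclass(frozen=True)
class Route:
    prefix: str   # destination CIDR, e.g. "192.168.1.0/24"
    target: str   # next hop as shown in the console (local, vgw-..., tgw-..., igw-...)
    source: str   # one of the SOURCE_RANK keys


def select_route(route_table, dst_ip):
    """Return the Route a VPC would use for dst_ip, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in route_table if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Key 1: longest prefix wins regardless of where the route came from.
    # Key 2: only for identical prefixes does the source ranking matter.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]),
    )


# Constructed sample route table (targets are placeholder IDs, not real resources).
SAMPLE_TABLE = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "igw-0123456789abcdef0", "static"),
    # Same office prefix learned over both DX and VPN: DX must win.
    Route("192.168.1.0/24", "vgw-0abc", "dx-bgp"),
    Route("192.168.1.0/24", "vgw-0abc", "vpn-bgp"),
    # Static route and a propagated route for the same CIDR: static must win.
    Route("172.16.0.0/16", "tgw-0def", "static"),
    Route("172.16.0.0/16", "vgw-0abc", "vpn-bgp"),
    # A more specific propagated route still beats the less specific static one.
    Route("172.16.5.0/24", "vgw-0abc", "dx-bgp"),
]


def explain(route_table, dst_ip):
    r = select_route(route_table, dst_ip)
    return f"{dst_ip} -> {r.prefix} via {r.target} ({r.source})" if r else f"{dst_ip} -> no route"


if __name__ == "__main__":
    for ip in ("192.168.1.10", "172.16.9.9", "172.16.5.7", "10.0.3.4", "8.8.8.8"):
        print(explain(SAMPLE_TABLE, ip))
```

The 172.16.5.7 case is the one that trips people up in practice: a static route for 172.16.0.0/16 does not "protect" the whole /16, because any propagated /24 inside it is more specific and wins.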

Hierarchical Outline

  1. Introduction to Hybrid Routing
    • Dynamic Routing (BGP): Automated exchange of reachability info.
    • Static Routing: Manual configuration; used for specific paths or low-complexity setups.
  2. Border Gateway Protocol (BGP) Specifics
    • eBGP: Interconnecting different Autonomous Systems (On-Prem AS to AWS AS).
    • iBGP: Internal routing within a single organization's AS.
  3. BGP over AWS Direct Connect
    • Connectivity: A dedicated link that bypasses the public internet, giving consistent latency and bandwidth.
    • Peering Session: Established on a virtual interface (VIF) between your Customer Gateway (CGW) router and the AWS Direct Connect router.
    • Requirements: A VLAN ID for the VIF, your BGP ASN, the peer IP addresses for the BGP session, and an optional BGP MD5 authentication key (AWS generates one if you do not supply it).
  4. Route Optimization & Troubleshooting
    • Route Summarization: Consolidating prefixes to reduce table size and stay under the per-session prefix quota.
    • Monitoring: CloudWatch metrics for Direct Connect (e.g., ConnectionState) and VPN (e.g., TunnelState) show whether the link and session are up; VPC Flow Logs show whether traffic is actually flowing or being dropped. Overlapping CIDRs must be found by comparing the route tables and advertised prefixes themselves.

Visual Anchors

BGP Peering Flowchart


Hybrid Connectivity Architecture

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum width=2.5cm, minimum height=1cm, align=center}]
  % Nodes
  \node (onprem) {On-Premises\\Router (CGW)};
  \node (dx) [right=of onprem] {Direct Connect\\Location};
  \node (aws) [right=of dx] {AWS Cloud\\(VPC/VGW)};

  % Connections
  \draw[thick, <->] (onprem) -- node[above] {BGP Session} (dx);
  \draw[thick, <->] (dx) -- node[above] {Dedicated Fiber} (aws);

  % Annotations
  \node[below=0.2cm of onprem, draw=none] {ASN: 65000};
  \node[below=0.2cm of aws, draw=none] {ASN: 64512};
\end{tikzpicture}

Definition-Example Pairs

  • Term: Route Propagation
    • Definition: The process where a Virtual Private Gateway (VGW) automatically updates a VPC route table with routes learned via BGP.
    • Example: When you turn on propagation, your VPC route table automatically gains a route to 192.168.1.0/24 (your office) as soon as the BGP session comes up, without you clicking "Add Route."
  • Term: Static Route
    • Definition: A fixed routing entry that does not change unless manually edited.
    • Example: You create a static route pointing all traffic for 10.50.0.0/16 to a specific VPN tunnel because that legacy hardware does not support BGP.

Worked Examples

Scenario: Configuring BGP for a new Direct Connect (DX) Connection

Goal: Connect On-Prem (ASN 65100) to a VPC through its VGW (Amazon-side ASN 64512, the AWS default).

  1. Step 1: Exchange Info. From the virtual interface configuration, collect the VLAN ID, the BGP Auth Key (MD5 password) and the two peer IP addresses (a /30 or /31 subnet, by default from 169.254.0.0/16 for a private VIF).
  2. Step 2: Configure On-Prem Router. Set up the BGP process to target the AWS side IP as an eBGP neighbor.
    • Logic: neighbor <AWS_IP> remote-as 64512
  3. Step 3: Advertise Prefixes. Tell your router which local subnets to "tell" AWS about, and filter outbound so that only those prefixes are sent.
    • Logic: network 172.16.0.0 mask 255.255.0.0
  4. Step 4: Enable Propagation. In the AWS Console, go to the VPC Route Table and toggle "Route Propagation" to Enabled for the VGW.
  5. Step 5: Verification. On the router, confirm the neighbor state is Established; in the AWS Console, check the Routes tab to ensure the on-prem CIDR appears with a status of "Propagated".
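The pre-flight checks and router stanza for the steps above, as an added example that is not part of the original page. It validates the peering parameters (private ASN range, peer IPs in one /30 or /31, the 100-prefix quota of a private VIF, and no advertised prefix overlapping the VPC CIDR) and then renders a Cisco IOS-style BGP configuration with an outbound prefix-list. The function names, the 169.254.100.0/30 peer subnet and the auth key are constructed placeholders; other router vendors use different syntax.

```python
import ipaddress

# AWS-published limits and ranges this example checks. The private ASN ranges
# are those accepted for a customer ASN on Direct Connect; 100 is the prefix
# quota per BGP session on a private virtual interface.
PRIVATE_ASN_16BIT = range(64512, 65535)            # 64512-65534
PRIVATE_ASN_32BIT = range(4200000000, 4294967295)  # 4200000000-4294967294
MAX_PREFIXES_PRIVATE_VIF = 100


def is_private_asn(asn):
    return asn in PRIVATE_ASN_16BIT or asn in PRIVATE_ASN_32BIT


def validate_peering(customer_asn, aws_asn, customer_ip, aws_ip, advertised, vpc_cidrs):
    """Return a list of problems with the proposed BGP session; [] means it looks sane."""
    problems = []
    if not is_private_asn(customer_asn):
        problems.append(f"customer ASN {customer_asn} is not private; a public ASN must be one you own")
    if customer_asn == aws_asn:
        problems.append("customer and AWS ASNs are equal; the DX session must be eBGP")
    cust, aws = ipaddress.ip_interface(customer_ip), ipaddress.ip_interface(aws_ip)
    if cust.network != aws.network:
        problems.append(f"peer IPs {customer_ip} and {aws_ip} are not in the same subnet")
    elif cust.network.prefixlen not in (30, 31):
        problems.append(f"peer subnet {cust.network} is not a /30 or /31")
    elif cust.network.prefixlen == 30:
        for ip in (cust.ip, aws.ip):
            if ip in (cust.network.network_address, cust.network.broadcast_address):
                problems.append(f"{ip} is the network or broadcast address of {cust.network}")
    nets = [ipaddress.ip_network(p) for p in advertised]
    if len(nets) > MAX_PREFIXES_PRIVATE_VIF:
        problems.append(f"{len(nets)} prefixes exceeds the {MAX_PREFIXES_PRIVATE_VIF}-prefix quota; summarize")
    for n in nets:
        for v in map(ipaddress.ip_network, vpc_cidrs):
            if n.overlaps(v):
                problems.append(f"advertised {n} overlaps VPC CIDR {v}: the VPC local route wins, so return traffic is black-holed")
    return problems


def render_ios_bgp_config(customer_asn, aws_asn, aws_ip, advertised, auth_key, prefix_list="TO-AWS"):
    """Render a Cisco IOS-style BGP stanza for the customer router."""
    peer = str(ipaddress.ip_interface(aws_ip).ip)
    lines = []
    # Outbound prefix-list: only the prefixes we intend to advertise ever reach AWS.
    for seq, p in enumerate(advertised, start=10):
        lines.append(f"ip prefix-list {prefix_list} seq {seq} permit {p}")
    lines += [
        f"router bgp {customer_asn}",
        f" neighbor {peer} remote-as {aws_asn}",
        f" neighbor {peer} password {auth_key}",  # MD5 key shared with AWS
        " address-family ipv4",
        f"  neighbor {peer} activate",
        f"  neighbor {peer} prefix-list {prefix_list} out",
    ]
    for p in advertised:
        n = ipaddress.ip_network(p)
        lines.append(f"  network {n.network_address} mask {n.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed parameters for the scenario: placeholder peer subnet and key.
    params = dict(customer_asn=65100, aws_asn=64512,
                  customer_ip="169.254.100.1/30", aws_ip="169.254.100.2/30",
                  advertised=["172.16.0.0/16"], vpc_cidrs=["10.0.0.0/16"])
    issues = validate_peering(**params)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_ios_bgp_config(65100, 64512, "169.254.100.2/30", ["172.16.0.0/16"], "EXAMPLEKEY"))
```

Run the validator before touching the router: the overlap check is the one that turns a silent black hole (Muddy Points below) into a visible error, and the outbound prefix-list keeps a mis-typed redistribute from leaking your whole table to AWS.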

Checkpoint Questions

  1. What is the main difference between iBGP and eBGP?
  2. Why is BGP preferred over static routing for large-scale hybrid networks?
  3. If a VPC route table has a static route and a propagated BGP route for the exact same destination CIDR, which one takes precedence?
  4. What AWS resource acts as the BGP peer on the Amazon side for a VPN or DX connection?

Muddy Points & Cross-Refs

  • Overlapping IP Addresses: If your on-prem network uses the same CIDR as your VPC, BGP will not solve the conflict. The VPC's local route always wins, so traffic for that CIDR never leaves the VPC and is effectively black-holed, and the on-prem side has the same problem in reverse. Cross-ref: See "VPC Peering & NAT Gateways" for overlapping IP solutions.
  • ASN Limits: AWS accepts private ASNs in the 16-bit range 64512–65534 and the 32-bit range 4200000000–4294967294; 64512 is the default Amazon-side ASN. Using a public ASN you do not own is rejected on the AWS side and, if such routes leak to the internet, can cause hijack-style conflicts. Cross-ref: See "AWS Networking Quotas."

Comparison Tables

Feature         | Static Routing                       | Dynamic Routing (BGP)
Configuration   | Manual (high effort)                 | Automated (low effort after setup)
Scalability     | Low (hard to manage 100+ routes)     | High (handles complex networks)
Failover        | Manual or scripted                   | Automatic (path attributes, session keepalives)
Error Proneness | High (human error in typing)         | Low (routes reflect reachability learned from peers)
Best For        | Simple VPNs / small offices          | Enterprise Direct Connect / Transit Gateway
