Configuring Routing for AWS Hybrid Connectivity: Static and Dynamic Strategies
Configuring static or dynamic routing protocols to work with hybrid connectivity solutions
Configuring Routing for AWS Hybrid Connectivity: Static and Dynamic Strategies
This guide explores the mechanisms used to establish network reachability between on-premises environments and the AWS Cloud, focusing on the configuration and implementation of static and dynamic routing protocols.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between static and dynamic routing use cases in hybrid environments.
- Configure BGP parameters for AWS Site-to-Site VPN and Direct Connect.
- Identify the required components of a static route entry.
- Optimize hybrid traffic flow using BGP attributes and route summarization.
- Select the appropriate routing protocol based on network scale and stability.
Key Terms & Glossary
- Autonomous System (AS): A collection of IP networks under the control of one or more network operators that has a single and clearly defined routing policy.
- BGP (Border Gateway Protocol): The standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems.
- eBGP (External BGP): BGP used to interconnect different autonomous systems (e.g., your Corporate Data Center and AWS).
- iBGP (Internal BGP): BGP used within a single autonomous system.
- IGP (Interior Gateway Protocol): Routing protocols used within an organization, such as OSPF or EIGRP.
- VPG (Virtual Private Gateway): The VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
The "Big Idea"
Hybrid networking is the bridge between traditional data centers and the cloud. Routing acts as the GPS for this bridge. Without correctly configured routing, even a physically connected Direct Connect line or an established VPN tunnel will fail to pass traffic. Choosing between Static (manual, rigid, low-overhead) and Dynamic (automated, resilient, complex) determines how effectively your network scales and recovers from failures.
Formula / Concept Box
| Routing Component | Requirement / Attribute |
|---|---|
| Static Route Syntax | Destination Network + Subnet Mask + Next Hop IP/Interface |
| BGP Path Selection | Primarily based on AS_PATH (shorter is preferred) |
| Direct Connect BGP | Requires a unique ASN (Autonomous System Number) |
| VPN BGP | Requires BGP peering over the IPsec tunnel |
Hierarchical Outline
- Static Routing Fundamentals
- Manual Configuration: Administrator hard-codes routes into the table.
- Components: Destination prefix, mask, and egress interface/next hop.
- Pros/Cons: No protocol overhead, higher security (no updates on wire), but lacks automatic failover.
- Dynamic Routing & BGP
- BGP Role: The industry-standard for AWS hybrid networks.
- Automation: Automatically records topology changes and updates the forwarding table.
- Interoperability: Used specifically to interconnect different Autonomous Systems (AS).
- AWS Hybrid Implementation
- Site-to-Site VPN: Can use static or BGP. BGP is preferred for multi-region or high-availability setups.
- Direct Connect (DX): Exclusively uses BGP for dynamic routing to VIFs (Virtual Interfaces).
- Transit Gateway (TGW): Supports BGP for connecting to on-premises SD-WAN or appliances.
- Routing Optimization
- Summarization: Grouping multiple CIDR blocks into a single advertisement to reduce table size.
- Traffic Influence: Using BGP attributes to prefer one path over another (Active/Passive).
Visual Anchors
Decision Logic: Static vs. Dynamic
Hybrid Connectivity Architecture
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, thick, rectangle, rounded corners, inner sep=5pt}]
% Define Nodes \node (OnPrem) [fill=blue!10] {\textbf{On-Premises DC}}; \node (Router) [right of=OnPrem, xshift=1.5cm, fill=blue!5] {\textbf{Customer Gateway (CGW)}}; \node (AWS) [right of=Router, xshift=2.5cm, fill=orange!10] {\textbf{AWS Cloud (VPC)}}; \node (VPG) [left of=AWS, xshift=-0.5cm, fill=orange!5] {VPG/TGW};
% Connections \draw [<->, thick] (OnPrem) -- (Router); \draw [<->, dashed, thick] (Router) -- node[above, draw=none] {BGP Session} (VPG); \draw [<->, thick] (VPG) -- (AWS);
% Annotations \node [below of=Router, yshift=1cm, draw=none] {\footnotesize ASN: 65000}; \node [below of=VPG, yshift=1cm, draw=none] {\footnotesize ASN: 64512}; \end{tikzpicture}
Definition-Example Pairs
- Term: Static Routing
- Definition: A manually configured path in a router's routing table.
- Example: Configuring a route on your on-premises router so that all traffic for
10.0.0.0/16(your AWS VPC) is sent specifically to the interfacetun0(your VPN tunnel).
- Term: BGP Route Propagation
- Definition: The process where AWS automatically adds BGP-learned routes to a VPC route table.
- Example: When your on-premises router advertises
192.168.1.0/24via BGP, AWS automatically populates this route into your VPC's route table with the Virtual Private Gateway as the target.
Worked Examples
Scenario: Configuring Static Routing for a New VPN
Problem: You have a small office with a single VPN tunnel to AWS. You need to ensure the office can reach the VPC 172.31.0.0/16.
Solution Steps:
- On-Prem Router: Add a static route:
ip route 172.31.0.0 255.255.0.0 <VPN_Tunnel_Interface_IP>. - AWS Console: Navigate to VPC > Route Tables. Select the table associated with your subnets.
- Add Route: Edit routes and add
Destination: 10.1.0.0/24(On-prem range) andTarget: vgw-xxxxxxx(Virtual Private Gateway). - Verification: Ping an EC2 instance private IP from the local office.
Scenario: Using BGP for Active/Passive Failover
Problem: You have two VPN tunnels and want to use one as primary and one as backup.
Solution: Use AS PATH Prepending. On your on-premises router, for the backup tunnel, advertise your local CIDR but append your own ASN multiple times (e.g., 65000 65000 65000). AWS will see a "longer" path for the backup tunnel and prefer the primary one.
Checkpoint Questions
- What three pieces of information are required to define a static route?
- Why is BGP considered more suitable for large-scale hybrid networks than static routing?
- In an AWS hybrid setup, if you are connecting two different entities (On-prem and AWS), are you using iBGP or eBGP?
- True or False: Static routing can automatically adjust if a physical link in the network fails.
Muddy Points & Cross-Refs
- eBGP vs. iBGP: It's often confusing which to use. In 99% of AWS hybrid connectivity cases (DX or VPN), you are using eBGP because your data center and AWS are treated as separate Autonomous Systems.
- Metric Complexity: BGP metrics (AS_PATH, MED, Local Preference) can be daunting. For the ANS-C01 exam, focus on AS_PATH as the primary way AWS determines the best path back to your network.
- Route Limits: Be aware that AWS has hard limits on the number of routes you can advertise via BGP (e.g., 100 routes for a VPG). Exceeding this will cause the BGP session to go down.
Comparison Tables
| Feature | Static Routing | Dynamic Routing (BGP) |
|---|---|---|
| Configuration | Manual / Administrative | Automated / Protocol-based |
| Scalability | Low (Difficult to manage) | High (Ideal for large networks) |
| Overhead | Zero (No protocol traffic) | Low to Medium (Keepalives/Updates) |
| Failover | Manual Intervention Required | Automatic and Fast |
| Security | High (No route spoofing) | Medium (Requires MD5 auth/filters) |
| Best Use Case | Small, fixed topologies | Redundant, large-scale hybrid links |