Lab: Implementing Hybrid Connectivity with BGP-based Site-to-Site VPN

This lab guides you through establishing a secure, dynamic hybrid connection between an "on-premises" environment and the AWS Cloud using Border Gateway Protocol (BGP). To simulate an on-premises data center, we will use a secondary VPC with a simulated Customer Gateway.

Prerequisites

An active AWS Account with permissions to manage VPC, EC2, and VPN components.
AWS CLI installed and configured with appropriate credentials.
Basic understanding of CIDR notation and BGP autonomous system numbers (ASNs).
A Region with at least two available Elastic IPs (EIPs).

Learning Objectives

Provision and configure a Customer Gateway (CGW) and Virtual Private Gateway (VGW).
Establish a Site-to-Site VPN connection using dynamic routing.
Configure BGP Route Propagation to automate route table updates.
Validate end-to-end connectivity and BGP peering status.

Architecture Overview

We will create a hub-and-spoke style connection where the "On-Premises" VPC acts as the remote site.

Loading Diagram...

Step-by-Step Instructions

Step 1: Create the Virtual Private Gateway (VGW)

The VGW is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

bash

# Create the VGW with a custom ASN
aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn 64512

# Attach the VGW to your AWS VPC
aws ec2 attach-vpn-gateway --vpn-gateway-id <VGW_ID> --vpc-id <VPC_ID>

▶Console alternative

Navigate to VPC Dashboard > Virtual Private Gateways > Create Virtual Private Gateway. Name it BrainyBee-VGW, select Custom ASN (64512), and click Create. Select the new VGW, click Actions > Attach to VPC, and select your target VPC.

Step 2: Create the Customer Gateway (CGW)

The CGW provides AWS with information about your on-premises router.

bash

# Replace <PUBLIC_IP> with the Elastic IP of your simulated on-prem router
aws ec2 create-customer-gateway --type ipsec.1 --public-ip <PUBLIC_IP> --bgp-asn 65000

[!TIP] In a real-world scenario, the Public IP would be the outside interface of your physical router (e.g., Cisco, Juniper, or Fortinet).

Step 3: Establish the Site-to-Site VPN Connection

This step initiates the creation of two IPsec tunnels for high availability.

bash

aws ec2 create-vpn-connection --type ipsec.1 \
    --customer-gateway-id <CGW_ID> \
    --vpn-gateway-id <VGW_ID> \
    --options "StaticRoutesOnly=false"

[!IMPORTANT] By setting StaticRoutesOnly=false, we enable Dynamic Routing (BGP), allowing the networks to exchange prefixes automatically.

Step 4: Enable Route Propagation

Instead of manual route entries, AWS can automatically inject BGP-learned routes into your VPC route tables.

bash

aws ec2 enable-vgw-route-propagation --gateway-id <VGW_ID> --route-table-id <RTB_ID>

Checkpoints

Verification Step	Command	Expected Result
Tunnel Status	`aws ec2 describe-vpn-connections`	`State` should be `available`.
BGP Status	Check `VgwTelemetry` in CLI output	`Status` should be `UP`.
Route Table	`aws ec2 describe-route-tables`	Look for `172.16.1.0/24` via `vgw-xxxx`.
Ping Test	`ping 172.16.1.x`	Successful ICMP response from on-prem instance.

Visualizing the BGP Peering

Below is a logic diagram of how the BGP session is established over the IPsec tunnel.

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Troubleshooting

Issue	Possible Cause	Fix
Tunnel is DOWN	Security Group/ACL blocking UDP 500/4500	Ensure UDP 500/4500 and IP Protocol 50 (ESP) are allowed.
BGP is IDLE	ASN Mismatch	Verify that the CGW ASN matches the on-prem router config.
Routes not showing	Propagation Disabled	Run `enable-vgw-route-propagation` on the specific route table.

Clean-Up / Teardown

[!WARNING] Failure to delete these resources will result in hourly charges for the VPN connection.

Delete VPN Connection: aws ec2 delete-vpn-connection --vpn-connection-id <VPN_ID>
Detach VGW: aws ec2 detach-vpn-gateway --vpn-gateway-id <VGW_ID> --vpc-id <VPC_ID>
Delete VGW: aws ec2 delete-vpn-gateway --vpn-gateway-id <VGW_ID>
Delete CGW: aws ec2 delete-customer-gateway --customer-gateway-id <CGW_ID>

Stretch Challenge

Multi-Exit Discriminator (MED) Influence: If you have two tunnels, try to influence the inbound traffic from AWS to your on-premises environment by adjusting the BGP MED attribute on your customer router. Observe how the preferred path changes in the AWS Route Table.

Cost Estimate

AWS Site-to-Site VPN: Approximately $0.05 per hour per connection ($1.20/day).
Data Transfer Out: First 100GB/month is free; then ~$0.09/GB.
VGW/CGW: No additional hourly charge, but the VPN connection itself costs money.

Concept Review

Concept	Description
eBGP	Used between different Autonomous Systems (AWS vs. On-Prem).
VGW	The AWS-side anchor for VPN and Direct Connect.
ASN	A unique identifier for a network (Amazon default is 64512).
Route Propagation	The mechanism that automates updating VPC route tables with BGP routes.

Lab: Implementing Hybrid Connectivity with BGP-based Site-to-Site VPN

Prerequisites

An active AWS Account with permissions to manage VPC, EC2, and VPN components.
AWS CLI installed and configured with appropriate credentials.
Basic understanding of CIDR notation and BGP autonomous system numbers (ASNs).
A Region with at least two available Elastic IPs (EIPs).

Learning Objectives

Provision and configure a Customer Gateway (CGW) and Virtual Private Gateway (VGW).
Establish a Site-to-Site VPN connection using dynamic routing.
Configure BGP Route Propagation to automate route table updates.
Validate end-to-end connectivity and BGP peering status.

Architecture Overview

We will create a hub-and-spoke style connection where the "On-Premises" VPC acts as the remote site.

Loading Diagram...

Step-by-Step Instructions

Step 1: Create the Virtual Private Gateway (VGW)

The VGW is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

bash

# Create the VGW with a custom ASN
aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn 64512

# Attach the VGW to your AWS VPC
aws ec2 attach-vpn-gateway --vpn-gateway-id <VGW_ID> --vpc-id <VPC_ID>

▶Console alternative

Step 2: Create the Customer Gateway (CGW)

The CGW provides AWS with information about your on-premises router.

bash

# Replace <PUBLIC_IP> with the Elastic IP of your simulated on-prem router
aws ec2 create-customer-gateway --type ipsec.1 --public-ip <PUBLIC_IP> --bgp-asn 65000

[!TIP] In a real-world scenario, the Public IP would be the outside interface of your physical router (e.g., Cisco, Juniper, or Fortinet).

Step 3: Establish the Site-to-Site VPN Connection

This step initiates the creation of two IPsec tunnels for high availability.

bash

aws ec2 create-vpn-connection --type ipsec.1 \
    --customer-gateway-id <CGW_ID> \
    --vpn-gateway-id <VGW_ID> \
    --options "StaticRoutesOnly=false"

[!IMPORTANT] By setting StaticRoutesOnly=false, we enable Dynamic Routing (BGP), allowing the networks to exchange prefixes automatically.

Step 4: Enable Route Propagation

Instead of manual route entries, AWS can automatically inject BGP-learned routes into your VPC route tables.

bash

aws ec2 enable-vgw-route-propagation --gateway-id <VGW_ID> --route-table-id <RTB_ID>

Checkpoints

Verification Step	Command	Expected Result
Tunnel Status	`aws ec2 describe-vpn-connections`	`State` should be `available`.
BGP Status	Check `VgwTelemetry` in CLI output	`Status` should be `UP`.
Route Table	`aws ec2 describe-route-tables`	Look for `172.16.1.0/24` via `vgw-xxxx`.
Ping Test	`ping 172.16.1.x`	Successful ICMP response from on-prem instance.

Visualizing the BGP Peering

Below is a logic diagram of how the BGP session is established over the IPsec tunnel.

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Troubleshooting

Issue	Possible Cause	Fix
Tunnel is DOWN	Security Group/ACL blocking UDP 500/4500	Ensure UDP 500/4500 and IP Protocol 50 (ESP) are allowed.
BGP is IDLE	ASN Mismatch	Verify that the CGW ASN matches the on-prem router config.
Routes not showing	Propagation Disabled	Run `enable-vgw-route-propagation` on the specific route table.

Clean-Up / Teardown

[!WARNING] Failure to delete these resources will result in hourly charges for the VPN connection.

Delete VPN Connection: aws ec2 delete-vpn-connection --vpn-connection-id <VPN_ID>
Detach VGW: aws ec2 detach-vpn-gateway --vpn-gateway-id <VGW_ID> --vpc-id <VPC_ID>
Delete VGW: aws ec2 delete-vpn-gateway --vpn-gateway-id <VGW_ID>
Delete CGW: aws ec2 delete-customer-gateway --customer-gateway-id <CGW_ID>

Stretch Challenge

Cost Estimate

AWS Site-to-Site VPN: Approximately $0.05 per hour per connection ($1.20/day).
Data Transfer Out: First 100GB/month is free; then ~$0.09/GB.
VGW/CGW: No additional hourly charge, but the VPN connection itself costs money.

Concept Review

Concept	Description
eBGP	Used between different Autonomous Systems (AWS vs. On-Prem).
VGW	The AWS-side anchor for VPN and Direct Connect.
ASN	A unique identifier for a network (Amazon default is 64512).
Route Propagation	The mechanism that automates updating VPC route tables with BGP routes.