Lab: Implementing Hybrid Connectivity with BGP-based Site-to-Site VPN
Implement routing and connectivity between on-premises networks and the AWS Cloud
This lab guides you through establishing a secure, dynamic hybrid connection between an "on-premises" environment and the AWS Cloud using Border Gateway Protocol (BGP). To simulate an on-premises data center, we will use a secondary VPC with a simulated Customer Gateway.
Prerequisites
- An active AWS Account with permissions to manage VPC, EC2, and VPN components.
- AWS CLI installed and configured with appropriate credentials.
- Basic understanding of CIDR notation and BGP autonomous system numbers (ASNs).
- A Region with at least two available Elastic IPs (EIPs).
Learning Objectives
- Provision and configure a Customer Gateway (CGW) and Virtual Private Gateway (VGW).
- Establish a Site-to-Site VPN connection using dynamic routing.
- Configure BGP Route Propagation to automate route table updates.
- Validate end-to-end connectivity and BGP peering status.
Architecture Overview
We will create a hub-and-spoke style connection where the "On-Premises" VPC acts as the remote site.
Step-by-Step Instructions
Step 1: Create the Virtual Private Gateway (VGW)
The VGW is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
# Create the VGW with a custom ASN
aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn 64512
# Attach the VGW to your AWS VPC
# Attach the VGW to your AWS VPC (use the VpnGatewayId returned by the previous command)
aws ec2 attach-vpn-gateway --vpn-gateway-id <VGW_ID> --vpc-id <VPC_ID>
Console alternative
Navigate to VPC Dashboard > Virtual Private Gateways > Create Virtual Private Gateway. Name it BrainyBee-VGW, keep the Amazon-side ASN at 64512 (this is also the default; choose Custom ASN only if you need a different value), and click Create. Select the new VGW, click Actions > Attach to VPC, and select your target VPC.
Step 2: Create the Customer Gateway (CGW)
The CGW provides AWS with information about your on-premises router.
# Replace <PUBLIC_IP> with the Elastic IP of your simulated on-prem router
# Replace <PUBLIC_IP> with the Elastic IP of your simulated on-prem router.
# The BGP ASN must match the local ASN configured on that router.
aws ec2 create-customer-gateway --type ipsec.1 --public-ip <PUBLIC_IP> --bgp-asn 65000
[!TIP] In a real-world deployment the public IP is the outside interface of your physical router (for example Cisco, Juniper or Fortinet); it must be a static address reachable from the internet, because AWS only accepts IKE negotiation from that IP.
Step 3: Establish the Site-to-Site VPN Connection
This step initiates the creation of two IPsec tunnels for high availability.
aws ec2 create-vpn-connection --type ipsec.1 \
  --customer-gateway-id <CGW_ID> \
  --vpn-gateway-id <VGW_ID> \
  --options "StaticRoutesOnly=false"
[!IMPORTANT] Setting StaticRoutesOnly=false enables dynamic routing (BGP), so the two sides exchange prefixes automatically instead of you maintaining static routes on both ends.
The response includes a CustomerGatewayConfiguration document with each tunnel's outside and inside (169.254.x.x/30) addresses, both BGP ASNs and the IKE pre-shared keys. Handle it as a secret: it is exactly what you load onto the customer router.
Step 4: Enable Route Propagation
Instead of manual route entries, AWS can inject the BGP-learned routes into a VPC route table. Enable this on the route table associated with the subnets that need to reach the on-premises network, and repeat it for each such table:
# Propagate routes learned by the VGW into one route table
aws ec2 enable-vgw-route-propagation --gateway-id <VGW_ID> --route-table-id <RTB_ID>
Checkpoints
| Verification Step | Command | Expected Result |
|---|---|---|
| Connection state | aws ec2 describe-vpn-connections --vpn-connection-ids <VPN_ID> | State is available (pending means negotiation has not finished yet). |
| Tunnel and BGP status | VgwTelemetry in the same output | Status is UP for both tunnels (for a BGP VPN, AWS reports UP only once the IPsec SA and the BGP session are both established) and AcceptedRouteCount is greater than 0. |
| Route Table | aws ec2 describe-route-tables --route-table-ids <RTB_ID> | The prefix your router advertises (172.16.0.0/16 in the diagram below) appears with Origin EnableVgwRoutePropagation and target vgw-xxxx. |
| Ping Test | ping 172.16.1.x from an instance in the AWS VPC | ICMP replies from the on-prem instance; its security group must allow ICMP from 10.0.0.0/16. |
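The checkpoints above can be graded from the CLI output rather than read by eye. The script below is an added example for this lab, not AWS tooling or code from the original page: it takes the parsed JSON that `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables` print, evaluates each checkpoint, and points at the matching Troubleshooting row when one fails. The two sample documents are constructed in that shape; every ID, address and status message in them is made up, and the second tunnel is deliberately left DOWN to show a partial result.

```python
"""Checkpoint grader for the Site-to-Site VPN lab (added example, not AWS tooling).

Feed it the parsed JSON from `aws ec2 describe-vpn-connections` and
`aws ec2 describe-route-tables`. The two samples below are constructed in that
shape; every ID, address and status message in them is made up.
"""
from ipaddress import ip_network

VGW_ID = "vgw-0123456789abcdef0"
ONPREM_PREFIX = "172.16.0.0/16"   # what the customer router advertises in this lab

SAMPLE_VPN = {"VpnConnections": [{
    "VpnConnectionId": "vpn-0123456789abcdef0", "State": "available", "Type": "ipsec.1",
    "VpnGatewayId": VGW_ID, "CustomerGatewayId": "cgw-0123456789abcdef0",
    "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": "",
         "AcceptedRouteCount": 1},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
         "StatusMessage": "constructed: second tunnel never negotiated", "AcceptedRouteCount": 0},
    ]}]}

SAMPLE_RTB = {"RouteTables": [{
    "RouteTableId": "rtb-0123456789abcdef0", "VpcId": "vpc-0123456789abcdef0",
    "PropagatingVgws": [{"GatewayId": VGW_ID}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": VGW_ID,
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ]}]}

# Where to look when a checkpoint fails (mirrors the Troubleshooting table).
HINTS = {
    "connection_available": "connection still pending or deleting; wait and re-run",
    "dynamic_routing": "recreate the connection with StaticRoutesOnly=false",
    "tunnel_up": "IKE/IPsec or BGP not established: check UDP 500/4500, ESP and the ASNs",
    "tunnel_redundancy": "one tunnel is down; fix it before treating the link as HA",
    "bgp_routes_accepted": "peering up but no prefixes accepted: check what the router advertises",
    "propagation_enabled": "run enable-vgw-route-propagation on this route table",
    "onprem_route_propagated": "on-prem prefix not in the route table: check router advertisements",
}


def _covers(cidr, wanted):
    """True when the route `cidr` contains the whole `wanted` network."""
    route = ip_network(cidr)
    return (route.network_address <= wanted.network_address
            and wanted.broadcast_address <= route.broadcast_address)


def check_vpn(vpn_doc, rtb_doc, vgw_id, onprem_prefix):
    """Grade the checkpoints for one connection and one route table: {name: (passed, detail)}."""
    vpn = vpn_doc["VpnConnections"][0]
    rtb = rtb_doc["RouteTables"][0]
    out = {}
    out["connection_available"] = (vpn["State"] == "available", "State=%s" % vpn["State"])

    static_only = vpn.get("Options", {}).get("StaticRoutesOnly", True)
    out["dynamic_routing"] = (not static_only, "StaticRoutesOnly=%s" % static_only)

    # For a BGP VPN, AWS reports a tunnel UP only once IPsec *and* the BGP session are up.
    telemetry = vpn.get("VgwTelemetry", [])
    up = [t for t in telemetry if t.get("Status") == "UP"]
    down = [t["OutsideIpAddress"] for t in telemetry if t.get("Status") != "UP"]
    out["tunnel_up"] = (len(up) >= 1, "%d of %d tunnels UP" % (len(up), len(telemetry)))
    out["tunnel_redundancy"] = (len(telemetry) >= 2 and not down,
                                "down: %s" % (", ".join(down) or "none"))

    accepted = sum(t.get("AcceptedRouteCount", 0) for t in up)
    out["bgp_routes_accepted"] = (accepted > 0, "AcceptedRouteCount=%d" % accepted)

    propagating = {g["GatewayId"] for g in rtb.get("PropagatingVgws", [])}
    out["propagation_enabled"] = (vgw_id in propagating, "PropagatingVgws=%s" % sorted(propagating))

    wanted = ip_network(onprem_prefix)
    learned = [r["DestinationCidrBlock"] for r in rtb.get("Routes", [])
               if r.get("GatewayId") == vgw_id and r.get("Origin") == "EnableVgwRoutePropagation"
               and r.get("State") == "active" and "DestinationCidrBlock" in r
               and _covers(r["DestinationCidrBlock"], wanted)]
    out["onprem_route_propagated"] = (bool(learned),
                                      "propagated routes covering %s: %s" % (onprem_prefix, learned))
    return out


def failed(results):
    """Names of the checkpoints that did not pass, in report order."""
    return [name for name, (ok, _) in results.items() if not ok]


if __name__ == "__main__":
    results = check_vpn(SAMPLE_VPN, SAMPLE_RTB, VGW_ID, ONPREM_PREFIX)
    for name, (ok, detail) in results.items():
        print("%-24s %s  %s" % (name, "PASS" if ok else "FAIL", detail))
        if not ok:
            print("%-24s hint: %s" % ("", HINTS[name]))
```

Against real output, pass the result of `json.load()` on each command's stdout. The route check accepts any propagated route that covers the on-premises prefix, so a router that advertises 172.16.0.0/16 still satisfies a test for 172.16.1.0/24; a route that is present but points at a different gateway, or that was added statically (Origin CreateRoute), does not count.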
Visualizing the BGP Peering
Below is a logic diagram of how the BGP session is established over the IPsec tunnel. The peering runs inside the tunnel between the 169.254.x.x inside addresses, so TCP 179 never appears on the outside interfaces.
\begin{tikzpicture}[node distance=2cm, box/.style={rectangle, draw, minimum width=3cm, minimum height=1.5cm, align=center}]
  \node[box] (aws) {AWS VGW\\ASN: 64512};
  \node[box, right=4cm of aws] (onprem) {Customer Router\\ASN: 65000};
  \draw[<->, thick, double, dashed] (aws) -- (onprem) node[midway, above] {BGP Peering (TCP 179)};
  \draw[->, color=blue] (aws) -- +(0,-1.5) node[below] {Advertises 10.0.0.0/16};
  \draw[->, color=red] (onprem) -- +(0,-1.5) node[below] {Advertises 172.16.0.0/16};
\end{tikzpicture}
Troubleshooting
| Issue | Possible Cause | Fix |
|---|---|---|
| Tunnel is DOWN | Security group or network ACL on the simulated on-prem router blocking IKE/IPsec | Allow UDP 500 and 4500 (IKE and NAT-T) and IP protocol 50 (ESP) inbound from both AWS tunnel outside IP addresses listed in the VPN connection; if the router is an EC2 instance, also disable its source/destination check so it can forward traffic. |
| BGP is IDLE | ASN mismatch, or wrong inside tunnel addresses | Verify that the CGW ASN (65000) matches the router's local ASN, that the router peers with the AWS inside tunnel address (169.254.x.x) from the CustomerGatewayConfiguration, and that TCP 179 is not filtered inside the tunnel. |
| Routes not showing | Propagation disabled, or the router is not advertising the prefix | Run enable-vgw-route-propagation on the specific route table and confirm that AcceptedRouteCount in VgwTelemetry is greater than 0. |
Clean-Up / Teardown
[!WARNING] Failure to delete these resources will result in hourly charges for the VPN connection.
- Delete the VPN connection and wait until describe-vpn-connections reports it as deleted:
aws ec2 delete-vpn-connection --vpn-connection-id <VPN_ID>
- Detach the VGW from the VPC:
aws ec2 detach-vpn-gateway --vpn-gateway-id <VGW_ID> --vpc-id <VPC_ID>
- Delete the VGW:
aws ec2 delete-vpn-gateway --vpn-gateway-id <VGW_ID>
- Delete the CGW:
aws ec2 delete-customer-gateway --customer-gateway-id <CGW_ID>
- Release the Elastic IP of the simulated on-prem router once its instance is terminated; an unattached EIP is billed hourly.
Stretch Challenge
Multi-Exit Discriminator (MED) Influence: Both tunnels advertise the same on-premises prefix, so try to steer the return traffic from AWS onto one of them by setting a higher MED on the other tunnel's BGP session on your customer router. AWS compares AS_PATH length before MED, so MED only decides between paths whose AS_PATH lengths are equal; prepending your ASN on one tunnel overrides any MED. The VPC route table keeps showing a single entry pointing at the VGW, so observe the change on the customer router instead: the interface counters of the preferred tunnel should carry the return traffic.
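To reason about what the challenge will show before touching the router, the following added example (not AWS code, and not part of the original lab) models the path selection the VGW applies between two tunnels that advertise overlapping prefixes: longest prefix match first, then the shortest AS_PATH, then, when the AS_PATH lengths tie and the first AS in each path is the same, the lowest MED. This is the order AWS documents for Site-to-Site VPN route priority; whatever remains tied is returned as a set, since AWS may spread such traffic across both tunnels. Tunnel names, prefixes and attribute values are constructed, and treating a missing MED as 0 is an assumption of this model.

```python
"""Which tunnel does the VGW use for traffic back to on-premises?

Added example for the stretch challenge; it is not AWS code. It models the order
AWS documents for Site-to-Site VPN route priority: longest prefix, then shortest
AS_PATH, then lowest MED when AS_PATH lengths tie and the first AS matches.
Tunnel names, prefixes and attribute values below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Advertisement:
    tunnel: str          # which IPsec tunnel the BGP UPDATE arrived on
    prefix: str          # NLRI, e.g. "172.16.0.0/16"
    as_path: tuple       # AS_PATH as received; (65000, 65000) after one prepend
    med: int = 0         # MULTI_EXIT_DISC; assumed 0 when the router sets none


def preferred(adverts, destination):
    """Return the advertisements the VGW would forward `destination` over (ties kept)."""
    dst = ip_address(destination)
    cands = [a for a in adverts if dst in ip_network(a.prefix)]
    if not cands:
        return []
    # 1. longest prefix match
    longest = max(ip_network(a.prefix).prefixlen for a in cands)
    cands = [a for a in cands if ip_network(a.prefix).prefixlen == longest]
    # 2. shortest AS_PATH (prepending lengthens it)
    shortest = min(len(a.as_path) for a in cands)
    cands = [a for a in cands if len(a.as_path) == shortest]
    # 3. lowest MED, compared only when the first AS agrees across the remaining paths
    if len({a.as_path[0] for a in cands}) == 1:
        lowest = min(a.med for a in cands)
        cands = [a for a in cands if a.med == lowest]
    return cands


def chosen_tunnels(adverts, destination):
    """Sorted tunnel names that would carry traffic to `destination`."""
    return sorted(a.tunnel for a in preferred(adverts, destination))


# Scenario A: identical advertisements on both tunnels -> tie, traffic may use either.
EQUAL = [
    Advertisement("tunnel-1", "172.16.0.0/16", (65000,)),
    Advertisement("tunnel-2", "172.16.0.0/16", (65000,)),
]
# Scenario B: the router raises MED on tunnel-2 -> AWS returns traffic via tunnel-1.
MED_PREFERS_T1 = [
    Advertisement("tunnel-1", "172.16.0.0/16", (65000,), med=100),
    Advertisement("tunnel-2", "172.16.0.0/16", (65000,), med=200),
]
# Scenario C: tunnel-1 prepends its ASN; AS_PATH is compared before MED, so tunnel-2 wins.
PREPEND_BEATS_MED = [
    Advertisement("tunnel-1", "172.16.0.0/16", (65000, 65000), med=100),
    Advertisement("tunnel-2", "172.16.0.0/16", (65000,), med=200),
]
# Scenario D: a more specific prefix on tunnel-2 wins for hosts inside it, whatever the MED.
MORE_SPECIFIC = [
    Advertisement("tunnel-1", "172.16.0.0/16", (65000,), med=100),
    Advertisement("tunnel-2", "172.16.1.0/24", (65000,), med=200),
]

if __name__ == "__main__":
    scenarios = [("equal", EQUAL), ("med only", MED_PREFERS_T1),
                 ("prepend vs med", PREPEND_BEATS_MED), ("more specific", MORE_SPECIFIC)]
    for label, adverts in scenarios:
        print("%-15s 172.16.1.10 -> %s" % (label, chosen_tunnels(adverts, "172.16.1.10")))
```

Scenario C is the one that surprises people during the challenge: a single prepend on the tunnel you wanted to prefer is enough to lose the comparison before MED is ever consulted, so when MED appears to "do nothing", check that both tunnels advertise the prefix with the same AS_PATH length.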
Cost Estimate
- AWS Site-to-Site VPN: Approximately $0.05 per hour per connection ($1.20/day).
- Data Transfer Out: First 100GB/month is free; then ~$0.09/GB.
- VGW/CGW: No additional hourly charge, but the VPN connection itself costs money.
Concept Review
| Concept | Description |
|---|---|
| eBGP | Used between different Autonomous Systems (AWS vs. On-Prem). |
| VGW | The AWS-side anchor for VPN and Direct Connect. |
| ASN | Autonomous System Number, the identifier BGP uses for each network; eBGP requires the two sides to use different ASNs. 64512 to 65534 is the 16-bit private range; Amazon's default is 64512, and this lab uses 65000 on the customer side. |
| Route Propagation | The mechanism that automates updating VPC route tables with BGP routes. |