
Mastering AWS Hybrid Routing & Connectivity

Maintain routing and connectivity on AWS and hybrid networks


This study guide focuses on the critical operations within Domain 3 (Network Management and Operations) of the AWS Certified Advanced Networking - Specialty (ANS-C01) exam. Specifically, it covers the maintenance and optimization of routing between on-premises environments and AWS VPCs.

Learning Objectives

After studying this guide, you should be able to:

  • Configure and maintain BGP peering sessions over AWS Direct Connect (DX).
  • Identify and resolve routing conflicts caused by overlapping IP address blocks.
  • Optimize network traffic using route summarization and propagation settings.
  • Compare various hybrid connectivity methods like Direct Connect Gateway, Transit Gateway, and Site-to-Site VPN.
  • Manage service limits and quotas to ensure network scalability.

Key Terms & Glossary

  • BGP (Border Gateway Protocol): The standard dynamic routing protocol used to exchange reachability information between autonomous systems.
  • ASN (Autonomous System Number): A unique identifier assigned to a network (Autonomous System) for use in BGP routing.
  • VIF (Virtual Interface): A logical connection on a Direct Connect link (can be Private, Public, or Transit).
  • VGW (Virtual Private Gateway): The VPN concentrator on the Amazon side of a Site-to-Site VPN connection.
  • DXGW (Direct Connect Gateway): A global resource that allows you to connect a single Direct Connect connection to multiple VPCs across different Regions.
  • Route Propagation: A feature that allows a VPC route table to automatically learn and install routes from a VGW or DXGW via BGP.

The "Big Idea"

The primary goal of hybrid networking is to create a seamless, single contiguous network. From an application perspective, there should be no functional difference between accessing a server in a local rack versus an EC2 instance in a VPC. This is achieved by mastering BGP over dedicated links, ensuring high availability through redundant paths, and proactively monitoring connectivity health.

Formula / Concept Box

| Concept | Rule / Behavior |
| --- | --- |
| Route Priority | Longest Prefix Match (LPM) always wins. |
| Static vs. Dynamic | In a VPC route table, static routes generally take precedence over propagated routes. |
| BGP Path Selection | AWS prefers Direct Connect over VPN if the prefix lengths are identical. |
| Bandwidth Limit | VPN is limited to 1.25 Gbps per tunnel; DX ranges from 50 Mbps to 100 Gbps. |
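The three ordering rules in the concept box can be exercised directly. The following is an added example (not code from this study guide or from AWS) that models a VPC route table lookup: longest prefix match first, then static over propagated, then Direct Connect over VPN. The route entries, target IDs (vgw-0abc, tgw-0123, pcx-0def) and the `ORIGIN_RANK` labels are constructed for illustration; in a real VPC the DX-versus-VPN choice is made inside the Virtual Private Gateway and the route table shows a single propagated route, so this model flattens that choice into the route's origin label.

```python
"""Model of VPC route selection: longest prefix match first, then static over
propagated, then Direct Connect over VPN. Added example, not code from the
study guide or from AWS; all route entries are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Tie-break order for routes with the same prefix length (lower is preferred).
ORIGIN_RANK = {"local": 0, "static": 1, "propagated-dx": 2, "propagated-vpn": 3}


@dataclass(frozen=True)
class Route:
    prefix: str  # destination CIDR, e.g. "172.16.0.0/16"
    target: str  # next hop: "local", or a constructed vgw-/tgw-/pcx- id
    origin: str  # one of the ORIGIN_RANK keys


def select_route(table, dst):
    """Return the Route the table would use for address dst, or None if nothing matches."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    # Most specific prefix wins; origin rank only decides between equal lengths.
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen, ORIGIN_RANK[r.origin]))


# Constructed route table for a VPC whose own CIDR is 10.0.0.0/16.
SAMPLE_TABLE = [
    Route("10.0.0.0/16", "local", "local"),
    Route("172.16.0.0/16", "tgw-0123", "static"),          # static /16 to a TGW
    Route("172.16.5.0/24", "vgw-0abc", "propagated-dx"),   # BGP /24 learned over DX
    Route("172.16.5.0/24", "vgw-0abc", "propagated-vpn"),  # same /24 learned over VPN
    Route("192.168.0.0/16", "vgw-0abc", "propagated-dx"),
    Route("192.168.0.0/16", "pcx-0def", "static"),         # static beats propagated
]


def route_for(dst, table=SAMPLE_TABLE):
    """Convenience wrapper returning (prefix, target, origin) or None."""
    r = select_route(table, dst)
    return None if r is None else (r.prefix, r.target, r.origin)


if __name__ == "__main__":
    for dst in ("172.16.5.10", "172.16.9.1", "192.168.1.1", "10.0.3.3", "8.8.8.8"):
        print(dst, "->", route_for(dst))
```

The lookup for 172.16.5.10 lands on the propagated /24 rather than the static /16, which is exactly the point of checkpoint question 2 below: prefix length is compared before the static-versus-propagated rule ever applies.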

Hierarchical Outline

  • Hybrid Connectivity Methods
    • AWS Direct Connect (DX): Dedicated physical link; low latency, high reliability.
    • AWS Site-to-Site VPN: IPsec over public internet; fast setup, encrypted, but variable latency.
    • AWS Transit Gateway (TGW): Hub-and-spoke router for connecting thousands of VPCs and on-prem networks.
  • Routing Management
    • Dynamic Routing (BGP): Automated route updates using BGP peering between Customer Gateway (CGW) and AWS.
    • Static Routing: Manually entered routes; useful for simple setups or as backups.
    • Route Summarization: Consolidating multiple contiguous CIDR blocks into a single advertisement to reduce table size.
  • Operational Maintenance
    • Monitoring: Using CloudWatch and VPC Flow Logs for traffic analysis.
    • Troubleshooting: Using VPC Reachability Analyzer to find misconfigured Security Groups or ACLs.

Visual Anchors

BGP Peering Flow (diagram not recoverable from this page)

Hybrid Architecture with Redundancy

```latex
% Requires \usetikzlibrary{positioning} for the "right=of" style placements.
\begin{tikzpicture}[node distance=2cm,
  box/.style={draw, thick, fill=white, align=center, minimum height=1cm, minimum width=2.5cm}]
  % Sites: on-premises data center, Direct Connect Gateway, two VPCs
  \node[box] (onprem) {On-Premises\\Data Center};
  \node[box] (dxgw) [right=of onprem] {Direct Connect\\Gateway};
  \node[box] (vpc1) [above right=of dxgw] {VPC A};
  \node[box] (vpc2) [below right=of dxgw] {VPC B};
  % Primary path over Direct Connect, backup path over Site-to-Site VPN
  \draw[<->, ultra thick, color=blue] (onprem) -- (dxgw) node[midway, above] {DX Link};
  \draw[<->, thick, dashed, color=red] (onprem) to[bend left] (vpc1) node[midway, above] {Backup VPN};
  \draw[<->] (dxgw) -- (vpc1);
  \draw[<->] (dxgw) -- (vpc2);
\end{tikzpicture}
```

Definition-Example Pairs

  • Route Summarization: The process of advertising a single broad CIDR instead of many smaller ones.
    • Example: Instead of advertising 10.0.1.0/24 and 10.0.2.0/24, you advertise 10.0.0.0/22 to the on-premises network.
  • Overlapping CIDRs: When two connected networks use the same IP address space.
    • Example: Both the on-prem data center and the AWS VPC use 192.168.1.0/24, causing routing ambiguity.
  • BGP Peering: A TCP session (port 179) between two BGP-speaking routers over which they exchange routes.
    • Example: Configuring an ASN of 65000 on your Cisco router to exchange routes with AWS's ASN 64512.

Worked Examples

Scenario: Resolving Overlapping IP Address Blocks

Problem: A company acquires a firm that uses 10.1.0.0/16, which is the exact same CIDR as their existing production VPC. They need to connect the two via VPC Peering.

Step-by-Step Breakdown:

  1. Identify the Conflict: VPC Peering cannot be established if CIDRs overlap.
  2. Solution A (AWS PrivateLink): Create a VPC Endpoint Service in the provider VPC. The consumer VPC reaches specific services through an endpoint with a private IP in its own address space, avoiding full network routing.
  3. Solution B (Secondary CIDR): Add a non-overlapping secondary CIDR to the VPCs and use those for the peering connection.
  4. Solution C (NAT Gateway): Use a Transit Gateway with NAT to translate addresses before they cross the peering boundary.
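The route summarization and overlapping-CIDR definitions above, and step 1 of this worked example, both reduce to prefix arithmetic. The following added example (not code from the study guide) uses Python's standard `ipaddress` module to compute the summary the guide advertises, to show how much extra space that summary claims, and to detect the overlap that blocks VPC Peering. All prefixes passed in are constructed sample values; the function names are my own.

```python
"""Route summarization and overlapping-CIDR checks with the standard library.
Added example, not code from the study guide; sample prefixes are constructed."""
from ipaddress import ip_network, collapse_addresses
from itertools import combinations


def summarize_exact(cidrs):
    """Merge adjacent or nested blocks without advertising any extra space."""
    return [str(n) for n in collapse_addresses(ip_network(c) for c in cidrs)]


def smallest_supernet(cidrs):
    """Single prefix covering every input (the guide's 10.0.0.0/22 style summary)."""
    nets = [ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()   # widen by one bit until all inputs fit
    return str(candidate)


def overadvertised_space(cidrs):
    """Blocks inside smallest_supernet(cidrs) that no input actually covers.
    Advertising the summary draws on-prem traffic for this space to AWS even
    though nothing there answers, so it is worth knowing before you advertise."""
    leftover = [ip_network(smallest_supernet(cidrs))]
    for n in (ip_network(c) for c in cidrs):
        remaining = []
        for block in leftover:
            if n.subnet_of(block):
                remaining.extend(block.address_exclude(n))  # carve n out of block
            elif not block.subnet_of(n):
                remaining.append(block)                     # disjoint: keep as is
            # else: block lies entirely inside n, so it is covered; drop it
        leftover = remaining
    return [str(b) for b in collapse_addresses(leftover)]


def overlapping_pairs(cidrs):
    """Pairs of inputs that share address space. Any non-empty result means
    VPC Peering cannot be created between the networks involved."""
    nets = [ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


if __name__ == "__main__":
    advertised = ["10.0.1.0/24", "10.0.2.0/24"]
    print("exact:", summarize_exact(advertised))
    print("summary:", smallest_supernet(advertised))
    print("extra space claimed:", overadvertised_space(advertised))
    print("overlaps:", overlapping_pairs(["10.1.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]))
```

For the guide's own pair of /24s, `summarize_exact` cannot merge them (they sit in different /23s), `smallest_supernet` returns the 10.0.0.0/22 from the definition above, and `overadvertised_space` reports the two /24s that summary claims but nobody uses. The overlap check returns a hit for the acquired 10.1.0.0/16 against the existing 10.1.0.0/16, which is the conflict step 1 identifies.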

Checkpoint Questions

  1. What is the maximum bandwidth for a single AWS Site-to-Site VPN tunnel?
  2. In a hybrid setup, does AWS prefer a /24 propagated route via BGP or a /16 static route in the VPC route table?
  3. Which AWS service allows you to connect a Direct Connect VIF to multiple VPCs in different AWS Regions?
  4. What happens if you do not enable "Route Propagation" on a VPC route table connected to a VGW?

[!TIP] Answers: 1) 1.25 Gbps. 2) The /24 route (Longest Prefix Match). 3) Direct Connect Gateway (DXGW). 4) The routes learned via BGP will not be automatically added to the table; you would have to add them manually.

Muddy Points & Cross-Refs

  • Route Priority Confusion: Many students struggle with the hierarchy when DX and VPN are both present. Remember: LPM (Longest Prefix Match) is king. If prefixes are equal, DX is preferred over VPN.
  • ASN Selection: You can use public ASNs (if owned) or private ASNs in the range 64512–65534. Do not use the same ASN for both ends of a BGP session.
  • CloudWatch vs. Flow Logs: Use CloudWatch Metrics for "Is the link up?" and VPC Flow Logs for "What specific traffic is failing?"

Comparison Tables

| Feature | Direct Connect (DX) | Site-to-Site VPN |
| --- | --- | --- |
| Transport | Dedicated Physical Fiber | Public Internet (IPsec) |
| Consistency | High (Predictable Latency) | Variable (Jitter) |
| Setup Time | Weeks/Months | Minutes |
| Encryption | Optional (via MACsec/VPN over DX) | Mandatory (IPsec) |
| Cost | High Port/Data Charges | Low Hourly/Data Charges |
