In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various tools, technologies, and services used to connect on-premises environments to the AWS Cloud, including Direct Connect and VPNs.
Learning Objectives
- Identify and describe how Direct Connect and VPNs are used to connect on-premises environments to the AWS Cloud
- Describe advanced AWS Direct Connect connectivity scenarios, including when to leverage Public, Private, and Transit Virtual Interfaces (VIFs)
- Understand routing fundamentals for static and dynamic routing in AWS along with industry-standard routing protocols such as Border Gateway Protocol (BGP)
- Describe how to use encryption to secure traffic as it travels across VPNs and Direct Connect connections
Prerequisites
The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced-level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
The Border Gateway Protocol is classed as an Exterior Gateway routing protocol. It's the protocol used on the Internet backbone to keep Internet routers up to date, and it is the protocol that cloud providers such as AWS use as the dynamic routing protocol for hybrid network connectivity. For basic BGP connectivity, you need a neighbor relationship to be formed between your on-premises router and the AWS VPN or Direct Connect connection. Unique ASNs (autonomous system numbers) for both ends of the connection are used to create the neighbor relationship. Regarding ASNs, you can accept numbers assigned by AWS or you can configure your own. ASNs are assigned from public ranges, which you must own, or private ranges that anybody can use.
Most organizations integrating with AWS use private ASNs from the range 64512 to 65534. You have to configure your on-premises device, but essentially, for a basic relationship, that is it: get your ASNs correct, configure dynamic routing on your AWS customer gateway and VPN or Direct Connect connection, and configure your on-premises device. For more complex deployments, you might want to customize your BGP deployment. There is little you can do on the AWS side of the relationship, but on your device you can configure BGP attributes that tune your BGP relationship with AWS, allowing you to influence the direction IP packets take: attributes such as local preference, AS path length, and MED. Local preference is a value shared between your own BGP routers; it is not shared with your neighbors. The local preference influences your path out of your autonomous system to a remote network.
It is particularly useful when you have multiple paths to a destination and you want traffic to travel over a specific path. Local preference values are assigned to prefixes; the higher the value, the more preferred the path. When sharing prefixes with BGP neighbors, we also share the AS numbers that the prefix has already passed through. These AS numbers form a list, so if a prefix has been through two autonomous systems, it might be advertised as coming from AS65001 and AS65002; if it has come through three autonomous systems, it might be advertised as coming from AS65001, AS65002, and AS65003. If a BGP device has two paths to a remote network, it might prefer the path through the fewest autonomous systems. When working with BGP, we can use AS path prepending: padding the AS path length before advertising a prefix to a neighbor.
This can help influence that neighbor's decision on how to reach a particular remote network, so a prefix that has come through two autonomous systems, such as AS65001 and AS65002, can be padded to make it look less desirable. When advertised by our BGP devices, we might advertise the prefix as coming from AS65001, AS65001, and AS65002 instead of AS65001 and AS65002, making the path seem less desirable to the remote BGP router. Multi-Exit Discriminator, or MED, can help you influence how your BGP neighbors route traffic to your AS. You advertise a MED value from your BGP devices to a neighbor such as AWS. If you advertise a MED of 200 from one of your BGP devices and a MED of 300 from another, then the path using the lowest MED is preferred.
BGP attributes are assessed in order; not all are required, and there are many more than the ones listed here. Using the three attributes here, the order of preference, and therefore the order in which the attributes are used to make routing decisions, is local preference, then AS path length, then MED. These attributes are important to get right if you have multiple paths to AWS or if you have BGP relationships with other cloud providers or Internet organizations. If you have a single path to AWS, then a basic BGP deployment will suffice.
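The following is an added illustration, not part of the course material: a small Python model of the three-step path selection described above (local preference, then AS path length, then MED), run over constructed routes that reproduce the text's own scenarios, the AS65001/AS65002 path padded to AS65001, AS65001, AS65002 and MEDs of 200 versus 300. The prefix, next-hop addresses and the local preference of 200 are assumed sample values.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Route:
    """One candidate path to a prefix, as learned from a BGP neighbor."""
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]  # e.g. (65001, 65002); leftmost ASN is the nearest neighbor
    local_pref: int = 100     # local to our AS, never shared with eBGP neighbors
    med: int = 0              # advertised to neighbors; lower is preferred


def prepend(route: Route, asn: int, times: int = 1) -> Route:
    """AS path prepending: pad the advertised path with the advertiser's own ASN."""
    return replace(route, as_path=(asn,) * times + route.as_path)


def best_path(routes: List[Route]) -> Route:
    """Choose among several paths to the same prefix, assessing attributes in the
    order the text gives: highest local preference, then shortest AS path, then
    lowest MED. A router's later tie-breakers are not modelled; ties keep the
    first candidate."""
    assert len({r.prefix for r in routes}) == 1, "compare paths to one prefix only"
    steps: List[Tuple[Callable[[Route], int], Callable]] = [
        (lambda r: r.local_pref, max),
        (lambda r: len(r.as_path), min),
        (lambda r: r.med, min),
    ]
    candidates = list(routes)
    for key, pick in steps:
        target = pick(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == target]
        if len(candidates) == 1:
            break
    return candidates[0]


def demo() -> Dict[str, str]:
    """Constructed sample: the receiving router sees the same prefix via two
    neighbors, both paths AS65001 -> AS65002, with MEDs 200 and 300 as in the text."""
    via_a = Route("10.0.0.0/16", "192.0.2.1", (65001, 65002), med=200)
    via_b = Route("10.0.0.0/16", "198.51.100.1", (65001, 65002), med=300)
    return {
        # equal local-pref and path length, so the lowest MED (200) wins
        "med": best_path([via_a, via_b]).next_hop,
        # advertiser padded path A to (65001, 65001, 65002): now longer, so B wins
        # on AS path length and MED is never consulted
        "prepended": best_path([prepend(via_a, 65001), via_b]).next_hop,
        # a local preference of 200 on the padded path A overrides both later steps
        "local_pref": best_path([replace(prepend(via_a, 65001), local_pref=200),
                                 via_b]).next_hop,
    }
```

Note that local preference only takes effect inside your own AS, which is why the last case can only be arranged on your side of the relationship, never on AWS's.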
Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy, where he specializes in developing DevOps technical training documentation.
He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.
Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, and Kubernetes (CKA, CKAD, CKS).