Working with BGP in AWS
2h 45m

This course covers the core learning objectives required for the 'Designing secure solutions in AWS - Level 2' skill.

Learning Objectives:

  • Analyze the available options to secure credentials using features of AWS Identity and Access Management (IAM)
  • Evaluate the appropriate routing mechanism to securely access AWS service endpoints or internet-based resources from an Amazon VPC
  • Evaluate the appropriate encryption options available for data in transit and when at rest across AWS services
  • Evaluate the most appropriate key management service and options based on business requirements and governance controls

The Border Gateway Protocol is classed as an Exterior Gateway routing protocol. It is the protocol used on the Internet backbone to keep Internet routers up to date, and it is the protocol that cloud providers such as AWS use as the dynamic routing protocol for hybrid network connectivity. For basic BGP connectivity, a neighbor relationship must be formed between your on-premises router and the AWS VPN or Direct Connect endpoint. Unique ASNs at both ends of the connection are used to create the neighbor relationship. You can accept the ASN assigned by AWS or configure your own. ASNs are assigned either from public ranges, which you must own, or from private ranges that anybody can use.

Most organizations integrating with AWS use private ASNs from the range 64512 to 65534. You also have to configure your on-premises device, but for a basic relationship that is essentially it: get your ASNs correct, configure dynamic routing on your AWS customer gateway and on the VPN or Direct Connect connection, and configure your on-premises device. For more complex deployments, you might want to customize your BGP deployment. There is little you can do on the AWS side of the relationship, but on your own device you can configure BGP attributes that tune your BGP relationship with AWS, allowing you to influence the path that IP packets take: attributes such as local preference, AS path length, and MED. Local preference is a value shared between your own BGP routers; it is not shared with your neighbors. Local preference influences your path out of your autonomous system towards a remote network.

It is particularly useful when you have multiple paths to a destination and you want traffic to travel over a specific one. Local preference values are assigned to prefixes; the higher the value, the more preferred the path. When sharing prefixes with BGP neighbors, we also share the AS numbers that have passed on that prefix. These AS numbers form a list. So, if a prefix has been through two autonomous systems, it might be advertised as coming from AS65001 and AS65002. If it has come through three autonomous systems, it might be advertised as coming from AS65001, AS65002, and AS65003. If a BGP device has two paths to a remote network, it prefers the path through the fewest autonomous systems, other attributes being equal. When working with BGP, we can use AS path prepending. This is when we pad the AS path before advertising a prefix to a neighbor.

This can help influence that neighbor's decision on how to reach a particular remote network. A prefix that has come through two autonomous systems, such as AS65001 and AS65002, can be padded to make it look less desirable: when advertised by our BGP devices, we might advertise the prefix as coming from AS65001, AS65001, and AS65002 instead of AS65001 and AS65002, making the path seem less desirable to the remote BGP router. Multi-Exit Discriminator, or MED, can help you influence how your BGP neighbors route traffic into your AS. You advertise a MED value from your BGP devices to a neighbor such as AWS. If you advertise a MED of 200 from one of your BGP devices and a MED of 300 from another, the path with the lowest MED is preferred.

BGP attributes are assessed in order; not all of them are required, and there are many more than the three listed here. Using just these three, the order of preference, and therefore the order in which the attributes are used to make routing decisions, is local preference, then AS path length, then MED. These attributes are important to get right if you have multiple paths to AWS, or if you have BGP relationships with other cloud providers or Internet organizations. If you have a single path to AWS, a basic BGP deployment will suffice.
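To make that ordering concrete, here is an added Python model of the three-attribute decision described above, written for this page rather than taken from the course or from any router; the prefixes, link labels and ASNs (64512 assumed on the AWS side, 65001 and 65002 on premises) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple

@dataclass(frozen=True)
class BgpPath:
    """One candidate route to a prefix, carrying the three attributes the course discusses."""
    prefix: str
    as_path: Tuple[int, ...]   # nearest AS first, e.g. (65001, 65002)
    local_pref: int = 100      # higher wins; set locally, never sent to neighbors
    med: int = 0               # lower wins; advertised to neighbors such as AWS
    via: str = ""              # constructed label for the link the path was learned on

def prepend_as_path(as_path: Sequence[int], extra: int) -> Tuple[int, ...]:
    """AS path prepending: repeat the advertising (first) AS `extra` more times."""
    if not as_path or extra < 0:
        raise ValueError("need a non-empty AS path and a non-negative prepend count")
    return (as_path[0],) * extra + tuple(as_path)

def select_best_path(candidates: Iterable[BgpPath]):
    """Return (winner, deciding attribute).  Attributes are assessed in the course's
    order, local preference, then AS path length, then MED, and the first one on which
    the surviving candidates differ decides.  Simplification: real routers compare MED
    only between paths from the same neighboring AS by default; here it is compared
    across all survivors."""
    remaining = list(candidates)
    if not remaining:
        raise ValueError("no candidate paths")
    if len(remaining) == 1:
        return remaining[0], "only_candidate"
    stages = (("local_pref", lambda p: -p.local_pref),  # negated so min() picks the highest
              ("as_path_length", lambda p: len(p.as_path)),
              ("med", lambda p: p.med))
    for name, key in stages:
        best = min(key(p) for p in remaining)
        remaining = [p for p in remaining if key(p) == best]
        if len(remaining) == 1:
            return remaining[0], name
    return remaining[0], "tie"  # equal on all three; a real router applies further tie-breaks

# Constructed outbound scenario: our router learns the same VPC prefix over Direct
# Connect and over a VPN, from an AWS side using the assumed private ASN 64512.
VIA_DX = BgpPath("10.0.0.0/16", (64512,), local_pref=200, via="direct-connect")
VIA_VPN = BgpPath("10.0.0.0/16", (64512,), local_pref=100, via="vpn")

# Constructed inbound scenario, as AWS would see it: two of our routers advertise the
# same on-premises prefix; router 2 prepends once and also sends a higher MED.
FROM_R1 = BgpPath("192.168.0.0/16", (65001, 65002), med=200, via="router-1")
FROM_R2 = BgpPath("192.168.0.0/16", prepend_as_path((65001, 65002), 1), med=300, via="router-2")
```

Note that in the inbound scenario the prepended path loses on AS path length before MED is ever consulted, which is exactly why the attribute order matters.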


About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.