
Working with BGP in AWS

Instructor: Mike Brown


The Border Gateway Protocol (BGP) is classed as an Exterior Gateway routing protocol. It is the protocol used on the internet backbone to keep internet routers up to date, and it is the protocol used by cloud providers such as AWS as the dynamic routing protocol for hybrid network connectivity.

For basic BGP connectivity you need a neighbor relationship to be formed between your on-premises router and the AWS VPN or Direct Connect connection. Unique ASNs for the two ends of the connection are used to create the neighbor relationship.

Regarding ASNs, you can accept the numbers assigned by AWS or you can configure your own. ASNs are assigned from public ranges, which you must own, or private ranges, which anybody can use. Most organizations integrating with AWS use private ASNs from the range 64512 to 65534.

You have to configure your on-premises device, but essentially, for a basic relationship, that is it:

  • Get your ASNs correct

  • Configure dynamic routing on your AWS customer gateway and VPN or Direct Connect connection

  • Configure your on-premises device
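A pre-flight check for the three steps above, added here as an example and not code from the lesson: it validates that both ASNs fall in the private range the lesson cites (or in a set of public ASNs you own) and that the two ends differ, then assembles the parameters for the AWS-side API calls (`create_vpn_gateway`, `create_customer_gateway`, `create_vpn_connection`) with dynamic routing enabled. The ASNs, public IP and gateway ids in it are constructed placeholders; the script only builds the parameters and does not call AWS.

```python
"""Pre-flight ASN check and request parameters for a BGP (dynamic routing)
Site-to-Site VPN to AWS.

Added example, not code from the lesson. The ASNs, public IP and gateway ids
are constructed placeholders. The three operations named in build_requests
are real EC2 API calls (boto3 client method names), but this script only
assembles their parameters; it never contacts AWS.
"""
from typing import Dict, FrozenSet, List

PRIVATE_ASN_RANGE = range(64512, 65535)  # 64512..65534 inclusive, the range the lesson cites
MAX_ASN = 4_294_967_295                   # largest 4-byte ASN BGP allows


def asn_problems(customer_asn: int, amazon_asn: int,
                 owned_public_asns: FrozenSet[int] = frozenset()) -> List[str]:
    """Return the configuration mistakes that stop a neighbour relationship forming.

    Checks: each ASN is valid, each is private (or a public ASN you own), and the
    two ends differ (the lesson requires a unique ASN per end). Empty list = OK.
    """
    problems = []
    for label, asn in (("customer", customer_asn), ("amazon", amazon_asn)):
        if not 1 <= asn <= MAX_ASN:
            problems.append(f"{label} ASN {asn} is not a valid ASN")
        elif asn not in PRIVATE_ASN_RANGE and asn not in owned_public_asns:
            problems.append(f"{label} ASN {asn} is public and not one you own")
    if customer_asn == amazon_asn:
        problems.append("both ends of the neighbour relationship need distinct ASNs")
    return problems


def build_requests(customer_asn: int, amazon_asn: int,
                   customer_public_ip: str) -> Dict[str, dict]:
    """Parameters for the AWS-side steps of the lesson's basic deployment."""
    problems = asn_problems(customer_asn, amazon_asn)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        # Virtual private gateway: the AWS end of the BGP session. Setting
        # AmazonSideAsn is how you choose your own ASN instead of accepting
        # the one AWS assigns.
        "create_vpn_gateway": {"Type": "ipsec.1", "AmazonSideAsn": amazon_asn},
        # Customer gateway: the on-premises end. BgpAsn is the ASN your device uses.
        "create_customer_gateway": {"Type": "ipsec.1",
                                    "PublicIp": customer_public_ip,
                                    "BgpAsn": customer_asn},
        # VPN connection: StaticRoutesOnly=False is what turns on dynamic (BGP)
        # routing. The gateway ids come from the two responses above; the
        # values here are placeholders.
        "create_vpn_connection": {"Type": "ipsec.1",
                                  "CustomerGatewayId": "<cgw-id placeholder>",
                                  "VpnGatewayId": "<vgw-id placeholder>",
                                  "Options": {"StaticRoutesOnly": False}},
    }


if __name__ == "__main__":
    # Constructed sample values: a private customer ASN, a private Amazon-side
    # ASN, and a documentation-range public IP for the on-premises device.
    for op, kwargs in build_requests(65001, 64512, "203.0.113.10").items():
        print(op, kwargs)
    print(asn_problems(65001, 65001))
```

Each dict is written as the keyword arguments of the matching boto3 `ec2` client call, so the output can be passed straight to `boto3.client("ec2")` once the placeholder ids are replaced with the ids returned by the first two calls.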

For more complex deployments you might want to customize your BGP deployment. There is little you can do on the AWS side of the relationship, but on your device you can configure BGP attributes that tune your BGP relationship with AWS and allow you to influence the path that IP packets take.

Attributes such as:

  • Local Preference

  • AS Path Length

  • MED

Local Preference

Local Preference is a value shared between your own BGP routers; it is not shared with your neighbors. Local Preference influences your path out of your Autonomous System (AS) to a remote network. It is particularly useful when you have multiple paths to a destination and you want traffic to leave over a specific path. Local Preference values are assigned to prefixes, and the higher the value, the more preferred the path is.

AS Path Length

When sharing prefixes with BGP neighbors, we share the AS numbers that have passed that prefix along. These AS numbers form a list, so a prefix that has been through two autonomous systems might be advertised as coming from AS65001:AS65002.

If it has come through three autonomous systems, it might be advertised as coming from AS65001:AS65002:AS65003.

If a BGP device has two paths to a remote network, it might prefer the path through the fewest autonomous systems.

When working with BGP we can use AS Path Prepending: padding the AS Path before advertising a prefix to a neighbor, which can influence that neighbor's decision on how to reach a particular remote network. So a prefix that has come through two autonomous systems, such as AS65001:AS65002, can be padded to make it look less desirable.

When advertised by our BGP devices we might advertise the prefix as coming from AS65001:AS65001:AS65002 instead of AS65001:AS65002, making the path seem less desirable to a remote BGP router.

Multi-exit Discriminator

Multi-Exit Discriminator (MED) can help you influence how your BGP neighbors route traffic into your AS. You advertise a MED value from your BGP devices to a neighbor such as AWS.

If you advertise a MED of 200 from one of your BGP devices and a MED of 300 from another, the path using the lowest MED is preferred.

BGP attributes are assessed in order; not all are required, and there are many more than are listed here. Using the three attributes covered here, the order of preference, and therefore the order in which the attributes are used to make a routing decision, is:

  1. Local Preference

  2. AS Path Length

  3. MED

These attributes are important to get right if you have multiple paths to AWS, or if you have BGP relationships with other cloud providers or internet organizations. If you have a single path to AWS, then a basic BGP deployment will suffice.
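The path selection described in this section and the AS Path Prepending example earlier, as an added simulator that is not part of the lesson: it evaluates Local Preference, AS Path Length and MED in the order given above, reports which attribute decided the outcome, and shows the lesson's prepending case (AS65001:AS65002 padded to AS65001:AS65001:AS65002) flipping the neighbor's choice. All prefixes, ASNs, link labels and attribute values are constructed sample data, and the candidate paths are assumed to come from the same neighboring AS, which is the case in which MED is compared by default.

```python
"""BGP best-path selection for the three attributes the lesson covers.

Added example, not the lesson's own code. The prefix, ASNs, link labels and
attribute values are constructed sample data. Only Local Preference, AS Path
Length and MED are modelled, in the lesson's order; real BGP implementations
evaluate further attributes, and by default compare MED only between paths
learned from the same neighbouring AS, which all candidates here are assumed
to be.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    via: str                       # label for the link the path exits on, e.g. "vpn" or "dx"
    local_pref: int = 100          # local to our AS, never advertised; higher is preferred
    as_path: Tuple[int, ...] = ()  # ASNs the prefix has passed through, most recent first
    med: int = 0                   # advertised to neighbours; lower is preferred


# Attribute order from the lesson. Each key is written so that the smallest
# value is the most preferred, which keeps the elimination loop uniform.
ATTRIBUTE_ORDER: Tuple[Tuple[str, Callable[[Route], int]], ...] = (
    ("local_pref", lambda r: -r.local_pref),
    ("as_path_len", lambda r: len(r.as_path)),
    ("med", lambda r: r.med),
)


def select_best(routes: Iterable[Route]) -> Tuple[Route, str]:
    """Return the preferred route and the name of the attribute that decided it."""
    candidates = list(routes)
    if not candidates:
        raise ValueError("no candidate routes")
    for name, key in ATTRIBUTE_ORDER:
        best = min(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == best]
        if len(candidates) == 1:
            return candidates[0], name
    # Everything the lesson covers is equal; a real router would continue with
    # further tie-breakers, here we simply report the tie.
    return candidates[0], "tie"


def prepend(route: Route, asn: int, times: int = 1) -> Route:
    """AS Path Prepending: pad the path with extra copies of our own ASN so it
    looks longer, and therefore less desirable, to the neighbour we advertise to."""
    return replace(route, as_path=(asn,) * times + route.as_path)


PREFIX = "10.20.0.0/16"  # constructed sample prefix


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Map each scenario to (chosen link, deciding attribute)."""
    results = {}
    # 1. Local Preference is checked first, so the VPN path wins even though
    #    the Direct Connect path passes through fewer autonomous systems.
    over_vpn = Route(PREFIX, "vpn", local_pref=200, as_path=(65001, 65002, 65003))
    over_dx = Route(PREFIX, "dx", local_pref=100, as_path=(65001, 65002))
    results["local_pref"] = select_best([over_vpn, over_dx])
    # 2. Equal Local Preference: the shorter AS path wins.
    results["as_path"] = select_best([replace(over_vpn, local_pref=100), over_dx])
    # 3. Equal Local Preference and path length: the lower MED wins, using the
    #    lesson's figures of 200 and 300 from two devices in the same AS.
    dev_a = Route(PREFIX, "device-a", as_path=(65001, 65002), med=200)
    dev_b = Route(PREFIX, "device-b", as_path=(65001, 65002), med=300)
    results["med"] = select_best([dev_a, dev_b])
    # 4. Prepending: pad device-a's path with one extra copy of AS65001 and the
    #    neighbour now prefers device-b on AS Path Length, before MED is consulted.
    results["prepended"] = select_best([prepend(dev_a, 65001), dev_b])
    return {name: (route.via, why) for name, (route, why) in results.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>11}: chose {outcome[0]!r} on {outcome[1]}")
```

The elimination loop is the point of the example: each attribute only ever narrows the set of paths that tied on the attributes before it, which is why a lower MED on one device cannot rescue a path that has already lost on Local Preference or AS Path Length.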

Difficulty
Intermediate
Duration
2h 45m
Description

This course covers the core learning objectives needed to meet the requirements of the 'Designing Secure Solutions in AWS - Level 2' skill.

Learning Objectives:

  • Analyze the available options to secure credentials using features of AWS Identity and Access Management (IAM)
  • Evaluate the appropriate routing mechanism to securely access AWS service endpoints or internet-based resources from an Amazon VPC
  • Evaluate the appropriate encryption options available for data in transit and when at rest across AWS services
  • Evaluate the most appropriate key management service and options based on business requirements and governance controls


About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.