Configuring BGP over AWS Direct Connect
"A comprehensive tutorial on establishing resilient Border Gateway Protocol (BGP) routing across an AWS Direct Connect virtual interface."
Welcome to this comprehensive tutorial. In enterprise hybrid-cloud deployments, AWS Direct Connect (DX) provides a dedicated network connection between your premises and AWS. However, physical connectivity is only half the battle. To dynamically route traffic, we must configure BGP (Border Gateway Protocol).
1. Executive Summary
In this guide, we will walk through the exact steps required to bring up a BGP peering session over an 802.1Q VLAN across an AWS DX Virtual Interface (VIF).
Here is a quick look at the core BGP capabilities we will leverage:
| Feature | Description | Benefit |
|---|---|---|
| Local Preference | Influences outbound traffic from AWS. | Deterministic routing. |
| AS-PATH Prepending | Influences inbound traffic from AWS. | Active/Passive failover. |
| BFD | Bidirectional Forwarding Detection. | Sub-second failover. |
2. Configuration on Customer Edge (Cisco)
Let's assume your on-premises router is a Cisco ASR. We need to assign the appropriate 802.1Q VLAN tag to a subinterface and establish the BGP neighbor relationship with the Amazon router. First, let's verify our interface status:
Verifying the physical uplink to the DX location:

```
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/1   unassigned      YES NVRAM  up                    up
```
Excellent, the physical port is up. Next, we configure the BGP router process. We will use ASN 65000 for our datacenter and the Amazon side uses 64512.
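The customer-edge configuration that this walkthrough does not show, added here as an example (it is not code from the original page or from AWS documentation). The ASN values, router ID and neighbor address match the show output in this section; VLAN 101, the customer peer address 169.254.255.2/30, the VPC CIDR 10.1.0.0/16, the on-premises aggregate 192.168.0.0/16 and the MD5 key are assumed placeholder values.

```cisco
! Assumed values: VLAN 101, customer peer 169.254.255.2/30, VPC CIDR 10.1.0.0/16,
! on-premises aggregate 192.168.0.0/16, MD5 key placeholder from the DX console.
interface GigabitEthernet0/0/1.101
 description Private VIF to AWS DX (802.1Q VLAN 101, assumed)
 encapsulation dot1Q 101
 ip address 169.254.255.2 255.255.255.252
 ! BFD timers: 300 ms tx/rx with multiplier 3 gives roughly 900 ms detection
 bfd interval 300 min_rx 300 multiplier 3
!
! Anchor the aggregate in the RIB so the BGP network statement is installed
ip route 192.168.0.0 255.255.0.0 Null0 250
!
! Accept only the VPC CIDR from AWS; anything else (including a default) is dropped
ip prefix-list AWS-IN seq 10 permit 10.1.0.0/16
! Advertise only the on-premises aggregate so internal routes cannot leak to AWS
ip prefix-list ONPREM-OUT seq 10 permit 192.168.0.0/16
!
route-map AWS-IN permit 10
 match ip address prefix-list AWS-IN
route-map ONPREM-OUT permit 10
 match ip address prefix-list ONPREM-OUT
!
router bgp 65000
 bgp router-id 10.0.0.1
 ! Log session flaps so a neighbor going down is visible in syslog
 bgp log-neighbor-changes
 neighbor 169.254.255.1 remote-as 64512
 neighbor 169.254.255.1 description AWS DX private VIF peer
 ! MD5 authentication key is taken from the VIF details; placeholder here
 neighbor 169.254.255.1 password BGP_MD5_KEY_PLACEHOLDER
 ! Tear the session down on BFD failure instead of waiting for the hold timer
 neighbor 169.254.255.1 fall-over bfd
 !
 address-family ipv4
  network 192.168.0.0 mask 255.255.0.0
  neighbor 169.254.255.1 activate
  neighbor 169.254.255.1 route-map AWS-IN in
  neighbor 169.254.255.1 route-map ONPREM-OUT out
  ! Shut the session if AWS ever sends far more prefixes than expected
  neighbor 169.254.255.1 maximum-prefix 100
  ! Keep a copy of received routes so inbound policy changes can be checked
  neighbor 169.254.255.1 soft-reconfiguration inbound
 exit-address-family
```

Inbound and outbound prefix filtering plus the maximum-prefix limit are the parts worth keeping even in a lab: they bound what a misconfigured or compromised peer can inject into either side's routing table.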
Verifying the BGP neighbor state after configuration:

```
BGP router identifier 10.0.0.1, local AS number 65000
BGP table version is 12, main routing table version 12
1 network entries using 248 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.255.1   4 64512    4133    4131       12    0    0 2d19h           1
```
A number in the State/PfxRcd column (here 1) means the session is Established and we are successfully receiving 1 prefix (your VPC CIDR) from AWS. If that column shows a word such as Idle or Active instead, the session is not up and the neighbor configuration, VLAN tag or MD5 key should be checked.
3. Conclusion
By leveraging BGP over DX, you ensure that any new subnets added to your AWS VPC are automatically advertised to your datacenter without requiring manual static route updates.
Advanced High Availability Design over Direct Connect
Designing a redundant cloud connectivity architecture using BGP and AWS Direct Connect requires detailed attention to routing configuration and failover mechanisms:
- Active-Active Routing: Configure dual Direct Connect links, using BGP Multi-Exit Discriminators (MED) and AS-PATH prepending to distribute traffic symmetrically across both paths.
- Failover Validation: Implement Bidirectional Forwarding Detection (BFD) over the eBGP sessions to achieve sub-second routing convergence during link-down events.
- Backup VPN Configuration: Deploy a secure IPsec VPN over the public internet as a backup connection, using a lower BGP local preference to ensure it only carries traffic if both physical Direct Connect links fail.
By following these design criteria, enterprise hybrid architectures can achieve maximum reliability and eliminate single points of failure for critical on-premises to AWS traffic.
References & Official Docs
- AWS Direct Connect User Guide
- BGP Best Path Selection Algorithm