Tutorial / Cram Notes
In Amazon Web Services (AWS), a route table contains a set of rules called routes that determine where network traffic from your subnet or gateway is directed. Every subnet in a VPC must be associated with a route table, which controls the routing for the subnet. A VPC automatically comes with a default route table that can be modified or replaced.
Automatic Route Propagation:
With Virtual Private Gateways (VGW) and Virtual Private Networks (VPN) connections, AWS offers a feature called automatic route propagation. When enabled, this feature automatically adds routes for the VPN connections to the route table specified, which simplifies the management of the routes in dynamic network environments.
| Destination | Target |
|---|---|
| 0.0.0.0/0 | igw-xxx |
| 10.0.0.0/16 | local |
| 172.16.0.0/12 | vgw-yyy |
In this example, traffic intended for the internet (“0.0.0.0/0”) is directed to an internet gateway (igw), whereas traffic for the local VPC (“10.0.0.0/16”) is kept within the VPC. The traffic for the remote network over the VPN (“172.16.0.0/12”) is directed to the virtual private gateway (vgw).
BGP and AWS Route Tables:
When dealing with Border Gateway Protocol (BGP) in AWS, route tables work alongside BGP advertised routes. BGP is used in AWS Direct Connect and VPN connections to exchange routing information between your VPC and your on-premises network.
In the AWS environment, BGP can automatically propagate routes to your route tables. This means that when your customer gateway or AWS Direct Connect advertises new routes, the VPC route tables can dynamically update if so configured, to reflect these changes.
Real-World Scenario Example:
Let’s consider a scenario where an enterprise has a corporate data center connected to an AWS VPC via an AWS Direct Connect (DX) connection. The enterprise wants to ensure that all traffic to their on-premises data center uses the DX connection, while the internet-bound traffic should go through the internet gateway.
| Destination | Target |
|---|---|
| 0.0.0.0/0 | igw-xxx |
| 192.168.0.0/16 | dx-gw-aaa |
Here, “igw-xxx” represents the internet gateway, and “dx-gw-aaa” represents the Direct Connect gateway. Any traffic bound for the internet uses the default route (“0.0.0.0/0”), which points to the internet gateway. Meanwhile, traffic that’s destined for the in-house data center’s network (“192.168.0.0/16”) uses the DX connection.
By implementing appropriate routing policies and leveraging AWS features such as automatic route propagation and BGP support, network administrators can achieve robust network designs. These are well-suited for the types of hybrid environments and complex routing scenarios that might be encountered on the AWS Certified Advanced Networking – Specialty (ANS-C01) exam.
Understanding these concepts will help you in case-study questions where you are asked to design a network that meets certain criteria or troubleshoot issues related to incorrect routing. It is also important to note that route table limits per VPC, route propagation settings, and BGP configurations must adhere to the AWS specific best practices for a well-architected framework.
Practice Test with Explanation
True or False: Route tables are used to determine where network traffic from your VPC is directed.
- (A) True
- (B) False
Answer: A
Explanation: Route tables are used within a VPC to determine where network traffic is directed based on the destination IP address.
Which of the following can be a destination for a VPC route table entry?
- (A) A specific IP address
- (B) An IP address range
- (C) A peered VPC
- (D) An internet gateway
- (E) All of the above
Answer: E
Explanation: A VPC route table can direct traffic to various destinations including a specific IP address, an IP address range, a peered VPC, or an internet gateway.
True or False: Every subnet in a VPC must be associated with a route table, but it can be the main route table or a custom route table.
- (A) True
- (B) False
Answer: A
Explanation: Each subnet in a VPC must be associated with a route table, which can be either the main route table that comes with the VPC or a custom route table that you create.
When enabling route propagation in a VPC, which of the following AWS services can automatically update route tables?
- (A) AWS Direct Connect
- (B) Elastic Load Balancing
- (C) Amazon S3
- (D) AWS VPN Connection
Answer: D
Explanation: Enabling route propagation allows AWS VPN Connections to automatically update route tables with routes to the VPN-connected networks.
Which AWS service below uses BGP to exchange routing information for the internet?
- (A) AWS Direct Connect
- (B) Amazon Route 53
- (C) Amazon VPC
- (D) AWS Transit Gateway
Answer: A
Explanation: AWS Direct Connect uses BGP to exchange routing information with your network for both public and private routes.
True or False: Automatic propagation of routes is available for VPC peering connections.
- (A) True
- (B) False
Answer: B
Explanation: Automatic propagation of routes is not available for VPC peering connections. Routes to peered VPCs need to be manually entered in the route tables.
Which of the following is not an attribute of a route in a route table?
- (A) Destination CIDR block
- (B) Target gateway
- (C) Propagation status
- (D) Instance type
Answer: D
Explanation: Instance type is not an attribute of a route in a route table. The key attributes include the destination CIDR block, target gateway, and optionally, the propagation status if route propagation is used.
True or False: Border Gateway Protocol (BGP) is only used in AWS for external routing purposes.
- (A) True
- (B) False
Answer: B
Explanation: While BGP is primarily used for external routing, AWS also uses it internally for services like AWS Transit Gateway, which can connect VPCs, AWS Direct Connect gateways, and VPNs.
In AWS, how many route tables can be associated with a subnet at one time?
- (A) One
- (B) Two
- (C) Three
- (D) Unlimited
Answer: A
Explanation: A subnet can only be associated with one route table at a time in AWS.
True or False: When associated with an internet gateway, a route table does not require a route for local VPC traffic.
- (A) True
- (B) False
Answer: B
Explanation: A route table requires at least two types of routes: one for local VPC traffic (to ensure instances within the VPC can communicate) and one for the internet gateway (if the VPC will communicate with the internet).
Which of the following route targets allows traffic to flow from a VPC to the internet?
- (A) Virtual Private Gateway (VGW)
- (B) VPC Peering Connection
- (C) Internet Gateway (IGW)
- (D) Network Interface (ENI)
Answer: C
Explanation: The Internet Gateway (IGW) target in a route table entry enables traffic to flow from the VPC to the internet.
True or False: A more specific CIDR (Classless Inter-Domain Routing) block in a route table always takes precedence over a less specific CIDR block when determining the path for network traffic.
- (A) True
- (B) False
Answer: A
Explanation: In route tables, AWS uses the most specific route that matches the traffic (longest prefix match). Therefore, a more specific CIDR block takes precedence over a less specific one when directing traffic.
Interview Questions
What is the purpose of a route table in AWS, and how does it contribute to directing traffic within a VPC?
The purpose of a route table in AWS is to define rules, known as routes, that determine where network traffic from subnets or the VPC itself should be directed. Each subnet in a VPC must be associated with a route table, which tells the network how to handle traffic coming from and going to different IP addresses. Route tables help in setting up public and private subnets by controlling the flow of traffic to and from the internet or between the subnets.
Can you explain how to automatically propagate routes to a route table in an AWS VPC?
Automatic route propagation is done by enabling a Virtual Private Gateway (VGW) or a Direct Connect Gateway (DXGW) associated with a VPN connection or AWS Direct Connect to automatically update the VPC route tables. When you enable route propagation, the gateway propagates routes from the BGP advertisements, typically from on-premises networks, to your VPC route tables. You enable it by editing the route table and turning on the route propagation setting for the chosen VGW or DXGW.
Describe BGP and its role in managing traffic routes within AWS Direct Connect.
BGP, or Border Gateway Protocol, is the standard routing protocol used to exchange routing information over the internet and between different networks. Within AWS Direct Connect, BGP is used to exchange routing information between the AWS network and a customer’s on-premises network. It ensures that data transferred over Direct Connect uses the most efficient routes, and it allows for dynamic updates if network changes occur.
What is the difference between static and dynamic routes in AWS route tables, and when would you use each type?
Static routes are fixed paths that a network administrator manually sets up in the route table to direct traffic to a specific destination. They do not change unless manually updated. Dynamic routes, on the other hand, are automatically adjusted by the routing protocol in response to changes in the network, such as BGP. Static routes are typically used in simple or controlled environments with predictable traffic, while dynamic routes are preferred in complex, evolving environments for more flexibility and automation.
What metrics are used by BGP to determine the best path for data to travel across the internet or AWS network?
BGP uses attributes called path attributes, the most important of which are the following:
- AS_PATH: The sequence of AS (Autonomous System) numbers traffic will pass through, preferring shorter paths.
- NEXT_HOP: Determines the next router to which traffic is sent.
- LOCAL_PREF: Indicates the preference for a route within an AS; routes with a higher local preference are preferred.
- MULTI_EXIT_DISC (MED): Suggests to external AS the preferred entry point into an AS.
BGP uses these attributes to make informed decisions on choosing the best path for routing traffic.
How does AWS allow you to influence the BGP route selection process when using AWS Direct Connect?
AWS allows you to influence the BGP route selection process by using BGP attributes such as AS_PATH prepending, LOCAL_PREF, and MED. When configuring your BGP on AWS Direct Connect, you can set these attributes to manipulate the route priority and help BGP choose a particular path over another.
What is an IP prefix list in AWS, and how can it be utilized in conjunction with route tables?
An IP prefix list in AWS is a set of IP address ranges that can be used to filter traffic by matching IP address ranges in route tables or network ACLs. Prefix lists can be used to specify allowed or denied CIDR blocks, thus simplifying the management of access control and routing policies, particularly when dealing with multiple CIDR blocks.
Can you explain the concept of “most specific route” in AWS route tables and why it is important?
The “most specific route” in AWS route tables refers to the route with the longest subnet mask, or the smallest address range, that matches the destination IP address. This is important because AWS uses the longest prefix match rule when deciding which route to use for traffic. The most specific route is preferred as it is assumed to be the best path to reach the specific destination.
How does AWS ensure redundancy and failover for network traffic using route tables?
AWS ensures redundancy and failover by allowing multiple routes to be specified in the route tables for the same destination with different targets. AWS Route 53 can also be used in conjunction with health checks to route traffic away from unhealthy endpoints. Additionally, AWS Transit Gateway supports Equal-Cost Multi-Path routing (ECMP) for VPN connections, enabling you to use multiple paths to your on-premises network for failover and load balancing.
What are the implications of modifying a route table associated with a subnet that is currently in use in AWS?
Modifying a route table associated with a subnet currently in use can impact the flow of traffic to and from instances in the subnet. Changes can potentially lead to traffic being routed incorrectly, causing disruptions or security issues. It is important to thoroughly understand the implications and to plan changes carefully, considering all the dependencies and potential impacts.
When setting up BGP peering for AWS Direct Connect, what are the necessary steps for ensuring secure communication?
For ensuring secure BGP communication, you need to:
- Exchange public BGP router IPs between your network and AWS.
- Share BGP Autonomous System Numbers (ASN).
- Establish a BGP session on both ends.
- Use MD5 authentication for the BGP session.
- Optionally, filter traffic using prefix lists or route-maps.
- Ensure appropriate routing policies are in place to prevent potential routing issues.
Can you explain how route summarization in BGP affects AWS networking infrastructure and why it might be beneficial?
Route summarization in BGP involves consolidating a group of IP prefixes into a single, broader IP prefix. This reduces the number of routes that must be advertised, which simplifies the BGP table and can improve network performance and scalability. In an AWS context, summarization can minimize route propagation to the VPC route tables, leading to more manageable and efficient routing for AWS resources.
Great blog post! I’ve been struggling with understanding BGP and this made it much clearer.
Can someone explain how automatic propagation works in route tables?
Does using BGP have any impact on network latency?
I appreciate the detailed explanation on route tables. Very helpful!
How do I troubleshoot if route propagation isn’t working as expected?
Can someone clarify the difference between static routing and dynamic routing in AWS?
This tutorial really helped me prepare for the ANS-C01 exam. Thanks!
Why use BGP over static routes in AWS?