I've configured a redundant site-to-site VPN between AWS and GCP with 2 VPN connections, 4 tunnels and BGP dynamic routing. Everything works, all good, servers on both sides of the tunnels can reach each other.

I did that using Terraform, and on the GCP side I configured advertisement of all subnets:

# Enclosing resource block restored for context; the resource label is assumed.
resource "google_compute_router" "gcp_to_aws_router" {
  name    = "gcp-to-aws-router"
  project = google_project.aws_gcp_test.project_id
  region  = var.gcp_region
  network = google_compute_network.gcp_aws_vpc.name
  bgp {
    asn               = var.gcp_bgp_asn
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
  }
}

Then on AWS I haven't done anything specific to advertise routes; I have only enabled route propagation on the routing table where my server is located. I haven't explicitly added any routes nor announced the subnets used on both sides of the tunnel by my servers. I've only enabled route propagation on the AWS side.

resource "aws_vpn_gateway_route_propagation" "this" {
  vpn_gateway_id = aws_vpn_gateway.aws_vpg.id
  route_table_id = aws_route.internet_gw_route.route_table_id
}

In here the documentation states that:

You can enable route propagation for your route table to automatically propagate your network routes to the table for you.

Nothing about advertisement of local routes to BGP.

I can't understand how routes from AWS end up on the GCP side. How does that work? :)

Thanks a lot!

Dmitry
  • Route propagation is one of the primary reasons BGP was developed. I would expect the AWS routes to be forwarded to the GCP side and vice versa without doing anything special. It is only when you have **custom/best** routes do you need to advertise them. Routes do take time to propagate, sometimes many minutes. Advertising can speed this process up. – John Hanley Apr 26 '22 at 22:26
  • Thank you John, but how will AWS decide which routes to add to BGP? All routes available in the VPC in which the Virtual Gateway is created, or is there any other mechanism? – Dmitry Apr 27 '22 at 00:17
  • For the most part, BGP takes care of everything for you. Route selection, forwarding, and advertising can be complicated. In summary, BGP makes routing decisions based on paths, defined by rules or network policies set by network administrators. Each router maintains a routing table controlling how packets are directed. Routing table information is generated by the BGP process on the router, based on incoming information from other routers, and information in the BGP routing information base (RIB), which is a data table stored on a server on the BGP router. There are good books for BGP. – John Hanley Apr 27 '22 at 00:45
  • Another concept to understand: ASN - Autonomous System Numbers. AWS maintains the RIB for AWS networks (ASNs). All other networks are usually "discovered" or defined by rules/policies. – John Hanley Apr 27 '22 at 00:48
  • All this gets even more complicated when you factor in that destinations usually have more than one route and each route can have a different cost. Routes can fail and come online. BGP routers constantly exchange messages to keep routing functional. – John Hanley Apr 27 '22 at 00:51
  • Thanks a lot for the explanation, John! It became a bit more clear now, looks like I need to read up on how BGP works to understand it better :) – Dmitry Apr 28 '22 at 22:21

1 Answer

When you attach a Virtual Private Gateway (VGW) to your VPC, and you have a Dynamic VPN (the one that uses BGP), AWS will advertise all VPC CIDRs to your Customer Gateway (CGW).

AWS advertises the VPC CIDRs, not routes from an individual Route Table.

If your VPC has CIDR 10.10.0.0/16, your CGW will get this CIDR as an advertised route.

As you can have up to 5 CIDRs configured on your VPC, every time you add a new CIDR AWS will advertise it as well.

Azize
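One way to verify the answer's claim on a running deployment, that the prefixes the GCP Cloud Router learns over BGP are exactly the CIDRs associated with the AWS VPC, is to diff the two sets. This is an added Python example, not code from the question or answer; the JSON layouts are assumptions modelled on `gcloud compute routers get-status --format=json` and `aws ec2 describe-vpcs` output, and all prefixes and IDs are constructed sample data.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute routers get-status --format=json`
# (assumed layout: result.bestRoutesForRouter[].destRange / nextHopIp / routeType).
GCLOUD_ROUTER_STATUS = json.dumps({"result": {"bestRoutesForRouter": [
    {"destRange": "10.10.0.0/16", "nextHopIp": "169.254.20.1", "routeType": "BGP"},
    {"destRange": "10.10.0.0/16", "nextHopIp": "169.254.21.1", "routeType": "BGP"},
    {"destRange": "10.11.0.0/16", "nextHopIp": "169.254.20.1", "routeType": "BGP"},
    {"destRange": "192.168.99.0/24", "nextHopIp": "169.254.21.1", "routeType": "BGP"},
]}})

# Constructed sample in the shape of `aws ec2 describe-vpcs` for the VPC the VGW is attached to.
AWS_DESCRIBE_VPCS = json.dumps({"Vpcs": [{"VpcId": "vpc-EXAMPLE", "CidrBlockAssociationSet": [
    {"CidrBlock": "10.10.0.0/16", "CidrBlockState": {"State": "associated"}},
    {"CidrBlock": "10.11.0.0/16", "CidrBlockState": {"State": "associated"}},
    {"CidrBlock": "10.12.0.0/16", "CidrBlockState": {"State": "disassociated"}},
]}]})


def learned_prefixes(router_status_json):
    """Unique BGP prefixes GCP learned; one prefix seen over several tunnels counts once."""
    routes = json.loads(router_status_json)["result"]["bestRoutesForRouter"]
    return {ipaddress.ip_network(r["destRange"]) for r in routes if r.get("routeType") == "BGP"}


def vpc_prefixes(describe_vpcs_json):
    """CIDRs currently associated with the VPC: the set the VGW advertises over BGP."""
    prefixes = set()
    for vpc in json.loads(describe_vpcs_json)["Vpcs"]:
        for assoc in vpc["CidrBlockAssociationSet"]:
            if assoc["CidrBlockState"]["State"] == "associated":
                prefixes.add(ipaddress.ip_network(assoc["CidrBlock"]))
    return prefixes


def compare(router_status_json, describe_vpcs_json):
    """Return (missing, unexpected) as sorted CIDR strings: VPC CIDRs GCP never learned,
    and learned prefixes no VPC CIDR accounts for, which merit a look on a site-to-site link."""
    learned = learned_prefixes(router_status_json)
    expected = vpc_prefixes(describe_vpcs_json)
    return sorted(map(str, expected - learned)), sorted(map(str, learned - expected))


if __name__ == "__main__":
    missing, unexpected = compare(GCLOUD_ROUTER_STATUS, AWS_DESCRIBE_VPCS)
    print("missing:", missing, "unexpected:", unexpected)
```

With the sample data both associated VPC CIDRs are learned once each despite arriving over two tunnels, the disassociated CIDR is correctly not expected, and the stray 192.168.99.0/24 prefix is reported as unexpected.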