

# Advanced routing in your VPC
<a name="advanced-routing"></a>

Configure advanced routing scenarios for your VPC. This section covers both static and dynamic routing approaches for managing traffic flow:
+ **Static ingress routing**: Configure static routes to direct inbound internet traffic destined for your BYOIP (Bring Your Own IP) address pools to specific network interfaces within your VPC.
+ **Dynamic routing with VPC Route Server**: Use BGP-based dynamic routing to automatically update VPC and internet gateway route tables, providing fault tolerance and automatic failover for your workloads.

**Topics**
+ [Route internet traffic to a single network interface](igw-ingress-routing.md)
+ [Dynamic routing in your VPC using VPC Route Server](dynamic-routing-route-server.md)

# Route internet traffic to a single network interface
<a name="igw-ingress-routing"></a>

You can route inbound internet traffic destined for large pools of public IP addresses to a single elastic network interface (ENI) in your VPC.

Previously, internet gateways only accepted traffic destined for public IP addresses that were directly associated with network interfaces in the VPC. Instance types have limits on the number of IP addresses that can be associated with network interfaces, creating challenges for industries like Telecommunications and Internet of Things (IoT) that need to handle traffic for IP pools larger than these limits.

This routing eliminates complex address translation on inbound internet connections. You can bring your own public IP pools (BYOIP) and configure your VPC internet gateway to accept and route traffic for the entire pool to a single network interface. This feature is particularly valuable for:
+ **Telecommunications**: Managing large subscriber IP pools without address translation overhead
+ **IoT applications**: Consolidating traffic from thousands of device IP addresses
+ **Other workloads**: Any scenario that requires routing traffic for more addresses than can be associated with a network interface

You can integrate this routing with VPC Route Server for dynamic route updates during failover scenarios.

**Key benefits**  
This routing approach provides the following benefits:
+ **No address translation required**: Direct routing eliminates NAT complexity
+ **Bypass ENI limits**: Handle IP pools larger than instance association limits
+ **Industry-optimized**: Purpose-built for Telco and IoT requirements
+ **Dynamic failover**: Integrates with Route Server for automatic updates

**Availability**  
You can use this feature in all AWS commercial regions, AWS China regions, and AWS GovCloud regions.

**Topics**
+ [Before you begin](#before-you-begin)
+ [How this feature works](#how-this-feature-works)
+ [Step 1: Create a VPC](#step-1-create-a-vpc)
+ [Step 2: Create and attach an internet gateway](#step-2-create-and-attach-an-internet-gateway)
+ [Step 3: Create a subnet for your target instance](#step-3-create-a-subnet)
+ [Step 4: Create a route table for the subnet](#step-4-create-a-route-table-for-the-subnet)
+ [Step 5: Create a security group for the target instance](#step-5-create-a-security-group)
+ [Step 6: Launch target EC2 instance](#step-6-launch-an-ec2-instance)
+ [Step 7: Create the internet gateway route table](#step-7-create-a-route-table-for-the-internet-gateway)
+ [Step 8: Associate the route table with the internet gateway](#step-8-associate-the-route-table-with-the-internet-gateway)
+ [Step 9: Associate your BYOIP pool with the internet gateway](#step-9-associate-your-byoip-pool-with-the-internet-gateway)
+ [Step 10: Add static route to target your instance](#step-10-add-static-route-to-target-your-instance)
+ [Step 11: Configure the target instance](#step-11-configure-the-target-instance)
+ [Step 13: Test connectivity](#step-13-test-connectivity)
+ [Troubleshooting](#troubleshooting)
+ [Advanced option: Route server integration for dynamic routing](#advanced-option-route-server-integration)
+ [Clean up](#clean-up)

## Before you begin
<a name="before-you-begin"></a>

Before starting this tutorial, ensure you have:

1. **A BYOIP pool**: You must have already brought your own IP address range to AWS. Complete the steps in [Bring your own IP addresses (BYOIP) in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html).

1. **Verify your BYOIP pool**: Confirm your pool is ready by running:

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-1
   ```

   Look for your pool in the output and ensure that `PoolAddressRanges` shows available addresses (a non-zero `AvailableAddressCount`).

1. **Appropriate permissions**: Ensure your AWS account has permissions to create VPC resources, EC2 instances, and manage BYOIP pools.

## How this feature works
<a name="how-this-feature-works"></a>

This section explains the technical concepts behind internet gateway ingress routing and how traffic flows from the internet to your target instance.

### Why use internet gateway ingress routing
<a name="why-use-internet-gateway-ingress-routing"></a>

Previously, you needed to perform address translation to consolidate traffic for large numbers of IP addresses due to ENI association limits. This enhancement removes that complexity by allowing direct routing of BYOIP pools to target instances.

### How the routing works
<a name="how-the-routing-works"></a>

This feature only works with the public IP CIDRs that you bring to AWS following the BYOIP process. The BYOIP process ensures that your account owns the public IP CIDR. Once you have the BYOIP public CIDR:

1. You associate this public IP address pool with an internet gateway route table. The internet gateway must already be associated with a VPC. This association allows the VPC to accept traffic destined for the IP CIDR. Ensure that the internet gateway has a dedicated route table that is not shared with any subnets.

1. Now that you have associated the BYOIP pool with the internet gateway route table, you can enter a route with a destination equal to the IP CIDR or a subset of it in the internet gateway route table. The target of this route would be the ENI where you want to route your traffic.

1. When your traffic destined for your BYOIP CIDR enters AWS, AWS looks at the internet gateway route table and accordingly routes traffic to the relevant VPC.

1. Inside the VPC, the internet gateway routes the traffic to the target ENI.

1. The target (an elastic network interface associated with your workload) processes the traffic.

**Best practices**
+ **Keep route tables separate**: The internet gateway route table must be dedicated only to the internet gateway. Do not associate this route table with any VPC subnets. Use separate route tables for subnet routing.
+ **Don't directly assign BYOIP IPs**: Do not associate public IP addresses from your BYOIP pool directly to EC2 instances or network interfaces. The internet gateway ingress routing feature routes traffic to instances without requiring direct IP association.

**Important**  
If you are using [VPC Block Public Access (BPA)](security-vpc-bpa.md), be aware that when BPA is enabled it blocks traffic to subnets that use ingress routing, even if you've set a subnet-level BPA exclusion. Subnet-level exclusions do not work for ingress routing. To allow ingress routing traffic with BPA enabled, do one of the following:  
+ Disable BPA completely, or
+ Use a VPC-level exclusion.

## Step 1: Create a VPC
<a name="step-1-create-a-vpc"></a>

Complete this step to create a VPC that will host your target instance and internet gateway.

**Note**  
Ensure you have not reached your VPC quota limit. For more information, see [Amazon VPC quotas](amazon-vpc-limits.md).

**AWS console**

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc).

1. On the VPC dashboard, choose **Create VPC**.

1. For **Resources to create**, choose **VPC only**.

1. For **Name tag**, enter a name for your VPC (for example, **IGW-Ingress-VPC**).

1. For **IPv4 CIDR block**, enter a CIDR block (for example, **10.0.0.0/16**).

1. Choose **Create VPC**.

**AWS CLI**

```
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=IGW-Ingress-VPC}]' --region us-east-1
```

## Step 2: Create and attach an internet gateway
<a name="step-2-create-and-attach-an-internet-gateway"></a>

Complete this step to create an internet gateway and attach it to your VPC to enable internet connectivity.

**AWS console**

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc).

1. In the VPC console, choose **Internet gateways**.

1. Choose **Create internet gateway**.

1. For **Name tag**, enter a name for your internet gateway (for example, **IGW-Ingress-Gateway**).

1. Choose **Create internet gateway**.

1. Select your internet gateway and choose **Actions**, **Attach to VPC**.

1. Select your VPC and choose **Attach internet gateway**.

**AWS CLI**

```
aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=IGW-Ingress-Gateway}]' --region us-east-1

aws ec2 attach-internet-gateway --internet-gateway-id igw-0123456789abcdef0 --vpc-id vpc-0123456789abcdef0 --region us-east-1
```

**Note**: Replace `igw-0123456789abcdef0` with the internet gateway ID returned by the first command, and `vpc-0123456789abcdef0` with the VPC ID from Step 1.

## Step 3: Create a subnet for your target instance
<a name="step-3-create-a-subnet"></a>

Complete this step to create a subnet where your target instance will be deployed.

**AWS console**

1. In the VPC console navigation pane, choose **Subnets**.

1. Choose **Create subnet**.

1. Under **VPC ID**, choose your VPC.

1. For **Subnet name**, enter a name (for example, **Target-Subnet**).

1. For **Availability Zone**, you can choose a Zone for your subnet, or leave the default **No Preference** to let AWS choose one for you.

1. For **IPv4 CIDR block**, select **Manual input** and enter a CIDR block (for example, **10.0.1.0/24**).

1. Choose **Create subnet**.

**AWS CLI**

```
aws ec2 create-subnet \
    --vpc-id vpc-0123456789abcdef0 \
    --cidr-block 10.0.1.0/24 \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Target-Subnet}]' \
    --region us-east-1
```

## Step 4: Create a route table for the subnet
<a name="step-4-create-a-route-table-for-the-subnet"></a>

Complete this step to create a route table for your subnet and associate it with the subnet.

**AWS console**

1. In the VPC console navigation pane, choose **Route tables**.

1. Choose **Create route table**.

1. For **Name**, enter a name for your route table (for example, **Target-Subnet-Route-Table**).

1. For **VPC**, choose your VPC.

1. Choose **Create route table**.

1. Select your route table and choose **Actions**, **Edit subnet associations**.

1. Select your subnet and choose **Save associations**.

**AWS CLI**

```
aws ec2 create-route-table \
    --vpc-id vpc-0123456789abcdef0 \
    --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Target-Subnet-Route-Table}]' \
    --region us-east-1

aws ec2 associate-route-table \
    --route-table-id rtb-0987654321fedcba0 \
    --subnet-id subnet-0123456789abcdef0 \
    --region us-east-1
```

## Step 5: Create a security group for the target instance
<a name="step-5-create-a-security-group"></a>

Complete this step to create a security group that will control network access to your target instance.

**AWS console**

1. In the VPC console navigation pane, choose **Security Groups**.

1. Choose **Create security group**.

1. For **Security group name**, enter a name (for example, **IGW-Target-SG**).

1. For **Description**, enter **Security group for IGW ingress routing target instance**.

1. For **VPC**, select your VPC.

1. To add inbound rules, choose **Inbound rules**. For each rule, choose **Add rule** and specify the following:
   + **Type**: All ICMP - IPv4, **Source**: 0.0.0.0/0 (for ping testing).
   + **Type**: SSH, **Port**: 22, **Source**: 0.0.0.0/0 (for EC2 Instance Connect).

1. Choose **Create security group**.

**Note**  
This security group opens SSH ports to all internet traffic for this tutorial. This tutorial is for educational purposes and should not be configured for production environments. In production, restrict SSH access to specific IP ranges.

**AWS CLI**

```
aws ec2 create-security-group \
    --group-name IGW-Target-SG \
    --description "Security group for IGW ingress routing target instance" \
    --vpc-id vpc-0123456789abcdef0 \
    --region us-east-1

aws ec2 authorize-security-group-ingress \
    --group-id sg-0123456789abcdef0 \
    --protocol icmp \
    --port -1 \
    --cidr 0.0.0.0/0 \
    --region us-east-1

aws ec2 authorize-security-group-ingress \
    --group-id sg-0123456789abcdef0 \
    --protocol tcp \
    --port 22 \
    --cidr 0.0.0.0/0 \
    --region us-east-1
```

## Step 6: Launch target EC2 instance
<a name="step-6-launch-an-ec2-instance"></a>

Complete this step to launch the EC2 instance that will receive traffic from your BYOIP pool.

**AWS console**

1. Open the [Amazon EC2 console](https://console.aws.amazon.com/ec2).

1. Choose **Launch instance**.

1. For **Name**, enter a name for your instance (for example, **IGW-Target-Instance**).

1. For **Application and OS Images (Amazon Machine Image)**, choose **Amazon Linux 2023 AMI**.

1. For **Instance type**, choose **t2.micro** (eligible for free tier).

1. For **Key pair (login)**, select an existing key pair or create a new one.

1. For **Network settings**, choose **Edit** and configure:
   + **VPC**: Select your VPC
   + **Subnet**: Select your subnet
   + **Auto-assign public IP**: Enable
   + **Firewall (security groups)**: Select existing security group and choose your security group

1. Choose **Launch instance**.

1. **Important**: After launch, go to the instance details and note the **Network interface ID** (starts with "eni-") - you'll need this for Step 10.

**AWS CLI**

```
aws ec2 run-instances \
    --image-id ami-0abcdef1234567890 \
    --count 1 \
    --instance-type t2.micro \
    --key-name your-key-pair \
    --security-group-ids sg-0123456789abcdef0 \
    --subnet-id subnet-0123456789abcdef0 \
    --associate-public-ip-address \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=IGW-Target-Instance}]' \
    --region us-east-1
```

**To find the ENI ID in the console:**

1. In the EC2 console, select your instance.

1. Go to the **Networking** tab.

1. Note the **Network interface ID** (for example, `eni-0abcdef1234567890`).

**To find the ENI ID using AWS CLI:**

```
aws ec2 describe-instances --instance-ids i-0123456789abcdef0 --query 'Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' --output text --region us-east-1
```

## Step 7: Create the internet gateway route table
<a name="step-7-create-a-route-table-for-the-internet-gateway"></a>

Complete this step to create a dedicated route table for the internet gateway that will handle ingress routing.

**AWS console**

1. In the VPC console, choose **Route tables**.

1. Choose **Create route table**.

1. For **Name**, enter a name for your route table (for example, **IGW-Ingress-Route-Table**).

1. For **VPC**, choose your VPC.

1. Choose **Create route table**.

**AWS CLI**

```
aws ec2 create-route-table \
    --vpc-id vpc-0123456789abcdef0 \
    --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=IGW-Ingress-Route-Table}]' \
    --region us-east-1
```

## Step 8: Associate the route table with the internet gateway
<a name="step-8-associate-the-route-table-with-the-internet-gateway"></a>

Complete this step to associate your route table with the internet gateway to enable ingress routing functionality.

**AWS console**

1. In the VPC console navigation pane, choose **Route tables**, and then select the route table you created.

1. From the **Edge associations** tab, choose **Edit edge associations**.

1. Select the checkbox for the internet gateway.

1. Choose **Save changes**.

**AWS CLI**

```
aws ec2 associate-route-table \
    --route-table-id rtb-0123456789abcdef0 \
    --gateway-id igw-0123456789abcdef0 \
    --region us-east-1
```

## Step 9: Associate your BYOIP pool with the internet gateway
<a name="step-9-associate-your-byoip-pool-with-the-internet-gateway"></a>

Complete this step to associate your BYOIP pool with the internet gateway route table, enabling the VPC to accept traffic for your IP range.

**AWS console**

1. In the VPC console navigation pane, choose **Route tables**, and select the internet gateway route table you created.

1. Choose the **IPv4 pool associations** tab.

1. Choose **Edit associations**.

1. Select your BYOIP pool (for example, `pool-12345678901234567`).

1. Choose **Save associations**.

**AWS CLI**

```
aws ec2 associate-route-table \
    --route-table-id rtb-0123456789abcdef0 \
    --public-ipv4-pool pool-12345678901234567 \
    --region us-east-1
```

**Note**: Replace `rtb-0123456789abcdef0` with your internet gateway route table ID and `pool-12345678901234567` with your BYOIP pool ID.

## Step 10: Add static route to target your instance
<a name="step-10-add-static-route-to-target-your-instance"></a>

Complete this step to add a route that directs traffic from your BYOIP range to your target instance's network interface.

**AWS console**

1. In the VPC console navigation pane, choose **Route tables**, and select the internet gateway route table you created.

1. Choose **Actions**, **Edit routes**.

1. Choose **Add route**.

1. For **Destination**, enter your BYOIP CIDR or a subset (for example, **203.0.113.0/24**). The prefix must be between /23 and /28.

1. For **Target**, select **Network interface** and enter your instance's ENI ID (for example, `eni-0abcdef1234567890`).

1. Choose **Save changes**.

**AWS CLI**

```
aws ec2 create-route \
    --route-table-id rtb-0123456789abcdef0 \
    --destination-cidr-block 203.0.113.0/24 \
    --network-interface-id eni-0abcdef1234567890 \
    --region us-east-1
```

## Step 11: Configure the target instance
<a name="step-11-configure-the-target-instance"></a>

Complete this step to configure your target instance to properly handle traffic destined for BYOIP addresses.

**Important**: Complete this instance configuration step before testing connectivity (Step 13). The instance must be configured to respond to BYOIP addresses for the ingress routing to work properly.

**AWS console**

1. Connect to your target instance using EC2 Instance Connect:
   + In the EC2 console, select your instance.
   + Choose **Actions** > **Connect**.
   + Select **EC2 Instance Connect** tab.
   + Choose **Connect**.

1. Add a specific BYOIP address to your instance interface:

   First, find your network interface name:

   ```
   ip link show
   ```

   Then add the IP address (replace `eth0` with your actual interface name):

   ```
   sudo ip addr add 203.0.113.10/32 dev eth0
   ```

   **Note**: Replace `203.0.113.10` with any IP address from your BYOIP range that you want to test. The interface name may be `eth0`, `ens5`, or similar depending on your instance type.

1. In the EC2 console, disable the source/destination check:
   + Select your instance.
   + On the **Networking** tab, choose the network interface.
   + Choose **Actions**, **Change source/dest check**, **Disable**.

**AWS CLI**

```
aws ec2 modify-network-interface-attribute \
    --network-interface-id eni-0abcdef1234567890 \
    --no-source-dest-check \
    --region us-east-1
```

## Step 13: Test connectivity
<a name="step-13-test-connectivity"></a>

Complete this step to verify that internet traffic is properly routed to your target instance through the BYOIP addresses.

1. On your target instance, monitor incoming traffic using tcpdump:

   ```
   sudo tcpdump -i any icmp
   ```

1. From another terminal or computer, test connectivity to your BYOIP IP address:

   ```
   ping 203.0.113.10
   ```

1. Expected results:
   + Ping should succeed and show responses from your BYOIP IP address.
   + tcpdump should show incoming packets for the BYOIP address, similar to:

     ```
     12:34:56.789012 IP 203.0.113.100 > 203.0.113.10: ICMP echo request, id 1234, seq 1, length 64
     12:34:56.789123 IP 203.0.113.10 > 203.0.113.100: ICMP echo reply, id 1234, seq 1, length 64
     ```
   + Traffic should appear to come from external IP addresses, proving the internet gateway ingress routing is delivering internet traffic to your instance.

## Troubleshooting
<a name="troubleshooting"></a>

Use this section to resolve common issues you might encounter when setting up internet gateway ingress routing.

**Traffic not reaching the instance**  
+ Verify the route table has the correct ENI ID as the target.
+ Confirm the BYOIP pool is associated with the internet gateway route table.
+ Check that source/destination check is disabled on the instance.
+ Ensure security groups allow the traffic type you're testing.

**Route creation fails**  
+ Verify the BYOIP pool is properly associated with the route table.
+ Confirm the destination CIDR is within your BYOIP range.
+ Check that the target ENI exists and is attached to a running instance.
+ Ensure your BYOIP prefix is between /23 and /28 (prefixes outside this range are not supported).

**Ping/connectivity fails**  
+ Verify the IP addresses are added to the instance interface.
+ Check security groups allow ICMP (for ping) or relevant ports.
+ Confirm the instance is in a running state.
+ Test from multiple external locations.
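As an added example (not AWS code and not part of this tutorial), the following Python preflight applies the rules stated in "How the routing works", Step 10 and the troubleshooting lists above to constructed sample data shaped like the relevant `describe-*` responses, so you can check a planned ingress route before calling `create-route`. The `bpa_enabled`/`bpa_vpc_excluded` flags, the sample addresses and the resource IDs are assumptions.

```python
"""Preflight checks for an internet gateway ingress route.

Added example, not AWS code. It applies the rules this tutorial states
(dedicated IGW route table, BYOIP destination with a /23 to /28 prefix,
ENI target in the same VPC with source/dest check disabled, no BYOIP
address assigned directly, VPC Block Public Access caveat) to locally
constructed data shaped like the matching describe-* responses.
"""
import ipaddress
from typing import Any, Dict, List

# Constructed sample data using the tutorial's placeholder IDs.
POOL: Dict[str, Any] = {
    "PoolId": "pool-12345678901234567",
    "PoolAddressRanges": [
        {"FirstAddress": "203.0.113.0", "LastAddress": "203.0.113.255"},
    ],
}
IGW_ROUTE_TABLE: Dict[str, Any] = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "VpcId": "vpc-0123456789abcdef0",
    # Edge association only; a SubnetId association here would be a mistake.
    "Associations": [{"GatewayId": "igw-0123456789abcdef0"}],
}
TARGET_ENI: Dict[str, Any] = {
    "NetworkInterfaceId": "eni-0abcdef1234567890",
    "VpcId": "vpc-0123456789abcdef0",
    "SourceDestCheck": False,
    "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25"}],
    # Auto-assigned public IP from Step 6, deliberately outside the BYOIP pool.
    "Association": {"PublicIp": "198.51.100.7"},
}


def pool_networks(pool: Dict[str, Any]) -> List[ipaddress.IPv4Network]:
    """Turn FirstAddress/LastAddress ranges into CIDR networks."""
    nets: List[ipaddress.IPv4Network] = []
    for rng in pool["PoolAddressRanges"]:
        first = ipaddress.IPv4Address(rng["FirstAddress"])
        last = ipaddress.IPv4Address(rng["LastAddress"])
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def eni_addresses(eni: Dict[str, Any]) -> List[ipaddress.IPv4Address]:
    """All IPv4 addresses bound to the interface (private and public)."""
    addrs = [ipaddress.IPv4Address(p["PrivateIpAddress"])
             for p in eni.get("PrivateIpAddresses", [])]
    public = eni.get("Association", {}).get("PublicIp")
    if public:
        addrs.append(ipaddress.IPv4Address(public))
    return addrs


def preflight(destination: str, route_table: Dict[str, Any], eni: Dict[str, Any],
              pool: Dict[str, Any], *, bpa_enabled: bool = False,
              bpa_vpc_excluded: bool = False) -> List[str]:
    """Return the list of problems found; an empty list means the route is sound."""
    problems: List[str] = []
    try:
        dest = ipaddress.IPv4Network(destination)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"invalid destination {destination!r}: {exc}"]

    # 1. The IGW route table must be dedicated: an edge association only.
    assoc = route_table.get("Associations", [])
    if any("SubnetId" in a for a in assoc):
        problems.append("IGW route table is also associated with a subnet; use a dedicated table")
    if not any(a.get("GatewayId", "").startswith("igw-") for a in assoc):
        problems.append("route table has no internet gateway edge association")

    # 2. The destination prefix must be between /23 and /28.
    if not 23 <= dest.prefixlen <= 28:
        problems.append(f"prefix /{dest.prefixlen} is outside the supported /23 to /28 range")

    # 3. The destination must lie inside the BYOIP pool.
    nets = pool_networks(pool)
    if not any(dest.subnet_of(n) for n in nets):
        problems.append(f"{dest} is not within BYOIP pool {pool['PoolId']}")

    # 4. The target ENI must be in the same VPC with source/dest check disabled.
    if eni.get("VpcId") != route_table.get("VpcId"):
        problems.append("target ENI is not in the route table's VPC")
    if eni.get("SourceDestCheck", True):
        problems.append("source/destination check is still enabled on the target ENI")

    # 5. No BYOIP address may be assigned directly to the interface.
    for addr in eni_addresses(eni):
        if any(addr in n for n in nets):
            problems.append(f"BYOIP address {addr} is assigned directly to {eni['NetworkInterfaceId']}")

    # 6. VPC BPA: only a VPC-level exclusion (or BPA off) allows ingress routing.
    if bpa_enabled and not bpa_vpc_excluded:
        problems.append("VPC BPA is enabled without a VPC-level exclusion; subnet-level exclusions do not apply")
    return problems
```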

## Advanced option: Route server integration for dynamic routing
<a name="advanced-option-route-server-integration"></a>

For environments requiring dynamic routing, automatic failover, and load distribution across multiple instances, consider integrating this feature with VPC Route Server. Route Server enables BGP-based dynamic routing instead of static routes, providing:
+ **Dynamic route advertisement** from instances through BGP.
+ **Automatic failover** between multiple target instances, with routes updated dynamically during instance failures.
+ **Load distribution** across multiple endpoints.
+ **Centralized route management** through BGP, eliminating manual intervention for route changes.

This is particularly important for Telco and IoT use cases, and for enterprise deployments where high availability and dynamic routing capabilities are required. For detailed Route Server setup instructions, see [Dynamic routing in your VPC using VPC Route Server](dynamic-routing-route-server.md).

**Note**  
When using Route Server with multiple BGP peers, be aware that a maximum of 32 BGP peers can advertise the same prefix to the same route table using route server.

## Clean up
<a name="clean-up"></a>

To avoid ongoing charges, delete the resources you created in this tutorial:

### Step 1: Terminate EC2 instance
<a name="step-1-terminate-ec2-instance"></a>

Complete this step to terminate the EC2 instance and stop incurring charges for compute resources.

**AWS console**

1. Open the [Amazon EC2 console](https://console.aws.amazon.com/ec2).

1. In the EC2 console navigation pane, choose **Instances**.

1. Select your instance and choose **Instance state**, **Terminate instance**.

1. Choose **Terminate** to confirm.

**AWS CLI**

```
aws ec2 terminate-instances --instance-ids i-0123456789abcdef0 --region us-east-1
```

### Step 2: Detach internet gateway from VPC
<a name="step-2-detach-internet-gateway-from-vpc"></a>

Complete this step to detach and delete the internet gateway from your VPC.

**AWS console**

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc).

1. In the VPC console navigation pane, choose **Internet gateways**.

1. Select your internet gateway and choose **Actions**, **Detach from VPC**.

1. Choose **Detach internet gateway**.

1. After detaching, choose **Actions**, **Delete internet gateway**.

1. Choose **Delete internet gateway**.

**AWS CLI**

```
aws ec2 detach-internet-gateway --internet-gateway-id igw-0123456789abcdef0 --vpc-id vpc-0123456789abcdef0 --region us-east-1

aws ec2 delete-internet-gateway --internet-gateway-id igw-0123456789abcdef0 --region us-east-1
```

### Step 3: Delete VPC
<a name="step-3-delete-vpc"></a>

Complete this step to delete the VPC and all associated resources to complete the cleanup process.

**AWS console**

1. In the VPC console, choose **Your VPCs**.

1. Select your VPC and choose **Actions**, **Delete VPC**.

1. Type **delete** to confirm and choose **Delete**.

**AWS CLI**

```
aws ec2 delete-vpc --vpc-id vpc-0123456789abcdef0 --region us-east-1
```

**Note**  
Deleting the VPC will also delete associated subnets, route tables, and security groups.

**Note**  
Your BYOIP pool remains available for future use and is not deleted as part of this cleanup process.

# Dynamic routing in your VPC using VPC Route Server
<a name="dynamic-routing-route-server"></a>

Amazon VPC Route Server simplifies routing for traffic between workloads that are deployed within a VPC and its internet gateways. With this feature, VPC Route Server dynamically updates VPC and internet gateway route tables with your preferred IPv4 or IPv6 routes to achieve routing fault tolerance for those workloads. This enables you to automatically reroute traffic within a VPC, which increases the manageability of VPC routing and interoperability with third-party workloads.

Route server supports the following route table types:
+ VPC route tables not associated with subnets
+ Subnet route tables
+ Internet gateway route tables

Route server does not support route tables associated with virtual private gateways. To propagate routes into a transit gateway route table, use [Transit Gateway Connect](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html).

**Quotas**

For quotas associated with Amazon VPC Route Server, see [Route server quotas](amazon-vpc-limits.md#vpc-limits-route-servers).

**Pricing**

For information about costs associated with Amazon VPC Route Server, see the [VPC Route Server](https://aws.amazon.com/vpc/pricing/) tab on the Amazon VPC pricing page.

**Topics**
+ [Terminology](route-server-terms.md)
+ [How Amazon VPC Route Server works](route-server-how-it-works.md)
+ [Route server peer logging](route-server-peer-logging.md)
+ [Get started tutorial](route-server-tutorial.md)

# Terminology
<a name="route-server-terms"></a>

The following terms are used in this guide:
+ **FIB**: The [Forwarding Information Base (FIB)](https://en.wikipedia.org/wiki/Forwarding_information_base) serves as a forwarding table for what route server has determined are the best-path routes in the RIB after evaluating all available routing information and policies. The FIB holds the routes that are installed on the route tables. The FIB is recomputed whenever there are changes to the RIB.
+ **RIB**: The [Routing Information Base (RIB)](https://en.wikipedia.org/wiki/Routing_table) serves as a database that stores all the routing information and network topology data collected by a router or routing system, such as routes learned from BGP peers. The RIB is constantly updated as new routing information is received or existing routes change. This ensures that the route server always has the most current view of the network topology and can make optimal routing decisions.
+ **Route server**: The route server component updates your VPC and internet gateway route tables with the IPv4 or IPv6 routes in your Forwarding Information Base (FIB). The route server represents a single FIB and Routing Information Base (RIB).
+ **Route server association**: A route server association is the connection established between a route server and a VPC.
+ **Route server endpoint**: A route server endpoint is an AWS-managed component inside a subnet that facilitates [BGP (Border Gateway Protocol)](https://en.wikipedia.org/wiki/Border_Gateway_Protocol) connections between your route server and your BGP peers.
+ **Route server peer**: A route server peer is a session between a route server endpoint and the device deployed in AWS (such as a firewall appliance or other network security function running on an EC2 instance). The device must meet these requirements: 
  + Have an elastic network interface in the VPC
  + Support BGP (Border Gateway Protocol)
  + Be able to initiate BGP sessions
+ **Route server propagation**: When enabled, route server propagation installs the routes in the FIB on the route table you've specified. Route server supports IPv4 and IPv6 route propagation.

# How Amazon VPC Route Server works
<a name="route-server-how-it-works"></a>

This section explains how Amazon VPC Route Server works and helps you understand how it achieves routing fault tolerance for your workloads running in subnets.

**Topics**
+ [Overview](#route-server-overview)
+ [Diagrams](#route-server-diagrams)

## Overview
<a name="route-server-overview"></a>

How Amazon VPC Route Server works:

1. You configure a network device (like a firewall running on an EC2 instance in the VPC) to use Amazon VPC Route Server.

1. The network device fails.

1. The route server endpoints detect the failure through [BFD (Bidirectional Forwarding Detection)](https://en.wikipedia.org/wiki/Bidirectional_Forwarding_Detection) configured on the route server peer.

1. The route server endpoints update the route server to withdraw routes in a [Routing Information Base (RIB)](https://en.wikipedia.org/wiki/Routing_table) where the failed device is the next hop.

1. The route server computes a [Forwarding Information Base (FIB)](https://en.wikipedia.org/wiki/Forwarding_information_base) from the RIB, selecting the best available routes.

1. Route server updates the configured route tables with the routes from the FIB.

1. All new traffic is forwarded to the standby device.

## Diagrams
<a name="route-server-diagrams"></a>

The following is an example diagram of VPC route server with route server endpoints configured for devices in two subnets.

![\[Basic Amazon VPC Route Server setup\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/route-server-main.png)


Starting with the example above as a baseline, the example below shows a more detailed design, where both Device A and Device B advertise over BGP that they can accept any traffic with a destination IP in the range of 192.0.0.0/24 (from 192.0.0.0 to 192.0.0.255). The MED (Multi-Exit Discriminator) attribute of 0 tells route server that Device A should be preferred over Device B. The route server receives the route and the MED attribute from Device A and installs that route in the subnet route tables with the network interface of Device A as the "next hop". As a result, any traffic within the subnet with a destination IP in the 192.0.0.0/24 range is sent to Device A. Device A then processes the traffic and sends it onward. Traffic within either subnet (10.0.0.0/24 or 10.0.1.0/24) that is bound for 192.0.0.0/24 will be routed to Device A eni-abcd (10.0.0.1) as the next hop.

![\[Amazon VPC Route Server setup before device A failure\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/route-server-failover-part-1.png)


This last example below shows how route server handles failover. While the higher MED attribute tells route server that Device B is less preferred than Device A, if Device A eni-abcd (10.0.0.1) goes down, route server updates the subnet route tables, and traffic to 192.0.0.0/24 is routed to Device B eni-efgh (10.0.1.1) as the next hop.

![\[Amazon VPC Route Server failover to device B\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/route-server-failover-part-2.png)


# Route server peer logging
<a name="route-server-peer-logging"></a>

Use VPC Route Server peer logging when you need to:
+ Monitor BGP and BFD session health
+ Troubleshoot connection issues
+ Review historical session changes
+ Track network status

## Pricing
<a name="pricing"></a>
+ **CloudWatch**: Data ingestion and archival charges for vended logs apply when you publish route server peer logs to CloudWatch Logs. 
+ **S3**: Data ingestion and archival charges for vended logs apply when you publish route server peer logs to Amazon S3.
+ **Data Firehose**: Standard ingestion and delivery charges apply.

Vended logs are logs from specific AWS services that are available at volume tiered pricing and delivered to CloudWatch Logs, Amazon S3, or Amazon Data Firehose. For more information, open [Amazon CloudWatch Pricing](https://aws.amazon.com//cloudwatch/pricing/), select **Logs** and find **Vended Logs**.

## Example log format
<a name="example-log-format"></a>

```
{
    "resource_arn": "arn:aws:ec2:us-east-1:111122223333:route-server-peer/rsp-1234567890abcdef0",
    "event_timestamp": 1746643505367,
    "type": "RouteStatus",
    "status": "ADVERTISED",
    "message": {
        "prefix": "10.24.34.0/32",
        "asPath": "65000",
        "med": 100,
        "nextHopIp": "10.24.34.1"
    }
}

{
    "resource_arn": "arn:aws:ec2:us-east-1:111122223333:route-server-peer/rsp-1234567890abcdef0",
    "event_timestamp": 1746643490000,
    "type": "BGPStatus",
    "status": "UP",
    "message": null
}
```

Where:
+ The `resource_arn` is the ARN for the route server peer.
+ The `event_timestamp` is the timestamp of the event.
+ The `type` is the kind of log event: `RouteStatus`, `BGPStatus`, or `BFDStatus`.
+ The `status` field is the status update.
  + For `RouteStatus` type messages
    + `ADVERTISED` (route was advertised by the peer)
    + `UPDATED` (existing route was updated by the peer)
    + `WITHDRAWN` (route was withdrawn by the peer)
  + For `BFDStatus` and `BGPStatus` updates
    + `UP`, `DOWN`.
+ The `message` field currently carries route attributes only for the `RouteStatus` message type, but it may be populated with relevant information for any type.
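As an added example (not AWS code), the following Python replays a constructed stream of peer log lines in the format above through a small RIB/FIB model, reproducing the failover sequence from the diagrams: the lowest MED wins, a BFD `DOWN` on Device A's peer withdraws its routes, and the next hop for 192.0.0.0/24 moves from 10.0.0.1 to 10.0.1.1. The peer ARNs, ASNs and timestamps are constructed values, and the next-hop tie-break and withdraw-on-DOWN rule are the model's own simplifications rather than the service's documented best-path selection.

```python
"""Replay route server peer log events into a small RIB/FIB model.

Added example, not AWS code. Lowest MED wins; a BGP or BFD DOWN event on a peer
withdraws that peer's routes from the RIB; the FIB is then recomputed so the
next hop moves to the standby device. Peer ARNs, addresses and timestamps in
SAMPLE_LOG are constructed values mirroring the page's Device A / Device B
example. The tie-break is this model's simplification, not the service's.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

PEER_A = "arn:aws:ec2:us-east-1:111122223333:route-server-peer/rsp-aaaaaaaaaaaaaaaaa"
PEER_B = "arn:aws:ec2:us-east-1:111122223333:route-server-peer/rsp-bbbbbbbbbbbbbbbbb"
PREFIX = "192.0.0.0/24"

def _event(ts: int, peer: str, kind: str, status: str, message=None) -> str:
    """One vended-log line in the JSON format shown above (constructed sample)."""
    return json.dumps({"resource_arn": peer, "event_timestamp": ts,
                       "type": kind, "status": status, "message": message})

# Constructed log stream: both devices advertise 192.0.0.0/24, Device A with
# MED 0 (preferred) and Device B with MED 100, then Device A's BFD session drops.
SAMPLE_LOG = [
    _event(1746643490000, PEER_A, "BGPStatus", "UP"),
    _event(1746643490500, PEER_B, "BGPStatus", "UP"),
    _event(1746643505367, PEER_A, "RouteStatus", "ADVERTISED",
           {"prefix": PREFIX, "asPath": "65001", "med": 0, "nextHopIp": "10.0.0.1"}),
    _event(1746643505400, PEER_B, "RouteStatus", "ADVERTISED",
           {"prefix": PREFIX, "asPath": "65002", "med": 100, "nextHopIp": "10.0.1.1"}),
    _event(1746643600000, PEER_A, "BFDStatus", "DOWN"),
    _event(1746643600050, PEER_A, "RouteStatus", "WITHDRAWN",
           {"prefix": PREFIX, "asPath": "65001", "med": 0, "nextHopIp": "10.0.0.1"}),
]

@dataclass
class RibEntry:
    prefix: str
    next_hop: str   # nextHopIp from the RouteStatus message
    med: int
    as_path: str
    peer: str       # route server peer ARN that advertised the route

@dataclass
class RouteServerModel:
    rib: Dict[Tuple[str, str], RibEntry] = field(default_factory=dict)  # (prefix, peer)
    session: Dict[str, str] = field(default_factory=dict)               # peer -> UP/DOWN
    alerts: List[str] = field(default_factory=list)

    def apply(self, event: dict) -> None:
        kind, status, peer = event["type"], event["status"], event["resource_arn"]
        if kind == "RouteStatus":
            msg = event["message"]
            key = (msg["prefix"], peer)
            if status in ("ADVERTISED", "UPDATED"):
                self.rib[key] = RibEntry(msg["prefix"], msg["nextHopIp"],
                                         int(msg["med"]), msg["asPath"], peer)
            elif status == "WITHDRAWN":
                self.rib.pop(key, None)   # idempotent: may already be gone after DOWN
        elif kind in ("BGPStatus", "BFDStatus"):
            self.session[peer] = status
            if status == "DOWN":
                self.alerts.append(f"{kind} DOWN on {peer.rsplit('/', 1)[-1]}")
                # Session loss: withdraw every RIB route learned from this peer
                for key in [k for k in self.rib if k[1] == peer]:
                    del self.rib[key]

    def fib(self) -> Dict[str, RibEntry]:
        """Best route per prefix: lowest MED, then lowest next-hop IP as tie-break."""
        best: Dict[str, RibEntry] = {}
        for entry in self.rib.values():
            cur = best.get(entry.prefix)
            if cur is None or (entry.med, entry.next_hop) < (cur.med, cur.next_hop):
                best[entry.prefix] = entry
        return best

def replay(lines: Iterable[str], prefix: str) -> dict:
    """Replay log lines; record the FIB next hop for `prefix` after each event."""
    model = RouteServerModel()
    timeline: List[Tuple[int, str]] = []
    for line in lines:
        event = json.loads(line)
        model.apply(event)
        entry = model.fib().get(prefix)
        timeline.append((event["event_timestamp"], entry.next_hop if entry else "none"))
    return {"timeline": timeline, "alerts": model.alerts, "sessions": model.session}

def simulate_failover() -> dict:
    """Next hop for 192.0.0.0/24 before and after Device A's BFD session fails."""
    result = replay(SAMPLE_LOG, PREFIX)
    hops = [hop for _, hop in result["timeline"]]
    return {"before": hops[3], "after": hops[-1], "alerts": result["alerts"]}

if __name__ == "__main__":
    for ts, hop in replay(SAMPLE_LOG, PREFIX)["timeline"]:
        print(ts, PREFIX, "->", hop)
    print(simulate_failover())
```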

------
#### [ AWS Management Console ]

To create route server peer logs:

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Route servers**.

1. On the **Route servers** page, choose **Route server peers**.

1. Choose the **Log delivery** tab.

1. Choose **Add log delivery**.

1. Choose a destination and configure the settings:
   + Amazon CloudWatch Logs
     + **Log type**: Types of logs to deliver. The only supported log type is EVENT_LOGS.
     + **Destination log group**: The CloudWatch log group where logs will be sent. You can pick an existing log group or create a new one (example: /aws/vpc/route-server-peers).
     + **Field selection**: Data fields to include in your logs.
     + **Output format**: How logs are formatted:
       + JSON: Structured format for computer processing
       + Text: Plain text format
     + **Field delimiter**: When using Text format, this is the character that separates fields (example: comma, tab, space).
   + Amazon S3
     + Cross account - Sending logs to different AWS accounts
       + **Log type**: Types of logs to deliver. The only supported log type is EVENT_LOGS.
       + **Delivery destination ARN**: The Amazon Resource Name of the S3 bucket in another AWS account where logs will be sent.
       + **Field selection**: Data fields to include in your logs.
       + **Suffix**: The ending added to log file names (example: .log, .txt).
       + **Hive-compatible**: When turned on, organizes logs in a folder structure that works with Hive-based tools for easier searching with services like Amazon Athena.
       + **Field delimiter**: When using Text format, this is the character that separates fields.
     + In current account
       + **Log type**: Types of logs to deliver. The only supported log type is EVENT_LOGS.
       + **Destination S3 bucket**: The S3 bucket in your account where logs will be sent. You can specify a subfolder path.
       + **Field selection**: Data fields to include in your logs.
       + **Suffix**: The ending added to log file names (example: .log, .txt).
       + **Hive-compatible**: When turned on, organizes logs in a folder structure that works with Hive-based tools for easier searching.
       + **Field delimiter**: When using Text format, this is the character that separates fields.
   + Amazon Data Firehose
     + Cross account
       + **Log type**: Types of logs to deliver. The only supported log type is EVENT_LOGS.
       + **Delivery destination ARN**: The Amazon Resource Name of the Firehose delivery stream in another AWS account.
       + **Field selection**: Data fields to include in your logs.
       + **Field delimiter**: When using Text format, this is the character that separates fields.
     + In current account
       + **Log type**: Types of logs to deliver. The only supported log type is EVENT_LOGS.
       + **Delivery destination stream**: The Firehose delivery stream in your account where logs will be sent. The stream must use the "Direct Put" source type.
       + **Field selection**: Data fields to include in your logs.
       + **Output format**: How logs are formatted:
         + JSON: Structured format for computer processing
         + Text: Plain text format
       + **Field delimiter**: When using Text format, this is the character that separates fields.

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

To create route server peer logs:

1. Use the [put-delivery-source](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/put-delivery-source.html) command.
   + Example request

     ```
     aws logs put-delivery-source --name "source-rsp-1234567890abcdef0" --resource-arn "arn:aws:ec2:us-east-1:111122223333:route-server-peer/rsp-1234567890abcdef0" --log-type "EVENT_LOGS"
     ```
   + Example response

     ```
     {
          "deliverySource": {
             "name": "source-rsp-1234567890abcdef0",
             "arn": "arn:aws:logs:us-east-1:111122223333:delivery-source:source-rsp-1234567890abcdef0",
             "resourceArns": [
                 "arn:aws:ec2:us-east-1:111122223333:route-server-peer/rsp-1234567890abcdef0"
             ],
             "service": "ec2",
             "logType": "EVENT_LOGS"
         }
     }
     ```

1. Use the [put-delivery-destination](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/put-delivery-destination.html) command.
   + The following AWS CLI example creates a route server log. The logs are delivered to the specified log group.
   + Example request

     ```
     aws logs put-delivery-destination --name "destination-rsp-abcdef01234567890" --destination-resource-arn "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/ec2/route-server-peer/EVENT_LOGS/rsp-abcdef01234567890"
     ```
   + Example response

     ```
     {
          "deliveryDestination": {
             "name": "destination-rsp-abcdef01234567890",
             "arn": "arn:aws:logs:us-east-1:111122223333:delivery-destination:destination-rsp-abcdef01234567890",
             "deliveryDestinationType": "CWL",
             "deliveryDestinationConfiguration": {
                 "destinationResourceArn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/ec2/route-server-peer/EVENT_LOGS/rsp-abcdef01234567890"
             }
         }
     }
     ```

1. Use the [create-delivery](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/create-delivery.html) command.
   + Example request

     ```
     aws logs create-delivery --delivery-source-name "source-rsp-1234567890abcdef0" --delivery-destination-arn "arn:aws:logs:us-east-1:111122223333:delivery-destination:destination-rsp-abcdef01234567890"
     ```
   + Example response

     ```
     {
          "delivery": {
             "id": "1234567890abcdef0",
             "arn": "arn:aws:logs:us-east-1:111122223333:delivery:1234567890abcdef0",
             "deliverySourceName": "source-rsp-1234567890abcdef0",
             "deliveryDestinationArn": "arn:aws:logs:us-east-1:111122223333:delivery-destination:destination-rsp-abcdef01234567890",
             "deliveryDestinationType": "CWL",
             "recordFields": [
                 "resource_arn",
                 "event_timestamp",
                 "type",
                 "status",
                 "message"
             ]
         }
     }
     ```

------

# Get started tutorial
<a name="route-server-tutorial"></a>

This tutorial walks you through the process of setting up and configuring VPC Route Server to enable dynamic routing in your VPC. You'll learn how to create and configure all the necessary components, establish BGP peering, and verify proper operation. The tutorial covers everything from initial IAM setup through testing and cleanup.

Before beginning this tutorial, ensure you have:
+ Administrative access to your AWS account
+ A VPC with at least two subnets where you want to enable dynamic routing
+ Network devices (like firewalls running on EC2 instances) that support BGP and can serve as route server peer devices
+ Basic familiarity with BGP concepts and AWS networking

The steps can be completed using either the AWS Management Console or AWS CLI. Both methods are provided for each step.

Estimated time to complete: 15-30 minutes

**Topics**
+ [Step 1: Configure required IAM Role permissions](route-server-iam.md)
+ [Step 2: Create a route server](route-server-tutorial-create.md)
+ [Step 3: Associate route server with a VPC](route-server-tutorial-associate.md)
+ [Step 4: Create route server endpoints](route-server-tutorial-create-endpoints.md)
+ [Step 5: Enable route server propagation](route-server-tutorial-enable-prop.md)
+ [Step 6: Create route server peer](route-server-tutorial-create-peer.md)
+ [Step 7: Initiate BGP sessions from the devices](route-server-tutorial-initiate-bgp.md)
+ [Step 8: Cleanup](route-server-tutorial-cleanup.md)

# Step 1: Configure required IAM Role permissions
<a name="route-server-iam"></a>

To use VPC Route Server, ensure that the IAM user or role you are using has the required IAM permissions. Below is a guide to which permissions are required for each API:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRouteServer",
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteRouteServer",
            "Effect": "Allow",
            "Action": [
                "sns:DeleteTopic"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateRouteServerEndpoint",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteRouteServerEndpoint",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateRouteServerPeer",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteRouteServerPeer",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Step 2: Create a route server
<a name="route-server-tutorial-create"></a>

Complete the steps in this section to create a route server.

The route server component updates your VPC and internet gateway route tables with the IPv4 or IPv6 routes in your Forwarding Information Base (FIB). The route server represents a single FIB and Routing Information Base (RIB).

------
#### [ AWS Management Console ]

**To create a route server**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Route servers**.

1. On the **Route servers** page, choose **Create route server**.

1. On the **Create route server** page, configure the following settings:
   + For **Name**, enter a name for your route server (e.g., "my-route-server-01"). The name must be 255 characters or less in length.
   + For **Amazon Side ASN**, enter a BGP ASN value. This value must be in the range of 1-4294967295. We recommend using a private ASN in the 64512–65534 (16-bit ASN) or 4200000000–4294967294 (32-bit ASN) range.
   +  For **Persist routes**, choose either **Enable** or **Disable**. This option determines whether routes should be maintained after all BGP sessions are terminated:
     + If enabled: Routes will be preserved in the route server's routing database even if all BGP sessions end
     + If disabled: Routes will be removed from the routing database when all BGP sessions end
   + If you enabled persist routes, for **Persist duration**, enter a value between 1-5 minutes. This duration specifies how long the route server will wait after BGP is re-established to unpersist the routes. For example, if you set it to 1 minute, your device has 1 minute after re-establishing BGP to relearn and advertise its routes before the route server resumes normal functionality. While 1 minute is typically sufficient, you can set up to 5 minutes if your BGP network needs more time to fully re-establish and re-learn all routes.
   + (Optional) To enable SNS notifications for BGP status changes, toggle the **Enable SNS notifications** switch. Enabling SNS notifications persists BGP or BFD session status changes on route server peers and maintenance notifications for route server endpoints to an SNS topic provisioned by AWS. For details about these notifications, see the **SNS notification details** table below.

1. (Optional) To add tags to your route server, scroll down to the **Tags - optional** section and choose **Add new tag**. Enter a key and an optional value for each tag. You can add up to 50 tags.

1. Review your settings and choose **Create route server**.

1. Wait for the route server to be created. Once complete, you will be redirected to the **Route servers** page, where you can see your new route server listed with a status of *Available*.

------
#### [ Command line ]

Use the following procedure to create a new route server to manage dynamic routing in a VPC.

For `--amazon-side-asn`, enter a BGP ASN value. This value must be in the range of 1-4294967295. We recommend using a private ASN in the 64512–65534 (16-bit ASN) or 4200000000–4294967294 (32-bit ASN) range.

1. Command:

   ```
   aws ec2 create-route-server --amazon-side-asn 65000
   ```

   Response:

   ```
   {
       "RouteServer": {
           "RouteServerId": "rs-1",
           "AmazonSideAsn": 65000,
           "State": "pending"
       }
   }
   ```

1. Wait for the route server to be available.

   Command:

   ```
   aws ec2 describe-route-servers
   ```

   Response:

   ```
   {
       "RouteServer": {
           "RouteServerId": "rs-1",
           "AmazonSideAsn": 65000,
           "State": "available"
       }
   }
   ```

------

**SNS notification details**

The following table shows details about the messages that Amazon VPC Route Server will send using Amazon SNS:


In each table, **Message** and **When it is sent** are standard fields; the remaining columns are message attributes (metadata).

**Route server endpoint maintenance**

| Message | When it is sent | timestamp | eventCode | routeServerEndpointId | affectedRouteServerPeerIds |
| --- | --- | --- | --- | --- | --- |
| Route Server Endpoint [ENDPOINT ID] is now undergoing maintenance. BFD and BGP sessions may be impacted. | Route server endpoint maintenance | Format: 2025-02-17T15:55:00Z | `ROUTE_SERVER_ENDPOINT_MAINTENANCE` | Affected endpoint ID | List of affected peer IDs |

**Route server peer BGP status change**

| Message | When it is sent | timestamp | eventCode | routeServerPeerId | newBgpStatus |
| --- | --- | --- | --- | --- | --- |
| BGP for Route Server Peer [PEER ID] is now [UP/DOWN]. | Route server peer BGP status change | Format: 2025-02-17T15:55:00Z | `ROUTE_SERVER_PEER_BGP_STATUS_CHANGE` | Affected peer ID | UP or DOWN |

**Route server peer BFD status change**

| Message | When it is sent | timestamp | eventCode | routeServerPeerId | newBfdStatus |
| --- | --- | --- | --- | --- | --- |
| BFD for Route Server Peer [PEER ID] is now [UP/DOWN]. | Route server peer BFD status change | Format: 2025-02-17T15:55:00Z | `ROUTE_SERVER_PEER_BFD_STATUS_CHANGE` | Affected peer ID | UP or DOWN |

# Step 3: Associate route server with a VPC
<a name="route-server-tutorial-associate"></a>

Complete the steps in this section to associate the route server with a VPC.

A route server association is the connection established between a route server and a VPC. This is a fundamental configuration step that enables the route server to work with appliances in your VPC.

When you create a route server association:
+ It links the route server to a specific VPC.
+ It enables the route server to interact with route tables within the VPC’s subnets.
+ It allows the route server to receive and propagate routes within the associated VPC.
+ It establishes the scope of where the route server can operate.

Key aspects of a route server association:
+ Each route server can be associated with one VPC. Each VPC can have up to 5 separate route server associations by default. For more information about quotas, see [Route server quotas](amazon-vpc-limits.md#vpc-limits-route-servers).
+ The association must be created before the route server can manage routes.
+ The association can be monitored to track its state (such as associating and associated).
+ The association can be removed (disassociated) if you no longer want the route server to operate in that VPC.

------
#### [ AWS Management Console ]

**Associate a route server with a VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Route servers**.

1. Select the route server you want to associate with a VPC.

1. On the **Association tab**, choose **Associate route server**.

1. In the Associate route server dialog box:
   + The **Route server ID** field is automatically populated with your selected route server
   + For **VPC ID**, choose the VPC you want to associate from the dropdown list

1. Choose **Associate route server**.

1. Wait for the association to complete. Once finished, the **State** will show as *Associated* on the **Association** tab.

------
#### [ Command line ]

Use the following procedure to associate a route server with a VPC.

1. Command:

   ```
   aws ec2 associate-route-server --route-server-id rs-1 --vpc-id vpc-1
   ```

   Response:

   ```
   {
       "RouteServerAssociation": {
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "State": "associating"
       }
   }
   ```

1. Wait for the association to complete.

   Command:

   ```
   aws ec2 get-route-server-associations --route-server-id rs-1
   ```

   Response:

   ```
   {
       "RouteServerAssociation": {
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "State": "associated"
       }
   }
   ```

------

# Step 4: Create route server endpoints
<a name="route-server-tutorial-create-endpoints"></a>

Complete the steps in this section to create route server endpoints. Create two endpoints per subnet for redundancy.

A route server endpoint is an AWS-managed component inside a subnet that facilitates [BGP (Border Gateway Protocol)](https://en.wikipedia.org/wiki/Border_Gateway_Protocol) connections between your route server and your BGP peers. 

Route server endpoints are the "contact points" where your network devices establish BGP sessions with the route server. They're the components that actually handle the BGP connections, while the route server itself manages the routing decisions and route propagation.

**Note**  
Route server endpoints are charged \$10.75 per hour.

------
#### [ AWS Management Console ]

**To create route server endpoints**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Route servers**.

1. Select the route server for which you want to create endpoints.

1. In the lower pane, choose the **Route server endpoints** tab.

1. Choose **Create route server endpoint**.

1. On the **Create route server endpoint** page, configure the following settings:
   + For **Name**, enter a descriptive name for your endpoint.
   + For **Route server**, confirm that the correct route server is selected.
   + For **Subnet**, select the subnet in which you want to create the endpoint.

1. (Optional) To add tags to your route server endpoint, scroll down to the **Tags - optional** section and choose **Add new tag**. Enter a key and an optional value for each tag.

1. Review your settings and choose **Create route server endpoint**.

1. Wait for the endpoint to be created. Once complete, you will see a success message.

1. Repeat steps 5-9 to create a second endpoint in the same subnet, using a different name.

1. Repeat steps 5-10 for each subnet where you need route server endpoints.

1. After creating the endpoints, return to the **Route server endpoints** tab for your route server.

1. Verify that you see two endpoints listed for each subnet.

1. Check that the **State** for each endpoint is *Available*.

------
#### [ Command line ]

Use the following procedure to create a route server endpoint.

1. Command:

   ```
   aws ec2 create-route-server-endpoint --route-server-id rs-1 --subnet-id subnet-1
   ```

   Response:

   ```
   {
       "RouteServerEndpoint": {
           "RouteServerId": "rs-1",
           "RouteServerEndpointId": "rse-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "State": "pending"
       }
   }
   ```

1. You may need to wait a few minutes for the endpoints to become fully available after creation.

   Command:

   ```
   aws ec2 describe-route-server-endpoints
   ```

   Response:

   ```
   {
       "RouteServerEndpoint": {
           "RouteServerId": "rs-1",
           "RouteServerEndpointId": "rse-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "EniId": "eni-123",
           "EniAddress": "10.1.2.3",
           "State": "available"
       }
   }
   ```

Repeat the steps to create a second endpoint in the same subnet using a different name and create endpoints for each subnet where you need route server endpoints.

------

# Step 5: Enable route server propagation
<a name="route-server-tutorial-enable-prop"></a>

Complete this step to enable route server propagation.

When enabled, route server propagation installs the routes in the FIB on the route table you've specified. Route server supports IPv4 and IPv6 route propagation. 

Route server propagation is the mechanism that automates route table updates - instead of manually updating route tables, the route server automatically propagates the appropriate routes to the configured route tables with routes from the FIB.

Key aspects of route server propagation:
+ Configuration
  + Links a route server to specific route tables
  + Determines which route tables will receive dynamic route updates
  + Can be enabled or disabled per route table
+ Functionality
  + Automatically updates route tables with routes learned from BGP peers
  + Propagates the best available routes based on BGP attributes
  + Maintains route consistency across specified route tables
  + Updates routes dynamically when network conditions change
+ States
  + Can be enabled (routes are being propagated)
  + Can be disabled (routes are not being propagated)

------
#### [ AWS Management Console ]

**To enable route server propagation**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server for which you want to enable propagation.

1. Choose the **Propagations** tab in the route server details panel.

1. Choose **Enable propagation**.

1. In the **Enable propagation** dialog:
   + The **Route server ID** will be pre-populated.
   + Under **Route table**, select the destination route table from the dropdown menu for newly propagated routes.

1. Choose **Enable propagation** to confirm.

1. Wait for the propagation status to change to Available in the **Propagations** list.

1. Verify that the selected route table appears in the **Propagations** list with a state of *Available*.

------
#### [ Command line ]

Use the following procedure to enable route server propagation.

1. Command:

   ```
   aws ec2 enable-route-server-propagation --route-table-id rtb-1 --route-server-id rs-1
   ```

   Response:

   ```
   {
       "RouteServerRoutePropagation": {
           "RouteServerId": "rs-1",
           "RouteTableId": "rtb-1",
           "State": "pending"
       }
   }
   ```

1. Wait for the propagation state to change to available.

   Command:

   ```
   aws ec2 get-route-server-propagations --route-server-id rs-1
   ```

   Response:

   ```
   {
       "RouteServerRoutePropagation": {
           "RouteServerId": "rs-1",
           "RouteTableId": "rtb-1",
           "State": "available"
       }
   }
   ```

------

# Step 6: Create route server peer
<a name="route-server-tutorial-create-peer"></a>

A route server peer is a session between a route server endpoint and the device deployed in AWS (such as a firewall appliance or other network security function running on an EC2 instance). The device must meet these requirements: 
+ Have an elastic network interface in the VPC
+ Support BGP (Border Gateway Protocol)
+ Can initiate BGP sessions

**Note**  
We recommend you create one route server peer per route server endpoint for redundancy.

------
#### [ AWS Management Console ]

**To create a route server peer**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation path, choose **VPC** > **Route server peers** > **Create route server peer**.

1. Under **Details**, configure the following:
   + **Name**: Enter a name for your route server peer (up to 255 characters). Example: my-route-server-peer-01
   + **Route server endpoint ID**: Choose a route server endpoint from the dropdown. Optionally, choose **Create a route server endpoint** to create a new one.
   + **Peer address**: Enter the IPv4 address of the peer. Must be a valid IP address. The peer address must be reachable from the route server endpoint.
   + **Peer ASN**: Enter the ASN (Autonomous System Number) for the BGP peer. Value must be in range of 1-4294967295. The ASN should typically use private ranges (64512-65534 for 16-bit or 4200000000-4294967294 for 32-bit)
   + **Peer liveness detection**:
     + **BGP keepalive** (default): Standard BGP keep alive mechanism
     + **BFD**: Bidirectional Forwarding Detection for faster failover
   + (Optional) Under **Tags**, choose **Add new tag** to add key-value pair tags. Tags help identify and track AWS resources.

1. Review your settings and choose **Create route server peer**.

------
#### [ Command line ]

Use the following procedure to create a route server peer.

1. Command:

   ```
   aws ec2 create-route-server-peer --route-server-endpoint-id rse-1 --peer-address 10.0.2.3 --bgp-options PeerAsn=65001,PeerLivenessDetection=bfd
   ```

   Response:

   In the response, the state values can be `pending|available|deleting|deleted`.

   ```
   {
       "RouteServerPeer": {
           "RouteServerPeerId": "rsp-1",
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "State": "pending",
           "EndpointEniId": "eni-2",
           "EndpointEniAddress": "10.0.2.4",
           "PeerEniId": "eni-1",
           "PeerAddress": "10.0.2.3",
           "BgpOptions": {
               "PeerAsn": 65001,
               "PeerLivenessDetection": "bfd"
           },
           "BgpStatus": {
               "Status": "Up"
           }
       }
   }
   ```

1. Wait for the peer state to change to available.

   Command:

   ```
   aws ec2 describe-route-server-peers
   ```

   Response:

   ```
   {
       "RouteServerPeer": {
           "RouteServerPeerId": "rsp-1",
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "State": "available",
           "EndpointEniId": "eni-2",
           "EndpointEniAddress": "10.0.2.4",
           "PeerEniId": "eni-1",
           "PeerAddress": "10.0.2.3",
           "BgpOptions": {
               "PeerAsn": 65001,
               "PeerLivenessDetection": "bfd"
           },
           "BgpStatus": {
               "Status": "down"
           }
       }
   }
   ```

------

# Step 7: Initiate BGP sessions from the devices
<a name="route-server-tutorial-initiate-bgp"></a>

When the status of route server peer is available, configure your workload to initiate the BGP session with the route server endpoint. 

Initiating a BGP session from the devices in your subnets is outside the scope of this guide. The route server endpoint does not initiate the BGP session.

You can check that the VPC Route Server feature is working by verifying that the route table contains the best routes propagated by route server.

# Step 8: Cleanup
<a name="route-server-tutorial-cleanup"></a>

The building portion of the tutorial is complete. Complete the steps in this section to remove the VPC Route Server components that you created.

**7.1: Withdraw BGP advertisement on the devices**

Withdrawing BGP advertisement on the devices in your subnets is outside the scope of this guide. Refer to your third-party vendor for your BGP configurations as needed.

**7.2: Disable route server propagation**

Use the following procedure to disable route server propagation.

------
#### [ AWS Management Console ]


1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server for which you want to disable propagation.

1. Choose **Actions > Modify route server**.

1. Choose the **Propagations** tab in the route server details panel.

1. Choose the propagation you want to disable and then choose **Disable propagation**.

1. In the dialog box, choose **Disable route server propagation**.

------
#### [ Command line ]

1. Disable propagation:

   ```
   aws ec2 disable-route-server-route-propagation --route-table-id rtb-1 --route-server-id rs-1
   ```

1. Confirm that the propagation has been disabled:

   ```
   aws ec2 get-route-server-route-propagations --route-server-id rs-1 [--route-table-id rtb-1]
   ```

------

**8.3: Delete route server peers**

Use the following procedure to delete route server peers.

------
#### [ AWS Management Console ]

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation path, choose **Route servers** > **Route server peers**.

1. Select a route server peer.

1. Choose **Actions** > **Delete route server peer**.

------
#### [ Command line ]

1. Delete peers:

   ```
   aws ec2 delete-route-server-peer --route-server-peer-id rsp-1
   ```

1. Confirm the deletion:

   ```
   aws ec2 describe-route-server-peers [--route-server-peer-ids rsp-1] [--filters Key=RouteServerId|RouteServerEndpointId|VpcId]
   ```

------

**8.4: Delete route server endpoints**

Use the following procedure to delete route server endpoints.

------
#### [ AWS Management Console ]

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server for which you want to delete endpoints.

1. Choose **Route server endpoints**.

1. Select the endpoint and choose **Actions** > **Delete route server endpoint**.

1. Enter *delete* and choose **Delete**.

------
#### [ Command line ]

1. Describe endpoints:

   ```
   aws ec2 describe-route-server-endpoints
   ```

1. Delete route server endpoints:

   ```
   aws ec2 delete-route-server-endpoint --route-server-endpoint-id rse-1
   ```

1. Confirm that the endpoints have been deleted:

   ```
   aws ec2 describe-route-server-endpoints [--route-server-endpoint-ids rse-1] [--filters Key=RouteServerId|VpcId|SubnetId]
   ```

------

**8.5: Disassociate route server from VPC**

Use the following procedure to disassociate the route server from the VPC.

------
#### [ AWS Management Console ]

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server that you want to disassociate.

1. Choose **Association**.

1. Choose **Disassociate route server**.

1. Confirm the changes that will be made and choose **Disassociate route server**.

------
#### [ Command line ]

1. Disassociate route server from the VPC:

   ```
   aws ec2 disassociate-route-server --route-server-id rs-1 --vpc-id vpc-1
   ```

1. Confirm the disassociation:

   ```
   aws ec2 get-route-server-associations --route-server-id rs-1
   ```

------

**8.6: Delete route server**

Use the following procedure to delete the route server.

------
#### [ AWS Management Console ]

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server to delete.

1. Choose **Actions** > **Delete route server**.

1. Enter *delete* and choose **Delete**.

------
#### [ Command line ]

1. Delete route server:

   ```
   aws ec2 delete-route-server --route-server-id rs-1
   ```

1. Confirm the deletion:

   ```
   aws ec2 describe-route-servers [--route-server-ids rs-1] [--filters Key=VpcId]
   ```

------
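The cleanup sequence above, scripted with the AWS CLI as an added example (it is not part of the AWS documentation or the AWS CLI project): it removes the resources in dependency order and polls each get/describe call until the resource is gone, because deletions are asynchronous. It assumes AWS CLI v2, the tutorial's placeholder ids (rs-1, rtb-1, vpc-1), and that the describe/get output uses the field names in the JMESPath queries (for example `RouteServerPeers[].RouteServerId`); adjust the queries if your CLI version's output differs.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: tear down the Step 8 resources in
# dependency order, confirming each removal before the next step (deletions are
# asynchronous). Assumes AWS CLI v2 and the JMESPath field names used below.
POLL_SECONDS=${POLL_SECONDS:-5}

# Succeed while the get/describe query still returns at least one id. A failing
# call (for example NotFound after deletion) counts as gone.
still_present() {
    out=$(aws ec2 "$@" --output text 2>/dev/null) || return 1
    [ -n "$out" ]
}

# Poll until the query returns nothing; give up after 60 polls so a stuck deletion
# is reported instead of silently leaving a peer or endpoint ENI behind.
wait_until_gone() {
    tries=0
    while still_present "$@"; do
        tries=$((tries + 1))
        [ "$tries" -lt 60 ] || { echo "timeout waiting for: $*" >&2; return 1; }
        sleep "$POLL_SECONDS"
    done
}

cleanup_route_server() {
    rs=$1; rtb=$2; vpc=$3
    # Stop propagating BGP-learned routes into the route table before anything else.
    aws ec2 disable-route-server-route-propagation --route-server-id "$rs" --route-table-id "$rtb" >/dev/null
    wait_until_gone get-route-server-route-propagations --route-server-id "$rs" \
        --route-table-id "$rtb" --query 'RouteServerPropagations[].RouteTableId'
    # Peers reference endpoints, so delete every peer and wait until none remain.
    peer_q="RouteServerPeers[?RouteServerId=='$rs'].RouteServerPeerId"
    for peer in $(aws ec2 describe-route-server-peers --query "$peer_q" --output text); do
        aws ec2 delete-route-server-peer --route-server-peer-id "$peer" >/dev/null
    done
    wait_until_gone describe-route-server-peers --query "$peer_q"
    # Endpoints are ENIs in your subnets; remove them once no peer uses them.
    ep_q="RouteServerEndpoints[?RouteServerId=='$rs'].RouteServerEndpointId"
    for ep in $(aws ec2 describe-route-server-endpoints --query "$ep_q" --output text); do
        aws ec2 delete-route-server-endpoint --route-server-endpoint-id "$ep" >/dev/null
    done
    wait_until_gone describe-route-server-endpoints --query "$ep_q"
    # Finally disassociate from the VPC, then delete the route server itself.
    aws ec2 disassociate-route-server --route-server-id "$rs" --vpc-id "$vpc" >/dev/null
    wait_until_gone get-route-server-associations --route-server-id "$rs" --query 'RouteServerAssociations[].VpcId'
    aws ec2 delete-route-server --route-server-id "$rs" >/dev/null
    wait_until_gone describe-route-servers --route-server-ids "$rs" --query 'RouteServers[].RouteServerId'
}
# Run only when all three ids are given: sh cleanup_route_server.sh rs-1 rtb-1 vpc-1
if [ $# -eq 3 ]; then cleanup_route_server "$@"; fi
```

Running it with the three ids executes the whole sequence; a non-zero exit with a "timeout waiting for" message tells you which resource is still present and must be investigated before the route server can be deleted.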

The Amazon VPC Route Server tutorial is complete.