Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.
📘AWS Certified Advanced Networking – Specialty
1. What This Topic Means
This section focuses on:
👉 How to prepare and configure your existing on-premises network so it can securely and reliably connect to AWS.
You are not just creating AWS resources—you are also modifying your internal network (data center, office network, etc.) to work with AWS.
2. Key Connectivity Options to AWS
Before configuring your on-prem network, you must understand the two main connection types:
2.1 AWS Site-to-Site VPN
- Uses the internet
- Encrypted connection (IPsec VPN)
- Faster to set up
- Lower cost
2.2 AWS Direct Connect
- Dedicated private connection
- Does not use the internet
- More stable and predictable performance
- Higher cost and setup effort
2.3 Hybrid Approach (Very Important for Exam)
- Use Direct Connect + VPN backup
- Provides high availability and failover
3. Core Components on the On-Premises Side
To connect to AWS, your on-prem network must include:
3.1 Customer Gateway (CGW)
- Your physical or virtual router/firewall
- Must support:
- IPsec VPN
- BGP (preferred)
- Public IP address required
3.2 Internal Network Infrastructure
- Routers
- Firewalls
- Switches
- Internal subnets
3.3 IP Addressing Plan
- Must not overlap with AWS VPC CIDR blocks
❗ Exam Tip:
Overlapping IP ranges = connection failure
4. Key Configuration Steps (Very Important Section)
4.1 IP Address Planning
You must:
- Define on-prem CIDR blocks
- Define AWS VPC CIDR blocks
- Ensure no overlap
Example (IT-style, not abstract):
- On-prem:
10.0.0.0/16 - AWS VPC:
172.31.0.0/16
4.2 Routing Configuration
You must configure routing on both sides.
Two Types of Routing:
A. Static Routing
- Manually define routes
- Simple but not scalable
Example:
- Route AWS VPC network → VPN tunnel
B. Dynamic Routing (BGP) ⭐ (Highly Important)
Uses Border Gateway Protocol (BGP):
- Automatically exchanges routes
- Supports failover
- Required for Direct Connect
Advantages:
- Automatic route updates
- High availability
- Better scalability
❗ Exam Tip:
BGP is preferred in almost all enterprise hybrid setups
4.3 Firewall Configuration
Your on-prem firewall must allow:
- IPsec traffic:
- UDP 500 (IKE)
- UDP 4500 (NAT-T)
- ESP (protocol 50)
Also allow:
- Traffic between on-prem network and AWS CIDR
4.4 VPN Tunnel Configuration
For Site-to-Site VPN:
You must configure:
- Pre-shared key (PSK)
- Encryption algorithms
- Tunnel interfaces
- Routing (static or BGP)
AWS provides a configuration file for:
- Cisco
- Juniper
- Fortinet
- etc.
4.5 BGP Configuration (If Using Dynamic Routing)
You must configure:
- ASN (Autonomous System Number)
- AWS uses private ASN (e.g., 64512)
- Your router also needs ASN
- Neighbor relationship:
- AWS Virtual Private Gateway (VGW) or Transit Gateway (TGW)
- Route advertisement:
- Advertise on-prem networks to AWS
- Receive AWS VPC routes
4.6 High Availability Design ⭐
Very important for exam.
You must design:
For VPN:
- AWS provides 2 tunnels per VPN
- Configure both tunnels on your router
For Direct Connect:
- Use multiple connections
- Use different locations
Hybrid:
- Direct Connect (primary)
- VPN (backup)
5. DNS Configuration
To enable name resolution between environments:
Options:
5.1 Use Amazon Route 53 Resolver
- Create inbound/outbound endpoints
- Forward DNS queries
5.2 Use On-Prem DNS Servers
- Configure forwarding rules to AWS
6. Network Address Translation (NAT)
Sometimes required when:
- IP ranges overlap
- Private addressing conflicts exist
Types:
- Source NAT (SNAT)
- Destination NAT (DNAT)
❗ Exam Tip:
NAT is used as a workaround for overlapping CIDR, but best practice is to avoid overlap
7. Security Considerations
7.1 Encryption
- VPN uses IPsec encryption
- Direct Connect does NOT encrypt by default
- You must add VPN over DX if needed
7.2 Access Control
- Use:
- Firewalls
- Security Groups
- Network ACLs
7.3 Least Privilege Networking
- Only allow required ports and traffic
8. Monitoring and Troubleshooting
8.1 Monitoring Tools
- CloudWatch (VPN metrics)
- VPC Flow Logs
- On-prem monitoring tools
8.2 Common Issues
Issue 1: Tunnel Down
- Check:
- PSK mismatch
- Firewall blocking ports
Issue 2: No Traffic Flow
- Check:
- Routing tables
- Security rules
Issue 3: BGP Not Establishing
- Check:
- ASN mismatch
- Neighbor IP configuration
9. Integration with AWS Services
Your on-prem network often connects to:
- VPC (via VGW or TGW)
- Transit Gateway (hub architecture)
- Multiple AWS accounts
10. Best Practices (Exam Critical)
✔ Use BGP instead of static routing
✔ Avoid overlapping IP ranges
✔ Use redundant tunnels and connections
✔ Monitor continuously
✔ Use hybrid connectivity (DX + VPN)
✔ Secure traffic with encryption and firewalls
✔ Use Transit Gateway for scalability
11. Simple End-to-End Flow (IT-Based Explanation)
- On-prem router (Customer Gateway) initiates connection
- VPN or Direct Connect link established
- Routes exchanged using BGP
- Traffic flows between:
- On-prem subnets
- AWS VPC subnets
- DNS resolves internal resources
- Monitoring ensures availability
12. What to Focus on for the Exam ⭐
Make sure you clearly understand:
- Customer Gateway configuration
- Static vs Dynamic routing (BGP is key)
- VPN vs Direct Connect differences
- High availability designs
- IP addressing (non-overlapping CIDR)
- Firewall and security requirements
- DNS integration
- Common troubleshooting steps
Final Summary
Configuring on-premises networks for AWS connectivity involves:
- Preparing your network infrastructure
- Configuring routing (preferably BGP)
- Setting up VPN or Direct Connect
- Ensuring security, availability, and monitoring
