AWS Site-to-Site VPN, dynamic and static routing

In the context of AWS Site-to-Site VPN, dynamic and static routing refer to two different methods of determining how traffic is routed between your on-premises network and your virtual private cloud (VPC) in AWS.

  1. Static Routing:

    • With static routing, you manually configure the routes on both your on-premises router/firewall and the AWS VPN gateway.
    • You explicitly specify which subnets in your VPC are reachable via the VPN connection and specify the corresponding routes on your on-premises network.
    • Static routing is relatively straightforward to set up and manage, especially for smaller networks or when the network topology is simple and changes infrequently.
    • However, it can become cumbersome to manage as your network grows or if there are frequent changes in your network topology, as each change requires manual intervention to update the routes.
  2. Dynamic Routing:

    • Dynamic routing protocols, such as Border Gateway Protocol (BGP), allow the automatic exchange of routing information between your on-premises network and the AWS VPN gateway.
    • With dynamic routing, routes are automatically propagated and updated based on changes in the network topology. This means that if a new subnet is added to your VPC, the route to that subnet will be automatically advertised to your on-premises network.
    • BGP is commonly used for dynamic routing in AWS Site-to-Site VPN configurations due to its flexibility and scalability.
    • Dynamic routing is particularly beneficial for larger, more complex networks where manual route configuration would be impractical.
    • However, it requires more initial configuration and maintenance compared to static routing, as you need to set up and configure the BGP peering sessions between your on-premises router/firewall and the AWS VPN gateway.

In summary, static routing offers simplicity and ease of configuration but may become cumbersome to manage as your network grows. Dynamic routing, on the other hand, provides automation and scalability but requires more initial setup and ongoing maintenance. The choice between static and dynamic routing depends on factors such as network size, complexity, and the frequency of changes in network topology.

Here's an example configuration for both static and dynamic routing using AWS Site-to-Site VPN with a FortiGate firewall on the customer's side. In this scenario, we'll assume the following:

  • The instance in AWS is in a private subnet within a VPC.
  • The customer's on-premises network consists of two networks (Network A and Network B).
  • The FortiGate firewall is responsible for handling the VPN connection on the customer's side.

Static Routing Configuration:

AWS Side Configuration:

  1. AWS VPN Gateway Configuration:

    • Create a Virtual Private Gateway (VGW) and attach it to your VPC.
    • Create a Customer Gateway (CGW) and specify the public IP address of the FortiGate firewall.
    • Create a VPN connection between the VGW and CGW, using static routing.
    • Configure the static routes for the on-premises networks (Network A and Network B) to point to the VPN connection.
  2. Route Table Configuration:

    • Update the route table associated with the private subnet where your instance resides to include a route to the on-premises networks (Network A and Network B) via the VPN connection.

Customer Side Configuration (FortiGate Firewall):

  1. VPN Configuration:
    • Configure a VPN tunnel on the FortiGate firewall using the public IP address of the AWS VPN gateway.
    • Set up the tunnel to use static routing.
    • Define the static routes for the VPC CIDR block and any additional subnets within the VPC.
    • Ensure that the static routes for the VPC CIDR block point to the VPN tunnel interface.

Dynamic Routing Configuration:

AWS Side Configuration:

  1. AWS VPN Gateway Configuration:

    • Create the Virtual Private Gateway and the Customer Gateway exactly as in the static routing configuration.
    • When creating the VPN connection, choose dynamic routing (BGP) instead of static routes; the on-premises prefixes are then learned from the FortiGate over BGP rather than entered by hand.
  2. Route Table Configuration:

    • Use the same route table as in the static routing configuration (the one associated with the private subnet), but do not add the on-premises prefixes by hand.
    • Instead, enable route propagation from the Virtual Private Gateway on that route table; the prefixes the FortiGate advertises over BGP are then installed and updated automatically.

Customer Side Configuration (FortiGate Firewall):

  1. VPN Configuration:
    • Configure a VPN tunnel on the FortiGate firewall using the public IP address of the AWS VPN gateway.
    • Set up the tunnel to use dynamic routing with BGP.
    • Configure BGP peering with the AWS VPN gateway and exchange routing information.
    • Ensure that the FortiGate firewall is configured to accept BGP routes advertised by the AWS VPN gateway.
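The last bullet is where a practitioner adds an inbound prefix list on the FortiGate, so that only the VPC prefix (and its subnets) learned from the AWS peer are installed and a misconfigured or compromised peer cannot push a default route or the site's own prefixes back into the firewall. The following Python block is an added example, not code from the page or from Fortinet: it models router-style prefix-list matching (first match wins, implicit deny), runs it over a constructed set of advertised prefixes using the page's 10.0.0.0/16 VPC, and renders the same policy as a FortiOS "config router prefix-list" block. The list name "AWS-IN" and the sample prefixes are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixRule:
    """One prefix-list entry with router-style ge/le semantics:
    no ge/le -> exact prefix length only; le -> lengths from the prefix's own length up to le;
    ge -> lengths from ge up to le (or 32 when le is absent)."""
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.0.0.0/16"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        base = ipaddress.ip_network(self.prefix, strict=True)
        if route.version != base.version or not route.subnet_of(base):
            return False
        low = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = base.max_prefixlen if self.ge is not None else base.prefixlen
        return low <= route.prefixlen <= high


def accept_route(prefix_list: List[PrefixRule], route_cidr: str) -> bool:
    """First matching rule decides; anything unmatched hits the implicit deny."""
    route = ipaddress.ip_network(route_cidr, strict=True)
    for rule in prefix_list:
        if rule.matches(route):
            return rule.action == "permit"
    return False


def filter_routes(prefix_list: List[PrefixRule], advertised: List[str]) -> List[str]:
    """Return the advertised prefixes that the inbound policy would install."""
    return [p for p in advertised if accept_route(prefix_list, p)]


def fortios_prefix_list(name: str, rules: List[PrefixRule]) -> str:
    """Render the same policy as a FortiOS 'config router prefix-list' block. It is applied to
    the AWS neighbour with 'set prefix-list-in <name>' under 'config router bgp' -> 'config neighbor'."""
    lines = ["config router prefix-list", f"    edit \"{name}\"", "        config rule"]
    for seq, rule in enumerate(rules, start=1):
        net = ipaddress.ip_network(rule.prefix, strict=True)
        lines += [f"            edit {seq}",
                  f"                set action {rule.action}",
                  f"                set prefix {net.network_address} {net.netmask}"]
        if rule.ge is not None:
            lines.append(f"                set ge {rule.ge}")
        if rule.le is not None:
            lines.append(f"                set le {rule.le}")
        lines.append("            next")
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Inbound policy for the AWS peer: the VPC CIDR and any of its subnets down to /24, nothing else.
AWS_INBOUND = [PrefixRule("permit", "10.0.0.0/16", le=24)]

# Constructed sample of what a peer might advertise. Only the first two belong in the routing
# table: a default route or the site's own 192.168.x.0/24 prefix coming back from the peer would
# redirect traffic into the tunnel, and 10.0.1.0/25 is more specific than the policy allows.
ADVERTISED = ["10.0.0.0/16", "10.0.1.0/24", "0.0.0.0/0", "192.168.1.0/24", "10.0.1.0/25"]

if __name__ == "__main__":
    print("accepted:", filter_routes(AWS_INBOUND, ADVERTISED))
    print(fortios_prefix_list("AWS-IN", AWS_INBOUND))
```

The AWS Virtual Private Gateway normally advertises only the VPC CIDR, so a permit for 10.0.0.0/16 alone is enough in practice; the le 24 form is shown for setups that summarize differently. Apply an outbound list in the same way so the FortiGate only announces Network A and Network B towards AWS.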

By following these configurations, the instance in the private subnet within your VPC will be able to access the customer's networks (Network A and Network B) via the Site-to-Site VPN tunnel, along with accessing the internet through your VPC's internet gateway.

Let's create an example routing scenario and provide configuration examples for both AWS and FortiGate.

Example Routing Scenario:

  • AWS VPC:
    • VPC CIDR: 10.0.0.0/16
    • Private Subnet: 10.0.1.0/24 (where the instance resides)
    • Internet Gateway attached for internet access
  • Customer's On-Premises Network:
    • Network A and Network B: 192.168.1.0/24 and 192.168.2.0/24 (the prefixes used in the AWS static routes below)
  • AWS Site-to-Site VPN Connection:
    • Static Routing: For simplicity
    • Public IP of FortiGate: 203.0.113.10
    • AWS VPN Gateway: 52.0.0.100

AWS Configuration:

VPN Gateway Configuration:

  • Virtual Private Gateway (VGW) attached to the VPC.
  • Customer Gateway (CGW) configured with the public IP of the FortiGate firewall (203.0.113.10).
  • VPN connection created between VGW and CGW with static routing.
  • Static routes configured for the on-premises networks (192.168.1.0/24 and 192.168.2.0/24) pointing to the VPN connection.

Route Table Configuration:

  • Route table associated with the private subnet (10.0.1.0/24) updated to include a route to the on-premises networks via the VPN connection.
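The AWS-side routing steps for this scenario, together with the route-propagation alternative described under dynamic routing, as an added Python example that is not code from the page: it first checks that the on-premises prefixes do not overlap the VPC CIDR (overlap is the usual reason a tunnel negotiates but no traffic crosses it, because the more specific local route wins), then emits the AWS CLI commands for either mode. The vpn-/rtb-/vgw- resource IDs are placeholders; the CIDRs are the page's own.

```python
import ipaddress
from typing import List

# Scenario values from the page; resource IDs passed to the functions are placeholders.
VPC_CIDR = "10.0.0.0/16"
ON_PREM_CIDRS = ["192.168.1.0/24", "192.168.2.0/24"]


def find_overlaps(vpc_cidr: str, on_prem_cidrs: List[str]) -> List[str]:
    """Describe every address-space conflict between the VPC and the on-premises
    prefixes (and among the on-premises prefixes themselves); [] means the plan is clean."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in on_prem_cidrs]
    problems = []
    for net in nets:
        if net.overlaps(vpc):
            problems.append(f"{net} overlaps VPC CIDR {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"on-premises prefixes {a} and {b} overlap")
    return problems


def aws_route_commands(vpc_cidr: str, on_prem_cidrs: List[str], vpn_connection_id: str,
                       route_table_id: str, vgw_id: str, dynamic: bool = False) -> List[str]:
    """AWS CLI commands for the routing part of the procedure.

    Static routing: one static route per on-premises prefix on the VPN connection,
    plus one entry per prefix in the private subnet's route table via the VGW.
    Dynamic routing (BGP): no per-prefix entries at all; route propagation from the
    VGW is enabled on the route table and BGP-learned prefixes are installed by AWS.
    """
    conflicts = find_overlaps(vpc_cidr, on_prem_cidrs)
    if conflicts:
        raise ValueError("refusing to plan routes: " + "; ".join(conflicts))
    if dynamic:
        return [f"aws ec2 enable-vgw-route-propagation "
                f"--route-table-id {route_table_id} --gateway-id {vgw_id}"]
    cmds = []
    for cidr in on_prem_cidrs:
        cmds.append(f"aws ec2 create-vpn-connection-route "
                    f"--vpn-connection-id {vpn_connection_id} --destination-cidr-block {cidr}")
        cmds.append(f"aws ec2 create-route --route-table-id {route_table_id} "
                    f"--destination-cidr-block {cidr} --gateway-id {vgw_id}")
    return cmds


if __name__ == "__main__":
    ids = dict(vpn_connection_id="vpn-PLACEHOLDER", route_table_id="rtb-PLACEHOLDER",
               vgw_id="vgw-PLACEHOLDER")
    print("# static routing")
    print("\n".join(aws_route_commands(VPC_CIDR, ON_PREM_CIDRS, **ids)))
    print("# dynamic routing (BGP)")
    print("\n".join(aws_route_commands(VPC_CIDR, ON_PREM_CIDRS, dynamic=True, **ids)))
```

Run the overlap check before touching either side: the same conflict would also make the FortiGate static routes in the next section silently ineffective.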

FortiGate Configuration:

VPN Configuration:

  • VPN tunnel configured on the FortiGate firewall using the public IP of the AWS VPN gateway (52.0.0.100).
  • Tunnel configured for static routing mode.
  • Static routes defined for the VPC CIDR block (10.0.0.0/16) and the instance subnet (10.0.1.0/24), pointing to the VPN tunnel interface.
  • Ensure NAT traversal (NAT-T) is enabled if needed.

Example Configuration (FortiGate):

# Phase 1 (IKE): the AWS tunnel endpoint is the remote gateway; the pre-shared key
# comes from the VPN configuration downloaded from the AWS console (placeholder below).
config vpn ipsec phase1-interface
    edit "AWS_VPN"
        set type static
        set interface "wan1"
        set remote-gw 52.0.0.100
        set keylife 28800
        set proposal aes128-sha1
        set dhgrp 2
        set psksecret "<pre-shared key from the AWS VPN configuration download>"
    next
end
# Phase 2 (IPsec): 0.0.0.0/0 selectors on both sides so that the static routes,
# not the selectors, decide what enters the tunnel (route-based VPN, as AWS expects).
config vpn ipsec phase2-interface
    edit "AWS_VPN_Phase2"
        set phase1name "AWS_VPN"
        set proposal aes128-sha1
        set dhgrp 2
        set pfs enable
        set keylifeseconds 3600
        set src-addr-type subnet
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-addr-type subnet
        set dst-subnet 0.0.0.0 0.0.0.0
        set auto-negotiate enable
    next
end
# Static routes: the tunnel interface carries the phase 1 name ("AWS_VPN").
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set device "AWS_VPN"
    next
    edit 2
        set dst 10.0.1.0 255.255.255.0
        set device "AWS_VPN"
    next
end

In this configuration:

  • Phase 1 (IKE) and Phase 2 (IPsec) of the IPsec VPN tunnel are configured, with the AWS VPN gateway (52.0.0.100) as the remote gateway; the Phase 1 name ("AWS_VPN") is also the name of the tunnel interface that the routes reference.
  • Static routes are added for the VPC CIDR block (10.0.0.0/16) and the instance subnet (10.0.1.0/24), pointing at the tunnel interface so that traffic for the VPC is sent through the VPN.

These configurations establish a Site-to-Site VPN connection between the AWS VPC and the FortiGate firewall, allowing the instance in the private subnet to access the customer's on-premises networks.
