A VPN connection relies on two types of routes:
- VPC routes: traffic inside the VPC, between the instances and the virtual private gateway. Information about these routes is returned by the DescribeRouteTables method. For more information, see Getting Information About Your Route Tables.
- VPN routes: traffic inside the VPN tunnel, between the virtual private gateway and the customer gateway. Information about these routes is returned by the DescribeVpnConnections method. For more information, see Getting Information About Your VPN Connections.
Both types of routes use the CIDR of your corporate network as the destination and the ID of the virtual private gateway as the target.
VPN Connection Routes
Static and Dynamic Routing
To enable instances in your VPC to reach the customer gateway, you must specify the type of routing for the VPN connection, and update the route table in the subnet of the VPC accordingly:
- For static routing, you need to create new VPN routes. For more information, see Creating a VPN Connection Route.
- For dynamic routing, you do not need to create VPN routes. However, you must use devices that support the Border Gateway Protocol (BGP). For more information, see the BGP ASN section below.
- You cannot change the type of routing after creating the VPN connection.
- You can use a default or custom route table.
[Figure: VPN Connection Routing Flowchart]
You can enable route propagation to a route table associated with a subnet of the VPC. This action automatically updates the route table to include routes from the VPC pointing to the virtual private gateway. Route propagation is not mandatory, and works for both static and dynamic routing. You can use a default or custom route table. For more information, see Enabling Route Propagation.
Otherwise, you need to manually update the route table with each route using the CreateRoute method. For more information, see Creating a Route.
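A check that both route types described above are actually in place, as an added example that is not part of this documentation or the provider's own code. The response dicts are constructed samples in an assumed boto3-like shape for DescribeRouteTables and DescribeVpnConnections; the IDs and CIDRs are made up. The VPC-side test is what you would run after enabling route propagation or calling CreateRoute yourself, and the VPN-side test applies to a static-routing connection.

```python
"""Check that both route types of a VPN connection are in place (added example).

The response dicts are constructed samples in an assumed boto3-like shape;
this is not the page's or the provider's code.
"""
import ipaddress

CORPORATE_CIDR = "10.20.0.0/16"         # constructed: CIDR of the corporate network
VGW_ID = "vgw-0000aaaa"                 # constructed: virtual private gateway ID
SUBNET_ROUTE_TABLE_ID = "rtb-0000bbbb"  # constructed: route table of the VPC subnet

# Constructed sample of a DescribeRouteTables response (shape assumed).
ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-0000bbbb",
            "Associations": [{"SubnetId": "subnet-0000cccc"}],
            "Routes": [
                {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                # VPC route: corporate CIDR as destination, VGW as target
                # (created with CreateRoute or by route propagation).
                {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "vgw-0000aaaa"},
            ],
        }
    ]
}

# Constructed sample of a DescribeVpnConnections response (shape assumed).
VPN_CONNECTIONS = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0000dddd",
            "VpnGatewayId": "vgw-0000aaaa",
            "CustomerGatewayId": "cgw-0000eeee",
            "Options": {"StaticRoutesOnly": True},
            "Routes": [],  # static routing but no VPN route yet: the tunnel side is incomplete
        }
    ]
}


def covers(route_cidr, wanted_cidr):
    """True if route_cidr equals wanted_cidr or is a supernet of it (same IP version)."""
    route = ipaddress.ip_network(route_cidr, strict=False)
    wanted = ipaddress.ip_network(wanted_cidr, strict=False)
    return route.version == wanted.version and wanted.subnet_of(route)


def vpc_route_present(route_tables, route_table_id, corporate_cidr, vgw_id):
    """VPC side: the subnet's route table sends the corporate CIDR to the VGW."""
    for table in route_tables["RouteTables"]:
        if table["RouteTableId"] != route_table_id:
            continue
        for route in table["Routes"]:
            cidr = route.get("DestinationCidrBlock")
            if cidr and route.get("GatewayId") == vgw_id and covers(cidr, corporate_cidr):
                return True
    return False


def vpn_route_present(vpn_connections, vgw_id, corporate_cidr):
    """VPN side: a VPN route to the corporate CIDR exists on a connection of this VGW."""
    for conn in vpn_connections["VpnConnections"]:
        if conn["VpnGatewayId"] != vgw_id:
            continue
        for route in conn.get("Routes", []):
            if covers(route["DestinationCidrBlock"], corporate_cidr):
                return True
    return False


def audit_vpn_routes(route_tables, vpn_connections, route_table_id, corporate_cidr, vgw_id):
    """Return the names of the missing route types; an empty list means both sides are set."""
    missing = []
    if not vpc_route_present(route_tables, route_table_id, corporate_cidr, vgw_id):
        missing.append("vpc_route")  # fix: CreateRoute, or enable route propagation
    if not vpn_route_present(vpn_connections, vgw_id, corporate_cidr):
        missing.append("vpn_route")  # fix: CreateVpnConnectionRoute (static routing)
    return missing


if __name__ == "__main__":
    print(audit_vpn_routes(ROUTE_TABLES, VPN_CONNECTIONS, SUBNET_ROUTE_TABLE_ID,
                           CORPORATE_CIDR, VGW_ID))
```

With the sample data the VPC route exists but the VPN route does not, so the audit reports only `vpn_route`. A route whose destination is a supernet of the corporate CIDR counts as covering it; tighten `covers` to an exact match if your policy requires the precise prefix.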
BGP ASN
The Border Gateway Protocol (BGP) is a dynamic routing protocol that relies on Autonomous System Numbers (ASNs). In a VPN connection using BGP, the customer gateway advertises an ASN to help the virtual private gateway find a path to it through the Internet.
To use BGP, your resources must support dynamic routing. BGP is not mandatory: you can choose static routing even if your resources support dynamic routing.
If you connect several customer gateways in the same network with a single virtual private gateway, these customer gateways must all use the same BGP ASN.
If you do not use BGP, that is, if the VPN connection uses static routing, you need to create new VPN routes manually, using the CreateVpnConnectionRoute method. For more information, see Creating a VPN Connection Route.
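A configuration check covering the two rules above, the static versus dynamic routing choice and the BGP ASN requirement, as an added example that is not part of this documentation or the provider's own code. It flags static-routing connections that still have no VPN route (the case that needs CreateVpnConnectionRoute) and virtual private gateways whose BGP customer gateways advertise different ASNs. The response dicts are constructed samples in an assumed boto3-like shape for DescribeVpnConnections and DescribeCustomerGateways, with made-up IDs and ASNs; the ASN check assumes that every customer gateway attached to one virtual private gateway is in the same corporate network, which is the condition under which the page requires a single ASN.

```python
"""Routing-type and BGP ASN consistency checks (added example, constructed data).

Assumed boto3-like response shapes; not the page's or the provider's code.
"""
from collections import defaultdict

# Constructed sample of a DescribeCustomerGateways response (shape assumed).
CUSTOMER_GATEWAYS = {
    "CustomerGateways": [
        {"CustomerGatewayId": "cgw-0000eeee", "BgpAsn": "65001", "IpAddress": "203.0.113.10"},
        {"CustomerGatewayId": "cgw-0000ffff", "BgpAsn": "65002", "IpAddress": "203.0.113.11"},
        {"CustomerGatewayId": "cgw-00001111", "BgpAsn": "65010", "IpAddress": "198.51.100.5"},
    ]
}

# Constructed sample of a DescribeVpnConnections response (shape assumed).
VPN_CONNECTIONS = {
    "VpnConnections": [
        # Dynamic (BGP) connection: VPN routes are advertised, none need creating.
        {"VpnConnectionId": "vpn-0000dddd", "VpnGatewayId": "vgw-0000aaaa",
         "CustomerGatewayId": "cgw-0000eeee",
         "Options": {"StaticRoutesOnly": False}, "Routes": []},
        # Second BGP customer gateway on the same VGW, but with a different ASN.
        {"VpnConnectionId": "vpn-00002222", "VpnGatewayId": "vgw-0000aaaa",
         "CustomerGatewayId": "cgw-0000ffff",
         "Options": {"StaticRoutesOnly": False}, "Routes": []},
        # Static connection with no VPN route yet: needs CreateVpnConnectionRoute.
        {"VpnConnectionId": "vpn-00003333", "VpnGatewayId": "vgw-00009999",
         "CustomerGatewayId": "cgw-00001111",
         "Options": {"StaticRoutesOnly": True}, "Routes": []},
    ]
}


def routing_type(conn):
    """'static' when the connection was created with static routes only, else 'dynamic'."""
    return "static" if conn.get("Options", {}).get("StaticRoutesOnly") else "dynamic"


def static_connections_missing_routes(vpn_connections):
    """IDs of static-routing connections that still have no VPN route."""
    return [
        conn["VpnConnectionId"]
        for conn in vpn_connections["VpnConnections"]
        if routing_type(conn) == "static" and not conn.get("Routes")
    ]


def asn_conflicts(vpn_connections, customer_gateways):
    """Map each VGW whose BGP customer gateways advertise different ASNs to those ASNs.

    Assumes all customer gateways attached to one VGW belong to the same network.
    """
    asn_by_cgw = {
        gw["CustomerGatewayId"]: gw["BgpAsn"] for gw in customer_gateways["CustomerGateways"]
    }
    asns_per_vgw = defaultdict(set)
    for conn in vpn_connections["VpnConnections"]:
        if routing_type(conn) == "dynamic":  # ASNs only matter for BGP connections
            asns_per_vgw[conn["VpnGatewayId"]].add(asn_by_cgw[conn["CustomerGatewayId"]])
    return {vgw: sorted(asns) for vgw, asns in asns_per_vgw.items() if len(asns) > 1}


if __name__ == "__main__":
    print("static connections without VPN routes:",
          static_connections_missing_routes(VPN_CONNECTIONS))
    print("VGWs with conflicting BGP ASNs:",
          asn_conflicts(VPN_CONNECTIONS, CUSTOMER_GATEWAYS))
```

On the sample data the static connection `vpn-00003333` is reported as missing its VPN route, and `vgw-0000aaaa` is reported with ASNs 65001 and 65002. Because the routing type cannot be changed after creation, a connection of the wrong type shows up here only as a finding to act on by recreating it.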