

# Get started tutorial
<a name="route-server-tutorial"></a>

This tutorial walks you through the process of setting up and configuring VPC Route Server to enable dynamic routing in your VPC. You'll learn how to create and configure all the necessary components, establish BGP peering, and verify proper operation. The tutorial covers everything from initial IAM setup through testing and cleanup.

Before beginning this tutorial, ensure you have:
+ Administrative access to your AWS account
+ A VPC with at least two subnets where you want to enable dynamic routing
+ Network devices (like firewalls running on EC2 instances) that support BGP and can serve as route server peer devices
+ Basic familiarity with BGP concepts and AWS networking

The steps can be completed using either the AWS Management Console or AWS CLI. Both methods are provided for each step.

Estimated time to complete: 15-30 minutes

**Topics**
+ [Step 1: Configure required IAM Role permissions](route-server-iam.md)
+ [Step 2: Create a route server](route-server-tutorial-create.md)
+ [Step 3: Associate route server with a VPC](route-server-tutorial-associate.md)
+ [Step 4: Create route server endpoints](route-server-tutorial-create-endpoints.md)
+ [Step 5: Enable route server propagation](route-server-tutorial-enable-prop.md)
+ [Step 6: Create route server peer](route-server-tutorial-create-peer.md)
+ [Step 7: Initiate BGP sessions from the devices](route-server-tutorial-initiate-bgp.md)
+ [Step 8: Cleanup](route-server-tutorial-cleanup.md)

# Step 1: Configure required IAM Role permissions
<a name="route-server-iam"></a>

To use VPC Route Server, ensure that the IAM user or role you are using has the required IAM permissions. Below is a guide to which permissions are required for each API:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRouteServer",
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteRouteServer",
            "Effect": "Allow",
            "Action": [
                "sns:DeleteTopic"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateRouteServerEndpoint",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteRouteServerEndpoint",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateRouteServerPeer",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteRouteServerPeer",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Step 2: Create a route server
<a name="route-server-tutorial-create"></a>

Complete the steps in this section to create a route server.

The route server component updates your VPC and internet gateway route tables with the IPv4 or IPv6 routes in your Forwarding Information Base (FIB). The route server represents a single FIB and Routing Information Base (RIB).

------
#### [ AWS Management Console ]

**To create a route server**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Route servers**.

1. On the **Route servers** page, choose **Create route server**.

1. On the **Create route server** page, configure the following settings:
   + For **Name**, enter a name for your route server (e.g., "my-route-server-01"). The name must be 255 characters or less in length.
   + For **Amazon Side ASN**, enter a BGP ASN value. This value must be in the range of 1-4294967295. We recommend using a private ASN in the 64512–65534 (16-bit ASN) or 4200000000–4294967294 (32-bit ASN) range.
   +  For **Persist routes**, choose either **Enable** or **Disable**. This option determines whether routes should be maintained after all BGP sessions are terminated:
     + If enabled: Routes will be preserved in the route server's routing database even if all BGP sessions end
     + If disabled: Routes will be removed from the routing database when all BGP sessions end
   + If you enabled persist routes, for **Persist duration**, enter a value between 1-5 minutes. This duration specifies how long the route server will wait after BGP is re-established to unpersist the routes. For example, if you set it to 1 minute, your device has 1 minute after re-establishing BGP to relearn and advertise its routes before the route server resumes normal functionality. While 1 minute is typically sufficient, you can set up to 5 minutes if your BGP network needs more time to fully re-establish and re-learn all routes.
   + (Optional) To enable SNS notifications for BGP status changes, toggle the **Enable SNS notifications** switch. Enabling SNS notifications persists BGP or BFD session status changes on route server peers and maintenance notifications for route server endpoints to an SNS topic provisioned by AWS. For details about these notifications, see the **SNS notification details** table below.

1. (Optional) To add tags to your route server, scroll down to the **Tags - optional** section and choose **Add new tag**. Enter a key and an optional value for each tag. You can add up to 50 tags.

1. Review your settings and choose **Create route server**.

1. Wait for the route server to be created. Once complete, you will be redirected to the **Route servers** page, where you can see your new route server listed with a status of *Available*.

------
#### [ Command line ]

Use the following procedure to create a new route server to manage dynamic routing in a VPC.

For `--amazon-side-asn`, enter a BGP ASN value. This value must be in the range of 1-4294967295. We recommend using a private ASN in the 64512–65534 (16-bit ASN) or 4200000000–4294967294 (32-bit ASN) range.

1. Command:

   ```
   aws ec2 create-route-server --amazon-side-asn 65000
   ```

   Response:

   ```
   {
       "RouteServer": {
           "RouteServerId": "rs-1",
           "AmazonSideAsn": 65000,
           "State": "pending"
       }
   }
   ```

1. Wait for the route server to be available.

   Command:

   ```
   aws ec2 describe-route-servers
   ```

   Response:

   ```
   {
       "RouteServer": {
           "RouteServerId": "rs-1",
           "AmazonSideAsn": 65000,
           "State": "available"
       }
   }
   ```

------

**SNS notification details**

The following tables show details about the messages that Amazon VPC Route Server will send using Amazon SNS. Each message carries two standard fields (the message text and when it is sent) and four message attributes (metadata): a `timestamp`, an `eventCode`, the ID of the affected resource, and one event-specific attribute.

*Route server endpoint maintenance*

| Message | When it is sent | timestamp | eventCode | routeServerEndpointId | affectedRouteServerPeerIds |
| --- | --- | --- | --- | --- | --- |
| Route Server Endpoint [ENDPOINT ID] is now undergoing maintenance. BFD and BGP sessions may be impacted. | Route server endpoint maintenance | Format: 2025-02-17T15:55:00Z | `ROUTE_SERVER_ENDPOINT_MAINTENANCE` | Affected endpoint ID | List of affected peer IDs |

*Route server peer BGP status change*

| Message | When it is sent | timestamp | eventCode | routeServerPeerId | newBgpStatus |
| --- | --- | --- | --- | --- | --- |
| BGP for Route Server Peer [PEER ID] is now [UP/DOWN]. | Route server peer BGP status change | Format: 2025-02-17T15:55:00Z | `ROUTE_SERVER_PEER_BGP_STATUS_CHANGE` | Affected peer ID | UP or DOWN |

*Route server peer BFD status change*

| Message | When it is sent | timestamp | eventCode | routeServerPeerId | newBfdStatus |
| --- | --- | --- | --- | --- | --- |
| BFD for Route Server Peer [PEER ID] is now [UP/DOWN]. | Route server peer BFD status change | Format: 2025-02-17T15:55:00Z | `ROUTE_SERVER_PEER_BFD_STATUS_CHANGE` | Affected peer ID | UP or DOWN |
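The following is an added example, not code from the AWS documentation, showing how a monitoring pipeline can consume these notifications. It assumes the SNS topic is subscribed to an AWS Lambda function (so events arrive in the standard SNS-to-Lambda shape with `Records[].Sns.Message` and `MessageAttributes`), uses the `eventCode` values from the table above written with underscores, and assumes `affectedRouteServerPeerIds` arrives either JSON-encoded or comma-separated; the sample events are constructed.

```python
"""Classify Amazon VPC Route Server SNS notifications (added example, not AWS code)."""
import json
from datetime import datetime, timezone

# eventCode values from the SNS notification details table
ENDPOINT_MAINTENANCE = "ROUTE_SERVER_ENDPOINT_MAINTENANCE"
PEER_BGP_STATUS_CHANGE = "ROUTE_SERVER_PEER_BGP_STATUS_CHANGE"
PEER_BFD_STATUS_CHANGE = "ROUTE_SERVER_PEER_BFD_STATUS_CHANGE"


def _attrs(sns_record: dict) -> dict:
    """Flatten SNS MessageAttributes ({name: {"Type": .., "Value": ..}}) to {name: value}."""
    return {k: v.get("Value") for k, v in sns_record.get("MessageAttributes", {}).items()}


def _parse_peer_ids(raw: str) -> list:
    """Assumption: the list attribute is either a JSON array or a comma-separated string."""
    try:
        parsed = json.loads(raw)
        return [str(p) for p in parsed] if isinstance(parsed, list) else [str(parsed)]
    except (ValueError, TypeError):
        return [p.strip() for p in (raw or "").split(",") if p.strip()]


def classify(sns_record: dict) -> dict:
    """Return a normalised event with a severity that alert routing can key on.

    A BGP or BFD session going DOWN is 'critical': routes learned from that peer
    are withdrawn (or held only for the persist duration if persist routes is
    enabled). UP transitions and planned endpoint maintenance are 'info'.
    """
    a = _attrs(sns_record)
    code = a.get("eventCode")
    ts = a.get("timestamp")
    try:  # keep None on a malformed timestamp rather than failing the whole record
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if ts else None
    except ValueError:
        when = None
    out = {"eventCode": code, "timestamp": when, "message": sns_record.get("Message")}

    if code == ENDPOINT_MAINTENANCE:
        out.update(endpointId=a.get("routeServerEndpointId"),
                   affectedPeers=_parse_peer_ids(a.get("affectedRouteServerPeerIds", "")),
                   severity="info")
    elif code in (PEER_BGP_STATUS_CHANGE, PEER_BFD_STATUS_CHANGE):
        status_key = "newBgpStatus" if code == PEER_BGP_STATUS_CHANGE else "newBfdStatus"
        status = (a.get(status_key) or "").upper()
        out.update(peerId=a.get("routeServerPeerId"), newStatus=status,
                   severity="critical" if status == "DOWN" else "info")
    else:
        out["severity"] = "unknown"  # surface unexpected codes instead of dropping them
    return out


def handler(event: dict, context=None) -> list:
    """Lambda entry point: classify every SNS record in the invocation."""
    return [classify(r["Sns"]) for r in event.get("Records", [])]


def _sns_event(message: str, attrs: dict) -> dict:
    """Build a constructed SNS-to-Lambda event (sample data, not captured from AWS)."""
    return {"Records": [{"Sns": {"Message": message, "MessageAttributes": {
        k: {"Type": "String", "Value": v} for k, v in attrs.items()}}}]}


SAMPLE_BGP_DOWN = _sns_event(
    "BGP for Route Server Peer rsp-1 is now DOWN.",
    {"timestamp": "2025-02-17T15:55:00Z", "eventCode": PEER_BGP_STATUS_CHANGE,
     "routeServerPeerId": "rsp-1", "newBgpStatus": "DOWN"})
SAMPLE_MAINTENANCE = _sns_event(
    "Route Server Endpoint rse-1 is now undergoing maintenance. BFD and BGP sessions may be impacted.",
    {"timestamp": "2025-02-17T15:55:00Z", "eventCode": ENDPOINT_MAINTENANCE,
     "routeServerEndpointId": "rse-1", "affectedRouteServerPeerIds": '["rsp-1", "rsp-2"]'})

if __name__ == "__main__":
    for ev in (SAMPLE_BGP_DOWN, SAMPLE_MAINTENANCE):
        print(handler(ev))
```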

# Step 3: Associate route server with a VPC
<a name="route-server-tutorial-associate"></a>

Complete the steps in this section to associate the route server with a VPC.

A route server association is the connection established between a route server and a VPC. This is a fundamental configuration step that enables the route server to work with appliances in your VPC.

When you create a route server association:
+ It links the route server to a specific VPC.
+ It enables the route server to interact with route tables within the VPC’s subnets.
+ It allows the route server to receive and propagate routes within the associated VPC.
+ It establishes the scope of where the route server can operate.

Key aspects of a route server association:
+ Each route server can be associated with one VPC. Each VPC can have up to 5 separate route server associations by default. For more information about quotas, see [Route server quotas](amazon-vpc-limits.md#vpc-limits-route-servers).
+ The association must be created before the route server can manage routes.
+ The association can be monitored to track its state (such as associating and associated).
+ The association can be removed (disassociated) if you no longer want the route server to operate in that VPC.

------
#### [ AWS Management Console ]

**Associate a route server with a VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Route servers**.

1. Select the route server you want to associate with a VPC.

1. On the **Association tab**, choose **Associate route server**.

1. In the Associate route server dialog box:
   + The **Route server ID** field is automatically populated with your selected route server
   + For **VPC ID**, choose the VPC you want to associate from the dropdown list

1. Choose **Associate route server**.

1. Wait for the association to complete. Once finished, the **State** will show as *Associated* on the **Association** tab.

------
#### [ Command line ]

Use the following procedure to associate a route server with a VPC.

1. Command:

   ```
   aws ec2 associate-route-server --route-server-id rs-1 --vpc-id vpc-1
   ```

   Response:

   ```
   {
       "RouteServerAssociation": {
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "State": "associating"
       }
   }
   ```

1. Wait for the association to complete.

   Command:

   ```
   aws ec2 get-route-server-associations --route-server-id rs-1
   ```

   Response:

   ```
   {
       "RouteServerAssociation": {
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "State": "associated"
       }
   }
   ```

------

# Step 4: Create route server endpoints
<a name="route-server-tutorial-create-endpoints"></a>

Complete the steps in this section to create route server endpoints. Create two endpoints per subnet for redundancy.

A route server endpoint is an AWS-managed component inside a subnet that facilitates [BGP (Border Gateway Protocol)](https://en.wikipedia.org/wiki/Border_Gateway_Protocol) connections between your route server and your BGP peers. 

Route server endpoints are the "contact points" where your network devices establish BGP sessions with the route server. They're the components that actually handle the BGP connections, while the route server itself manages the routing decisions and route propagation.

**Note**  
Route server endpoints are charged \$10.75 per hour.

------
#### [ AWS Management Console ]

**To create route server endpoints**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Virtual private cloud**, choose **Route servers**.

1. Select the route server for which you want to create endpoints.

1. In the lower pane, choose the **Route server endpoints** tab.

1. Choose **Create route server endpoint**.

1. On the **Create route server endpoint** page, configure the following settings:
   + For **Name**, enter a descriptive name for your endpoint.
   + For **Route server**, confirm that the correct route server is selected.
   + For **Subnet**, select the subnet in which you want to create the endpoint.

1. (Optional) To add tags to your route server endpoint, scroll down to the **Tags - optional** section and choose **Add new tag**. Enter a key and an optional value for each tag.

1. Review your settings and choose **Create route server endpoint**.

1. Wait for the endpoint to be created. Once complete, you will see a success message.

1. Repeat steps 5-9 to create a second endpoint in the same subnet, using a different name.

1. Repeat steps 5-10 for each subnet where you need route server endpoints.

1. After creating the endpoints, return to the **Route server endpoints** tab for your route server.

1. Verify that you see two endpoints listed for each subnet.

1. Check that the **State** for each endpoint is *Available*.

------
#### [ Command line ]

Use the following procedure to create a route server endpoint.

1. Command:

   ```
   aws ec2 create-route-server-endpoint --route-server-id rs-1 --subnet-id subnet-1
   ```

   Response:

   ```
   {
       "RouteServerEndpoint": {
           "RouteServerId": "rs-1",
           "RouteServerEndpointId": "rse-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "State": "pending"
       }
   }
   ```

1. You may need to wait a few minutes for the endpoints to become fully available after creation.

   Command:

   ```
   aws ec2 describe-route-server-endpoints
   ```

   Response:

   ```
   {
       "RouteServerEndpoint": {
           "RouteServerId": "rs-1",
           "RouteServerEndpointId": "rse-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "EniId": "eni-123",
           "EniAddress": "10.1.2.3",
           "State": "available"
       }
   }
   ```

Repeat the steps to create a second endpoint in the same subnet using a different name and create endpoints for each subnet where you need route server endpoints.

------

# Step 5: Enable route server propagation
<a name="route-server-tutorial-enable-prop"></a>

Complete this step to enable route server propagation.

When enabled, route server propagation installs the routes in the FIB on the route table you've specified. Route server supports IPv4 and IPv6 route propagation. 

Route server propagation is the mechanism that automates route table updates: instead of you manually updating route tables, the route server automatically installs the appropriate routes from the FIB into the configured route tables.

Key aspects of route server propagation:
+ Configuration
  + Links a route server to specific route tables
  + Determines which route tables will receive dynamic route updates
  + Can be enabled or disabled per route table
+ Functionality
  + Automatically updates route tables with routes learned from BGP peers
  + Propagates the best available routes based on BGP attributes
  + Maintains route consistency across specified route tables
  + Updates routes dynamically when network conditions change
+ States
  + Can be enabled (routes are being propagated)
  + Can be disabled (routes are not being propagated)

------
#### [ AWS Management Console ]

**To enable route server propagation**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server for which you want to enable propagation.

1. Choose the **Propagations** tab in the route server details panel.

1. Choose **Enable propagation**.

1. In the **Enable propagation** dialog:
   + The **Route server ID** will be pre-populated.
   + Under **Route table**, select the destination route table from the dropdown menu for newly propagated routes.

1. Choose **Enable propagation** to confirm.

1. Wait for the propagation status to change to Available in the **Propagations** list.

1. Verify that the selected route table appears in the **Propagations** list with a state of *Available*.

------
#### [ Command line ]

Use the following procedure to enable route server propagation.

1. Command:

   ```
   aws ec2 enable-route-server-propagation --route-table-id rtb-1 --route-server-id rs-1
   ```

   Response:

   ```
   {
       "RouteServerRoutePropagation": {
           "RouteServerId": "rs-1",
           "RouteTableId": "rtb-1",
           "State": "pending"
       }
   }
   ```

1. Wait for the propagation state to change to available.

   Command:

   ```
   aws ec2 get-route-server-propagations --route-server-id rs-1
   ```

   Response:

   ```
   {
       "RouteServerRoutePropagation": {
           "RouteServerId": "rs-1",
           "RouteTableId": "rtb-1",
           "State": "available"
       }
   }
   ```

------

# Step 6: Create route server peer
<a name="route-server-tutorial-create-peer"></a>

A route server peer is a session between a route server endpoint and the device deployed in AWS (such as a firewall appliance or other network security function running on an EC2 instance). The device must meet these requirements: 
+ Have an elastic network interface in the VPC
+ Support BGP (Border Gateway Protocol)
+ Be able to initiate BGP sessions

**Note**  
We recommend you create one route server peer per route server endpoint for redundancy.

------
#### [ AWS Management Console ]

**To create a route server peer**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation path, choose **VPC** > **Route server peers** > **Create route server peer**.

1. Under **Details**, configure the following:
   + **Name**: Enter a name for your route server peer (up to 255 characters). Example: my-route-server-peer-01
   + **Route server endpoint ID**: Choose a route server endpoint from the dropdown. Optionally, choose **Create a route server endpoint** to create a new one.
   + **Peer address**: Enter the IPv4 address of the peer. Must be a valid IP address. The peer address must be reachable from the route server endpoint.
   + **Peer ASN**: Enter the ASN (Autonomous System Number) for the BGP peer. Value must be in range of 1-4294967295. The ASN should typically use private ranges (64512-65534 for 16-bit or 4200000000-4294967294 for 32-bit)
   + **Peer liveness detection**:
     + **BGP keepalive** (default): Standard BGP keep alive mechanism
     + **BFD**: Bidirectional Forwarding Detection for faster failover
   + (Optional) Under **Tags**, choose **Add new tag** to add key-value pair tags. Tags help identify and track AWS resources.

1. Review your settings and choose **Create route server peer**.

------
#### [ Command line ]

Use the following procedure to create a route server peer.

1. Command:

   ```
   aws ec2 create-route-server-peer --route-server-endpoint-id rse-1 --peer-address 10.0.2.3 --bgp-options PeerAsn=65001,PeerLivenessDetection=bfd
   ```

   Response:

   In the response, the state values can be `pending|available|deleting|deleted`.

   ```
   {
       "RouteServerPeer": {
           "RouteServerPeerId": "rsp-1",
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "State": "pending",
           "EndpointEniId": "eni-2",
           "EndpointEniAddress": "10.0.2.4",
           "PeerEniId": "eni-1",
           "PeerAddress": "10.0.2.3",
           "BgpOptions": {
               "PeerAsn": 65001,
               "PeerLivenessDetection": "bfd"
           },
           "BgpStatus": {
               "Status": "Up"
           }
       }
   }
   ```

1. Wait for the peer state to change to available.

   Command:

   ```
   aws ec2 describe-route-server-peers
   ```

   Response:

   ```
   {
       "RouteServerPeer": {
           "RouteServerPeerId": "rsp-1",
           "RouteServerId": "rs-1",
           "VpcId": "vpc-1",
           "SubnetId": "subnet-1",
           "State": "available",
           "EndpointEniId": "eni-2",
           "EndpointEniAddress": "10.0.2.4",
           "PeerEniId": "eni-1",
           "PeerAddress": "10.0.2.3",
           "BgpOptions": {
               "PeerAsn": 65001,
               "PeerLivenessDetection": "bfd"
           },
           "BgpStatus": {
               "Status": "down"
           }
       }
   }
   ```

------

# Step 7: Initiate BGP sessions from the devices
<a name="route-server-tutorial-initiate-bgp"></a>

When the status of the route server peer is *Available*, configure your workload to initiate the BGP session with the route server endpoint. 

Initiating a BGP session from the devices in your subnets is outside the scope of this guide. The route server endpoint does not initiate the BGP session.

You can check that the VPC Route Server feature is working by verifying that the route table contains the best routes propagated by route server.

# Step 8: Cleanup
<a name="route-server-tutorial-cleanup"></a>

The building portion of the tutorial is complete. Complete the steps in this section to remove the VPC Route Server components that you created.

**7.1: Withdraw BGP advertisement on the devices**

Withdrawing BGP advertisement on the devices in your subnets is outside the scope of this guide. Refer to your third-party vendor for your BGP configurations as needed.

**7.2: Disable route server propagation**

Use the following procedure to disable route server propagation.

------
#### [ AWS Management Console ]


1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server for which you want to disable propagation.

1. Choose **Actions > Modify route server**.

1. Choose the **Propagations** tab in the route server details panel.

1. Choose the propagation you want to disable and then choose **Disable propagation**.

1. In the dialog box, choose **Disable route server propagation**.

------
#### [ Command line ]

1. Disable propagation:

   ```
   aws ec2 disable-route-server-propagation --route-table-id rtb-1 --route-server-id rs-1
   ```

1. Confirm that the propagation has been deleted:

   ```
   aws ec2 get-route-server-propagations --route-server-id rs-1 [--route-table-id rtb-1]
   ```

------

**7.3: Delete route server peers**

Use the following procedure to delete route server peers.

------
#### [ AWS Management Console ]


1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation path, choose **Route servers** > **Route server peers**.

1. Select a route server peer.

1. Choose **Actions** > **Delete route server peer**.

------
#### [ Command line ]

1. Delete peers:

   ```
   aws ec2 delete-route-server-peer --route-server-peer-id rsp-1
   ```

1. Confirm the deletion:

   ```
   aws ec2 describe-route-server-peers [--route-server-peer-ids rsp-1] [--filters Key=RouteServerId|RouteServerEndpointId|VpcId]
   ```

------

**7.4: Delete route server endpoints**

Use the following procedure to delete route server endpoints.

------
#### [ AWS Management Console ]


1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server for which you want to delete endpoints.

1. Choose **Route server endpoints**.

1. Select the endpoint and choose **Actions** > **Delete route server endpoint**.

1. Enter delete and choose **Delete**.

------
#### [ Command line ]

1. Describe endpoints:

   ```
   aws ec2 describe-route-server-endpoints
   ```

1. Delete route server endpoints:

   ```
   aws ec2 delete-route-server-endpoint --route-server-endpoint-id rse-1
   ```

1. Confirm that the endpoints have been deleted:

   ```
   aws ec2 describe-route-server-endpoints [--route-server-endpoint-ids rse-1] [--filters Key=RouteServerId|VpcId|SubnetId]
   ```

------

**7.5: Disassociate route server from VPC**

Use the following procedure to disassociate the route server from the VPC.

------
#### [ AWS Management Console ]


1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server for which you want to disassociate.

1. Choose **Association**.

1. Choose **Disassociate route server**.

1. Confirm the changes that will be made and choose **Disassociate route server**.

------
#### [ Command line ]

1. Disassociate route server from the VPC:

   ```
   aws ec2 disassociate-route-server --route-server-id rs-1 --vpc-id vpc-1
   ```

1. Confirm the disassociation:

   ```
   aws ec2 get-route-server-associations --route-server-id rs-1
   ```

------

**7.6: Delete route server**

Use the following procedure to delete the route server.

------
#### [ AWS Management Console ]


1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Select the route server to delete.

1. Choose **Actions** > **Delete route server**.

1. Enter *delete* and choose **Delete**.

------
#### [ Command line ]

1. Delete route server:

   ```
   aws ec2 delete-route-server --route-server-id rs-1
   ```

1. Confirm the deletion:

   ```
   aws ec2 describe-route-servers [--route-server-ids rs-1] [--filters Key=VpcId]
   ```

------

The Amazon VPC Route Server tutorial is complete.