Logo
  1. Home
  2. Blog
  3. Cloud Security
  4. Enhancing AWS Route Tables for High Availability and Disaster Recovery

Last updated October 31st, 2024 by Erez Tadmor

To effectively move and secure network traffic using cloud technologies, including those of Amazon Web Services (AWS), you need several critical underlying network management tools. 

One of these is a route table function, which in the AWS ecosystem determines the path of network traffic. Each subnet — private subnets and public subnets — in your AWS Virtual Private Cloud (VPC) is associated with a route table that controls the traffic flow between subnets. 

Tufin ingests AWS route tables for high availability and disaster recovery, and automates configuration management, ensures policy compliance, and provides centralized visibility and control. Through solutions like AWS security policy orchestration and AWS policy automation, Tufin ensures that route tables are secure, compliant, and effectively support network resilience and disaster recovery efforts. 

First, let’s break down what AWS route tables are and why high availability and disaster recovery are important to keep in mind when using them. 

What Is an AWS Route Table? 

A route table contains a set of rules, called routes, that determine the direction of network traffic from your subnet or gateway based on the IP address. Each route in the table specifies a destination (in the form of an IP address or CIDR block) and a target (like an internet gateway (IGW), network interface, or another route table).  

A local route is a special type of route that enables communication within the Amazon Virtual Private Cloud (Amazon VPC). Additionally, your VPC has an implicit router, and you use route tables to control where network traffic is directed. 

You can create a route table in AWS using the AWS Management Console, AWS CLI, AWS API, or the “CreateRouteTable” command. You’ll specify your VPC ID and possibly some custom rules, then associate it with your desired subnets within your Amazon Virtual Private Cloud. 

In general, AWS says that its route tables direct network traffic using the most specific route that matches the traffic, otherwise known as the longest prefix match. If the route table has overlapping or matching routes, more rules apply. Here are some of the priorities AWS route tables take into account:  
 

  • Longest prefix match: Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other, according to AWS. Amazon uses the most specific route that matches either IPv4 traffic or IPv6 traffic to determine how to route the traffic. 
  • Static routes: If a virtual private gateway is attached to your VPC and you have enabled route propagation on your subnet route table, routes representing your site-to-site VPN connection automatically appear as propagated routes in your route table, AWS says. If the destination of a propagated route is identical to the destination of a static route, the static route takes priority. 
  • Prefix list routes: Other rules apply if your route table references a prefix list. For example, If your route table contains a static route with a destination CIDR block that overlaps a static route with a prefix list, the static route with the CIDR block takes priority. 
  • Propagated routes: If the destination of a propagated route is identical to the destination of a static route, the static route takes priority. Several resources use static routes, including internet gateways, NAT gateways, instance IDs, gateway VPC endpoints, transit gateways, and VPC peering connections. AWS also supports dynamic routes like Direct Connect BGP routes and VON BGP routes. 

Why Are High Availability and Disaster Recovery Important for AWS Route Tables?

In an AWS environment, route tables, like all components of network traffic routing and management, benefit from high availability to mitigate against misconfigurations that lead to network interruptions. High availability ensures redundancy and reliability for packet-based communications. Here are some AWS-specific elements to consider:  
 

  • AWS Transit Gateway controls how traffic is routed among all the connected spoke networks using route tables, and is highly available by design. The transit gateway automatically comes with a default route table. By default, this route table is the default association route table and the default propagation route table. AWS recommends using a single gateway in each Region for redundancy, but notes that creating multiple gateways can be deployed to limit the impact of a misconfiguration, segregate control plane operations, and make it easier to administer the network. 
  • With the diverse range of infrastructure AWS offers, it’s crucial to anticipate potential failures and ensure that applications can still resolve DNS names even when an AWS Availability Zone fails. 
  • Another consideration is planning application routing, since it’s important to consider how the network will perform during limited routing and service availability. 

In addition to high availability, disaster recovery is also crucial for AWS route tables. With disaster recovery, you can perform a failover to transfer applications to your disaster recovery site, so that your business can continue to function as normal even if the production site is unavailable. 

Disaster recovery is crucial for route tables and other network components because it helps prevent data loss and downtime, and ensure the security and readiness of your AWS recovery site in the event of a catastrophic network issue.  
 
Tools like AWS Elastic Disaster Recovery can automatically replicate your AWS network configuration, including route tables, security groups, subnet CIDR, internet gateways, and network access control lists. Amazon says AWS DRS facilities a recovery time objective (RTO) of minutes. 

How Tufin Enhance AWS Route Tables for High Availability and Disaster Recovery

Tufin simplifies network management across complex environments, including AWS. Tufin’s automation and orchestration tools let you manage and control enterprise security policy across cloud and on-premises networks with a single pane of glass. 

With Tufin’s policy automation tools, you gain comprehensive and consistent visibility to AWS applications, resources and security groups in real time with automated discovery and modeling. You can see when the AWS VPCs have been added or removed. 

Tufin’s automated change management tools allow you to automate approval workflows to ensure that changes are reviewed and approved by the appropriate personnel before implementation, reducing manual effort and minimizing the risk of human error. 
 
This can dramatically reduce the likelihood that manual changes will lead to misconfigurations with AWS route tables, firewalls, and other network routing elements. Ultimately, this helps ensure your networks have the high availability you need to remain resilient and able to recovery from disasters. 

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest

Ready to Learn More

Get a Demo

In this post:

Background Image