SYSTEM Cited by 1 source

Amazon VPC Route Server

Amazon VPC Route Server is an AWS networking primitive that speaks BGP inside a VPC and propagates dynamically-learned routes into AWS-native VPC route tables. It bridges an overlay network (e.g. VMware NSX, or any BGP-capable virtual appliance fleet) to the AWS-native underlay so that AWS-native routing components — subnet route tables, Transit Gateway, firewall attachments — have reachable routes to destinations that actually live on the overlay.

Role in Amazon EVS

The canonical wiki appearance is inside an Amazon EVS deployment. EVS lays down:

  • EVS VLAN subnets as the AWS-native underlay (host management, vMotion, vSAN, NSX uplinks).
  • NSX overlay segments (e.g. 192.168.0.0/19) as the VM network.

A VPC Route Server deployed in the EVS VPC peers BGP with the NSX edge; when NSX advertises overlay segments, Route Server installs those prefixes into the NSX-uplink-subnet route table and the EVS-VPC private-subnet route table automatically. Without Route Server, the AWS-native RT would have no route to overlay CIDRs, and any centralised-inspection path (TGW → Network Firewall → back to VPC) would silently blackhole for VM-sourced or VM-destined traffic because TGW and the firewall can only route to what the source-VPC's RT knows about.
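One way to catch the silent-blackhole condition described above is to audit each route table for overlay coverage. This is an added example, not code from the source post or from AWS: the route-table IDs, routes and segment list are constructed sample data shaped like the `Routes` list of EC2 `DescribeRouteTables`. It assumes a default route alone does not count as reaching the overlay.

```python
import ipaddress

# Constructed sample data, shaped like the Routes list of EC2 DescribeRouteTables.
# DestinationCidrBlock and State are real fields; the IDs and contents are made up.
ROUTE_TABLES = {
    "rtb-nsx-uplink-EXAMPLE": [
        {"DestinationCidrBlock": "10.0.0.0/16", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/19", "State": "active"},
    ],
    "rtb-private-EXAMPLE": [
        {"DestinationCidrBlock": "10.0.0.0/16", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "State": "active"},
    ],
    "rtb-stale-EXAMPLE": [
        {"DestinationCidrBlock": "192.168.0.0/19", "State": "blackhole"},
    ],
}
# Hypothetical NSX segments; the last one falls outside the /19 summary.
OVERLAY_SEGMENTS = ["192.168.0.0/24", "192.168.8.0/24", "192.168.32.0/24"]


def best_route(routes, segment):
    """Longest-prefix match: the most specific route containing the whole segment."""
    seg = ipaddress.ip_network(segment)
    matches = [r for r in routes
               if seg.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))]
    return max(matches, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)


def classify(routes, segment):
    """Return covered, default-only, blackhole or missing for one segment."""
    route = best_route(routes, segment)
    if route is None:
        return "missing"
    if route["State"] != "active":
        return "blackhole"
    if ipaddress.ip_network(route["DestinationCidrBlock"]).prefixlen == 0:
        return "default-only"  # assumption: 0.0.0.0/0 alone does not reach the overlay
    return "covered"


def audit(route_tables, segments):
    """Map (route table id, segment) to its coverage status."""
    return {(rtb, seg): classify(routes, seg)
            for rtb, routes in route_tables.items() for seg in segments}


if __name__ == "__main__":
    for (rtb, seg), status in audit(ROUTE_TABLES, OVERLAY_SEGMENTS).items():
        if status != "covered":
            print(f"{rtb}: {seg} -> {status}")
```

Any result other than `covered` marks a segment whose traffic would not follow the inspection path through that route table.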

Why dynamic routing

Static routes are the default in VPC route tables. That works for AWS-native constructs (subnets, TGW attachments, VPC endpoints, NAT gateways) because those destinations are stable. Overlay networks are not:

  • NSX segments are added / removed by VMware admins on a different cadence than the AWS control plane.
  • Virtual-router clusters reshard, fail over, and re-advertise.
  • Overlay prefixes change as workloads migrate.

Hand-keeping a VPC RT in sync with an NSX overlay via static routes is operationally infeasible. Route Server lets the overlay announce what it has; the VPC route table tracks it.

Stub page

This page is scoped to the EVS / NSX use case captured by the 2025-11-26 post. Route Server also supports generic BGP-capable virtual appliances (third-party routers, SD-WAN appliances) as peers — expand as further sources are ingested.

Seen in

  • sources/2025-11-26-aws-secure-amazon-evs-with-aws-network-firewall — VPC Route Server used inside the EVS VPC to BGP-peer with NSX and propagate overlay segment routes (192.168.0.0/19 summary) into the NSX uplink subnet RT and EVS-VPC private subnet RT, enabling AWS-native TGW + Network Firewall to inspect east-west traffic to and from NSX-hosted VMs.