BGP - Border Gateway Protocol - is the routing protocol that makes the internet work. Every time a request leaves your browser and traverses the internet to a server, BGP is responsible for determining the path.

Most developers treat networking as a black box below their abstraction level. This is understandable but wrong. BGP failures cause major internet outages, including ones that affect your services. Understanding BGP makes you better at building resilient systems and gives you a mental model for diagnosing problems that would otherwise be inexplicable.

What BGP Does

The internet is not a single network. It is tens of thousands of independently operated networks connected together. Each network is called an Autonomous System (AS), identified by an Autonomous System Number (ASN).

Amazon’s network is an AS. Cloudflare is an AS. Your ISP is an AS. A university’s network is an AS. BGP is the protocol these networks use to tell each other how to route traffic.

BGP allows each AS to announce: “I can reach these IP address ranges (prefixes).” When AS-1 announces that it can reach 203.0.113.0/24, every other AS that hears this announcement learns that packets destined for that range should be forwarded toward AS-1.

The routing table in a core internet router contains hundreds of thousands of these prefix announcements, with multiple paths to many prefixes. BGP chooses the best path based on attributes like path length (how many ASes the traffic passes through), policy preferences, and local configuration.

Why BGP Is Fragile

BGP was designed in an era when the internet’s participants were trusted. The protocol has minimal authentication. An AS can announce any prefix, including ones it does not own.

BGP hijacking is when an AS announces prefixes it does not own, attracting traffic that was meant for another AS. This is either accidental (misconfiguration) or intentional (malicious traffic interception).

The 2010 China Telecom incident: for approximately 18 minutes, China Telecom inadvertently announced 37,000 prefixes belonging to other ASes. Traffic destined for networks in the US, Europe, and Asia was routed through China Telecom’s network. This included traffic for the US military, the US Senate, and major commercial networks.

Route leaks are a different problem: an AS re-advertises routes it has learned to other networks where it should not. This can create suboptimal routing paths or traffic black holes.

The 2019 Verizon-Cloudflare incident: a small ISP in Pennsylvania advertised a summary route through Cloudflare. Cloudflare, not filtering correctly, re-advertised it to Verizon. Verizon, also not filtering, used it. For several hours, large amounts of internet traffic were routed through a network with insufficient capacity, causing significant degradation.

BGP in Practice: What Developers Actually Encounter

Anycast routing. CDNs and DNS providers use BGP anycast to route users to the nearest server. Cloudflare, Akamai, and Fastly announce the same IP address from multiple locations worldwide. BGP routes each user to the nearest announcement. This is how 1.1.1.1 (Cloudflare DNS) works - the same IP is handled by servers on every continent, and BGP routes your DNS query to the nearest one.

Multi-homing. Large organizations connect to multiple ISPs and use BGP to receive traffic on the best available path. If one ISP has an issue, BGP can reroute traffic to the other. This is the network equivalent of multi-cloud strategy.

Traffic engineering. BGP attributes like AS path prepending and community strings let network operators influence how traffic flows through the internet. “Prefer this path for inbound traffic” is expressed through BGP configuration.

AWS Direct Connect / Azure ExpressRoute / Google Cloud Interconnect. These services establish private BGP sessions between your on-premises network and the cloud. Understanding BGP explains how route advertisements work and why sometimes traffic does not take the path you expect.

Reading a Route Table

Network          Next Hop         AS Path
203.0.113.0/24   192.0.2.1        65001 65002 65003
203.0.113.0/24   198.51.100.1     65001 65004

This shows two paths to 203.0.113.0/24. The first goes through AS 65001, 65002, 65003 (three hops). The second goes through 65001, 65004 (two hops). BGP prefers shorter AS paths, so the second path would be preferred.

BGP route selection is more complex in practice (local preference is considered before path length, and origin type and MED values act as later tie-breakers), but the AS path length intuition gets you far.
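The decision process from the table above, written out as an added example rather than code from the original article: it uses the two paths from the table, then a constructed local preference, then an AS-path-prepended variant of the kind the traffic engineering paragraph describes. The simplified step order is an assumption that omits the later tie-breakers real routers apply.

```python
from dataclasses import dataclass
from typing import List

# Simplified BGP decision process, in order: 1. highest LOCAL_PREF, 2. shortest AS_PATH,
# 3. lowest ORIGIN (IGP < EGP < INCOMPLETE), 4. lowest MED. Real routers add further
# tie-breakers (eBGP over iBGP, IGP cost to next hop, router ID) that are omitted here.
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}

@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int]      # leftmost AS is the neighbour, rightmost the origin
    local_pref: int = 100   # common router default
    origin: str = "IGP"
    med: int = 0

def select_best(routes: List[Route]) -> Route:
    """Return the route a BGP speaker would install from a set of candidates."""
    if not routes:
        raise ValueError("no candidate routes")
    # The key tuple is compared element by element, so each entry is one tie-breaker.
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path),
                                      ORIGIN_RANK[r.origin], r.med))

def demo():
    """Three selections over the prefix from the route table above."""
    via_65002 = Route("203.0.113.0/24", "192.0.2.1", [65001, 65002, 65003])
    via_65004 = Route("203.0.113.0/24", "198.51.100.1", [65001, 65004])
    shortest = select_best([via_65002, via_65004]).next_hop       # shorter path wins

    # A local preference set by policy (constructed value) beats the shorter path.
    preferred = Route("203.0.113.0/24", "192.0.2.1", [65001, 65002, 65003], local_pref=200)
    by_policy = select_best([preferred, via_65004]).next_hop

    # AS path prepending: 65004 repeats itself so its path looks longer and loses.
    prepended = Route("203.0.113.0/24", "198.51.100.1", [65001, 65004, 65004, 65004])
    after_prepend = select_best([via_65002, prepended]).next_hop
    return shortest, by_policy, after_prepend

if __name__ == "__main__":
    print(demo())
```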

The Security Improvements: RPKI

Resource Public Key Infrastructure (RPKI) is a cryptographic validation system for BGP routes. With RPKI, IP address holders cryptographically sign Route Origin Authorizations (ROAs) stating which ASes are authorized to announce their prefixes.

Routers with RPKI validation can reject announcements that do not match a valid ROA - catching both hijacks and route leaks.
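As an added example (not from the article), here is the Route Origin Validation check of RFC 6811 applied to a constructed ROA; the ROA contents, the prefixes and the ASNs are assumptions chosen to match the route table above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Route Origin Validation (RFC 6811): an announcement is "valid" when some ROA covers the
# prefix, names the announcing origin AS, and allows the announced prefix length.
# ROV checks only the origin AS; the rest of the AS path is not examined.

@dataclass(frozen=True)
class ROA:
    prefix: str        # signed prefix, e.g. "203.0.113.0/24"
    max_length: int    # longest prefix length the holder allows to be announced
    asn: int           # the one origin AS authorized for this prefix

def validate_origin(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return "valid", "invalid" or "not-found" for one BGP announcement."""
    net = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue     # this ROA says nothing about the announced prefix
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA, yet no ROA matched: a router doing ROV drops or deprioritizes it.
    return "invalid" if covered else "not-found"

# Constructed ROA: only AS 65004 may originate 203.0.113.0/24, and nothing more specific.
ROAS = [ROA("203.0.113.0/24", 24, 65004)]

def demo():
    return (
        validate_origin("203.0.113.0/24", 65004, ROAS),    # valid: authorized origin
        validate_origin("203.0.113.0/24", 64512, ROAS),    # invalid: foreign origin (hijack)
        validate_origin("203.0.113.0/25", 65004, ROAS),    # invalid: exceeds maxLength
        validate_origin("198.51.100.0/24", 65004, ROAS),   # not-found: no ROA to check against
    )

if __name__ == "__main__":
    print(demo())
```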

RPKI adoption has grown significantly. As of 2025, major networks including Google, Cloudflare, AWS, and most tier-1 ISPs implement RPKI validation. Globally, roughly 40-50% of BGP routes have ROA coverage. This is meaningful but incomplete progress.

BGP and Cloud Networking

Understanding BGP helps in cloud networking contexts:

VPC peering and Transit Gateways manage route propagation between networks. When you configure a Transit Gateway attachment, you are configuring which routes are advertised between networks - a BGP concept even when AWS abstracts the protocol.

Multi-region failover often works through Route 53 health checks that modify DNS responses - a higher-layer abstraction of what network engineers do with BGP.

Latency-based routing decisions are made more intelligently if you understand that latency is not just physical distance - BGP path length and peering relationships matter.

What You Can Do With This Knowledge

You cannot directly control BGP unless you operate a large network. But understanding it:

  • Explains why internet outages happen the way they do (a BGP leak or hijack, not just “the internet is down”)
  • Helps you make sense of traceroute output - each hop is an AS boundary or an intra-AS hop
  • Informs multi-CDN and multi-cloud strategies - anycast routing is why redundant providers can share an IP space
  • Makes cloud networking configuration decisions more intuitive
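An added example, not from the article, that annotates constructed traceroute output with the origin AS of each hop using a longest-prefix lookup, so AS boundaries stand out from intra-AS hops; real tooling would query an IP-to-ASN data source, and the prefix table, addresses and hostnames here are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed prefix -> origin ASN table; a real tool would query an IP-to-ASN data source.
PREFIX_TO_ASN: Dict[str, int] = {
    "192.0.2.0/24": 65001,
    "198.51.100.0/24": 65004,
    "198.51.100.128/25": 65005,   # more-specific announcement carved out of the /24
    "203.0.113.0/24": 65004,
}

def origin_asn(ip: str, table: Dict[str, int] = PREFIX_TO_ASN) -> Optional[int]:
    """Longest-prefix match: the most specific covering prefix wins, as in a router FIB."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, int]] = None    # (prefix length, asn)
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, asn)
    return best[1] if best else None

# Matches "<hop>  <hostname> (<ipv4>)"; timeouts ("* * *") and the header line do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")

def annotate(traceroute_output: str) -> List[Tuple[int, str, Optional[int], bool]]:
    """Return (hop, ip, asn, boundary) per hop; boundary is True when the AS changes."""
    rows, prev_asn = [], None
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, ip = int(m.group(1)), m.group(2)
        asn = origin_asn(ip)
        boundary = asn is not None and prev_asn is not None and asn != prev_asn
        rows.append((hop, ip, asn, boundary))
        if asn is not None:
            prev_asn = asn
    return rows

# Constructed traceroute output using documentation address ranges.
SAMPLE = """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max
 1  gw.example (192.0.2.1)  1.2 ms
 2  core.example (192.0.2.9)  3.4 ms
 3  * * *
 4  peer.example (198.51.100.1)  10.5 ms
 5  edge.example (198.51.100.130)  12.0 ms
 6  host.example (203.0.113.10)  15.1 ms
"""
```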

Bottom Line

BGP is the glue of the internet. It is responsible for routing traffic between the tens of thousands of independent networks that make up the global network. It is also responsible for most internet-scale outages when misconfigured or attacked. Understanding BGP - what prefixes are, how ASes advertise routes, why anycast works, and why route leaks cause outages - gives developers a mental model for diagnosing networking problems and building systems that account for the real failure modes of internet routing.