AWS Transit Gateway (TGW) is a service that enables customers to connect their Amazon VPCs and their on-premises networks to a single gateway.
With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway in to each Amazon VPC, on-premises data centre, or remote office across your network. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes. This hub and spoke model significantly simplifies management and reduces operational costs because each network only has to connect to the Transit Gateway and not to every other network.
Any new VPC is simply connected to the Transit Gateway and is then automatically available to every other network that is connected to the Transit Gateway. This ease of connectivity makes it easy to scale your network as you grow.
Scenario
Let's say we have 2 VPCs in two different AWS accounts and an on-prem data centre. We want to enable communication between them using TGW.
- VPC-1 can access VPC2, 192.168.1.0/24 and 192.168.2.0/24
- VPC-2 can only access VPC-1 and 192.168.1.0/24
Step 1 - Create a Transit Gateway in Account-1
When you create a transit gateway, AWS creates a default transit gateway route table and use it as the default association route table and the default propagation route table. I disabled Default route table association and Default route table propagation. Default route table association automatically associate transit gateway attachments with the default route table for the transit gateway.
I will show you how to create a multiple Route tables in the next slides for traffic segmentation. This enables us to create isolated networks inside a transit gateway similar to virtual routing and forwarding (VRFs) in traditional networks.
Step 2 - Share the TGW with Account-2 via RAM
Resource Access Manager is not required if you are attaching the VPCs in the same account.
A transit gateway works across AWS accounts, and you can use AWS Resource Access Manager to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.
- Go to "Resource Access Manager" console
- Choose Create a resource share.
- For Select resource type, choose Transit Gateways. Select the transit gateway.
4. Check Allow external accounts, and add the 12 digit AWS account ID of Account-2
5. Choose "Create Resource Share"
Step 3 - Accept the resource share on Account-2
Step 4 - Create site-to-site VPN to on-prem ASA
VPN need to br created from Account-1 which owns the TGW
Step 5 - Transit Gateway VPN attachments
After creating the Transit Gateway, you need to attach the VPCs/VPN with TGW to make a transitive nature.We created the VPN on TGW, so, it was automatically attached to the TGW
Step 6 - Transit Gateway VPC attachment
When you attach a VPC to a transit gateway, you must specify one subnet from each Availability Zone to be used by the transit gateway to route traffic. Specifying one subnet from an Availability Zone enables traffic to reach resources in every subnet in that Availability Zone.
As you can see above, TGW is placed in two AZs in VPC-1.
Repeat the same for VPC-2.
Step 7 - Configure Subnet routing table
VPC-1 Route table
VPC-2 Route table
Step 8 - Create TGW route table
I'm going to create 3 x route tables and associate VPCs and VPN attachments with them.
- VPC-1 R-TABLE is associated with VPC-1
- VPC-2 R-TABLE is associated with VPC-2
- VPN R-TABLE is associated with VPN
To associate a transit gateway route table using the console
- Open the Amazon VPC console
- On the navigation pane, choose Transit Gateway Route Tables.
- Select the route table.
- In the lower part of the page, choose the Associations tab.
- Choose Create association.
- Choose the attachment to associate and then choose Create association.
Create a static route
You can create a static route for a VPC, VPN, or transit gateway peering attachment, or you can create a blackhole route that drops traffic that matches the route.
Route table for VPC-1
- Open the Amazon VPC console
- On the navigation pane, choose Transit Gateway Route Tables.
- Select the route table for which to create a route.
- Choose Actions, Create route.
- On the Create route page, enter the CIDR block for which to create the route.
- Choose the attachment for the route.
- Choose Create route.
Basically, you are telling VPC-1 "if you want to reach 10.0.0.0/16 you go to VPC-2 TGW attachment"
Route table for VPC-2
Note - Route for 192.168.2.0/24 is not added as per the requirement. Or you can create a blackhole route that drops traffic that matches the route.
Route table for VPN attachment
We are adding routes to reach both VPC CIDR ranges which are being advertised to on-prem ASA via BGP.
ASA# show route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
B 10.0.0.0 255.255.0.0 [20/100] via 169.254.20.1, 00:06:19
B 10.22.0.0 255.255.0.0 [20/100] via 169.254.20.1, 00:31:19
That's it. We now have connectivity between 3 x attachments.