Taking the Headache Out of VPC Transitive Networking in AWS using CSR Automation

Wade Bertman
Published in Stage 2 Security
Oct 28, 2019

In AWS, or any cloud environment, two of the biggest issues are visibility and control. Routing in AWS isn't very flexible. In a secure environment, visibility is paramount, so all routes need to be controlled by the customer. On top of these needs, networking can quickly become complicated when peering VPCs, especially if you are running multiple VPCs across multiple accounts.

So how can we combat these issues? Meet the AWS Transit VPC.

Transit VPC

With transitive networking in AWS, a transit VPC serves as the central point connecting the on-premises datacenter and the other VPCs. A hub-and-spoke design makes adding spoke VPCs and building a highly available network straightforward.

In the past, setting up a transit VPC was a daunting task because of the manual work required to peer every spoke VPC to the hub/transit VPC and to set up the VPN connection back to the datacenter. Now there are many automated solutions for this, including the one we will go through today.

Launching the Stack

There are many ways to automate transit VPC standup, but today we will cover the automated deployment of a hub-and-spoke topology using Cisco CSR routers. The solution launches a stack with two Cisco CSR routers in a new transit VPC. The routers' configuration sits in a vpnconfigs bucket on S3 and is read at boot-up.

To begin launching the stack, use the automated template provided here.

On the following screen, select Next, as the default settings are usually fine. If you created the template yourself and uploaded it to your own S3 bucket, specify that bucket here and then click Next.

Transit VPC Cloud Formation Template

On the next screen give your stack a name and then fill out the template appropriately for your environment. The variables are listed below with their values.

Stack Configuration Options

Once the stack has finished launching, its status will be CREATE_COMPLETE.

Complete Stack Configuration

With the stack standup completed, we are now ready to tag the spoke VPCs so that a VPN connection is created from the existing VPCs in your cloud to the new transit VPC.

Select VPC and then go to Virtual Private Gateways.

VPC Tagging

Under Edit Tags, add the spoke VPC tag that we predefined in the template above. For this template we used the tag transitvpc:spoke. With this in mind, add the correct tag to each spoke VPC to allow it to connect back to the transit VPC.

Within a minute or so, the Lambda poller that is part of the deployment reads the VPC tags and creates a VPN connection back to the transit VPC CSRs. To check this, navigate to Site-to-Site VPN Connections in the left-hand pane. The VPN connections will sit in a pending state for some time while the VPN comes up.

Once the state goes from pending to Available, the VPN configuration is complete. All spoke VPCs will be connected to the new headend VPN CSR configuration with high availability. Any custom configuration or routing rules can now be applied on the CSR just as you would configure any Cisco router. Your Site-to-Site VPN screen should look like the one below:

Tunnel details will show both tunnels up with BGP routes to the new CSR stack.
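Because the whole enrolment is tag-driven, the thing an operator most wants to verify afterwards is that the set of gateways carrying the spoke tag matches the set of VPN connections that actually came up, and that nothing is peered outside that process. The script below is an added example, not code from the original post or from the AWS/Cisco transit VPC solution. It assumes the poller keys on a Virtual Private Gateway tag named transitvpc:spoke with the value true (the tag key is from the post; the value is an assumption), and that a healthy spoke shows VPN connections in state available with both tunnels UP. The sample API responses are constructed to look like EC2 DescribeVpnGateways / DescribeVpnConnections output, so the audit runs offline; fetch_live() shows how the same check would be fed from boto3.

```python
"""Audit tag-driven transit VPC spoke enrolment (added example, assumptions noted)."""

SPOKE_TAG_KEY = "transitvpc:spoke"   # tag used in the post
SPOKE_TAG_VALUE = "true"             # assumed value the Lambda poller looks for


def get_tag(resource, key):
    """Return the value of tag `key` on an EC2 resource dict, or None if absent."""
    for tag in resource.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def audit_spokes(vgws, vpn_connections, tag_key=SPOKE_TAG_KEY, expected=SPOKE_TAG_VALUE):
    """Cross-check VGW spoke tags against the VPN connections that exist.

    enrolled:  VGW ids carrying the spoke tag (what the poller will act on)
    bad_tag:   VGWs with the key but an unexpected value (silently ignored by the poller)
    missing:   enrolled VGWs with no VPN connection at all (poller pending or failed)
    unhealthy: VPN connections to enrolled VGWs that are not available with both tunnels UP
    untagged:  VPN connections attached to VGWs outside the tag-driven process
    """
    by_vgw = {}
    for conn in vpn_connections:
        by_vgw.setdefault(conn.get("VpnGatewayId"), []).append(conn)

    enrolled, bad_tag = set(), []
    for vgw in vgws:
        value = get_tag(vgw, tag_key)
        if value is None:
            continue
        if value.strip().lower() == expected:
            enrolled.add(vgw["VpnGatewayId"])
        else:
            bad_tag.append(vgw["VpnGatewayId"])

    missing = sorted(v for v in enrolled if v not in by_vgw)
    unhealthy = []
    for vgw_id in sorted(enrolled):
        for conn in by_vgw.get(vgw_id, []):
            up = [t for t in conn.get("VgwTelemetry", []) if t.get("Status") == "UP"]
            # HA to the CSR pair means two tunnels per connection; both should be UP.
            if conn.get("State") != "available" or len(up) < 2:
                unhealthy.append(conn["VpnConnectionId"])
    untagged = sorted(c["VpnConnectionId"] for c in vpn_connections
                      if c.get("VpnGatewayId") not in enrolled)
    return {"enrolled": sorted(enrolled), "bad_tag": sorted(bad_tag),
            "missing": missing, "unhealthy": sorted(unhealthy), "untagged": untagged}


def fetch_live():
    """Pull real responses with boto3 (needs AWS credentials; not used by the sample run)."""
    import boto3  # imported here so the audit itself has no AWS dependency
    ec2 = boto3.client("ec2")
    vgws = ec2.describe_vpn_gateways()["VpnGateways"]
    vpns = ec2.describe_vpn_connections()["VpnConnections"]
    return vgws, vpns


# Constructed sample data shaped like the EC2 API responses (not real resources).
SAMPLE_VGWS = [
    {"VpnGatewayId": "vgw-0a1", "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
    {"VpnGatewayId": "vgw-0b2", "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
    {"VpnGatewayId": "vgw-0c3", "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "yes"}]},
    {"VpnGatewayId": "vgw-0d4", "Tags": [{"Key": "Name", "Value": "legacy-vpn"}]},
    {"VpnGatewayId": "vgw-0e5", "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
]
SAMPLE_VPNS = [
    {"VpnConnectionId": "vpn-111", "VpnGatewayId": "vgw-0a1", "State": "available",
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "UP"}]},      # to CSR 1
    {"VpnConnectionId": "vpn-112", "VpnGatewayId": "vgw-0a1", "State": "available",
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "UP"}]},      # to CSR 2
    {"VpnConnectionId": "vpn-222", "VpnGatewayId": "vgw-0b2", "State": "pending",
     "VgwTelemetry": [{"Status": "DOWN"}, {"Status": "DOWN"}]},  # still coming up
    {"VpnConnectionId": "vpn-444", "VpnGatewayId": "vgw-0d4", "State": "available",
     "VgwTelemetry": [{"Status": "UP"}, {"Status": "UP"}]},      # created outside the poller
]

if __name__ == "__main__":
    for name, ids in audit_spokes(SAMPLE_VGWS, SAMPLE_VPNS).items():
        print(f"{name:10s} {ids}")
```

Run against the constructed data the report flags vgw-0c3 (wrong tag value, so the poller never sees it), vgw-0e5 (tagged but no connection yet), vpn-222 (still pending) and vpn-444 (a VPN that exists outside the tag-driven process). In a live account, replace the two sample lists with the tuple returned by fetch_live(); a non-empty untagged list is the one to look at first, since it is a route into the network that the tag review would not have surfaced.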
