Transit Gateway is an awesome feature announced by Amazon Web Service to simplify the network connectivity. In the previous scenario, you had to use VPC Peering or Transit VPC concept to form transitive nature. Using peering connection you had to implement a full mesh topology with the AWS VPC’s to make communication between each other. In VPC Peering you can’t create or connect VPN connections with an on-premises network. To know more about VPC Peering click here.
In Transit VPC concept you need to launch an AWS Marketplace VPN Appliance to the EC2 instance and connect all the network (VPC’s and on-premises) to the VPN Appliance using the VPN connection. This will increase the cost and maintenance. To know more about Transit VPC concept click here.
Using AWS Transit Gateway, you can easily implement the transitive network architecture within a few clicks.
To implement the transitive network using Transit Gateway first, go to the VPC Console and Create VPCs.
Next, create Transit Gateway for that: VPC console → Transit Gateway → Create Transit Gateway
Fill the Field with Name and Description. ASN is the Autonomous System Number of your Transit Gateway, You can use the range from 64512–65534 or 4200000000–4294967294.
Equal-Cost Multi-Path (ECMP) is a routing strategy for forwarding the packets to the next-hop using best path. You can check for creating ‘Default route table association and propagation’ or else you can create it later.
If you are planning to connect the VPCs from a different account you need to check ‘Auto accept shared attachments’ to see the cross-account transit gateway attachments automatically.
After creating the Transit Gateway, you need to attach the VPCs or create VPNs to make transitive nature. For that,
VPC Console → Transit Gateway Attachments → Create Transit Gateway Attachment
Select the Transit Gateway from the ‘Transit Gateway ID’ list and check either VPC or VPN attachment.
In VPC Attachment, specify the attachment name and then select the VPC from the ‘VPC ID’ list which you want to attach with transit gateway. You need to select at least one subnet from the list of subnets, but you can select only one subnet per Availablity Zone.
In VPN Attachment, you need to define Customer Gateway to create a VPN connection to On-Premises or other Routing devices in the cloud. You can create new Customer Gateway or select from the ‘Customer Gateway ID’ if you had already created. After creating the VPN Connection you need to download the configuration file from the ‘VPN Connection’ console. To know more about VPN Connection click here.
Once the attachment is completed, you can see the attached VPCs or VPNs on the ‘Transit Gateway Attachment’ console.
If you had already checked ‘Default route table association’ and ‘Default route table propagation’ in the above steps, it will create automatically ‘Transit Gateway Route Table’ with Propagations and Associations.
If not checked, you need to create ‘Transit Gateway Route Table’ with Associations and Propagations for each Attachment.
You can also create more route entries in the Transit Gateway Route Table with Transit Gateway Attachments. To create new Routes,
Transit Gateway Route Tables → Select ‘Route Table’ → ‘Routes’ Tab
Once you complete this, you need to update VPC Route Table.
VPC Console → Route Tables → Select the route table belonging to the VPC which is attached to Transit Gateway → tab ‘Routes’ → Edit Routes
If you want to connect VPCs to the Transit Gateway from outside of the AWS Account within the same region, you need to share the Transit Gateway using Resource Access Manager. For that,
AWS Console → Resource Access Manager → Resource share → Create resource share.
From the new window, Give the name for the resource to share and ‘select resource type’ as ‘Transit Gateway’. Select the transit gateway which would like to share from the list.
Provide the AWS Account ID of the account for which you want to share the resource and also mention the tag. Then click ‘Save changes’.
Now, Login to the AWS account where you have shared the Resources, and go to the AWS Console → Resource Access Manager → Resource shares.
You will get a resource invitation with account id, from the account which you had shared the resource. Select the resource from the page, and click ‘Accept resource share’ to avail this resource in the AWS Account.
Once you have completed the process, the Transit Gateway which you have shared will be available on this AWS Account.
Now, you can follow the same steps as above to attach the VPC’s and VPN’s of this account to the shared Transit Gateway.
- Transit VPC can’t initiate the Traffic
- You can’t share the Transit Gateway to a different region in a single account or cross-account.
You can easily create a transitive network in the AWS infra using AWS Transit Gateway service instead of using AWS Marketplace VPN Appliance. This way you can easily connect VPC’s and VPN’s to the AWS Transit Gateway within the account or cross-account within the same region.