Transit VPC Using Cisco CSR 1000v — AWS

Mohamed Jawad P
5 min read · Jun 12, 2018


This blog has been moved from Medium to blogs.tensult.com. All the latest content will be available there.

To achieve transitive routing between the networks in your architecture you can use the transit VPC concept. To know more about the other use cases click here.

In a transit VPC you use a public subnet that contains a host-based VPN appliance running on an Amazon EC2 instance. You can choose a VPN appliance from the AWS Marketplace, such as Cisco CSR, Juniper vSRX, etc., and launch the instance from that AMI. To know more about the VPN appliance types and pricing click here.

Here I am using the Cisco Cloud Services Router (Cisco CSR 1000v) as the VPN appliance. This AMI runs Cisco IOS XE features and uses AWS instances with a direct I/O path for higher and more consistent performance. To know more about the Cisco CSR 1000v click here.

The Cisco CSR 1000v is configured in a public subnet of the transit VPC. By default, the Cisco CSR 1000v has a single network interface, to which both the private IP and the public IP are assigned. All the spoke VPCs and on-premises networks connect to the Cisco CSR instance in the transit VPC through VPN connections (Figure — 1).

Figure — 1

AWS managed VPN is configured in every spoke VPC and connected to the Cisco CSR. The public IP of the Cisco CSR acts as the customer gateway for all the spoke VPCs. Routing between the peers is either static or BGP.

After the AWS VPN is set up in every VPC, download the configuration file for the device at the other end (the customer gateway), which AWS provides, and apply it on the Cisco CSR in the transit VPC.

Figure — 2

As shown in Figure — 2, you can configure shared services in any of the VPCs, and they will be accessible from everywhere with low latency. The on-premises DC and the transit VPC are connected with GRE and IPsec VPN. You can also configure a multi-AZ setup to get high availability and redundancy.

VPN Setup: Transit VPC — Spoke VPC

  1. Set up an AWS managed VPN connection in all the spoke VPCs, using the public IP of the Cisco CSR as the customer gateway. To know more about creating an AWS managed VPN click here.
  2. After that, the following figures will help you launch the Cisco CSR 1000v:

Select the Cisco CSR 1000v AMI from the AWS marketplace.

Select the VPC

You may add more storage if needed; otherwise go to “Add Tags”, add the tags, then click on “Configure Security Group”.

You can add more Rules in the security group depending upon your requirements.

After reviewing click on “Launch” and select or create the key pair to access the instance in a secure manner.

3. After the launch, you need a public IP to access the instance. Since “auto-assign public IP” was disabled at launch, create an Elastic IP and associate it with this Cisco CSR instance.

After allocating the Elastic IP, select that IP, go to Actions and associate the IP with the Cisco CSR instance.

You can associate the Elastic IP with either the network interface or the instance.

4. After associating the EIP with the instance, you can access the instance over “ssh” using your private key.

For example: if the EIP of the instance is 1.2.3.4 and the key pair is named aws.pem, then to access the instance:

“ssh -i aws.pem ec2-user@1.2.3.4”

Once you have logged in successfully, you are at the Cisco CSR router prompt. Enter “configure terminal” to enter configuration mode.

In configuration mode, configure the VPN connection between the spoke VPCs and the transit VPC using the downloaded AWS managed VPN configuration files of the spoke VPCs. The downloaded file is a “.txt” file; open it, edit the interface name, and paste the entire configuration into the Cisco CSR. To know more about Cisco CSR VPN configuration click here.

5. After all the configuration is done, check the status of the VPN tunnels from the “VPN Connections” console:

VPC → VPN Connection → Select the VPN connection → Tunnel Details Tab

6. Disable the source/destination check. By default, an EC2 instance performs source/destination checks, meaning it must be the source or destination of any traffic it sends or receives. The Cisco CSR forwards traffic between the spoke VPCs and the on-premises networks on behalf of other hosts, so you must disable the source/destination check on it.

For that, go to the EC2 instance console and select the Cisco CSR instance → click on Actions → Networking → Change Source/Dest. Check, and disable it with “Yes, Disable”.

Now all the spoke VPCs can communicate with the transit VPC, and the spoke VPCs can also talk to each other.
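As an added example (not from the original post or Cisco/AWS), the Python below automates the two manual points in steps 4 and 5: the edit to the AWS-generated Cisco config so it works on a CSR that only owns its private IP (the Elastic IP is NATed by AWS), and the tunnel-status check that the console's Tunnel Details tab shows. It assumes the CSR's first interface is GigabitEthernet1 and uses a constructed config excerpt and a constructed describe_vpn_connections() response, not real values.

```python
import re

# Constructed excerpt shaped like the AWS-generated "Cisco Systems, Inc." customer
# gateway file from step 4 (documentation-range addresses, placeholder PSK).
SAMPLE_AWS_CONFIG = """\
crypto keyring keyring-vpn-example-0
  local-address 1.2.3.4
  pre-shared-key address 203.0.113.10 key REPLACE_WITH_PSK
exit
crypto isakmp profile isakmp-vpn-example-0
  local-address 1.2.3.4
  match identity address 203.0.113.10
  keyring keyring-vpn-example-0
exit
interface Tunnel1
  ip address 169.254.10.2 255.255.255.252
  tunnel source 1.2.3.4
  tunnel destination 203.0.113.10
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-example-0
  no shutdown
exit
"""

# Constructed describe_vpn_connections() response, the data behind the console's
# "Tunnel Details" tab in step 5; only the fields this example reads are included.
SAMPLE_TELEMETRY = {"VpnConnections": [{"VpnConnectionId": "vpn-EXAMPLE",
    "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                     {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}]}]}


def adapt_for_ec2(config, public_ip, private_ip, iface="GigabitEthernet1"):
    """Rewrite the AWS file for a CSR inside EC2. The file assumes the router
    owns the public IP; in EC2 the interface only carries the private IP (the
    Elastic IP is NATed), so 'local-address <EIP>' becomes the private IP and
    'tunnel source <EIP>' becomes the interface name (assumed GigabitEthernet1)."""
    ip = re.escape(public_ip)
    out = []
    for line in config.splitlines():
        line = re.sub(rf"^(\s*local-address ){ip}$", rf"\g<1>{private_ip}", line)
        line = re.sub(rf"^(\s*tunnel source ){ip}$", rf"\g<1>{iface}", line)
        out.append(line)
    return "\n".join(out) + "\n"


def down_tunnels(response):
    """Return (vpn id, outside IP) for every tunnel whose status is not UP."""
    return [(c["VpnConnectionId"], t["OutsideIpAddress"])
            for c in response.get("VpnConnections", [])
            for t in c.get("VgwTelemetry", []) if t.get("Status") != "UP"]
```

With boto3, the real response for down_tunnels() comes from ec2.describe_vpn_connections(), and the same client's modify_instance_attribute(InstanceId=..., SourceDestCheck={"Value": False}) performs step 6.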

Setup: Transit VPC — On-premises DC

Now you need to configure the VPN connection between the on-premises network and the transit VPC. To know more about the VPN configuration setup click here.

Related Blogs:

To know more about Redundancy best practice (Multi VPN setup) click here.
