16 Transit VPC

The document describes how to use a transit gateway to enable communication between multiple VPCs and on-premises networks. It outlines setting up a transit gateway with attachments for 3 VPCs to allow inter-VPC communication. It then describes adding a VPN attachment to the same transit gateway to establish a site-to-site VPN with an on-premises network, allowing communication between the VPCs and on-premises resources. The steps provided configure routing and security to test connectivity in both directions across the transit gateway.


Transit VPC

The problem: a network interconnecting 4 VPCs

[Diagram: VPC A, VPC B, VPC C and VPC D, each with its own VGW, fully meshed by 6 VPC peering connections; on-premise DC #1 reaches AWS through a Customer Gateway (VPN) and on-premise DC #2 through Direct Connect]

www.kvriksh.com
Solution 1: Transit VPC (introduced in 2016)

HUB AND SPOKE TOPOLOGY

● Simplifies the network
● Needs fewer connections
● Reduces the overall cost of physical network devices
● Reduces time and effort
● Allows deploying IPS/IDS in the hub

[Diagram: VPC A, VPC B, VPC C and VPC D, each with a VGW, are spokes of a central Transit VPC running two Cisco CSR 1000v instances; on-premise DC #1 and DC #2 connect to the hub through their Customer Gateways (Direct Connect and VPN)]


The problem with VPC peering & Transit VPC
VPC Peering:
● Point-to-point connection between two VPCs
● Non-transitive: A peered with B and B peered with C does not let A reach C, so a full mesh of n VPCs needs n(n-1)/2 peerings (6 for the 4 VPCs above)
● Separate VPN or Direct Connect connection for each VPC that needs on-premise access

Transit VPC:
● Instance based (Cisco CSR 1000V routers running in EC2)
● Additional EC2 cost
● Software licensing cost
● Availability issues: you run, patch and fail over the router instances yourself
● Bandwidth limited by the EC2 instance type
Solution 2: Transit Gateway (re:Invent 2018)
HUB AND SPOKE TOPOLOGY

● Fully managed gateway
● Scales automatically
● Highly available
● Supports up to 5,000 attachments (VPCs, VPNs, Direct Connect gateways, peerings) per transit gateway
● Bandwidth up to 50 Gbps per VPC attachment (each VPN tunnel is limited to 1.25 Gbps)

[Diagram: VPC A, VPC B, VPC C and VPC D attached to a central Transit Gateway; on-premise DC #1 and DC #2 connect through their Customer Gateways over Direct Connect and VPN]
Exercise: Setup Transit Gateway

● 3 VPCs in the same AWS Region
● VPN connection to a simulated on-premise DC

[Diagram: VPC A, VPC B and VPC C attached to a Transit Gateway, which also has a VPN connection to the Customer Gateway of on-premise DC #1]
Exercise topology:

● VPC A 10.10.0.0/16: public subnet 10.10.0.0/24 (AZ1) with EC2-A; Internet Gateway attached, so EC2-A is reachable from the Internet
● VPC B 10.20.0.0/16: private subnet 10.20.0.0/24 (AZ1) with EC2-B
● VPC C 10.30.0.0/16: private subnet 10.30.0.0/24 (AZ1) with EC2-C
● Transit Gateway with one VPC attachment each for VPC A, VPC B and VPC C, plus one VPN attachment
● VPN-VPC 192.168.0.0/16 (plays on-premise DC #1): public subnet 192.168.0.0/24 with an EC2 instance running Openswan, which acts as the Customer Gateway for the Site-to-Site VPN
Steps - Part 1 - Inter VPC communication
1. Create VPC-A (10.10.0.0/16) with a single public subnet in Region A (Mumbai)
2. Create VPC-B (10.20.0.0/16) with a single private subnet in Region A
3. Create VPC-C (10.30.0.0/16) with a single private subnet in Region A
4. Create VPC-VPN (192.168.0.0/16) with a single public subnet in Region B (N. Virginia); it plays the on-premise DC
5. Launch an EC2 instance in each of the subnets created above, 4 instances in total. In the security group of each instance, open inbound ICMP from source 10.0.0.0/8 (covers the other VPCs). This lab-wide rule is deliberately broad; outside a lab, scope it to the specific VPC CIDRs that need access
6. Log in to EC2-A (SSH using its public IP) and try to ping the private IPs of EC2-B, EC2-C and EC2-VPN. This does not work: the route table of VPC-A's subnet has no route to those CIDRs
7. Create a Transit Gateway in Region A
8. Create 3 attachments, for VPC-A, VPC-B and VPC-C. With the default settings every attachment is associated with, and propagates its routes to, the default Transit Gateway route table, so all attached VPCs can reach each other; use separate Transit Gateway route tables if some VPCs must stay isolated
9. Modify the subnet route tables of VPC-A, VPC-B and VPC-C to route traffic for destination 10.0.0.0/8 through the Transit Gateway. The route is needed in every VPC: without it in VPC-B, EC2-B cannot send its replies back
10. Verify that traffic now flows from EC2-A to EC2-B and EC2-C over private IP addresses
11. Congratulations!!
12. Extend VPC-A by associating one more CIDR, e.g. 10.40.0.0/16
13. Verify in the Transit Gateway route table that this new CIDR is propagated automatically from the VPC attachment
Steps - Part 2 - VPN communication
1. For the same Transit Gateway, create a VPN attachment (a Site-to-Site VPN connection whose target gateway is the Transit Gateway)
2. Create the Customer Gateway with the public IP address of EC2-VPN
3. Choose static routing
4. After the Site-to-Site VPN connection is created, download the VPN configuration for Openswan. It contains the tunnel pre-shared keys, so treat the file as a secret
5. Log in to EC2-VPN over SSH using its public IP
6. Set up the VPN with Openswan (refer to the Site-to-Site VPN exercise)
7. After ipsec is configured, start the ipsec service
8. Verify in Region A that the Site-to-Site VPN connection shows 1 tunnel UP
9. Try to ping EC2-VPN from EC2-A. This does not work because the route table of VPC-A's subnet has no route for 192.168.0.0/16
10. Add a route for destination 192.168.0.0/16 via the Transit Gateway in the route table of VPC-A's public subnet. With static routing the Transit Gateway route table also needs a static route for 192.168.0.0/16 pointing at the VPN attachment (static VPN routes are not propagated), so check that it is there
11. Traffic now flows from EC2-A to EC2-VPN. Congratulations!!
12. Ping EC2-A from EC2-VPN. This does not work because the security group of EC2-A does not allow ICMP from 192.168.0.0/16 (the ping in the other direction worked because security groups are stateful and let the reply through)
13. Open the security group of EC2-A for inbound ICMP from source 192.168.0.0/16
14. Traffic now also flows from EC2-VPN to EC2-A, i.e. from on-premise to the AWS VPC
15. Be happy.. you just did it :). Don't forget to terminate everything you created for this exercise.
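The two step lists above, replayed as an added example (not part of the deck): a small Python model of the subnet route tables, the Transit Gateway route table, the static VPN attachment and the ICMP security-group rules, which reproduces every point where a ping fails in Part 1 and Part 2 and states why. The instance IPs (.10 in each subnet), the class and function names, and modelling the Openswan host by its IPsec selectors are assumptions; the CIDRs and rules come from the exercise.

```python
"""Route-resolution model of the exercise above (an added example, not part of
the deck).  It walks the subnet route table, the transit gateway route table,
the IPsec selectors of the Openswan host and the target security group, so each
"this does not work" step of Part 1 and Part 2 can be reproduced with a reason.
Instance IPs (.10 in each subnet) are assumed; CIDRs and rules are the deck's."""
import ipaddress


def lpm(table, dst):
    """Longest-prefix match over {cidr: target}; returns the target or None."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


class Lab:
    def __init__(self):
        self.vpc_cidrs = {"VPC-A": ["10.10.0.0/16"], "VPC-B": ["10.20.0.0/16"],
                          "VPC-C": ["10.30.0.0/16"], "VPC-VPN": ["192.168.0.0/16"]}
        # Subnet route tables: the implicit local route; public subnets default to the IGW.
        self.subnet_rt = {v: {c: "local" for c in cs} for v, cs in self.vpc_cidrs.items()}
        self.subnet_rt["VPC-A"]["0.0.0.0/0"] = self.subnet_rt["VPC-VPN"]["0.0.0.0/0"] = "igw"
        self.hosts = {"EC2-A": ("VPC-A", "10.10.0.10"), "EC2-B": ("VPC-B", "10.20.0.10"),
                      "EC2-C": ("VPC-C", "10.30.0.10"), "EC2-VPN": ("VPC-VPN", "192.168.0.10")}
        self.sg_icmp = {h: ["10.0.0.0/8"] for h in self.hosts}  # Part 1 step 5
        self.attached = set()      # VPCs that have a transit gateway attachment
        self.tgw_rt = {}           # transit gateway route table: cidr -> attachment
        self.ipsec_selectors = {}  # destinations the Openswan host sends into the tunnel

    def attach_vpc(self, vpc):
        """A VPC attachment propagates every CIDR of that VPC into the TGW table."""
        self.attached.add(vpc)
        for cidr in self.vpc_cidrs[vpc]:
            self.tgw_rt[cidr] = vpc

    def add_vpc_cidr(self, vpc, cidr):
        """Part 1 steps 12-13: a secondary CIDR reaches the TGW table by itself."""
        self.vpc_cidrs[vpc].append(cidr)
        self.subnet_rt[vpc][cidr] = "local"
        if vpc in self.attached:
            self.tgw_rt[cidr] = vpc

    def bring_up_vpn(self, onprem_cidr, aws_cidr):
        """Static VPN attachment: nothing is propagated, so the TGW table gets a
        static route to the attachment and the Openswan host a selector for AWS."""
        self.tgw_rt[onprem_cidr] = "vpn"
        self.ipsec_selectors[aws_cidr] = "tunnel"

    def _forward(self, src_host, dst_ip):
        vpc, _ = self.hosts[src_host]
        table = dict(self.subnet_rt[vpc])
        if vpc == "VPC-VPN":  # the CGW instance applies its IPsec policy first
            table.update(self.ipsec_selectors)
        hop = lpm(table, dst_ip)
        if hop == "local":
            return True, "local"
        if hop not in ("tgw", "tunnel"):
            return False, f"{vpc} route table sends {dst_ip} to {hop or 'nowhere'}"
        if hop == "tgw" and vpc not in self.attached:
            return False, f"{vpc} has no transit gateway attachment"
        nxt = lpm(self.tgw_rt, dst_ip)
        if nxt is None:
            return False, f"transit gateway route table has no route for {dst_ip}"
        return True, f"transit gateway -> {nxt}"

    def reachable(self, src_host, dst_host):
        """Ping works only if both legs route and the target SG admits the source
        (security groups are stateful, so the echo reply needs no rule of its own)."""
        src_ip, dst_ip = self.hosts[src_host][1], self.hosts[dst_host][1]
        for leg, s, d in (("forward", src_host, dst_ip), ("return", dst_host, src_ip)):
            ok, why = self._forward(s, d)
            if not ok:
                return False, f"{leg}: {why}"
        if lpm({c: "allow" for c in self.sg_icmp[dst_host]}, src_ip) is None:
            return False, f"security group of {dst_host} has no ICMP rule for {src_ip}"
        return True, "ok"


def walkthrough():
    """Replays the deck's steps; returns {step: (reachable, reason)}."""
    lab, log = Lab(), {}
    log["p1 step 6"] = lab.reachable("EC2-A", "EC2-B")           # no TGW yet
    for vpc in ("VPC-A", "VPC-B", "VPC-C"):                      # steps 7-8
        lab.attach_vpc(vpc)
    lab.subnet_rt["VPC-A"]["10.0.0.0/8"] = "tgw"                 # step 9, VPC-A only
    log["p1 step 9 partial"] = lab.reachable("EC2-A", "EC2-B")
    for vpc in ("VPC-B", "VPC-C"):                               # step 9, the rest
        lab.subnet_rt[vpc]["10.0.0.0/8"] = "tgw"
    log["p1 step 10"] = lab.reachable("EC2-A", "EC2-C")
    lab.add_vpc_cidr("VPC-A", "10.40.0.0/16")                    # steps 12-13
    log["p1 step 13"] = (lab.tgw_rt.get("10.40.0.0/16") == "VPC-A", "propagated")
    lab.bring_up_vpn("192.168.0.0/16", "10.0.0.0/8")             # Part 2 steps 1-8
    log["p2 step 9"] = lab.reachable("EC2-A", "EC2-VPN")
    lab.subnet_rt["VPC-A"]["192.168.0.0/16"] = "tgw"             # step 10
    log["p2 step 11"] = lab.reachable("EC2-A", "EC2-VPN")
    log["p2 step 12"] = lab.reachable("EC2-VPN", "EC2-A")
    lab.sg_icmp["EC2-A"].append("192.168.0.0/16")                # step 13
    log["p2 step 14"] = lab.reachable("EC2-VPN", "EC2-A")
    return log
```

walkthrough() returns, per step, whether the ping succeeds and the reason it does not. The half-finished step 9 shows why the 10.0.0.0/8 route is needed in the spoke VPCs as well: the transit gateway is only consulted when a subnet route points at it, so the reply from EC2-B has nowhere to go. Part 2 step 12 shows that a working ping in one direction says nothing about the other when the security-group rules are asymmetric.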
