AWS – Managing a transit gateway


A transit gateway is a brand new service, as of 2019, and it solves a problem that’s faced by many architects who want to create complex environments spanning several networks. To understand the need for transit gateways, first, you need to understand the non-transitive nature of an AWS VPC.

A VPC can peer with other VPCs, which sets up a bi-directional route between those VPCs. However, what’s not supported is transitive routing via an intermediate VPC, as shown in the following diagram:

VPC peering

VPC A and VPC B have a peering relationship. VPC B and VPC C also have a peering relationship. Network traffic can be routed successfully (indicated by the green arrows) from A to B and from B to C, but not from A to C via B (indicated by the red arrow).

Before Transit Gateway was introduced, a complex setup involving a Cisco Cloud Services Router (CSR) was required. While this did enable the creation of a transit VPC (which would allow traffic via the red arrow in the preceding diagram), it was costly and difficult to configure. Transit Gateway solves this problem in an AWS-native way.

Getting ready

To complete this recipe, you will need to create two new EC2 instances in two separate VPCs:

  • Follow the Creating a VPC and subnets recipe in this chapter to create VPCs with non-overlapping CIDR blocks.
  • Follow the Launching an instance recipe in Chapter 4, AWS Compute, to create an EC2 instance in each VPC.

How to do it…

Follow these steps to configure a transit gateway to communicate between two VPCs that do not have a direct peering relationship:

  1. Log in to your account and go to the VPC management console.
  2. Scroll down to the bottom of the menu on the left-hand side of the screen and click Transit Gateways:

Create Transit Gateway

  3. Click Create Transit Gateway.
  4. Fill out the Name tag and Description for the transit gateway:

Transit Gateway name and description

  5. In the Configure the Transit Gateway section, leave the defaults as they are:

Configure the Transit Gateway screen

  6. Click Create Transit Gateway.
  7. Immediately after creation, the gateway will be in a pending state:

Gateway pending

  8. Once the gateway is available, select Transit Gateway Attachments from the left-hand menu and click Create Transit Gateway Attachment:

Create Transit Gateway Attachment screen

  9. On the following screen, select the transit gateway from the Transit Gateway ID dropdown.
  10. Give the attachment an Attachment name tag.
  11. Select one of your VPCs in the VPC ID dropdown.
  12. Select the subnets from that VPC.
  13. Click Create Attachment and then repeat steps 9-12 for the other VPC.
  14. Go to Route Tables under the Virtual Private Cloud menu.
  15. Choose one of the VPC route tables and add a route for the IP addresses in the other VPC to point to the transit gateway target. Do the same for the other VPC.
  16. Test the connectivity between the EC2 instances you created in each VPC. Note that the ping command will be blocked by NACL firewall rules that prevent ICMP traffic.
  17. Once you’ve finished, delete the Transit Gateway to avoid any future charges.

How it works…

Transit gateway operates at layer 3 of the Open Systems Interconnection (OSI) model. Layer 3 is the network layer, which sits between the data link layer (layer 2) and the transport layer (layer 4). This layer handles the forwarding of packets and communication with routers along the network path from the origin to the destination.

Transit Gateway greatly simplifies connecting multiple VPCs by allowing you to configure your network as a hub and spoke design, where each VPC (a spoke) only needs to be connected to the gateway (the hub). VPN connections can also be connected to the hub to enable hybrid connectivity scenarios with on-premises networks.

The Transit Gateway default route table is automatically configured with the routes that are needed to connect your VPCs. VPN connection routes are propagated to the network in your data center by means of the Border Gateway Protocol (BGP). You can also create route tables manually in order to segment network traffic.
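To make the route-table behaviour described above concrete, here is a small model of the forwarding decision a transit gateway makes, added as an example and not taken from the book or from AWS. Each attachment is associated with exactly one gateway route table; a packet arriving from that attachment is looked up in that table with longest-prefix match, and propagation is what inserts an attachment's VPC CIDR into a table. `default_table_demo()` reproduces the recipe's outcome (one default table, every attachment associated and propagated, so the two VPCs reach each other without peering); `segmented_demo()` shows the manual route tables the last sentence refers to, with a blackhole route demonstrating longest-prefix precedence. Every attachment ID and CIDR here is constructed.

```python
"""Model of transit gateway route lookup (added example, not from the book)."""
import ipaddress


class RouteTable:
    """A gateway route table: destination CIDR -> attachment ID or "blackhole"."""

    def __init__(self, name):
        self.name = name
        self.routes = {}

    def add_route(self, cidr, target):
        self.routes[ipaddress.ip_network(cidr)] = target

    def lookup(self, dst_ip):
        """Longest-prefix match, as the gateway does; None when nothing matches."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net, tgt) for net, tgt in self.routes.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class TransitGateway:
    def __init__(self):
        self.tables = {}
        self.association = {}  # attachment ID -> name of its single associated table

    def add_table(self, name):
        self.tables[name] = RouteTable(name)
        return self.tables[name]

    def attach(self, att_id, cidr, associate_with, propagate_to):
        """Associate the attachment with one table (consulted for traffic *from* it)
        and propagate its CIDR into the tables whose attachments may reach it."""
        self.association[att_id] = associate_with
        for name in propagate_to:
            self.tables[name].add_route(cidr, att_id)

    def forward(self, src_att, dst_ip):
        """Attachment the packet is forwarded to, or None if the gateway drops it."""
        target = self.tables[self.association[src_att]].lookup(dst_ip)
        return None if target in (None, "blackhole") else target


def default_table_demo():
    """The recipe's result: one default table, both VPCs associated with it and
    propagated into it, so A reaches C although A and C are not peered."""
    tgw = TransitGateway()
    tgw.add_table("default")
    tgw.attach("att-vpc-a", "10.10.0.0/16", "default", ["default"])
    tgw.attach("att-vpc-c", "10.30.0.0/16", "default", ["default"])
    return tgw


def segmented_demo():
    """Manually created tables: prod and dev each reach a shared-services VPC and
    nothing else; a /24 blackhole in the shared table overrides the /16 route, so
    shared services cannot reach that one dev subnet (longest prefix wins)."""
    tgw = TransitGateway()
    for name in ("prod", "dev", "shared"):
        tgw.add_table(name)
    tgw.attach("att-prod", "10.1.0.0/16", "prod", ["shared"])
    tgw.attach("att-dev", "10.2.0.0/16", "dev", ["shared"])
    tgw.attach("att-shared", "10.9.0.0/16", "shared", ["prod", "dev"])
    tgw.tables["shared"].add_route("10.2.50.0/24", "blackhole")
    return tgw


if __name__ == "__main__":
    d, s = default_table_demo(), segmented_demo()
    print("default table: A -> 10.30.4.7 via", d.forward("att-vpc-a", "10.30.4.7"))
    print("segmented: dev -> 10.1.1.1 via", s.forward("att-dev", "10.1.1.1"))
    print("segmented: shared -> 10.2.50.9 via", s.forward("att-shared", "10.2.50.9"))
```

The default-table case is the reason a freshly created gateway behaves like a full mesh between its attachments; the segmented case is the least-privilege layout, where reachability is decided per table rather than for the whole hub.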

Using AWS Resource Access Manager (RAM), you can share your Transit Gateway with other accounts so that the VPCs in that account can connect to your networks.
