Private Network Connectivity between AWS Regions leveraging AWS Transit Gateway

Prasiddha Bista

May 16, 2023

In this article, we will configure Transit Gateway to manage network traffic between two AWS Regions. We will deploy an EC2 instance on either side to demonstrate the private network connectivity between them.

Prerequisites

  • You have a VPC deployed with public and private subnets in 2 distinct regions, like “us-east-1” and “ap-southeast-1”, as shown below. It can be the same account, but to make things interesting, I will use two different accounts as well.
  • You have configured an Internet Gateway, a NAT Gateway and the routes.
  • Follow the VPC launch wizard from the VPC Dashboard for simplicity.
  • Also, deploy an EC2 instance with an SSM access role in each region’s private subnet. We will use Session Manager to log in to the instances and try communicating across regions via the AWS backbone (Transit Gateway).

NOTE: A NAT Gateway is required for this demonstration as I will be using AWS Session Manager to log in to the instances for testing network connectivity. An alternative would be to create a bastion host to be able to SSH into these instances.

NOTE: Ensure your VPC CIDR blocks are unique on either side. I am utilizing “10.0.0.0/16” and “192.168.0.0/16” CIDR blocks.

Architecture Diagram

Workflow

Assuming you have the VPC and EC2 instances set up as shown in the architecture diagram above, follow these steps to create and configure the transit gateway.

1. Choose an AWS Region to start with; I will be starting with “us-east-1”. Navigate to the VPC console and click on Transit Gateways in the left panel. Then click on “Create Transit Gateway”.

2. Configure Transit Gateway with the following details,

  • Name tag: us-east-1-tgw
  • Description: Transit Gateway for Northern Virginia Region
  • Uncheck the boxes for Default route table association and Default route table propagation, as we will be creating our own route tables and adding routes to them.
  • You can tick the box for Auto accept shared attachments, which will automatically accept any Transit Gateway connection requests coming from the VPCs. For this demo, we will keep it unchecked so we can go through the flow of accepting the connection request.

By default, AWS will create a route table for us and also propagate routes automatically. You can choose to do so for simplicity, but if you have a lot of VPCs talking to each other and you want to segregate routes based on business requirements, you will have to create your own route tables and routes. Hopefully, this demonstration will help you configure your own.

  • Click on “Create Transit Gateway”.

Refer to the following diagram for clarity.

NOTE: Follow the same steps on the other side, in your other AWS Region, as shown in the diagram above.

3. Navigate to Transit Gateway Attachments and click on Create Transit Gateway Attachment.

4. Set up Transit Gateway Attachments for the Transit Gateway on both sides with the configuration shown below. In this step we attach the VPC local to each AWS Region to that region’s Transit Gateway.

  • Transit Gateway ID: Choose the ID of the Transit Gateway you created in step 2.
  • Attachment type: VPC
  • Attachment name tag: us-east-1-local-vpc-attachment
  • VPC ID: Select the VPC you have deployed.
  • Subnet IDs: Choose private subnet(s) from your VPC.
  • Click on “Create Attachment”.

Note: It might take a few minutes for the attachment to become available.

5. Now, let’s configure the VPC route tables before we create and configure the Transit Gateway route tables and their routes. Navigate to Route Tables and select the route table that has the private subnet(s) associated with it. Then click on Routes and “Edit Routes”.

  • Notice the VPC CIDR blocks under routes. Add a route with the destination being the CIDR block of the other region’s VPC and set the Target to the Transit Gateway that we created in step 2. Click on “Save routes”.

6. Let’s create a Transit Gateway Peering Attachment between the two AWS Regions. Navigate to “Transit Gateway Attachments” and click on “Create Transit Gateway Attachment”. Choose the region to initiate the peering request from so you can accept it from the other side. I will be initiating the peering request from “us-east-1”.

  • Transit Gateway ID: Choose the ID of the Transit Gateway you created in step 2.
  • Attachment type: Peering Connection
  • Attachment name tag: peer-ap-southeast-1
  • Account: Select “Other account”
  • Account ID: Enter the AWS Account ID of the peer account.
  • Region: Enter the AWS Region of the peer account.
  • Transit Gateway (acceptor): Enter the peer transit gateway ID.
  • Click on “Create Attachment”.

7. Navigate to “Transit Gateway Attachments” on the other side (Singapore for me), where you will see a peering attachment in the “pending acceptance” state.

  • Select the peering attachment and click on “Actions”, then click on “Accept” and confirm. This will change the state of the peering attachment from “pending acceptance” to “pending” and finally to “available”.

8. Now that we have a peering attachment between the two AWS regions, it’s time to create the Transit Gateway route tables. The reason we need two transit gateway route tables per region is to allow granular control over the routes: traffic entering the TGW from the local VPC and traffic entering from the peer are routed by separate tables. We will create a route table for the local VPC attachment and another one for the Peering Attachment on both sides.

  • Navigate to Transit Gateway Route Tables and click on “Create Transit Gateway Route Table”.
  • For the local attachment route table, fill in the details as shown below and click on “Create Transit Gateway Route Table”.
  • Click on the local attachment route table, then on “Associations” and finally “Create Association”.
  • Under “Choose attachment to associate” (the only option available), select the local VPC attachment. Then click on “Create association”.
  • Navigate to the “Routes” tab of the local VPC attachment route table and click on “Create Route”. We will be adding a static route pointing to the peer VPC CIDR block and forwarding the traffic via the peering attachment.

NOTE: What we just did is associate the local VPC attachment to the local VPC TGW route table and say that any traffic coming from the local VPC that is destined for the remote VPC is sent via the peering attachment. We will need to do the opposite on the Peering Attachment TGW route table to allow return traffic from the remote VPC.

  • For the peering attachment route table, fill in the details as shown below and click on “Create Transit Gateway Route Table”.
  • Click on the peering attachment route table, then on “Associations” and finally “Create Association”.
  • Under “Choose attachment to associate” (the only option available), select the peering attachment. Then click on “Create association”.
  • Navigate to the “Routes” tab of the peering attachment route table and click on “Create Route”. We will be adding a static route pointing to the local VPC CIDR block and forwarding the traffic via the local VPC attachment.

NOTE: What we just did is associate the remote peering attachment to the Peering Attachment TGW route table and say that any traffic coming from the remote VPC that is destined for the local VPC is sent via the local VPC attachment.

9. Now that we have everything configured, let’s log in to the EC2 instances on either side and run a TCP traceroute against the private IP of the EC2 instance in the other region.

NOTE: You will need to allow TCP traffic from the remote VPC CIDR in your EC2 instance’s security group.
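Before running the traceroute it is worth checking that the routing built in steps 5 to 8 is complete in both directions, since a missing return route (for example, associating the local VPC attachment to both TGW route tables) fails silently until you test. The following is an added example, not part of the original article: it models the two-region topology as plain dictionaries (constructed sample values mirroring the CIDRs used above) and checks the VPC route, the forward leg, the return leg and CIDR overlap for each region. In a real account the same data can be pulled with `aws ec2 get-transit-gateway-route-table-associations` and `aws ec2 search-transit-gateway-routes`.

```python
import ipaddress

# Constructed sample modelled on this walkthrough (not real account data):
# per region, which TGW route table each attachment is associated with,
# the static routes in each TGW route table, and the private VPC route table.
REGIONS = {
    "us-east-1": {
        "vpc_cidr": "10.0.0.0/16",
        "associations": {"local-vpc": "local-vpc-rt", "peering": "peering-rt"},
        "tgw_routes": {"local-vpc-rt": {"192.168.0.0/16": "peering"},
                       "peering-rt": {"10.0.0.0/16": "local-vpc"}},
        "vpc_routes": {"10.0.0.0/16": "local", "192.168.0.0/16": "tgw"},
    },
    "ap-southeast-1": {
        "vpc_cidr": "192.168.0.0/16",
        "associations": {"local-vpc": "local-vpc-rt", "peering": "peering-rt"},
        "tgw_routes": {"local-vpc-rt": {"10.0.0.0/16": "peering"},
                       "peering-rt": {"192.168.0.0/16": "local-vpc"}},
        "vpc_routes": {"192.168.0.0/16": "local", "10.0.0.0/16": "tgw"},
    },
}


def check_region(local, remote):
    """Problems with traffic from `local` to `remote` and with the return leg."""
    problems = []
    lc, rc = (ipaddress.ip_network(r["vpc_cidr"]) for r in (local, remote))
    if lc.overlaps(rc):  # the NOTE in the prerequisites: CIDRs must be unique
        problems.append(f"VPC CIDRs {lc} and {rc} overlap")
    if local["vpc_routes"].get(remote["vpc_cidr"]) != "tgw":  # step 5
        problems.append(f"VPC route table has no {rc} -> TGW route")
    assoc = local["associations"]
    if assoc.get("local-vpc") == assoc.get("peering"):
        problems.append("both attachments associated to one TGW route table")
    # Forward leg (step 8, first table): the table the local VPC attachment is
    # associated with must send the remote CIDR out via the peering attachment.
    fwd = local["tgw_routes"].get(assoc.get("local-vpc"), {})
    if fwd.get(remote["vpc_cidr"]) != "peering":
        problems.append(f"no {rc} -> peering route in local VPC attachment table")
    # Return leg (step 8, second table): the table the peering attachment is
    # associated with must send the local CIDR into the local VPC attachment.
    ret = local["tgw_routes"].get(assoc.get("peering"), {})
    if ret.get(local["vpc_cidr"]) != "local-vpc":
        problems.append(f"no {lc} -> local VPC route in peering attachment table")
    return problems


def check_topology(regions):
    """Run check_region in both directions; an empty list means that side is OK."""
    (a, ra), (b, rb) = regions.items()
    return {a: check_region(ra, rb), b: check_region(rb, ra)}
```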

Congratulations, you have successfully configured Transit Gateway between two AWS Regions, which allows private network connectivity between them. The traffic flows through the AWS backbone and never traverses the public internet.

An aviation enthusiast turned IT geek, Prasiddha comes from a hospitality background where he learnt valuable lessons of life in terms of customer engagements. He recently started his career in IT, working as a Software Engineer focused on Cloud and DevOps. Prasiddha values work ethics and customer relationship and always puts customers first.

Prasiddha Bista

Software Engineer, Cloud and DevOps at Versent
