Centralised Network Connectivity with AWS Transit Gateway

Nanthan Rasiah
5 min read · Feb 15, 2021


The purpose of this post is to explain AWS network design using AWS Transit Gateway. It provides a worked example and CloudFormation templates to help you design an AWS network across regions.

AWS Transit Gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. It simplifies the network architecture with centralised control, management and security. It is a fully managed regional service from AWS and provides a hub-and-spoke pattern for connecting VPCs within the same AWS Region across multiple AWS accounts, together with on-premises networks.

AWS Transit Gateway allows you to create peering connections between Transit Gateways in different AWS Regions. This enables building global AWS networks spanning multiple AWS Regions. Transit Gateways within the same AWS Region cannot be peered.

Amazon VPCs and on-premises locations (either via a VPN tunnel or AWS Direct Connect) connect to AWS Transit Gateway via transit gateway attachments.

A VPC transit gateway attachment requires one subnet in each Availability Zone; that subnet is used to route traffic via the Transit Gateway to all the subnets in that Availability Zone. The default route table of the Transit Gateway is automatically populated with the CIDR ranges of the attached Amazon VPCs. Routing through a transit gateway operates at layer 3: packets are sent to a specific next-hop attachment based on their destination IP addresses. A VPC’s Security Groups cannot be referenced from resources in another VPC via Transit Gateway.

To connect an on-premises location to the transit gateway using a VPN tunnel, a Customer Gateway needs to be created in AWS; it represents the customer gateway device at the on-premises location. The VPN transit gateway attachment is then set up using the Customer Gateway.

To connect an on-premises location to the transit gateway using AWS Direct Connect, a Direct Connect gateway with a transit virtual interface needs to be created in AWS and associated with the Transit Gateway.
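The VPN path described above, as an added example that is not one of the post's own templates: it creates the Customer Gateway record for the on-premises VPN device and a Site-to-Site VPN connection whose AWS end is the transit gateway, which is what produces the VPN transit gateway attachment. The transit gateway id is passed in; the customer gateway IP and ASN defaults are placeholder values, and the resource names are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original post): connects an on-premises office to
  a transit gateway over IPsec VPN. Deploy in the region of that transit gateway
  (the Singapore region in the post's scenario).

Parameters:
  TransitGatewayId:
    Description: 'Transit gateway in this region that the VPN attaches to'
    Type: String
  CustomerGatewayIp:
    Description: 'Public IP of the on-premises VPN device (placeholder, TEST-NET-3 address)'
    Type: String
    Default: '203.0.113.10'
  CustomerGatewayAsn:
    Description: 'BGP ASN of the on-premises VPN device (assumed private ASN)'
    Type: Number
    Default: 65010

Resources:
  # AWS-side record of the on-premises VPN device (see "Customer Gateway" above).
  OfficeCustomerGateway:
    Type: 'AWS::EC2::CustomerGateway'
    Properties:
      Type: ipsec.1
      BgpAsn: !Ref CustomerGatewayAsn
      IpAddress: !Ref CustomerGatewayIp
      Tags:
        - Key: Application
          Value: OfficeVpn

  # Site-to-Site VPN terminated on the transit gateway instead of a VPC virtual
  # private gateway. Creating it creates the VPN transit gateway attachment.
  OfficeVpnConnection:
    Type: 'AWS::EC2::VPNConnection'
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref OfficeCustomerGateway
      TransitGatewayId: !Ref TransitGatewayId
      # false = BGP over the tunnels, so the office prefixes are propagated into the
      # transit gateway route table rather than entered by hand.
      StaticRoutesOnly: false
      Tags:
        - Key: Application
          Value: OfficeVpn

Outputs:
  VpnConnectionId:
    Description: 'VPN connection id; the tunnel configuration for the office device is downloaded from this connection'
    Value: !Ref OfficeVpnConnection
```

Both tunnels of the connection land on the same transit gateway attachment, so with `VpnEcmpSupport` enabled on the transit gateway (as in the post's first template) traffic towards the office is load-balanced across them.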

Let’s consider a hypothetical example. Company ABC Ltd. has its main office in Sydney and a branch office in Singapore. ABC Ltd. wants to migrate all of its workloads to AWS. Each department of the company wants to maintain its own AWS account for logical separation, and each AWS account contains a number of VPCs for different purposes. ABC Ltd. wishes to have all the VPCs and on-premises locations interconnected to provide private access to applications and services in AWS and on-premises. The Sydney office needs a private direct connection to AWS, while the Singapore office is allowed an IPsec VPN connection over the internet.

The following network diagram shows the proposed solution for the above use case.

  1. A Network Service Account needs to be created to serve as the central hub for network routing.
  2. A Transit Gateway needs to be created in both the Sydney and Singapore regions in the Network Service Account.
  3. A Transit Gateway Peering Attachment needs to be created on the transit gateway in the Sydney region, specifying the transit gateway in the Singapore region as the accepter.
  4. The Transit Gateway in the Sydney region is shared with all VPCs in Account A and Account B.
  5. The Transit Gateway in the Singapore region is shared with all VPCs in Account C and Account D.
  6. A Transit Gateway Attachment needs to be created in all the VPCs, as shown above in the diagram.
  7. Route Tables in the VPCs need to be updated with routes that pass traffic via the Transit Gateway.
  8. An AWS Direct Connect Gateway needs to be created with a Transit Virtual Interface in the Network Service Account. This is needed to establish the connection between the transit gateway and AWS Direct Connect.
  9. The AWS Direct Connect Gateway needs to be associated with the Transit Gateway in the Sydney Region to provide the direct connection to the office in Sydney.
  10. An AWS Customer Gateway needs to be created in the Network Service Account. This is needed for the VPN connection.
  11. The VPN connection is attached to the Transit Gateway in Singapore to provide the IPsec connection to the office in Singapore.
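Step 3 is the one piece of the procedure the post's templates do not cover. The following added example, not from the original post, requests the inter-region peering attachment from the Sydney side and adds the static route that sends Singapore-bound traffic over it. Peering attachments do not propagate routes, so the route must be added by hand, and it can only be created once the attachment has been accepted in Singapore; the `PeeringAccepted` parameter lets the same stack be deployed first without the route and then updated after acceptance. All parameter names, the `ap-southeast-*` region codes and the summary CIDR default are assumptions for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original post): peers the Sydney transit gateway
  with the Singapore one and routes Singapore-side prefixes over the peering.
  Deploy in ap-southeast-2 in the Network Service Account.

Parameters:
  SydneyTransitGatewayId:
    Description: 'Requester transit gateway (this region)'
    Type: String
  SydneyTgwRouteTableId:
    Description: 'Route table of the Sydney transit gateway used by its VPC attachments'
    Type: String
  SingaporeTransitGatewayId:
    Description: 'Accepter transit gateway in ap-southeast-1'
    Type: String
  SingaporeSideCidr:
    Description: 'Summary prefix covering the Singapore VPCs and the Singapore office (assumed)'
    Type: String
    Default: '10.128.0.0/10'
  PeeringAccepted:
    Description: 'Set to true (stack update) after the attachment has been accepted in ap-southeast-1'
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'false'

Conditions:
  AddRoutes: !Equals [!Ref PeeringAccepted, 'true']

Resources:
  # Requester half of the inter-region peering. The accepter half is done in the
  # peer region, e.g.:
  #   aws ec2 accept-transit-gateway-peering-attachment --region ap-southeast-1 \
  #     --transit-gateway-attachment-id <id from the PeeringAttachmentId output>
  PeeringAttachment:
    Type: 'AWS::EC2::TransitGatewayPeeringAttachment'
    Properties:
      TransitGatewayId: !Ref SydneyTransitGatewayId
      PeerTransitGatewayId: !Ref SingaporeTransitGatewayId
      PeerRegion: ap-southeast-1
      # Both transit gateways live in the Network Service Account in the post's design.
      PeerAccountId: !Ref 'AWS::AccountId'
      Tags:
        - Key: Application
          Value: TransitGatewayPeering

  # Static route: peering attachments never propagate routes, so every prefix
  # reachable through Singapore is pointed at the peering explicitly.
  RouteToSingapore:
    Type: 'AWS::EC2::TransitGatewayRoute'
    Condition: AddRoutes
    Properties:
      TransitGatewayRouteTableId: !Ref SydneyTgwRouteTableId
      DestinationCidrBlock: !Ref SingaporeSideCidr
      TransitGatewayAttachmentId: !Ref PeeringAttachment

Outputs:
  PeeringAttachmentId:
    Description: 'Attachment id to accept in ap-southeast-1'
    Value: !Ref PeeringAttachment
```

The mirror image is needed in the Singapore transit gateway route table: a static route for the Sydney-side prefixes pointing at the same peering attachment, otherwise return traffic has no path. Keeping the two sides in non-overlapping summary blocks, as the default above assumes, is what makes a single static route per direction sufficient.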

The AWS networking described above simplifies networking across the organisation significantly and removes complex VPC-to-VPC peering connections. All services and applications in the AWS Sydney and Singapore regions and on-premises are accessible privately. All traffic stays within the AWS network except for the traffic to the on-premises location in Singapore. This networking pattern also allows new VPCs and on-premises locations to be added easily with minimal configuration.

Here is the CloudFormation template to create the Transit Gateway and share it with other AWS accounts using AWS Resource Access Manager (RAM).

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Transit Gateway for VPC connections'

Parameters:

  EnvType:
    Description: 'Environment name used to prefix the exported values.'
    Type: String
    Default: dev

  Principals:
    Description: 'The list of principals to associate with the resource share. The possible values are a list of IDs of AWS accounts.'
    Type: CommaDelimitedList
    Default: '344780674736'

Resources:
  TransitGateway:
    Type: "AWS::EC2::TransitGateway"
    Properties:
      AmazonSideAsn: 65000
      Description: "Transit Gateway"
      # Attachments requested from any principal in the resource share are accepted
      # without manual approval; use "disable" if each new attachment should be reviewed.
      AutoAcceptSharedAttachments: "enable"
      # New attachments are associated with the default route table automatically.
      DefaultRouteTableAssociation: "enable"
      DnsSupport: "enable"
      VpnEcmpSupport: "enable"
      Tags:
        - Key: Application
          Value: TransitGateway

  # Shares the transit gateway with the listed accounts via AWS RAM.
  TransitGatewayResourceshare:
    Type: "AWS::RAM::ResourceShare"
    Properties:
      Name: "Transit Gateway Resource Share"
      ResourceArns:
        - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${TransitGateway}'
      Principals: !Ref Principals
      Tags:
        - Key: Application
          Value: TransitGatewayResourceshare

Outputs:
  StackName:
    Description: 'Stack name.'
    Value: !Sub '${AWS::StackName}'
    Export:
      Name: !Sub '${AWS::StackName}'
  TransitGatewayId:
    Description: 'Transit Gateway Id.'
    Value: !Ref TransitGateway
    Export:
      Name: !Sub '${EnvType}-transitGatewayId'
  TransitGatewayResourceshareId:
    Description: 'Transit Gateway Resource Share Id.'
    Value: !Ref TransitGatewayResourceshare
    Export:
      Name: !Sub '${EnvType}-transitGatewayResourceshareId'

Here is the CloudFormation template to create a Transit Gateway Attachment in a VPC and to update the Route Tables so that traffic transits via the Transit Gateway. It does not provide a detailed VPC implementation.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template to create transit gateway attachment'

Parameters:

  TransitGatewayId:
    Description: 'network service transit gateway shared with this account'
    Type: String

Resources:

  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default

  # One subnet per Availability Zone; the attachment needs exactly one subnet in
  # each zone it should serve, so the three subnets use three different zones.
  SubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: '10.0.1.0/24'
      VpcId: !Ref VPC
  SubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: '10.0.2.0/24'
      VpcId: !Ref VPC
  SubnetC:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [2, !GetAZs '']
      CidrBlock: '10.0.3.0/24'
      VpcId: !Ref VPC

  RouteTableA:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  RouteTableB:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  RouteTableC:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC

  RouteTableAssociationA:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref RouteTableA
  RouteTableAssociationB:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetB
      RouteTableId: !Ref RouteTableB
  RouteTableAssociationC:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetC
      RouteTableId: !Ref RouteTableC

  # Attaches this VPC to the transit gateway shared from the Network Service Account.
  TransitGatewayAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
        - !Ref SubnetC
      Tags:
        - Key: Application
          Value: NetworkServiceTransitGateway
      TransitGatewayId: !Ref TransitGatewayId
      VpcId: !Ref VPC

  # Send all private 10.0.0.0/8 traffic to the transit gateway. The VPC's own
  # 10.0.0.0/16 local route is more specific and keeps intra-VPC traffic local.
  # The routes depend on the attachment because a transit gateway route cannot
  # be created in a VPC that is not yet attached.
  RouteTableATransitGatewayRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: TransitGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableA
      DestinationCidrBlock: '10.0.0.0/8'
      TransitGatewayId: !Ref TransitGatewayId
  RouteTableBTransitGatewayRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: TransitGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableB
      DestinationCidrBlock: '10.0.0.0/8'
      TransitGatewayId: !Ref TransitGatewayId
  RouteTableCTransitGatewayRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: TransitGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableC
      DestinationCidrBlock: '10.0.0.0/8'
      TransitGatewayId: !Ref TransitGatewayId

Written by Nanthan Rasiah

Ex. AWS APN Ambassador | Architect | AWS Certified Pro | GCP Certified Pro | Azure Certified Expert | AWS Certified Security & Machine Learning Specialty