Transit Network VPC (Cisco CSR)

Step 2. Launch the Stack

This automated AWS CloudFormation template deploys a transit VPC on the AWS Cloud. Please make sure that you’ve selected the proper Cisco CSR in AWS Marketplace before launching the stack and have accepted the software terms. If you plan to add VPCs from an additional AWS account to the transit network, make sure to note its account ID before you launch this stack.

Note

You are responsible for the cost of the AWS services used while running this solution. See the Cost and Licenses section for more details. For full details, see the pricing webpage for each AWS service you will be using in this solution.

  1. Log in to the AWS Management Console and click the button below to launch the transit-vpc-primary-account AWS CloudFormation template.

    [Transit VPC solution launch button]

    You can also download the template as a starting point for your own implementation.

  2. The template is launched in the US East (N. Virginia) Region by default. To launch the transit VPC in a different AWS Region, use the region selector in the console navigation bar.

    Note

    This solution uses the AWS Lambda service, which is currently available in specific AWS Regions only. Therefore, you must launch this solution in an AWS Region where Lambda is available. For the most current AWS Lambda availability by Region, see AWS service offerings by region.

  3. On the Select Template page, verify that you selected the correct template and choose Next.

  4. On the Specify Details page, assign a name to your transit VPC in the Stack name field.

  5. Under Parameters, review the parameters for the template and modify them as necessary. This solution uses the following default values.

    Note

    If you use the transit-vpc-primary-account-existing-vpc AWS CloudFormation template, review the template requirements and parameters in Appendix B.

    Parameter | Default | Description
    ----------|---------|------------
    CSR Throughput Requirements | 2x500Mbps | A drop-down box with four options: 2x500Mbps (c4.large), 2x1Gbps (c3.2xlarge), 2x2Gbps (c4.2xlarge), and 2x4.5Gbps (c4.4xlarge)
    SSH Key to access CSR | <Requires input> | Public/private key pair that allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred Region when you set up your AWS account.
    License Model | LicenseIncluded | A drop-down box with two choices: LicenseIncluded and BYOL
    Enable Termination Protection | Yes | Enables termination protection on the CSR instances to help prevent accidental CSR termination (we recommend termination protection for production deployments).
    Prefix for S3 Objects | vpnconfigs/ | The text string to use as the prefix for the Amazon S3 objects that are created. You must end the string with a forward slash (/).
    Additional AWS Account ID | <Optional input> | Enter the account ID of one additional AWS account that you want to connect to the transit network. This is necessary to grant that account access to the S3 bucket and the AWS KMS customer master key. See the note below.
    Transit VPC CIDR Block | 100.64.127.224/27 | CIDR block for the transit VPC. You can modify the VPC and subnet CIDR address ranges to avoid collisions with your network.
    1st Subnet Network | 100.64.127.224/28 | CIDR block for the transit VPC subnet created in AZ1
    2nd Subnet Network | 100.64.127.240/28 | CIDR block for the transit VPC subnet created in AZ2
    Transit VPC BGP ASN | 64512 | BGP ASN to use for the transit VPC
    Spoke VPC Tag Name | transitvpc:spoke | Tag name (key) that identifies spoke VPCs to connect to the transit VPC. You can modify the tag name to align with any existing naming conventions. Use a name that is not likely to be used on VGWs for a different purpose, so that you do not mistakenly add a VPC to the transit network.
    Spoke VPC Tag Value | true | Tag value that determines which spoke VPCs to connect to the transit VPC. You can modify the tag value to align with any existing naming conventions. Be sure to use a value that is easy to understand and implement consistently.
    Preferred VPN Endpoint Tag Name | transitvpc:preferred-path | Tag name (key) that identifies a preferred CSR instance for defining active/passive paths through the transit network. You can modify the tag name to align with any existing naming conventions. For more information about preferred path values and implementation details, see Step 3.
    1st Subnet AZ # | 0 | The Availability Zone number for the first public subnet. See the note below.
    2nd Subnet AZ # | 1 | The Availability Zone number for the second public subnet. See the note below.

    Note (Additional AWS Account ID)

    Enter one additional account ID in this field. If you want to connect more than one additional AWS account to the transit network, you must manually configure permissions for the remaining accounts. See Appendix C for detailed instructions.

    Note (1st Subnet AZ # and 2nd Subnet AZ #)

    We recommend you keep the default setting for these parameters. However, in some cases, you might have to select a different AZ. For example, change a parameter if its default AZ does not support a service or the instance type required for the solution.

  6. Choose Next.

  7. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options, and then choose Next.

  8. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  9. Choose Create to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of CREATE_COMPLETE in roughly five (5) minutes.

    Note

    This solution relies on stateful Cisco CSR instances to maintain long-running VPN connections to support the transit network. The solution does not support updates to the CloudFormation stack. If you need to modify a stack resource at a later time, we recommend that you relaunch the stack with a new tag value and migrate your VGW connections to the new CSRs.

  10. To see details for the stack resources, choose the Outputs tab. The following table describes each of these outputs in more detail.

    Key | Description
    ----|------------
    CSR1 | Public IP address for CSR 1, which is necessary for manually configuring CSR instances or connecting the transit VPC to remote networks
    CSR2 | Public IP address for CSR 2, which is necessary for manually configuring CSR instances or connecting the transit VPC to remote networks
    ConfigS3Bucket | S3 bucket created by this template, used to store VPN connection information. See the Important note below.
    BucketPrefix | Should match the string you entered in the template's Prefix for S3 Objects value
    SpokeVPCTag | Should match the spoke VPC tag name you entered in the template
    SpokeVPCTagValue | Should match the spoke VPC tag value you entered in the template
    PreferredPathTagName | Should match the preferred VPN endpoint tag name you entered in the template

    Important (ConfigS3Bucket):

    If you plan on connecting an additional AWS account to the transit VPC, you must note this value. You will enter the name of this S3 bucket as a parameter in the transit-vpc-second-account template that you launch in Step 4.

    Note

    In addition to the VGW Poller (poller) and Cisco Configurator (configurator) Lambda functions, this solution includes a CloudFormation custom resource Lambda function (solution-helper), which runs only when the CloudFormation stack is launched, updated, or deleted. When running this solution, you will see all three Lambda functions in the AWS Lambda console, but only the two primary solution functions are regularly active. Do not delete the solution-helper function, because it is necessary to manage the associated resources.
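The parameter table in step 5 states several constraints that the console will not check for you until the stack fails (the S3 prefix must end with a slash, both subnets must lie inside the transit VPC CIDR, only one additional account ID is accepted). The following script is an added pre-flight check for those values; it is example code, not part of the AWS solution or its CloudFormation templates. The dictionary keys are this example's own names for the console labels and are not the template's parameter keys, and the private-ASN range and the requirement that the two AZ numbers differ are assumptions drawn from the defaults rather than rules the page states.

```python
"""Pre-flight check for the transit VPC stack parameters.

Added example (not part of the AWS solution or its CloudFormation
templates). The dictionary keys below are this example's own names for the
console labels in the parameter table; they are not the template's
parameter keys.
"""
import ipaddress
import re

# Defaults as listed in the parameter table on the page.
DEFAULTS = {
    "csr_throughput": "2x500Mbps",
    "ssh_key_name": "",                 # <Requires input>
    "license_model": "LicenseIncluded",
    "termination_protection": "Yes",
    "s3_prefix": "vpnconfigs/",
    "additional_account_id": "",        # <Optional input>
    "vpc_cidr": "100.64.127.224/27",
    "subnet1_cidr": "100.64.127.224/28",
    "subnet2_cidr": "100.64.127.240/28",
    "bgp_asn": 64512,
    "spoke_tag_name": "transitvpc:spoke",
    "spoke_tag_value": "true",
    "preferred_path_tag_name": "transitvpc:preferred-path",
    "subnet1_az_index": 0,
    "subnet2_az_index": 1,
}

THROUGHPUT_OPTIONS = {"2x500Mbps", "2x1Gbps", "2x2Gbps", "2x4.5Gbps"}
LICENSE_OPTIONS = {"LicenseIncluded", "BYOL"}


def validate(overrides):
    """Merge overrides onto the defaults and return a list of problems.

    An empty list means every value satisfies the constraints stated in
    the parameter table plus the labelled assumptions below.
    """
    p = {**DEFAULTS, **overrides}
    problems = []

    if p["csr_throughput"] not in THROUGHPUT_OPTIONS:
        problems.append("CSR Throughput Requirements must be one of "
                        + ", ".join(sorted(THROUGHPUT_OPTIONS)))
    if not p["ssh_key_name"]:
        problems.append("SSH Key to access CSR requires input")
    if p["license_model"] not in LICENSE_OPTIONS:
        problems.append("License Model must be LicenseIncluded or BYOL")
    if p["termination_protection"] not in {"Yes", "No"}:
        problems.append("Enable Termination Protection must be Yes or No")
    if not p["s3_prefix"].endswith("/"):
        problems.append("Prefix for S3 Objects must end with a forward slash (/)")

    # The field takes exactly one account; AWS account IDs are 12 digits.
    acct = p["additional_account_id"]
    if acct and not re.fullmatch(r"\d{12}", acct):
        problems.append("Additional AWS Account ID must be a single 12-digit account ID")

    # Both subnets must sit inside the VPC CIDR and must not overlap each other.
    try:
        vpc = ipaddress.ip_network(p["vpc_cidr"], strict=True)
        subnets = {
            "1st Subnet Network": ipaddress.ip_network(p["subnet1_cidr"], strict=True),
            "2nd Subnet Network": ipaddress.ip_network(p["subnet2_cidr"], strict=True),
        }
    except ValueError as exc:
        problems.append(f"invalid CIDR block: {exc}")
        return problems
    for label, net in subnets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{label} {net} is not inside the Transit VPC CIDR Block {vpc}")
    if subnets["1st Subnet Network"].overlaps(subnets["2nd Subnet Network"]):
        problems.append("1st Subnet Network and 2nd Subnet Network overlap")

    # Assumption: keep the ASN in the 16-bit private range, where the default 64512 sits.
    if not 64512 <= int(p["bgp_asn"]) <= 65534:
        problems.append("Transit VPC BGP ASN should be a private ASN between 64512 and 65534")

    # The two tag names drive different behaviours (spoke discovery vs. preferred
    # path), so an empty or shared name would make the poller misclassify VGWs.
    if not p["spoke_tag_name"] or not p["preferred_path_tag_name"]:
        problems.append("tag names must not be empty")
    elif p["spoke_tag_name"] == p["preferred_path_tag_name"]:
        problems.append("Spoke VPC Tag Name and Preferred VPN Endpoint Tag Name must differ")

    # Assumption: the two subnets are meant for two different Availability Zones.
    if p["subnet1_az_index"] == p["subnet2_az_index"]:
        problems.append("1st Subnet AZ # and 2nd Subnet AZ # must be different Availability Zones")

    return problems


if __name__ == "__main__":
    # Constructed input: only the required key pair name is supplied.
    for issue in validate({"ssh_key_name": "example-key-pair"}):
        print("-", issue)
```

Run it with the values you intend to enter; an empty result means the defaults and your overrides are consistent with each other, which matters here because the page notes that the stack cannot be updated in place and a wrong CIDR or prefix means relaunching.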