Centralize network connectivity using AWS Transit Gateway - AWS Prescriptive Guidance

Centralize network connectivity using AWS Transit Gateway

Created by Mydhili Palagummi (AWS) and Nikhil Marrapu (AWS)

Environment: Production

Technologies: Networking

AWS services: AWS Transit Gateway; Amazon VPC

Summary

This pattern describes the simplest configuration in which AWS Transit Gateway can be used to connect an on-premises network to virtual private clouds (VPCs) in multiple AWS accounts within an AWS Region. Using this setup, you can establish a hybrid network that connects multiple VPC networks in a Region and an on-premises network. This is accomplished by using a transit gateway and a virtual private network (VPN) connection to the on-premises network.

Prerequisites and limitations

Prerequisites 

  • An account for hosting network services, managed as a member account of an organization in AWS Organizations

  • VPCs in multiple AWS accounts, without overlapping Classless Inter-Domain Routing (CIDR) blocks

Limitations 

This pattern does not isolate traffic between specific VPCs or between a VPC and the on-premises network. Because every attachment is associated with, and propagates its routes into, the single default transit gateway route table, all the networks attached to the transit gateway can reach each other at the routing layer; only security group and network ACL rules then limit the traffic. To isolate traffic, you need custom route tables on the transit gateway, with separate associations and propagations for each routing domain. This pattern connects the VPCs and the on-premises network by using only the default transit gateway route table, which is the simplest configuration.
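The prerequisite above requires that none of the VPC CIDR blocks overlap, and in practice the on-premises prefixes announced over the VPN must not overlap them either, or longest-prefix matching in the transit gateway route table decides where traffic goes instead of you. The following pre-flight check is an added example, not code from the AWS pattern; the account names and CIDRs in it are constructed sample input, chosen so that two of the collisions a practitioner typically misses (a /20 carved out of another account's /16, and an on-premises /24 inside a VPC's /16) are present.

```python
"""Pre-flight check for the pattern's prerequisite that the VPC CIDR blocks
(and the on-premises prefixes reachable over the VPN) do not overlap.
Added example, not code from the AWS pattern; account names and CIDRs are
constructed sample input."""
import ipaddress
from itertools import combinations

# Constructed inventory: one entry per network that will be attached to the
# transit gateway. Names and CIDRs are made up for illustration.
ATTACHMENTS = {
    "network-services/vpc-shared": ["10.0.0.0/16"],
    "account-a/vpc-app": ["10.1.0.0/16"],
    "account-b/vpc-data": ["10.2.0.0/16", "10.1.128.0/20"],  # second block sits inside account-a's /16
    "on-premises/vpn": ["192.168.0.0/16", "10.0.10.0/24"],    # second block sits inside the shared VPC
}


def find_overlaps(attachments):
    """Return every pair of prefixes that overlap, with the attachment each belongs to.

    ip_network.overlaps() is true for any shared address, including one prefix
    fully containing another, so a /24 carved from another VPC's /16 is caught,
    not only identical blocks. strict=True rejects CIDRs with host bits set.
    """
    prefixes = [
        (name, ipaddress.ip_network(cidr, strict=True))
        for name, cidrs in attachments.items()
        for cidr in cidrs
    ]
    conflicts = []
    for (n1, p1), (n2, p2) in combinations(prefixes, 2):
        if p1.overlaps(p2):
            conflicts.append((n1, str(p1), n2, str(p2)))
    return conflicts


def cidrs_are_disjoint(attachments):
    """True when the inventory satisfies the pattern's non-overlap prerequisite."""
    return not find_overlaps(attachments)


if __name__ == "__main__":
    for n1, p1, n2, p2 in find_overlaps(ATTACHMENTS):
        print(f"overlap: {n1} {p1} <-> {n2} {p2}")
```

Run the check against the real inventory before creating any attachment; once routes have propagated, the overlap shows up only as traffic silently taking the more specific route.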

Architecture

Target technology stack  

  • AWS Transit Gateway

  • AWS Site-to-Site VPN

  • VPC

  • AWS Resource Access Manager (AWS RAM)

Target architecture 

AWS Transit Gateway connects an on-premises network to VPCs in multiple AWS accounts within a Region.

Tools

AWS services

  • AWS Resource Access Manager (AWS RAM) helps you securely share your resources across your AWS accounts, organizational units, or your entire organization from AWS Organizations.

  • AWS Transit Gateway is a central hub that connects virtual private clouds (VPCs) and on-premises networks.

Epics

Task | Description | Skills required

Create a transit gateway.

In the AWS account where you want to host network services, create a transit gateway in the target AWS Region. For instructions, see Create a transit gateway. Note the following:

  • Select Default route table association.

  • Select Default route table propagation.

Network administrator
Task | Description | Skills required

Set up a customer gateway device for the VPN connection.

The customer gateway device is the physical device or software application on the on-premises side of the Site-to-Site VPN connection between the transit gateway and your on-premises network. For more information, see Your customer gateway device in the AWS Site-to-Site VPN documentation. Identify or launch a supported on-premises customer gateway device and note its public IP address; the address must be static and internet-routable, because it is recorded in the customer gateway resource on the AWS side. VPN configuration is completed later in this epic.

Network administrator

In the network services account, create a VPN attachment to the transit gateway.

To set up a connection, create a VPN attachment for the transit gateway. For instructions, see Transit gateway VPN attachments.

Network administrator

Configure the VPN on the customer gateway device in your on-premises network.

Download the configuration file for the Site-to-Site VPN connection associated with the transit gateway and configure VPN settings on the customer gateway device. For instructions, see Download the configuration file.

Network administrator
Task | Description | Skills required

In the AWS Organizations management account, turn on sharing.

To share the transit gateway with your organization or with certain organizational units, turn on sharing in AWS Organizations. Otherwise, you would need to share the transit gateway for each account individually. For instructions, see Enable resource sharing within AWS Organizations.

AWS systems administrator

Create the transit gateway resource share in the network services account.

To allow VPCs in other AWS accounts within your organization to connect to the transit gateway, in the network services account, use the AWS RAM console to share the transit gateway resource. For instructions, see Create a resource share.

AWS systems administrator
Task | Description | Skills required

Create VPC attachments in individual accounts.

In the accounts to which the transit gateway has been shared, create transit gateway VPC attachments. For instructions, see Create a transit gateway attachment to a VPC.

Network administrator

Accept the VPC attachment requests.

In the network services account, accept the transit gateway VPC attachment requests. For instructions, see Accept a shared attachment. Unless you turned on Auto accept shared attachments when you created the transit gateway, each request waits for this acceptance, so this step is your control point: confirm that the requesting account and VPC are ones you expect before accepting, because an accepted attachment immediately propagates its routes into the default route table and can reach every other attachment.

Network administrator
Task | Description | Skills required

Configure routes in individual account VPCs.

In each individual account VPC, add routes to the on-premises network and to other VPC networks, using the transit gateway as the target. For instructions, see Add and remove routes from a route table.

Network administrator

Configure routes in the transit gateway route table.

Routes from the VPC attachments, and from the VPN attachment if it uses dynamic (BGP) routing, are propagated and should appear in the transit gateway default route table. If the VPN connection uses static routing, nothing is propagated for it, so create a static route for the on-premises CIDR block with the VPN attachment as the target in the transit gateway default route table. For instructions, see Create a static route.

Network administrator

Add security group and network access control list (ACL) rules.

For the EC2 instances and other resources in the VPC, ensure that the security group rules and the network ACL rules allow traffic between VPCs as well as the on-premises network. For instructions, see Control traffic to resources using security groups and Add and delete rules from an ACL.

Network administrator
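The routing steps above, and the caveat in the Limitations section that a single default route table gives every attachment a route to every other, are easiest to reason about with a small model of the transit gateway's route tables. The following is an added example, not code from the AWS pattern: attachment IDs and CIDRs are constructed, and only the transit gateway's own tables are modeled (propagation, a static route for a static VPN, longest-prefix lookup, and the association that picks which table an attachment's traffic uses). VPC route tables, security groups and network ACLs are outside the model and must allow the traffic as well. The second function goes beyond the pattern and shows the custom-table layout the Limitations section points to, where VPCs keep their on-premises path but cannot reach each other.

```python
"""Model of transit gateway route tables for this pattern. Added example,
not code from the AWS pattern; attachment IDs and CIDRs are constructed.
It covers only the transit gateway's own tables (propagation, static routes,
longest-prefix lookup, association), not VPC route tables, security groups
or network ACLs, which must allow the traffic as well."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Attachment:
    att_id: str      # constructed, e.g. "tgw-attach-vpc-a"
    cidrs: list      # prefixes this attachment propagates (empty for a static VPN)


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)   # ip_network -> attachment id

    def propagate(self, att):
        """Route propagation: the attachment's prefixes appear in this table."""
        for c in att.cidrs:
            self.routes[ipaddress.ip_network(c)] = att.att_id

    def add_static(self, cidr, att):
        """Static route, needed for a VPN attachment that uses static routing."""
        self.routes[ipaddress.ip_network(cidr)] = att.att_id

    def lookup(self, dst):
        """Longest-prefix match; None means the destination is unreachable."""
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class TransitGateway:
    def __init__(self):
        self.assoc = {}   # attachment id -> the one route table it is associated with

    def associate(self, att, table):
        self.assoc[att.att_id] = table

    def next_hop(self, src, dst_ip):
        """Traffic entering from `src` is routed with the table `src` is associated with."""
        return self.assoc[src.att_id].lookup(dst_ip)


def build_attachments():
    return {
        "vpc_a": Attachment("tgw-attach-vpc-a", ["10.1.0.0/16"]),
        "vpc_b": Attachment("tgw-attach-vpc-b", ["10.2.0.0/16"]),
        "vpn": Attachment("tgw-attach-vpn", []),   # static VPN: propagates nothing
    }


def default_table_reachability():
    """The pattern as written: one default table with association and
    propagation enabled, plus a static route for the static VPN."""
    atts = build_attachments()
    tgw = TransitGateway()
    default = RouteTable("default")
    for a in atts.values():
        default.propagate(a)
        tgw.associate(a, default)
    default.add_static("192.168.0.0/16", atts["vpn"])   # on-premises prefix (constructed)
    return {
        "a->b": tgw.next_hop(atts["vpc_a"], "10.2.0.5"),
        "b->a": tgw.next_hop(atts["vpc_b"], "10.1.0.5"),
        "a->onprem": tgw.next_hop(atts["vpc_a"], "192.168.10.20"),
        "onprem->b": tgw.next_hop(atts["vpn"], "10.2.0.5"),
    }


def isolated_tables_reachability():
    """What the Limitations section asks for: a 'spoke' table that only
    knows the on-premises route, associated with every VPC, and a 'hub'
    table holding the VPC routes, associated with the VPN attachment."""
    atts = build_attachments()
    tgw = TransitGateway()
    spoke, hub = RouteTable("spoke"), RouteTable("hub")
    spoke.add_static("192.168.0.0/16", atts["vpn"])
    for key in ("vpc_a", "vpc_b"):
        hub.propagate(atts[key])          # VPCs propagate only into the hub table
        tgw.associate(atts[key], spoke)   # but forward using the spoke table
    tgw.associate(atts["vpn"], hub)
    return {
        "a->b": tgw.next_hop(atts["vpc_a"], "10.2.0.5"),
        "a->onprem": tgw.next_hop(atts["vpc_a"], "192.168.10.20"),
        "onprem->b": tgw.next_hop(atts["vpn"], "10.2.0.5"),
    }
```

In the default layout every lookup resolves, which is exactly the full-mesh behavior the Limitations section warns about. In the isolated layout the VPC-to-VPC lookup returns None because the spoke table never received the VPC routes; note that association (which table forwards my traffic) and propagation (which tables learn my routes) are set independently per attachment, and isolation comes from keeping them apart.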
Task | Description | Skills required

Test connectivity between VPCs.

Ensure that the network ACL rules and security group rules allow Internet Control Message Protocol (ICMP) traffic, and then ping from an instance in one VPC to an instance in another VPC that is also attached to the transit gateway.

Network administrator

Test connectivity between VPCs and the on-premises network.

Ensure that network ACL rules, security group rules, and any on-premises firewalls allow ICMP traffic, and then ping between the on-premises network and the EC2 instances in the VPCs. Initiate the first traffic from the on-premises side: by default, the customer gateway device is the side that starts the IKE negotiation, so the tunnel stays DOWN until on-premises traffic brings it up. (If the VPN tunnel options are configured so that AWS initiates the negotiation, this restriction does not apply.)

Network administrator

Related resources