Centralize network connectivity using AWS Transit Gateway
Created by Mydhili Palagummi (AWS) and Nikhil Marrapu (AWS)
Environment: Production | Technologies: Networking | AWS services: AWS Transit Gateway; Amazon VPC |
Summary
This pattern describes the simplest configuration in which AWS Transit Gateway can be used to connect an on-premises network to virtual private clouds (VPCs) in multiple AWS accounts within an AWS Region. Using this setup, you can establish a hybrid network that connects multiple VPC networks in a Region and an on-premises network. This is accomplished by using a transit gateway and a virtual private network (VPN) connection to the on-premises network.
Prerequisites and limitations
Prerequisites
An account for hosting network services, managed as a member account of an organization in AWS Organizations
VPCs in multiple AWS accounts, without overlapping Classless Inter-Domain Routing (CIDR) blocks
Limitations
This pattern does not support the isolation of traffic between certain VPCs or the on-premises network. All the networks attached to the transit gateway will be able to reach each other. To isolate traffic, you need to use custom route tables on the transit gateway. This pattern only connects the VPCs and on-premises network by using a single default transit gateway route table, which is the simplest configuration.
Architecture
Target technology stack
AWS Transit Gateway
AWS Site-to-Site VPN
VPC
AWS Resource Access Manager (AWS RAM)
Target architecture
Tools
AWS services
AWS Resource Access Manager (AWS RAM) helps you securely share your resources across your AWS accounts, organizational units, or your entire organization from AWS Organizations.
AWS Transit Gateway is a central hub that connects virtual private clouds (VPCs) and on-premises networks.
Epics
Task | Description | Skills required |
---|---|---|
Create a transit gateway. | In the AWS account where you want to host network services, create a transit gateway in the target AWS Region. For instructions, see Create a transit gateway. Note the following: | Network administrator |
Task | Description | Skills required |
---|---|---|
Set up a customer gateway device for the VPN connection. | The customer gateway device is attached on the on-premises side of the Site-to-Site VPN connection between the transit gateway and your on-premises network. For more information, see Your customer gateway device in the AWS Site-to-Site VPN documentation. Identify or launch a supported on-premises customer device and note its public IP address. VPN configuration is completed later in this epic. | Network administrator |
In the network services account, create a VPN attachment to the transit gateway. | To set up a connection, create a VPN attachment for the transit gateway. For instructions, see Transit gateway VPN attachments. | Network administrator |
Configure the VPN on the customer gateway device in your on-premises network. | Download the configuration file for the Site-to-Site VPN connection associated with the transit gateway and configure VPN settings on the customer gateway device. For instructions, see Download the configuration file. | Network administrator |
Task | Description | Skills required |
---|---|---|
In the AWS Organizations management account, turn on sharing. | To share the transit gateway with your organization or with certain organizational units, turn on sharing in AWS Organizations. Otherwise, you would need to share the transit gateway for each account individually. For instructions, see Enable resource sharing within AWS Organizations. | AWS systems administrator |
Create the transit gateway resource share in the network services account. | To allow VPCs in other AWS accounts within your organization to connect to the transit gateway, in the network services account, use the AWS RAM console to share the transit gateway resource. For instructions, see Create a resource share. | AWS systems administrator |
Task | Description | Skills required |
---|---|---|
Create VPC attachments in individual accounts. | In the accounts to which the transit gateway has been shared, create transit gateway VPC attachments. For instructions, see Create a transit gateway attachment to a VPC. | Network administrator |
Accept the VPC attachment requests. | In the network services account, accept the transit gateway VPC attachment requests. For instructions, see Accept a shared attachment. | Network administrator |
Task | Description | Skills required |
---|---|---|
Configure routes in individual account VPCs. | In each individual account VPC, add routes to the on-premises network and to other VPC networks, using the transit gateway as the target. For instructions, see Add and remove routes from a route table. | Network administrator |
Configure routes in the transit gateway route table. | Routes from VPCs and the VPN connection should be propagated and should appear in the transit gateway default route table. If needed, create any static routes (one example is static routes for the static VPN connection) in the transit gateway default route table. For instructions, see Create a static route. | Network administrator |
Add security group and network access control list (ACL) rules. | For the EC2 instances and other resources in the VPC, ensure that the security group rules and the network ACL rules allow traffic between VPCs as well as the on-premises network. For instructions, see Control traffic to resources using security groups and Add and delete rules from an ACL. | Network administrator |
Task | Description | Skills required |
---|---|---|
Test connectivity between VPCs. | Ensure that network ACL and security groups allow Internet Control Message Protocol (ICMP) traffic, and then ping from instances in a VPC to another VPC that is also connected to the transit gateway. | Network administrator |
Test connectivity between VPCs and the on-premises network. | Ensure that network ACL rules, security group rules, and any firewalls allow ICMP traffic, and then ping between the on-premises network and the EC2 instances in the VPCs. Network communication must be initiated from the on-premises network first to bring the VPN connection to | Network administrator |
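The epics above describe one procedure across two kinds of account. The following two CloudFormation templates carry it through end to end as an added example; they are not part of the original pattern and not AWS's own sample code. Stack 1 runs in the network services account and creates the transit gateway, the customer gateway and BGP-based Site-to-Site VPN (which creates the VPN attachment), and the AWS RAM share; Stack 2 runs in each member account and creates the VPC attachment, the VPC routes, and a security group that allows only ICMP echo for the connectivity tests. The IP address, ASN, CIDR defaults and resource names are assumed placeholders, and the parameter `OtherVpcsCidr` assumes that all VPC CIDRs fall inside one summary range that does not overlap the on-premises range.

```yaml
# Stack 1: deploy in the network services account (added example, assumed values).
AWSTemplateFormatVersion: "2010-09-09"
Description: Transit gateway, Site-to-Site VPN to on-premises, and AWS RAM share
Parameters:
  CustomerGatewayPublicIp:
    Type: String
    Default: 203.0.113.10            # placeholder; the public IP noted for your customer gateway device
  CustomerGatewayBgpAsn:
    Type: Number
    Default: 65000                   # placeholder; the ASN configured on the on-premises device
  SharePrincipalArn:
    Type: String                     # ARN of the organization or OU whose accounts may attach VPCs
Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      AutoAcceptSharedAttachments: disable   # member-account attachments are accepted manually, as in the epics
      DefaultRouteTableAssociation: enable   # single default route table: every attachment can reach every other
      DefaultRouteTablePropagation: enable   # VPC and VPN routes appear in that table without static entries
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: !Ref CustomerGatewayBgpAsn
      IpAddress: !Ref CustomerGatewayPublicIp
  VpnConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGateway
      TransitGatewayId: !Ref TransitGateway  # attaching the VPN to the TGW creates the VPN attachment
      StaticRoutesOnly: false                # BGP: on-premises prefixes propagate into the TGW route table
  TransitGatewayShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: central-tgw-share
      AllowExternalPrincipals: false         # the hub is never shared outside the organization
      Principals:
        - !Ref SharePrincipalArn
      ResourceArns:
        - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${TransitGateway}
Outputs:
  TransitGatewayId:
    Value: !Ref TransitGateway               # pass this to Stack 2 in each member account
---
# Stack 2: deploy in each member account that owns a VPC, after Stack 1 is shared with it.
AWSTemplateFormatVersion: "2010-09-09"
Description: Attach a VPC to the shared transit gateway and route to it
Parameters:
  TransitGatewayId:
    Type: String                     # Stack 1 output; resolvable here only because of the RAM share
  VpcId:
    Type: AWS::EC2::VPC::Id
  AttachmentSubnetIds:
    Type: List<AWS::EC2::Subnet::Id> # one subnet per Availability Zone the TGW should serve
  VpcRouteTableId:
    Type: String
  OnPremisesCidr:
    Type: String
    Default: 10.100.0.0/16           # assumed on-premises range
  OtherVpcsCidr:
    Type: String
    Default: 10.0.0.0/8              # assumed summary covering every VPC CIDR in the organization
Resources:
  VpcAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !Ref TransitGatewayId
      VpcId: !Ref VpcId
      SubnetIds: !Ref AttachmentSubnetIds
  RouteToOnPremises:
    Type: AWS::EC2::Route
    DependsOn: VpcAttachment         # routes to a TGW need the attachment to exist first
    Properties:
      RouteTableId: !Ref VpcRouteTableId
      DestinationCidrBlock: !Ref OnPremisesCidr
      TransitGatewayId: !Ref TransitGatewayId
  RouteToOtherVpcs:
    Type: AWS::EC2::Route
    DependsOn: VpcAttachment
    Properties:
      RouteTableId: !Ref VpcRouteTableId
      DestinationCidrBlock: !Ref OtherVpcsCidr
      TransitGatewayId: !Ref TransitGatewayId
  HybridTestSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ICMP echo from on-premises and peer VPCs, for the connectivity tests
      VpcId: !Ref VpcId
      SecurityGroupIngress:          # echo request (type 8) only, not all ICMP
        - {IpProtocol: icmp, FromPort: 8, ToPort: -1, CidrIp: !Ref OnPremisesCidr}
        - {IpProtocol: icmp, FromPort: 8, ToPort: -1, CidrIp: !Ref OtherVpcsCidr}
```

Because Stack 1 leaves `AutoAcceptSharedAttachments` disabled, each attachment request from Stack 2 must be accepted in the network services account before that stack can complete, which matches the order of the epics (create attachments, accept them, then add routes). Two points follow from the pattern's stated limitation: with a single default route table and propagation enabled, nothing on the transit gateway prevents any attached network from reaching any other, so the VPC security groups and network ACLs are the only place where traffic between VPCs and from on-premises is restricted; keep those rules as narrow as the security group above rather than opening all ICMP or all traffic from the summary range. `AllowExternalPrincipals: false` ensures the share cannot be extended to accounts outside the organization.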
Related resources
Building a scalable and secure multi VPC AWS Network Infrastructure (AWS whitepaper)
Working with shared resources (AWS RAM documentation)
Working with transit gateways (AWS Transit Gateway documentation)