Appendix B: Existing VPC Template - Transit Network VPC (Cisco CSR)


This solution includes an AWS CloudFormation template that lets you use an existing VPC as the transit VPC instead of creating a new one.

Review the following prerequisites before deploying the solution for an existing VPC:

  • This solution’s Lambda function requires access to an Amazon Simple Storage Service (Amazon S3) bucket that will store VPN connection information. Therefore, you must configure the Amazon VPC-provided Domain Name System (DNS) feature or a customer-provided DNS forwarder to allow the solution’s Lambda functions to resolve Amazon S3 domain names.

  • By default, this template creates a new Amazon S3 endpoint and updates an existing VPC route table to provide Amazon S3 access to the solution’s Lambda functions. You can opt to use an existing Amazon S3 endpoint, a NAT gateway, a proxy server, or a corporate network instead, which you must configure in advance.

Launch the transit-vpc-primary-account-existing-vpc AWS CloudFormation template in the AWS CloudFormation console.


You can also download the template.

Review the template parameters and modify them as necessary for your implementation.

Parameter | Default | Description
CSR Throughput Requirements | 2x500Mbps | A drop-down box with four options: 2x500Mbps (c4.large), 2x1Gbps (c3.2xlarge), 2x2Gbps (c4.2xlarge), and 2x4.5Gbps (c4.4xlarge).
SSH Key to access CSR | <Requires input> | Public/private key pair that allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred region when you set up your AWS account.
License Model | LicenseIncluded | A drop-down box with two choices: LicenseIncluded and BYOL.
Enable Termination Protection | Yes | Enables termination protection on the CSR instances to help prevent accidental CSR termination (we recommend termination protection for production deployments).
Prefix for S3 Objects | vpnconfigs/ | The text string to use as the prefix for the Amazon S3 objects that are created. You must end the string with a forward slash (/).
Additional AWS Account ID | <Optional input> | The account ID of one additional AWS account that you want to connect to the transit network. This is necessary to grant that account access to the S3 bucket and the AWS KMS customer master key. Enter one additional account ID in this field. If you want to connect more than one additional AWS account to the transit network, you must manually configure permissions for the remaining accounts. See Appendix C for detailed instructions.
Existing VPC ID | <Requires input> | The ID of the existing VPC where you want to deploy the CSR instances.
1st Subnet Network | <Requires input> | CIDR block for the transit VPC subnet for the first CSR instance.
2nd Subnet Network | <Requires input> | CIDR block for the transit VPC subnet for the second CSR instance.
Create S3 Endpoint? | Yes | Specify whether you want the solution to create an S3 endpoint in your VPC. If you provide alternative network connectivity to Amazon S3 from your VPC, choose No.
Route Table ID | rtb-12345678 | The ID of the route table that the S3 endpoint updates with S3 routes. Use this parameter only if you choose Yes for Create S3 Endpoint; if you choose No, ignore this parameter.
Transit VPC BGP ASN | 64512 | BGP ASN to use for the transit VPC.
Spoke VPC Tag Name | transitvpc:spoke | Tag name (key) that identifies spoke VPCs to connect to the transit VPC. You can modify the tag name to align with any existing naming conventions. Use a name that is not likely to be used on VGWs for a different purpose, so that you do not mistakenly add a VPC to the transit network.
Spoke VPC Tag Value | true | Tag value that determines which spoke VPCs to connect to the transit VPC. You can modify the tag value to align with any existing naming conventions. Use a value that is easy to understand and to apply consistently.
Preferred VPN Endpoint Tag Name | transitvpc:preferred-path | Tag name (key) that identifies a preferred CSR instance for defining active/passive paths through the transit network. You can modify the tag name to align with any existing naming conventions. For more information about preferred path values and implementation details, see Step 3.
SendAnonymousData | Yes | Send anonymous data to AWS to help us understand solution usage and related cost savings across our customer base as a whole. To opt out of this feature, select No. For more information, see Appendix E.
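The following pre-flight check is an added example, not code from the AWS solution. It covers two things this appendix asks you to decide before launching the template: whether the prerequisites (VPC-provided DNS and Amazon S3 reachability from the route table) are already satisfied, which determines the Create S3 Endpoint? and Route Table ID parameters, and which VGWs the Spoke VPC Tag Name/Value and Preferred VPN Endpoint Tag Name parameters would select. The functions take dictionaries shaped like the boto3 responses of the EC2 DescribeVpcAttribute, DescribeVpcEndpoints and DescribeVpnGateways calls; the sample responses, IDs and the preferred-path value "CSR1" are constructed placeholders so the script runs offline, and exact tag matching is this example's assumption rather than a statement about how the solution's Lambda function compares tags.

```python
"""Pre-flight check for deploying the Transit VPC solution into an existing VPC.

Added example, not part of the AWS solution. Input dictionaries mirror the
shapes returned by boto3 for DescribeVpcAttribute, DescribeVpcEndpoints and
DescribeVpnGateways; the sample data below is constructed for offline use.
"""

# Constructed sample data (placeholder IDs, not taken from any real account).
SAMPLE_VPC_ID = "vpc-0a1b2c3d"
SAMPLE_ROUTE_TABLE_ID = "rtb-12345678"  # the template's default, reused as a sample

SAMPLE_DNS_SUPPORT = {"EnableDnsSupport": {"Value": True}}

SAMPLE_ENDPOINTS = {
    "VpcEndpoints": [
        {   # an S3 gateway endpoint already associated with the route table
            "VpcEndpointId": "vpce-0s3gateway",
            "VpcId": SAMPLE_VPC_ID,
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "RouteTableIds": [SAMPLE_ROUTE_TABLE_ID],
        },
        {   # a DynamoDB endpoint, which must not be mistaken for S3 access
            "VpcEndpointId": "vpce-0ddbgateway",
            "VpcId": SAMPLE_VPC_ID,
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.dynamodb",
            "RouteTableIds": [SAMPLE_ROUTE_TABLE_ID],
        },
    ]
}

SAMPLE_VPN_GATEWAYS = {
    "VpnGateways": [
        {"VpnGatewayId": "vgw-0spoke01",
         "Tags": [{"Key": "transitvpc:spoke", "Value": "true"},
                  # "CSR1" is a placeholder; Step 3 defines the accepted values
                  {"Key": "transitvpc:preferred-path", "Value": "CSR1"}]},
        {"VpnGatewayId": "vgw-0spoke02",
         # inconsistent tag value ("True" instead of "true"): not selected
         "Tags": [{"Key": "transitvpc:spoke", "Value": "True"}]},
        {"VpnGatewayId": "vgw-0other",
         "Tags": [{"Key": "Name", "Value": "corp-dx"}]},
    ]
}


def dns_resolution_enabled(dns_support_attr):
    """Prerequisite 1: VPC-provided DNS must be on so the Lambda function can
    resolve Amazon S3 names (a customer DNS forwarder is the alternative)."""
    return bool(dns_support_attr["EnableDnsSupport"]["Value"])


def existing_s3_endpoint(endpoints, vpc_id, route_table_id):
    """Prerequisite 2: return the ID of an S3 gateway endpoint in vpc_id that is
    already associated with route_table_id, or None if the template should
    create one (Create S3 Endpoint? = Yes)."""
    for ep in endpoints["VpcEndpoints"]:
        if ep["VpcId"] != vpc_id:
            continue
        if ep.get("VpcEndpointType", "Gateway") != "Gateway":
            continue
        # Gateway endpoint service names end in ".s3", e.g. com.amazonaws.<region>.s3
        if not ep["ServiceName"].endswith(".s3"):
            continue
        if route_table_id in ep.get("RouteTableIds", []):
            return ep["VpcEndpointId"]
    return None


def select_spoke_vgws(vpn_gateways, tag_key="transitvpc:spoke", tag_value="true",
                      preferred_key="transitvpc:preferred-path"):
    """Apply the Spoke VPC Tag Name/Value parameters to VGW tags. Exact,
    case-sensitive matching is this example's assumption, which is why the tag
    value must be applied consistently. Returns [(vgw_id, preferred_path), ...]."""
    selected = []
    for vgw in vpn_gateways["VpnGateways"]:
        tags = {t["Key"]: t["Value"] for t in vgw.get("Tags", [])}
        if tags.get(tag_key) != tag_value:
            continue
        selected.append((vgw["VpnGatewayId"], tags.get(preferred_key)))
    return selected


def preflight(dns_support_attr, endpoints, vpn_gateways, vpc_id, route_table_id):
    """Summarise the findings as the parameter choices they imply."""
    endpoint_id = existing_s3_endpoint(endpoints, vpc_id, route_table_id)
    return {
        "dns_ok": dns_resolution_enabled(dns_support_attr),
        "existing_s3_endpoint": endpoint_id,
        # Choose No only when S3 is already reachable from the route table.
        "create_s3_endpoint": "No" if endpoint_id else "Yes",
        "spokes": select_spoke_vgws(vpn_gateways),
    }


if __name__ == "__main__":
    result = preflight(SAMPLE_DNS_SUPPORT, SAMPLE_ENDPOINTS, SAMPLE_VPN_GATEWAYS,
                       SAMPLE_VPC_ID, SAMPLE_ROUTE_TABLE_ID)
    for key, value in result.items():
        print(f"{key}: {value}")
```

To use it against a real account, replace the sample dictionaries with the responses of `ec2.describe_vpc_attribute(VpcId=..., Attribute="enableDnsSupport")`, `ec2.describe_vpc_endpoints()` and `ec2.describe_vpn_gateways()`. The second VGW in the sample is deliberately tagged with "True" rather than "true" to show how an inconsistently applied tag value silently leaves a VPC out of the transit network.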