Appendix D: Integration with AWS Direct Connect - Transit Network VPC (Cisco CSR)

Customers have different options for connecting on-premises networks to the transit VPC. A common approach is to manually configure the CSR instances with point-to-point VPN or DMVPN connections over the Internet.

Another approach is to use a detached virtual private gateway (VGW), which in effect attaches a VGW to the data center rather than to a VPC. In this approach, a customer creates a VGW and adds the spoke VPC tag (default tag key transitvpc:spoke, default tag value true) without attaching the VGW to any VPC. The transit VPC solution detects the tagged VGW in the same way it detects a tagged spoke VGW and creates VPN connections from it to the transit VPC CSR instances, which then start advertising over BGP any routes they have learned to the new VGW. To connect the VGW to remote networks, associate it with an AWS Direct Connect virtual interface or create a standard VGW VPN connection. Once a virtual interface or VPN connection is connected to the VGW, the VGW advertises the routes it learned from the CSR instances over that remote connection, as depicted in the following diagram. Two points to keep in mind: the VGW must stay unattached, because attaching it to a VPC makes it an ordinary spoke; and the tag is the only admission control into the transit network, so the ec2:CreateTags permission on VGWs should be restricted to the people who are allowed to join networks to it.
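The following is an added example, not code from the Transit VPC solution, showing the detached-VGW procedure above driven through the boto3 EC2 API: create the VGW, tag it as a spoke, confirm it has no VPC attachment, and then verify that the solution has created VPN connections from it to the CSR instances. The tag key and value are the solution defaults named in the text; the Amazon-side ASN, the expected number of VPN connections (assumed one per CSR, so 2 for a two-CSR deployment) and the FakeEc2 stand-in used for the offline run are assumptions for illustration. Against a real account, pass `boto3.client("ec2")` instead of the fake.

```python
"""Create and verify a detached spoke VGW for the Transit VPC solution (added example)."""

SPOKE_TAG_KEY = "transitvpc:spoke"   # solution default from the text
SPOKE_TAG_VALUE = "true"


def create_detached_spoke_vgw(ec2, amazon_side_asn=None,
                              tag_key=SPOKE_TAG_KEY, tag_value=SPOKE_TAG_VALUE):
    """Create a VGW, tag it as a spoke and deliberately leave it unattached."""
    kwargs = {"Type": "ipsec.1"}
    if amazon_side_asn is not None:          # assumed: caller picks a private ASN
        kwargs["AmazonSideAsn"] = amazon_side_asn
    vgw_id = ec2.create_vpn_gateway(**kwargs)["VpnGateway"]["VpnGatewayId"]
    ec2.create_tags(Resources=[vgw_id], Tags=[{"Key": tag_key, "Value": tag_value}])
    return vgw_id


def is_detached(vgw):
    """True when the VGW has no VPC attachment that is attached or attaching."""
    return not any(a.get("State") in ("attached", "attaching")
                   for a in vgw.get("VpcAttachments", []))


def transit_vpn_connections(ec2, vgw_id):
    """Map VPN connection id -> state for every non-deleted connection to this VGW."""
    resp = ec2.describe_vpn_connections(
        Filters=[{"Name": "vpn-gateway-id", "Values": [vgw_id]}])
    return {c["VpnConnectionId"]: c["State"]
            for c in resp["VpnConnections"] if c["State"] != "deleted"}


def verify_spoke_vgw(ec2, vgw_id, expected_connections=2):
    """Return (ok, problems): detached, tagged, and connected to the CSRs."""
    problems = []
    vgw = ec2.describe_vpn_gateways(VpnGatewayIds=[vgw_id])["VpnGateways"][0]
    if not is_detached(vgw):
        problems.append("VGW is attached to a VPC; it must stay unattached for this pattern")
    tags = {t["Key"]: t["Value"] for t in vgw.get("Tags", [])}
    if tags.get(SPOKE_TAG_KEY) != SPOKE_TAG_VALUE:
        problems.append(f"missing spoke tag {SPOKE_TAG_KEY}={SPOKE_TAG_VALUE}")
    up = [cid for cid, st in transit_vpn_connections(ec2, vgw_id).items() if st == "available"]
    if len(up) < expected_connections:
        problems.append(f"{len(up)}/{expected_connections} VPN connections to the CSRs available")
    return (not problems, problems)


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client, holding only what the checks read."""

    def __init__(self):
        self.vgws, self.vpns = {}, []

    def create_vpn_gateway(self, **kw):
        vgw = {"VpnGatewayId": f"vgw-{len(self.vgws) + 1:08x}", "State": "available",
               "VpcAttachments": [], "Tags": []}
        self.vgws[vgw["VpnGatewayId"]] = vgw
        return {"VpnGateway": vgw}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.vgws[r]["Tags"].extend(Tags)

    def describe_vpn_gateways(self, VpnGatewayIds):
        return {"VpnGateways": [self.vgws[i] for i in VpnGatewayIds]}

    def describe_vpn_connections(self, Filters):
        wanted = Filters[0]["Values"]
        return {"VpnConnections": [c for c in self.vpns if c["VpnGatewayId"] in wanted]}

    def simulate_poller(self, vgw_id, csr_count=2):
        """Mimic the solution creating one VPN connection per CSR to the tagged VGW (assumed)."""
        for i in range(csr_count):
            self.vpns.append({"VpnConnectionId": f"vpn-{i:08x}",
                              "VpnGatewayId": vgw_id, "State": "available"})


if __name__ == "__main__":
    ec2 = FakeEc2()                      # replace with boto3.client("ec2") for a real run
    vgw_id = create_detached_spoke_vgw(ec2, amazon_side_asn=65010)
    print(vgw_id, verify_spoke_vgw(ec2, vgw_id))   # not yet connected
    ec2.simulate_poller(vgw_id)
    print(vgw_id, verify_spoke_vgw(ec2, vgw_id))   # connected to both CSRs
```

Run `verify_spoke_vgw` again a few minutes after tagging; the VPN connections are created by the solution asynchronously, so a missing-connection result immediately after creation is expected rather than an error.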


We recommend that you use a different Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your corporate data center and customer gateway than the one you use for the transit VPC network. The sessions between the data center and the VGW and between the VGW and the CSR instances are eBGP, and an eBGP speaker discards any route whose AS_PATH already contains its own ASN. If the data center reused the transit VPC ASN, spoke VPC routes arriving from the CSR instances would carry that ASN and be dropped at the data center, and data center routes would likewise be dropped at the CSR instances. Distinct ASNs let routes propagate between your data center and your spoke VPCs without this loop-prevention check interfering.
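The following added model, which is not part of the solution, shows the loop-prevention behaviour behind that recommendation: each eBGP hop rejects a route whose AS_PATH already contains its own ASN and otherwise prepends its ASN when re-advertising. It walks a spoke VPC route from the spoke VGW through the CSR and the detached VGW to the data center, and a data center route back to the CSR. All ASN values are made up for the example.

```python
"""eBGP AS_PATH loop prevention along the transit VPC to Direct Connect path (added example)."""


def receive(as_path, local_asn):
    """Loop check: a speaker discards a route whose AS_PATH holds its own ASN."""
    return None if local_asn in as_path else list(as_path)


def advertise(as_path, local_asn):
    """eBGP re-advertisement prepends the speaker's own ASN to the AS_PATH."""
    return [local_asn] + as_path


def walk(origin_asn, hops):
    """Originate a route at origin_asn and pass it through hops in order.

    Every hop performs the loop check; all but the last re-advertise.
    Returns the AS_PATH as seen at the last hop, or None if any hop dropped it.
    """
    path = [origin_asn]
    for i, asn in enumerate(hops):
        path = receive(path, asn)
        if path is None:
            return None
        if i < len(hops) - 1:
            path = advertise(path, asn)
    return path


def spoke_route_at_datacenter(spoke_vgw_asn, csr_asn, dx_vgw_asn, dc_asn):
    """Spoke VGW -> CSR -> detached VGW -> data center router."""
    return walk(spoke_vgw_asn, [csr_asn, dx_vgw_asn, dc_asn])


def datacenter_route_at_csr(dc_asn, dx_vgw_asn, csr_asn):
    """Data center router -> detached VGW -> CSR."""
    return walk(dc_asn, [dx_vgw_asn, csr_asn])


if __name__ == "__main__":
    CSR, SPOKE_VGW, DX_VGW = 64512, 64601, 64602   # made-up ASNs
    for dc_asn in (64512, 65000):                  # same as CSR, then distinct
        print(dc_asn,
              spoke_route_at_datacenter(SPOKE_VGW, CSR, DX_VGW, dc_asn),
              datacenter_route_at_csr(dc_asn, DX_VGW, CSR))
```

With the data center on the same ASN as the CSR, both directions print `None`; with a distinct ASN the spoke route reaches the data center with the full AS_PATH and the data center route reaches the CSR.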

Figure 6: Connecting to remote networks

This is the recommended approach for customers with AWS Direct Connect connections of up to 1 Gbps. The detached VGW reaches the CSR instances over VPN tunnels, so the throughput of that VPN path, not the Direct Connect link, bounds this design. For larger AWS Direct Connect connections, we recommend establishing tunnels directly to the transit VPC CSR instances over either a public or a private VIF.