Transit Network VPC (Cisco CSR)

Step 3. Tag the Spoke VPCs

After the transit VPC stack launch completes, you can apply tags to existing VGWs that you wish to add to the transit network. Make sure to use the tag name and tag value that you specified during the stack creation. These VGWs will be automatically connected to the transit VPC within a few minutes.


For each subnet you intend to connect to the transit VPC network, make sure that you either enable route propagation or create a static routing entry in its route table. For more information, see Route Tables for a Virtual Private Gateway in the Amazon VPC User Guide.

For illustration purposes, assume you want to add a developer-environment VPC, whose VGW is named devVPC-VGW, to your transit network.

  1. In the left navigation pane of the Amazon VPC console, choose Virtual Private Gateways.

  2. Select the VGW you want to modify, choose the Tags tab, and choose Edit.

  3. Add the spoke VPC tag key and value that you defined in the AWS CloudFormation template. For our example, we didn’t change the default values for these parameters, so we will enter the Key transitvpc:spoke and the Value true.

    (Figure: Adding a tag to a spoke VPC)

    Within a minute or less, the VGW Poller Lambda function will find the tag and create a VPN connection from the spoke VGW to the CSR instances located in the transit VPC.

  4. Optional: Apply the preferred VPN endpoint tag that you defined in the AWS CloudFormation template. This setting is especially useful when integrating a transit VPC with stateful firewalls that require symmetric routing and need active/passive network paths.

    The default value for this Key is transitvpc:preferred-path and its Value can be blank, none, CSR1, or CSR2. The following table describes the behavior of each value.

    Value            Description
    none or <blank>  If a VGW does not have a preferred VPN endpoint tag, or has one whose value is blank or 'none', both CSR instances are treated as equal and each spoke VPC independently chooses to send traffic through either CSR instance.
    CSR1             The transit VPC configures CSR1 as the preferred path for this spoke VGW. AS path prepending is used to make CSR1 a more attractive route than CSR2.
    CSR2             The transit VPC configures CSR2 as the preferred path for this spoke VGW. AS path prepending is used to make CSR2 a more attractive route than CSR1.
  5. In the left navigation pane, choose VPN Connections to confirm the spoke VPC was successfully added to the transit network.

    (Figure: Confirming spoke VPCs)

    You should see two new VPN connections (one per CSR instance) in the pending state; they should soon change to available.

  6. To see the tunnel status and BGP routes received, choose the Tunnel Details tab.

    (Figure: Confirming tunnels)
  7. To test connectivity in your new transit network, we recommend pinging between EC2 instances (with appropriate security group configurations) in two spoke VPCs.
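The tagging and confirmation steps above can also be scripted. The following is an added example (not part of the solution's own code) that applies the default spoke and preferred-path tags with boto3 and then reports, per VPN connection, the state and tunnel status you would otherwise read from the console; it assumes boto3 is installed and credentials are configured, and the VGW id shown is a placeholder.

```python
SPOKE_TAG_KEY = "transitvpc:spoke"               # default key from the CloudFormation template
PREFERRED_PATH_KEY = "transitvpc:preferred-path"  # default key for the optional endpoint tag
VALID_PATHS = {"", "none", "CSR1", "CSR2"}        # the values the table above defines


def spoke_tags(preferred_path=""):
    """Build the tag list for a spoke VGW; reject values the poller would not act on."""
    if preferred_path not in VALID_PATHS:
        raise ValueError(f"{PREFERRED_PATH_KEY} must be one of {sorted(VALID_PATHS)}")
    tags = [{"Key": SPOKE_TAG_KEY, "Value": "true"}]
    if preferred_path:  # blank means "no preference", the same as 'none'
        tags.append({"Key": PREFERRED_PATH_KEY, "Value": preferred_path})
    return tags


def tag_spoke_vgw(ec2, vgw_id, preferred_path=""):
    """Steps 3 and 4: apply the spoke tag (and optional preferred-path tag) to the VGW."""
    ec2.create_tags(Resources=[vgw_id], Tags=spoke_tags(preferred_path))


def spoke_vpn_status(ec2, vgw_id):
    """Steps 5 and 6: list the VPN connections the poller created for this VGW,
    with each connection's state and how many of its tunnels are UP."""
    resp = ec2.describe_vpn_connections(
        Filters=[{"Name": "vpn-gateway-id", "Values": [vgw_id]}])
    report = []
    for conn in resp["VpnConnections"]:
        tunnels = conn.get("VgwTelemetry", [])
        report.append({
            "id": conn["VpnConnectionId"],
            "state": conn["State"],
            "tunnels_up": sum(1 for t in tunnels if t.get("Status") == "UP"),
            "tunnels": len(tunnels),
        })
    return report


def spoke_is_joined(report):
    """A spoke is fully joined when one connection per CSR (two in total) is
    available with at least one tunnel UP; anything else needs a closer look."""
    ready = [r for r in report if r["state"] == "available" and r["tunnels_up"] > 0]
    return len(ready) == 2


if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay usable without AWS access
    ec2 = boto3.client("ec2")
    vgw_id = "vgw-0123456789abcdef0"  # placeholder: substitute the devVPC-VGW id
    tag_spoke_vgw(ec2, vgw_id, "CSR1")
    print(spoke_vpn_status(ec2, vgw_id))
```

Run it once right after tagging and again a few minutes later: the first report typically shows the connections as pending, and the second should show both available with tunnels UP before you move on to the ping test.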