Transit gateway Connect attachments and Connect peers - Amazon Virtual Private Cloud

Transit gateway Connect attachments and Connect peers

You can create a transit gateway Connect attachment to establish a connection between a transit gateway and third-party virtual appliances (such as SD-WAN appliances) running in a VPC. A Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance, and Border Gateway Protocol (BGP) for dynamic routing. After you create a Connect attachment, you can create one or more GRE tunnels (also referred to as Connect peers) on the Connect attachment to connect the transit gateway and the third-party appliance. You establish two BGP sessions over the GRE tunnel to exchange routing information. The two BGP sessions are for redundancy.

A Connect attachment uses an existing VPC or AWS Direct Connect attachment as the underlying transport mechanism. This is referred to as the transport attachment. The transit gateway identifies matched GRE packets from the third-party appliance as traffic from the Connect attachment. It treats any other packets, including GRE packets with incorrect source or destination information, as traffic from the transport attachment.

Connect peers

A Connect peer (GRE tunnel) consists of the following components.

Inside CIDR blocks (BGP addresses)

The inside IP addresses that are used for BGP peering. You must specify a /29 CIDR block from the 169.254.0.0/16 range for IPv4. You can optionally specify a /125 CIDR block from the fd00::/8 range for IPv6. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/29

  • 169.254.1.0/29

  • 169.254.2.0/29

  • 169.254.3.0/29

  • 169.254.4.0/29

  • 169.254.5.0/29

  • 169.254.169.248/29

You must configure the first address from the IPv4 range on the appliance as the BGP IP address. When you use IPv6, if your inside CIDR block is fd00::/125, then you must configure the first address in this range (fd00::1) on the tunnel interface of the appliance.

The BGP addresses must be unique across all tunnels on a transit gateway.

Peer IP address

The peer IP address (GRE outer IP address) on the appliance side of the Connect peer. This can be any IP address. The IP address can be an IPv4 or IPv6 address, but it must be the same IP address family as the transit gateway address.

Transit gateway address

The peer IP address (GRE outer IP address) on the transit gateway side of the Connect peer. The IP address must be specified from the transit gateway CIDR block, and must be unique across Connect attachments on the transit gateway. If you don't specify an IP address, we use the first available address from the transit gateway CIDR block.

You can add a transit gateway CIDR block when you create or modify a transit gateway.

The IP address can be an IPv4 or IPv6 address, but it must be the same IP address family as the peer IP address.

The peer IP address and transit gateway address are used to uniquely identify the GRE tunnel. You can reuse either address across multiple tunnels, but not both in the same tunnel.

You can use different IP address families for the BGP addresses and the GRE outer IP addresses. For example, you can configure IPv4 addresses for the GRE outer IP addresses, and an IPv6 CIDR block for the BGP addresses.
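The address rules above (a /29 from 169.254.0.0/16 or a /125 from fd00::/8 for the inside block, the reserved blocks, the first inside address on the appliance, matching address families for the GRE outer addresses, a transit gateway address taken from the transit gateway CIDR block, and uniqueness of the BGP addresses and of the GRE address pair across tunnels) are easy to get wrong in a change ticket. The following is an added pre-flight check written for this page; it is not AWS code, and the `existing_peers` shape (dicts with `peer_address`, `tgw_address`, `inside_cidrs`) is an assumption made here for the example.

```python
"""Pre-flight checks for a Connect peer specification (added example, not AWS code)."""
import ipaddress

# Reserved inside CIDR blocks listed in the documentation; they cannot be used for BGP peering.
RESERVED_IPV4_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29",
)]
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")
ULA_V6 = ipaddress.ip_network("fd00::/8")


def inside_cidr_problems(cidr):
    """Reasons a BGP inside CIDR block is unusable; an empty list means it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    problems = []
    if net.version == 4:
        if net.prefixlen != 29 or not net.subnet_of(LINK_LOCAL_V4):
            problems.append(f"{cidr}: IPv4 inside CIDR must be a /29 from 169.254.0.0/16")
        if net in RESERVED_IPV4_INSIDE:
            problems.append(f"{cidr}: reserved block, cannot be used")
    elif net.prefixlen != 125 or not net.subnet_of(ULA_V6):
        problems.append(f"{cidr}: IPv6 inside CIDR must be a /125 from fd00::/8")
    return problems


def appliance_bgp_address(cidr):
    """The first address of the inside block, which the appliance must use as its BGP address."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address + 1)


def connect_peer_problems(peer_address, tgw_address, tgw_cidr_blocks, inside_cidrs, existing_peers=()):
    """Check the GRE outer addresses and inside blocks of a planned Connect peer.

    existing_peers: iterable of dicts with keys peer_address, tgw_address and inside_cidrs,
    describing Connect peers already present on the transit gateway (shape assumed here).
    """
    problems = []
    try:
        peer = ipaddress.ip_address(peer_address)
        tgw = ipaddress.ip_address(tgw_address)
    except ValueError as exc:
        return [str(exc)]
    # The GRE outer addresses may be IPv4 or IPv6, but both ends must use the same family.
    if peer.version != tgw.version:
        problems.append("peer address and transit gateway address must be the same IP family")
    # The transit gateway side must be taken from a transit gateway CIDR block.
    if not any(tgw in ipaddress.ip_network(c) for c in tgw_cidr_blocks):
        problems.append(f"{tgw_address} is not within a transit gateway CIDR block")
    # The (peer address, transit gateway address) pair identifies the tunnel and cannot repeat.
    used_inside = set()
    for existing in existing_peers:
        pair = (ipaddress.ip_address(existing["peer_address"]),
                ipaddress.ip_address(existing["tgw_address"]))
        if pair == (peer, tgw):
            problems.append("GRE address pair already used by another Connect peer")
        used_inside.update(ipaddress.ip_network(c) for c in existing["inside_cidrs"])
    for cidr in inside_cidrs:
        found = inside_cidr_problems(cidr)
        problems.extend(found)
        # BGP addresses must be unique across all tunnels on the transit gateway.
        if not found and ipaddress.ip_network(cidr) in used_inside:
            problems.append(f"{cidr}: inside CIDR already used by another Connect peer")
    return problems


if __name__ == "__main__":
    # Values from the worked example on this page.
    print(appliance_bgp_address("169.254.6.0/29"))
    print(connect_peer_problems("172.31.1.11", "192.0.2.1", ["192.0.2.0/24"], ["169.254.6.0/29"]))
```

Run the checks before submitting the console form or the CLI call; an empty list from `connect_peer_problems` means the specification satisfies every rule stated on this page.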

The following example shows a Connect attachment between a transit gateway and an appliance in a VPC.

[Diagram: Transit gateway Connect attachment and Connect peer. Components shown: VPC attachment, Connect attachment, GRE tunnel (Connect peer), BGP peering session.]

In the preceding example, a transit gateway Connect attachment is created on an existing VPC attachment (the transport attachment). A Connect peer is created on the Connect attachment to establish a connection to an appliance in the VPC. The transit gateway address is 192.0.2.1, and the range of BGP addresses is 169.254.6.0/29. The first IP address in the range (169.254.6.1) is configured on the appliance as the peer BGP IP address.

The subnet route table for VPC C has a route that points traffic destined for the transit gateway CIDR block to the transit gateway.

Destination     Target
172.31.0.0/16   Local
192.0.2.0/24    tgw-id

Requirements and considerations

The following are the requirements and considerations for a Connect attachment.

  • The third-party appliance must be configured to send and receive traffic over a GRE tunnel to and from the transit gateway using the Connect attachment.

  • The third-party appliance must be configured to use BGP for dynamic route updates and health checks.

  • The following types of BGP are supported:

    • Exterior BGP (eBGP): Used for connecting to routers that are in a different autonomous system than the transit gateway. If you use eBGP, you must configure ebgp-multihop with a time-to-live (TTL) value of 2.

    • Interior BGP (iBGP): Used for connecting to routers that are in the same autonomous system as the transit gateway. The transit gateway does not install routes from an iBGP peer (the third-party appliance) unless the routes were originated by an eBGP peer. The routes that the third-party appliance advertises over the iBGP peering must carry an ASN.

    • MP-BGP (multiprotocol extensions for BGP): Used for supporting multiple protocol types, such as IPv4 and IPv6 address families.

  • When you create a Connect peer, if you do not specify a peer ASN, we use the transit gateway ASN. This means that your appliance and transit gateway are in the same autonomous system and use iBGP.

  • To use equal-cost multi-path (ECMP) routing between multiple appliances, you must configure the appliance to advertise the same prefixes to the transit gateway with the same BGP AS-PATH attribute. For the transit gateway to choose all of the available ECMP paths, the AS-PATH and Autonomous System Number (ASN) must match. The transit gateway can use ECMP between Connect peers for the same Connect attachment or between Connect attachments on the same transit gateway. The transit gateway cannot use ECMP between the BGP peerings of the same Connect peer.

  • Static routes are not supported.

  • Connect attachments are currently supported in the following AWS Regions: US East (N. Virginia), US West (N. California), US West (Oregon), and Europe (Ireland).

  • With a Connect attachment, the routes are propagated to a transit gateway route table by default.
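The iBGP and ECMP rules above decide which advertised paths actually end up in the transit gateway route table, so it is worth modelling them before relying on multi-appliance redundancy. The following is an added example, not AWS code: it applies the page's rules to a constructed set of advertisements (routes from an iBGP peer are dropped unless their AS path shows an eBGP origin; only paths with identical AS-PATH and ASN form an ECMP set; the two BGP sessions of one Connect peer never form ECMP with each other). The choice of the shortest AS path when competing paths differ is an assumption borrowed from standard BGP best-path selection, not something this page states; the Connect peer IDs are made up.

```python
"""Model which Connect peer paths the transit gateway installs (added example, not AWS code)."""
from collections import defaultdict

TGW_ASN = 64512  # constructed transit gateway ASN

# Constructed BGP advertisements received over Connect peers. Each Connect peer has two BGP
# sessions (index 0 and 1). AS paths are tuples; an empty path means the appliance originated
# the route itself, which over an iBGP session is exactly the case the transit gateway rejects.
ADVERTISEMENTS = [
    {"prefix": "10.1.0.0/16", "connect_peer": "tgw-connect-peer-aaa", "session": 0, "peer_asn": 65001, "as_path": (65001,)},
    {"prefix": "10.1.0.0/16", "connect_peer": "tgw-connect-peer-aaa", "session": 1, "peer_asn": 65001, "as_path": (65001,)},
    {"prefix": "10.1.0.0/16", "connect_peer": "tgw-connect-peer-bbb", "session": 0, "peer_asn": 65001, "as_path": (65001,)},
    # Different AS path: cannot join the ECMP set above.
    {"prefix": "10.1.0.0/16", "connect_peer": "tgw-connect-peer-ccc", "session": 0, "peer_asn": 65002, "as_path": (65002, 65001)},
    # iBGP peer (peer ASN equals the transit gateway ASN) originating the route itself: not installed.
    {"prefix": "10.2.0.0/16", "connect_peer": "tgw-connect-peer-ddd", "session": 0, "peer_asn": 64512, "as_path": ()},
    # iBGP peer relaying a route that an eBGP peer originated: installed.
    {"prefix": "10.3.0.0/16", "connect_peer": "tgw-connect-peer-ddd", "session": 0, "peer_asn": 64512, "as_path": (65010,)},
]


def install_routes(tgw_asn, advertisements):
    """Return {prefix: [connect peer ids in the installed ECMP set]}."""
    candidates = defaultdict(list)
    for adv in advertisements:
        is_ibgp = adv["peer_asn"] == tgw_asn
        if is_ibgp and not adv["as_path"]:
            continue  # locally originated over iBGP: the transit gateway will not install it
        candidates[adv["prefix"]].append(adv)

    table = {}
    for prefix, advs in candidates.items():
        # Assumption (standard BGP tiebreak, not stated on the page): shortest AS path wins.
        # Paths are then grouped on identical AS-PATH and ASN, as the page requires for ECMP.
        key = lambda a: (len(a["as_path"]), a["as_path"], a["peer_asn"])
        best = min(key(a) for a in advs)
        ecmp = []
        for adv in advs:
            # One entry per Connect peer: no ECMP between the two BGP sessions of the same peer.
            if key(adv) == best and adv["connect_peer"] not in ecmp:
                ecmp.append(adv["connect_peer"])
        table[prefix] = ecmp
    return table


if __name__ == "__main__":
    for prefix, peers in install_routes(TGW_ASN, ADVERTISEMENTS).items():
        print(prefix, "->", ", ".join(peers))
```

In the constructed input, 10.1.0.0/16 is load-balanced across two Connect peers only because both advertise it with the same AS path and ASN; the third appliance with a longer AS path is left out, and the iBGP appliance's self-originated prefix never appears.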

Create a transit gateway Connect attachment

To create a Connect attachment, you must specify an existing attachment as the transport attachment. You can specify a VPC attachment or an AWS Direct Connect attachment as the transport attachment.

To create a Connect attachment using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Choose Create Transit Gateway Attachment.

  4. For Transit Gateway ID, choose the transit gateway for the attachment.

  5. For Attachment type, choose Connect.

  6. (Optional) For Attachment name tag, specify a name tag for the attachment.

  7. For Transport Attachment ID, choose the ID of an existing attachment (the transport attachment).

  8. Choose Create attachment.

To create a Connect attachment using the AWS CLI

Use the create-transit-gateway-connect command.

Create a Connect peer (GRE tunnel)

You can create a Connect peer (GRE tunnel) for an existing Connect attachment. Before you begin, ensure that you have configured a transit gateway CIDR block. You can configure a transit gateway CIDR block when you create or modify a transit gateway.

When you create the Connect peer, you must specify the GRE outer IP address on the appliance side of the Connect peer.

To create a Connect peer using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment, and choose Actions, Create Connect peer.

  4. (Optional) For Connect Peer name tag, specify a name tag for the Connect peer.

  5. (Optional) For Transit Gateway GRE Address, specify the GRE outer IP address for the transit gateway. By default, the first available address from the transit gateway CIDR block is used.

  6. For Peer GRE Address, specify the GRE outer IP address for the appliance side of the Connect peer.

  7. For BGP Inside CIDR blocks IPv4, specify the range of inside IPv4 addresses that are used for BGP peering. Specify a /29 CIDR block from the 169.254.0.0/16 range.

  8. (Optional) For BGP Inside CIDR blocks IPv6, specify the range of inside IPv6 addresses that are used for BGP peering. Specify a /125 CIDR block from the fd00::/8 range.

  9. (Optional) For Peer ASN, specify the Border Gateway Protocol (BGP) Autonomous System Number (ASN) for the appliance. You can use an existing ASN assigned to your network. If you do not have one, you can use a private ASN in the 64512–65534 range.

    The default is the same ASN as the transit gateway. If you configure the Peer ASN to be different from the transit gateway ASN (eBGP), you must configure ebgp-multihop with a time-to-live (TTL) value of 2.

  10. Choose Create.

To create a Connect peer using the AWS CLI

Use the create-transit-gateway-connect-peer command.

View your transit gateway Connect attachments and Connect peers

You can view your transit gateway Connect attachments and Connect peers.

To view your Connect attachments and Connect peers using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment.

  4. To view the Connect peers for the attachment, choose the Connect Peers tab.

To view your Connect attachments and Connect peers using the AWS CLI

Use the describe-transit-gateway-connects and describe-transit-gateway-connect-peers commands.
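Because each Connect peer carries two BGP sessions for redundancy, the output of describe-transit-gateway-connect-peers is the natural place to notice a tunnel that is still up but has silently lost its second session, or two peers that were created with overlapping inside blocks. The following is an added audit written for this page, not AWS code. The JSON field names (`TransitGatewayConnectPeers`, `State`, `ConnectPeerConfiguration`, `InsideCidrBlocks`, `BgpConfigurations`, `BgpStatus`) follow the EC2 API response shape as assumed here; the sample document, IDs and addresses are constructed.

```python
"""Audit Connect peers from describe-transit-gateway-connect-peers JSON (added example, not AWS code)."""
import json
from collections import Counter

# Constructed sample of `aws ec2 describe-transit-gateway-connect-peers` output.
# Field names are assumed to match the EC2 API; IDs and addresses are made up.
SAMPLE_OUTPUT = json.dumps({
    "TransitGatewayConnectPeers": [
        {
            "TransitGatewayAttachmentId": "tgw-attach-EXAMPLE",
            "TransitGatewayConnectPeerId": "tgw-connect-peer-EXAMPLE1",
            "State": "available",
            "ConnectPeerConfiguration": {
                "TransitGatewayAddress": "192.0.2.1",
                "PeerAddress": "172.31.1.11",
                "InsideCidrBlocks": ["169.254.6.0/29"],
                "Protocol": "gre",
                "BgpConfigurations": [
                    {"TransitGatewayAsn": 64512, "PeerAsn": 65001, "TransitGatewayAddress": "169.254.6.2",
                     "PeerAddress": "169.254.6.1", "BgpStatus": "up"},
                    {"TransitGatewayAsn": 64512, "PeerAsn": 65001, "TransitGatewayAddress": "169.254.6.3",
                     "PeerAddress": "169.254.6.1", "BgpStatus": "up"},
                ],
            },
        },
        {
            "TransitGatewayAttachmentId": "tgw-attach-EXAMPLE",
            "TransitGatewayConnectPeerId": "tgw-connect-peer-EXAMPLE2",
            "State": "available",
            "ConnectPeerConfiguration": {
                "TransitGatewayAddress": "192.0.2.2",
                "PeerAddress": "172.31.1.12",
                "InsideCidrBlocks": ["169.254.7.0/29"],
                "Protocol": "gre",
                "BgpConfigurations": [
                    {"TransitGatewayAsn": 64512, "PeerAsn": 65001, "TransitGatewayAddress": "169.254.7.2",
                     "PeerAddress": "169.254.7.1", "BgpStatus": "up"},
                    # Second session down: the tunnel still forwards but has no BGP redundancy.
                    {"TransitGatewayAsn": 64512, "PeerAsn": 65001, "TransitGatewayAddress": "169.254.7.3",
                     "PeerAddress": "169.254.7.1", "BgpStatus": "down"},
                ],
            },
        },
    ]
})


def audit_connect_peers(describe_json):
    """Return (peer id, finding) tuples for peers that are not available, peers that have
    lost BGP redundancy, and inside CIDR blocks or GRE address pairs shared by several peers."""
    peers = json.loads(describe_json)["TransitGatewayConnectPeers"]
    findings = []
    inside_use = Counter()
    tunnel_use = Counter()
    for peer in peers:
        pid = peer["TransitGatewayConnectPeerId"]
        cfg = peer["ConnectPeerConfiguration"]
        if peer["State"] != "available":
            findings.append((pid, f"state is {peer['State']}"))
        sessions = cfg.get("BgpConfigurations", [])
        up = sum(1 for s in sessions if s.get("BgpStatus") == "up")
        if up < 2:
            findings.append((pid, f"only {up} of 2 BGP sessions up; tunnel has no BGP redundancy"))
        for cidr in cfg.get("InsideCidrBlocks", []):
            inside_use[cidr] += 1
        tunnel_use[(cfg["TransitGatewayAddress"], cfg["PeerAddress"])] += 1
    # The page requires BGP addresses to be unique across all tunnels on the transit gateway,
    # and the GRE address pair to be unique per tunnel.
    for cidr, count in inside_use.items():
        if count > 1:
            findings.append(("*", f"inside CIDR {cidr} used by {count} peers; BGP addresses must be unique"))
    for (tgw, appliance), count in tunnel_use.items():
        if count > 1:
            findings.append(("*", f"GRE address pair {tgw} <-> {appliance} used by {count} peers"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit_connect_peers(SAMPLE_OUTPUT):
        print(pid, finding)
```

Feed it the real output (for example via `aws ec2 describe-transit-gateway-connect-peers --output json`) from a scheduled job; a single "only 1 of 2 BGP sessions up" finding is the early warning that a Connect peer is one failure away from losing dynamic routing.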

Modify your Connect attachment and Connect peer tags

You can modify the tags for your Connect attachment.

To modify your Connect attachment tags using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment, and then choose Actions, Add/Edit tags.

  4. To add a tag, choose Create tag and specify the key name and key value.

  5. To remove a tag, choose Delete ("X") for the tag.

  6. Choose Save.

You can modify the tags for your Connect peer.

To modify your Connect peer tags using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment, and then choose Connect peers.

  4. Select the Connect peer and then choose Actions, Add/Edit tags.

  5. To add a tag, choose Create tag and specify the key name and key value.

  6. To remove a tag, choose Delete ("X") for the tag.

  7. Choose Save.

To modify your Connect attachment and Connect peer tags using the AWS CLI

Use the create-tags and delete-tags commands.

Delete a Connect peer

If you no longer need a Connect peer, you can delete it.

To delete a Connect peer using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment.

  4. In the Connect Peers tab, select the Connect peer and choose Actions, Delete Connect peer.

To delete a Connect peer using the AWS CLI

Use the delete-transit-gateway-connect-peer command.

Delete a transit gateway Connect attachment

If you no longer need a transit gateway Connect attachment, you can delete it. You must first delete any Connect peers for the attachment.

To delete a Connect attachment using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment, and choose Actions, Delete.

  4. When prompted for confirmation, choose Delete.

To delete a Connect attachment using the AWS CLI

Use the delete-transit-gateway-connect command.