Transit Gateway Connect attachments and Transit Gateway Connect peers - Amazon VPC
Connect peersRequirements and considerationsCreate a Connect attachmentCreate a Connect peer (GRE tunnel)View your Connect attachments and Connect peersModify your Connect attachment and Connect peer tagsDelete a Connect peerDelete a Connect attachment

Transit Gateway Connect attachments and Transit Gateway Connect peers

You can create a Transit Gateway Connect attachment to establish a connection between a transit gateway and third-party virtual appliances (such as SD-WAN appliances) running in a VPC. A Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance, and Border Gateway Protocol (BGP) for dynamic routing. After you create a Connect attachment, you can create one or more GRE tunnels (also referred to as Transit Gateway Connect peers) on the Connect attachment to connect the transit gateway and the third-party appliance. You establish two BGP sessions over the GRE tunnel to exchange routing information.

Important

A Transit Gateway Connect peer consists of two BGP peering sessions terminating on AWS-managed infrastructure. The two BGP peering sessions provide routing plane redundancy, ensuring that losing one BGP peering session does not impact your routing operation. The routing information received from both BGP sessions is accumulated for the given Connect peer. The two BGP peering sessions also protect against any AWS infrastructure operations such as routine maintenance, patching, hardware upgrades, and replacements. If your Connect peer is operating without the recommended dual BGP peering session configured for redundancy, it might experience a momentary loss of connectivity during AWS infrastructure operations. We strongly recommend that you configure both the BGP peering sessions on your Connect peer. If you have configured multiple Connect peers to support high availability on the appliance side, we recommend that you configure both the BGP peering sessions on each of your Connect peers.

A Connect attachment uses an existing VPC or Direct Connect attachment as the underlying transport mechanism. This is referred to as the transport attachment. The transit gateway identifies matched GRE packets from the third-party appliance as traffic from the Connect attachment. It treats any other packets, including GRE packets with incorrect source or destination information, as traffic from the transport attachment.

Note

To use a Direct Connect attachment as a transport mechanism, you'll first need to integrate Direct Connect with AWS Transit Gateway. For the steps to create this integration, see Integrate SD-WAN devices with AWS Transit Gateway and AWS Direct Connect.

Connect peers

A Connect peer (GRE tunnel) consists of the following components.

Inside CIDR blocks (BGP addresses)

The inside IP addresses that are used for BGP peering. You must specify a /29 CIDR block from the 169.254.0.0/16 range for IPv4. You can optionally specify a /125 CIDR block from the fd00::/8 range for IPv6. The following CIDR blocks are reserved and cannot be used:

  • 169.254.0.0/29

  • 169.254.1.0/29

  • 169.254.2.0/29

  • 169.254.3.0/29

  • 169.254.4.0/29

  • 169.254.5.0/29

  • 169.254.169.248/29

You must configure the first address from the IPv4 range on the appliance as the BGP IP address. When you use IPv6, if your inside CIDR block is fd00::/125, then you must configure the first address in this range (fd00::1) on the tunnel interface of the appliance.

The BGP addresses must be unique across all tunnels on a transit gateway.

Peer IP address

The peer IP address (GRE outer IP address) on the appliance side of the Connect peer. This can be any IP address. The IP address can be an IPv4 or IPv6 address, but it must be the same IP address family as the transit gateway address.

Transit gateway address

The peer IP address (GRE outer IP address) on the transit gateway side of the Connect peer. The IP address must be specified from the transit gateway CIDR block, and must be unique across Connect attachments on the transit gateway. If you don't specify an IP address, we use the first available address from the transit gateway CIDR block.

You can add a transit gateway CIDR block when you create or modify a transit gateway.

The IP address can be an IPv4 or IPv6 address, but it must be the same IP address family as the peer IP address.

The peer IP address and transit gateway address are used to uniquely identify the GRE tunnel. You can reuse either address across multiple tunnels, but not both in the same tunnel.

Transit Gateway Connect for the BGP peering only supports Multiprotocol BGP (MP-BGP), where IPv4 Unicast addressing is required to also establish a BGP session for IPv6 Unicast. You can use both IPv4 and IPv6 addresses for the GRE outer IP addresses.

The following example shows a Connect attachment between a transit gateway and an appliance in a VPC.

Transit gateway Connect attachment and Connect peer
Diagram component Description
Shows how VPC attachments are represented in the example diagram.
VPC attachment
Shows how Connect attachments are represented in the example diagram.
Connect attachment
Shows how GRE tunnels are represented in the example diagram.
GRE tunnel (Connect peer)
Shows how BGP peering sessions are represented in the example diagram.
BGP peering session

In the preceding example, a Connect attachment is created on an existing VPC attachment (the transport attachment). A Connect peer is created on the Connect attachment to establish a connection to an appliance in the VPC. The transit gateway address is 192.0.2.1, and the range of BGP addresses is 169.254.6.0/29. The first IP address in the range (169.254.6.1) is configured on the appliance as the peer BGP IP address.

The subnet route table for VPC C has a route that points traffic destined for the transit gateway CIDR block to the transit gateway.

Destination Target
172.31.0.0/16 Local
192.0.2.0/24 tgw-id

Requirements and considerations

The following are the requirements and considerations for a Connect attachment.

  • For information about what Regions support Connect attachments, see the AWS Transit Gateways FAQ.

  • The third-party appliance must be configured to send and receive traffic over a GRE tunnel to and from the transit gateway using the Connect attachment.

  • The third-party appliance must be configured to use BGP for dynamic route updates and health checks.

  • The following types of BGP are supported:

    • Exterior BGP (eBGP): Used for connecting to routers that are in a different autonomous system than the transit gateway. If you use eBGP, you must configure ebgp-multihop with a time-to-live (TTL) value of 2.

    • Interior BGP (iBGP): Used for connecting to routers that are in the same autonomous system as the transit gateway. The transit gateway will not install routes from an iBGP peer (third-party appliance), unless the routes are originated from an eBGP peer and should have next-hop-self configured. The routes advertised by third-party appliance over the iBGP peering must have an ASN.

    • MP-BGP (multiprotocol extensions for BGP): Used for supporting multiple protocol types, such as IPv4 and IPv6 address families.

  • The default BGP keep-alive timeout is 10 seconds and the default hold timer is 30 seconds.

  • IPv6 BGP peering is not supported; only IPv4-based BGP peering is supported. IPv6 prefixes are exchanged over IPv4 BGP peering using MP-BGP.

  • Bidirectional Forwarding Detection (BFD) is not supported.

  • BGP graceful restart is not supported.

  • When you create a transit gateway peer, if you do not specify a peer ASN number, we pick the transit gateway ASN number. This means that your appliance and transit gateway will be in the same autonomous system doing iBGP.

  • A Connect peer using the BGP AS-PATH attribute is the preferred route when you have two Connect peers.

    To use equal-cost multi-path (ECMP) routing between multiple appliances, you must configure the appliance to advertise the same prefixes to the transit gateway with the same BGP AS-PATH attribute. For the transit gateway to choose all of the available ECMP paths, the AS-PATH and Autonomous System Number (ASN) must match. The transit gateway can use ECMP between Connect peers for the same Connect attachment or between Connect attachments on the same transit gateway. The transit gateway cannot use ECMP between both of the redundant BGP peerings a single peer establishes to it.

  • With a Connect attachment, the routes are propagated to a transit gateway route table by default.

  • Static routes are not supported.

  • Ensure that your third-party appliance external interface (tunnel source) Maximum Transmission Unit (MTU) either

    • matches the MTU of the GRE tunnel interface, or

    • should be greater than that of the GRE tunnel interface.

Create a Connect attachment

To create a Connect attachment, you must specify an existing attachment as the transport attachment. You can specify a VPC attachment or a Direct Connect attachment as the transport attachment.

To create a Connect attachment using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit gateway attachments.

  3. Choose Create transit gateway attachment.

  4. (Optional) For Name tag, specify a name tag for the attachment.

  5. For Transit gateway ID, choose the transit gateway for the attachment.

  6. For Attachment type, choose Connect.

  7. For Transport attachment ID, choose the ID of an existing attachment (the transport attachment).

  8. Choose Create transit gateway attachment.

To create a Connect attachment using the AWS CLI

Use the create-transit-gateway-connect command.

Create a Connect peer (GRE tunnel)

You can create a Connect peer (GRE tunnel) for an existing Connect attachment. Before you begin, ensure that you have configured a transit gateway CIDR block. You can configure a transit gateway CIDR block when you create or modify a transit gateway.

When you create the Connect peer, you must specify the GRE outer IP address on the appliance side of the Connect peer.

To create a Connect peer using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit gateway attachments.

  3. Select the Connect attachment, and choose Actions, Create connect peer.

  4. (Optional) For Name tag, specify a name tag for the Connect peer.

  5. (Optional) For Transit gateway GRE Address, specify the GRE outer IP address for the transit gateway. By default, the first available address from the transit gateway CIDR block is used.

  6. For Peer GRE address, specify the GRE outer IP address for the appliance side of the Connect peer.

  7. For BGP Inside CIDR blocks IPv4, specify the range of inside IPv4 addresses that are used for BGP peering. Specify a /29 CIDR block from the 169.254.0.0/16 range.

  8. (Optional) For BGP Inside CIDR blocks IPv6, specify the range of inside IPv6 addresses that are used for BGP peering. Specify a /125 CIDR block from the fd00::/8 range.

  9. (Optional) For Peer ASN, specify the Border Gateway Protocol (BGP) Autonomous System Number (ASN) for the appliance. You can use an existing ASN assigned to your network. If you do not have one, you can use a private ASN in the 64512–65534 (16-bit ASN) or 4200000000–4294967294 (32-bit ASN) range.

    The default is the same ASN as the transit gateway. If you configure the Peer ASN to be different than the transit gateway ASN (eBGP), you must configure ebgp-multihop with a time-to-live (TTL) value of 2.

  10. Choose Create connect peer.

To create a Connect peer using the AWS CLI

Use the create-transit-gateway-connect-peer command.

View your Connect attachments and Connect peers

You can view your Connect attachments and Connect peers.

To view your Connect attachments and Connect peers using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit gateway attachments.

  3. Select the Connect attachment.

  4. To view the Connect peers for the attachment, choose the Connect Peers tab.

To view your Connect attachments and Connect peers using the AWS CLI

Use the describe-transit-gateway-connects and describe-transit-gateway-connect-peers commands.

Modify your Connect attachment and Connect peer tags

You can modify the tags for your Connect attachment.

To modify your Connect attachment tags using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment, and then choose Actions, Manage tags.

  4. To add a tag, choose Add new tag and specify the key name and key value.

  5. To remove a tag, choose Remove.

  6. Choose Save.

You can modify the tags for your Connect peer.

To modify your Connect peer tags using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit Gateway Attachments.

  3. Select the Connect attachment, and then choose Connect peers.

  4. Select the Connect peer and then choose Actions, Manage tags.

  5. To add a tag, choose Add new tag and specify the key name and key value.

  6. To remove a tag, choose Remove.

  7. Choose Save.

To modify your Connect attachment and Connect peer tags using the AWS CLI

Use the create-tags and delete-tags commands.

Delete a Connect peer

If you no longer need a Connect peer, you can delete it.

To delete a Connect peer using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit gateway attachments.

  3. Select the Connect attachment.

  4. In the Connect Peers tab, select the Connect peer and choose Actions, Delete connect peer.

To delete a Connect peer using the AWS CLI

Use the delete-transit-gateway-connect-peer command.

Delete a Connect attachment

If you no longer need a Connect attachment, you can delete it. You must first delete any Connect peers for the attachment.

To delete a Connect attachment using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit gateway attachments.

  3. Select the Connect attachment, and choose Actions, Delete transit gateway attachment.

  4. Enter delete and choose Delete.

To delete a Connect attachment using the AWS CLI

Use the delete-transit-gateway-connect command.