When we have many environments (development, quality and production) on AWS and we separate in different VPCs or AWS accounts, we can have a Transit Gateway; however, when we require an on-premise scenario using Direct Connect with less than 1GB to Transit Gateway native is not supported but, in the following description we’ll see an option of how we can solve it applying the mentioned services with AWS Direct Connect of 100Mbps.
Important
In the next scenario we are using a telecommunications provider that offers connections lower than 1GB on AWS Direct Connect.
Definition
AWS Direct Connect “AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection, you can create virtual interfaces directly to public AWS services (for example, to Amazon S3) or to Amazon VPC, bypassing internet service providers in your network path. An AWS Direct Connect location provides access to AWS in the Region with which it is associated. You can use a single connection in a public Region or AWS GovCloud (US) to access public AWS services in all other public Regions.” 1
AWS Transit Gateway “A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. Your data is automatically encrypted and never travels over the public internet.” 2
AWS VPN “AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. Each service provides a highly-available, managed, and elastic cloud VPN solution to protect your network traffic. AWS Site-to-Site VPN creates encrypted tunnels between your network and your Amazon Virtual Private Clouds or AWS Transit Gateways. For managing remote access, AWS Client VPN connects your users to AWS or on-premises resources using a VPN software client.” 3
SOPHOS “Sophos XG Firewall is the only network security solution that is able to fully identify the user and source of an infection on your network and automatically limit access to other network resources in response. ... Using Security Heartbeat, we can do much more than just see the health status of an endpoint.” 4
Diagram description
First, we are using AWS Control Tower to segment accounts; we have three AWS accounts in the diagram, an account with the name: Networking; it will be used for interconnection with on-premise and AWS. We also associate the transit gateway attached to the other AWS accounts.
There is a connection from on-premise to AWS using Direct Connect 100Mbps with BGP and VIF (Virtual Interfaces) private.
We create and configure a floating VPC (Virtual Private Gateway), and this point is very important since it’s floating is not associated with any VPC .
We create a transit VPC, it will have four subnets, two private and two public subnets.
Deploy and configure two Sophos XG EC2 instances to our communication routers between Direct Connect and Transit Gateway. You can obtain Sophos XG from AWS Marketplace. We use two Sophos XG with HA (high availability) in two different availability zones.
As previously presented, when the template is deployed it assigns an Elastic IP reserved to each Sophos XG, which we will use for creating VPC connection.
We Configure Transit Gateway on the AWS account of name: “Networking” and we associate the VPC’s AWS accounts QA/DEV and PROD, also the “transit” VPC which have the Sophos XG.
We Create and configure a VPN connection with AWS on each Sophos XG using Elastic IP reserved on the EC2 instances. It’s important that at the moment of configuring, we do not use the option of Transit Gateway given, we use floating VPG (Virtual Private Gateway)
In Sophos XG
We create and configure a VPN connection with AWS and associate the routes for the BGP that we obtained from the configuration file on AWS-VPN console.
We configure firewall policy and routes.
In the route table of VPC and AWS
Previously, the VPCs that we will use from the three AWS accounts were associated with the Transit Gateway, so now, we only must modify the routing tables to go through Transit Gateway.
At this point, we have a solution created and configured using AWS Direct Connect of 100Mbps with AWS Transit Gateway.
Comments and recommendations
Understand the use of Transit Gateway, VPN and Direct Connect.
Take Transit Gateway Workshops, this is an important service to execute AWS configurations.
You can use any router brand (for example: Forti, Checkpoint, etc.).
Activate VPC Flow Logs and review blocked and accepted traffic on VPCs.
In my case I created a Sandbox VPC in the same region as the AWS account “Networking” to do tests and simulations with other VPC.
References
https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-sub-1-gbps-hosted-connections-with-aws-transit-gateway/
https://aws.amazon.com/marketplace/pp/prodview-ga4qvij427bvw?sr=0-5&ref_=beagle&applicationId=AWSMPContessa
Top comments (1)
Nice.