DEV Community

selvakumar palanisamy

AWS Transit Gateway

AWS Transit Gateway is a highly available and scalable service that connects VPCs to your on-premises network. Within a Region, it consolidates and centrally manages routing between VPCs using a hub-and-spoke network architecture.

AWS Transit Gateway supports inter-Region peering with other transit gateways, which routes network traffic between VPCs in different Regions across the AWS global backbone instead of over the internet. When a Direct Connect or AWS Site-to-Site VPN connection is attached to the transit gateway, it also integrates with hybrid network configurations.

In contrast to other AWS connectivity types, which only allow one-to-one network connections, a transit gateway allows one-to-many network connections.

Transit Gateways alleviate some of the issues associated with VPC Peering.

VPC peering can be used to build a full mesh network that uses individual connections between all networks.
However, as the number of your VPCs grows, this can become very difficult to manage.

AWS Transit Gateway, unlike other AWS connectivity options (which are peer-to-peer), allows you to create a hub-and-spoke network topology. Connect your existing VPCs, data centres, remote offices, and remote gateways to a managed transit gateway for complete control over network routing and security. This is possible even if your VPCs, Active Directory, shared services, and other resources span multiple AWS accounts.

The lack of transitive peering in VPC peering was the impetus for the creation of AWS Transit Gateway, hence the name. Transitive routing simplifies full multi-VPC mesh networks, in which every node is connected to every other node.

Transit Gateway automation using CloudFormation stacks

1) Create the transit gateway in the management account, together with a transit gateway resource share that shares it with the accounts owning the application VPCs

Transit gateway template

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Transit Gateway for VPC connections'

Parameters:

  EnvType:
    Description: 'Environment name used to namespace the exported output values.'
    Type: String
    Default: dev

  Principals:
    Description: 'The list of principals to associate with the resource share, i.e. the IDs of the AWS accounts that are allowed to attach VPCs.'
    Type: CommaDelimitedList
    Default: XXXXXXXXXXX   # placeholder: replace with the consuming AWS account IDs

Resources:
  TransitGateway:
    Type: "AWS::EC2::TransitGateway"
    Properties:
      AmazonSideAsn: 65000
      Description: "Transit Gateway"
      # Attachments created by the accounts the gateway is shared with are
      # accepted without manual approval, so the Principals list is the only
      # control over who can join the hub.
      AutoAcceptSharedAttachments: "enable"
      # Every new attachment is associated with the default route table.
      DefaultRouteTableAssociation: "enable"
      DnsSupport: "enable"
      VpnEcmpSupport: "enable"
      Tags:
        - Key: Application
          Value: TransitGateway

  TransitGatewayResourceshare:
    Type: "AWS::RAM::ResourceShare"
    Properties:
      Name: "Transit Gateway Resource Share"
      # The share needs the full ARN; !Sub expands ${TransitGateway} to the gateway ID.
      ResourceArns:
        - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${TransitGateway}'
      Principals: !Ref Principals
      Tags:
        - Key: Application
          Value: TransitGatewayResourceshare

Outputs:
  StackName:
    Description: 'Stack name.'
    Value: !Sub '${AWS::StackName}'
    Export:
      Name: !Sub '${AWS::StackName}'
  TransitGatewayId:
    Description: 'Transit Gateway Id.'
    Value: !Ref TransitGateway
    Export:
      Name: !Sub '${EnvType}-transitGatewayId'
  TransitGatewayResourceshareId:
    Description: 'Transit Gateway Resource Share Id.'
    Value: !Ref TransitGatewayResourceshare
    Export:
      Name: !Sub '${EnvType}-transitGatewayResourceshareId'
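Because the template enables AutoAcceptSharedAttachments, the RAM principal list is the only thing deciding who can attach a VPC to the hub. The following script is an added example (not code from the original post) that audits that combination: it reads the gateway options as EC2 DescribeTransitGateways returns them and the share principals as RAM GetResourceShareAssociations returns them, then reports which accounts can attach without review. The clients are passed in, so the constructed stand-ins at the bottom run offline; with boto3 you would pass boto3.client("ec2") and boto3.client("ram") instead. All IDs and ARNs in it are constructed placeholders.

```python
"""Audit the sharing posture of a transit gateway like the one in the template."""
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")


def share_principals(ram, resource_share_arn):
    """Principals the RAM share is currently associated with."""
    resp = ram.get_resource_share_associations(
        associationType="PRINCIPAL", resourceShareArns=[resource_share_arn]
    )
    return [
        assoc["associatedEntity"]
        for assoc in resp["resourceShareAssociations"]
        if assoc["status"] == "ASSOCIATED"
    ]


def audit_transit_gateway(ec2, ram, tgw_id, resource_share_arn):
    """Return (severity, message) findings for one shared transit gateway."""
    tgw = ec2.describe_transit_gateways(TransitGatewayIds=[tgw_id])["TransitGateways"][0]
    opts = tgw["Options"]
    principals = share_principals(ram, resource_share_arn)
    # Anything that is not a plain account ID (an organization or OU ARN)
    # extends the share to every account beneath it.
    broad = [p for p in principals if not ACCOUNT_ID.match(p)]
    findings = []

    if opts.get("AutoAcceptSharedAttachments") == "enable":
        if broad:
            findings.append(("HIGH", f"auto-accept is on and the share targets {broad}; "
                             "every account under those principals can attach a VPC with no approval step"))
        else:
            findings.append(("MEDIUM", f"auto-accept is on; attachments from accounts {principals} "
                             "join the hub without review"))
    if (opts.get("DefaultRouteTableAssociation") == "enable"
            and opts.get("DefaultRouteTablePropagation") == "enable"):
        findings.append(("INFO", "all attachments share the default route table and propagate into it, "
                         "so every attached VPC can reach every other unless separate route tables are used"))
    return findings


# --- constructed stand-ins for the two boto3 clients (offline demo) ----------

class FakeEc2:
    def __init__(self, options):
        self.options = options

    def describe_transit_gateways(self, TransitGatewayIds):
        return {"TransitGateways": [{"TransitGatewayId": TransitGatewayIds[0],
                                     "Options": self.options}]}


class FakeRam:
    def __init__(self, principals):
        self.principals = principals

    def get_resource_share_associations(self, associationType, resourceShareArns):
        return {"resourceShareAssociations": [
            {"resourceShareArn": resourceShareArns[0], "associationType": associationType,
             "associatedEntity": p, "status": "ASSOCIATED"} for p in self.principals]}


# Options as the template sets them (DefaultRouteTablePropagation defaults to "enable").
TEMPLATE_OPTIONS = {"AmazonSideAsn": 65000, "AutoAcceptSharedAttachments": "enable",
                    "DefaultRouteTableAssociation": "enable",
                    "DefaultRouteTablePropagation": "enable",
                    "DnsSupport": "enable", "VpnEcmpSupport": "enable"}
SHARE_ARN = "arn:aws:ram:eu-west-1:111111111111:resource-share/placeholder"  # constructed


def audit_with_account_principals():
    """Share offered to one explicit account ID (constructed)."""
    return audit_transit_gateway(FakeEc2(TEMPLATE_OPTIONS), FakeRam(["222222222222"]),
                                 "tgw-placeholder", SHARE_ARN)


def audit_with_ou_principal():
    """Share offered to a whole organizational unit (constructed ARN)."""
    ou = "arn:aws:organizations::111111111111:ou/o-placeholder/ou-placeholder"
    return audit_transit_gateway(FakeEc2(TEMPLATE_OPTIONS), FakeRam([ou]),
                                 "tgw-placeholder", SHARE_ARN)


if __name__ == "__main__":
    for sev, msg in audit_with_account_principals() + audit_with_ou_principal():
        print(f"[{sev}] {msg}")
```

The INFO finding is the one to act on when the hub carries workloads that should not see each other: with both defaults enabled, the second template's 10.0.0.0/8 routes give every attached VPC a path to every other one.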

2) Create the VPC, the transit gateway attachment, the transit gateway route table, associations and route propagation

Attachments
AWS Transit Gateway supports the following connections:

  • One or more VPCs
  • A compatible Software-Defined Wide Area Network (SD-WAN) appliance
  • A Direct Connect gateway
  • A peering connection with another transit gateway
  • A VPN connection to a transit gateway

AWS Transit Gateway MTU
AWS Transit Gateway supports an MTU of 8,500 bytes for:

  • VPC connections
  • Direct Connect connections
  • Connections to other transit gateways
  • Peering connections

For VPN connections, AWS Transit Gateway supports an MTU of 1,500 bytes.

AWS Transit Gateway route table
A transit gateway has a default route table and can optionally have additional route tables. A route table includes dynamic and static routes that decide the next hop based on the destination IP address of the packet. The target of these routes can be any transit gateway attachment.

Associations
Each attachment is associated with exactly one route table. Each route table can be associated with zero to many attachments.

Route propagation

  • A VPC, VPN connection, or Direct Connect gateway can dynamically propagate routes to a transit gateway route table. With a Direct Connect attachment, the routes are propagated to a transit gateway route table by default.
  • With a VPC, you must create static routes to send traffic to the transit gateway.
  • With a VPN connection or a Direct Connect gateway, routes are propagated from the transit gateway to your on-premises router using BGP.
  • With a peering attachment, you must create a static route in the transit gateway route table to point to the peering attachment.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template to create a VPC and attach it to the shared transit gateway'

Parameters:

  TransitGatewayId:
    Description: 'ID of the network service transit gateway shared with this account'
    Type: String

Resources:

  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  # One subnet per Availability Zone; the transit gateway attachment places a
  # network interface in each of them.
  SubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: '10.0.1.0/24'
      VpcId: !Ref VPC
  SubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: '10.0.2.0/24'
      VpcId: !Ref VPC
  SubnetC:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [2, !GetAZs '']
      CidrBlock: '10.0.3.0/24'
      VpcId: !Ref VPC
  RouteTableA:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  RouteTableB:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  RouteTableC:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  RouteTableAssociationA:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref RouteTableA
  RouteTableAssociationB:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetB
      RouteTableId: !Ref RouteTableB
  RouteTableAssociationC:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetC
      RouteTableId: !Ref RouteTableC
  # VPC attachment to the shared gateway. Because the gateway auto-accepts
  # shared attachments and associates them with its default route table,
  # no acceptance or association step is needed on the hub side.
  TransitGatewayAttachment:
    Type: 'AWS::EC2::TransitGatewayAttachment'
    Properties:
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
        - !Ref SubnetC
      Tags:
        - Key: Application
          Value: NetworkServiceTransitGateway
      TransitGatewayId: !Ref TransitGatewayId
      VpcId: !Ref VPC

  # VPC route tables never learn transit gateway routes dynamically, so a
  # static route to the gateway is created per subnet route table. The VPC's
  # own 10.0.0.0/16 stays on the more specific local route. DependsOn is
  # required: a route to a transit gateway is only valid once the attachment exists.
  RouteTableEcsATransitGatewayRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: TransitGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableA
      DestinationCidrBlock: '10.0.0.0/8'
      TransitGatewayId: !Ref TransitGatewayId
  RouteTableEcsBTransitGatewayRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: TransitGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableB
      DestinationCidrBlock: '10.0.0.0/8'
      TransitGatewayId: !Ref TransitGatewayId
  RouteTableEcsCTransitGatewayRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: TransitGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableC
      DestinationCidrBlock: '10.0.0.0/8'
      TransitGatewayId: !Ref TransitGatewayId

AWS Transit Gateway inter-regional peering

For routing traffic between VPCs in different Regions, AWS provides two types of peering connections: VPC peering and transit gateway peering.
Both types of peering are one-to-one, but transit gateway peering connections give a simpler network design and more centralised management.

Assume a customer has several VPCs in three different Regions.
To allow network traffic to route between each VPC, 72 VPC peering connections must be established.
Each VPC requires eight distinct routing configurations and security policies.

The same environment requires only three peering connections when using AWS Transit Gateway. Each Region's transit gateway routes network traffic to all VPCs in its Region.
Because the transit gateway manages all routing, the customer only needs to maintain three routing configurations, simplifying management.
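The route table, association and propagation rules from step 2, and the static-route requirement for peering attachments, decide which VPCs can actually reach each other once everything is attached. The model below is an added example (not code from the original post) that implements those rules: one associated route table per attachment, static plus propagated routes, longest-prefix match on the destination IP, and a peering attachment reachable only via a static route. It contrasts the flat default-route-table layout the templates produce with a segmented layout where spokes reach only a shared-services VPC. Attachment IDs and CIDRs are constructed.

```python
"""Model of how transit gateway route tables resolve a next hop."""
import ipaddress


class TransitGatewayRouteTable:
    def __init__(self, name):
        self.name = name
        self.routes = {}   # ip_network -> attachment id, or "blackhole"

    def add_static_route(self, cidr, target):
        """Static route, e.g. to a peering attachment (peering never propagates)."""
        self.routes[ipaddress.ip_network(cidr)] = target

    def propagate(self, attachment_id, cidrs):
        """VPC, VPN and Direct Connect attachments can propagate their prefixes."""
        for cidr in cidrs:
            self.routes[ipaddress.ip_network(cidr)] = attachment_id

    def next_hop(self, dst_ip):
        """Longest-prefix match; None means no route, so the packet is dropped."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


class TransitGateway:
    def __init__(self):
        self.tables = {}
        self.association = {}   # attachment id -> its single associated route table

    def add_table(self, name):
        self.tables[name] = TransitGatewayRouteTable(name)
        return self.tables[name]

    def associate(self, attachment_id, table):
        if attachment_id in self.association:
            raise ValueError(f"{attachment_id} is already associated with a route table")
        self.association[attachment_id] = table

    def forward(self, src_attachment, dst_ip):
        """Traffic arriving on an attachment is looked up in that attachment's table."""
        return self.association[src_attachment].next_hop(dst_ip)


# Constructed attachments: two application spokes and one shared-services VPC.
SPOKES = {"tgw-attach-a": "10.0.0.0/16", "tgw-attach-b": "10.1.0.0/16"}
SHARED_ID, SHARED_CIDR = "tgw-attach-shared", "10.2.0.0/16"


def build_flat_hub():
    """Default association and propagation, as the first template configures it."""
    tgw = TransitGateway()
    default = tgw.add_table("default")
    for att, cidr in list(SPOKES.items()) + [(SHARED_ID, SHARED_CIDR)]:
        tgw.associate(att, default)
        default.propagate(att, [cidr])
    # Peered transit gateway in another Region: reachable only via a static route.
    default.add_static_route("10.100.0.0/16", "tgw-attach-peer")
    return tgw


def build_segmented_hub():
    """Spokes talk to shared services only; spoke-to-spoke traffic is dropped."""
    tgw = TransitGateway()
    spokes = tgw.add_table("spokes")
    shared = tgw.add_table("shared")
    for att, cidr in SPOKES.items():
        tgw.associate(att, spokes)
        shared.propagate(att, [cidr])          # shared VPC learns every spoke
    tgw.associate(SHARED_ID, shared)
    spokes.propagate(SHARED_ID, [SHARED_CIDR])  # spokes learn only the shared VPC
    spokes.add_static_route("10.0.0.0/8", "blackhole")  # rest of 10/8 is dropped
    return tgw


if __name__ == "__main__":
    flat, seg = build_flat_hub(), build_segmented_hub()
    print("flat a->b      :", flat.forward("tgw-attach-a", "10.1.0.5"))
    print("flat a->peer   :", flat.forward("tgw-attach-a", "10.100.4.4"))
    print("seg  a->b      :", seg.forward("tgw-attach-a", "10.1.0.5"))
    print("seg  a->shared :", seg.forward("tgw-attach-a", "10.2.0.9"))
```

In the flat hub every spoke reaches every other spoke because all of them propagate into, and are associated with, the same table. In the segmented hub the spoke table holds only the shared VPC's prefix plus a blackhole for the rest of 10.0.0.0/8, so spoke-to-spoke traffic is dropped at the gateway while the shared table still returns traffic to each spoke.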

Transit Gateway peering
