AWS Transitive routing with Transit Gateways in the same region

-
Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions.
Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski, about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking.

 Well . . . I needed to test that and see by myself.

Test bed


 For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs.
The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I create 2 subnets on the bridging VPC and adapt the route tables as described below.

Step 1 - Create 2 TGWs in the same region

If TGWs were in different regions, then TGW peering is available since early Dec 2019. But here we want to concentrate on TGWs in the same region.
Give separate ASN to both TGWs and keep default route propagation and association enabled.

Step 2 - Create VPCs and attach them respectively

For each VPC, I have 1 subnet in 1 AZ and an EC2 to do the networking tests. I also attach an IGW so I can SSH to my EC2 from outside.
CIDR will be 172.201, 202, 203, 204.0.0/16

Step 3 - Create "Bridging VPC"

The Bridging VPC will need 2 subnets and will be VPC attached to each TGW. No EC2. No NAT. just simple routing tables.

Step 4 - VPC Route Tables

For VPCs 1 and 2, all routes will point to TGW_A. For VPCs 3 and 4, all routes will point to TGW_B. Default  route 0.0.0.0/0 points to IGW.

Step 5 - Bridging VPC Route Table

On the bridging VPC, the route table will point VPC1 and 2 to TGW_A and VPC3 and 4 to TGW_B

TGWs Route Table Associations and Propagations

This is really where we need to be careful. We should leave the TGW Route table association and propagation ON for VPC1,2,3,4 but DISABLE Route Table propagation for the Bridging VPC
And similarly for TGW_B

Add a Global Static Route to point to Bridging VPC

On both TGW_A and TGW_B we need to add a global static route 0.0.0.0/0 that will point to the Bridging VPC.

Ping Tests

Ping from EC2 in VPC1 to EC2 in VPC3
Ping from EC2 in VPC4 to EC2 in VPC2

Re-deploy the test bed easily

I am a big fan of Terraform and did a complete setup of this test bed using AWS provider.
Complete Terraform code here. Please update the terraform.tfvars with your credentials.


Comments

  1. UnknownMarch 17, 2021 at 7:57 PM

    nice write up!

    ReplyDelete
  2. KIVagantAugust 26, 2021 at 8:42 PM

    Thank you for the topic

    ReplyDelete
  3. AnonymousOctober 21, 2021 at 12:38 PM

    Very interesting. I have been told that Intra Region TGW connections will be allowed soon, but this might be a useful work around until that happens.

    ReplyDelete
    Replies
    1. GillesOctober 21, 2021 at 1:51 PM

      Indeed but until now peering is only Inter-region. Will see ;)

      Delete
    2. EvgenyDecember 13, 2021 at 3:09 AM

      Transit Gateway Intra-Region peering is available now. Thank you for the blog post. Would be great if you could add a banner and direct folks to https://aws.amazon.com/blogs/networking-and-content-delivery/aws-transit-gateway-now-supports-intra-region-peering/ for the new capability (or even better write another blog post). :)

      Delete

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more