Adding VMware Transit Connect to Egress VPC (Part 3)

-

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---

UPDATE 6 NOV 2020: Github terraform code here

Finally, here is Part 3 of this blog "series" around Egress VPC.

Part 1 is here and Part 2 is here

After setting up the  Egress VPC in part 1 and adding a VPN connected SDDC in part 2 I want to connect the SDDC and the Apps VPCs via a VMware Transit Connect a.k.a. VMware managed Transit gateway.

Lab Setup

Creating an SDDC Group

I have described in deep details the way to create SDDC group and attach Customer VPCs in this article. Let's go and do that quickly.
  1. Create an SDDC group and Attach the SDDC. This step will create the vTGW.
  2. Under "VPC Connectivity" tab, configure the Customer AWS  account number so the vTGW resource can be shared.
  3. On Customer AWS console, go to RAM (Resource Access Manager) and look for "Resources shared  with me"
  4. Accept the vTGW resource

Connecting Apps VPCs

We have now accepted the shared vTGW resource and are able to connect Customer Apps VPCs.

1 - On AWS console, go to VPC, Transit Gateways and select "Transit Gateways Attachments"

2 - Create 2 new attachments and connect the 2 Apps VPCs
3 - The new attachments will be in "pending acceptance" state until we accept them from the VMC console. Since this process is asynchronous, it can take a few mins (I have seen 3 to 10 mins) until we will see the acceptance request in the VMC console. Be patient.

4 - After accepting the VPCs in the VMC console, their state will move to "pending", then "available" and "associated"

Checking the vTGW routes learned in the SDDC

Adding CGW Firewall rules for vTGW

The CGW FW rules will allow traffic to and from the vTGW attached VPCs. We have now a new System Group that includes the VPC prefixes. These rules need to be "Applied to" the Direct Connect interface. It's a bit confusing for now but this is where the SDDC attachment as  "VPC" lives. We are looking to rename it to "DX/vTGW" or something similar.

Update the Apps VPCs route table 

From the Apps VPC point of view we have now 2 TGWs attachments (and by the way the AWS limit is 5). We need to select the proper way out of these VPCs to "TGW-Internet" or vTGW

Tests

Voila. At this stage all is ready.

  • SSH to the Ubuntu VM
  • Ping EC2 in Apps VPC 100
  • Ping EC2 in Apps VPC 200
  • Traceroute to the EC2s and verify that no NAT gateways are in the path.

Connection to On-prem

In my lab, I don't have Direct connect and the connectivity to on-prem would be something like:

Next Step

As many of you know, I am a fan of Terraform and my next project will be to automate this lab creation with Terraform.
I will update this post with a Github link when that's done.

Thanks for reading.

Comments

  1. Ajay KallaOctober 31, 2020 at 7:14 AM

    Very Useful Content , What tool you use to create Diagrams ?

    ReplyDelete
  2. WBandeiraMarch 4, 2021 at 11:32 PM

    Great content Guilles! In the last diagram when you talk about "Connection to On-prem", I can connect DX Gateway up to 3 TGWs according to AWS Documentation. But this TGWs (VMware or not) can be in the same region? Thank you for your attention.

    ReplyDelete
    Replies
    1. Gilles ChekrounMarch 5, 2021 at 8:47 AM

      In my case they should in the same region just because they connect to the same VPCs.
      In general a DXGW is not linked to a region and the 3 associations can come from different regions

      Delete

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more