Peer VMware managed TGW to AWS TGW in multi-region and multi-accounts

-

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---

UPDATED with On-prem connectivity (21 Sept 2021)

VMware Managed Transit Gateway (aka vTGW or VMware Transit Connect) has now the capability to peer with an AWS TGW in a different AWS region.
This is a new capability that will be introduced in the VMC release 1.16 but already available from 1.12 and up latest updates.

TGW peering

This capability has been available for quite some time with AWS Networking.
Today the routing between TGWs is static although AWS recommends to use different ASN in case BGP Dynamic routing will come later.

"To route traffic between the transit gateways, add a static route to the transit gateway route table that points to the transit gateway peering attachment.
We recommend using unique ASNs for the peered transit gateways to take advantage of future route propagation capabilities."

The following post will describe a vTGW to a TGW in multi-region - multi accounts setup.

Peering Link Encryption

Transit gateway peering uses the same network infrastructure as VPC peering and is therefore encrypted by definition. More information here.

Lab Setup

SDDC Grouping

Region A - Oregon

Accounts

In that side, we have the SDDC VMware Account AKA shadow account starting with 8442 and also the AWS Customer account in Oregon starting with 6140.
I will skip the SDDC grouping and VPC attachement as it's been described here
After creating SDDC_GROUP_A and attaching VPC110, the vTGW route table will look like:
Only after updating the VPC120 route tables, a VM inside the SDDC will can ping an EC2 in VPC110 via the vTGW

Region B - Ohio

Accounts

In that side we only have the AWS Customer account in Ohio starting with 0631.
Let's create a TGW and attach VPC 120 to it.

TGW

VPC120 route table

TGW Peering

At this stage we need to peer the vTGW and the Customer TGW.
There is a new TAB in the SDDC Group area on the VMC Console called "External TGW"

AWS TGW attachment

The peer link will be created by the VMC console between the vTGW (VMware account) and the Customer TGW (Customer Account)

Peering TGW route table

Transit Connect route table

VMC System Defined Groups

For simplicity and easy FW configuration, the VMC Console provides "system defined Groups" that will include DXGW, SDDC, VPC and now Customer TGW information

Connectivity 

Now a VM inside the SDDC can reach EC2 on the other region VPC120
EC2 inside VPC120 can ping SDDC VM

Allowed Flows

As a generic rule, traffic allowed over a vTGW MUST have an SDDC as one end of the flow.
For example EC2 in VPC 110 will not reach EC2 in VPC120.

Adding VPN to On-prem

After creating a Route based VPN from the Ohio TGW to on-prem, the TGW routing table is updated with on-prem Networks.
Let's focus on 192.168.200.0/24 and the VM at .50

Ping EC2 at VPC120

Add Static route to on-prem on the peering link

Updated routes in vTGW

Ping from SDDC to on-prem

Ping from on-prem to SDDC vCenter

Costs

All TGW costs and Data charges are described in a previous post here.
AWS TGW pricing details are here
I just wanted to highlight the inter-region peering costs:
  • vTGW account is charged $0.02/GB for "inter-region egress" (Oregon to Ohio)
  • AWS TGW account not charged as data is "ingress" for Ohio region 
and reverse:
  • TGW account is charged $0.02/GB for "inter-region egress" (Ohio to Oregon)
  • vTGW account is not charged as data is "ingress" for Oregon region
Inter region charges depends on Regions - please check this page.

Conclusion

VMware has now very strong networking capabilities with AWS TGW and VMware Managed TGW.
This is allowing very flexible design options.

Thanks for reading.

Comments

  1. AnonymousMay 18, 2022 at 5:54 AM

    Is there a reason you went with VPN to on premise instead of advertising the .50 on premise route over DXGW to TGW

    ReplyDelete

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Costs analysis for Data Transfer via VMware Managed TGW

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Every customer design is different but all of them should include a costs analysis specifically when using VMware managed Transit Gateway or AWS Transit Gateway. The AWS page here has very useful information for us to be able to understand costs. Transit Gateway Costs TGW pricing is split in 2 components: A fixed price for infrastructure connectivity per hour. Depending on the attachments, various account owners are charged.  A variable price for processing data via the TGW. Price is per GB. The sending account is charged. Prices depend on regions and range from $0.05 to $0.09 per attachment per hour. Who is charged? See AWS page VPC attachments The VPC account owner is charged and is billed hourly. VPN attachments The TGW account owner is billed hourly. Site-to-Site VPN connection pricing still applies in addition to the VPN TGW attachments. Direct Connect Gateway attachments The DXGW account owner is billed hourly.
Read more