Considerations on vTGW to TGW Peering Link

-

  Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---

Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure.
The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW.
The customer requirements were:
  • VMs in each SDDC should have internet access from the SDDC out
  • VMs from Test should be able to talk to VMs in Prod
  • VMs in any SDDC should be able to access their own vCenter but also the other one
  • Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside
  • VMware traffic should stay within VMware SDDCs
  • Other traffic, like on-prem, should go via the Customer TGW

Test Setup

Step1 - Create SDDC Group

Create an SDDC Group and attach the 2 SDDCs Prod and Test
Make sure the proper FireWall rules are open in each SDDC Compute GW.

Step 2 - Attach the Customer TGW

In the SDDC Groups, under External TGW TAB, add the details from the customer side:
  • AWS Account
  • TGW ID
  • TGW Region
  • SDDC Region
  • Peer Link prefixes (up to 250)
Note the RFC 1918 prefixes on the Peering Link

Step 3 - Accept the peering attachment in AWS console

Accept the peering attachment and wait until "AVAILABLE" status is shown.
Verify the connectivity under SDDC Groups in VMC console

Note that it can take 10-15 mins until "CONNECTED" status

Step 4 - Check the routing tables

In the SDDC Groups, look for the Routing Tab.
Check also each SDDC Learned routes in the "Networking & Security" "Transit Connect" area.

Step 5 - Time for some Ping tests

VMs in SDDC_Prod and SDDC_Test can :
  • ping each other
  • ping the respective vCenters
  • ping external IP like amazon.com
  • use Public IP to SSH or HTTP/HTTPS
Prod Virtual Machine IP : 10.123.160.2
Test Virtual Machine IP  : 10.123.192.5

From Prod Virtual Machine:
Ping SDDC_Test VM and amazon.com
Ping SDDC_Test vCenter
Request a public IP and create a NAT rule
Verify access from outside

What about a 0.0.0.0/0 on the Peering Link?

Having RFC 1918 address on the peering link is great and covers about 2.3 Billion addresses.
Since we have all static routes entries in the routing tables, the most specific entries will take precedence.

If we code a 0.0.0.0/0 on the peering link, many things happen:
  • VMs in any SDDC can still communicate
  • VMs in any SDDC can still access the vCenters
  • VMs in any SDDC can NOT ping external IPs like amazon.com
  • Accessing VMs from outside with Public IPs will not be allowed
Basically anything that is NOT SDDC prefixes will be sent to the customer TGW.
Usually that is what customers wants and they will have the ability to control internet access on an Egress VPC and/or inspect traffic using a NGFW product.
vTWG route table

Conclusion

According to what the Customer wants to achieve it is very important to plan the Peering Link prefixes properly.
Today VMware Managed TGW has a soft limit of 250 prefixes.
All routes are static and even if the Customer TGW has a route table populated with all their prefixes, there is no protocol on the Peering Link that will allow these routes to be transferred to the vTGW.
It's been over 3 years that AWS is eluding about supporting BGP on the peering link and even strongly suggest to use different Autonomous System Numbers for each TGW, but until now, it's still static routes.

AWS. . . are you here???

Comments

  1. AnonymousOctober 14, 2022 at 11:54 PM

    Hi, just wondering if vTGW supports VPN attachment now?

    ReplyDelete
  2. AnonymousOctober 30, 2023 at 2:18 AM

    Can you choose a custom ASN on vTGW so when AWS supports BGP over TGW peering, setting ASN on vTGW is supported by VMC as well?

    ReplyDelete
    Replies
    1. Gilles ChekrounOctober 30, 2023 at 4:50 AM

      ASN on vTGW is hard coded today. Not sure if there are plans to change it

      Delete

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

Build a VMware Cloud on AWS Content Library using AWS S3

-
Image
Gilles Chekroun Lead NSX Systems Engineer - VMware Europe --- What is a Content Library? DISCLAIMER: External content libraries are not supported by VMware GSS ! vSphere Content Library is a repository where you can store VM templates, vApp templates and other kind of files like ISO.  Administrators can use the templates to deploy VMs and vApps. Each item library can contain multiple files. The basis is  .ovf   together with the description files like .mf and .vmdk If you have .ova files, you can simply un-compress them using the linux command:  tar -xvf SomeFile.ova There are two kind of Libraries: Local and Subscribed. Local Library Local Library stores items in a single vCenter. VM and vApp templates are stored as OVF file format. Subscribed Library You can create a Subscribed Library in the same vCenter and to ensure the content is up-to-date, the library can automatically sync with the source on a regular basis. You can also use the option to download co
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more