Create Connection Between VPC (One Region) using AWS Transit Gateway
What is AWS Transit Gateway?
AWS Transit Gateway is a service that lets customers interconnect many Amazon VPCs, AWS accounts, and on-premises networks through a single gateway. This simplifies the network and puts an end to complex peering relationships: it removes the complexity of VPC peering when there are thousands of VPCs to connect.
Demo Labs: Connecting 3 VPCs using AWS Transit Gateway
Architecture System
Pre-requisite:
- VPC A, B and C have been created and are publicly accessible (SSH and ping work)
- A VM is created in each VPC
Step by step:
1. Prepare the 3 VPCs in different subnets.
Each VPC has to be publicly accessible via an internet gateway, and each VPC has a different subnet. Creating a VPC takes 4 simple steps:
- Create the VPC
- Create a subnet for each VPC
- Create an internet gateway for each VPC
- Change the route table (edit the route so it targets the internet gateway, and add the subnet association)
2. Create Transit Gateway.
From the left panel in the VPC section, choose Transit Gateway and create.
Define the name of the Transit Gateway and untick the options Default route table association and Default route table propagation, because we will define the route tables ourselves.
3. Create Transit Gateway Attachment.
From the left panel in the VPC section, choose Transit Gateway attachment and create.
Define the name, choose the Transit Gateway ID created before, and choose VPC as the attachment type. You can change the attachment type to VPN, Peering Connection, etc. based on your needs.
Choose the VPC attachment for each VPC; in this example the attachment is created in VPC A, so choose VPC A.
Repeat the attachment creation for each VPC (TGW attachments for VPC A, B and C).
4. Define Transit Gateway Route Tables.
There are 3 parts to configure:
- Associations (attach the VPC's own transit gateway attachment)
- Propagation (attach the neighbour attachments that it will be connected to)
- Routes (routes that direct the traffic from the transit gateway; they are filled in automatically after the propagation is defined)
The association for VPC A, B and C is the same: each route table is attached to its own transit gateway attachment.
Because in this case VPC A can connect only to VPC B, the propagation has to attach the attachment of VPC B.
Below is the propagation for VPC B; it propagates VPC A and C because in this case VPC B has to connect to VPC A and C.
And VPC C propagates with VPC B so the two of them can connect.
After the propagation is enabled, the Routes tab is automatically filled with the routes directing traffic from each Transit Gateway attachment.
5. After defining the Transit Gateway and its route tables for each VPC, the Transit Gateway can basically send traffic according to those route tables. But can each VPC connect already? No, we also have to define the route table in the VPC itself. This is like routing on Cisco/MikroTik, if you know it: in each VPC we have to add a route that sends traffic to the Transit Gateway.
As you can see, VPC A needs a route that sends traffic for VPC B (10.40.0.0/24) through the transit gateway. VPC B needs routes that send traffic for VPC A (10.30.0.0/24) and VPC C (10.50.0.0/24) through the transit gateway.
And the same for VPC C: it routes to VPC B (10.40.0.0/24) through the transit gateway.
6. After the route tables on each VPC and on the transit gateway have been configured for the connectivity we want, the study case is done. The connectivity tests are shown below (don't forget to open ICMP in the EC2 Security Group only from the source IP in the source VPC we want):
Note: do the same on the other EC2 security groups according to the case, then test the connectivity.
- VPC A to VPC B
As you can see, VPC A has no connectivity to VPC C (10.50.0.116)
- VPC B to VPC A and VPC C
VPC B successfully connects to VPC A and VPC C
- VPC C to VPC A
As you can see, VPC C can connect to VPC B but cannot connect to VPC A.
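To check that the route tables from steps 4 and 5 really produce the intended segmentation (A reaches B, B reaches A and C, A and C never reach each other), here is an added example that is not part of the original post: it models the TGW associations, propagations and VPC route tables as data and computes which VPC pairs can ping. The attachment and route table ids are placeholders; in a real account the same inputs come from `aws ec2 get-transit-gateway-route-table-associations`, `aws ec2 get-transit-gateway-route-table-propagations` and `aws ec2 describe-route-tables`.

```python
from ipaddress import ip_network

# Constructed data mirroring the lab: the three CIDRs and placeholder attachment ids.
VPC_CIDRS = {"A": "10.30.0.0/24", "B": "10.40.0.0/24", "C": "10.50.0.0/24"}
ATTACHMENT = {"A": "tgw-attach-A", "B": "tgw-attach-B", "C": "tgw-attach-C"}
# Step 4 as data: the TGW route table each attachment is associated with, and the
# neighbour attachments each table accepts propagations from.
LAB_ASSOCIATION = {"A": "tgw-rtb-A", "B": "tgw-rtb-B", "C": "tgw-rtb-C"}
LAB_PROPAGATION = {"tgw-rtb-A": ["B"], "tgw-rtb-B": ["A", "C"], "tgw-rtb-C": ["B"]}
# Step 5 as data: each VPC's own route table, destination CIDR -> target.
LAB_VPC_ROUTES = {"A": {"10.40.0.0/24": "tgw"},
                  "B": {"10.30.0.0/24": "tgw", "10.50.0.0/24": "tgw"},
                  "C": {"10.40.0.0/24": "tgw"}}

# Contrast case: default association/propagation left on (the options step 2 unticks)
# plus a 10.0.0.0/8 summary route to the TGW in every VPC, a common shortcut.
DEFAULT_ASSOCIATION = {v: "tgw-rtb-default" for v in VPC_CIDRS}
DEFAULT_PROPAGATION = {"tgw-rtb-default": ["A", "B", "C"]}
SUMMARY_VPC_ROUTES = {v: {"10.0.0.0/8": "tgw"} for v in VPC_CIDRS}

def longest_match(routes, dst_cidr):
    """Longest-prefix match of dst_cidr against {cidr: target}; None if nothing covers it."""
    dst = ip_network(dst_cidr)
    hits = [(ip_network(c).prefixlen, t) for c, t in routes.items() if dst.subnet_of(ip_network(c))]
    return max(hits)[1] if hits else None

def tgw_table_routes(table, propagation):
    """Routes a TGW route table learns by propagation: propagating VPC's CIDR -> its attachment."""
    return {VPC_CIDRS[v]: ATTACHMENT[v] for v in propagation.get(table, [])}

def forwards(src, dst, association, propagation, vpc_routes):
    """One direction: src VPC route table -> TGW table associated with src -> dst attachment."""
    if src == dst:
        return True  # the VPC's implicit local route
    if longest_match(vpc_routes[src], VPC_CIDRS[dst]) != "tgw":
        return False  # step 5 missing: the VPC never hands the packet to the TGW
    learned = tgw_table_routes(association[src], propagation)
    return longest_match(learned, VPC_CIDRS[dst]) == ATTACHMENT[dst]

def can_ping(src, dst, association=LAB_ASSOCIATION, propagation=LAB_PROPAGATION,
             vpc_routes=LAB_VPC_ROUTES):
    """Ping needs both directions: the echo reply follows dst's tables back to src."""
    return (forwards(src, dst, association, propagation, vpc_routes)
            and forwards(dst, src, association, propagation, vpc_routes))

def reachability_matrix(**cfg):
    """{src: {dst: bool}} for every VPC pair under the given (or the lab's) route tables."""
    return {s: {d: can_ping(s, d, **cfg) for d in VPC_CIDRS} for s in VPC_CIDRS}
```

Running the matrix with the contrast data (default route table plus summary routes) makes every pair reachable, which is why step 2 unticks the default association and propagation. With the lab's TGW route tables but summary VPC routes, A and C still cannot ping, showing that the TGW route tables are what enforce the segmentation.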
That's all for creating connections between VPCs in the same region using AWS Transit Gateway. If you have thousands of VPCs or on-premises networks, you can easily centralize the connectivity with AWS Transit Gateway. Thanks, have a nice day!
Read more: https://aws.amazon.com/transit-gateway/