I want to configure AWS Direct Connect as the primary link to my on-premises resources. I also want to configure a VPN as the secondary link to the same resources. How can I do this with AWS Transit Gateway?
Resolution
Task 1: Create a transit gateway
Task 2: Attach your VPC to your transit gateway
Task 3: Create an AWS Site-to-Site VPN and attach it to your transit gateway
Note: If you have a static VPN, make sure that the defined static routes use a less specific CIDR than any dynamic propagated routes. For routes that use the same CIDR, static routes have a higher precedence than dynamic propagated routes in the Transit Gateway route evaluation order.
Task 4: Attach your Direct Connect gateway to your transit gateway
For each VPC that's attached to your transit gateway, you must add the VPC CIDR range to the allowed prefixes of the Direct Connect gateway association. After the prefixes are added, they're advertised to the remote side over the transit virtual interface. You can have a maximum of 20 prefixes per AWS Transit Gateway from AWS to on-premises on a transit virtual interface. This quota can't be increased. For more information, see AWS Direct Connect quotas. If you have more than 20 VPCs, summarize the routes for multiple VPCs into a single CIDR range. Enter the summarized routes in the allowed prefixes section of the Direct Connect gateway association.
If you create a summarized route for VPC CIDRs, then the CIDRs advertised over the VPN are more specific than the CIDRs advertised over Direct Connect. Because routing follows the longest prefix match, the customer gateway prioritizes the VPN over the Direct Connect connection.
To resolve this issue:
- Add the summarized route that's associated with the Direct Connect gateway as a static route in the transit gateway route table that's associated with the Site-to-Site VPN attachment. For the target attachment, select a VPC with a CIDR that's part of the summarized route. The summarized route and the specific routes are now both advertised over the Site-to-Site VPN.
- In the customer gateway, filter out the specific routes advertised over the Site-to-Site VPN. The customer gateway now has the same summarized routes over both connections. The gateway prefers the Direct Connect connection.
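The following is an added example that is not part of the AWS article: a small Python model of the customer gateway's route selection. It shows why the specific VPC CIDRs learned over the VPN win over the summarized CIDR learned over Direct Connect (longest prefix match), and how filtering the more specific VPN prefixes restores Direct Connect as the preferred path. The sample prefixes and the path preference values are constructed assumptions.

```python
"""Model customer-gateway route selection for the Direct Connect / VPN design."""
from ipaddress import ip_address, ip_network

# Assumed path preference: lower value wins when prefixes are equally specific
# (mirrors a local-preference policy that favours Direct Connect over VPN).
PATH_PREFERENCE = {"direct_connect": 0, "vpn": 1}

# Constructed sample: on-premises learns the /16 summary over Direct Connect,
# and the summary plus the individual VPC /24s over the Site-to-Site VPN.
DX_ROUTES = ["10.0.0.0/16"]
VPN_ROUTES = ["10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"]


def build_rib(dx_routes, vpn_routes):
    """Return (network, path) entries learned over both links."""
    rib = [(ip_network(r), "direct_connect") for r in dx_routes]
    rib += [(ip_network(r), "vpn") for r in vpn_routes]
    return rib


def select_path(rib, destination):
    """Pick the path for a destination: longest prefix first, then path preference."""
    dst = ip_address(destination)
    candidates = [(net, path) for net, path in rib if dst in net]
    if not candidates:
        return None
    best = max(candidates, key=lambda e: (e[0].prefixlen, -PATH_PREFERENCE[e[1]]))
    return best[1]


def filter_more_specific(vpn_routes, summaries):
    """Drop VPN prefixes that sit inside a summary also learned over Direct Connect."""
    summary_nets = [ip_network(s) for s in summaries]
    keep = []
    for r in vpn_routes:
        net = ip_network(r)
        covered = any(net != s and net.subnet_of(s) for s in summary_nets)
        if not covered:
            keep.append(r)
    return keep


if __name__ == "__main__":
    rib = build_rib(DX_ROUTES, VPN_ROUTES)
    print("before filter:", select_path(rib, "10.0.1.25"))  # vpn
    filtered = build_rib(DX_ROUTES, filter_more_specific(VPN_ROUTES, DX_ROUTES))
    print("after filter:", select_path(filtered, "10.0.1.25"))  # direct_connect
```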
Task 5: Create transit gateway route tables, and then turn on route propagation for all attachments
Note: Be sure that the same on-premises prefix is advertised on both Border Gateway Protocol (BGP) sessions: the session on the Direct Connect transit virtual interface (VIF) and the session over the VPN.
- Open the Amazon Virtual Private Cloud (Amazon VPC) console.
- From the navigation pane, choose Transit Gateways.
- Verify that the Default association route table setting for your transit gateway is set to False.
Note: If the setting is set to True, skip to task 6.
- Choose Transit Gateway Route Tables.
- Choose Create Transit Gateway Route Table and then complete the following:
For Name tag, enter Route Table A.
For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
Choose Create Transit Gateway Route Table.
- Choose Route Table A (or the default route table of your transit gateway) and choose Associations, Create Association.
- For Choose attachment to associate, choose the association IDs for your VPCs and choose Create Association. Repeat this step until your Direct Connect gateway, VPN, and VPCs all display under Association.
- Choose Route Table Propagation.
- Choose Propagation. For Choose attachment to propagate, choose your Direct Connect gateway, VPN, and VPCs.
Task 6: Configure the route table associated with your VPC and attachment subnet
- Open the Amazon VPC console.
- From the navigation pane, choose Route Tables.
- Choose the route table that's attached to the attachment subnet.
- Choose the Routes tab and choose Edit Routes.
- Choose the Add Route tab and then complete the following:
For Destination, choose the subnet of the on-premises network.
For Target, choose your transit gateway.
Choose Save routes.