How do I route traffic between VPCs through an on-premises firewall that uses a Direct Connect transit VIF?


I have an Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC) that must send traffic to an Amazon EC2 instance in another VPC. I want to know how to route the traffic through an on-premises firewall over a transit virtual interface (VIF).

Resolution

To route traffic between VPCs through an on-premises firewall over a transit VIF, complete the following steps:

  1. Create a transit gateway.
    Important: When you create the transit gateway, turn off the default route table association and default route table propagation settings. The transit gateway still gets a default route table (in this example, TGW RT-1), but attachments aren't automatically associated with it or propagated into it.
  2. Attach your VPCs to your transit gateway. In this example, the VPCs are VPC-A and VPC-B, with VPC attachments VPC-A-Attach and VPC-B-Attach.
  3. Create two AWS Direct Connect gateways. In this example, the gateways are DXGW-1 and DXGW-2.
  4. Create two VIFs on existing Direct Connect connections. In this example, the VIFs are Transit VIF-1 and Transit VIF-2.
  5. Attach Transit VIF-1 to DXGW-1 and Transit VIF-2 to DXGW-2.
  6. Bring the transit VIFs UP. Then, advertise a default route (0.0.0.0/0) or a supernetting route (summarized prefix of all VPC CIDRs) from the Direct Connect router.
  7. To create the attachments, associate DXGW-1 with the transit gateway, and then associate DXGW-2.
    Important: When you associate DXGW-1, keep Allowed Prefixes empty so that prefixes aren't advertised to the on-premises Direct Connect router. When you associate DXGW-2, in Allowed Prefixes, enter the VPC-A and VPC-B CIDR ranges that must be advertised to the on-premises Direct Connect router.
  8. Create another transit gateway route table. In this example, the other transit gateway route table is TGW RT-2.
  9. Associate the transit gateway route tables.
    First, associate VPC-A-Attach and VPC-B-Attach with TGW RT-1. Then, associate DXGW-1-Attach and DXGW-2-Attach with TGW RT-2.
  10. Propagate the transit gateway route tables.
    In TGW RT-1, propagate the route for DXGW-1-Attach without allowed prefixes. In TGW RT-2, propagate the routes for VPC-A-Attach and VPC-B-Attach.
  11. Add a static route in the VPC subnet route tables for the destination VPC CIDR that points to the transit gateway ID.
    In the VPC-A subnet route table, add a static route for the VPC-B CIDR. In the VPC-B subnet route table, add a static route for the VPC-A CIDR.
  12. Confirm that the security groups and network access control lists (ACLs) in the VPCs allow connectivity between the source and destination IP addresses.
    Note: To route traffic back to the appropriate VPC, configure routing on the Direct Connect router and on-premises firewall.
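As an added example (not part of the AWS article), the following Python script models the route table associations and propagations from steps 9 and 10 and traces a packet from VPC-A to VPC-B, so you can confirm that the design forces inter-VPC traffic through the on-premises firewall rather than letting the transit gateway switch it directly. The VPC CIDRs and the firewall's return path over Transit VIF-2 (DXGW-2-Attach) are assumptions.

```python
import ipaddress

# Constructed sample CIDRs (the article names the VPCs but gives no addresses).
VPC_A_CIDR = "10.1.0.0/16"
VPC_B_CIDR = "10.2.0.0/16"

# Step 9: the route table each attachment is associated with (used for ingress lookups).
ASSOCIATION = {
    "VPC-A-Attach": "TGW RT-1", "VPC-B-Attach": "TGW RT-1",
    "DXGW-1-Attach": "TGW RT-2", "DXGW-2-Attach": "TGW RT-2",
}
# Step 10: propagated routes. TGW RT-1 learns only the default route advertised
# over Transit VIF-1 (step 6); TGW RT-2 learns the VPC CIDRs from the VPC attachments.
ROUTE_TABLES = {
    "TGW RT-1": [("0.0.0.0/0", "DXGW-1-Attach")],
    "TGW RT-2": [(VPC_A_CIDR, "VPC-A-Attach"), (VPC_B_CIDR, "VPC-B-Attach")],
}

def lookup(routes, dst):
    """Longest-prefix match over (prefix, attachment) pairs; None if nothing matches."""
    best = None
    for prefix, attach in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attach)
    return best[1] if best else None

def trace(src_attach, dst_ip, association=ASSOCIATION, tables=ROUTE_TABLES):
    """Follow a packet from a VPC attachment until it reaches a VPC attachment.
    Assumption: anything handed to a Direct Connect gateway attachment reaches the
    on-premises firewall, which (per the article's Note) routes it back over
    Transit VIF-2, so it re-enters the transit gateway via DXGW-2-Attach."""
    dst = ipaddress.ip_address(dst_ip)
    path, current = [src_attach], src_attach
    for _ in range(4):                      # bounded so a routing loop cannot run forever
        rt = association[current]
        hop = lookup(tables[rt], dst)
        path += [rt, hop or "BLACKHOLE"]
        if hop is None or hop.startswith("VPC-"):
            return path
        path += ["on-prem firewall", "DXGW-2-Attach"]
        current = "DXGW-2-Attach"
    return path + ["LOOP"]

def inspected(path):
    """True only if the packet crossed the firewall before being delivered to a VPC."""
    return "on-prem firewall" in path and path[-1].startswith("VPC-")

if __name__ == "__main__":
    print(" -> ".join(trace("VPC-A-Attach", "10.2.0.10")))
```

Passing a modified `tables` dict (for example, with the VPC CIDRs also propagated into TGW RT-1) shows the longest-prefix match bypassing the firewall, which is why step 10 propagates only DXGW-1-Attach into TGW RT-1.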
AWS OFFICIAL, updated 5 months ago