How do I route traffic between VPCs through an on-premises firewall that uses a Direct Connect transit VIF?
I have an Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC) that must send traffic to an Amazon EC2 instance in another VPC. I want to know how to route the traffic through an on-premises firewall over a transit virtual interface (VIF).
Resolution
To route traffic between VPCs through an on-premises firewall over a transit VIF, complete the following steps:
Create a transit gateway. Important: Turn off the default association route table and default propagation route table settings so that attachments aren't automatically associated with, or propagated to, the transit gateway's default route table (in this example, TGW RT-1).
Create two VIFs on existing Direct Connect connections. In this example, the VIFs are Transit VIF-1 and Transit VIF-2.
Attach Transit VIF-1 to DXGW-1 and Transit VIF-2 to DXGW-2.
Bring the transit VIFs UP. Then, advertise a default route (0.0.0.0/0) or a supernetting route (summarized prefix of all VPC CIDRs) from the Direct Connect router.
To create the attachments, associate DXGW-1 with the transit gateway, and then associate DXGW-2. Important: When you associate DXGW-1, keep Allowed Prefixes empty so that prefixes aren't advertised to the on-premises Direct Connect router. When you associate DXGW-2, in Allowed Prefixes, enter the VPC-A and VPC-B CIDR ranges that must be advertised to the on-premises Direct Connect router.
Associate the transit gateway route tables.
First, associate VPC-A-Attach and VPC-B-Attach with TGW RT-1. Then, associate DXGW-1-Attach and DXGW-2-Attach with TGW RT-2.
Propagate the transit gateway route tables.
In TGW RT-1, propagate the route for DXGW-1-Attach without allowed prefixes. In TGW RT-2, propagate the routes for VPC-A-Attach and VPC-B-Attach.
Add a static route in the VPC subnet route tables for the destination VPC CIDR that points to the transit gateway ID.
In the VPC-A subnet route table, add a static route for the VPC-B CIDR. In the VPC-B subnet route table, add a static route for the VPC-A CIDR.
Confirm that the security groups and network access control lists (ACLs) in the VPCs allow connectivity between the source and destination IP addresses. Note: To route traffic back to the appropriate VPC, configure routing on the Direct Connect router and on-premises firewall.
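An added, offline sanity check for the route-table design described above (example code, not part of the AWS article): it models TGW RT-1 and TGW RT-2 as constructed route entries shaped like `aws ec2 search-transit-gateway-routes` output and confirms that traffic between VPC-A and VPC-B can only leave through the DXGW-1 attachment, flagging a route table where a VPC attachment was mistakenly propagated into RT-1 so the on-premises firewall would be bypassed. All attachment IDs and CIDRs are hypothetical.

```python
"""Offline check that transit gateway route tables force VPC-to-VPC traffic
through the on-premises firewall (via DXGW-1) instead of switching it directly.
Route entries are constructed; they mirror the shape of
`aws ec2 search-transit-gateway-routes` output, not a real account."""
import ipaddress

# Constructed IDs and CIDRs (hypothetical).
VPC_A_CIDR, VPC_B_CIDR = "10.1.0.0/16", "10.2.0.0/16"
VPC_A_ATTACH, VPC_B_ATTACH = "tgw-attach-vpca", "tgw-attach-vpcb"
DXGW1_ATTACH = "tgw-attach-dxgw1"

def route(cidr, attach_id, rtype):
    return {"DestinationCidrBlock": cidr, "Type": rtype,
            "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": attach_id}]}

# TGW RT-1 (VPC attachments associated): only the default route from DXGW-1.
RT1_GOOD = [route("0.0.0.0/0", DXGW1_ATTACH, "propagated")]
# Misconfigured RT-1: VPC-B's attachment was also propagated here.
RT1_BAD = RT1_GOOD + [route(VPC_B_CIDR, VPC_B_ATTACH, "propagated")]
# TGW RT-2 (DXGW attachments associated): VPC CIDRs propagated from the VPCs.
RT2 = [route(VPC_A_CIDR, VPC_A_ATTACH, "propagated"),
       route(VPC_B_CIDR, VPC_B_ATTACH, "propagated")]

def next_hop(routes, dst_ip):
    """Longest-prefix match: return the attachment ID that carries dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen,
                    r["TransitGatewayAttachments"][0]["TransitGatewayAttachmentId"])
    return best[1] if best else None

def verify_hairpin(rt1, rt2, vpc_cidrs, dx_attach, vpc_attach):
    """Return findings; an empty list means every VPC-to-VPC path hairpins via dx_attach."""
    findings = []
    for src, dst in [(a, b) for a in vpc_cidrs for b in vpc_cidrs if a != b]:
        probe = str(ipaddress.ip_network(dst)[1])  # first usable host in dst
        hop = next_hop(rt1, probe)
        if hop != dx_attach:
            findings.append(f"RT-1 bypasses firewall: {src}->{dst} via {hop}")
        if next_hop(rt2, probe) != vpc_attach[dst]:
            findings.append(f"RT-2 cannot deliver {dst} after firewall inspection")
    return findings

if __name__ == "__main__":
    attach_map = {VPC_A_CIDR: VPC_A_ATTACH, VPC_B_CIDR: VPC_B_ATTACH}
    print(verify_hairpin(RT1_GOOD, RT2, [VPC_A_CIDR, VPC_B_CIDR], DXGW1_ATTACH, attach_map))
    print(verify_hairpin(RT1_BAD, RT2, [VPC_A_CIDR, VPC_B_CIDR], DXGW1_ATTACH, attach_map))
```

To run it against a real transit gateway, replace the constructed lists with the `Routes` arrays returned by `search-transit-gateway-routes` for each route table.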