By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How do I route traffic between VPCs through an on-premises firewall that uses a Direct Connect transit VIF?

3 minute read
0

I have an Amazon Elastic Cloud Compute (Amazon EC2) instance in a Amazon Virtual Private Cloud (Amazon VPC) that must send traffic to an Amazon EC2 instance in another VPC. I want to know how to route the traffic through an on-premises firewall over a transit virtual interface (VIF).

Resolution

To route traffic between VPCs through an on-premises firewall over a transit VIF, complete the following steps:

  1. Create a transit gateway.
    Important: To get a default route table (in this example, TGW RT-1), turn off the default association route table and the propagation route table setting.
  2. Attach your VPCs to your transit gateway. In this example, the VPCs are VPC-A and VPC-B, with VPC attachments VPC-A-Attach and VPC-B-Attach.
  3. Create two AWS Direct Connect gateways. In this example, the gateways are DXGW-1 and DXGW-2.
  4. Create two VIFs on existing Direct Connect connections. In this example, the VIFs are Transit VIF-1 and Transit VIF-2.
  5. Attach Transit VIF-1 to DXGW-1 and Transit VIF-2 to DXGW-2.
  6. Bring the transit VIFs UP. Then, advertise a default route (0.0.0.0/0) or a supernetting route (summarized prefix of all VPC CIDRs) from the Direct Connect router.
  7. To create the attachments, associate DXGW-1 with the transit gateway, and then associate DXGW-2.
    Important: When you associate DXGW-1, keep Allowed Prefixes empty so that prefixes aren't advertised to the on-premises Direct Connect router. When you associate DXGW-2, in Allowed Prefixes, enter the VPC-A and VPC-B CIDR ranges that must be advertised to the on-premises Direct Connect router.
  8. Create another transit gateway route table. In this example, the other transit gateway route table is TGW RT-2.
  9. Associate the transit gateway route tables.
    First, associate VPC-A-Attach and VPC-B-Attach with TGW RT-1. Then, associate DXGW-1-Attach and DXGW-2-Attach with TGW RT-2.
  10. Propagate the transit gateway route tables.
    In TGW RT-1, propagate the route for DXGW-1-Attach without allowed prefixes. In TGW RT-2, propagate the routes for VPC-A-Attach and VPC-B-Attach.
  11. Add a static route in the VPC subnet route tables for the destination VPC CIDR that points to the transit gateway ID.
    In the VPC-A subnet route table, add a static route for the VPC-B CIDR. In the VPC-B subnet route table, add a static route for the VPC-A CIDR.
  12. Confirm that the security groups and network access control lists (ACLs) in the VPCs allow connectivity between the source and destination IP addresses.
    Note: To route traffic back to the appropriate VPC, configure routing on the Direct Connect router and on-premises firewall.
AWS OFFICIAL
AWS OFFICIALUpdated a year ago