I want to connect my on-premises network to the internet using AWS Site-to-Site VPN and the AWS Transit Gateway.
Short description
AWS Site-to-Site VPN provides secure connectivity between AWS resources and an on-premises network, such as a data center or a branch office.
AWS Site-to-Site VPN provides two tunnels per connection and terminates on either a virtual private gateway or an AWS Transit Gateway. The virtual private gateway provides connectivity to a single Amazon Virtual Private Cloud (Amazon VPC) in a Region. The transit gateway provides connectivity to multiple Amazon VPCs in a Region, as well as to the internet.
For more information on how AWS Site-to-Site VPN works, see What is AWS Site-to-Site VPN?
Resolution
Establish the Site-to-Site VPN connection through a transit gateway to get centralized internet access from your on-premises network. This centralized setup uses a network address translation (NAT) gateway to connect to the internet.
Follow these steps to gain internet access from your on-premises network:
1. Create a transit gateway.
2. Create a Site-to-Site VPN using a transit gateway.
3. Attach your Amazon VPC to a transit gateway in your Region.
4. Create a public NAT gateway in a public subnet in the same Amazon VPC.
5. Create a default route (0.0.0.0/0) in the route table of the VPC subnet that is associated with the transit gateway. This route points to the NAT gateway that you created earlier.
Destination    Target
0.0.0.0/0      nat-12345678901234567
6. Create a route for the on-premises CIDR in the route table of the public subnet that you used earlier (the subnet that holds the NAT gateway). This route points to the transit gateway.
Destination    Target
10.0.0.0/16    tgw-12345678909876543
0.0.0.0/0      igw-12345678901234567
7. Create a default route (0.0.0.0/0) in the transit gateway route table that is associated with the VPN attachment. Then, point it to the Amazon VPC attachment:
CIDR       Attachment ID              Resource ID    Resource type  Route type  Route state  Prefix list ID
0.0.0.0/0  tgw-attach-98765432109876  vpc-987654321  VPC            Static      Active       -
8. Create a route (static or propagated) for the on-premises CIDR in the transit gateway route table that is associated with the Amazon VPC attachment. Then, point it to the VPN attachment:
CIDR         Attachment ID             Resource ID     Resource type  Route type  Route state  Prefix list ID
10.0.0.0/16  tgw-attach-1234567890123  vpn-1234567897  VPN            Static      Active       -
Note: For a policy-based VPN, the Site-to-Site VPN encryption domain must allow traffic between the on-premises CIDR and any destination (0.0.0.0/0).
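To confirm that the route tables from steps 5 to 8 produce the intended hairpin path (on-premises traffic to the NAT gateway, on to the internet gateway, and replies back over the VPN), here is an added Python model that performs longest-prefix-match lookups over those four tables and traces the forward and return paths; it is example code, not code from AWS or from the original article. The VPC CIDR 10.1.0.0/16, the on-premises host 10.0.1.5 and the table names are assumptions; the resource IDs are the placeholders used in the steps.

```python
import ipaddress

# Constructed model of the route tables from steps 5 to 8. Assumed values: VPC CIDR
# 10.1.0.0/16, on-prem host 10.0.1.5; IDs are the page's placeholders; "local" is the VPC route.
ROUTE_TABLES = {
    # Step 5: route table of the subnet holding the transit gateway attachment
    "subnet-rt-tgw": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "nat-12345678901234567")],
    # Step 6: route table of the public subnet holding the NAT gateway
    "subnet-rt-public": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "tgw-12345678909876543"),
                         ("0.0.0.0/0", "igw-12345678901234567")],
    # Step 7: transit gateway route table associated with the VPN attachment
    "tgw-rt-vpn": [("0.0.0.0/0", "tgw-attach-98765432109876")],
    # Step 8: transit gateway route table associated with the VPC attachment
    "tgw-rt-vpc": [("10.0.0.0/16", "tgw-attach-1234567890123")],
}
# Table consulted after a packet reaches a target; unlisted targets (IGW, VPN, local) are terminal.
NEXT_TABLE = {
    "tgw-attach-98765432109876": "subnet-rt-tgw",  # VPC attachment -> its subnet
    "nat-12345678901234567": "subnet-rt-public",   # NAT gateway's own subnet
    "tgw-12345678909876543": "tgw-rt-vpc",         # VPC attachment's TGW table
}

def lookup(tables, table, dst):
    """Longest-prefix match of dst in one route table; None means black hole."""
    addr, best = ipaddress.ip_address(dst), None
    for cidr, target in tables[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(tables, start_table, dst, max_hops=8):
    """List the route tables and targets a packet to dst traverses, in order."""
    path, table = [start_table], start_table
    for _ in range(max_hops):
        target = lookup(tables, table, dst)
        path.append(target or "BLACKHOLE")
        table = NEXT_TABLE.get(target)
        if table is None:
            return path
        path.append(table)
    return path + ["LOOP"]

def paths():
    """Forward path from on-prem (via the VPN attachment) to 8.8.8.8, the reply path once
    the NAT gateway maps it back to 10.0.1.5, and that reply without the step 6 route."""
    broken = dict(ROUTE_TABLES)  # shallow copy; the list is replaced, not mutated
    broken["subnet-rt-public"] = [r for r in ROUTE_TABLES["subnet-rt-public"] if r[0] != "10.0.0.0/16"]
    return {
        "forward": trace(ROUTE_TABLES, "tgw-rt-vpn", "8.8.8.8"),
        "reply": trace(ROUTE_TABLES, "subnet-rt-public", "10.0.1.5"),
        "reply_without_step6": trace(broken, "subnet-rt-public", "10.0.1.5"),
    }
```

The third trace shows why step 6 matters: without the on-premises route in the public subnet table, the reply follows the default route to the internet gateway instead of returning to the transit gateway and the VPN.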
Related information
Creating a transit gateway VPN attachment
Transit gateway route tables