How do I allow communication between multiple VPCs from a single VPN connection attached to my transit gateway, but not allow the VPCs to access each other?


My on-premises users need access to two virtual private clouds (VPCs) through a single VPN connection. I want to establish network connectivity between the VPCs and the on-premises network through the single VPN connection. But I don't want the VPCs to have access to each other.

Resolution

Create a transit gateway, and then attach your VPCs and a Site-to-Site VPN

Complete the following steps:

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. Create a transit gateway.
    Note: Turn off the Default route table association setting when you create your transit gateway.
  3. Attach your VPCs to your transit gateway.
  4. Create an AWS Site-to-Site VPN connection and attach it to your transit gateway.
    Note: To automatically propagate VPN routes to the transit gateway route table, choose Dynamic for Routing option. This option requires Border Gateway Protocol (BGP).

Create a transit gateway route table and associate it with your VPCs

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Transit gateways.
  3. Verify that the Default route table association setting for your transit gateway is set to Disable.
    Note: If Default route table association is set to Enable, then first delete the VPN and VPC associations from the default transit gateway route table.
  4. Choose Transit gateway route tables.
  5. Choose Create transit gateway route table, and then complete the following steps:
    For Name tag, enter Route Table A.
    For Transit gateway ID, choose your transit gateway's ID.
  6. Choose Create transit gateway route table.
  7. Select the route table.
  8. Choose Associations, then choose Create association.
  9. For Choose attachment to associate, choose the transit gateway attachment IDs for your VPCs.
  10. Choose Create association. Repeat steps 9 and 10 until all of your VPCs appear under Associations.

Create a second transit gateway route table and associate it with your VPN connection

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Transit gateway route tables.
  3. Choose Create transit gateway route table, and then complete the following steps:
    For Name tag, enter Route Table B.
    For Transit gateway ID, choose your transit gateway's ID.
  4. Choose Create transit gateway route table.
  5. Select the route table.
  6. Choose Associations, and then choose Create association.
  7. For Choose attachment to associate, choose the transit gateway attachment ID for your VPN connection.
  8. Choose Create association.

Propagate routes from your VPCs and VPN to respective route tables

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Transit gateway route tables.
  3. Select Route Table A.
  4. Choose Propagations, and then choose Create propagation.
  5. For Choose attachment to propagate, choose the transit gateway attachment ID for your VPN connection.
    Important: If you created a static route VPN connection, then create a static route for the on-premises network to the VPN attachment in Route Table A. For policy-based static VPN connections, only one pair of security associations (SAs) is allowed. Consolidate the on-premises CIDR and the VPC CIDRs into a single SA. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
  6. Choose Create propagation.
  7. In the transit gateway route tables, select Route Table B.
  8. Choose Propagations, and then choose Create propagation.
  9. For Choose attachment to propagate, choose the transit gateway attachment IDs for your VPCs.
  10. Choose Create propagation. Repeat steps 9 and 10 until all of your VPCs appear under Propagations.

Configure the route table that's associated with your VPC and attachment subnet

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Route tables.
  3. Choose the route table that's attached to the source Amazon Elastic Compute Cloud (Amazon EC2) instance subnet.
  4. Choose the Routes tab, and then choose Edit routes.
  5. Choose the Add route tab, and then complete the following steps:
    For Destination, enter the CIDR of the on-premises network.
    For Target, choose your transit gateway.
  6. Choose Save routes.
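The whole procedure above expressed in Terraform, added here as an example rather than AWS's own configuration. It assumes you supply var.vpcs (a map with vpc_id, subnet_ids, and the subnet's route_table_id for each VPC), var.customer_gateway_id for an existing customer gateway, and var.on_prem_cidr; the VPN is dynamic (BGP), so its routes propagate into Route Table A.

```hcl
resource "aws_ec2_transit_gateway" "tgw" {
  default_route_table_association = "disable" # step 2 note: no automatic association
  default_route_table_propagation = "disable"
}
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  for_each                                        = var.vpcs
  transit_gateway_id                              = aws_ec2_transit_gateway.tgw.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
resource "aws_vpn_connection" "vpn" { # static_routes_only defaults to false: dynamic (BGP) VPN
  customer_gateway_id = var.customer_gateway_id # assumed existing customer gateway
  transit_gateway_id  = aws_ec2_transit_gateway.tgw.id
  type                = "ipsec.1"
}
# Route Table A: associated with every VPC, learns only the VPN's on-premises routes.
resource "aws_ec2_transit_gateway_route_table" "a" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}
resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.vpc
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.a.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_to_a" {
  transit_gateway_attachment_id  = aws_vpn_connection.vpn.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.a.id
}
# Route Table B: associated with the VPN, learns every VPC CIDR. A never learns VPC CIDRs,
# so traffic from one VPC attachment has no route to another VPC.
resource "aws_ec2_transit_gateway_route_table" "b" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}
resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.vpn.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.b.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_to_b" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.vpc
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.b.id
}
# Last section: each VPC subnet route table sends on-premises traffic to the transit gateway.
resource "aws_route" "to_onprem" {
  for_each               = var.vpcs
  route_table_id         = each.value.route_table_id
  destination_cidr_block = var.on_prem_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
}
```

After `terraform apply`, check isolation by listing the routes of Route Table A: it should contain only the on-premises prefixes learned from the VPN, never a VPC CIDR.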

If you need to restrict access between your VPCs selectively, then create a separate transit gateway route table for each VPC and configure its routes. Transit gateway routing is based on the association between a transit gateway attachment and a transit gateway route table: traffic that enters through an attachment is routed with the table associated with that attachment. You can configure routes to any destination transit gateway attachment in any transit gateway route table. You don't need to associate the destination transit gateway attachment with that specific route table.

Related information

How do I troubleshoot on-premises to VPC connectivity through Transit Gateway?

Why can't I connect to Amazon VPC when I use a Site-to-Site VPN that terminates on a transit gateway?

AWS OFFICIAL. Updated 3 months ago.