Routing and Traffic Management Across Multiple AWS Accounts and VPCs with Transit Gateway and Cisco Meraki vMX

0

Hello everyone,

I have issues with the routing. The scenario is below.

Scenario: I have a multi-account setup on AWS with the following structure:

Accounts:

  • Dev Account
  • Prod Account
  • Network Account

VPCs: Three VPCs have been deployed in the Network account:

  • vpcDev: Shared with the Dev account via AWS RAM
  • vpcProd: Shared with the Prod account via AWS RAM
  • vpcNetwork: Acts as the central VPC for networking

Connections:

  • vpcDev is connected to vpcNetwork via a Transit Gateway.
  • vpcProd is connected to vpcNetwork via a Transit Gateway.
  • vpcDev and vpcProd have only private subnets.
  • vpcNetwork has two public subnets and two private subnets.

NAT Gateway:

A NAT Gateway is deployed in the vpcNetwork to handle internet access for the private subnets in vpcDev and vpcProd.

Cisco Meraki vMX:

A Cisco Meraki vMX instance is deployed in the vpcNetwork to configure Auto VPN with Azure (10.0.0.0/24).

Objective: The goal is to route all inbound and outbound traffic through the vpcNetwork, including internet access from the private subnets of vpcDev and vpcProd. I want to ensure that traffic uses the NAT Gateway in vpcNetwork for internet access and that the Cisco Meraki vMX instance is utilized for secure VPN connectivity to Azure.

Issues:

Routing Setup: How should I configure the routing tables for vpcDev, vpcProd, and vpcNetwork to ensure that all outbound traffic from the private subnets in vpcDev and vpcProd is routed through vpcNetwork and utilizes the NAT Gateway?

Transit Gateway Configuration: What are the best practices for configuring the Transit Gateway attachments and route tables to achieve the desired traffic flow?

NAT Gateway Usage: How can I confirm that the private subnets in vpcDev and vpcProd are correctly using the NAT Gateway in vpcNetwork for outbound internet traffic?

Cisco Meraki vMX Integration: Are there any specific recommendations or best practices for integrating the Cisco Meraki vMX with this AWS setup to ensure proper routing of traffic between AWS and Azure?

Any insights, configuration tips, or best practices that the community can provide would be greatly appreciated!

2 Answers
2

In vpcDev and vpcProd, have default routes for all subnets that point to the Transit Gateway attachment in the AZs where the subnets are. You don't need anything else in those VPCs, and it answers the question about how you can confirm that those VPCs are using the vpcNetwork for their traffic: because of the default route there is no other way for the traffic to go.

For a network of this size, in Transit Gateway have a single route table which has three routes in it:

  • vpcDev CIDR range -> vpcDev
  • vpcProd CIDR range -> vpcProd
  • Default route -> vpcNetwork

Associate the route table with all three VPCs.

You should have a Transit Gateway attachment subnet in vpcNetwork but the private subnets will do just as well. In the private (or Transit Gateway attachment) subnets of vpcNetwork use the following route table:

  • Default route -> NAT Gateway

In the public subnets of vpcNetwork use the following route table:

  • Default route -> Internet Gateway

I'm going to assume that the Meraki appliance is in a public subnet. In that case, add the following route to the private subnet route table:

  • 10.0.0.0/24 -> Meraki appliance

Make sure that the Meraki appliance has source/destination check disabled.

AWS, EXPERT, answered a month ago (reviewed by two EXPERT members a month ago)
  • I set up the routing and I can ping a VM on the Azure side, but it is not working in the opposite direction, from the Azure VM to the EC2 instance in vpcDev.

  • You either have a firewall in the path or something performing a NAT operation. Run a tcpdump on the Azure VM and look at the source IP when you ping it. If it is the same as the EC2 instance then you have a firewall that is filtering traffic; if it is different then something is doing NAT.

  • I will try that. Also, from the Azure VM we can ping the Cisco Meraki EC2 instance (vpcNetwork), but not the EC2 instance in vpcDev.
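
The following is an added example and not part of the post, the AWS answer, or any AWS or Cisco tooling: an offline longest-prefix-match walk over exactly the route tables the answer above lists, so that each flow the question asks about (vpcDev to the internet via the NAT Gateway, vpcDev to Azure via the vMX, and the return path from Azure that the comment thread is debugging) can be traced hop by hop. The three VPC CIDRs (10.10.0.0/16, 10.20.0.0/16, 10.30.0.0/16), the table and target names, and the vMX sitting in a public subnet are assumptions; 10.0.0.0/24 for Azure comes from the post. Security groups, NACLs and the vMX's own firewall are not modelled, so the firewall/NAT possibilities raised in the comments still stand. Two things the walk makes visible: with the tables as listed, a packet the vMX decapsulates for vpcDev leaves the public subnet whose only non-local route is the default to the Internet Gateway, so in this model it never reaches the Transit Gateway (matching the symptom that Azure can reach the vMX but not vpcDev); adding vpcDev/vpcProd CIDR routes to the Transit Gateway in the public subnet table delivers it. The single Transit Gateway route table also lets vpcDev and vpcProd reach each other directly, which is worth a deliberate decision if those environments are meant to be segmented.

```python
"""
Offline walk of the route tables given in the answer above (longest-prefix match,
one table per hop). Constructed model for reasoning about the path, not AWS API
output: VPC CIDRs are assumptions (the post does not give them), and security
groups, NACLs and the vMX's own firewall are not modelled.
"""
from ipaddress import ip_address, ip_network

# Assumed CIDRs for the three VPCs; 10.0.0.0/24 for Azure is from the post.
VPC_DEV = ip_network("10.10.0.0/16")
VPC_PROD = ip_network("10.20.0.0/16")
VPC_NET = ip_network("10.30.0.0/16")
AZURE = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")

# Route tables as the answer lists them, plus the implicit "local" route every
# VPC route table carries. Target names are labels used only by this model.
BASE_TABLES = {
    "rt-dev-private":  [(VPC_DEV, "local"), (ANY, "tgw")],
    "rt-prod-private": [(VPC_PROD, "local"), (ANY, "tgw")],
    "tgw-rt":          [(VPC_DEV, "attach-dev"), (VPC_PROD, "attach-prod"),
                        (ANY, "attach-network")],
    "rt-net-private":  [(VPC_NET, "local"), (AZURE, "meraki-eni"), (ANY, "nat-gw")],
    "rt-net-public":   [(VPC_NET, "local"), (ANY, "igw")],
}

# Same tables with return routes in the public subnet so traffic the vMX emits
# for vpcDev/vpcProd can reach the Transit Gateway (added here, not in the answer).
FIXED_TABLES = {k: list(v) for k, v in BASE_TABLES.items()}
FIXED_TABLES["rt-net-public"] += [(VPC_DEV, "tgw"), (VPC_PROD, "tgw")]

# Route table consulted after the packet leaves each non-terminal target. Traffic
# arriving from the TGW uses the table of the attachment subnet (the answer puts
# attachments in the private subnets); the NAT Gateway and the vMX (assumed to be
# in a public subnet, as the answer does) egress through the public table.
NEXT_TABLE = {
    "tgw": "tgw-rt",
    "attach-dev": "rt-dev-private",
    "attach-prod": "rt-prod-private",
    "attach-network": "rt-net-private",
    "nat-gw": "rt-net-public",
    "meraki-eni": "rt-net-public",
}


def lookup(table, dst):
    """Longest-prefix match, which is how VPC and TGW route tables pick a route."""
    matches = [(p, t) for p, t in table if dst in p]
    return max(matches, key=lambda pt: pt[0].prefixlen) if matches else None


def walk(tables, start, dst, max_hops=8):
    """Follow a packet for `dst` from route table `start`; return (hops, outcome)."""
    dst = ip_address(dst)
    hops, table = [], start
    for _ in range(max_hops):
        match = lookup(tables[table], dst)
        if match is None:
            return hops, "blackhole (no route)"
        prefix, target = match
        hops.append(f"{table}: {prefix} -> {target}")
        if target == "local":
            return hops, "delivered in VPC"
        if target == "igw":
            # An Internet Gateway only forwards traffic for public destinations.
            return hops, ("internet via IGW" if dst.is_global
                          else "dropped at IGW (private destination)")
        if target == "meraki-eni" and dst in AZURE:
            return hops, "into Auto VPN tunnel to Azure"
        table = NEXT_TABLE[target]
    return hops, "loop (hop limit exceeded)"


if __name__ == "__main__":
    # The Azure -> vpcDev cases start at the public table because that is where
    # the decapsulated packet leaves the vMX's ENI.
    cases = [
        ("vpcDev -> internet", BASE_TABLES, "rt-dev-private", "8.8.8.8"),
        ("vpcDev -> Azure", BASE_TABLES, "rt-dev-private", "10.0.0.5"),
        ("vpcDev -> vpcProd", BASE_TABLES, "rt-dev-private", "10.20.1.5"),
        ("Azure -> vpcDev, tables as listed", BASE_TABLES, "rt-net-public", "10.10.1.5"),
        ("Azure -> vpcDev, with TGW routes", FIXED_TABLES, "rt-net-public", "10.10.1.5"),
    ]
    for name, tables, start, dst in cases:
        hops, outcome = walk(tables, start, dst)
        print(f"{name}: {outcome}")
        for hop in hops:
            print("   ", hop)
```

To check a real deployment against this model, compare each table here with the output of `aws ec2 describe-route-tables` for the subnets and `aws ec2 search-transit-gateway-routes` for the Transit Gateway route table; the walk is only as good as the routes typed into it.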

0

I set up the routing and I can ping a VM on the Azure side, but it is not working in the opposite direction, from the Azure VM to the EC2 instance in vpcDev.

nmos
answered a month ago
