
Enable communication from VPC A to on-premise through VPC B

0

Hello, I am currently trying to set up AWS <-> on-prem data center communication using Direct Connect. The Direct Connect connection and the VPCs all exist in the same account and region.
We have 2 VPCs: VPC A is the main one where our applications are running; VPC B acts as an interconnect VPC which isolates the main VPC while connecting with third parties, in this case on-prem.

Created Private VIFs, DXGW and then VGW on VPC B, but then got confused on how to connect VPC A to VPC B and route to DXGW for on-prem. I have understood that peering is not useful as it's not transitive. So I guess the only other option is Transit Gateway; when using Transit Gateway, is it mandatory to have Transit VIFs instead of Private VIFs? Also, what will the traffic path be: VPC A -> TGW -> VPC B -> DXGW -> On-prem, or does it require any NVA devices like a firewall in VPC B? (I would like to avoid this if possible.)
Can I perform SNAT in VPC B so that on-prem thinks traffic originated from VPC B and not VPC A?
Appreciate any suggestions or resources.

Thanks.

2 Answers
1

To enable communication from VPC A to your on-premises network through VPC B using Direct Connect, you'll need to use AWS Transit Gateway (TGW) as VPC peering doesn't support transitive routing. Here's how you can set this up:

  1. Create a Transit Gateway and attach both VPC A and VPC B to it.

  2. Associate the Direct Connect Gateway (DXGW) with the Transit Gateway. This allows the Transit Gateway to route traffic to your on-premises network via Direct Connect.

  3. Configure route tables in VPC A to send traffic destined for on-premises networks to the Transit Gateway.

  4. In the Transit Gateway route table, configure routes to send traffic for on-premises networks to the Direct Connect Gateway.

  5. Ensure that VPC B's route tables are configured to allow traffic between the Transit Gateway attachment and the Direct Connect Gateway.

Regarding your questions:

  • It's not mandatory to use Transit Virtual Interfaces (VIFs) instead of Private VIFs when using a Transit Gateway. You can continue using your existing Private VIFs.

  • The traffic path will be: VPC A -> TGW -> DXGW -> On-prem. VPC B is not directly in this path unless you specifically route traffic through it.

  • You don't necessarily need Network Virtual Appliances (NVAs) like firewalls in VPC B for this setup. However, if you want to implement additional security measures or network address translation, you could route traffic through NVAs in VPC B.

  • If you want to perform Source Network Address Translation (SNAT) so that on-premises networks see traffic as originating from VPC B, you would need to route traffic through a NAT instance or NAT Gateway in VPC B. This would change the traffic flow to: VPC A -> TGW -> VPC B (NAT) -> DXGW -> On-prem.

Remember to properly configure security groups and network ACLs to allow the necessary traffic between your VPCs and on-premises network. Also, ensure that your on-premises network is configured to route return traffic back through the Direct Connect connection.
Sources
Can VPC B Access On-Prem Network via VPC A with Direct Connect and Transit Gateway | AWS re:Post
AWS Direct Connect with private VIF over virtual private gateway - AWS Prescriptive Guidance
AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN - Amazon Virtual Private Cloud Connectivity Options

answered a year ago
EXPERT
reviewed a year ago
0

While the Guide answer is correct, it is lacking a small detail:

If you only have two VPCs you can connect both of them to the same Direct Connect Gateway. They can communicate with each other via peering, and with the on-premises networks via the (single!) Direct Connect Gateway. You can add several VPCs like this, but the complexity will grow as your inter-VPC peering network does.

This is where Transit Gateway comes into play. It's most beneficial when there are multiple VPCs because you don't have to keep configuring additional connections between the Direct Connect Gateway and your VPCs; nor do you need to set up lots of VPC peering connections.

Bear in mind that you can start with the first design and then change it later as your VPCs (and network) grow.

AWS
EXPERT
answered a year ago
  • You mean to have a Virtual Private Gateway on both VPCs and then associate them with the same Direct Connect Gateway? Yes, it does look simple enough to start. But then with this I am missing the isolation part, because VPC A is also being exposed to on-prem, right?

  • You cannot connect through another VPC unless you use NAT or a proxy server within the VPC. Doing so introduces complexities and cost.

  • Thanks, been playing with this approach but not sure if I am in the right direction. Appreciate any insights. Below is what is done:

    1. Peered VPC A and VPC B
    2. Add routes for VPC A and VPC B through peering on both sides
    3. On VPC A route table add route to on premise through Peering connection
    4. Create a SNAT instance (EC2) in a VPC B subnet with iptables, also source/destination check disabled
    5. In VPC B route table add on-prem route pointing towards SNAT EC2 ENI

    Just with this in place, an instance in VPC A is able to reach the VPC B SNAT instance without any issues. But if I try to reach on-prem from VPC A, traffic is not routing/appearing on the SNAT device interface. (Please note I have not added the VGW route yet on VPC B as I am stuck even before that.)

  • Never mind, just understood that peering does not work when the IP address does not belong to either of the peered VPCs. I have replaced peering with Transit Gateway and performed all the steps. Now the traffic pointed towards on-prem reaches the SNAT device in VPC B. But now I am unable to send it into the VGW since the SNAT instance's route table already contains the route On-Prem -> SNAT Instance ENI, so I can't add the VGW route.
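The route-table behaviour worked through in the comments above (peering dropping the on-prem prefix, then the SNAT instance's route table already holding the on-prem route) and the TGW hops listed in the first answer, as an added example that is not part of the original thread: a small Python longest-prefix-match simulator. Every CIDR, address and route-table name in it is a constructed assumption, not a value from the thread. It traces three designs: the peering attempt (the on-prem prefix pointed at the peering connection is dropped, because a peering connection only forwards to the peer VPC's own CIDR); TGW with a single VPC B route table in which the on-prem prefix already points at the SNAT ENI (the model shows the SNAT instance's own outbound packet bouncing back to that ENI until the hop limit, which is the conflict the last comment describes); and TGW with VPC B split into two subnets that have their own route tables, the TGW-attachment subnet sending on-prem traffic to the SNAT ENI and the SNAT instance's subnet sending it to the VGW, which is the arrangement in which the packet reaches on-prem carrying VPC B's source address.

```python
"""Longest-prefix-match route simulator for VPC A -> TGW -> VPC B (SNAT) -> VGW -> on-prem.

Constructed example: addresses and table names are assumptions, not values from the thread.
"""
import ipaddress

VPC_A = "10.1.0.0/16"            # application VPC (assumed CIDR)
VPC_B = "10.2.0.0/16"            # interconnect VPC (assumed CIDR)
ONPREM = "192.168.0.0/16"        # on-premises prefix reached over Direct Connect (assumed)
NAT_ENI = "10.2.1.10"            # SNAT instance in VPC B's NAT subnet (assumed)


def lookup(table, dst):
    """Longest-prefix match over {prefix: target}; returns None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table.items():
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(tables, start, src, dst, max_hops=10):
    """Walk a packet from route table `start` until it is delivered or dropped.

    Targets: 'local', 'pcx:<peer cidr>', 'next:<table>' (TGW hand-off),
    'nat:<table>' (SNAT instance, then its own subnet's table), 'vgw'.
    Returns (outcome, hops, source address the destination will see).
    """
    hops, table = [start], start
    dst_ip = ipaddress.ip_address(dst)
    for _ in range(max_hops):
        target = lookup(tables[table], dst)
        if target is None:
            return "dropped: no route", hops, src
        kind, _, arg = target.partition(":")
        if kind == "local":
            return "delivered", hops, src
        if kind == "pcx":
            # A peering connection only forwards to the peer VPC's own CIDR (no edge-to-edge routing).
            if dst_ip in ipaddress.ip_network(arg):
                return "delivered via peering", hops + ["pcx"], src
            return "dropped: peering is not transitive", hops + ["pcx"], src
        if kind == "vgw":
            if dst_ip in ipaddress.ip_network(ONPREM):
                return "delivered to on-prem", hops + ["vgw"], src
            return "dropped: not an on-prem prefix", hops + ["vgw"], src
        if kind == "nat":
            src = NAT_ENI            # SNAT: on-prem sees VPC B's address, not VPC A's
        elif kind != "next":
            return f"dropped: unknown target {target}", hops, src
        table = arg                  # continue in the next route table
        hops.append(table)
    return "dropped: hop limit", hops, src


# Design 1: peering, with the on-prem route pointing at the peering connection (the first attempt above).
PEERING_DESIGN = {
    "vpcA-rt": {VPC_A: "local", VPC_B: f"pcx:{VPC_B}", ONPREM: f"pcx:{VPC_B}"},
}

# Design 2: TGW, but VPC B has one route table in which on-prem already points at the SNAT ENI,
# so the SNAT instance's own outbound packet is sent straight back to itself.
SHARED_TABLE_DESIGN = {
    "vpcA-rt": {VPC_A: "local", ONPREM: "next:tgw-rt"},
    "tgw-rt": {VPC_A: "next:vpcA-rt", ONPREM: "next:vpcB-rt"},
    "vpcB-rt": {VPC_B: "local", ONPREM: "nat:vpcB-rt"},
}

# Design 3: TGW, and VPC B split into two subnets with separate route tables:
# the TGW-attachment subnet hands on-prem traffic to the SNAT ENI, the NAT subnet hands it to the VGW.
TWO_TABLE_DESIGN = {
    "vpcA-rt": {VPC_A: "local", ONPREM: "next:tgw-rt"},
    "tgw-rt": {VPC_A: "next:vpcA-rt", ONPREM: "next:vpcB-attach-rt"},
    "vpcB-attach-rt": {VPC_B: "local", ONPREM: "nat:vpcB-nat-rt"},
    "vpcB-nat-rt": {VPC_B: "local", ONPREM: "vgw"},
}


def on_prem_path(design):
    """Trace a packet from an application host in VPC A to an on-prem host (constructed addresses)."""
    return trace(design, "vpcA-rt", "10.1.0.5", "192.168.10.5")


if __name__ == "__main__":
    for name, design in [("peering", PEERING_DESIGN), ("shared table", SHARED_TABLE_DESIGN),
                         ("two tables", TWO_TABLE_DESIGN)]:
        outcome, hops, seen_src = on_prem_path(design)
        print(f"{name:12s} {outcome:36s} path={' -> '.join(hops)} src-seen={seen_src}")
```

The model covers the forward direction only: return traffic from on-prem arrives at the VGW addressed to the SNAT instance's address and is un-NATed by the instance, which this simulation does not represent. Its one structural point is that route tables are associated per subnet, so the subnet hosting the SNAT instance can carry a different on-prem route from the subnet hosting the TGW attachment.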
