AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

As you expand globally, inter-Region peering connects AWS Transit Gateways together using the AWS global network. Your data is automatically encrypted, and never travels over the public internet. And, because of its central position, AWS Transit Gateway Network Manager has a unique view over your entire network, even connecting to Software-Defined Wide Area Network (SD-WAN) devices.

VPC Peering vs Transit Gateway

Using VPC peering (without AWS Transit Gateway)

Complexity increases with scale. With peering, every VPC must carry routes to every other VPC in its own route tables, and each on-premises site needs its own network gateway.

With AWS Transit Gateway

Your network is streamlined and scalable: AWS Transit Gateway routes all traffic to and from each VPC or VPN, and you have one place to manage and monitor it all.

In this lab we are going to connect two VPCs using a Transit Gateway.

Requirements

  • An AWS account
  • Basic VPC knowledge
  • Two VPCs with non-overlapping CIDR blocks (the Transit Gateway routes on destination prefix, so overlapping VPCs can never reach each other through it)

If you want to know how to create a VPC, check my other post, Creating Virtual Cloud.

Architecture

For this lab I created two VPCs with public subnets in the Ohio Region (us-east-2): vpc-test-01 with the CIDR block 172.16.0.0/16 and vpc-test-02 with 172.17.0.0/16.

Each VPC has three subnets (we are going to use only one per VPC):

  • vpc-test-01: sub-vpctest01-A (172.16.0.0/24), sub-vpctest01-B (172.16.1.0/24) and sub-vpctest01-C (172.16.2.0/24)
  • vpc-test-02: sub-vpctest02-A (172.17.0.0/24), sub-vpctest02-B (172.17.1.0/24) and sub-vpctest02-C (172.17.2.0/24)

I created two Internet Gateways and attached one to each VPC.

Then I edited each VPC's route table to add a default route (0.0.0.0/0) to its IGW. The second VPC does not strictly need this in this lab, since its instance is only reached over its private IP through the Transit Gateway; the traffic between the two VPCs never touches an IGW.

Lab

1. Go to VPC.

2. Click on Transit Gateways.

3. Click on Create Transit Gateway.

4. Give it a name and a description, leave the default options enabled (Default route table association and Default route table propagation) and click on Create Transit Gateway. With those defaults every attachment joins the gateway's default route table and its VPC CIDR is propagated into it, so the gateway itself needs no manual routes; only the VPC route tables do. It also means every attached VPC can reach every other one; if you later need segmentation, disable the defaults and use separate Transit Gateway route tables.

5. In the next window, click on Close and wait until the Transit Gateway state changes from pending to available.

6. Go to Transit Gateway Attachments.

7. Click on Create Transit Gateway Attachment.

8. Select the transit gateway in Transit Gateway ID, select vpc-test-01 in VPC ID, pick a subnet in each Availability Zone that has instances which need the gateway (the attachment places a network interface in each subnet you select and serves that whole Availability Zone through it), and click on Create attachment.

9. Repeat the process with vpc-test-02.

10. Wait until both Transit Gateway attachments are in the available state (refresh the browser if needed).

11. The last step is to edit the VPC route tables to add the transit gateway. Go to Route Tables.

12. Select the route table associated with the vpc-test-01 subnet you will launch the instance in (the VPC's main route table if the subnet has no explicit association), open the Routes tab and click on Edit routes.

13. Click on Add route, enter the CIDR block of vpc-test-02 (172.17.0.0/16) as the destination, select Transit Gateway as the target, choose the one we just created and click on Save routes. Use the other VPC's CIDR rather than 0.0.0.0/0 here, so only traffic for that VPC is sent through the gateway.

14. Repeat the process for vpc-test-02, adding the CIDR block of vpc-test-01 (172.16.0.0/16).

Great! The configuration of the Transit Gateway is complete; now let's test it.
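The console steps above, as an added example in Python using boto3 (this is not code from the original lab). It assumes the two VPCs and the subnet that hosts each attachment are identified by the placeholder IDs in VPCS, and that the credentials in your environment can manage EC2 in us-east-2. The CIDR overlap check and the route plan are pure functions that run without AWS access; the gateway is only built when the file is run as a script.

```python
"""Added example: the Transit Gateway lab steps as a boto3 script.
Not from the original lab; VPC and subnet IDs below are placeholders."""
import ipaddress
import time

try:
    import boto3  # only needed to apply the change; the checks below run without it
except ImportError:
    boto3 = None

# Constructed placeholders: replace with your own VPC IDs and, per VPC, the subnet
# that will host the attachment (the one the test instance is launched into).
VPCS = {
    "vpc-test-01": {"vpc_id": "vpc-0aaa", "cidr": "172.16.0.0/16", "subnet_id": "subnet-0aaa"},
    "vpc-test-02": {"vpc_id": "vpc-0bbb", "cidr": "172.17.0.0/16", "subnet_id": "subnet-0bbb"},
}


def check_disjoint(cidrs):
    """Pre-flight for the 'different CIDR block' requirement: a TGW routes on
    destination prefix, so overlapping VPCs can never reach each other."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping CIDRs: {a} and {b}")
    return True


def plan_routes(vpcs):
    """Steps 13-14: each VPC gets one route per *other* VPC CIDR, never 0.0.0.0/0,
    so only inter-VPC traffic is sent to the gateway."""
    return {name: sorted(o["cidr"] for n, o in vpcs.items() if n != name)
            for name in vpcs}


def wait_for(describe, key, want="available", delay=5, tries=60):
    """Poll a describe-* call until the first result reaches the wanted state."""
    for _ in range(tries):
        state = describe()[key][0]["State"]
        if state == want:
            return state
        time.sleep(delay)
    raise TimeoutError(f"timed out waiting for state {want}")


def route_table_for_subnet(ec2, subnet_id):
    """Step 12: the table that actually applies to the subnet, i.e. its explicit
    association if there is one, otherwise the VPC's main route table."""
    r = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
    if r["RouteTables"]:
        return r["RouteTables"][0]["RouteTableId"]
    vpc_id = ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"][0]["VpcId"]
    r = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]},
                                           {"Name": "association.main", "Values": ["true"]}])
    return r["RouteTables"][0]["RouteTableId"]


def build_hub(ec2, vpcs, description="tgw-lab"):
    """Steps 3-14. Default route table association/propagation stay enabled, so
    the TGW's own route table fills itself from the attachments and only the
    VPC route tables need routes. Returns (tgw_id, {vpc_name: attachment_id})."""
    check_disjoint(v["cidr"] for v in vpcs.values())
    tgw = ec2.create_transit_gateway(Description=description)["TransitGateway"]["TransitGatewayId"]
    wait_for(lambda: ec2.describe_transit_gateways(TransitGatewayIds=[tgw]), "TransitGateways")
    attachments = {}
    for name, v in vpcs.items():
        att = ec2.create_transit_gateway_vpc_attachment(
            TransitGatewayId=tgw, VpcId=v["vpc_id"], SubnetIds=[v["subnet_id"]]
        )["TransitGatewayVpcAttachment"]["TransitGatewayAttachmentId"]
        wait_for(lambda: ec2.describe_transit_gateway_vpc_attachments(
            TransitGatewayAttachmentIds=[att]), "TransitGatewayVpcAttachments")
        attachments[name] = att
    for name, dests in plan_routes(vpcs).items():
        rtb = route_table_for_subnet(ec2, vpcs[name]["subnet_id"])
        for cidr in dests:
            ec2.create_route(RouteTableId=rtb, DestinationCidrBlock=cidr, TransitGatewayId=tgw)
    return tgw, attachments


if __name__ == "__main__":
    print(build_hub(boto3.client("ec2", region_name="us-east-2"), VPCS))
```

Running it twice is not idempotent (a second create_route for the same destination fails with RouteAlreadyExists), which is deliberate: it tells you the table already had a route for that prefix, exactly the case where a silent overwrite would hide a mistake.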

Test

I'm going to create two instances, one in each VPC, and connect via SSH from the instance in the first VPC to the instance in the second VPC using its private IP address.

1. Go to EC2.

2. Click on Instances.

3. Click on Launch instances.

4. Select the Amazon Linux 2 AMI (64-bit).

5. Select t2.micro and click on Next.

6. In Instance details, select 1 instance, select vpc-test-01, select the subnet whose route table you edited, make sure Auto-assign Public IP is enabled and click on Review and launch. The security group the wizard proposes for this instance allows SSH from 0.0.0.0/0; edit it on the review page so the source is your own IP address before launching.

7. Review the information and click on Launch.

8. Select Create a new key pair, give it a name, download the key pair and click on Launch Instances.

9. Now launch the second instance in the second VPC: click on Launch instances.

10. Select the Amazon Linux 2 AMI (64-bit).

11. Select t2.micro and click on Next.

12. In Instance details, select 1 instance, select vpc-test-02, select the subnet, make sure Auto-assign Public IP is enabled and click on Next. (The test does not use this public IP; the connection goes to the private IP through the Transit Gateway.)

13. On Add Storage leave the defaults and click on Next.

14. On Add Tags leave the defaults as well and click on Next.

15. On Configure Security Group keep the SSH rule but change its Source from 0.0.0.0/0 to the CIDR block of vpc-test-01 (172.16.0.0/16), then click on Review and Launch. The private instance then only accepts SSH from the first VPC, which is the traffic that arrives through the Transit Gateway; nothing on the internet can reach port 22 on it even though it has a public IP.

16. Review the configuration and click on Launch.

17. Select the key pair created for the first instance, tick the acknowledgement check box and click on Launch Instances.

18. Wait until both instances are running.

19. Select each instance and note its private and public IP addresses.

20. Select the first instance (vpc-test-01, 172.16.0.215) and click on Connect.

21. Select the SSH client tab and copy the command.

22. Open an SSH client and go to the folder where you downloaded the key pair:

cd ~/Downloads

23. Change the permissions of the pem file (ssh refuses to use a private key that other users can read):

chmod 400 transit-keypair.pem

24. Copy the pem file to your public instance. This is the lab's shortcut: a private key copied onto a bastion belongs to whoever compromises that host, for every instance the key opens. In practice keep the key on your workstation and hop through the public instance with OpenSSH's ProxyJump option or agent forwarding instead.

scp -i transit-keypair.pem transit-keypair.pem ec2-user@3.137.215.246:/tmp
Use your own IP address and pem file name.

25. Connect to your public instance

ssh -i "transit-keypair.pem" ec2-user@3.137.215.246

26. Go to the location of the pem file and connect to the private instance:

sudo su -
cd /tmp
chmod 400 transit-keypair.pem

Connect to the private instance. Before answering yes to the host key prompt, compare the fingerprint with the one the instance printed to its console output at first boot (EC2 > Instances > select the instance > Actions > Monitor and troubleshoot > Get system log); accepting an unverified key is exactly what a man-in-the-middle relies on.

ssh -i "transit-keypair.pem" ec2-user@172.17.1.213
The authenticity of host '172.17.1.213 (172.17.1.213)' can't be established.
ECDSA key fingerprint is SHA256:nNhzFowlkmiNXn24nRHKo8Izrkqr97aNR/OQFU3MHVg.
ECDSA key fingerprint is MD5:45:d2:61:de:36:77:30:f5:72:d1:0b:69:66:40:06:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.1.213' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-17-1-213 ~]$
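An added example (not code from the original post) for the host key prompt in step 26 and the key copying in step 24: it reads the fingerprints the instance logged to its console output at first boot, compares them with what ssh-keyscan sees, pins the key in known_hosts only on a match, and then connects through the public instance with ProxyJump so the private key never leaves your workstation. The console text is a constructed sample modelled on the block Amazon Linux 2 writes at boot; instance IDs, addresses and file names are placeholders, and the ssh, ssh-keyscan and ssh-keygen binaries are assumed to be OpenSSH.

```python
"""Added example: verify the private instance's SSH host key before trusting it,
then connect through the public instance with ProxyJump (no key copying).
Not from the original post; IDs, addresses and file names are placeholders."""
import os
import re
import subprocess
import tempfile

try:
    import boto3  # only needed for get_console_output; the parser works without it
except ImportError:
    boto3 = None

# Constructed sample of the fingerprint block Amazon Linux 2 writes to the
# console output at first boot (real output has many more lines around it).
SAMPLE_CONSOLE = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:nNhzFowlkmiNXn24nRHKo8Izrkqr97aNR/OQFU3MHVg no comment (ECDSA)
ec2: 256 SHA256:0tN4V8kq3m9d2jLx7aWz1cYbQe5rHgU6pKsT3vFnJi8 no comment (ED25519)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

FP_LINE = re.compile(r"(SHA256:[A-Za-z0-9+/=]+).*\((\w+)\)")


def parse_console_fingerprints(text):
    """Map key type ('ECDSA', 'ED25519', ...) to the SHA256 fingerprint found
    between the BEGIN/END markers; anything outside that block is ignored."""
    fps, inside = {}, False
    for line in text.splitlines():
        if "BEGIN SSH HOST KEY FINGERPRINTS" in line:
            inside = True
        elif "END SSH HOST KEY FINGERPRINTS" in line:
            inside = False
        elif inside:
            m = FP_LINE.search(line)
            if m:
                fps[m.group(2).upper()] = m.group(1)
    return fps


def scan_host_key(target, key_file, via=None, key_type="ecdsa"):
    """Fetch the target's host key with ssh-keyscan; when `via` is given the scan
    runs on the public instance, because only it can reach the private address."""
    scan = ["ssh-keyscan", "-t", key_type, target]
    cmd = scan if via is None else ["ssh", "-i", key_file, f"ec2-user@{via}"] + scan
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return out.strip().splitlines()[0]  # "<host> ecdsa-sha2-nistp256 AAAA..."


def fingerprint_of(key_line):
    """SHA256 fingerprint of a known_hosts-style key line, via ssh-keygen -l."""
    with tempfile.NamedTemporaryFile("w", suffix=".keys") as f:
        f.write(key_line + "\n")
        f.flush()
        out = subprocess.run(["ssh-keygen", "-lf", f.name],
                             check=True, capture_output=True, text=True).stdout
    return FP_LINE.search(out).group(1)


def pin_host_key(ec2, instance_id, target, key_file, via=None,
                 known_hosts="~/.ssh/known_hosts"):
    """Accept the host key only if it matches what the instance logged at boot."""
    console = ec2.get_console_output(InstanceId=instance_id).get("Output", "")
    expected = parse_console_fingerprints(console).get("ECDSA")
    if expected is None:
        raise RuntimeError("no ECDSA fingerprint in console output yet; retry later")
    key_line = scan_host_key(target, key_file, via=via)
    observed = fingerprint_of(key_line)
    if observed != expected:
        raise RuntimeError(f"host key mismatch for {target}: {observed} != {expected}")
    with open(os.path.expanduser(known_hosts), "a") as kh:
        kh.write(key_line + "\n")
    return observed


if __name__ == "__main__":
    ec2 = boto3.client("ec2", region_name="us-east-2")
    KEY, PUBLIC, PRIVATE = "transit-keypair.pem", "3.137.215.246", "172.17.1.213"
    pin_host_key(ec2, "i-0aaaaaaaaaaaaaaaa", PUBLIC, KEY)               # first hop
    pin_host_key(ec2, "i-0bbbbbbbbbbbbbbbb", PRIVATE, KEY, via=PUBLIC)  # second hop
    # -J reuses -i for both hops; StrictHostKeyChecking=yes refuses anything not pinned.
    subprocess.run(["ssh", "-i", KEY, "-o", "StrictHostKeyChecking=yes",
                    "-J", f"ec2-user@{PUBLIC}", f"ec2-user@{PRIVATE}"], check=True)
```

The public instance is pinned first, so the second scan (which rides over ssh to it) already runs against a verified host. The console output is only written at first boot, so on a freshly launched instance the fingerprint block can take a minute or two to appear; the function fails closed rather than connecting blind in the meantime.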

Great, we learned how to create a Transit Gateway and communicate between two VPCs over their private addresses.

In the next labs we will go deeper into AWS services.

Clean-Up

1. Go to VPC.

2. Go to Transit Gateway Attachments.

3. Select each Transit Gateway attachment created in this lab, click on Actions and select Delete. (The attachments have to go before the gateway itself.)

4. Confirm.

5. Wait until the Transit Gateway attachment state changes from deleting to deleted.

6. Go to Transit Gateways.

7. Select the TGW created for this lab, click on Actions and select Delete.

8. Confirm.

9. Go to EC2.

10. Select Instances.

11. Select the two instances created for this lab, click on Instance state and select Terminate instance.

12. Confirm and wait until both instances show as terminated; a security group still attached to an instance cannot be deleted.

13. Go to Security Groups.

14. Select the security groups created for the instances, click on Actions and select Delete security group.

15. Confirm.

16. Go to Key Pairs.

17. Select the key pair created for this lab, click on Actions and select Delete. Also delete the downloaded .pem file from your machine; the copy in /tmp went away with the terminated instance.

18. Confirm.

19. Delete the other resources created for this lab: the Internet Gateways (detach them first), the subnets and the VPCs. If you keep the VPCs, remove the routes that pointed at the deleted Transit Gateway, since they are now blackhole routes.
