Hybrid Connectivity To Transit Gateway Ra

1.
Hybrid connectivity to AWS Transit Gateway with AWS Site-to-Site VPN
2. Hybrid connectivity to AWS Transit Gateway with AWS Direct Connect
3. AWS Site-to-Site VPN as primary and AWS Site-to-Site VPN as backup
Hybrid Connectivity to 4. AWS Direct Connect as primary and AWS Site-to-Site VPN as backup
AWS Transit Gateway 5. AWS Direct Connect in active/passive configuration
6. AWS Site-to-Site VPN on top of AWS Direct Connect for traffic encryption
7. AWS Direct Connect and Transit Gateway Connect attachments
8. Hybrid connectivity with Private VIFs and inter-VPC with AWS Transit Gateway
Reviewed for technical accuracy August 17, 2022

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
Traffic initiated from an Amazon Elastic
Hybrid connectivity to AWS Transit Gateway with AWS Site-to-Site VPN 1 Compute Cloud (Amazon EC2) instance
You can create a Site-to-Site VPN connection directly to a Transit Gateway. With this, you can take advantage of the benefits in the spoke VPC A and destined to the
office branch is routed to the Transit
of a managed VPN solution, while connecting to several VPCs without having to add new connection. Take into account that
Gateway elastic network interface (ENI)
it is recommended the use of a second VPN connection for high-availability. as per the spoke VPC A route table.
Traffic is forwarded to AWS Transit

AWS Region spoke VPC A route table 2 Gateway (AWS TGW). As per the spoke
VPC route table, the traffic is routed to
spoke VPC A Destination Target
10.0.0.0/16
the office branch via the AWS Site-to-
10.0.0.0/16 local Site VPN attachment.
Availability Zone A
0.0.0.0/0 tgw-id The traffic is routed to the destination via
workload subnet
10.0.1.0/24 3 the Site-to-Site VPN connection over the
Amazon EC2
internet.
instance 1 AWS Transit Gateway
Traffic from the office branch destined to
TGW subnet
VPC spoke VPC route table A the spoke VPC B is forwarded to the
10.0.0.0/24 3
association CIDR attachment Transit Gateway via the Site-to-Site
Transit 2
VPN connection.
Gateway 10.10.0.0/16 Site-to-Site VPN
ENI
As per the Transit Gateway on-premises
on-premises route table B
VPC route table, the traffic is forwarded to
spoke VPC B association CIDR attachment the spoke VPC B attachment.
AWS Site- AWS Site-to-Site
10.1.0.0/16 10.0.0.0/24 spoke VPC A to-Site VPN office branch
attachment internet 10.10.0.0/16 The Transit Gateway ENI of the spoke
Availability Zone A 10.1.0.0/24 spoke VPC B
A
C VPC B forwards the traffic to the
TGW subnet B destination.
10.1.0.0/24
Transit
Gateway For more information about how to configure
ENI AWS Site-to-Site VPN, refer to:
workload subnet spoke VPC B route table Getting started - AWS Site-to-Site VPN
10.1.1.0/24
Destination Target
C
10.1.0.0/16 local 1 AWS to on-premises
Amazon EC2 instance
0.0.0.0/0 tgw-id
A On-premises to AWS

Hybrid connectivity to AWS Transit Gateway with AWS Direct Connect 1
Traffic from the corporate data center
destined to the spoke VPC A is
You can use a Transit VIF and a Direct Connect gateway to connect your on-premises environments to AWS. With this, you can forwarded to AWS Transit Gateway via
benefit of the connectivity to multiple VPCs without the need of several Direct Connect connections. Take into account that it the AWS Direct Connect (DX) link. The
Transit Gateway is connected to Direct
is recommended the use of a second connection (Direct Connect or VPN) for high-availability.
Connect link by using a Transit virtual
interface (VIF) and a Direct Connect
Gateway.
AWS Region spoke VPC A route table
Destination Target
spoke VPC A
10.0.0.0/16
2 route table, the traffic is forwarded to
10.0.0.0/16 local the spoke VPC A attachment.
Availability Zone A
0.0.0.0/0 tgw-id
workload subnet The Transit Gateway ENI of the spoke
10.0.1.0/24 3 VPC A forwards the traffic to the
EC2 destination.
instance 3 AWS Transit Gateway
Traffic initiated from an Amazon EC2
TGW subnet VPC
spoke VPC route table A instance in the spoke VPC B and
10.0.0.0/24 association destined to the corporate data center is
CIDR attachment
Transit Direct Connect
2 routed to the Transit Gateway ENI as
Gateway 192.168.0.0/16 Direct Connect Gateway location
ENI per the spoke VPC B route table.
1
10.10.0.0/16 Site-to-Site VPN Transit
VPC VIF Traffic is forwarded to the AWS Transit
spoke VPC B
association
on-premises route table C B Gateway. As per the spoke VPC route
10.1.0.0/16 Direct Connect DX router table, the traffic is routed to the office
CIDR attachment corporate data center
gateway
Availability Zone A
192.168.0.0/16 branch via the AWS Direct Connect
10.0.0.0/24 Spoke VPC A DX Gateway
Association Gateway attachment.
TGW subnet
10.1.0.0/24 Spoke VPC B
10.1.0.0/24
B The traffic is routed to the destination
Transit C via the AWS Direct Connect link.
Gateway
ENI spoke VPC B route table For more information about how to create an
workload subnet Destination Target AWS Direct Connect connection, refer to:
10.1.1.0/24 Create a connection – AWS Direct Connect.
A 10.1.0.0/16 local
1 AWS to on-premises
0.0.0.0/0 tgw-id
EC2 instance

AWS Site-to-Site VPN as primary and AWS Site-to-Site VPN as backup 1 instance in the spoke VPC A and
You can create a Site-to-Site VPN connection directly to a Transit Gateway. With this, you can take advantage of the destined to the office branch is routed
to the Transit Gateway ENI as per the
benefits of a managed VPN solution, while connecting to several VPCs without having to add new connection. Having a spoke VPC A route table.
secondary VPN connection allows you to achieve high-availability in the hybrid setup.
Traffic is forwarded to the AWS Transit
2 Gateway. As per the spoke VPC route
AWS Region spoke VPC A route table table, the traffic is routed to the office
branch via the primary AWS Site-to-
Site VPN attachment. To influence the
10.0.0.0/16
10.0.0.0/16 local choice of the primary tunnel you can
Availability Zone A advertise a shorter Border Gateway
0.0.0.0/0 tgw-id
workload subnet
Protocol (BGP) AS_PATH from your
10.0.1.0/24 preferred customer gateway.
EC2 AWS Transit Gateway
instance The traffic is routed to the destination
1
spoke VPC route table 3 via the primary Site-to-Site VPN
office branch
TGW subnet connection over the internet.
VPC CIDR attachment 10.10.0.0/16
10.0.0.0/24
association
2 10.10.0.0/16 Site-to-Site VPN 1 3
Transit Traffic from the office branch destined
Gateway (primary) A to the spoke VPC B is forwarded to the
ENI 10.10.0.0/16 Site-to-Site VPN 2 Transit Gateway via the primary Site-
(secondary) to-Site VPN connection. When
VPN AWS Site-to-Site customer
VPC
spoke VPC B association association VPN 1 gateway advertising the same prefixes from both
10.1.0.0/16 on-premises route table Site-to-Site VPNs, You can influence
CIDR attachment A corporate this choice by using BGP attributes, such
Availability Zone A servers as local preference.
TGW subnet 10.0.0.0/24 spoke VPC A
VPN
10.1.0.0/24
B internet
10.1.0.0/24 spoke VPC B association As per the Transit Gateway on-
Transit AWS Site-to-Site B premises route table, the traffic is
Gateway VPN2 forwarded to the spoke VPC B
ENI
spoke VPC B route table attachment.
workload subnet
10.1.1.0/24
Destination Target
The Transit Gateway ENI of the spoke
C 10.1.0.0/16 local
C VPC B forwards the traffic to the
1 AWS to on-premises destination.
EC2 instance 0.0.0.0/0 tgw-id
A On-premises to AWS For more information about how to configure
AWS Site-to-Site VPN to prefer one tunnel
over the other, refer to:
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture AWS Site-to-Site VPN - Configure tunnel
preference
Traffic from the office branch destined to
AWS Direct Connect as primary and AWS Site-to-Site VPN as backup A the Spoke VPC B is forwarded to the
Transit Gateway via the AWS Direct
You can use a Transit VIF and a Direct Connect gateway to connect your on-premises environments to AWS. With this, you Connect link, this behavior can be achieved
can benefit of the connectivity to multiple VPCs without the need of several Direct Connect connections. Having a VPN by configuring the office branch devices
connection as backup line allows you to achieve high-availability in the hybrid setup. with higher BGP local preference pointing
to the DX peer. The Transit Gateway is
connected to Direct Connect by using a
AWS Region spoke VPC A route table Transit VIF and a Direct Connect Gateway.
spoke VPC A Destination Target As per the Transit Gateway on-premises

10.0.0.0/16 B route table, the traffic is forwarded to the
10.0.0.0/16 local
Availability Zone A
spoke VPC B attachment.
0.0.0.0/0 tgw-id
workload subnet
The TGW ENI of the spoke VPC B forwards
10.0.1.0/24 C the traffic to the destination.
EC2 VPC
instance association AWS Transit Gateway
In the event of a AWS Direct Connect
spoke VPC route table
1 failure, traffic from the office branch
TGW subnet
10.0.0.0/24
AWS Site-to-Site VPN destined to the spoke VPC B is forwarded
CIDR attachment
TGW
to the Transit Gateway via the AWS Site-
10.10.0.0/16 Direct Connect Gateway VPN 1 to-Site VPN connection.
ENI
association internet
10.10.0.0/16 Site-to-Site VPN
2 route table, the traffic is forwarded to the
spoke VPC B on-premises route table DX location
10.1.0.0/16 spoke VPC B attachment.
CIDR attachment DX
VPC Gateway
Availability Zone A transit The TGW ENI of the spoke VPC B forwards
association 10.0.0.0/24 spoke VPC A
TGW subnet
association VIF 3 the traffic to the destination.
2 B 10.1.0.0/24 spoke VPC B
10.1.0.0/24 Direct A DX router
Connect office branch
TGW
Gateway For more information about how to configure
ENI 10.10.0.0/16
AWS Direct Connect with AWS Site-to-Site
workload subnet VPN as a backup, refer to:
spoke VPC B route table
10.1.1.0/24 Using a VPN connection as a backup to Direct
Destination Target Connect
C 3
10.1.0.0/16 local 1 AWS to on-premises For more information about asymmetric
EC2 instance
0.0.0.0/0 tgw-id routing, refer to:
A On-premises to AWS Resolve asymmetric routing issues

AWS Direct Connect in active/passive configuration (two connections) Traffic from the office branch destined to
A the spoke VPC B is forwarded to the
You can use a Transit VIF and a Direct Connect gateway to connect your on-premises environments to AWS. With this, you Transit Gateway via the active AWS Direct
can benefit of the connectivity to multiple VPCs without the need of several Direct Connect connections. Having a Connect link. The active/passive behavior
in the Direct Connect links can be
secondary Direct Connect connection as backup line allows you to achieve high-availability in the hybrid setup. achieved by configuring the BGP
configuration of each Transit VIF
accordingly. The Transit Gateway is
AWS Region spoke VPC A route table connected to Direct Connect by using a
spoke VPC A Destination Target Transit VIF and a Direct Connect Gateway.
10.0.0.0/16
10.0.0.0/16 local As per the Transit Gateway on-premises
Availability Zone A B route table, the traffic is forwarded to the
0.0.0.0/0 tgw-id
workload subnet spoke VPC B attachment.
10.0.1.0/24
EC2 The TGW ENI of the spoke VPC B forwards
instance 1 VPC C the traffic to the destination.
association
AWS Transit Gateway DX location A
TGW subnet
10.0.0.0/24 spoke VPC route table Traffic initiated from an Amazon EC2
1 instance in the spoke VPC A and destined
TGW CIDR Attachment 3
Transit VIF to the office branch is routed to the
ENI 2 10.10.0.0/16 Direct Connect Gateway DX Gateway (active) Transit Gateway ENI as per the spoke VPC
DX router
association A route table.
on-premises route table
spoke VPC B DX location As per the Transit Gateway spoke VPC
10.1.0.0/16 CIDR attachment Direct Transit VIF 2 route table, the traffic is forwarded to the
Connect (passive) office branch
Availability Zone A
VPC 10.0.0.0/24 Spoke VPC A
10.10.0.0/16 Direct Connect gateway.
association Gateway
TGW subnet 10.1.0.0/24 Spoke VPC B
B Because of the BGP configuration of both
10.1.0.0/24
DX router 3 Direct Connect connections, the active link
TGW is the preferred one for the traffic from
ENI
the Transit Gateway to the office branch.
workload subnet spoke VPC B route table
10.1.1.0/24
Destination Target For more information about how to configure
C active/passive configurations with AWS Direct
10.1.0.0/16 local 1 AWS to on-premises
Connect, refer to: Creating active/passive BGP
EC2 instance
0.0.0.0/0 tgw-id connections over AWS Direct Connect.

AWS Site-to-Site VPN on top of AWS Direct Connect for encryption A
You can create an AWS Site-to-Site VPN on
top of an AWS Direct connect link by using
If you require traffic encryption in your AWS Direct Connect connection, one of the options to achieve is to create an AWS a public VIF. You will need to configure your
Site-to-Site VPN on top of the Direct Connect connection. You have two options: either by using a Public VIF to connect to customer gateway to bring up the VIF and
create the VPN connection. Traffic from the
the VPN public endpoint, or by creating a Private IP VPN on top of a Transit VIF to use private IPs.
corporate data center destined to the spoke
VPC A will be routed via the Site-to-Site
VPN connection.
AWS Region spoke VPC A route table AWS Direct Connect
Destination Target public VIF Traffic is sent to the AWS Transit Gateway
spoke VPC A B via the Site-to-Site VPN connection, which
10.0.0.0/16 10.0.0.0/16 local
AWS Site-to-Site VPN is created over the Direct Connect link.
Availability Zone A 0.0.0.0/0 tgw-id
As per the on-premises route table in the
workload subnet
10.0.1.0/24
C Transit Gateway, traffic is forwarded to the
spoke VPC A attachment. The TGW ENI of
the spoke VPC B forwards the traffic to the
EC2 instance VPC corporate destination.
association network –
TGW subnet AWS Transit Gateway 192.168.0.0/16
10.0.0.0/24 AWS Direct Connect location Traffic initiated from an Amazon EC2
spoke VPC route table
B 1 instance in the spoke VPC B and destined to
A
C the corporate data center is routed to the
CIDR attachment Direct
TGW ENI 3 Transit Gateway ENI as per the spoke VPC A
Connect
192.168.0.0/16 Site-to-Site VPN route table.
sp10.1.0.0/16
spoke VPC B on-premises route table customer As per the Transit Gateway spoke VPC route
AWS customer or
gateway
2 table, the traffic is forwarded to the AWS
Availability Zone A CIDR attachment device Partner device
VPN Site-to-Site VPN attachment.
TGW subnet 10.0.0.0/24 spoke VPC A association
10.1.0.0/24 The traffic is sent to the corporate data
10.1.0.0/24 spoke VPC B 3 center via the Site-to-Site VPN connection
2
VPC on top of the Direct Connect link.
TGW ENI association
workload subnet spoke VPC B route table

10.1.1.0/24
To know more about all the options to encrypt
Destination Target
1 traffic in AWS Direct Connect, refer to: Traffic
1 AWS to on-premises
10.1.0.0/16 local Encryptions Options in AWS Direct Connect.
EC2 instance
0.0.0.0/0 tgw-id A On-premises to AWS

Traffic initiated from an instance in the
AWS Direct Connect and Transit Gateway Connect attachments 1 spoke VPC A and destined to the corporate
Use AWS Transit Gateway Connect attachments to simplify your route management across hybrid cloud environments. This data center is routed to the TGW ENI as
per the spoke VPC A route table.
design allows the creation of several Connect attachments over the same AWS Direct Connect link to achieve the logical
separation of traffic. Traffic is forwarded to the Transit
2 Gateway. As per the spoke VPC route
table, the traffic is routed to the corporate
data center via the Transit Gateway
AWS Region spoke VPC A route table Connect attachment.
GRE tunnel
10.0.0.0/16 The Transit Gateway Connect attachment
10.0.0.0/16 local BGP peering 3 uses the Direct Connect connection as
Availability Zone A
0.0.0.0/0 tgw-id transport, and connects the Transit
workload subnet Gateway to the corporate data center
10.0.1.0/24 device using Generic Routing
EC2 Encapsulation (GRE) tunneling and BGP.
VPC
instance 1 association
TGW subnet
AWS Transit Gateway corporate data center A destined to the spoke VPC B is forwarded
10.0.0.0/24 192.168.0.0/16
to the Transit Gateway via the GRE tunnel
spoke VPC route table A
TGW 2 DX location of the Transit Gateway Connect
ENI 3
CIDR attachment attachment – over the Direct Connect link.
Connect customer
192.168.0.0/16 TGW Connect
attachment gateway As per the Transit Gateway Connect route
spoke VPC B
connect route table
B table, the traffic is forwarded to the spoke
10.1.0.0/16 Direct DX router transit VPC B attachment.
CIDR attachment Connect VIF corporate servers
VPC DX
Availability Zone A gateway Gateway
association 10.0.0.0/24 spoke VPC A The TGW ENI of the spoke VPC B forwards
TGW subnet association
10.1.0.0/24 B 10.1.0.0/24 spoke VPC B
C the traffic to the destination.
TGW AWS Direct

ENI Connect
workload subnet
spoke VPC B route table
10.1.1.0/24
Destination Target
C 1 AWS to on-premises
10.1.0.0/16 local
EC2 instance
0.0.0.0/0 tgw-id

Hybrid connectivity with AWS Direct Connect Private VIFs and inter-VPC 1
instance in the spoke VPC A and
connection with AWS Transit Gateway destined to spoke VPC B is routed to the
Transit Gateway ENI as per the spoke
When transitivity communication is not needed in the connection between on-premises and AWS, you can be cost-effective by VPC A route table. Traffic is forwarded
using VIFs and Direct Connect Gateway to connect your corporate data center to your VPCs, and use AWS Transit Gateway only to the AWS Transit Gateway.
for inter-VPC communication.
As per the AWS Transit Gateway spoke
2 VPC route table, the traffic is routed to
AWS Region spoke VPC B. The Transit Gateway ENI
spoke VPC A
10.0.0.0/16
in spoke VPC B forwards the traffic to
spoke VPC A route table the destination.
Availability Zone A
Destination Target
10.0.0.0/16 local TGW subnet workload subnet A destined to the spoke VPC A is
10.0.1.0/28 10.0.0.0/24
forwarded to AWS via the AWS Direct
192.168.0.0/16 vgw-id
1 Connect link. The corporate data center
C
0.0.0.0/0 tgw-id can communicate with both VPCs using
Transit Gateway EC2 instance Virtual Private one single private VIF thanks to the
ENI gateway Direct Connect Gateway.
B
AWS Transit Gateway DX DX location For this specific use case, the traffic is
VPC association Gateway
private VIF B forwarded to the Virtual Private
spoke VPC route table association
Gateway of the spoke VPC A.
CIDR attachment A
VPC association Direct Connect Direct Connect As per the spoke VPC A route table,
corporate data
10.0.0.0/16 spoke VPC A Gateway router
center C traffic is forwarded to the destination
DX Gateway 192.168.0.0/16 Amazon EC2 instance.
10.1.0.0/16 spoke VPC B
spoke VPC B association
10.1.0.0/16
Availability Zone A Virtual Private

gateway
TGW subnet workload subnet
10.1.1.0/28 10.1.0.0/24 spoke VPC B route table
2
Destination Target
Transit Gateway EC2 instance 10.1.0.0/16 local 1 AWS to AWS

ENI 192.168.0.0/16 vgw-id
0.0.0.0/0 tgw-id


Hybrid Connectivity To Transit Gateway Ra

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hybrid Connectivity To Transit Gateway Ra

Uploaded by

Copyright:

Available Formats

1.

Hybrid connectivity to AWS Transit Gateway with AWS Site-to-Site VPN

2. Hybrid connectivity to AWS Transit Gateway with AWS Direct Connect

3. AWS Site-to-Site VPN as primary and AWS Site-to-Site VPN as backup

AWS Transit Gateway 5. AWS Direct Connect in active/passive configuration

7. AWS Direct Connect and Transit Gateway Connect attachments

Reviewed for technical accuracy August 17, 2022

Traffic is forwarded to AWS Transit

Reviewed for technical accuracy August 17, 2022

Reviewed for technical accuracy August 17, 2022

spoke VPC A Destination Target As per the Transit Gateway on-premises

Reviewed for technical accuracy August 17, 2022

Reviewed for technical accuracy August 17, 2022

workload subnet spoke VPC B route table

Reviewed for technical accuracy August 17, 2022

TGW AWS Direct

Reviewed for technical accuracy August 17, 2022

Availability Zone A Virtual Private

Transit Gateway EC2 instance 10.1.0.0/16 local 1 AWS to AWS

Reviewed for technical accuracy August 17, 2022

You might also like