AWS Transit Gateway

Amitabh soniAmitabh soni
8 min read

Table of contents

AWS Transit Gateway Setup Guide for ByteConnect Inc.

This guide provides detailed steps to establish a network architecture for ByteConnect Inc., where multiple departments operate in isolated Virtual Private Clouds (VPCs) within AWS. The goal is to enable seamless communication between instances in these VPCs using AWS Transit Gateway, as depicted in an architecture with three VPCs, each containing a public subnet and an EC2 instance, interconnected via a Transit Gateway.

Prerequisites

Before starting, ensure you have:

  • An AWS account with permissions to create and manage VPCs, subnets, Internet Gateways, route tables, EC2 instances, and Transit Gateways (AWS Identity and Access Management).

  • Basic knowledge of navigating the AWS Management Console.

  • A key pair created in the EC2 console for SSH access to instances (Create a key pair).

  • All actions performed in the same AWS Region (e.g., us-east-1) for consistency.

Architecture Overview

The architecture consists of:

  • Three VPCs:

    • test-vpc-1: CIDR 12.0.0.0/16, with public subnet 12.0.0.0/24.

    • test-vpc-2: CIDR 13.0.0.0/16, with public subnet 13.0.1.0/24.

    • test-vpc-3: CIDR 14.0.0.0/16, with public subnet 14.0.1.0/24.

  • Public Subnets: Each hosts an EC2 instance with a public IP for accessibility.

  • Internet Gateways: Enable internet access for public subnets.

  • EC2 Instances: One per VPC for testing communication.

  • AWS Transit Gateway: Central hub connecting all VPCs, facilitating inter-VPC communication.

  • Route Tables: Configured to route traffic between VPCs via the Transit Gateway.

  • Security Groups: Allow necessary traffic (e.g., ICMP, SSH) between VPCs.

The Transit Gateway simplifies network management by acting as a hub, eliminating the need for complex VPC peering. Each VPC’s route table will include routes to the other VPCs’ CIDR blocks, pointing to the Transit Gateway.

Image credit to Rahul Wagh at YT

Step-by-Step Instructions

Step 1: Create Three VPCs

  1. Log in to the AWS Management Console.

  2. Navigate to the VPC dashboard under “Networking & Content Delivery.”

  3. Click Create VPC and configure:

    • VPC 1:

      • Name tag: test-vpc-1

      • IPv4 CIDR block: 12.0.0.0/16

      • Tenancy: Default

    • VPC 2:

      • Name tag: test-vpc-2

      • IPv4 CIDR block: 13.0.0.0/16

      • Tenancy: Default

    • VPC 3:

      • Name tag: test-vpc-3

      • IPv4 CIDR block: 14.0.0.0/16

      • Tenancy: Default

  4. Click Create VPC for each and verify creation in the VPC dashboard.

Step 2: Create Public Subnets

  1. In the VPC dashboard, select Subnets and click Create subnet.

  2. Configure one subnet per VPC:

    • VPC 1:

      • VPC: test-vpc-1

      • Subnet name: public-subnet-1

      • Availability Zone: e.g., us-east-1a

      • IPv4 CIDR block: 12.0.0.0/24

    • VPC 2:

      • VPC: test-vpc-2

      • Subnet name: public-subnet-2

      • Availability Zone: us-east-1a

      • IPv4 CIDR block: 13.0.1.0/24

    • VPC 3:

      • VPC: test-vpc-3

      • Subnet name: public-subnet-3

      • Availability Zone: us-east-1a

      • IPv4 CIDR block: 14.0.1.0/24

  3. Click Create subnet for each and confirm in the Subnets list.

Step 3: Create and Attach Internet Gateways

  1. In the VPC dashboard, select Internet Gateways and click Create internet gateway.

  2. Create and attach one per VPC:

    • VPC 1:

      • Name tag: igw-test-vpc-1

      • After creation, select it, click Actions > Attach to VPC, and choose test-vpc-1.

    • VPC 2:

      • Name tag: igw-test-vpc-2

      • Attach to test-vpc-2.

    • VPC 3:

      • Name tag: igw-test-vpc-3

      • Attach to test-vpc-3.

  3. Verify attachments in the Internet Gateways section.

Step 4: Create and Configure Route Tables

  1. In the VPC dashboard, select Route Tables and click Create route table.

  2. Create one per VPC:

    • VPC 1: Name: rt-test-vpc-1, VPC: test-vpc-1

    • VPC 2: Name: rt-test-vpc-2, VPC: test-vpc-2

    • VPC 3: Name: rt-test-vpc-3, VPC: test-vpc-3

  3. For each route table:

    • Select the route table, go to Routes tab, and click Edit routes.

    • Add a route:

      • Destination: 0.0.0.0/0

      • Target: Internet Gateway (e.g., igw-test-vpc-1 for rt-test-vpc-1)

    • Click Save routes.

  4. Associate each route table with its public subnet:

    • Select the route table, go to Subnet associations, click Edit subnet associations.

    • Select the corresponding subnet (e.g., public-subnet-1 for rt-test-vpc-1) and save.

Step 5: Launch EC2 Instances

  1. Navigate to the EC2 dashboard and click Launch instances.

  2. Configure one instance per VPC:

    • AMI: Choose Amazon Linux 2 or similar.

    • Instance type: t2.micro (free tier eligible).

    • Network settings:

      • VPC 1: VPC: test-vpc-1, Subnet: public-subnet-1, Auto-assign Public IP: Enable

      • VPC 2: VPC: test-vpc-2, Subnet: public-subnet-2, Auto-assign Public IP: Enable

      • VPC 3: VPC: test-vpc-3, Subnet: public-subnet-3, Auto-assign Public IP: Enable

    • Storage: Default settings.

    • Tags: Add Name tag (e.g., instance-vpc-1).

    • Security group: Create a new security group with:

      • Inbound rule: SSH (port 22) from your IP (e.g., 203.0.113.0/32).

      • Inbound rule: All ICMP - IPv4 from anywhere (0.0.0.0/0) for testing.

    • Key pair: Select an existing key pair or create a new one.

  3. Launch each instance and note their public and private IPs.

Step 6: Create AWS Transit Gateway

  1. In the VPC dashboard, select Transit Gateways and click Create Transit Gateway.

  2. Configure:

    • Name tag: test-tgw

    • Description: Optional (e.g., “Transit Gateway for ByteConnect”)

    • Amazon side ASN: Default (64512-65534)

    • DNS support: Enable

    • Default route table association/propagation: Enable

  3. Click Create Transit Gateway and wait for the status to become “Available” (may take a few minutes).

Step 7: Attach VPCs to Transit Gateway

  1. In the VPC dashboard, select Transit Gateway Attachments and click Create Transit Gateway Attachment.

  2. For each VPC:

    • Transit Gateway ID: test-tgw

    • Attachment type: VPC

    • VPC ID: Select test-vpc-1, test-vpc-2, or test-vpc-3

    • Subnet IDs: Select the public subnet (e.g., public-subnet-1 for test-vpc-1)

  3. Click Create attachment for each VPC and verify attachments in the list.

Step 8: Configure Route Tables for Inter-VPC Communication

  1. In the VPC dashboard, select Route Tables.

  2. Update each route table to include routes to other VPCs’ CIDR blocks:

    • rt-test-vpc-1:

      • Destination: 13.0.0.0/16, Target: Transit Gateway (test-tgw)

      • Destination: 14.0.0.0/16, Target: Transit Gateway (test-tgw)

    • rt-test-vpc-2:

      • Destination: 12.0.0.0/16, Target: Transit Gateway (test-tgw)

      • Destination: 14.0.0.0/16, Target: Transit Gateway (test-tgw)

    • rt-test-vpc-3:

      • Destination: 12.0.0.0/16, Target: Transit Gateway (test-tgw)

      • Destination: 13.0.0.0/16, Target: Transit Gateway (test-tgw)

  3. For each route table, click Edit routes, add the routes, and click Save routes.

Step 9: Configure Security Groups for Inter-VPC Traffic

  1. In the EC2 dashboard, select Security Groups.

  2. For each instance’s security group, add inbound rules to allow traffic from other VPCs:

    • Instance in test-vpc-1:

      • Type: All ICMP - IPv4, Source: 13.0.0.0/16

      • Type: All ICMP - IPv4, Source: 14.0.0.0/16

    • Instance in test-vpc-2:

      • Type: All ICMP - IPv4, Source: 12.0.0.0/16

      • Type: All ICMP - IPv4, Source: 14.0.0.0/16

    • Instance in test-vpc-3:

      • Type: All ICMP - IPv4, Source: 12.0.0.0/16

      • Type: All ICMP - IPv4, Source: 13.0.0.0/16

  3. Optionally, add rules for other protocols (e.g., TCP port 80 for HTTP) based on application needs.

  4. Save changes for each security group.

Step 10: Test Connectivity

  1. SSH into an EC2 instance (e.g., instance-vpc-1) using its public IP:

     ssh -i your-key.pem ec2-user@<public-ip>

  2. Ping the private IP of an instance in another VPC (e.g., instance-vpc-2):

     ping <private-ip-of-instance-vpc-2>

  3. Curl the private IP of an instance in another VPC instance (e.g., instance-vpc-2):

     curl <private-ip-of-instance-vpc-2>

  4. Repeat from other instances to confirm bidirectional communication.

  5. If pings fail, verify:

    • Route table entries are correct.

    • Transit Gateway attachments are in “Available” state.

    • Security groups allow ICMP traffic.

    • Network ACLs (if customized) permit the traffic.

Additional Notes

  • CIDR Blocks: The CIDR blocks (12.0.0.0/16, 13.0.0.0/16, 14.0.0.0/16) are chosen to avoid overlap, which is critical for proper routing. Adjust as needed for your environment.

  • Public Subnets: These subnets are configured for internet access, suitable for testing. For production, consider private subnets with NAT Gateways for enhanced security.

  • Transit Gateway Route Table: By default, enabling route table propagation associates all attachments with the Transit Gateway’s default route table, allowing communication between VPCs. For isolation, create separate route tables (Transit Gateway Route Tables).

  • Security Considerations: Restrict security group rules to specific IPs or CIDRs in production. Use network ACLs for additional control if needed.

  • Scalability: Additional VPCs can be attached to the Transit Gateway without modifying existing configurations, making this architecture scalable.

  • Cost: Transit Gateway incurs charges based on attachments and data transfer. Review AWS Transit Gateway Pricing for cost estimates.

Troubleshooting

  • Ping Fails: Check security group rules, route tables, and Transit Gateway attachment status. Ensure instances are running and reachable.

  • Attachment Issues: Verify subnets are correctly associated with Transit Gateway attachments. Attachments should be in “Available” state.

  • Routing Errors: Confirm no overlapping CIDR blocks and that routes point to the correct Transit Gateway ID.

Example Configuration Summary

ComponentVPC 1VPC 2VPC 3
VPC Nametest-vpc-1test-vpc-2test-vpc-3
CIDR Block12.0.0.0/1613.0.0.0/1614.0.0.0/16
Subnetpublic-subnet-1 (12.0.0.0/24)public-subnet-2 (13.0.1.0/24)public-subnet-3 (14.0.1.0/24)
Route Table Routes0.0.0.0/0 → igw
13.0.0.0/16 → tgw
14.0.0.0/16 → tgw0.0.0.0/0 → igw
12.0.0.0/16 → tgw
14.0.0.0/16 → tgw0.0.0.0/0 → igw
12.0.0.0/16 → tgw
13.0.0.0/16 → tgw
EC2 Instanceinstance-vpc-1instance-vpc-2instance-vpc-3

This setup ensures that instances in test-vpc-1, test-vpc-2, and test-vpc-3 can communicate seamlessly, fulfilling ByteConnect Inc.’s requirement for inter-departmental VPC connectivity.

Key Citations

Output Images/Images

  1. VPCs:

  2. Subnets:

  3. Internet Gateways:

  4. Route Tables:

  5. EC2 Instances:

  6. EC2 Security Group Inbound Rule:

  7. Transit Gateway:

  8. Transit Gateway Attachments:

  9. Dept-A-Server:

  10. Dept-B-Server:

  11. Dept-C-Server:

0
Subscribe to my newsletter

Read articles from Amitabh soni directly inside your inbox. Subscribe to the newsletter, and don't miss out.

aws transitAWSDevopsvpcsubnetroutingvpc peeringDevSecOpsInternet Gatewayec2

Written by

Amitabh soni
Amitabh soni

DevOps Enthusiast | Passionate Learner in Tech | BSc IT Student I’m a second-year BSc IT student with a deep love for technology and an ambitious goal: to become a DevOps expert. Currently diving into the world of automation, cloud services, and version control, I’m excited to learn and grow in this dynamic field. As I expand my knowledge, I’m eager to connect with like-minded professionals and explore opportunities to apply what I’m learning in real-world projects. Let’s connect and see how we can innovate together!