I want to provide secure connectivity between my Amazon Virtual Private Cloud (Amazon VPC) and my virtual private network (VPN) using a transit gateway. How do I migrate my VPN from a virtual private gateway to a transit gateway?
Follow these steps to complete the VPN migration from a virtual private gateway to a transit gateway.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
Step 1: Create a transit gateway
Follow the steps to create a transit gateway.
Note: Make sure to select Auto accept shared attachments to enable automatic acceptance of cross-account attachments.
To create a transit gateway using the AWS CLI:
aws ec2 create-transit-gateway
Step 2: Attach your VPCs to the transit gateway
Follow the steps to Attach your VPCs to the transit gateway.
You must specify one subnet from each Availability Zone to be used by the transit gateway for routing traffic. Specifying one subnet from each Availability Zone enables traffic to reach resources in every subnet in that Availability Zone.
Note: It's a best practice to create a separate subnet in each Availability Zone for the transit gateway elastic network interfaces.
To attach a VPC to the transit gateway using the AWS CLI:
aws ec2 create-transit-gateway-vpc-attachment
--subnet-ids "subnet-12312312" "subnet-41343432"
Step 3: Remove your static VPN routes (required for a static VPN connection migrating to a transit gateway)
Follow the steps to remove the static VPN routes.
To remove the static VPN routes using the AWS CLI:
aws ec2 delete-vpn-connection-route
Step 4: Migrate the existing Site-to-Site VPN to the transit gateway
To migrate your VPN target from the virtual gateway to the new transit gateway:
1. Open the Amazon VPC console.
2. In the navigation pane, choose Site-to-Site VPN Connections.
3. Select the Site-to-Site VPN connection, choose Actions, and then choose Modify VPN Connection.
4. For Target Type, choose Transit Gateway.
5. Select your transit gateway from the target transit gateway ID dropdown list.
6. Choose Save.
To migrate the Site-to-Site VPN target to the new transit gateway using the AWS CLI:
aws ec2 modify-vpn-connection \
--vpn-connection-id vpn-12345678901234567 \
Step 5: Update or create the VPC route table
1. Follow the steps to modify or add a route to a route table.
2. For existing routes, change the route Target from the virtual gateway ID to the new virtual gateway ID.
3. If no route exists, then create a new route with the transit gateway ID as the Target.
Note: You must include VPC static routes even if the route table has propagation enabled.
To create a new VPC route using the AWS CLI:
aws ec2 create-route
To modify an existing route using the AWS CLI:
aws ec2 replace-route
Step 6: Update the transit gateway route tables
Follow the steps to create or propagate transit gateway routes tables.
To create the transit gateway route using the AWS CLI:
aws ec2 create-transit-gateway-route \
--destination-cidr-block 10.0.0.0/8 \
--transit-gateway-route-table-id tgw-rtb-00abc11def22ghi33 \
Note: Migrating the VPN target causes a brief interruption of service until the Site-to-Site VPN modification completes.
Transit gateway design best practices
Migrate from Transit VPC to AWS Transit Gateway