How do I route traffic between VPCs through an on-premises firewall that uses a Direct Connect transit VIF?
I have an Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC) that must send traffic to an Amazon EC2 instance in another VPC. I want to know how to route the traffic through an on-premises firewall over a transit virtual interface (VIF).
Resolution
To route traffic between VPCs through an on-premises firewall over a transit VIF, complete the following steps:
Create a transit gateway. Important: Turn off the Default route table association and Default route table propagation settings so that new attachments aren't automatically associated with, or propagated into, a single default route table. You control the associations and propagations for the two route tables used in this example (TGW RT-1 and TGW RT-2) in the later steps.
Create two transit VIFs on existing Direct Connect connections. In this example, the VIFs are Transit VIF-1 and Transit VIF-2.
Attach Transit VIF-1 to Direct Connect gateway DXGW-1 and Transit VIF-2 to Direct Connect gateway DXGW-2.
Bring the transit VIFs up. Then, from the Direct Connect router, advertise over BGP either a default route (0.0.0.0/0) or a supernet route (a summarized prefix that covers all of the VPC CIDRs).
To create the transit gateway attachments, associate DXGW-1 with the transit gateway, and then associate DXGW-2. Important: When you associate DXGW-1, keep Allowed Prefixes empty so that no VPC prefixes are advertised to the on-premises Direct Connect router over Transit VIF-1. When you associate DXGW-2, in Allowed Prefixes, enter the VPC-A and VPC-B CIDR ranges so that they are advertised to the on-premises Direct Connect router over Transit VIF-2. This is what makes the on-premises firewall return VPC-bound traffic through DXGW-2.
Associate the transit gateway route tables.
First, associate VPC-A-Attach and VPC-B-Attach with TGW RT-1. Then, associate DXGW-1-Attach and DXGW-2-Attach with TGW RT-2. As a result, traffic that enters the transit gateway from either VPC is looked up in TGW RT-1, and traffic that returns from on-premises through either Direct Connect gateway is looked up in TGW RT-2.
Propagate the transit gateway route tables.
In TGW RT-1, propagate routes from DXGW-1-Attach. Because DXGW-1 has no allowed prefixes, nothing is advertised back to on-premises, but TGW RT-1 still learns the default or supernet route that the Direct Connect router advertises over Transit VIF-1. In TGW RT-2, propagate routes from VPC-A-Attach and VPC-B-Attach. Important: Don't propagate the VPC attachments into TGW RT-1. Transit gateway route lookups use longest-prefix match, so if TGW RT-1 contains a route for the VPC-B CIDR, traffic from VPC-A is sent directly to VPC-B and bypasses the firewall.
Add a static route in the VPC subnet route tables for the destination VPC CIDR that points to the transit gateway ID.
In the VPC-A subnet route table, add a static route for the VPC-B CIDR. In the VPC-B subnet route table, add a static route for the VPC-A CIDR.
Confirm that the security groups and network access control lists (ACLs) in the VPCs allow connectivity between the source and destination IP addresses. Note: To route traffic back to the appropriate VPC, configure the Direct Connect router and the on-premises firewall to forward the VPC-A and VPC-B prefixes over Transit VIF-2, the interface on which DXGW-2 advertises them.
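The following is an added model of the route tables that the preceding steps build; it is illustration code, not something AWS provides. It wires up TGW RT-1 and TGW RT-2 with the associations and propagations described above, models the on-premises Direct Connect router as a table that learned only DXGW-2's allowed prefixes, and traces a packet from VPC-A to VPC-B hop by hop. The CIDRs (10.1.0.0/16, 10.2.0.0/16), the advertised supernet (10.0.0.0/8) and the hop labels are constructed. A flag reproduces the common mistake of propagating a VPC attachment into TGW RT-1 so that you can see the firewall bypass it causes.

```python
"""Route-table model of the two-table transit gateway design above.

Added illustration, not AWS code. Constructed addressing: both VPCs sit
inside the supernet that the Direct Connect router is assumed to advertise.
"""
import ipaddress

VPC_A_CIDR = "10.1.0.0/16"          # constructed
VPC_B_CIDR = "10.2.0.0/16"          # constructed
ONPREM_SUPERNET = "10.0.0.0/8"      # constructed: summarized prefix from the DX router
FIREWALL = "on-prem-firewall"


class RouteTable:
    """Longest-prefix-match table: prefix -> next hop (attachment or device)."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add(self, cidr, next_hop):
        self.routes.append((ipaddress.ip_network(cidr), next_hop))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


class TransitGateway:
    """Each attachment is associated with one table; a packet that arrives
    on an attachment is looked up in that table."""

    def __init__(self):
        self.tables = {}
        self.association = {}

    def create_table(self, name):
        self.tables[name] = RouteTable(name)

    def associate(self, attachment, table_name):
        self.association[attachment] = table_name

    def propagate(self, table_name, attachment, prefixes):
        # A VPC attachment contributes its CIDR; a DXGW attachment contributes
        # the prefixes learned over BGP from the on-premises router.
        for p in prefixes:
            self.tables[table_name].add(p, attachment)

    def ingress_table(self, attachment):
        return self.tables[self.association[attachment]]


def build_topology(propagate_vpc_b_into_rt1=False):
    """Return (tgw, onprem_router) wired as in the procedure above.
    The flag reproduces the mistake of a VPC propagation into TGW RT-1."""
    tgw = TransitGateway()
    tgw.create_table("TGW RT-1")
    tgw.create_table("TGW RT-2")

    tgw.associate("VPC-A-Attach", "TGW RT-1")
    tgw.associate("VPC-B-Attach", "TGW RT-1")
    tgw.associate("DXGW-1-Attach", "TGW RT-2")
    tgw.associate("DXGW-2-Attach", "TGW RT-2")

    # RT-1 learns only the on-premises supernet via DXGW-1; RT-2 learns the VPCs.
    tgw.propagate("TGW RT-1", "DXGW-1-Attach", [ONPREM_SUPERNET])
    tgw.propagate("TGW RT-2", "VPC-A-Attach", [VPC_A_CIDR])
    tgw.propagate("TGW RT-2", "VPC-B-Attach", [VPC_B_CIDR])
    if propagate_vpc_b_into_rt1:
        tgw.propagate("TGW RT-1", "VPC-B-Attach", [VPC_B_CIDR])

    # On-premises: only DXGW-2 has allowed prefixes, so the DX router learned
    # the VPC CIDRs over Transit VIF-2 and returns them via DXGW-2.
    onprem = RouteTable("DX-router")
    for cidr in (VPC_A_CIDR, VPC_B_CIDR):
        onprem.add(cidr, "DXGW-2-Attach")
    return tgw, onprem


def trace(tgw, onprem, src_attachment, dst_ip, max_hops=12):
    """Follow a packet that entered the transit gateway on src_attachment
    (the VPC subnet route for the peer CIDR points at the transit gateway)."""
    path = [src_attachment]
    hop = src_attachment
    for _ in range(max_hops):
        if hop.startswith("DXGW-"):
            # Leaving AWS over the transit VIF; the firewall forwards on what
            # the DX router learned, then the packet re-enters on that DXGW.
            path.append(FIREWALL)
            hop = onprem.lookup(dst_ip)
            if hop is None:
                path.append("dropped: no on-prem route")
                return path
            path.append(hop)
        table = tgw.ingress_table(hop)
        path.append(table.name)
        nxt = table.lookup(dst_ip)
        if nxt is None:
            path.append("dropped: no TGW route")
            return path
        path.append(nxt)
        if nxt.startswith("VPC-"):
            return path
        hop = nxt
    path.append("loop")
    return path


def traverses_firewall(path):
    return FIREWALL in path


if __name__ == "__main__":
    good = trace(*build_topology(), "VPC-A-Attach", "10.2.0.10")
    bad = trace(*build_topology(True), "VPC-A-Attach", "10.2.0.10")
    print("correct :", " -> ".join(good))
    print("bypass  :", " -> ".join(bad), "| inspected:", traverses_firewall(bad))
```

Run the script and compare the two paths: with the tables built as described, a packet from VPC-A goes TGW RT-1, DXGW-1-Attach, firewall, DXGW-2-Attach, TGW RT-2, VPC-B-Attach, and the reverse direction is symmetric, so the firewall sees both halves of each flow. With the VPC-B CIDR propagated into TGW RT-1, longest-prefix match hands the packet straight to VPC-B-Attach and the firewall never sees it. A quick way to audit a live deployment for the same mistake is to check that the route table associated with the VPC attachments contains no VPC CIDRs.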