How do I connect multiple VPCs to an on-premises network over the same VPN connection?

I have two virtual private clouds (VPCs): one for production and one for development. On-premises users need to reach resources in both VPCs over a single Site-to-Site VPN connection, so I must establish network connectivity between the VPCs and the on-premises network through that VPN connection. Additionally, I need to block traffic between the two VPCs.

Short Description

Complete the steps below to establish network connectivity between resources in multiple VPCs so that:

  • On-premises users can access resources from all VPCs across the VPN
  • VPC resources can't access resources in the other VPCs

Resolution

Create a transit gateway, and then attach your VPCs and a Site-to-Site VPN

  1. Create a transit gateway.
  2. Attach your VPCs to your transit gateway.
  3. Create a Site-to-Site VPN connection and attach it to your transit gateway.

Note:

  • Turn off the Default association route table setting when you create your transit gateway. If you leave it on, every attachment (including the VPN attachment) is automatically associated with the default route table, and the VPCs can route to each other through it.
  • To automatically propagate VPN routes to the transit gateway route table, choose Dynamic (requires Border Gateway Protocol) for Routing option.

Create a transit gateway route table and associate your VPCs to it

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation pane, choose Transit Gateways.
  3. Verify that the Default association route table setting for your transit gateway is set to Disable.
    Note: If the setting is set to Enable, skip to step 8.
  4. Choose Transit Gateway Route Tables.
  5. Choose Create Transit Gateway Route Table, and then complete the following:
    For Name tag, enter VPCs Route Table.
    For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
    Choose Create Transit Gateway Route Table.
  6. Choose VPCs Route Table (or the default route table of your transit gateway). Then, choose Associations, Create Association.
  7. For Choose attachment to associate, choose the attachment ID of one of your VPC attachments. Then, choose Create Association. Repeat this step until all of your VPC attachments display under Associations.
  8. If the VPN attachment is associated with the default transit gateway route table, delete that association. An attachment can be associated with only one transit gateway route table, and the VPN attachment must use the VPN route table that you create next.

Create a second transit gateway route table and associate your VPN connection attachment with it

  1. Choose Transit Gateway Route Tables.
  2. Choose Create Transit Gateway Route Table, and then complete the following:
    For Name tag, enter VPN Route table.
    For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
    Choose Create Transit Gateway Route Table.
  3. Choose VPN Route table (or the default route table of your transit gateway). Then, choose Associations, Create Association.
  4. Associate the VPN connection attachment that you created with VPN Route table.

Propagate routes from your VPCs and VPN on both route tables

  1. Choose VPCs Route Table, and then choose the Propagations tab.
  2. Choose Create Propagation. For Choose attachment to propagate, choose the VPN attachment. If propagation is turned on for all of your attachments, verify that the VPC attachments don't propagate into VPCs Route Table and that the VPN attachment isn't associated with it. Any prefix that a VPC attachment advertises into VPCs Route Table becomes reachable from the other VPC, which breaks the isolation.
    Important: If you created a VPN connection with static routing, then there's no BGP to propagate routes. Instead of turning on route propagation from the VPN attachment, create a static route in VPCs Route Table for the on-premises network with the VPN attachment as the target.
  3. Choose VPN Route table, and then choose the Propagations tab.
  4. Choose Create Propagation. For Choose attachment to propagate, choose each of your VPC attachments in turn.

Configure the route table associated with your VPC and attachment subnet

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Choose the route table that's associated with the subnets in your production VPC (the subnets that contain the resources that on-premises users need to reach).
  4. Choose the Routes tab, and then choose Edit routes.
  5. Choose Add route, and then complete the following:
    For Destination, enter the CIDR range of the on-premises network.
    For Target, choose your transit gateway.
    Choose Save changes.
  6. Repeat steps 3 through 5 for the route tables of your development VPC. Don't add a route for the other VPC's CIDR range: the transit gateway has no route for it in VPCs Route Table, so that traffic is dropped.

Note: If you require more restrictive access between your VPCs, then you can create a separate route table for each VPC and configure the routes. Note the following for this method:

  • If a transit gateway attachment is associated with a transit gateway route table, then the attachment uses the route table to make routing decisions.
  • If a transit gateway attachment has propagation activated for a specific transit gateway route table, the attachment only advertises prefixes into this route table. But, if the attachment is not associated with the route table, then the attachment doesn't use the route table for routing.
  • A single transit gateway attachment can propagate into one or more transit gateway route tables.
  • A single transit gateway attachment can be associated only with a single transit gateway route table.
  • A single transit gateway route table can be associated with one or multiple transit gateway attachments.
  • Multiple transit gateway attachments can propagate to the same transit gateway route table.
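The procedure above, and the association and propagation rules in the preceding list, can be checked offline with a small model before you touch a live transit gateway. The following Python is an added example, not part of the AWS article: it encodes the rules (an attachment is associated with exactly one route table and routes with it; an attachment's prefixes appear only in the tables it propagates into; static routes stand in for propagation on a static VPN) and computes which attachment a packet would leave through. The CIDRs, attachment names and probe addresses are constructed assumptions. It compares the documented two-table design (both the BGP and the static-VPN variant) with the pitfall of leaving Default association route table turned on.

```python
"""Offline model of the transit gateway design in this article.

Added example (not from the AWS article). Two VPC attachments and one
Site-to-Site VPN attachment sit on a transit gateway with two route tables,
"VPCs Route Table" and "VPN Route table". CIDRs and attachment names are
constructed assumptions; the routing rules are the association/propagation
rules stated in the article's closing notes.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample prefixes (assumptions, not from the article).
ON_PREM = "192.168.0.0/16"
PROD_VPC = "10.1.0.0/16"
DEV_VPC = "10.2.0.0/16"

# attachment name -> prefixes the attachment advertises when it propagates
ATTACHMENTS = {"prod-vpc": [PROD_VPC], "dev-vpc": [DEV_VPC], "vpn": [ON_PREM]}


@dataclass
class TgwRouteTable:
    name: str
    associations: set = field(default_factory=set)    # attachments that USE this table
    propagations: set = field(default_factory=set)    # attachments that ADVERTISE into it
    static_routes: dict = field(default_factory=dict)  # cidr -> attachment (static VPN)

    def routes(self):
        """Effective routes: propagated prefixes plus static routes."""
        table = {}
        for att in self.propagations:
            for cidr in ATTACHMENTS[att]:
                table[ip_network(cidr)] = att
        for cidr, att in self.static_routes.items():
            table[ip_network(cidr)] = att
        return table


class TransitGateway:
    def __init__(self, *tables):
        self.tables = list(tables)
        # Rule: a single attachment can be associated with only one route table.
        seen = set()
        for t in self.tables:
            dup = seen & t.associations
            if dup:
                raise ValueError(f"attachment(s) {dup} associated with more than one table")
            seen |= t.associations

    def table_for(self, attachment):
        """Routing decisions use the table the ingress attachment is associated with."""
        for t in self.tables:
            if attachment in t.associations:
                return t
        return None  # associated with no table: the attachment cannot route at all

    def egress(self, ingress_attachment, dst_ip):
        """Longest-prefix match in the ingress attachment's table; None means dropped."""
        table = self.table_for(ingress_attachment)
        if table is None:
            return None
        routes = table.routes()
        matches = [net for net in routes if ip_address(dst_ip) in net]
        if not matches:
            return None
        return routes[max(matches, key=lambda n: n.prefixlen)]


def build_as_documented(static_vpn=False):
    """The article's design: VPC attachments use one table, the VPN uses the other."""
    vpcs_rt = TgwRouteTable("VPCs Route Table", associations={"prod-vpc", "dev-vpc"})
    if static_vpn:
        # Static VPN: no BGP, so the on-prem prefix is a static route, not a propagation.
        vpcs_rt.static_routes[ON_PREM] = "vpn"
    else:
        vpcs_rt.propagations.add("vpn")  # Dynamic (BGP) VPN propagates on-prem routes
    vpn_rt = TgwRouteTable("VPN Route table", associations={"vpn"},
                           propagations={"prod-vpc", "dev-vpc"})
    return TransitGateway(vpcs_rt, vpn_rt)


def build_default_association():
    """The pitfall: Default association route table left on, so every attachment is
    associated with, and propagates into, one shared table."""
    shared = TgwRouteTable("default", associations=set(ATTACHMENTS),
                           propagations=set(ATTACHMENTS))
    return TransitGateway(shared)


def reachability_matrix(tgw, probes):
    """Map each (ingress attachment, destination IP) probe to its egress attachment."""
    return {(src, dst): tgw.egress(src, dst) for src, dst in probes}


# Constructed probes: on-prem to each VPC, each VPC to on-prem, and VPC to VPC.
PROBES = [("vpn", "10.1.0.10"), ("vpn", "10.2.0.10"),
          ("prod-vpc", "192.168.5.5"), ("dev-vpc", "192.168.5.5"),
          ("prod-vpc", "10.2.0.10"), ("dev-vpc", "10.1.0.10")]

if __name__ == "__main__":
    for label, tgw in [("documented (BGP VPN)", build_as_documented()),
                       ("documented (static VPN)", build_as_documented(static_vpn=True)),
                       ("default association left on", build_default_association())]:
        print(label)
        for (src, dst), hop in reachability_matrix(tgw, PROBES).items():
            print(f"  {src:>8} -> {dst:<12} via {hop or 'DROPPED'}")
```

In both documented variants the VPC-to-VPC probes are dropped because VPCs Route Table only ever learns the on-premises prefix, while the shared-table case routes prod-vpc straight to dev-vpc. The same check is worth running against a live gateway by feeding the output of the route table associations and propagations into the two dataclasses instead of the constructed values.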
AWS OFFICIAL. Updated 9 months ago.