Optimizing TGW Routing for Select VPC Subnets in DX Communication Scenario

0

A client has a specific requirement to establish communication between a VPC and an on-premises network via Direct Connect (DX), utilizing a Transit Gateway (TGW). This communication is necessary for a subset of private subnets within the VPC; specifically, out of the existing 6 private subnets, only 3 need to establish connectivity to the on-premises environment.

Here's the sequence of actions I've undertaken to address this requirement:

  1. I initiated the creation of a TGW attachment dedicated to the target VPC.

  2. I crafted and associated a route table with the above attachment to facilitate the connection.

My current deliberation centers around the need to set up propagation within the TGW route table. My understanding is that the entire CIDR range of the VPC would be disseminated. Nevertheless, I'm contemplating if there's a method to permit solely the 3 specific subnets to engage with the on-premises infrastructure. Furthermore, I'm exploring the feasibility of condensing the route information for these subnets, streamlining the connection to the on-premises network.

I'm seeking guidance on how to effectively address this scenario, ensuring that only the designated 3 subnets are authorized for communication while concurrently optimizing the route configuration.

Ali Md
Asked 9 months ago, 276 views
2 answers
0
Accepted answer

In your case you will be using Transit virtual interface + Direct Connect gateway + Transit Gateway, the prefixes advertised to on-premises would be controlled via the allowed prefixes field under Direct Connect gateway.

In the allowed prefixes you can define the 3 subnets that you wish to establish the connectivity with on-premises, and on-premises will only receive those three subnets' CIDRs.

Below are two guides that go through the same: https://repost.aws/knowledge-center/direct-connect-vpc-bgp https://docs.aws.amazon.com/directconnect/latest/UserGuide/allowed-to-prefixes.html#allowed-to-prefixes-transit-gateway

AWS
Matt_E
Answered 9 months ago
Expert, reviewed 9 months ago
AWS Expert, reviewed 9 months ago
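As an added illustration of the accepted answer (not code from the answer or from AWS), the snippet below computes what to put in the Direct Connect gateway's allowed-prefixes field for the three on-premises-facing subnets and checks that no summarized prefix would leak the other three. The VPC CIDR and subnet ranges are constructed sample values, not the asker's.

```python
import ipaddress

# Constructed sample values (not from the question): a /16 VPC with six private
# /20 subnets, three of which are allowed to reach on-premises via the DX gateway.
VPC_CIDR = "10.20.0.0/16"
ALLOWED = ["10.20.0.0/20", "10.20.16.0/20", "10.20.32.0/20"]
EXCLUDED = ["10.20.64.0/20", "10.20.80.0/20", "10.20.96.0/20"]


def summarize_allowed_prefixes(allowed, excluded, vpc_cidr, strict=True):
    """Return the shortest list of prefixes for the DX gateway 'allowed
    prefixes' field that covers every allowed subnet.

    strict=True  : only merge adjacent allowed blocks, so no address outside
                   the allowed subnets is ever advertised to on-premises.
    strict=False : additionally widen each prefix inside the VPC CIDR as long
                   as it does not overlap an excluded subnet; the result may
                   cover unallocated space that a future subnet could land in.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    allowed_nets = [ipaddress.ip_network(c) for c in allowed]
    excluded_nets = [ipaddress.ip_network(c) for c in excluded]
    # collapse_addresses merges sibling blocks into their common supernet
    # and drops any prefix already covered by another one.
    summary = list(ipaddress.collapse_addresses(allowed_nets))
    if not strict:
        widened = []
        for net in summary:
            while net != vpc:
                candidate = net.supernet()
                if not candidate.subnet_of(vpc) or any(
                    candidate.overlaps(x) for x in excluded_nets
                ):
                    break
                net = candidate
            widened.append(net)
        summary = list(ipaddress.collapse_addresses(widened))
    return summary


def leaked_subnets(summary, excluded):
    """Subnets that must stay private but would be advertised by `summary`."""
    summary_nets = [ipaddress.ip_network(str(s)) for s in summary]
    excluded_nets = [ipaddress.ip_network(c) for c in excluded]
    return [x for x in excluded_nets if any(s.overlaps(x) for s in summary_nets)]


if __name__ == "__main__":
    for strict in (True, False):
        s = summarize_allowed_prefixes(ALLOWED, EXCLUDED, VPC_CIDR, strict)
        print("strict" if strict else "loose", [str(n) for n in s],
              "leaks:", [str(n) for n in leaked_subnets(s, EXCLUDED)])
```

Run the leak check again whenever a subnet is added to the VPC: a loose summary that was safe when written can start covering a new private subnet.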
0

Hello.
As you recognize, when route propagation is enabled, the CIDR of the VPC is advertised as the route.
However, we thought we could control communication with on-premises by configuring routing to the Transit Gateway only in the route table of the subnet we want to communicate with on-premises.
In other words, communication with on-premises is not possible unless a route destined to the Transit Gateway is set in the route table for the subnet that does not communicate with on-premises.
So we thought there would be no problem with advertising the VPC's CIDR to the on-premises route.

Expert
Answered 9 months ago
