Direct Connect extended to Cloud WAN


Dear Team - I have the below setup.

on-prem --> Direct connect -> Direct connect gateway --> TGW --> Peering --> Cloudwan.

The TGW has two route tables, one Prod and one Hybrid. Cloud WAN has two segments, Prod and Hybrid. Both route tables are extended to their respective Cloud WAN segments through the TGW-Cloud WAN peering. The Direct Connect GW is associated with and propagated to the Hybrid RT. The Direct Connect GW is also propagated to the Prod route table. On-prem routes are correctly getting propagated into both TGW route tables. I can ping an on-prem host from an EC2 VM on the Hybrid Cloud WAN segment side.

In the Cloud WAN core network routes section of the Prod segment, I can see the on-prem route towards the transit gateway route table, as below.

CIDR - 198.168.0.0/16 (on-prem routes)
Destination - attachment-0d5a74dd546bdfdfd | transit-gateway-route-table | tgw-rtb-0191skldjks878
Route Type - Propagated

However, I cannot ping an on-prem host from a Cloud WAN Prod segment EC2 VM. I believe this is because the Hybrid RT does not have propagated routes of the Cloud WAN Prod segment for the reverse traffic from on-prem?

When I try to propagate the Cloud WAN peering attachment into the Hybrid RT, I get the error "You cannot propagate a peering attachment to a Transit Gateway Route Table".

Does it mean that the on-prem routes we are getting from Direct Connect can only work/be reachable from a single segment of Cloud WAN? Does AWS have any documentation on this?

Thanks, team

1 Answer
Accepted Answer

Have you tried using segment sharing between your Cloud WAN Prod and Hybrid segments?

See this blog and specifically the section 'Direct Connect integration with Cloud WAN', which explains the forward and reverse traffic flow in such a scenario.

AWS EXPERT, answered 4 days ago; reviewed 3 days ago
  • Thanks Tushar_J - Yes, I can ping after sharing the Cloud WAN Prod and Hybrid segments. My goal is to inspect the traffic as well. So with segment sharing, I cannot inspect the traffic, right? Or do I need to remove the segment sharing and send the traffic from Prod to Hybrid via an NFG? Is this the correct understanding?

  • Correct, then you wouldn't want to share the segments directly between Prod and Hybrid. If you intend to inspect the traffic, then send the traffic via the NFG as you said.
