Hello AWS Experts,
I’m working with a customer who needs a specific on-prem CIDR block — 10.6.0.0/20 — to connect only to a single VPC (let's call it VPC-D) in east-2. We want to ensure that this route is isolated and not accessible to any other VPCs in our environment.
Here’s our current setup:
We have two Direct Connect connections, one in east-1 and another in east-2, both connected to the same Direct Connect Gateway (DXGW).
The DXGW is attached to Transit Gateway (TGW) in both regions.
In us-east-2, we have a single TGW route table associated with 50+ spoke VPCs, excluding VPC-D. This route table also has the DXGW attachment associated and route propagation enabled.
The TGW route table is currently learning on-prem routes like 10.10.0.0/20 and 10.100.0.0/20 via BGP advertisements from our on-prem environment.
The concern: If I advertise 10.6.0.0/20 from on-prem to the DXGW, it will propagate to the TGW and therefore become reachable by all 50+ VPCs, which is not desired. I only want 10.6.0.0/20 to be able to communicate with VPC-D, and no other VPCs.
Ask: What is the best way to achieve this isolation — allowing 10.6.0.0/20 to connect to only VPC-D while keeping it unreachable from all other VPCs attached to the TGW?
Looking for best practices or recommended architectural patterns.
Thanks in advance!
Hi Tushar, thank you so much for the detailed response — this is incredibly helpful! Just to confirm my understanding and ensure I'm proceeding correctly:

Option 1: I can configure a blackhole route for 10.6.0.0/20 in the main TGW route table where all the spoke VPCs (except VPC-D) are associated. This ensures that even though the route is learned from on-prem via BGP, it will be dropped for these VPCs. Then, I create a separate TGW route table for VPC-D:
- Associate VPC-D with this route table.
- Enable propagation from the DXGW so it receives on-prem routes.
- Optionally, configure blackhole routes for all other on-prem prefixes except 10.6.0.0/20, just to ensure tighter control.

Option 2: Alternatively, as you suggested:
- Create a Private VIF with a VGW as the target (specifically for VPC-D) using the Direct Connect connection in the Ohio Region.
- Advertise only the 10.6.0.0/20 prefix through this Private VIF.
- Continue using the existing Transit VIF and TGW setup for all other VPCs and routes.
I had a quick question here — would the BGP ASN, Amazon Router IP, and Customer Router IP for this Private VIF be the same as those used for the Transit VIF in the same region (Ohio)? Or would these differ?
Please correct me if I’m misunderstanding anything — just want to ensure I’ve interpreted everything accurately before moving forward.
Thanks again for your guidance!
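The following is an added worked example, not code from the thread or from AWS: a small model of how a Transit Gateway evaluates the two route tables described in Option 1 above. It encodes the documented TGW precedence (longest prefix match first; at equal prefix length a static route beats a propagated one; a blackhole route drops the packet) and the fact that the lookup happens in the route table associated with the attachment a packet enters on, so the DXGW attachment's table (the main one here) must carry VPC-D's CIDR for on-prem to reach VPC-D. The VPC-D CIDR (10.50.0.0/16), the representative spoke CIDR (10.20.0.0/16) and the attachment names are assumptions. It also shows the caveat that TGW routing is destination-based only: a packet sent from 10.6.0.0/20 toward a spoke is still forwarded by the main table, and only the spoke's reply hits the blackhole, so anything stateless (or listening on the spoke side) still needs security groups or NACLs.

```python
"""Constructed model of AWS Transit Gateway route evaluation (added example).

Rules modelled, as documented for TGW route tables:
  1. longest prefix match wins;
  2. at equal prefix length a static route beats a propagated route;
  3. a blackhole route drops the packet.
The lookup uses the table associated with the attachment the packet ENTERS on.
"""
import ipaddress
from typing import Optional

ON_PREM_PREFIXES = ["10.10.0.0/20", "10.100.0.0/20", "10.6.0.0/20"]  # learned via BGP
VPC_D_CIDR = "10.50.0.0/16"   # assumed CIDR for VPC-D
SPOKE_CIDR = "10.20.0.0/16"   # assumed CIDR of one representative spoke VPC


def add_route(table, cidr, kind, target):
    table.append({"cidr": ipaddress.ip_network(cidr), "kind": kind, "target": target})


def lookup(table, dst) -> Optional[str]:
    """Return the attachment to forward to, or None if the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r["cidr"]]
    if not matches:
        return None
    longest = max(r["cidr"].prefixlen for r in matches)
    best = [r for r in matches if r["cidr"].prefixlen == longest]
    best.sort(key=lambda r: r["kind"] != "static")  # static routes sort first
    target = best[0]["target"]
    return None if target == "blackhole" else target


def build_tables():
    main_rt, vpc_d_rt = [], []
    for p in ON_PREM_PREFIXES:  # DXGW propagation enabled on both tables
        add_route(main_rt, p, "propagated", "dxgw-attach")
        add_route(vpc_d_rt, p, "propagated", "dxgw-attach")
    add_route(main_rt, SPOKE_CIDR, "propagated", "spoke-attach")
    # DXGW attachment is associated with the main table, so on-prem -> VPC-D
    # is looked up there: VPC-D's CIDR must be present in it.
    add_route(main_rt, VPC_D_CIDR, "propagated", "vpc-d-attach")
    # Option 1: static blackhole overrides the propagated 10.6.0.0/20 for spokes.
    add_route(main_rt, "10.6.0.0/20", "static", "blackhole")
    # Optional tightening: VPC-D may only reach 10.6.0.0/20 on-prem.
    for p in ("10.10.0.0/20", "10.100.0.0/20"):
        add_route(vpc_d_rt, p, "static", "blackhole")
    return {"main": main_rt, "vpc-d": vpc_d_rt}


# Route table each attachment is associated with (assumed names).
ASSOCIATION = {"dxgw-attach": "main", "spoke-attach": "main", "vpc-d-attach": "vpc-d"}


def ingress_attachment(ip) -> str:
    ip = ipaddress.ip_address(ip)
    if ip in ipaddress.ip_network(VPC_D_CIDR):
        return "vpc-d-attach"
    if ip in ipaddress.ip_network(SPOKE_CIDR):
        return "spoke-attach"
    if any(ip in ipaddress.ip_network(p) for p in ON_PREM_PREFIXES):
        return "dxgw-attach"
    raise ValueError(f"no attachment owns {ip}")


def next_hop(tables, src, dst) -> Optional[str]:
    """Evaluate one packet against the table of the attachment it enters on."""
    return lookup(tables[ASSOCIATION[ingress_attachment(src)]], dst)


def session_ok(tables, a, b) -> bool:
    """A TCP-style session needs both directions to be forwarded."""
    return next_hop(tables, a, b) is not None and next_hop(tables, b, a) is not None


if __name__ == "__main__":
    t = build_tables()
    print("VPC-D <-> 10.6.0.0/20  :", session_ok(t, "10.50.1.1", "10.6.0.9"))
    print("spoke <-> 10.6.0.0/20  :", session_ok(t, "10.20.1.1", "10.6.0.9"))
    print("spoke <-> 10.10.0.0/20 :", session_ok(t, "10.20.1.1", "10.10.0.9"))
    print("VPC-D <-> 10.10.0.0/20 :", session_ok(t, "10.50.1.1", "10.10.0.9"))
    # Caveat: a packet FROM 10.6.0.9 TO a spoke is still forwarded; only the reply is dropped.
    print("10.6.0.9 -> spoke forwarded to:", next_hop(t, "10.6.0.9", "10.20.1.1"))
```

Before relying on the blackhole, also check that on-prem does not advertise a more specific prefix inside 10.6.0.0/20: a propagated /24 would win the longest-prefix step against the static /20 blackhole.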
For option 2, note that you cannot configure a Private VIF and a Transit VIF on the same DXGW, which means you need a separate DXGW for the Private VIF. As for ASNs, use unique ASNs for the TGW, DXGWs and CGW across the board.
Thank you.