Use AWS Transit Gateway & Direct Connect to Centralize and Streamline Your Network Connectivity
Update (May 2020) – This post was originally published in April 2019 and accidentally unpublished earlier this year. We have re-reviewed it and republished it.
Last year I showed you how to Use an AWS Transit Gateway to Simplify Your Network Architecture. As I said at the time:
You can connect your existing VPCs, data centers, remote offices, and remote gateways to a managed Transit Gateway, with full control over network routing and security, even if your VPCs, Active Directories, shared services, and other resources span multiple AWS accounts. You can simplify your overall network architecture, reduce operational overhead, and gain the ability to centrally manage crucial aspects of your external connectivity, including security. Last but not least, you can use Transit Gateways to consolidate your existing edge connectivity and route it through a single ingress/egress point.
In that post I also promised you support for AWS Direct Connect, and I’m happy to announce that this support is available today for use in the US East (N. Virginia), US East (Ohio), US West (N. California), and US West (Oregon) Regions. The applications that you run in the AWS Cloud can now communicate with each other, and with your on-premises applications, at speeds of up to 10 Gbps per Direct Connect connection. You can set it up in minutes (assuming that you already have a dedicated or hosted connection running at 1 Gbps or more) and start using it right away.
Putting it all together, you get a lot of important benefits from today’s launch:
Simplification – You can simplify your network architecture and your network management overhead by creating a hub-and-spoke model that spans multiple VPCs, regions, and AWS accounts. If you go this route, you may also be in a position to cut down on the number of AWS VPN connections that you use.
Consolidation – You have the opportunity to reduce the number of dedicated or hosted connections, saving money and avoiding complexity in the process. You can consolidate your connectivity so that it all flows across the same BGP session.
Connectivity – You can reach your Transit Gateway using your connections from any of the 90+ AWS Direct Connect locations (except from AWS Direct Connect locations in China).
Using Transit Gateway & Direct Connect
I will use the freshly updated Direct Connect Console to set up my Transit Gateway for use with Direct Connect. The menu on the left lets me view and create the resources that I will need:
My AWS account already has access to a 1 Gbps connection (MyConnection) to TierPoint in Seattle:
I create a Direct Connect Gateway (MyDCGateway):
I create a Virtual Interface (VIF) with type Transit:
I reference my Direct Connect connection (MyConnection) and my Direct Connect Gateway (MyDCGateway) and click Create virtual interface:
When the state of my new VIF switches from pending to down, I am ready to proceed (the VIF stays down until the BGP session with the Transit Gateway comes up):
Now I am ready to create my transit gateway (MyTransitGW). This is a VPC component; clicking on Transit gateways takes me to the VPC console. I enter a name, description, and ASN (which must be distinct from the one that I used for the Direct Connect Gateway), leave the other values as-is, and click Create Transit Gateway:
The state starts out as pending, and transitions to available:
With all of the resources in place, I am ready to connect them! I return to the Direct Connect Console, find my Transit Gateway, and click Associate Direct Connect gateway:
I associate the Transit Gateway with a Direct Connect Gateway in my account (using another account requires the ID of the gateway and the corresponding AWS account number), and list the network prefixes that I want to advertise to the other side of the Direct Connect connection. Then I click Associate Direct Connect gateway to make it so:
The state starts out as associating and transitions to associated. This can take some time, so I will take Luna for a walk:
By the time we return, the Direct Connect Gateway is associated with the Transit Gateway, and we are good to go!
In a real-world situation you would spend more time planning your network topology and addressing, and you would probably use multiple AWS accounts.
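A pre-flight check for the association step, written as an added example (it is not code from the post or from AWS): given the two gateway ASNs, the prefixes you plan to advertise and the CIDRs of the VPCs attached to the Transit Gateway, it flags the planning mistakes the console will not necessarily catch for you: an ASN clash, an ASN outside the private ranges, a malformed prefix, a default route in the allowed-prefix list, a prefix that matches no attached VPC, and a VPC that no prefix covers. It assumes both ASNs are meant to come from the RFC 6996 private ranges and that the addressing is IPv4 only.

```python
import ipaddress

# RFC 6996 private ASN ranges; this example assumes both gateway ASNs are drawn from them.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    """True if asn falls in a 16-bit or 32-bit private range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def validate_association(dx_gateway_asn, transit_gateway_asn, allowed_prefixes, vpc_cidrs):
    """Check an association plan before clicking 'Associate Direct Connect gateway'.

    allowed_prefixes: CIDRs to advertise toward the on-premises side.
    vpc_cidrs: CIDRs of the VPCs attached to the Transit Gateway (constructed inputs).
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    # The Transit Gateway ASN must differ from the Direct Connect Gateway ASN.
    if dx_gateway_asn == transit_gateway_asn:
        problems.append("transit gateway ASN must differ from the Direct Connect gateway ASN")
    for name, asn in (("Direct Connect gateway", dx_gateway_asn), ("transit gateway", transit_gateway_asn)):
        if not is_private_asn(asn):
            problems.append(f"{name} ASN {asn} is not in a private ASN range")
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    advertised = []
    for prefix in allowed_prefixes:
        try:
            net = ipaddress.ip_network(prefix)  # strict: rejects host bits set
        except ValueError:
            problems.append(f"{prefix!r} is not a valid CIDR prefix")
            continue
        advertised.append(net)
        if net.prefixlen == 0:
            problems.append(f"{prefix} is a default route; it would attract all on-premises traffic")
        elif not any(net.overlaps(v) for v in vpcs):
            problems.append(f"{prefix} does not overlap any attached VPC CIDR")
    # Every attached VPC must be covered, or on-premises hosts cannot reach it.
    for v in vpcs:
        if not any(a.version == v.version and v.subnet_of(a) for a in advertised):
            problems.append(f"VPC {v} is not covered by any advertised prefix")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one VPC, a default route slipped into the allowed prefixes.
    for issue in validate_association(65000, 65001, ["0.0.0.0/0", "10.0.0.0/16"], ["10.0.0.0/16"]):
        print("problem:", issue)
```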
You can use this new feature today to interface with your Transit Gateways hosted in four AWS regions.