How do I migrate my VPN from a virtual private gateway to a transit gateway?
Last updated: 2021-03-23
I want to provide secure connectivity between my Amazon Virtual Private Cloud (Amazon VPC) and my virtual private network (VPN) using a transit gateway. How do I migrate my VPN from a virtual private gateway to a transit gateway?
To migrate a VPN from a virtual private gateway to a transit gateway:
1. Create a transit gateway
2. Attach your VPCs to the transit gateway
3. Attach your VPN to the transit gateway
4. Fail over the traffic from the virtual gateway to the transit gateway
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
You can terminate a VPN on a transit gateway and then fail over the traffic from the virtual gateway to it. Any VPC attached to the transit gateway is then reachable over that single VPN connection, and all VPCs attached to the transit gateway can communicate with each other if the routing and security groups permit it.
A single VPN connection to AWS Transit Gateway still has a maximum throughput of 1.25 Gbps. If you require more bandwidth, terminate multiple VPN connections on the transit gateway and distribute your on-premises subnets across them.
Before you begin, be aware of the following:
- You can use the TGW Migrator Tool to automate steps 1 and 2, below.
- To migrate from your existing virtual gateway to a transit gateway without making any changes, you can use a ModifyVpnConnection API call. However, this call might cause downtime, so consider making changes during your scheduled maintenance window.
Step 1: Create a transit gateway
Follow the steps to create a transit gateway.
When configuring the transit gateway, be sure to select Auto accept shared attachments to enable automatic acceptance of cross-account attachments.
You can also create a transit gateway using the AWS CLI:
aws ec2 create-transit-gateway
Step 2: Attach your VPCs to the transit gateway
Follow the steps to Attach your VPCs to the transit gateway.
You must specify one subnet from each Availability Zone to be used by the transit gateway for routing traffic. Specifying one subnet from each Availability Zone enables traffic to reach resources in every subnet in that Availability Zone.
To attach a VPC to the transit gateway using the AWS CLI:
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id tgw-14324bbc412a43243 --vpc-id vpc-2321314314 --subnet-ids "subnet-12312312" "subnet-41343432"
Step 3: Attach your VPN to the transit gateway
Follow the steps to Attach your VPN to the transit gateway.
When creating a transit gateway attachment:
- For Customer Gateway, choose Existing, and then select your customer gateway ID.
- For Tunnel Options, you can optionally specify custom tunnel inside CIDR and pre-shared keys for your VPN tunnels. Otherwise, tunnel options are randomly generated.
To create a VPN attachment using the AWS CLI, use the create-vpn-connection command.
After you create the VPN attachment, download the configuration file and apply the configuration to your customer gateway. You can bring up Internet Protocol Security (IPsec) and Border Gateway Protocol (BGP) sessions, but be sure to keep routing traffic through the VPN to the virtual gateway.
The AWS Transit Gateway route domain contains routes for the attached VPCs and VPN. To view the route table:
1. Open the Amazon VPC console.
2. In the navigation pane, choose Transit Gateway Route Tables.
3. Select the route table.
In the AWS CLI, run the following command:
aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id tgw-rtb-xxxxxxxxxxxxxxxxxx --filters Name=route-search.subnet-of-match,Values="0.0.0.0/0"
Step 4: Failover traffic from the virtual gateway to the transit gateway
1. Open the Amazon VPC console.
2. In the navigation pane, choose Route Tables.
3. Select the VPC route table from the list.
4. Choose Routes, and then choose Edit routes.
5. Add a less specific route for your on-premises network that points to the transit gateway. For example, if the current route to your on-premises network over the virtual private gateway is 10.10.0.0/24, use the 10.10.0.0/16 CIDR block. Because the more specific route wins, the route to the virtual private gateway keeps priority until you're ready to redirect traffic to the transit gateway.
6. To shift traffic to the transit gateway, configure the customer gateway connected to your virtual gateway to stop advertising the on-premises CIDR over the VPN tunnels, or disable the BGP session.
7. Disable route propagation for the VPC route table.
8. Repeat steps 3-7 for each VPC route table that contains virtual gateway entries.
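As an added pre-cutover check for Step 4 (example code written for this page, not part of the original article or any AWS tool), the following Python models a VPC route table in the shape returned by aws ec2 describe-route-tables and applies the route priority rules the failover relies on: longest prefix wins, and on an equal CIDR a static route beats a propagated one. It confirms that the less specific route to the transit gateway stays shadowed until propagation is disabled, and flags a route that would take over early. The route entries and gateway IDs are constructed sample values.

```python
import ipaddress

PROPAGATED = "EnableVgwRoutePropagation"  # Origin value reported by describe-route-tables

def resolve(routes, destination):
    """Route the VPC router would pick for one destination address:
    longest prefix wins; on an equal CIDR a static route beats a propagated one."""
    dst = ipaddress.ip_address(destination)
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dst not in net:
            continue
        key = (net.prefixlen, 0 if r.get("Origin") == PROPAGATED else 1)
        if best_key is None or key > best_key:
            best, best_key = r, key
    if best is None:
        return (None, None)
    return (best["DestinationCidrBlock"], best.get("TransitGatewayId") or best.get("GatewayId"))

def cutover_hazards(routes):
    """Precondition for step 5: every route to the transit gateway must be strictly
    less specific than each overlapping propagated virtual gateway route, or traffic
    shifts before the on-premises advertisement is withdrawn in step 6."""
    propagated = [ipaddress.ip_network(r["DestinationCidrBlock"])
                  for r in routes if r.get("Origin") == PROPAGATED]
    hazards = []
    for r in routes:
        if "TransitGatewayId" not in r:
            continue
        tgw_net = ipaddress.ip_network(r["DestinationCidrBlock"])
        hazards += [(str(v), str(tgw_net)) for v in propagated
                    if v.overlaps(tgw_net) and v.prefixlen <= tgw_net.prefixlen]
    return hazards

def without_propagated(routes):
    """The route table as it looks after step 7 (route propagation disabled)."""
    return [r for r in routes if r.get("Origin") != PROPAGATED]

# Constructed sample route table in describe-route-tables shape; IDs are placeholders.
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable"},
    {"DestinationCidrBlock": "10.10.0.0/24", "GatewayId": "vgw-0exampleaaaaaaaaa", "Origin": PROPAGATED},
    {"DestinationCidrBlock": "10.10.0.0/16", "TransitGatewayId": "tgw-0examplebbbbbbbbb", "Origin": "CreateRoute"},
]
```

Run cutover_hazards against each route table from step 8 before editing; an empty list means the virtual gateway keeps priority until you withdraw the BGP advertisement.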