How can I enable communication between multiple VPCs from a single VPN connection attached to my transit gateway without allowing access between the VPCs?

Last updated: 2020-04-15

I have two virtual private clouds (VPCs): one for production and one for development. On-premises users need access to both VPCs with a single VPN connection. I must establish network connectivity between the VPCs and the on-premises network through a VPN connection. Additionally, I need to block access between the VPCs. How can I enable communication between multiple VPCs and a VPN connection attached to my transit gateway without allowing access between the VPCs?

Short Description

Complete the steps below to establish network connectivity between resources in multiple VPCs so that:

  • On-premises users can access resources from all VPCs across the VPN
  • VPC resources cannot access resources in the other VPCs

Resolution

Create a transit gateway, and then attach your VPCs and a site-to-site VPN

  1. Create a transit gateway.
  2. Attach your VPCs to your transit gateway.
  3. Create a site-to-site VPN connection and attach it to your transit gateway.

Notes:

  • Disable the Default association route table setting when creating your transit gateway.
  • To automatically propagate VPN routes to the transit gateway route table, choose Dynamic (requires Border Gateway Protocol) for Routing options.

Create a transit gateway route table and associate your VPCs to it

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation pane, choose Transit Gateways.
  3. Verify that the Default association route table setting for your transit gateway is set to Disable.
    Note: If the setting is set to Enable, your VPCs are already associated with the default route table; skip to step 8.
  4. Choose Transit Gateway Route Tables.
  5. Choose Create Transit Gateway Route Table, and then complete the following:
    For Name tag, enter Route Table A.
    For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
    Choose Create Transit Gateway Route Table.
  6. Choose Route Table A (or the default route table of your transit gateway). Then, choose Associations, and then choose Create Association.
  7. For Choose attachment to associate, choose the attachment IDs for your VPCs. Then, choose Create Association. Repeat this step until all of your VPCs display under Associations.
  8. Delete the VPN association from the default transit gateway route table.

Create a second transit gateway route table and associate your VPN connection association to it

  1. Choose Transit Gateway Route Tables.
  2. Choose Create Transit Gateway Route Table, and then complete the following:
    For Name tag, enter Route Table B.
    For Transit Gateway ID, choose the Transit Gateway ID for your transit gateway.
    Choose Create Transit Gateway Route Table.
  3. Choose Route Table B (or the default route table of your transit gateway). Then, choose Associations, and then choose Create Association.
  4. Associate the VPN connection that you just created with Route Table B.

Propagate routes from your VPCs and VPN on both route tables

  1. Choose Route Table A, and then choose Propagations.
  2. Choose Create Propagation. For Choose attachment to propagate, choose the VPN attachment. If you have propagation enabled for all of the attachments, verify that the VPN connection association is not enabled in this route table.
    Important: If you created a VPN connection with the Static Route option (rather than Dynamic Routing), you must create a static route for the on-premises network to the VPN on Route Table A instead of enabling route propagation from the VPN connection.
  3. Choose Route Table B, and then choose Propagations.
  4. Choose Create Propagation. For Choose attachment to propagate, choose the attachments for all of the VPCs.

Configure the route table associated with your VPC and attachment subnet

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Choose the route table that's associated with the attachment subnet.
  4. Choose the Routes tab, and then choose Edit Routes.
  5. Choose Add Route, and then complete the following:
    For Destination, enter the subnet (CIDR) of the on-premises network.
    For Target, choose your transit gateway.
    Choose Save routes.

Note: If your use case requires more restrictive access between your VPCs, you can create a separate route table for each VPC and configure the routes. Keep in mind:

  • Routing decisions in the transit gateway are based on the transit gateway route table that the source attachment is associated with.
  • You can configure a route to any transit gateway attachment in any transit gateway route table. The attachment doesn't need to be associated with that specific route table.
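To see why the association and propagation split above isolates the VPCs, here is an added Python model (not AWS code; the attachment IDs and CIDRs are constructed placeholders) that resolves each destination against the route table the source attachment is associated with and checks the resulting reachability. It models only the transit gateway route tables, not the VPC subnet route tables or security groups.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the article: a production VPC, a development VPC
# and one site-to-site VPN on the same transit gateway. IDs and CIDRs are placeholders.
ATTACHMENT_CIDRS = {
    "tgw-attach-prod": ["10.1.0.0/16"],    # VPC CIDR (constructed)
    "tgw-attach-dev": ["10.2.0.0/16"],     # VPC CIDR (constructed)
    "tgw-attach-vpn": ["192.168.0.0/16"],  # on-premises prefix learned over BGP (constructed)
}

# Route Table A: VPCs associated, only the VPN propagates in.
# Route Table B: VPN associated, only the VPCs propagate in.
ROUTE_TABLES = {
    "rtb-A": {"associations": ["tgw-attach-prod", "tgw-attach-dev"],
              "propagations": ["tgw-attach-vpn"]},
    "rtb-B": {"associations": ["tgw-attach-vpn"],
              "propagations": ["tgw-attach-prod", "tgw-attach-dev"]},
}

def associated_table(attachment, route_tables):
    """Table consulted for traffic entering the transit gateway from this attachment."""
    return next((n for n, t in route_tables.items() if attachment in t["associations"]), None)

def next_hop(src_attachment, dst_ip, route_tables):
    """Longest-prefix match over the propagated routes of the source's associated table.
    Returns the target attachment, or None when there is no route (traffic is dropped)."""
    name = associated_table(src_attachment, route_tables)
    if name is None:
        return None
    addr = ip_address(dst_ip)
    routes = [(ip_network(cidr), att) for att in route_tables[name]["propagations"]
              for cidr in ATTACHMENT_CIDRS[att]]
    matches = [(net, att) for net, att in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def can_reach(src, dst, route_tables):
    """Can src reach dst? Probes the first usable address of dst's prefix."""
    probe = str(ip_network(ATTACHMENT_CIDRS[dst][0])[1])
    return next_hop(src, probe, route_tables) == dst

def vpcs_isolated(route_tables, vpcs=("tgw-attach-prod", "tgw-attach-dev")):
    """True when no VPC attachment can reach another VPC attachment."""
    return not any(can_reach(a, b, route_tables) for a in vpcs for b in vpcs if a != b)
```

Adding the VPC attachments to Route Table A's propagations (the common mistake when propagation is enabled for all attachments) makes `vpcs_isolated` return False, because each VPC then learns the other's prefix from its own associated table.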
