How can I allow communication between multiple VPCs from a single VPN connection attached to my transit gateway, without allowing access between the VPCs?

Last updated: 2022-07-07

I have two virtual private clouds (VPCs). On-premises users need access to both VPCs with a single VPN connection. I want to establish network connectivity between the VPCs and the on-premises network through a single VPN connection. How can I do this?

Short description

If you have two VPCs, such as production and development environments, and a single VPN connection, follow these steps to establish network connectivity between resources in multiple VPCs so that:

  • On-premises users can access resources from all VPCs across the VPN
  • VPC resources can't access resources in the other VPCs

Resolution

Create a transit gateway, and then attach your VPCs and a site-to-site VPN

  1. In the Amazon Virtual Private Cloud (Amazon VPC) console, create a transit gateway.
    Note: Turn off the Default association route table setting when creating your transit gateway.
  2. Attach your VPCs to your transit gateway.
  3. Create a site-to-site VPN connection and attach it to your transit gateway.
    Note: To automatically propagate VPN routes to the transit gateway route table, choose Dynamic for Routing option. This option requires Border Gateway Protocol (BGP).

Create a transit gateway route table and associate it with your VPCs

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Transit gateways.
  3. Verify that the Default association route table setting for your transit gateway is set to Disable.
    Note: If Default association route table is set to Enable, skip to step 9.
  4. Choose Transit gateway route tables.
  5. Choose Create transit gateway route table.
    For Name tag, enter Route Table A.
    For Transit gateway ID, choose the ID for your transit gateway.
    Then, choose Create transit gateway route table.
  6. Choose the Route Table A that you created in the previous step, or the default route table of your transit gateway.
  7. Choose Associations, then choose Create association.
  8. For Choose attachment to associate, choose the association IDs for your VPCs. Then, choose Create association. Repeat this step until all of your VPCs display under Association.
  9. Delete the VPN association from the default transit gateway route table.

Create a second transit gateway route table and associate it with your VPN connection

  1. In the Amazon VPC console, choose Transit gateway route tables.
  2. Choose Create transit gateway route table.
    For Name tag, enter Route Table B.
    For Transit gateway ID, choose the ID for your transit gateway.
    Then, choose Create transit gateway route table.
  3. Choose the Route Table B that you created in the previous step.
  4. Choose Associations, then choose Create association.
  5. Associate the VPN connection that you created with Route Table B.

Propagate routes from your VPCs and VPN to both route tables

  1. In the Amazon VPC console, choose Transit gateway route tables.
  2. Select Route Table A.
  3. Choose Actions, and then choose Create propagation.
  4. For Choose attachment to propagate, choose the propagation for the VPN. If you have propagation enabled for all of the attachments, verify that the VPN connection association is not enabled in this route table.
    Important: If you created a static route VPN connection, rather than dynamic routing, you must create a static route for the on-premises network to the VPN on Route Table A. For policy-based static VPN connections, only one pair of security associations (SAs) is allowed. Consolidate the on-premises CIDR and the VPC CIDRs into a single SA. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
  5. Choose Create propagation.
  6. From the Transit gateway route tables, select Route Table B.
  7. Choose Actions, and then choose Create propagation.
  8. For Choose attachment to propagate, choose the propagation for all of the VPCs. Then, choose Create propagation.

Configure the route table associated with your VPC and attachment subnet

  1. In the Amazon VPC console, choose Route tables.
  2. Choose the route table that's attached to the attachment subnet.
  3. Choose the Routes tab, and then choose Edit routes.
  4. Choose the Add route tab.
    For Destination, enter the CIDR of the on-premises network.
    For Target, choose your transit gateway.
  5. Choose Save routes.

Note: If your use case requires more restrictive access between your VPCs, create a separate transit gateway route table for each VPC and configure the routes. Keep in mind:

  • Routing is determined by which transit gateway route table the source attachment is associated with: traffic entering the transit gateway from an attachment is looked up in that table only.
  • You can configure routes to any transit gateway attachment as a destination in any transit gateway route table. The attachment doesn't need to be associated with that specific route table.
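The following is an added example, not code from AWS or from this article. It is a small Python model of the forwarding decision that the two-route-table design above relies on: each attachment is associated with exactly one transit gateway route table, traffic entering from that attachment is looked up in that table only, and routes reach a table either by propagation from an attachment or as static entries (the static case covers the non-BGP VPN noted in the Important box). The attachment IDs, route table names and CIDRs are constructed sample values, and the VPC subnet route tables from the last section are not modelled. Besides the isolated design, it builds the misconfiguration that step 4 of the propagation section warns about (VPC routes also landing in Route Table A) so you can see exactly why isolation breaks there.

```python
"""Toy model of transit gateway route-table isolation (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Attachment:
    attachment_id: str      # constructed sample id, not a real AWS id
    cidrs: List[str]        # prefixes reachable through this attachment


@dataclass
class RouteTable:
    name: str
    routes: List[Tuple[object, str]] = field(default_factory=list)

    def propagate(self, att: Attachment) -> None:
        """Propagated routes: learn every prefix the attachment advertises."""
        for cidr in att.cidrs:
            self.routes.append((ip_network(cidr), att.attachment_id))

    def add_static(self, cidr: str, attachment_id: str) -> None:
        """Static route, the alternative for a static (non-BGP) VPN."""
        self.routes.append((ip_network(cidr), attachment_id))

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match; None means the packet has no route."""
        addr = ip_address(dst_ip)
        matches = [(net, att) for net, att in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class TransitGateway:
    def __init__(self) -> None:
        self.tables: Dict[str, RouteTable] = {}
        self.association: Dict[str, str] = {}   # attachment id -> table name

    def add_table(self, table: RouteTable) -> None:
        self.tables[table.name] = table

    def associate(self, att: Attachment, table_name: str) -> None:
        """An attachment is associated with exactly one route table."""
        self.association[att.attachment_id] = table_name

    def route(self, src_attachment_id: str, dst_ip: str) -> Optional[str]:
        """Forwarding decision for traffic entering from src_attachment_id."""
        table = self.tables[self.association[src_attachment_id]]
        return table.lookup(dst_ip)


# Constructed sample topology: two VPCs and one VPN, all with made-up CIDRs.
PROD = Attachment("tgw-attach-vpc-prod", ["10.1.0.0/16"])
DEV = Attachment("tgw-attach-vpc-dev", ["10.2.0.0/16"])
VPN = Attachment("tgw-attach-vpn-onprem", ["192.168.0.0/16"])


def build_isolated_gateway(static_vpn: bool = False) -> TransitGateway:
    """The article's design: VPCs on Route Table A, VPN on Route Table B."""
    tgw = TransitGateway()
    table_a, table_b = RouteTable("Route Table A"), RouteTable("Route Table B")
    tgw.add_table(table_a)
    tgw.add_table(table_b)
    tgw.associate(PROD, table_a.name)
    tgw.associate(DEV, table_a.name)
    tgw.associate(VPN, table_b.name)
    # Route Table A learns only the on-premises prefix (propagated or static).
    if static_vpn:
        table_a.add_static("192.168.0.0/16", VPN.attachment_id)
    else:
        table_a.propagate(VPN)
    # Route Table B learns every VPC prefix.
    table_b.propagate(PROD)
    table_b.propagate(DEV)
    return tgw


def build_leaky_gateway() -> TransitGateway:
    """The step-4 mistake: VPC routes are also propagated into Route Table A."""
    tgw = build_isolated_gateway()
    tgw.tables["Route Table A"].propagate(PROD)
    tgw.tables["Route Table A"].propagate(DEV)
    return tgw


def reachability(tgw: TransitGateway) -> Dict[Tuple[str, str], Optional[str]]:
    """Next-hop attachment for each (source attachment, probe host) pair."""
    probes = {"prod-host": "10.1.0.10", "dev-host": "10.2.0.10",
              "onprem-host": "192.168.1.5"}
    return {(src.attachment_id, name): tgw.route(src.attachment_id, ip)
            for src in (PROD, DEV, VPN) for name, ip in probes.items()}


if __name__ == "__main__":
    for label, gw in (("isolated", build_isolated_gateway()),
                      ("leaky", build_leaky_gateway())):
        print(f"== {label} ==")
        for (src, dst), hop in reachability(gw).items():
            print(f"{src:>22} -> {dst:<12} {hop or 'NO ROUTE'}")
```

In the isolated gateway, a VPC host probing the other VPC gets no route because Route Table A only ever contains the on-premises prefix, while the VPN side reaches both VPCs through Route Table B. In the leaky variant the same probe resolves to the other VPC's attachment, which is the condition the check in step 4 is meant to catch before the tables go live.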
