How do I migrate my VPN from a virtual private gateway to a transit gateway?
Last updated: 2019-05-23
I want to provide secure connectivity between my Amazon Virtual Private Cloud (Amazon VPC) and VPN using a transit gateway. How do I migrate my VPN from a virtual private gateway to a transit gateway?
To migrate a VPN from a virtual private gateway to a transit gateway:
4. Failover the traffic from the virtual gateway to the transit gateway
You can terminate a VPN to a transit gateway. Then, you can failover the traffic from the virtual gateway to the transit gateway. Any VPC attached to the transit gateway is accessible using the single VPN connection. All VPCs attached to the transit gateway can communicate with each other if permitted through the routing and security groups.
Note: A single VPN connection to AWS Transit Gateway must still have a throughput of up to 1.25 Gbps. If you require faster bandwidth, you must terminate multiple VPN connections to the transit gateway, and then distribute your on-premises subnets across them.
Before you begin, be aware of the following:
- You can use the TGW Migrator Tool to automate steps 1 and 2, below.
- To migrate from your existing virtual gateway to a transit gateway without making any changes, you can use a ModifyVpnConnection API call. Because this might cause downtime, consider making changes during your scheduled maintenance window.
Step 1: Create a transit gateway
When configuring the transit gateway, be sure to select Auto accept shared attachments to enable automatic acceptance of cross-account attachments.
You can also create a transit gateway using the AWS Command Line Interface (CLI):
aws ec2 create-transit-gateway
You must specify one subnet from each Availability Zone to be used by the transit gateway for routing traffic. Specifying one subnet from each Availability Zone enables traffic to reach resources in every subnet in that Availability Zone.
To attach a VPC to the transit gateway using the CLI:
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id tgw-14324bbc412a43243 --vpc-id vpc-2321314314 --subnet-ids subnet-12312312,subnet-41343432
When creating a transit gateway attachment:
- For Customer Gateway, choose Existing, and then select your customer gateway ID from the dropdown.
- For Tunnel Options, you can optionally specify custom tunnel inside CIDR and pre-shared keys for your VPN tunnels. Otherwise, tunnel options are randomly generated.
To create a VPN attachment using the AWS CLI, use the create-vpn-connection command.
After you create the VPN attachment, download the configuration file and apply the configuration to your customer gateway. You can bring up Internet Protocol Security (IPsec) and Border Gateway Protocol (BGP) sessions, but make sure to keep routing traffic via the VPN to the virtual gateway.
The AWS Transit Gateway route domain contains routes for the attached VPCs and VPN. To view the route table:
- In the console, choose Transit Gateway Route Tables in the navigation pane and select the route table.
- In the AWS CLI, run the following command:
aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id tgw-rtb-xxxxxxxxxxxxxxxxxx --filters Name=route-search.subnet-of-match,Values="0.0.0.0/0"
Step 4: Failover traffic from the virtual gateway to the transit gateway
1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
2. In the navigation pane, choose Route Tables.
3. For each VPC route table that contains virtual gateway entries:
- Select the VPC route table from the list.
- Choose the Routes tab and choose Edit routes.
- Add a less specific route for your on-premises network to point to the transit gateway. For example, if the current route to access your on-premises network over the virtual private gateway is 10.10.0.0/24, use the 10.10.0.0/16 CIDR block. This configuration makes sure that the route to the virtual private gateway takes priority until you're ready to redirect traffic to the transit gateway.
- To shift traffic to the transit gateway, configure the customer gateway connected to your virtual gateway to stop advertising the on-premises CIDR over VPN tunnels. Alternately, you can disable your BGP session.
- Disable route propagation for the VPC route.