Carrier gateway for AWS Wavelength
A carrier gateway serves two purposes. It allows inbound traffic from a carrier network in a specific location, and it allows outbound traffic to the carrier network and the internet. There is no inbound connection configuration from the internet to a Wavelength Zone through the carrier gateway.
A carrier gateway supports IPv4 traffic.
Carrier gateways are only available for VPCs that contain subnets in a Wavelength Zone. The carrier gateway provides connectivity between your Wavelength Zone and the carrier, and devices on the carrier network. The carrier gateway performs NAT of the Wavelength instances' IP addresses to the Carrier IP addresses from a pool that is assigned to the network border group. The carrier gateway NAT function is similar to how an internet gateway functions in a Region.
Enable access to the carrier network
To enable access to or from the carrier network for instances in a Wavelength subnet, you must do the following:
- Create a VPC.
- Create a carrier gateway and attach the carrier gateway to your VPC. When you create the carrier gateway, you can optionally choose which subnets route to the carrier gateway. When you select this option, we automatically create the resources related to carrier gateways, such as route tables and network ACLs. If you do not choose this option, then you must perform the following tasks:
  - Select the subnets that route traffic to the carrier gateway.
  - Ensure that your subnet route tables have a route that directs traffic to the carrier gateway.
  - Ensure that instances in your subnet have a globally unique Carrier IP address.
  - Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.
Work with carrier gateways
The following sections describe how to manually create a carrier gateway for your VPC to support inbound traffic from the carrier network (for example, mobile phones), and to support outbound traffic to the carrier network and the internet.
Tasks
- Create a VPC
- Create a carrier gateway
- Create a security group to access the carrier network
- Allocate and associate a Carrier IP address with the instance in the Wavelength Zone subnet
- Routing to a Wavelength Zone carrier gateway
- View the carrier gateway details
- Manage carrier gateway tags
- Delete a carrier gateway
Create a VPC
You can create an empty Wavelength VPC as follows.
Limitation
You can specify a range of publicly routable IPv4 addresses. However, we do not support direct access to the internet from publicly routable CIDR blocks in a VPC. Windows instances cannot boot correctly if launched into a VPC with ranges from 224.0.0.0 to 255.255.255.255 (Class D and Class E IP address ranges).
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Your VPCs, Create VPC.
- Do the following and then choose Create.
  - Name tag: Optionally provide a name for your VPC. Doing so creates a tag with a key of Name and the value that you specify.
  - IPv4 CIDR block: Specify an IPv4 CIDR block for the VPC. We recommend that you specify a CIDR block from the private (non-publicly routable) IP address ranges as specified in RFC 1918; for example, 10.0.0.0/16, or 192.168.0.0/16.
To create a VPC using the AWS CLI
Use the create-vpc command.
Create a carrier gateway
After you create a VPC, create a carrier gateway and then select the subnets that route traffic to the carrier gateway.
If you have not opted in to a Wavelength Zone, the Amazon Virtual Private Cloud Console prompts you to opt in. For more information, see Manage Zones.
When you choose to automatically route traffic from subnets to the carrier gateway, we create the following resources:
- A carrier gateway
- A subnet. You can optionally assign all carrier gateway tags that do not have a Key value of Name to the subnet.
- A network ACL with the following resources:
  - A subnet associated with the subnet in the Wavelength Zone
  - Default inbound and outbound rules for all of your traffic.
- A route table with the following resources:
  - A route for all local traffic
  - A route that routes all non-local traffic to the carrier gateway
  - An association with the subnet
To create a carrier gateway
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Carrier Gateways, and then choose Create carrier gateway.
- Optional: For Name, enter a name for the carrier gateway.
- For VPC, choose the VPC.
- Choose Route subnet traffic to carrier gateway, and under Subnets to route do the following.
  - Under Existing subnets in Wavelength Zone, select the box for each subnet to route to the carrier gateway.
  - To create a subnet in the Wavelength Zone, choose Add new subnet, specify the following information, and then choose Add new subnet:
    - Name tag: Optionally provide a name for your subnet. Doing so creates a tag with a key of Name and the value that you specify.
    - VPC: Choose the VPC.
    - Availability Zone: Choose the Wavelength Zone.
    - IPv4 CIDR block: Specify an IPv4 CIDR block for your subnet, for example, 10.0.1.0/24.
    - To apply the carrier gateway tags to the subnet, select Apply same tags from this carrier gateway.
- (Optional) To add a tag to the carrier gateway, choose Add tag, and then do the following:
  - For Key, enter the key name.
  - For Value, enter the key value.
- Choose Create carrier gateway.
To create a carrier gateway using the AWS CLI
- Use the create-carrier-gateway command.
- Add a VPC route table with the following resources:
  - A route for all VPC local traffic
  - A route that routes all non-local traffic to the carrier gateway
  - An association with the subnets in the Wavelength Zone
  For more information, see Routing to a Wavelength Zone carrier gateway.
Create a security group to access the carrier network
By default, a VPC security group allows all outbound traffic. You can create a new security group and add rules that allow inbound traffic from the carrier. Then, you associate the security group with instances in the subnet.
To create a new security group and associate it with your instances
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups, and then choose Create Security Group.
- To create a security group, choose Create security group, specify the following information, and then choose Create:
  - Security group name: Enter a name for the security group.
  - Description: Enter the security group description.
  - VPC: Choose the VPC.
- Select the security group. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.
- On the Inbound Rules tab, choose Edit. Choose Add Rule, and complete the required information. For example, select HTTP or HTTPS from the Type list, and enter the Source as 0.0.0.0/0 for IPv4 traffic, or ::/0 for IPv6 traffic. Choose Save.
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Instances.
- Select the instance, choose Actions, Networking, and then select Change Security Groups.
- Clear the check box for the currently selected security group, and then select the new one. Choose Assign Security Groups.
To create a security group using the AWS CLI
Use the create-security-group command.
Allocate and associate a Carrier IP address with the instance in the Wavelength Zone subnet
If you used the Amazon EC2 console to launch the instance, or you did not use the associate-carrier-ip-address option in the AWS CLI, then you must allocate a Carrier IP address and assign it to the instance:
To allocate and associate a Carrier IP address using the AWS CLI
- Use the allocate-address command as follows.
      aws ec2 allocate-address --region us-east-1 --domain vpc --network-border-group us-east-1-wl1-bos-wlz-1
  The following is example output:
      {
          "AllocationId": "eipalloc-05807b62acEXAMPLE",
          "PublicIpv4Pool": "amazon",
          "NetworkBorderGroup": "us-east-1-wl1-bos-wlz-1",
          "Domain": "vpc",
          "CarrierIp": "155.146.10.111"
      }
- Use the associate-address command to associate the Carrier IP address with the EC2 instance as follows.
      aws ec2 associate-address --allocation-id eipalloc-05807b62acEXAMPLE --network-interface-id eni-1a2b3c4d
  The following is example output:
      {
          "AssociationId": "eipassoc-02463d08ceEXAMPLE"
      }
Routing to a Wavelength Zone carrier gateway
Subnets that are in Wavelength Zones can have an additional target type of a carrier gateway. Consider the case where you want the carrier gateway to route all non-VPC traffic to the carrier network. To do this, create and attach a carrier gateway to your VPC, and then add the following routes:
Destination | Target |
---|---|
0.0.0.0/0 | cagw-id |
::/0 | cagw-id |
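The manual CLI path described under "To create a carrier gateway using the AWS CLI" and in the route table above can be scripted as follows. This is an added example, not AWS-provided code: the function name is an assumption, the VPC and subnet IDs are yours to supply, and only the IPv4 default route is created.

```sh
# Added example: the function name and the IDs you pass in are assumptions.
# Creates a carrier gateway and routes one Wavelength subnet through it.
route_subnet_to_carrier_gateway() {
    vpc_id=$1
    subnet_id=$2

    # Create the carrier gateway and attach it to the VPC in one call.
    cagw_id=$(aws ec2 create-carrier-gateway --vpc-id "$vpc_id" \
        --query 'CarrierGateway.CarrierGatewayId' --output text) || return 1

    # A new route table already contains the route for VPC-local traffic.
    rtb_id=$(aws ec2 create-route-table --vpc-id "$vpc_id" \
        --query 'RouteTable.RouteTableId' --output text) || return 1

    # Send all non-local IPv4 traffic to the carrier gateway.
    aws ec2 create-route --route-table-id "$rtb_id" \
        --destination-cidr-block 0.0.0.0/0 \
        --carrier-gateway-id "$cagw_id" >/dev/null || return 1

    # Associate the route table with the subnet in the Wavelength Zone.
    aws ec2 associate-route-table --route-table-id "$rtb_id" \
        --subnet-id "$subnet_id" >/dev/null || return 1

    # Confirm the default route is usable before relying on it.
    state=$(aws ec2 describe-route-tables --route-table-ids "$rtb_id" \
        --query "RouteTables[0].Routes[?DestinationCidrBlock=='0.0.0.0/0'].State" \
        --output text) || return 1
    if [ "$state" != "active" ]; then
        echo "default route in $rtb_id is '$state', expected active" >&2
        return 1
    fi
    echo "$cagw_id $rtb_id"
}

# Usage (IDs are placeholders):
#   route_subnet_to_carrier_gateway vpc-EXAMPLE subnet-EXAMPLE
```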
View the carrier gateway details
You can view information about your carrier gateway, including the state and the tags.
To view the carrier gateway details
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Carrier Gateways.
- Select the carrier gateway and choose Actions, View details.
To view the carrier gateway details using the AWS CLI
Use the describe-carrier-gateways command.
Manage carrier gateway tags
Tags help you to identify your carrier gateways. You can add or remove tags.
To manage the carrier gateway tags
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Carrier Gateways.
- Select the carrier gateway and choose Actions, Manage tags.
- To add a tag, choose Add tag, and then do the following:
  - For Key, enter the key name.
  - For Value, enter the key value.
- To remove a tag, choose Remove to the right of the tag’s Key and Value.
- Choose Save.
To manage the carrier gateway tags using the AWS CLI
- To add tags, use the create-tags command.
- To delete tags, use the delete-tags command.
Delete a carrier gateway
If you no longer need a carrier gateway, you can delete it.
Important
If you do not delete the route that has the carrier gateway as the Target, the route is a blackhole route.
To delete a carrier gateway
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Carrier Gateways.
- Select the carrier gateway and choose Actions, Delete carrier gateway.
- In the Delete carrier gateway dialog box, enter Delete, and then choose Delete.
To delete a carrier gateway using the AWS CLI
Use the delete-carrier-gateway command.
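To avoid leaving the blackhole route described under Important, check for routes that still target the gateway before deleting it. This is an added example, not AWS-provided code: the function names are assumptions, and the carrier gateway ID is yours to supply.

```sh
# Added example: function names are assumptions, not AWS tooling.
# List route tables that still have a route whose target is the gateway.
route_tables_using_carrier_gateway() {
    aws ec2 describe-route-tables \
        --query "RouteTables[?Routes[?CarrierGatewayId=='$1']].RouteTableId" \
        --output text
}

# List route tables that already contain a blackhole route.
route_tables_with_blackhole() {
    aws ec2 describe-route-tables \
        --filters Name=route.state,Values=blackhole \
        --query 'RouteTables[].RouteTableId' --output text
}

# Delete the gateway only when no route would be left pointing at it.
delete_carrier_gateway_checked() {
    cagw_id=$1
    tables=$(route_tables_using_carrier_gateway "$cagw_id") || return 2
    if [ -n "$tables" ]; then
        echo "not deleting $cagw_id; delete its routes first in: $tables" >&2
        return 1
    fi
    aws ec2 delete-carrier-gateway --carrier-gateway-id "$cagw_id"
}

# Usage (ID is a placeholder):
#   delete_carrier_gateway_checked cagw-EXAMPLE
```

Run route_tables_with_blackhole afterwards to find routes that were already orphaned by an earlier deletion.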
Manage Zones
Before you specify a Wavelength Zone for a resource or service, you must opt in to the AWS Zone.