Extend VRFs to AWS by using AWS Transit Gateway Connect - AWS Prescriptive Guidance

Created by Adam Till (AWS), Yashar Araghi (AWS), Vikas Dewangan (AWS), and Mohideen HajaMohideen (AWS)

Environment: PoC or pilot

Technologies: Infrastructure; Networking

AWS services: AWS Direct Connect; AWS Transit Gateway

Summary

Virtual routing and forwarding (VRF) is a feature of traditional networks. It uses isolated logical routing domains, in the form of route tables, to separate network traffic within the same physical infrastructure. You can configure AWS Transit Gateway to support VRF isolation when you connect your on-premises network to AWS. This pattern uses a sample architecture to connect on-premises VRFs to different transit gateway route tables.

This pattern uses transit virtual interfaces (VIFs) in AWS Direct Connect and transit gateway Connect attachments to extend the VRFs. A transit VIF is used to access one or more Amazon VPC transit gateways that are associated with Direct Connect gateways. A transit gateway Connect attachment connects a transit gateway to an external router or virtual appliance over an existing transport attachment: either a VPC attachment (for example, for a third-party appliance running in a VPC) or, as in this pattern, the Direct Connect gateway attachment. A transit gateway Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance, and it supports Border Gateway Protocol (BGP) for dynamic routing.

The approach described in this pattern has the following benefits:

  • From the on-premises router's perspective, Transit Gateway Connect lets you advertise up to 1,000 routes to the transit gateway over a Connect peer and receive up to 5,000 routes from it. Using the Direct Connect transit VIF without Transit Gateway Connect is limited to 20 allowed prefixes per transit gateway on the Direct Connect gateway association.

  • You can maintain the traffic isolation and use Transit Gateway Connect to provide hosted services on AWS, regardless of the IP address schemas your customers are using.

  • The VRF traffic doesn’t need to traverse a public virtual interface. This makes it easier to adhere to compliance and security requirements in many organizations.

  • Each GRE tunnel (Connect peer) supports up to 5 Gbps, and you can have up to four Connect peers per transit gateway Connect attachment, for up to 20 Gbps per attachment. This is faster than many other connection types, such as AWS Site-to-Site VPN connections, which support up to 1.25 Gbps per tunnel.

Prerequisites and limitations

Prerequisites

Limitations

Architecture

Target architecture

The following sample architecture provides a reusable solution to deploy transit VIFs with transit gateway Connect attachments. This architecture provides resilience by using multiple Direct Connect locations. For more information, see Maximum resiliency in the Direct Connect documentation. The on-premises network has production, QA, and development VRFs that are extended to AWS and isolated by using dedicated route tables.

Architecture diagram of using AWS Direct Connect and AWS Transit Gateway resources to extend VRFs

In the AWS environment, two accounts are dedicated to extending the VRFs: a Direct Connect account and a network hub account. The Direct Connect account contains the connection and the transit VIFs for each router. You create the transit VIFs from the Direct Connect account but specify the network hub account as the virtual interface owner, so that the network hub account can accept them and associate them with its Direct Connect gateway. The network hub account contains the Direct Connect gateway and transit gateway. The AWS resources are connected as follows:

  1. Transit VIFs connect the routers in the Direct Connect locations with AWS Direct Connect in the Direct Connect account.

  2. A transit VIF connects Direct Connect with the Direct Connect gateway in the network hub account.

  3. A transit gateway association connects the Direct Connect gateway with the transit gateway in the network hub account.

  4. Transit gateway Connect attachments, which use the Direct Connect gateway attachment as their transport, carry the GRE tunnels between the transit gateway and the on-premises routers. VPC attachments connect the transit gateway with the VPCs in the production, QA, and development accounts, and each VRF's Connect attachment and VPC attachments share a dedicated transit gateway route table.

Transit VIF architecture

The following diagram shows the configuration details for the transit VIFs. This sample architecture uses a VLAN for the tunnel source, but you could also use a loopback.

Configuration details for the transit VIF connections between the routers and AWS Direct Connect

The following are the configuration details, such as autonomous system numbers (ASNs), for the transit VIFs.

Resource                 Item         Detail
router-01                ASN          65534
router-02                ASN          65534
router-03                ASN          65534
router-04                ASN          65534
Direct Connect gateway   ASN          64601
Transit gateway          ASN          64600
Transit gateway          CIDR block   10.100.254.0/24

Transit gateway Connect architecture

The following diagram and tables describe how to configure a single VRF through a transit gateway Connect attachment. For additional VRFs, assign unique tunnel IDs, transit gateway GRE IP addresses, and BGP inside CIDR blocks. The peer GRE IP address matches the router peer IP address from the transit VIF.

Configuration details for the GRE tunnels between the routers and the transit gateway

The following table contains router configuration details. The tunnel IP address is the first address of the tunnel's BGP inside CIDR block, the source is the router VLAN interface that carries the transit VIF (with its IP address), and the destination is the transit gateway GRE address, taken from the transit gateway CIDR block.

Router      Tunnel      IP address        Source                     Destination
router-01   Tunnel 1    169.254.101.17    VLAN 60 (169.254.100.1)    10.100.254.1
router-02   Tunnel 11   169.254.101.81    VLAN 61 (169.254.100.5)    10.100.254.11
router-03   Tunnel 21   169.254.101.145   VLAN 62 (169.254.100.9)    10.100.254.21
router-04   Tunnel 31   169.254.101.209   VLAN 63 (169.254.100.13)   10.100.254.31

The following table contains transit gateway configuration details.

Tunnel      Transit gateway GRE IP address   Peer GRE IP address        BGP inside CIDR blocks
Tunnel 1    10.100.254.1                     VLAN 60 (169.254.100.1)    169.254.101.16/29
Tunnel 11   10.100.254.11                    VLAN 61 (169.254.100.5)    169.254.101.80/29
Tunnel 21   10.100.254.21                    VLAN 62 (169.254.100.9)    169.254.101.144/29
Tunnel 31   10.100.254.31                    VLAN 63 (169.254.100.13)   169.254.101.208/29
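The two tables above list the tunnel endpoints but not the addresses that the BGP session inside each tunnel uses; both the router and the transit gateway derive those from the BGP inside CIDR block (the router takes the first host address, the transit gateway the second and third). The following Python script is an added example, not code from the AWS pattern. It takes the same inputs as the tables, derives those addresses, applies the checks that AWS and this pattern impose (a /29 within 169.254.0.0/16 outside the reserved ranges, a transit gateway GRE address inside the transit gateway CIDR block, at most four Connect peers per attachment, and no reuse of an inside CIDR or transit gateway GRE address when the next VRF is added), and renders an IOS-style tunnel stanza for each router. The VRF name, the interface names, the reserved-range list, and the IOS-style syntax are illustrative assumptions to verify against your platform and the current AWS documentation.

```python
"""Address plan for Transit Gateway Connect peers (one GRE tunnel per router).

Added example; not code from the AWS pattern. Derives the addresses both ends
of a tunnel need from the tables' inputs and rejects plans that AWS or the
pattern would reject. VRF, interface names and IOS-style syntax are illustrative.
"""
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Ranges AWS reserves and will not accept as BGP inside CIDR blocks
# (Transit Gateway Connect documentation); re-check the current list.
RESERVED_INSIDE = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29")]
MAX_PEERS_PER_ATTACHMENT = 4


@dataclass(frozen=True)
class ConnectPeerPlan:
    name: str
    tunnel_id: int
    tgw_gre_ip: str     # tunnel endpoint taken from the transit gateway CIDR block
    peer_gre_ip: str    # router's transit VIF address (GRE underlay)
    inside_cidr: str    # /29 that carries the BGP session inside the tunnel
    peer_asn: int
    peer_bgp_ip: str    # router end of the session: first host of the /29
    tgw_bgp_ips: tuple  # transit gateway end: second and third hosts


def plan_peer(name, tunnel_id, tgw_cidr, tgw_gre_ip, peer_gre_ip,
              inside_cidr, peer_asn):
    inside = ipaddress.ip_network(inside_cidr)  # strict: host bits set -> error
    if inside.prefixlen != 29 or not inside.subnet_of(LINK_LOCAL):
        raise ValueError(f"{name}: inside CIDR must be a /29 within 169.254.0.0/16")
    if any(inside.overlaps(r) for r in RESERVED_INSIDE):
        raise ValueError(f"{name}: {inside} lies in a reserved range")
    if ipaddress.ip_address(tgw_gre_ip) not in ipaddress.ip_network(tgw_cidr):
        raise ValueError(f"{name}: {tgw_gre_ip} is outside transit gateway CIDR {tgw_cidr}")
    hosts = list(inside.hosts())  # .17 .. .22 for 169.254.101.16/29
    return ConnectPeerPlan(name, tunnel_id, tgw_gre_ip, peer_gre_ip, str(inside),
                           peer_asn, str(hosts[0]), (str(hosts[1]), str(hosts[2])))


def plan_attachment(tgw_cidr, peers, existing=()):
    """Plan all peers of one Connect attachment (one VRF). `existing` holds the
    plans already deployed on the transit gateway, so the next VRF cannot
    reuse an inside CIDR or a transit gateway GRE address."""
    if len(peers) > MAX_PEERS_PER_ATTACHMENT:
        raise ValueError("a Connect attachment supports at most 4 Connect peers")
    plans = [plan_peer(tgw_cidr=tgw_cidr, **p) for p in peers]
    used_cidr = {p.inside_cidr for p in existing}
    used_gre = {p.tgw_gre_ip for p in existing}
    for p in plans:
        if p.inside_cidr in used_cidr or p.tgw_gre_ip in used_gre:
            raise ValueError(f"{p.name}: inside CIDR or transit gateway GRE address already in use")
        used_cidr.add(p.inside_cidr)
        used_gre.add(p.tgw_gre_ip)
    return plans


def render_router_tunnel(plan, vrf, source_if, tgw_asn):
    """IOS-style configuration for the router end of one tunnel (illustrative syntax)."""
    lines = [
        f"interface Tunnel{plan.tunnel_id}",
        f" vrf forwarding {vrf}",
        f" ip address {plan.peer_bgp_ip} 255.255.255.248",
        f" tunnel source {source_if}",  # the interface that holds peer_gre_ip
        f" tunnel destination {plan.tgw_gre_ip}",
        f"router bgp {plan.peer_asn}",
        f" address-family ipv4 vrf {vrf}",
    ]
    # The transit gateway runs two BGP speakers inside every tunnel: peer with both.
    lines += [f"  neighbor {ip} remote-as {tgw_asn}" for ip in plan.tgw_bgp_ips]
    return "\n".join(lines)


# The four tunnels from the tables above, as one VRF (constructed sample input).
PROD_PEERS = [
    dict(name="connectpeer-router01", tunnel_id=1, tgw_gre_ip="10.100.254.1",
         peer_gre_ip="169.254.100.1", inside_cidr="169.254.101.16/29", peer_asn=65534),
    dict(name="connectpeer-router02", tunnel_id=11, tgw_gre_ip="10.100.254.11",
         peer_gre_ip="169.254.100.5", inside_cidr="169.254.101.80/29", peer_asn=65534),
    dict(name="connectpeer-router03", tunnel_id=21, tgw_gre_ip="10.100.254.21",
         peer_gre_ip="169.254.100.9", inside_cidr="169.254.101.144/29", peer_asn=65534),
    dict(name="connectpeer-router04", tunnel_id=31, tgw_gre_ip="10.100.254.31",
         peer_gre_ip="169.254.100.13", inside_cidr="169.254.101.208/29", peer_asn=65534),
]

if __name__ == "__main__":
    for plan, vlan in zip(plan_attachment("10.100.254.0/24", PROD_PEERS), (60, 61, 62, 63)):
        print(render_router_tunnel(plan, "PROD", f"Vlan{vlan}", 64600), end="\n\n")
```

Running the script prints one stanza per router. To plan the next VRF, call plan_attachment again with the first VRF's plans passed as existing; a reused /29 or transit gateway GRE address is then rejected before it reaches the console, where the same mistake would surface only as a failed Connect peer.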

Deployment

The Epics section describes how to deploy a sample configuration for a single VRF across multiple customer routers. After steps 1–5 are complete, you repeat steps 6–9 for every new VRF that you're extending into AWS, so that each VRF gets its own Connect attachment, Connect peers, and route table association:

  1. Create the transit gateway.

  2. Create a Transit Gateway route table for each VRF.

  3. Create the transit virtual interfaces.

  4. Create the Direct Connect gateway.

  5. Create the Direct Connect gateway virtual interface and gateway associations with allowed prefixes.

  6. Create the transit gateway Connect attachment.

  7. Create the Transit Gateway Connect peers.

  8. Associate the transit gateway Connect attachment with the route table.

  9. Advertise routes to the routers.

Tools

AWS services

  • AWS Direct Connect links your internal network to a Direct Connect location over a standard Ethernet fiber-optic cable. With this connection, you can create virtual interfaces directly to public AWS services while bypassing internet service providers in your network path.

  • AWS Transit Gateway is a central hub that connects virtual private clouds (VPCs) and on-premises networks.

  • Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Epics


Create custom architecture diagrams.

  1. In the Attachments section, download the diagram template.

  2. Open the attached diagram in Microsoft PowerPoint.

  3. On the Architecture overview slide, customize the architecture diagram for your environment. Identify the on-premises VRFs that need to be extended into your AWS environment.

  4. On the Transit VIF slide, customize the architecture diagram. Identify the AS numbers of the routers, the Direct Connect gateway, and the transit gateway. Identify the IP addresses at each end of the transit VIF.

  5. On the Transit Gateway Connect slide, customize an architecture diagram for each VRF. Identify all required IP addresses necessary to configure the routers and the Transit Gateway Connect peers.

Skills required: Cloud architect, Network administrator

Create the transit gateway.

  1. Sign in to the network hub account.

  2. Follow the instructions in Create a transit gateway. Note the following for this pattern:

    • For Amazon side Autonomous System Number (ASN), enter a unique ASN. For the purposes of this example, the ASN is 64600.

    • Select DNS support.

    • Clear Default route table association and Default route table propagation. If they stay enabled, every attachment that you create later is automatically associated with, and propagates its routes into, the single default route table, which undoes the per-VRF isolation that this pattern depends on. VPN ECMP support and Multicast support are not required for this sample architecture.

    • For Transit gateway CIDR blocks, enter the IPv4 CIDR blocks for your transit gateway. For the purposes of this example, the CIDR block is 10.100.254.0/24. The transit gateway GRE addresses of the Connect peers are assigned from this block.

Skills required: Network administrator, Cloud architect

Create the transit gateway route table.

Follow the instructions in Create a transit gateway route table. Note the following for this pattern:

  • For Name tag, provide a name for the transit gateway route table. We recommend using a name that corresponds to the VRF, such as routetable-dev-vrf.

  • For Transit gateway ID, choose the transit gateway that you created previously.

Skills required: Cloud architect, Network administrator

Create the transit virtual interfaces.

  1. Sign in to the Direct Connect account.

  2. Follow the instructions in Create a transit virtual interface to the Direct Connect gateway. Note the following for this pattern:

    • For Virtual interface name, enter a name for the transit VIF. We recommend using a name that corresponds to the router, such as transit-vif-router01.

    • For Connection, select the router, such as router-01.

    • For Virtual interface owner, enter the account ID of the network hub account. For instructions, see View your AWS account ID.

    • For Direct Connect gateway, do not make any selection. You attach the Direct Connect gateway in a subsequent step.

    • For VLAN, enter the VLAN of the router, such as 60.

    • For BGP ASN, enter the ASN of the router, such as 65534.

    • Under Additional Settings, do the following:

      • Choose IPv4.

      • For Your router peer ip, enter the router peer IP address, such as 169.254.100.1.

      • For Amazon router peer ip, enter the Amazon router peer IP, such as 169.254.100.2.

      • For BGP authentication key, enter the BGP MD5 authentication key for the session. If you leave this field blank, AWS generates a key, and that key is visible only in the account that creates the virtual interface (the Direct Connect account), so record it there and hand it to the router administrators through your normal secrets channel.

  3. Repeat these instructions to create all transit VIFs for the VRF.

Skills required: Cloud architect, Network administrator

Create a Direct Connect gateway.

  1. Sign in to the network hub account.

  2. Follow the instructions in Creating a Direct Connect gateway. Note the following for this pattern:

    • For Amazon side ASN, enter the ASN of the Direct Connect gateway, such as 64601.

    • Do not choose a virtual private gateway.

Skills required: Cloud architect, Network administrator

Attach the Direct Connect gateway to the transit VIFs.

  1. In the network hub account, open the AWS Direct Connect console at https://console.aws.amazon.com/directconnect/v2/.

  2. In the navigation pane, choose Virtual Interfaces.

  3. Select a transit VIF that is pending your acceptance, and then choose Accept.

  4. For the gateway, choose the Direct Connect gateway that you created, and then confirm the acceptance.

  5. Repeat these instructions for each transit VIF.

Skills required: Cloud architect, Network administrator

Create the Direct Connect gateway associations with allowed prefixes.

In the network hub account, follow the instructions in To associate a transit gateway. Note the following for this pattern:

  • For Gateways, choose the transit gateway you created previously.

  • For Allowed prefixes, enter only the CIDR block assigned to the transit gateway, such as 10.100.254.0/24. This is the prefix that the Direct Connect gateway advertises to the routers over the transit VIFs, and it is all that needs to be advertised there: it makes the transit gateway GRE addresses reachable, while the VRF routes themselves are exchanged inside each GRE tunnel by the Connect peer BGP sessions and are not advertised over the shared transit VIF.

Creating this association automatically creates a transit gateway attachment that has a Direct Connect Gateway resource type. This attachment only provides the transport for the Connect attachments; do not associate it with any transit gateway route table.

Skills required: Cloud architect, Network administrator

Create the transit gateway Connect attachment.

  1. In the network hub account, open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Transit gateway attachments.

  3. Choose Create transit gateway attachment.

  4. For Name tag, enter a name for the attachment. We recommend using a name that corresponds to the VRF, such as PROD-VRF.

  5. For Transit gateway ID, choose the transit gateway you created previously.

  6. For Attachment type, choose Connect.

  7. For Transport attachment ID, choose the Direct Connect gateway attachment that was created when you associated the Direct Connect gateway with the transit gateway.

  8. Choose Create transit gateway attachment.

  9. Repeat these steps for each VRF that you are extending.

Skills required: Cloud architect, Network administrator

Create the Transit Gateway Connect peers.

  1. In the network hub account, follow the instructions in Create a Transit Gateway Connect peer (GRE tunnel). Note the following for this pattern:

    • For Name tag, enter a name for the Transit Gateway Connect peer. We recommend using a name that corresponds to the router, such as connectpeer-router01.

    • For Transit gateway GRE address, enter the assigned IP address from the transit gateway CIDR block, such as 10.100.254.1.

    • For Peer GRE address, enter the IP address assigned to the VLAN created on the router for the transit VIF, such as 169.254.100.1. Provided that AWS can reach the IP address, you can use any interface, such as VLAN or Loopback, for the peer GRE address.

    • For BGP Inside CIDR Blocks (IPv4), enter the BGP inside CIDR block IP address, such as 169.254.101.16/29.

    • For Peer ASN, enter the ASN of the router, such as 65534.

  2. Repeat these instructions to create a GRE tunnel for each router.
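The isolation this pattern provides rests on a few settings spread across the steps above: default route table association and propagation disabled on the transit gateway, the Direct Connect gateway attachment left unassociated because it is only the GRE transport, and every Connect and VPC attachment associated with the route table of exactly one VRF. The following Python script is an added check, not code from the AWS pattern; it audits those rules against dictionaries in the shape returned by `aws ec2 describe-transit-gateways`, `describe-transit-gateway-route-tables`, and `describe-transit-gateway-attachments`. It runs on constructed sample data; to use it against an account, feed it the output of those three calls. The "VRF" tag on route tables and attachments is a naming convention assumed by the example, not one the pattern prescribes.

```python
"""Audit a transit gateway for the VRF isolation this pattern relies on.

Added example; not code from the AWS pattern. Checks, on the shapes that the
EC2 describe-transit-gateway* calls return, that default route table
association and propagation are disabled, that the Direct Connect gateway
attachment (the GRE transport) is associated with no route table, and that
every Connect and VPC attachment sits in one route table holding a single VRF.
The "VRF" tag is an assumed naming convention. Sample data is constructed.
"""
from collections import defaultdict


def tag(resource, key):
    """Value of tag `key` on an EC2 resource dict, or None."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)


def audit_isolation(tgw, route_tables, attachments, vrf_tag="VRF"):
    """Return a list of findings; an empty list means the isolation rules hold."""
    findings = []
    opts = tgw["Options"]
    for key in ("DefaultRouteTableAssociation", "DefaultRouteTablePropagation"):
        if opts.get(key) != "disable":
            findings.append(f"{tgw['TransitGatewayId']}: {key} is enabled, so every new "
                            "attachment would share one route table")
    # route table id -> VRFs present in it (its own tag plus its associated attachments)
    members = defaultdict(set)
    for rt in route_tables:
        if tag(rt, vrf_tag):
            members[rt["TransitGatewayRouteTableId"]].add(tag(rt, vrf_tag))
    for att in attachments:
        att_id = att["TransitGatewayAttachmentId"]
        rtb = (att.get("Association") or {}).get("TransitGatewayRouteTableId")
        if att["ResourceType"] == "direct-connect-gateway":
            if rtb:  # transport only; must not be routable into any VRF
                findings.append(f"{att_id}: Direct Connect gateway (transport) attachment "
                                f"is associated with {rtb}; it should stay unassociated")
            continue
        if att["ResourceType"] not in ("connect", "vpc"):
            continue
        vrf = tag(att, vrf_tag)
        if vrf is None:
            findings.append(f"{att_id}: no {vrf_tag} tag; cannot tell which VRF it serves")
        elif rtb is None:
            findings.append(f"{att_id} ({vrf}): not associated with any route table")
        else:
            members[rtb].add(vrf)
    for rtb, vrfs in members.items():
        if len(vrfs) > 1:
            findings.append(f"{rtb}: holds {sorted(vrfs)}; traffic can cross between these VRFs")
    return findings


# Constructed sample (IDs are placeholders in the real ID format, not real resources).
PROD_RTB, DEV_RTB = "tgw-rtb-0000000000000001", "tgw-rtb-0000000000000002"
SAMPLE_TGW = {"TransitGatewayId": "tgw-0000000000000001",
              "Options": {"AmazonSideAsn": 64600, "TransitGatewayCidrBlocks": ["10.100.254.0/24"],
                          "DefaultRouteTableAssociation": "disable",
                          "DefaultRouteTablePropagation": "disable"}}
SAMPLE_ROUTE_TABLES = [
    {"TransitGatewayRouteTableId": PROD_RTB, "Tags": [{"Key": "VRF", "Value": "PROD"}]},
    {"TransitGatewayRouteTableId": DEV_RTB, "Tags": [{"Key": "VRF", "Value": "DEV"}]},
]


def make_attachment(att_id, rtype, vrf=None, rtb=None):
    """Build an attachment dict in describe-transit-gateway-attachments shape."""
    att = {"TransitGatewayAttachmentId": att_id, "ResourceType": rtype, "Tags": []}
    if vrf:
        att["Tags"].append({"Key": "VRF", "Value": vrf})
    if rtb:
        att["Association"] = {"TransitGatewayRouteTableId": rtb, "State": "associated"}
    return att


SAMPLE_ATTACHMENTS = [
    make_attachment("tgw-attach-0000000000000001", "direct-connect-gateway"),  # GRE transport
    make_attachment("tgw-attach-0000000000000002", "connect", "PROD", PROD_RTB),
    make_attachment("tgw-attach-0000000000000003", "connect", "DEV", DEV_RTB),
    make_attachment("tgw-attach-0000000000000004", "vpc", "PROD", PROD_RTB),
    # Planted misconfiguration: a DEV VPC associated with the PROD route table.
    make_attachment("tgw-attach-0000000000000005", "vpc", "DEV", PROD_RTB),
]

if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_TGW, SAMPLE_ROUTE_TABLES, SAMPLE_ATTACHMENTS):
        print("FINDING:", finding)
```

On the sample data the script reports one finding, the DEV VPC attachment sitting in the PROD route table, which is exactly the kind of drift that silently merges two VRFs after a later VPC attachment is added by hand. A Connect attachment's own association is checked the same way, so a Connect peer brought up for the wrong VRF is caught as well.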

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip