**Configuring Transit Gateways**

**Configuring Transit Gateways** === ###### tags: `AWS` ## 完成本次的LAB您將有以下配置 ● Configure a transit gateway ● Attach VPCs to a transit gateway ● Control and customize routing with AWS Transit Gateway ● Peer transit gateways between two Regions ● Use Network Manager to visualize and analyze your network ## LAB環境如下作為LAB的一部分，四個 EC2 實例在primary region各自的 VPC 上預置。在remote region提供一個 EC2 實例和一個Transit gateway。您在primary region中配置一個Transit gateway，將 VPC attach到Transit gateway，更新路由，並驗證primary region內的所有 EC2 實例是否可以互相Ping通。然後，您將Transit gateway與remote region對等，並驗證所有 EC2 實例之間的網絡連接。最後，您創建route filters以僅限制某些 VPC 之間的連接。 ![](https://i.imgur.com/JOctyvp.png) **開始前的基礎環境設置** 1.VPC ![](https://i.imgur.com/JmlpUkf.png) 2.Subnets ![](https://i.imgur.com/0PBcVqY.png) 3.Route tables(其他的private只有自己的網段) ![](https://i.imgur.com/VEIw4rs.png) 4.Internet gateways ![](https://i.imgur.com/sxLn7md.png) 5.EC2 X 5 #### **Primary region** * Region : us-west * AZ : us-west-2a * VPC : 1. a-public X 1 2. b-private X 1 3. C-private X 1 4. d-private X 1 * AMI : amzn2-ami-hvm-2.0.20221103.3-x86_64-gp2 * Tpye : t3.small * EBS Volume size : 8 GiB * Security groups : allow 22Port、ICMP Protocol ![](https://i.imgur.com/CqqAyy1.png) --- #### **Remote region** * Region : us-east * AZ : us-east-1a * VPC : e-private X 1 * AMI : amzn2-ami-hvm-2.0.20221103.3-x86_64-gp2 * Tpye : t3.small * EBS Volume size : 8 GiB * Security groups : allow 22Port、ICMP Protocol ![](https://i.imgur.com/CqqAyy1.png) --- <style> .red { color: red; } </style> ### 步驟 1：Review the Network Topology and Create the Baseline 在此步驟中，使用 Internet 的 (ICMP) 協議驗證command host與其他Host之間的網絡是否互通。在同一個主要區域中有四個 Amazon EC2 實例，標記為Host A 到 D，每個VM都有自己的 VPC。 Host A 位於public subnet中，將用作command host。下圖顯示了LAB環境中的當前基礎配置 ![](https://i.imgur.com/qeXjxln.png) :::info **※每台VM都在獨立的VPC環境中，先連線登入Command host並Ping其他Host VM** ::: ![](https://i.imgur.com/cdMuBaN.png) 由於每個VM都在自己的private Subnets中，每個VM之間沒有配置路由，ICMP Ping 每個VM都會出現Time out。 ### 步驟 2 : Create a Transit Gateway ![](https://i.imgur.com/lFaluAE.png) **配置以下內容** * Name tag: maintransitgw * Amazon side ASN: 65001 * Uncheck VPN ECMP support * Uncheck Default route table association * Uncheck Default route table propagation * Create a Transit Gateway **建立完成(並使用文字編輯器紀錄Transit Gateway ID) EX:tgw-0534607a68f959f70** ![](https://i.imgur.com/N0velDf.png) ### 步驟 3 : 將VPCs attach到Transit Gateway ![](https://i.imgur.com/HGlhv8M.png) 在VPC左側列表Transit Gateway中選擇Transit gateway attachments ![](https://i.imgur.com/hUr1qlH.png) 配置以下內容 * Name tag: vpc-a * Transit Gateway ID: Select the transit gateway ID * Attachment type: VPC * VPC ID: Select the VPC with the name vpc-a * Choose the Create transit gateway attachment button. ![](https://i.imgur.com/wVFFqSj.png) 對其他VPC重複相同的步驟，並等待狀態為Available ![](https://i.imgur.com/zEVkbru.png) ### 步驟 4 : Create the Transit Gateway Route Table 在VPC左側列表Transit Gateway中選擇Transit Gateway Route Table ![](https://i.imgur.com/a27DeuM.png) 配置以下內容 * Name tag: maintransitgw-rt * Transit Gateway ID: Select the transit gateway ID ![](https://i.imgur.com/taVzNYz.png) #### 步驟 4-1 : Create Route Table Associations :::info **※ 1個Transit Gateway只能和一個Route Table進行關聯，Route table可以和多個資源進行關聯** ::: 先選取maintransitgw-rt並選擇Actions ![](https://i.imgur.com/32WiQGr.png) VPC-a~d 皆重複以下操作 ![](https://i.imgur.com/gRwE4rp.png) Associations完成後顯示如下 ![](https://i.imgur.com/9LX6yJL.png) #### 步驟 4-2 : Create Route Propagations :::info **使用Route Propagations將路由從路由表添加到附件。添加傳播使路由能夠從附件傳播到目標transit gateway route table。** **一個附件可以propagated to multiple route tables。** ::: 先選取maintransitgw-rt並選擇Actions ![](https://i.imgur.com/Ek3C0fJ.png) VPC-a~d 皆重複以下操作 ![](https://i.imgur.com/rPUXs0d.png) Propagations完成後顯示如下 ![](https://i.imgur.com/uI1oaEm.png) ### 步驟 5 : Update the VPC Route Tables :::info **※替所有VPC中的Subents添加一條目的為Transit gateway的路由** ::: 在VPC左側列表Virtual Private Cloud中選擇Route Table ![](https://i.imgur.com/tnKgQwB.png) 配置以下內容 * Destination: 10.0.0.0/8 * Target: Copy and paste the transit gateway ID (參考步驟2複製的ID) VPC-a~d 皆重複以下操作 ![](https://i.imgur.com/bsGyFRd.png) 連線到Command host並Ping其他Host VM，此時會發現只有Host E ping不通(編寫Lab過程有重新建立環境，Host IP 異動不影響Lab過程，VPC配置皆一樣) ![](https://i.imgur.com/7LQOTlc.png) 因為Host E建立在remote region，因此會不通 ### 步驟 6 : Create a Peering Connection to the Remote Region Transit Gateway :::info **※選取VPC服務後，將Region切換至us-east-1(remote region)** ::: 先重複步驟2-4建立一個us-east-1(remote region)的Transit gateways 配置更動的內容為下列 * Name tag: remote-tgw * Amazon side ASN: 65002 建立完成後一樣先使用文字編輯器紀錄Transit Gateway ID(EX:tgw-0fbb0e3f7515eb79c) ![](https://i.imgur.com/jH78haO.png) #### 步驟 6-1 : Create the Transit Gateway Peering Connection Create the Transit Gateway Peering Connection 切換回us-west-2(primary region)配置以下內容 * Name tag - optional: remote-vpc-e * Transit Gateway ID: Select the transit gateway * Attachment type: Peering Connection * Account: My account * Region: Select the remote region name * Transit gateway (accepter): Copy and paste the transit gateway ID for the remote region that you recorded in the previous section * Choose the Create transit gateway attachment button ![](https://i.imgur.com/PrZ7lW4.png) 這時候會顯示 Pending Acceptance ![](https://i.imgur.com/1soV5i2.png) :::info **※這時候先切換至us-east-1(remote region)** ::: 在Transit Gateway Attachments的地方可以看到有一個Pending acceptance，點選Accept transit gateway attachment進行接受 ![](https://i.imgur.com/w5MssWU.png) 這時候可以看到跨Region的Transit Gateway Peering Connection 已經Available ![](https://i.imgur.com/ppn0iW3.png) #### 步驟 6-2 : Update the Route Table Association - Remote Region 在us-east-1(remote region)的Transit gateway route tables 選擇 Associations ![](https://i.imgur.com/KzbDZiT.png) 選擇Transit gateway 的 route tables 中的 CIDR 0.0.0.0/0 Replace static route ![](https://i.imgur.com/4ndl49Z.png) 選擇沒有名稱Tag的TGW ![](https://i.imgur.com/W9D9lMg.png) #### 步驟 6-3 : Update the VPC Route Table - Remote Region 選擇vpc_e-private並配置以下內容 * Destination: 0.0.0.0/0 * Target: Copy and paste the transit gateway ID of the remote region * Choose the Save changes button 配置完成如下 ![](https://i.imgur.com/BIvBJqp.png) 連線到Command host並Ping其他Host VM進行測試 ![](https://i.imgur.com/jl2jNV6.png) #### 步驟 6-4 : 這時候會發現Host E 仍然 Ping不通，需要先切換為us-west-2(PrimaryRegion)，並更新Transit gateway route tables 重新association並選擇remote-vpc-e ![](https://i.imgur.com/qcSqy4w.png) 替Transit gateway route tables Create static route 配置以下內容 * CIDR: 10.0.0.0/16 * Choose attachment: Select attachment ID with the name tag remote-vpc-e * Choose the Create static route button ![](https://i.imgur.com/vB7KmSR.png) 再次使用Command host對Host E進行Ping測試 ![](https://i.imgur.com/SqJdAf5.png) 透過測試確認可以成功透過Command host去Ping到各個獨立VPC中的Host VM ### 步驟 7 : Create Route Filters :::info **※我們將blackhole routes在VPC-B、D，需先切換到us-west-2(PrimaryRegion)** ::: ![](https://i.imgur.com/zL5QapW.png) 替Transit gateway route tables Create static route 配置以下內容 * CIDR: 10.2.2.0/24 * Select Blackhole * Choose the Create static route button ![](https://i.imgur.com/l6Jb61y.png) 對CIDR 10.4.4.0/24 重複上圖相同步驟，結果如下圖 ![](https://i.imgur.com/GZ3fh6Q.png) 連線到Command host並Ping其他Host VM進行測試 ![](https://i.imgur.com/46Aq885.png) 由測試結果可以發現VPC-B、D成功被Route Filters block 步驟 8 : Visualize and Analyze Your Network (Optional) 在VPC左側列表最下方選擇Network Manager ![](https://i.imgur.com/KyVouQv.png) 在Global networks點選Cerate Global networks ![](https://i.imgur.com/E9uTFpy.png) 配置以下內容 * Name: TGW-Network * Description: Transit Gateway Network * Choose Next * Deselect Add core network in your global network * Choose Next * Choose the Create global network button ![](https://i.imgur.com/rzSvzub.png) 等待狀態為Available後，點選該資源名稱後，在左側列表選取Transit gateways ![](https://i.imgur.com/fhv5222.png) 點選Register Transit Gateway，兩個Transit Gateway都選取並Register ![](https://i.imgur.com/zIZY0HR.png) 註冊完成並等待狀態為Available ![](https://i.imgur.com/F3ckkFc.png) #### 步驟 8-1 : Visualize the Network :::info **※先選取左側列表中的Transit gateway network，分別查看Geography, Topology tree, and Monitoring** ::: Geography顯示如下圖 ![](https://i.imgur.com/je592tI.png) Topology tree顯示如下圖 ![](https://i.imgur.com/Ruu5Wwg.png) Monitoring顯示如下圖 ![](https://i.imgur.com/i0IVxwO.png) #### 步驟 8-2 : Analyze Route 選擇Route Analyzer 配置以下內容-Source * Transit Gateway: maintransitgw * Transit Gateway attachment: vpc-a * IP address: Copy and paste the CommandHostPrivateIP IP address * Select Include return path in results 配置以下內容-Destination * Transit Gateway: remote-tgw * Transit Gateway attachment: vpc-e * IP address: Copy and paste the HostE IP address ![](https://i.imgur.com/lEfFC0Q.png) 分析結果如下圖 ![](https://i.imgur.com/lJfYs9W.png)