Deploying AWS Direct Connect, Transit Gateway, and Sharing On-Prem Routes

Introduction

This guide provides step-by-step instructions to set up AWS Direct Connect, a Transit Gateway, and share on-premises routes with AWS. It covers three deployment methods:

• AWS Console (Manual Setup)
• AWS CLI
• Terraform (Infrastructure as Code - IaC)

Prerequisites

Before proceeding, ensure the following:

• You have AWS IAM permissions to create and modify Direct Connect, Transit Gateway, and routing tables.
• You have an established Direct Connect connection from an on-premises network.
• You have BGP (Border Gateway Protocol) configurations for peering between AWS and on-prem.
• Terraform (if using IaC) is installed, and AWS credentials are configured.

Creating active/passive BGP connections over AWS Direct Connect

Manual Deployment via AWS Console

Step 1: Create a Direct Connect Gateway (DXGW)

1. Navigate to AWS Direct Connect in the AWS Console.
2. Click Direct Connect Gateways > Create Direct Connect Gateway.
3. Enter a Name and specify the ASN (Autonomous System Number) of your on-premises router.
4. Click Create Direct Connect Gateway.

Step 2: Associate DXGW with a Transit Gateway (TGW)

1. In the Direct Connect Gateway console, select your DXGW.
2. Click Actions > Associate with Transit Gateway.
3. Choose an existing Transit Gateway or create a new one.
4. Specify the Allowed Prefixes to share with AWS.
5. Click Associate.

Step 3: Configure the Transit Gateway

1. Navigate to AWS Transit Gateway in the AWS Console.
2. Click Create Transit Gateway and configure:
   1. Name: Provide a meaningful name.
   2. Amazon ASN: Enter a private ASN (e.g., 64512) if needed.
   3. Enable DNS support, route propagation, and VPN ECMP support if required.
3. Click Create Transit Gateway.

Step 4: Create a Transit Gateway Route Table

1. Go to Transit Gateway Route Tables > Create Route Table.
2. Associate this route table with the VPC attachments and DX Gateway attachment.
3. Propagate on-premises prefixes into the Transit Gateway Route Table.

Step 5: Attach VPCs to the Transit Gateway

1. In Transit Gateway Attachments, create a new attachment for each VPC.
2. Select the VPC and subnets to attach.
3. Add the attachment to the correct route table.

Step 6: Validate Route Propagation

1. In Direct Connect Gateway, verify route propagation under the Transit Gateway association.
2. In VPC route tables, ensure traffic is routed via the Transit Gateway (TGW) for on-prem communication.

Deployment via AWS CLI

Step 1: Create Direct Connect Gateway

aws directconnect create-direct-connect-gateway --direct-connect-gateway-name MyDXGW --amazon-side-asn 64512

Step 2: Create a Transit Gateway

aws ec2 create-transit-gateway --description "My Transit Gateway" --options AmazonSideAsn=64512

Step 3: Associate DXGW with Transit Gateway

aws directconnect associate-direct-connect-gateway --direct-connect-gateway-id dxg-abc123 --transit-gateway-id tgw-xyz789 --allowed-prefixes-to-direct-connect-gateway "10.0.0.0/16"

Step 4: Create a TGW Route Table & Enable Propagation

aws ec2 create-transit-gateway-route-table --transit-gateway-id tgw-xyz789
aws ec2 enable-transit-gateway-route-table-propagation --transit-gateway-route-table-id tgw-rtb-xyz456 --transit-gateway-attachment-id tgw-attach-dxg-789

Step 5: Attach a VPC to the Transit Gateway

aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id tgw-xyz789 --vpc-id vpc-abc123 --subnet-ids subnet-111 subnet-222

Step 6: Verify Route Propagation

aws ec2 describe-transit-gateway-route-tables --transit-gateway-route-table-id tgw-rtb-xyz456

Deployment via Terraform

Step 1: Define the Direct Connect Gateway

<syntaxhighlight lang="hcl"> resource "aws_dx_gateway" "dxgw" {

 name            = "MyDXGW"
 amazon_side_asn = 64512

} </syntaxhighlight>

Step 2: Define the Transit Gateway

<syntaxhighlight lang="hcl"> resource "aws_ec2_transit_gateway" "tgw" {

 description = "My Transit Gateway"
 amazon_side_asn = 64512

} </syntaxhighlight>

Step 3: Associate DXGW with TGW

<syntaxhighlight lang="hcl"> resource "aws_dx_gateway_association" "dxgw_tgw" {

 dx_gateway_id      = aws_dx_gateway.dxgw.id
 transit_gateway_id = aws_ec2_transit_gateway.tgw.id
 allowed_prefixes   = ["10.0.0.0/16"]

} </syntaxhighlight>

Step 4: Create a Transit Gateway Route Table

<syntaxhighlight lang="hcl"> resource "aws_ec2_transit_gateway_route_table" "tgw_rt" {

 transit_gateway_id = aws_ec2_transit_gateway.tgw.id

} </syntaxhighlight>

Step 5: Create a VPC Attachment

<syntaxhighlight lang="hcl"> resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_vpc" {

 subnet_ids         = ["subnet-111", "subnet-222"]
 transit_gateway_id = aws_ec2_transit_gateway.tgw.id
 vpc_id            = "vpc-abc123"

} </syntaxhighlight>

Step 6: Enable Route Propagation

<syntaxhighlight lang="hcl"> resource "aws_ec2_transit_gateway_route_table_propagation" "dxgw_propagation" {

 transit_gateway_attachment_id  = aws_dx_gateway_association.dxgw_tgw.id
 transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id

} </syntaxhighlight>

Step 7: Apply Terraform

terraform init  
terraform apply -auto-approve  

Verification Steps

After deployment, verify connectivity:

1. Check the DXGW and TGW association in the AWS Console under Transit Gateway Associations.
2. Run AWS CLI commands to verify route propagation:

aws ec2 describe-transit-gateway-route-tables --transit-gateway-route-table-id tgw-rtb-xyz456

1. Ping from an on-premises server to an AWS instance and check traffic routes.

Conclusion

This guide covered how to set up AWS Direct Connect, Transit Gateway, and share on-premises routes using the AWS Console, CLI, and Terraform. Using Terraform ensures an automated, repeatable infrastructure setup, while the CLI allows for scripting and rapid deployments.

For production, always follow AWS best practices for security, route filtering, and monitoring.