How to test Aviatrix Transit VPC for AWS — without requiring a connection to your data center?
This note describes how to set up and test the Aviatrix Next-Generation Transit Solution in AWS without having to make connections into your datacenter. You will create a VPC that emulates a datacenter. For introductory details on transit solution, please refer to: https://aws.amazon.com/answers/networking/aws-global-transit-network/
With this approach, you will be creating 3 VPCs, the first of which will emulate the datacenter. The second and third VPCs will be the transit and spoke VPCs. The end goal is to test transit connectivity from Spoke VPC to the “Datacenter VPC” as illustrated in this diagram:
1. Create 3 VPCs in your AWS Account:
- DC-Emulate (plays the role of your on-premise/datacenter environment)
Note: Make sure each of these VPCs have at least one Subnet attached to an IGW.
2. Create a VGW in the same region as the Transit-VPC and attach it to the Transit-VPC (VGW needs to be attached temporarily for testing)
3. Create one test instance (amazon Linux) in each of the three VPCs. These instances will need SSH access to test connectivity. Also, open the ICMP port on these instances from 0.0.0.0/0 to be able to perform ping tests.
4. Log-in to the Aviatrix Controller and create a Gateway in the DC-Emulate VPC. This Gateway plays the role of you Datacenter IPsec Device. Note the Public IP address (EIP) of this Gateway.
5. Create an IPsec tunnel from the DC-VPC’s Gateway to the VGW attached to the Transit. To do this, create a CGW. Make sure you select static option and enter the EIP of the DC-Emulate Gateway.
6. Create a VPN Connection in the AWS console.
- Pick the VGW and CGW you just created.
- Select Static and enter the CIDR of the DC-Emulate VPC in the Static IP prefix textbox.
- Leave Tunnel Options Blank.
- Click Create.
7. Select the VPN Connection you just created and click Download Configuration. Select “Generic” vendor and click Download.
8. Open the Downloaded File. Note the IPSec configuration parameters.
9. Switch to the Aviatrix controller and create a Site2Cloud Connection. Select the parameters according to the configuration file. For the Remote CIDRs, enter the transit and spoke CIDRs (comma separated).
10. The VPN Connection in the AWS Console and the Aviatrix Console show as “Up” in a few seconds:
11. To test connectivity across this tunnel, add a route in the Transit-VPC’s route table:
DC-Emulate CIDR -> VGW
12. Now test connectivity between the test instances in the DC-emulate and Transit-VPCs. (hint: Open ICMP in the instance Security Groups).
13. Once you have tested connectivity:
- Detach the VGW from the Transit-VPC. This will keep the VPN Connection still active.
- Delete the manual route entry you made in the transit VPC step above.
In the next steps, we are going to connect the Transit-VPC to this VGW using an Aviatrix Tunnel and create a transit connection to the Spoke-VPC:
14. Switch to the Aviatrix controller and go to the Transit Network navigation tab.
Follow the steps (1 – 6) to Launch a gateway in the Transit VPC, connect to the VGW and attach the spoke gateway to the transit gateway. (Detailed Instructions: http://docs.aviatrix.com/HowTos/transitvpc_workflow.html)
Test connectivity from Spoke-VPC’s test instance to the DC-Emulate VPC’s test instance.
To add additional spoke VPCs to the Transit Architecture:
- In the AWS console, create a new VPC and call it “Spoke 2 VPC”. Add at least one public subnet to host the Aviatrix Gateway in.
- Log into the Aviatrix Controller web UI
- Click on Transit Network tab in the navigation pane.
- Perform steps 4 (create a gateway in the new spoke) and 6 (attach the new spoke gateway to the transit gateway)
- Add this new spoke CIDR to the (emulated) Datacenter-to-Transit tunnel:
- In the Aviatrix controller, click on Site2Cloud in the navigation pane.
- Select the Datacenter-to-Transit tunnel.
- Scroll down to the tunnel details and locate the “Remote CIDR” textbox.
- Add the new Spoke’s CIDR to the existing CIDRs (comma separated)
- Click on “Change Remote Subnet” button.
After these steps, you will be able to ping an instance in the new spoke from the Datacenter VPC.
Note: You will not be able to ping from spoke 1 to spoke 2. To do this, you will need to create an encrypted peering from the “Peering” tab.