Lab: Designing and Implementing Hybrid Connectivity with AWS Transit Gateway and Site-to-Site VPN
Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud
This hands-on lab guides you through the process of designing and implementing a robust, scalable hybrid network architecture. You will configure an AWS Transit Gateway (TGW) to act as a regional hub, connecting a VPC to a simulated on-premises environment via an IPsec VPN with Border Gateway Protocol (BGP) dynamic routing.
Prerequisites
Before starting this lab, ensure you have the following:
- An AWS Account with administrative privileges.
- AWS CLI installed and configured with credentials for your account.
- Basic knowledge of IPv4 Subnetting and BGP concepts.
- An external IP address (you can use your local machine's public IP as a placeholder for the Customer Gateway).
Learning Objectives
By the end of this lab, you will be able to:
- Deploy an AWS Transit Gateway to serve as a central interconnect.
- Configure a Customer Gateway (CGW) representation in AWS.
- Establish a Site-to-Site VPN connection using dynamic BGP routing.
- Implement route propagation between AWS and on-premises simulated networks.
Architecture Overview
The following diagram illustrates the hub-and-spoke architecture you will build. The Transit Gateway acts as the central hub connecting the VPC spoke and the On-Premises branch via a VPN tunnel.
Step-by-Step Instructions
Step 1: Create the Spoke VPC
First, we create the infrastructure that needs to communicate with the on-premises environment.
```bash
# Create the VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-spoke-vpc}]'
# Create a subnet for the TGW attachment
aws ec2 create-subnet --vpc-id <VPC_ID> --cidr-block 10.0.1.0/24 --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=brainybee-tgw-subnet}]'
```
Console Alternative
1. Navigate to the VPC console.
2. Name: `brainybee-spoke-vpc`, CIDR: `10.0.0.0/16`.
3. Create a subnet named `brainybee-tgw-subnet` in that VPC.
Step 2: Provision the Transit Gateway (TGW)
The TGW is the core of our routing strategy. We will use ASN 64512 for the AWS side.
```bash
aws ec2 create-transit-gateway --description "Hub TGW" --options AmazonSideAsn=64512
```
[!NOTE] It takes a few minutes for the TGW state to change from `pending` to `available`.
Step 3: Attach VPC to Transit Gateway
This step connects your VPC resources to the hub.
```bash
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id <TGW_ID> \
  --vpc-id <VPC_ID> \
  --subnet-ids <SUBNET_ID>
```
Step 4: Create the Customer Gateway (CGW)
The CGW represents your on-premises router in AWS. Use a placeholder public IP (e.g., your public IP) for this lab.
```bash
aws ec2 create-customer-gateway --type ipsec.1 --public-ip <YOUR_PUBLIC_IP> --bgp-asn 65001
```
Step 5: Establish the Site-to-Site VPN Connection
We will now create the VPN and attach it directly to the Transit Gateway. This uses dynamic routing (BGP) to exchange prefixes.
```bash
aws ec2 create-vpn-connection --type ipsec.1 \
  --customer-gateway-id <CGW_ID> \
  --transit-gateway-id <TGW_ID> \
  --options '{"StaticRoutesOnly": false}'
```
Console Alternative
1. Navigate to Site-to-Site VPN Connections in the VPC console.
2. Click Create VPN Connection.
3. Target Gateway Type: Transit Gateway.
4. Routing Options: Dynamic (requires BGP).
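The five steps above are one procedure, and each later step needs an ID from an earlier one. The script below is an added example (not part of the original lab) that runs Steps 1 to 5 in order, captures every resource ID with the AWS CLI's `--query`/`--output text` options instead of hand-pasted placeholders, refuses to start if the VPC CIDR overlaps the on-premises prefix (overlapping prefixes are the classic cause of traffic silently not crossing the TGW), and polls the TGW and attachment state until they are `available`, which also covers the first two rows of the Checkpoints table. The `ON_PREM_PUBLIC_IP` default (a TEST-NET-3 address) and the `ON_PREM_CIDR` default of `172.16.0.0/16` are assumed placeholders; the ASNs are the lab's. Nothing talks to AWS unless `RUN_LAB=1` is set, so the helpers can be sourced and tested offline.

```shell
#!/bin/sh
# Added example, not the lab's own code: Steps 1-5 end to end with captured IDs.
# Assumptions: AWS CLI v2 configured with credentials; ON_PREM_PUBLIC_IP and
# ON_PREM_CIDR are yours (the defaults below are placeholders only).
set -eu

VPC_CIDR="10.0.0.0/16"
SUBNET_CIDR="10.0.1.0/24"
ON_PREM_CIDR="${ON_PREM_CIDR:-172.16.0.0/16}"          # on-prem prefix used in the lab's troubleshooting table
ON_PREM_PUBLIC_IP="${ON_PREM_PUBLIC_IP:-203.0.113.10}" # TEST-NET-3 placeholder; replace with your router's IP
AWS_ASN=64512
CGW_ASN=65001
POLL_INTERVAL="${POLL_INTERVAL:-10}"                   # seconds between state checks

# ip_to_int: dotted-quad IPv4 address -> 32-bit integer (POSIX sh arithmetic only)
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/len B/len: exit 0 when the two blocks share at least one address.
# Only the bits covered by the shorter prefix are compared: if those agree, the
# longer block is contained in the shorter one.
cidr_overlap() {
  net1=$(ip_to_int "${1%/*}"); len1="${1#*/}"
  net2=$(ip_to_int "${2%/*}"); len2="${2#*/}"
  if [ "$len1" -lt "$len2" ]; then len="$len1"; else len="$len2"; fi
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( net1 & mask )) -eq $(( net2 & mask )) ]
}

# wait_for_state EXPECTED CMD...: re-run CMD (at most 30 times) until its output
# equals EXPECTED; returns 1 on timeout so `set -e` aborts the build.
wait_for_state() {
  expected="$1"; shift
  attempt=0
  while [ "$attempt" -lt 30 ]; do
    state=$("$@")
    [ "$state" = "$expected" ] && return 0
    attempt=$((attempt + 1))
    sleep "$POLL_INTERVAL"
  done
  return 1
}

build_hub() {
  if cidr_overlap "$VPC_CIDR" "$ON_PREM_CIDR"; then
    echo "refusing to build: VPC CIDR $VPC_CIDR overlaps on-prem $ON_PREM_CIDR" >&2
    return 1
  fi
  # Step 1: spoke VPC and the subnet the TGW attachment will use
  VPC_ID=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" \
    --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-spoke-vpc}]' \
    --query 'Vpc.VpcId' --output text)
  SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$SUBNET_CIDR" \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=brainybee-tgw-subnet}]' \
    --query 'Subnet.SubnetId' --output text)
  # Step 2: the hub; attachment creation fails while the TGW is still "pending"
  TGW_ID=$(aws ec2 create-transit-gateway --description "Hub TGW" \
    --options "AmazonSideAsn=$AWS_ASN" \
    --query 'TransitGateway.TransitGatewayId' --output text)
  wait_for_state available aws ec2 describe-transit-gateways \
    --transit-gateway-ids "$TGW_ID" --query 'TransitGateways[0].State' --output text
  # Step 3: attach the VPC and wait for the attachment itself to become available
  ATTACHMENT_ID=$(aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id "$TGW_ID" \
    --vpc-id "$VPC_ID" --subnet-ids "$SUBNET_ID" \
    --query 'TransitGatewayVpcAttachment.TransitGatewayAttachmentId' --output text)
  wait_for_state available aws ec2 describe-transit-gateway-attachments \
    --transit-gateway-attachment-ids "$ATTACHMENT_ID" \
    --query 'TransitGatewayAttachments[0].State' --output text
  # Step 4: the on-prem router as AWS sees it (public IP + its BGP ASN)
  CGW_ID=$(aws ec2 create-customer-gateway --type ipsec.1 \
    --public-ip "$ON_PREM_PUBLIC_IP" --bgp-asn "$CGW_ASN" \
    --query 'CustomerGateway.CustomerGatewayId' --output text)
  # Step 5: BGP-routed VPN attached straight to the TGW
  VPN_ID=$(aws ec2 create-vpn-connection --type ipsec.1 \
    --customer-gateway-id "$CGW_ID" --transit-gateway-id "$TGW_ID" \
    --options '{"StaticRoutesOnly": false}' \
    --query 'VpnConnection.VpnConnectionId' --output text)
  printf 'VPC=%s SUBNET=%s TGW=%s ATTACHMENT=%s CGW=%s VPN=%s\n' \
    "$VPC_ID" "$SUBNET_ID" "$TGW_ID" "$ATTACHMENT_ID" "$CGW_ID" "$VPN_ID"
  # Tunnel status stays DOWN until the on-prem router is configured (see Checkpoints)
  aws ec2 describe-vpn-connections --vpn-connection-ids "$VPN_ID" \
    --query 'VpnConnections[0].VgwTelemetry[].Status' --output text
}

# Only touch AWS when explicitly asked, so the helpers above can be tested offline
if [ "${RUN_LAB:-0}" = 1 ]; then
  build_hub
fi
```

Run it as `RUN_LAB=1 ON_PREM_PUBLIC_IP=<your IP> sh build-hub.sh`; the printed IDs are the ones the teardown section needs, in the order it needs them. The overlap check is worth keeping even outside a lab: a VPC that shares address space with a prefix learned over BGP will have that prefix's traffic stay local, and nothing in the console flags it.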
Checkpoints
| Verification Step | Command / Action | Expected Result |
|---|---|---|
| TGW State | aws ec2 describe-transit-gateways | State: available |
| VPN Attachment | aws ec2 describe-transit-gateway-attachments | ResourceType: vpn, State: associated |
| BGP Peering | View VPN "Tunnel Details" in Console | Status: DOWN (Expected until on-prem router is configured) |
Concept Review
Understanding the BGP peering relationship is critical for the Advanced Networking exam. Below is a visual representation of the peering logic used in this lab.
Troubleshooting
| Problem | Likely Cause | Solution |
|---|---|---|
| VPN Tunnel is 'Down' | Firewall blocking UDP 500/4500 | Ensure local firewall allows ISAKMP and IPsec NAT-T traffic. |
| Routes not in VPC Table | Route propagation disabled | In the VPC Route Table, click 'Edit Routes' and add a route for 172.16.0.0/16 pointing to the TGW ID. |
| BGP Not Establishing | ASN Mismatch | Verify that the CGW ASN matches your local configuration (we used 65001). |
Cost Estimate
[!WARNING] Remember to run the teardown commands to avoid ongoing charges.
- AWS Transit Gateway: $0.05 per attachment per hour ($1.20/day).
- Site-to-Site VPN: $0.05 per connection per hour ($1.20/day).
- Data Transfer: Standard AWS data transfer rates apply (first 100GB/month free).
Challenge
The "Cloud-Native Branch" Challenge: Modify the architecture to support ECMP (Equal-Cost Multi-Pathing).
- Enable the `VPN ECMP Support` option on your Transit Gateway.
- Add a second VPN connection to the same TGW using a different Customer Gateway IP.
- Research how BGP determines the best path when ECMP is disabled.
Clean-Up / Teardown
To avoid unnecessary costs, delete resources in this specific order:
```bash
# 1. Delete VPN Connection
aws ec2 delete-vpn-connection --vpn-connection-id <VPN_ID>
# 2. Delete TGW VPC Attachment
aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACHMENT_ID>
# 3. Delete Transit Gateway (Wait for attachments to clear first)
aws ec2 delete-transit-gateway --transit-gateway-id <TGW_ID>
# 4. Delete Customer Gateway
aws ec2 delete-customer-gateway --customer-gateway-id <CGW_ID>
# 5. Delete VPC
aws ec2 delete-vpc --vpc-id <VPC_ID>
```