Lab: Maintaining Hybrid Connectivity and Dynamic Routing with Transit Gateway
Maintain routing and connectivity on AWS and hybrid networks
Lab: Maintaining Hybrid Connectivity and Dynamic Routing with Transit Gateway
This lab simulates a hybrid networking environment where you must maintain and troubleshoot routing between an "on-premises" data center (simulated by a VPC) and an AWS environment using AWS Transit Gateway (TGW) and Route Propagation.
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges for the Transit Gateway and VPC resources.
Prerequisites
- An active AWS Account.
- AWS CLI installed and configured with appropriate permissions (
AdministratorAccessrecommended for lab environments). - Basic understanding of CIDR blocks and VPC routing.
- A region with at least 2 Availability Zones available (e.g.,
us-east-1oreu-west-1).
Learning Objectives
- Configure AWS Transit Gateway for multi-VPC (Hybrid-sim) connectivity.
- Implement and verify Route Propagation from TGW to VPC route tables.
- Use VPC Reachability Analyzer to diagnose and resolve routing misconfigurations.
- Monitor hybrid traffic patterns using VPC Flow Logs.
Architecture Overview
Step-by-Step Instructions
Step 1: Provision the Network Infrastructure
We will create two VPCs with non-overlapping CIDRs to represent our hybrid environments.
CLI Command:
# Create VPC A (AWS)
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc-a}]'
# Create VPC B (Simulated On-Prem)
aws ec2 create-vpc --cidr-block 192.168.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc-b}]'▶Console alternative
Navigate to
. Create one VPC with 10.0.0.0/16 and another with 192.168.0.0/16. Name them accordingly.
Step 2: Create Transit Gateway and Attachments
The Transit Gateway acts as the central hub. We must attach both VPCs to it.
CLI Command:
# Create the TGW
aws ec2 create-transit-gateway --description "Lab TGW" --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=lab-tgw}]'
# Note the TGW ID from output (tgw-xxxxxxxx)
# Create Attachment for VPC A (Requires Subnet IDs)
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TGW_ID> --vpc-id <VPC_A_ID> --subnet-ids <SUBNET_A_ID>
# Create Attachment for VPC B
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TGW_ID> --vpc-id <VPC_B_ID> --subnet-ids <SUBNET_B_ID>Step 3: Configure Route Propagation
To maintain connectivity without manual static entries for every new subnet, we enable route propagation.
CLI Command:
# In VPC A's Route Table, add a route to VPC B via TGW
aws ec2 create-route --route-table-id <RT_VPC_A> --destination-cidr-block 192.168.0.0/16 --gateway-id <TGW_ID>[!NOTE] In a real hybrid Direct Connect setup, you would use a Direct Connect Gateway and enable propagation on the Virtual Private Gateway (VGW) to automatically populate these routes via BGP.
Checkpoints
| Checkpoint | Action | Expected Result |
|---|---|---|
| TGW State | aws ec2 describe-transit-gateways | State should be available. |
| Attachment State | Check TGW Attachments in Console | State should be available. |
| Route Table | Inspect VPC A Route Table | Should see 192.168.0.0/16 pointing to tgw-xxxx. |
Troubleshooting
| Issue | Possible Cause | Fix |
|---|---|---|
| No connectivity between VPCs | Missing TGW Route Table entry | Ensure TGW Route Table has "Associations" and "Propagations" for both VPCs. |
| Asymmetric Routing | Return path missing | Ensure VPC B's route table also has a route back to VPC A (10.0.0.0/16). |
| Security Group Block | ICMP not allowed | Check SG on both instances to allow inbound ICMP from the remote CIDR. |
Concept Review
Routing Logic Visual
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, rounded corners, minimum width=2.5cm, minimum height=1cm, align=center}] \node (src) {Source Packet$VPC A: 10.0.1.5)}; \node (rt1) [right of=src, xshift=2cm] {VPC Route Table\Check Destination}; \node (tgw) [right of=rt1, xshift=2cm, fill=orange!20] {Transit Gateway\Route Lookup}; \node (dest) [right of=tgw, xshift=2cm] {Destination$VPC B: 192.168.1.10)};
\draw[->, thick] (src) -- (rt1);
\draw[->, thick] (rt1) -- node[above, font=\scriptsize] {Target: TGW} (tgw);
\draw[->, thick] (tgw) -- node[above, font=\scriptsize] {Propagation Match} (dest);
\draw[dashed, ->] (dest.south) .. controls +(0,-1.5) and +(0,-1.5) .. (src.south) node[midway, below] {Return Path (Must exist in VPC B RT)};\end{tikzpicture}
Comparison: VGW vs. TGW
| Feature | Virtual Private Gateway (VGW) | Transit Gateway (TGW) |
|---|---|---|
| Scalability | 1-to-1 VPC mapping (mostly) | Hub-and-spoke (thousands of VPCs) |
| Routing | BGP / Static | TGW Route Tables / BGP / Equal-Cost Multi-Path (ECMP) |
| Hybrid Complexity | High for many VPCs | Simplified central management |
Stretch Challenge
Simulate a "Blackhole" Route:
- Manually add a specific static route in VPC A's Route Table for
192.168.1.0/24pointing to a non-existent network interface (ENI). - Use VPC Reachability Analyzer to create a path from an instance in VPC A to VPC B.
- Identify where the packet is dropped and fix the route priority issue.
Cost Estimate
- Transit Gateway Attachment: ~$0.05 per hour per attachment ($0.10/hr total for 2 VPCs).
- Data Processing: $0.02 per GB processed by TGW.
- Estimated Lab Cost: < $1.00 USD if completed within 1 hour.
Clean-Up / Teardown
[!IMPORTANT] Failure to delete the Transit Gateway attachments will result in continuous hourly charges.
- Delete TGW Attachments:
bash
aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACHMENT_A_ID> aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACHMENT_B_ID> - Delete Transit Gateway:
bash
aws ec2 delete-transit-gateway --transit-gateway-id <TGW_ID> - Delete VPCs:
bash
aws ec2 delete-vpc --vpc-id <VPC_A_ID> aws ec2 delete-vpc --vpc-id <VPC_B_ID>