Lab: Maintaining Hybrid Connectivity and Dynamic Routing with Transit Gateway

This lab simulates a hybrid networking environment where you must maintain and troubleshoot routing between an "on-premises" data center (simulated by a VPC) and an AWS environment using AWS Transit Gateway (TGW) and Route Propagation.

[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges for the Transit Gateway and VPC resources.

Prerequisites

An active AWS Account.
AWS CLI installed and configured with appropriate permissions (AdministratorAccess recommended for lab environments).
Basic understanding of CIDR blocks and VPC routing.
A region with at least 2 Availability Zones available (e.g., us-east-1 or eu-west-1).

Learning Objectives

Configure AWS Transit Gateway for multi-VPC (Hybrid-sim) connectivity.
Implement and verify Route Propagation from TGW to VPC route tables.
Use VPC Reachability Analyzer to diagnose and resolve routing misconfigurations.
Monitor hybrid traffic patterns using VPC Flow Logs.

Architecture Overview

Loading Diagram...

Step-by-Step Instructions

Step 1: Provision the Network Infrastructure

We will create two VPCs with non-overlapping CIDRs to represent our hybrid environments.

CLI Command:

bash

# Create VPC A (AWS)
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc-a}]'

# Create VPC B (Simulated On-Prem)
aws ec2 create-vpc --cidr-block 192.168.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc-b}]'

▶Console alternative

Navigate to

VPC > Your VPCs > Create VPC

. Create one VPC with 10.0.0.0/16 and another with 192.168.0.0/16. Name them accordingly.

Step 2: Create Transit Gateway and Attachments

The Transit Gateway acts as the central hub. We must attach both VPCs to it.

CLI Command:

bash

# Create the TGW
aws ec2 create-transit-gateway --description "Lab TGW" --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=lab-tgw}]'

# Note the TGW ID from output (tgw-xxxxxxxx)
# Create Attachment for VPC A (Requires Subnet IDs)
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TGW_ID> --vpc-id <VPC_A_ID> --subnet-ids <SUBNET_A_ID>

# Create Attachment for VPC B
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TGW_ID> --vpc-id <VPC_B_ID> --subnet-ids <SUBNET_B_ID>

Step 3: Configure Route Propagation

To maintain connectivity without manual static entries for every new subnet, we enable route propagation.

CLI Command:

bash

# In VPC A's Route Table, add a route to VPC B via TGW
aws ec2 create-route --route-table-id <RT_VPC_A> --destination-cidr-block 192.168.0.0/16 --gateway-id <TGW_ID>

[!NOTE] In a real hybrid Direct Connect setup, you would use a Direct Connect Gateway and enable propagation on the Virtual Private Gateway (VGW) to automatically populate these routes via BGP.

Checkpoints

Checkpoint	Action	Expected Result
TGW State	`aws ec2 describe-transit-gateways`	State should be `available`.
Attachment State	Check TGW Attachments in Console	State should be `available`.
Route Table	Inspect VPC A Route Table	Should see `192.168.0.0/16` pointing to `tgw-xxxx`.

Troubleshooting

Issue	Possible Cause	Fix
No connectivity between VPCs	Missing TGW Route Table entry	Ensure TGW Route Table has "Associations" and "Propagations" for both VPCs.
Asymmetric Routing	Return path missing	Ensure VPC B's route table also has a route back to VPC A (10.0.0.0/16).
Security Group Block	ICMP not allowed	Check SG on both instances to allow inbound ICMP from the remote CIDR.

Concept Review

Routing Logic Visual

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Comparison: VGW vs. TGW

Feature	Virtual Private Gateway (VGW)	Transit Gateway (TGW)
Scalability	1-to-1 VPC mapping (mostly)	Hub-and-spoke (thousands of VPCs)
Routing	BGP / Static	TGW Route Tables / BGP / Equal-Cost Multi-Path (ECMP)
Hybrid Complexity	High for many VPCs	Simplified central management

Stretch Challenge

Simulate a "Blackhole" Route:

Manually add a specific static route in VPC A's Route Table for 192.168.1.0/24 pointing to a non-existent network interface (ENI).
Use VPC Reachability Analyzer to create a path from an instance in VPC A to VPC B.
Identify where the packet is dropped and fix the route priority issue.

Cost Estimate

Transit Gateway Attachment: ~$0.05 per hour per attachment ($0.10/hr total for 2 VPCs).
Data Processing: $0.02 per GB processed by TGW.
Estimated Lab Cost: < $1.00 USD if completed within 1 hour.

Clean-Up / Teardown

[!IMPORTANT] Failure to delete the Transit Gateway attachments will result in continuous hourly charges.

Delete TGW Attachments:
bash
aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACHMENT_A_ID> aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACHMENT_B_ID>
Delete Transit Gateway:
bash
aws ec2 delete-transit-gateway --transit-gateway-id <TGW_ID>
Delete VPCs:
bash
aws ec2 delete-vpc --vpc-id <VPC_A_ID> aws ec2 delete-vpc --vpc-id <VPC_B_ID>

Lab: Maintaining Hybrid Connectivity and Dynamic Routing with Transit Gateway

[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges for the Transit Gateway and VPC resources.

Prerequisites

An active AWS Account.
AWS CLI installed and configured with appropriate permissions (AdministratorAccess recommended for lab environments).
Basic understanding of CIDR blocks and VPC routing.
A region with at least 2 Availability Zones available (e.g., us-east-1 or eu-west-1).

Learning Objectives

Configure AWS Transit Gateway for multi-VPC (Hybrid-sim) connectivity.
Implement and verify Route Propagation from TGW to VPC route tables.
Use VPC Reachability Analyzer to diagnose and resolve routing misconfigurations.
Monitor hybrid traffic patterns using VPC Flow Logs.

Architecture Overview

Loading Diagram...

Step-by-Step Instructions

Step 1: Provision the Network Infrastructure

We will create two VPCs with non-overlapping CIDRs to represent our hybrid environments.

CLI Command:

bash

# Create VPC A (AWS)
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc-a}]'

# Create VPC B (Simulated On-Prem)
aws ec2 create-vpc --cidr-block 192.168.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc-b}]'

▶Console alternative

Navigate to

VPC > Your VPCs > Create VPC

. Create one VPC with 10.0.0.0/16 and another with 192.168.0.0/16. Name them accordingly.

Step 2: Create Transit Gateway and Attachments

The Transit Gateway acts as the central hub. We must attach both VPCs to it.

CLI Command:

bash

# Create the TGW
aws ec2 create-transit-gateway --description "Lab TGW" --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=lab-tgw}]'

# Note the TGW ID from output (tgw-xxxxxxxx)
# Create Attachment for VPC A (Requires Subnet IDs)
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TGW_ID> --vpc-id <VPC_A_ID> --subnet-ids <SUBNET_A_ID>

# Create Attachment for VPC B
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TGW_ID> --vpc-id <VPC_B_ID> --subnet-ids <SUBNET_B_ID>

Step 3: Configure Route Propagation

To maintain connectivity without manual static entries for every new subnet, we enable route propagation.

CLI Command:

bash

# In VPC A's Route Table, add a route to VPC B via TGW
aws ec2 create-route --route-table-id <RT_VPC_A> --destination-cidr-block 192.168.0.0/16 --gateway-id <TGW_ID>

[!NOTE] In a real hybrid Direct Connect setup, you would use a Direct Connect Gateway and enable propagation on the Virtual Private Gateway (VGW) to automatically populate these routes via BGP.

Checkpoints

Checkpoint	Action	Expected Result
TGW State	`aws ec2 describe-transit-gateways`	State should be `available`.
Attachment State	Check TGW Attachments in Console	State should be `available`.
Route Table	Inspect VPC A Route Table	Should see `192.168.0.0/16` pointing to `tgw-xxxx`.

Troubleshooting

Issue	Possible Cause	Fix
No connectivity between VPCs	Missing TGW Route Table entry	Ensure TGW Route Table has "Associations" and "Propagations" for both VPCs.
Asymmetric Routing	Return path missing	Ensure VPC B's route table also has a route back to VPC A (10.0.0.0/16).
Security Group Block	ICMP not allowed	Check SG on both instances to allow inbound ICMP from the remote CIDR.

Concept Review

Routing Logic Visual

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Comparison: VGW vs. TGW

Feature	Virtual Private Gateway (VGW)	Transit Gateway (TGW)
Scalability	1-to-1 VPC mapping (mostly)	Hub-and-spoke (thousands of VPCs)
Routing	BGP / Static	TGW Route Tables / BGP / Equal-Cost Multi-Path (ECMP)
Hybrid Complexity	High for many VPCs	Simplified central management

Stretch Challenge

Simulate a "Blackhole" Route:

Manually add a specific static route in VPC A's Route Table for 192.168.1.0/24 pointing to a non-existent network interface (ENI).
Use VPC Reachability Analyzer to create a path from an instance in VPC A to VPC B.
Identify where the packet is dropped and fix the route priority issue.

Cost Estimate

Transit Gateway Attachment: ~$0.05 per hour per attachment ($0.10/hr total for 2 VPCs).
Data Processing: $0.02 per GB processed by TGW.
Estimated Lab Cost: < $1.00 USD if completed within 1 hour.

Clean-Up / Teardown

[!IMPORTANT] Failure to delete the Transit Gateway attachments will result in continuous hourly charges.

Delete TGW Attachments:
bash
aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACHMENT_A_ID> aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACHMENT_B_ID>
Delete Transit Gateway:
bash
aws ec2 delete-transit-gateway --transit-gateway-id <TGW_ID>
Delete VPCs:
bash
aws ec2 delete-vpc --vpc-id <VPC_A_ID> aws ec2 delete-vpc --vpc-id <VPC_B_ID>