Ahmet Ozan GAZİ
AWS Site-to-Site VPN Connection and Distribution over AWS Transit Gateway

AWS Site-to-Site VPN and Transit Gateway Cross-Account Routing

Introduction

In enterprise cloud infrastructures, establishing secure and scalable network connections between different AWS accounts and VPCs (Virtual Private Clouds) is critically important. AWS provides services such as Site-to-Site VPN and Transit Gateway to meet this need. This article explains, step by step, how to route network traffic between multiple AWS accounts using Site-to-Site VPN and Transit Gateway.


1. Basic Concepts

Site-to-Site VPN

AWS Site-to-Site VPN creates an encrypted tunnel between your on-premises data center and your AWS VPC. This enables secure data transmission between your on-premises network and cloud environment.

Transit Gateway

AWS Transit Gateway allows you to connect multiple VPCs and on-premises networks through a central hub. This structure simplifies network management and increases scalability.


2. Scenario and Architecture Definition

  • Account A: the main AWS account, connected to the on-premises data center.
  • Accounts B and C: separate AWS accounts, each with its own VPC.
  • Objective: provide secure, centralized access from the on-premises data center to the VPCs in Accounts B and C.

3. Step-by-Step Setup

3.1. Creating Transit Gateway (Account A)

  1. Sign in to AWS Management Console with Account A.
  2. Follow the steps: VPC Dashboard > Transit Gateways > Create Transit Gateway.
  3. Give the Transit Gateway a meaningful name and configure the remaining settings as required.
  4. Note the Transit Gateway ID.

3.2. Creating Transit Gateway Attachments

a) Connecting Account A's VPC to Transit Gateway

  • Create a new attachment from the Transit Gateway Attachments section in VPC Dashboard.
  • Select the relevant VPC in Account A and connect it to the Transit Gateway.

b) Creating VPC Attachments in Other Accounts (B and C)

  • In Accounts B and C, enable Transit Gateway sharing through Resource Access Manager (RAM).
  • Share the Transit Gateway from Account A.
  • In Accounts B and C, attach their own VPCs to the shared Transit Gateway.

3.3. Site-to-Site VPN Setup

  1. Create a Customer Gateway and a Virtual Private Gateway in Account A.
  2. Create the Site-to-Site VPN Connection and enter your on-premises network information.
  3. Connect the VPN connection to the Transit Gateway (create an attachment).

3.4. Route Table and Routing

  • Add routes to each VPC's route table so that traffic destined for the other VPCs and the on-premises network is sent to the Transit Gateway.
  • Define routes in the Transit Gateway Route Table so that incoming traffic is forwarded to the correct VPC attachment or VPN attachment.

3.5. Security Groups and NACLs

  • Configure security groups and network access control lists (NACLs) to allow only the required ports and protocols.

4. Testing and Validation

  • Test the connection from the on-premises network by pinging, or connecting over SSH to, resources (e.g., EC2 instances) in Accounts B and C.
  • Monitor traffic using AWS VPC Flow Logs and CloudWatch.

5. Best Practices

  • Segment Transit Gateway Route Tables to ensure network isolation.
  • Securely manage resource sharing with IAM and RAM.
  • Use two tunnels for high availability in VPN connections.
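The first best practice above is the one that decides whether Accounts B and C can see each other. As an added example that is not part of the original post, the following Python models the two Transit Gateway routing primitives used in section 3.4 (an attachment is *associated* with one route table, and *propagates* its CIDRs into any number of tables) on constructed attachment IDs and CIDRs for Accounts A, B and C, and compares the single default route table with a segmented layout. Static and blackhole routes are not modelled; this is a reachability check, not the AWS service itself.

```python
from ipaddress import ip_address, ip_network
# Constructed attachments for the page's scenario: id -> (kind, CIDRs behind it).
ATTACHMENTS = {
    "tgw-attach-vpn-a": ("vpn", ["10.0.0.0/16"]),  # on-prem, via Site-to-Site VPN (Account A)
    "tgw-attach-vpc-b": ("vpc", ["10.1.0.0/16"]),  # Account B VPC
    "tgw-attach-vpc-c": ("vpc", ["10.2.0.0/16"]),  # Account C VPC
}

def build_tables(propagations):
    """Propagation adds an attachment's CIDRs to a TGW route table: {table: [(net, att)]}."""
    tables = {}
    for table, att_ids in propagations.items():
        tables[table] = [(ip_network(c), a) for a in att_ids for c in ATTACHMENTS[a][1]]
    return tables

def next_hop(tables, associations, src_att, dst_ip):
    """Association picks the table used for traffic *entering* the TGW from src_att;
    return the attachment chosen by longest-prefix match, or None (blackholed)."""
    table = tables.get(associations[src_att], [])
    matches = [(net, att) for net, att in table if ip_address(dst_ip) in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def spoke_to_spoke_paths(tables, associations):
    """Policy check: VPC attachment pairs that can reach each other through the TGW."""
    vpcs = [a for a, (kind, _) in ATTACHMENTS.items() if kind == "vpc"]
    return [(s, d) for s in vpcs for d in vpcs if s != d
            and next_hop(tables, associations, s, str(ip_network(ATTACHMENTS[d][1][0])[1])) == d]

# Design 1: single default table, every attachment associated with and propagated into it.
FLAT_ASSOC = {a: "tgw-rtb-default" for a in ATTACHMENTS}
FLAT_PROP = {"tgw-rtb-default": list(ATTACHMENTS)}

# Design 2 (segmented tables): the VPN attachment uses an on-prem table that learns every
# spoke; the spokes use a table that learns only the VPN, so B and C never reach each other.
SEG_ASSOC = {"tgw-attach-vpn-a": "tgw-rtb-onprem",
             "tgw-attach-vpc-b": "tgw-rtb-spokes", "tgw-attach-vpc-c": "tgw-rtb-spokes"}
SEG_PROP = {"tgw-rtb-onprem": ["tgw-attach-vpc-b", "tgw-attach-vpc-c"],
            "tgw-rtb-spokes": ["tgw-attach-vpn-a"]}

def check(assoc, prop):
    """Reachability summary for one design: on-prem<->spoke paths plus any spoke-to-spoke leaks."""
    tables = build_tables(prop)
    return {
        "b_to_onprem": next_hop(tables, assoc, "tgw-attach-vpc-b", "10.0.5.5"),
        "onprem_to_c": next_hop(tables, assoc, "tgw-attach-vpn-a", "10.2.9.9"),
        "spoke_leaks": spoke_to_spoke_paths(tables, assoc),
    }

if __name__ == "__main__":
    print("flat:     ", check(FLAT_ASSOC, FLAT_PROP))
    print("segmented:", check(SEG_ASSOC, SEG_PROP))
```

Both designs give every spoke a path to on-prem and back; only the flat design also reports spoke-to-spoke paths, which is exactly what the segmented route tables remove.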

Conclusion

With AWS Site-to-Site VPN and Transit Gateway, you can establish a centralized, secure, and scalable network architecture between different AWS accounts and on-premises networks. This structure greatly simplifies network management in large-scale and multi-account architectures.
