Attach VPCs to an AWS Transit Gateway
AWS Transit Gateway (TGW) enables transitive routing from on-premises networks through VPN and from other VPCs. By creating a Transit Gateway VPC attachment, services in an Aiven Project VPC can route traffic to all other networks attached - directly or indirectly - to the Transit Gateway.
Set up a project VPC
Create a VPC on the Aiven platform in the same region as your Transit Gateway.
Set up a VPC attachment for your Project VPC
Install the Aiven CLI
These instructions apply to the Aiven CLI, but the same configuration can also be managed using Aiven Console.
Locate your AWS account and AWS Transit Gateway ID
To attach a VPC to a Transit Gateway in a different account, the AWS account ID must be included. This ID is 12 digits long and will be referred to below as $user_account_id. In addition, the ID of the Transit Gateway itself is needed. This has the format tgw-... with the dots being 17 hexadecimal characters. It will be referred to as $user_tgw_id.
Share the AWS Transit Gateway with the Aiven AWS account
Before the Aiven platform can attach the Project VPC located in the Aiven AWS account to the Transit Gateway in your account, the TGW needs to be shared using AWS Resource Access Manager. Sharing the TGW allows the Aiven account to describe the TGW and its route tables, and to request attaching VPCs (and VPNs) to it. Note that attachments are not automatically created when the VPC and TGW reside in different accounts: the TGW owner account needs to accept a VPC attachment, similar to how VPC peering connections must be accepted before they become available.
A resource share can be created using the AWS RAM console, or the AWS CLI using the create-resource-share command. Add the Transit Gateway as a resource to the share, and the Aiven AWS account ID as a principal. The Aiven AWS account ID is 675999398324.
Find your project VPC ID
Use avn vpc list to find the ID for your Project VPC. The project_vpc_id value (a UUID4 string) will be referred to as $project_vpc_id later.
Determine the IP ranges to route from the Project VPC to the AWS Transit Gateway
While a Transit Gateway has a route table of its own, and will by default route traffic to each attached network (directly to attached VPCs or indirectly via VPN attachments), the route tables of the attached VPCs need to be updated to include the TGW as a target for any IP range (CIDR) that should be routed using the VPC attachment. These IP ranges must be configured when creating the attachment for an Aiven Project VPC. The IPv4 range will be referred to below as $user_peer_network_cidr.
Create Aiven peering connection
A Transit Gateway VPC attachment is created by making a request to the Aiven API for a peering connection. The Aiven API handles both actual AWS VPC peering connections and AWS Transit Gateway VPC attachments as peering connections.
avn vpc peering-connection create \
--project-vpc-id $project_vpc_id \
--peer-cloud-account $user_account_id \
--peer-vpc $user_tgw_id \
--user-peer-network-cidr $user_peer_network_cidr
Note that you can use the --user-peer-network-cidr argument multiple times to define more than one peer network CIDR. It's also possible to create the attachment without any CIDRs and add them later (though the attachment will not be of any use until that is done, since no addresses will be routed through the TGW from the Project VPC).
Accept AWS Transit Gateway VPC attachment
After running the vpc peering-connection create command, the state of the Aiven peering connection is APPROVED. Once the Aiven platform has built the connection by creating an AWS Transit Gateway VPC attachment, the state changes to PENDING_PEER if everything went well. Otherwise the state information will indicate why the attachment failed to be created. Note that it may take up to a few minutes before building the attachment has completed.
The state can be checked using:
avn vpc peering-connection get \
--project-vpc-id $project_vpc_id \
--peer-cloud-account $user_account_id \
--peer-vpc $user_tgw_id -v
Once the state is PENDING_PEER, the output will contain a message instructing you to accept a VPC attachment in your AWS account. The Aiven platform monitors the attachment until it has been accepted, and once that is detected the state changes to ACTIVE, indicating that the VPC attachment is operational, the Project VPC route table has been updated to route $user_peer_network_cidr to the Transit Gateway, and service nodes in the Project VPC have opened firewall access to those networks.
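The following helper, added here as an example and not part of the Aiven CLI or Aiven's documentation, ties the steps above together: it checks that $user_account_id, $user_tgw_id, $project_vpc_id and the peer CIDRs have the formats the text describes before anything is created, builds the create command with one --user-peer-network-cidr per range, and maps the APPROVED / PENDING_PEER / ACTIVE states to the operator's next action. The dictionary passed to next_step is a constructed stand-in for the peering-connection record, assumed to carry "state" and "state_info" keys.

```python
"""Pre-flight checks and state interpretation for an Aiven TGW VPC attachment.
Added example, not Aiven's code; the record shape in next_step is assumed."""
import ipaddress
import re
import uuid

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")        # 12-digit AWS account ID
TGW_ID_RE = re.compile(r"^tgw-[0-9a-f]{17}$")  # tgw- followed by 17 hex chars


def validate_inputs(account_id, tgw_id, project_vpc_id, cidrs):
    """Return a list of problems; an empty list means all values are well formed."""
    problems = []
    if not ACCOUNT_ID_RE.match(account_id):
        problems.append(f"account ID {account_id!r} is not 12 digits")
    if not TGW_ID_RE.match(tgw_id):
        problems.append(f"TGW ID {tgw_id!r} is not tgw- plus 17 hex characters")
    try:
        if uuid.UUID(project_vpc_id).version != 4:
            problems.append(f"project VPC ID {project_vpc_id!r} is not a UUID4")
    except ValueError:
        problems.append(f"project VPC ID {project_vpc_id!r} is not a UUID")
    for cidr in cidrs:
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.1.2.3/16
            ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"CIDR {cidr!r}: {exc}")
    return problems


def create_command(project_vpc_id, account_id, tgw_id, cidrs):
    """Build the avn argv; --user-peer-network-cidr is repeated once per range."""
    argv = ["avn", "vpc", "peering-connection", "create",
            "--project-vpc-id", project_vpc_id,
            "--peer-cloud-account", account_id,
            "--peer-vpc", tgw_id]
    for cidr in cidrs:
        argv += ["--user-peer-network-cidr", cidr]
    return argv


def next_step(connection):
    """Map the peering-connection state to what the operator should do next."""
    state = connection.get("state")
    if state == "APPROVED":
        return "wait: Aiven is still building the TGW VPC attachment"
    if state == "PENDING_PEER":
        return "accept the TGW VPC attachment in the AWS account that owns the TGW"
    if state == "ACTIVE":
        return "done: routes and firewall rules for the peer CIDRs are in place"
    return f"failed ({state}): {connection.get('state_info')}"
```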