Create AWS Site with TGW

Objective

This guide provides instructions on how to create and deploy an AWS Transit Gateway (TGW) site from VoltConsole. For more information on Volterra sites, see Volterra Site.

Using the instructions in this guide, you create an AWS TGW site object in VoltConsole and then deploy the VPC with the TGW site using that object.

Note: Configuring a site mesh group is not supported for sites deployed from VoltConsole.


Design

The AWS TGW Site orchestrates and automates the deployment and management of AWS TGW related resources, as well as the resources needed to deploy a Volterra AWS Site in a new or existing VPC, which in this case is called the Services VPC.

AWS TGW - Site Deployment & TGW Creation

The AWS TGW Site 1) automates the creation of the TGW resource, the TGW route tables, and the VPN connection between the TGW and the Volterra Site; 2) attaches the VPN connection to the TGW; and 3) adds a default route to the main route table of each attached VPC.

There are two TGW route tables which are created:

  1. VPC route table
  2. Services route table

The VPC route table is where all the VPC attachments are associated, and the route is propagated into it from the Volterra Site via BGP over the VPN attachment. The default route advertised by the Volterra Site is installed in the VPC route table so that it attracts all traffic coming from the VPC attachments associated with that table.

The Services route table is where the VPN connection to the Volterra site is associated; the routes of the VPCs attached to the TGW are propagated into the services route table. The same VPC CIDR routes are learned by the Volterra Site via its BGP session with the TGW. The following describes North-South traffic from the Spoke VPC as shown in the Figure: AWS TGW - Services VPC + TGW + Single VPC Attachment.

  • Egress FROM Spoke VPC (HR): Traffic originating from source 192.168.100.0/22 lands in the VPC route table. Traffic destined to any address matches the 0.0.0.0/0 route, which points to an Equal Cost Multi-Path (ECMP) group towards interfaces vpn-att-4 and vpn-att-5 (the Volterra nodes installed in the services VPC), and is eventually sent out towards the TGW (after VoltMesh features and policy are applied).
  • Ingress TO Spoke VPC (HR): Traffic from any source landing in the services route table matches on destination 192.168.100.0/22, whose matching interface is vpc-att-3. Traffic is then forwarded to the spoke VPC.

Figure: AWS TGW - Services VPC + TGW + Single VPC Attachment

AWS TGW - VPC Attachments

You can create a VPC attachment of a spoke VPC to the TGW not only while creating the initial AWS TGW Site but also after the site is deployed. Go to the VPC attachments section, add the VPC ID, and then assign key-value labels to each VPC ID. These labels can be used when creating network policy to allow traffic between the VPCs and to the Internet.

Once VPC attachments are added to the AWS TGW Site and the apply action completes, all these VPCs are attached to the TGW. The VPC attachments are associated with the VPC route table so that all traffic coming from the VPCs is routed to the Volterra Site because of the default route pointing to the VPN attachment. The same VPC attachments are also added to the services route table so that the VPC CIDR routes are propagated to the CE (the Volterra site).

The site deployment workflow creates a default route pointing to the transit gateway in the main route table of every VPC attached to the TGW.

Figure: AWS TGW with additional VPC Attachments

East-West Traffic:

  1. From the main route table of the VPC, the traffic is directed toward the transit gateway because of the default route.
  2. In the transit gateway's VPC route table, a route lookup is done and the traffic moves to the Volterra site, which is the next hop.
  3. The Volterra site's route table has all the VPC routes learned from the TGW, with the next hop (NH) set to the TGW.
  4. Next, a lookup is done in the services route table and the traffic goes to the destination VPC through its attachment.

North-South Traffic:

The following is the ingress/egress traffic flow from VPC to Internet:

  1. From the main route table of the VPC, the traffic is directed toward the transit gateway because of the default route.
  2. In the transit gateway's VPC route table, a route lookup is done and the traffic moves to the Volterra site, which is the next hop.
  3. In the Volterra Site route table, the default route points to the forward proxy, which connects the inside network to the outside network. SNAT is performed on the outside interface and the traffic is sent to the Internet.
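The two TGW route tables and the East-West and North-South flows above, modelled as an added illustration (this is not Volterra code). The HR VPC CIDR and the vpn-att-4, vpn-att-5 and vpc-att-3 names come from the figure; the second spoke VPC 192.168.200.0/22 behind vpc-att-6 is constructed here so that an East-West path can be traced.

```python
"""Model of the TGW VPC and services route tables described above.
Added illustration; the second spoke VPC (vpc-att-6) is constructed."""
from ipaddress import ip_address, ip_network

SPOKE_VPCS = {                       # VPC CIDR -> TGW VPC attachment
    "192.168.100.0/22": "vpc-att-3",  # HR spoke, from the figure
    "192.168.200.0/22": "vpc-att-6",  # constructed second spoke
}
VPN_ATTACHMENTS = ["vpn-att-4", "vpn-att-5"]  # the two Volterra nodes


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, targets).
    A targets list with several entries is an ECMP group."""
    best = None
    for prefix, targets in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, targets)
    return best[1] if best else None


def vpc_main_rt(cidr):
    """Main route table of an attached VPC: the local CIDR plus the
    default route the site workflow installs, pointing at the TGW."""
    return [(cidr, ["local"]), ("0.0.0.0/0", ["tgw"])]


# TGW VPC route table: only the default route the site advertises over BGP.
TGW_VPC_RT = [("0.0.0.0/0", VPN_ATTACHMENTS)]
# TGW services route table: attached VPC CIDRs propagated from the attachments.
TGW_SERVICES_RT = [(cidr, [att]) for cidr, att in SPOKE_VPCS.items()]
# Volterra site: VPC routes learned via BGP (NH = TGW) plus a default route
# to the forward proxy on the outside interface.
SITE_RT = [(cidr, ["tgw"]) for cidr in SPOKE_VPCS] + [("0.0.0.0/0", ["forward-proxy"])]


def source_vpc(ip):
    for cidr in SPOKE_VPCS:
        if ip in ip_network(cidr):
            return cidr
    raise ValueError(f"{ip} is not inside an attached VPC")


def trace(src, dst):
    """Return the hop-by-hop path of a packet sent from an attached VPC."""
    src, dst = ip_address(src), ip_address(dst)
    path = []
    hop = lookup(vpc_main_rt(source_vpc(src)), dst)
    if hop == ["local"]:
        return ["vpc-main-rt:local"]  # intra-VPC, never reaches the TGW
    path.append(f"vpc-main-rt:{hop[0]}")
    # Step 2: the VPC route table only holds the default route -> ECMP to the site.
    path.append("tgw-vpc-rt:ecmp(" + ",".join(lookup(TGW_VPC_RT, dst)) + ")")
    # Step 3: the site enforces policy, then routes by its own table.
    site_hop = lookup(SITE_RT, dst)[0]
    path.append(f"volterra-site:policy-enforced:{site_hop}")
    if site_hop == "forward-proxy":
        path.append("outside-interface:snat -> internet")   # North-South
    else:  # Step 4: back into the TGW, services route table, out the attachment
        path.append("tgw-services-rt:" + lookup(TGW_SERVICES_RT, dst)[0])
    return path


if __name__ == "__main__":
    print(trace("192.168.100.10", "192.168.200.20"))  # East-West
    print(trace("192.168.100.10", "8.8.8.8"))         # North-South
```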

Network Policies

The Volterra Site can be your ingress/egress and east-west security policy enforcement point, as all traffic coming from the attached VPCs flows through the Volterra Site. If the traffic does not match what is defined in your network policy, the default action is to deny it.

Network Policies Between Attached VPCs (East-West Traffic)

It is common for enterprises to have the workloads of one department or environment spread across multiple VPCs, so you must be able to create a single network policy that applies to multiple attached VPCs.

For such scenarios, you can assign the same labels to group the VPCs attached to the TGW. The exact same labels can be used as the label selector when selecting an endpoint in the network policy. You can then define ingress and egress policies with respect to that endpoint. The network policy is applied to all traffic going towards or coming from the VPCs whose labels match the selector.

Network Policies for Ingress/Egress Traffic

Even for ingress/egress traffic, you can continue to use a label selector to select the VPCs for which you are defining the network policy. Define the egress policy by adding egress rules, from the point of view of the VPC, to deny or allow a specific traffic pattern. Likewise, add ingress rules to deny or allow traffic coming towards the endpoint according to your intent.

Forward Proxy Policy for Attached VPCs

Using a forward proxy policy, you can specify allowed or denied TLS domains and HTTP URLs. Traffic from workloads on private subnets towards the Internet via the Volterra AWS TGW site is allowed or denied accordingly.


Prerequisites

The following prerequisites apply:


Deployment

AWS TGW site creation and management requires performing the following sequence of actions:

Phase                        Description
Create AWS TGW Site Object   Create the TGW site object in VoltConsole using the guided wizard.
Deploy Site                  Deploy the VPC and site configured in the TGW site object using the automatic or assisted method.

Create AWS TGW Site Object

The wizard to create the TGW site object guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.

Perform the following steps:

Step 1: Log into the VoltConsole and start AWS TGW site object creation.

Select Manage -> Site Management from the section tabs in the system namespace on the primary navigation. Select AWS TGW Site from the pages. Click Add AWS TGW Site. Enter a name for your TGW site object in the metadata section.

Step 2: Configure the TGW and VPC settings.

Go to the AWS Configuration section and click Edit under the AWS TGW, Services VPC and Nodes field. This opens the configuration form for the services VPC, TGW, and site node settings.

Step 2.1: Configure the region and services VPC.

Perform the following in the Services VPC section:

  • Select a region in the AWS Region drop-down field.
  • Select an option for the Select Services VPC field and configure as per the following guidelines:

    • For the New VPC Parameters option, select an option for the AWS VPC Name field. The Autogenerate VPC Name option is selected by default. If you select the Choose VPC Name option, enter a VPC name in the Choose VPC Name field.
    • For the Existing VPC option, enter an existing VPC name in the Existing VPC field.
  • Enter the CIDR in the Primary IPv4 CIDR block field.

Step 2.2: Configure the TGW settings.

  • Go to the Transit Gateway section, select an option for the Select Transit Gateway field, and configure using the following guidelines:

    • For the New TGW Parameters option, select an option for the Select BGP ASN field. If you select Automatic, Volterra assigns the ASNs for the TGW and the site. If you select User will assign ASN for TGW and Volterra, enter the ASNs in the Enter TGW ASN and Enter Volterra Site ASN fields. The supported ASN range is 64513 to 65534.
    • For the Existing TGW option, enter the TGW ID in the Existing TGW ID field, and enter the ASNs in the Enter TGW ASN and Enter Volterra Site ASN fields.

Figure: Services VPC and TGW Configuration

Step 2.3: Configure site node parameters.

Go to the Site Node Parameters section and configure using the following guidelines:
  • Select an option for the AWS Instance Type for Node field.
  • Enter your public key in the Public SSH key field for SSH access to your node later.
  • Select an option for the AWS AZ name field that matches the configured AWS Region.
  • Select New Subnet or Existing Subnet ID for the Workload Subnet field. Enter either a subnet address in the IPv4 Subnet field or a subnet ID in the Existing Subnet ID field accordingly.
  • Select New Subnet or Existing Subnet ID for the Subnet for Outside Interface field. Enter either a subnet address in the IPv4 Subnet field or a subnet ID in the Existing Subnet ID field accordingly.

Note: The workload subnet is the network where your application workloads are hosted.

Figure: Site Node Parameters

Note: The AWS Certified Hardware is set to aws-byol-multi-nic-voltmesh by default. You can add more than one node using the Add item option.

Step 2.4: Set the deployment type.

Go to the Deployment section and select an option for the Select Automatic or Assisted Deployment field. Perform further actions as per the following guidelines.

  • For the Automatic Deployment option, select an existing AWS credentials object or click Create new aws cred to load the new credential creation wizard.

Note: Refer to the Cloud Credentials guide for more information. Ensure that the AWS credentials are applied with required access policies in accordance with the Policy Requirements document.

  • For the Assisted Deployment option, obtain the AWS parameters after this object is created in VoltConsole and perform the site deployment using the instructions in the Deploy Site chapter.

Click Apply to apply the services VPC and TGW settings to the AWS TGW object.

Step 3: Optionally, configure VPC attachments.
  • Go to the VPC attachments section and click Configure to open the VPC attachments configuration screen.
  • Click Add item in the Vpc list section.
  • Enter VPC ID in the VPC ID field. Select labels in the Labels For VPC ID field.
  • Click Apply.

Note: You can add multiple VPC attachments using the Add item button. You can add VPC attachments during AWS TGW site creation or you can edit an existing TGW site configuration to add VPC attachments.

Step 4: Optionally, perform TGW network configuration.
  • Go to the Network Configuration section and click Configure to open the TGW virtual network configuration screen.
  • Click Show Advanced Fields to enable the advanced options.
  • Select Manage Static Routes for the Manage Static Routes for Inside Network field and perform configuration using the following guidelines for the Static route list field.

    • Select Simple Static Route and enter a static route in the Simple Static Route field, or
    • Select Custom Static Route, click Configure under the Custom Static Route option, and perform the following steps:
      • In the Subnets section, click Add item and then select the IPv4 or IPv6 option for the Version field. Enter a prefix and prefix length for your subnet. You can click Add item again to set more subnets.
      • In the Nexthop section, select a next-hop type for the Type field. Select IPv4 or IPv6 for the Version field in the Address section, and enter an IP address accordingly. Click Select interface object in the Network Interface section and select a network interface, or click Create new network interface to create and apply a new network interface. Click Select interface object to apply the interface.
      • In the Static Route Labels section, select supported labels in the Static Route Labels field. You can select more than one from this list.
      • In the Attributes section, select supported attributes in the Attributes field. You can select more than one from this list.
      • Click Apply to add the custom route.
  • Select Manage Static Routes for the Manage Static Routes for Outside Network field and click Add item for the Static route list field. Follow the same procedure as that of managing the static routes for inside network.
  • Click Apply.

Note: You can use the Add item button to add multiple inside and outside networks.

  • Select Connect Global Networks option for the Select Global Networks to Connect field. Click Configure under the Global Network Connections field.
  • Select an option for the Select Network Connection Type field.
  • Select a global network object from the displayed list or select Create new global vn option for the Global Virtual Network field. If you select Create new global vn, the global network creation form opens. Create a global network using the guided form and click Continue to apply the network to the global network connection configuration.

This example shows simple static routes:

Figure: TGW Virtual Networks Configuration

  • Click Apply to apply the TGW network configuration.

Step 5: Optionally, perform TGW security configuration.
  • Go to the Security Configuration section and click Configure to open the TGW security configuration screen.
  • In the Manage Forward Proxy Policy field, select a forwarding policy from the drop-down list.

    • Disable Forward Proxy is the default and will not forward traffic.
    • Enable Forward Proxy with Allow All Policy will forward all traffic.
    • Enable Forward Proxy and Manage Policies will forward traffic based on the policy you select or specify. Then, in the Forward Proxy Policies field, select an existing policy or select Create new forward proxy policy to create a new one.
  • Select Active Network Policies in the Manage Network Policy field. Select an existing network policy view or select Create new network policy view. After creating the policy, click Continue to apply.
  • In the Manage East-West Service Policy field, select an option from the drop-down list.

    • Disable East-West Service Policy is the default and will not use a proxy for east-west traffic.
    • Enable East-West Service Policy will use a proxy for east-west traffic. Next click Add item to select an existing policy or select Create new service policy for a new one.
    • Enable East-West Service Proxy with Allow All Policy will send all east-west traffic through a proxy for monitoring. You can specify additional policies with the Add item button.

Note: A new service policy can also be created from the Security -> Firewall -> Service Policies page.

Figure: TGW Security Configuration

  • Click Apply.

Step 6: Optionally, set up geographical site information.
  • Go to the Software Configuration section, click Show Advanced Fields, and enter the geographical address and/or latitude/longitude for the site location.

Step 7: Complete the AWS TGW site object creation.
  • Optionally, go to the Advanced Configuration section, click Show Advanced Fields, and configure the following items.

    • In the Logs Streaming field, select Enable Logs Streaming and then select a log receiver or create a new log receiver.
    • Enter the Volterra software version and OS version in the Software Version and Operating System Version fields respectively.
  • Click Save and Exit to complete creating the AWS TGW site.

Note: The Status field for the AWS TGW object shows Generated.


Deploy Site

Creating the AWS TGW site object in VoltConsole generates the terraform parameters. You can deploy the site using automatic or assisted deployment, depending on the deployment type configured in your AWS TGW object.

Automatic Deployment

Perform this procedure if you created the TGW object with the automatic deployment option.

  • Navigate to the created AWS TGW site object using the Manage -> Site Management -> AWS TGW Site option. Find your AWS TGW site object and click Apply under the Actions column. The Status field for your AWS TGW site object changes to Applying.

Note: Optionally, you can run terraform plan before the deployment. Find your AWS TGW site object and click ... -> Plan (Optional) to start the terraform plan action, which creates the execution plan for terraform.

  • Wait for the apply to complete and the status to change to Applied.

Note: You can check the status for the apply action. Click ... -> Terraform Parameters for your AWS TGW site object and click the Apply Status tab.

  • Navigate to Sites -> Sites List. Find your site from the displayed list and verify that the status is ONLINE.

Note: It takes a few minutes for the site to be deployed and status to become ONLINE.

Assisted Deployment

Perform this procedure if you created the AWS TGW object with the assisted deployment option.

  • Download the terraform variables for the assisted deployment. Navigate to the created AWS TGW site object using the Manage -> Site Management -> AWS TGW Site path.
  • Find your AWS TGW site object and click ... -> Terraform Parameters for it. Copy the parameters to a file on your local machine.
  • Download Volterra's volt-terraform container.
docker pull gcr.io/volterraio/volt-terraform
  • Run the terraform container.
docker run --entrypoint tail --name terraform-cli -d -it \
-w /terraform/templates \
-v ${HOME}/.ssh:/root/.ssh \
gcr.io/volterraio/volt-terraform:latest \
-f /dev/null
  • Copy the downloaded terraform variables file to the container. The following example copies it to the /var/tmp folder in the container.
docker cp /Users/ted/Downloads/system-aws-tgw-a.json terraform-cli:/var/tmp
  • Download the API certificate from VoltConsole and copy it to the container.
docker cp /Users/ted/Downloads/playground.console.api-creds.p12 terraform-cli:/var/tmp

Note: See Generate API Certificate for information on API credentials.

  • Enter the terraform container.
docker exec -it terraform-cli sh
  • Configure the AWS API access key and secret key.
aws configure

Note: For more information, refer to AWS documentation.

  • Change to the AWS TGW template directory.
cd /terraform/templates/views/assisted/aws-tgw-volt-node
  • Set the environment variables needed for the Volterra provider:
    • VOLT_API_P12_FILE: the path to the API certificate file.
    • VES_P12_PASSWORD: the API credentials password, which is the password you set while downloading the API certificate.
    • VOLT_API_URL: the tenant URL.

The following is a sample. Change the values as per your setup.

export VOLT_API_P12_FILE="/var/tmp/playground.console.api-creds.p12"
export VES_P12_PASSWORD=<api_cred_password>
export VOLT_API_URL="https://playground.console.ves.volterra.io/api"
export TF_VAR_akar_api_url=$VOLT_API_URL
  • Deploy the nodes by executing the terraform commands.
terraform init
terraform apply -var-file=/var/tmp/system-aws-tgw-a.json

Note: The terraform init command downloads the terraform providers defined in the module. When the terraform apply command is executed, it prompts for user input to proceed. Enter yes to begin deploying the node(s) and wait for the deployment to complete.

  • Navigate to Sites -> Sites List. Find your site from the displayed list and verify that the status is ONLINE.

Note: It takes a few minutes for the site to be deployed and status to become ONLINE.
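A pre-flight check for the assisted deployment above (and for the matching terraform destroy step in the delete procedure), added here as an example and not part of the Volterra tooling. It validates the three provider variables, the API certificate file and the downloaded variables file before terraform apply is run; it assumes Python is available where it runs (for instance on the workstation, using the host-side paths, before the files are copied into the container), and the function name preflight is this example's own.

```python
"""Validate the Volterra provider settings before `terraform apply`.
Added example; `preflight` is not part of the Volterra tooling."""
import json
import os
import stat
from urllib.parse import urlparse

REQUIRED = ("VOLT_API_P12_FILE", "VES_P12_PASSWORD", "VOLT_API_URL")


def preflight(env, var_file):
    """Return a list of problems found in `env` (a mapping such as os.environ)
    and in the terraform variables file; an empty list means proceed."""
    problems = []
    for name in REQUIRED:
        if not env.get(name):
            problems.append(f"{name} is not set")

    # The API certificate is a credential: it must exist and not be world/group readable.
    p12 = env.get("VOLT_API_P12_FILE", "")
    if p12:
        if not os.path.isfile(p12):
            problems.append(f"API certificate {p12} not found")
        elif os.stat(p12).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{p12} is readable by group/others; chmod 600 it")

    # Catch the sample value copied verbatim from the guide.
    pw = env.get("VES_P12_PASSWORD", "")
    if pw.startswith("<") and pw.endswith(">"):
        problems.append("VES_P12_PASSWORD still holds the <api_cred_password> placeholder")

    # The tenant URL must be HTTPS and end in /api, and TF_VAR_akar_api_url must mirror it.
    url = env.get("VOLT_API_URL", "")
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc or parsed.path != "/api":
            problems.append(f"VOLT_API_URL {url!r} should look like https://<tenant>.console.ves.volterra.io/api")
        if env.get("TF_VAR_akar_api_url") != url:
            problems.append("TF_VAR_akar_api_url must be set to the same value as VOLT_API_URL")

    # The downloaded Terraform Parameters are a JSON object of variables.
    try:
        with open(var_file) as fh:
            data = json.load(fh)
        if not isinstance(data, dict) or not data:
            problems.append(f"{var_file} does not contain a JSON object of variables")
    except (OSError, ValueError) as exc:
        problems.append(f"cannot read terraform variables {var_file}: {exc}")
    return problems


if __name__ == "__main__":
    import sys
    issues = preflight(os.environ, sys.argv[1] if len(sys.argv) > 1 else "/var/tmp/system-aws-tgw-a.json")
    for issue in issues:
        print("problem:", issue)
    sys.exit(1 if issues else 0)
```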


Delete AWS TGW Site

Perform one of the following to delete the AWS TGW site according to the type of deployment:

Automatic Deployment: Delete the TGW site object from VoltConsole for sites deployed using the automatic deployment method.

Perform the following to delete the TGW site object:

  • Navigate to the created AWS TGW site object using the Manage -> Site Management -> AWS TGW Site option.
  • Find your AWS TGW site object and click ... -> Delete.
  • Click Delete in the confirmation window.

Note: Deleting the AWS TGW site object deletes the sites and nodes from the VPC and deletes the VPC. If the delete operation does not remove the object and returns an error, check the error in the status, fix it, and re-attempt the delete operation. If the problem persists, contact technical support. You can check the status using the ... -> Terraform Parameters -> Apply status option.

Assisted Deployment: Delete the terraform deployment made in assisted mode and then delete the site from VoltConsole.

Step 1: Delete the terraform deployment.
  • Enter the terraform container.
docker exec -it terraform-cli sh
  • Change to the AWS TGW template directory.
cd /terraform/templates/views/assisted/aws-tgw-volt-node
  • Set the environment variables needed for the Volterra provider:
    • VOLT_API_P12_FILE: the path to the API certificate file.
    • VES_P12_PASSWORD: the API credentials password, which is the password you set while downloading the API certificate.
    • VOLT_API_URL: the tenant URL.

The following is a sample. Change the values as per your setup.

export VOLT_API_P12_FILE="/var/tmp/playground.console.api-creds.p12"
export VES_P12_PASSWORD=<api_cred_password>
export VOLT_API_URL="https://playground.console.ves.volterra.io/api"
export TF_VAR_akar_api_url=$VOLT_API_URL
  • Destroy the site objects in AWS by executing the terraform commands.
terraform init
terraform destroy -var-file=/var/tmp/system-aws-tgw-a.json

Note: When the terraform destroy command is executed, it prompts for user input to proceed. Enter yes and wait for the destroy to complete.

Step 2: Delete the site from VoltConsole.
  • Navigate to the created AWS TGW site object using the Manage -> Site Management -> AWS TGW Site option.
  • Find your AWS TGW site object and click ... -> Delete.
  • Click Delete in the confirmation window.

Concepts


API References