If you haven’t read Part One of this series, take a look before reading this post. In this concluding installment, I describe the AWS Transit Gateway and AWS Client VPN configuration.
Rackspace automates much of the infrastructure creation, but the following sections describe the main AWS services’ configuration included in this post. Refer to AWS documentation for detailed instructions.
Within the Transit Gateway console, create a new Transit Gateway. Make sure to allow the Auto accept shared attachments option to enable cross-account attachments.
In this example, I use AWS Direct Connect, so I created a Direct Connect Gateway associated with Transit Gateway. This allows IP connectivity between AWS and the on-premises data center.
To allow VPCs from external AWS accounts to attach to Transit Gateway, I created a Transit Gateway Resource share by using Resource Access Manager (RAM).
You need to take three steps to allow Transit Gateway Attachments from external accounts to complete successfully:
After the Transit Gateway configuration completes, you see all VPC attachments in the Transit Gateway console along with the attachment to Direct Connect Gateway.
With route propagation enabled for Transit Gateway, you also see routes to each connected network.
Finally, you must add routes to the route tables for each VPC attached to the Transit Gateway. This action ensures that each VPC knows to send traffic designed for other attached VPCs to the Transit Gateway.
Traffic arriving at a VPC that does not have the relevant return routes configured tries to return via the default route and ultimately gets dropped. In the following example, this is the NAT Gateway.
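The asymmetric-routing failure described above can be checked before cutover. This added example (not part of the post, and not Rackspace tooling) models each VPC route table as longest-prefix-match entries and reports every attached network whose traffic would leave via something other than the Transit Gateway; the topology, Transit Gateway, NAT Gateway and CIDR values are constructed placeholders.

```python
import ipaddress

# Constructed sample topology (placeholders, not from the post): three networks
# attached to one Transit Gateway, a migration target VPC, the Client VPN VPC
# and the data center reached through a Direct Connect Gateway.
TGW = "tgw-0123456789abcdef0"
ATTACHED = {
    "vpc-migration-target": "10.20.0.0/16",
    "vpc-client-vpn": "10.30.0.0/16",
    "datacenter-via-dxgw": "192.168.0.0/16",
}

# Per-VPC route tables as (destination CIDR, target). The migration target VPC
# has only its default route, so return traffic falls through to the NAT Gateway.
ROUTE_TABLES = {
    "vpc-migration-target": [
        ("10.20.0.0/16", "local"),
        ("0.0.0.0/0", "nat-0aaaaaaaaaaaaaaaa"),
    ],
    "vpc-client-vpn": [
        ("10.30.0.0/16", "local"),
        ("10.20.0.0/16", TGW),
        ("192.168.0.0/16", TGW),
        ("0.0.0.0/0", "nat-0bbbbbbbbbbbbbbbb"),
    ],
}

def lookup(routes, dest):
    """Longest-prefix match, as the VPC router does; None if nothing matches."""
    net = ipaddress.ip_network(dest)
    best = None
    for cidr, target in routes:
        route = ipaddress.ip_network(cidr)
        if net.subnet_of(route) and (best is None or route.prefixlen > best[0].prefixlen):
            best = (route, target)
    return best

def missing_return_routes(route_tables, attached, tgw):
    """Return (vpc, destination, actual target) for each attached network that a
    VPC would not send to the Transit Gateway, i.e. traffic that takes the
    default route and is ultimately dropped."""
    problems = []
    for vpc, routes in route_tables.items():
        for name, cidr in attached.items():
            if name == vpc:
                continue
            hit = lookup(routes, cidr)
            target = hit[1] if hit else None
            if target != tgw:
                problems.append((vpc, cidr, target))
    return problems

if __name__ == "__main__":
    for vpc, dest, target in missing_return_routes(ROUTE_TABLES, ATTACHED, TGW):
        print(f"{vpc}: {dest} resolves to {target!r}, expected {TGW}")
```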
AWS VPN users can traverse different networks connected through AWS Transit Gateway if authorized to do so. You can configure authentication and authorization with Active Directory, mutual (certificate-based) authentication, and SSO through SAML-based federated authentication. By adding users to groups within AWS Directory Service, you can authorize them to access specific networks through the AWS Client VPN configuration. The remainder of this post focuses on providing authorization via Active Directory group membership.
I have detailed the main steps to set up AWS Client VPN in this section. Refer to AWS documentation for detailed instructions.
Group ID is the security identifier (SID) of the Active Directory group authorized to access a given network. When using Active Directory groups, be sure to enter the group’s SID (not its name) in the authorization rule; otherwise authorization does not work.
The AWS Client VPN route table provides routes to each of the destination networks available in the solution. In this example, we can see the following routes.
Default route: Created automatically by AWS when we associate subnets from the VPC that the Client VPN endpoint is associated with.
Route to data center: Added manually to provide access to the source data center. The route goes via AWS Transit Gateway.
Migration target VPC: Added manually to provide access to the migration target network. This route goes via AWS Transit Gateway if the target is external to the VPC associated with the AWS Client VPN endpoint.
When adding a new route, we use the subnets associated with the VPC selected during the Client VPN endpoint creation (Step 3) as the next hop. Network packets are then routed via the VPC router to the Transit Gateway.
For redundancy, I have created two routes for each destination by using subnets from both zones of the associated VPC attached to Client VPN endpoint.
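The authorization rules (keyed by AD group SID) and the dual-subnet routes described above can be planned as one unit. This added example (not from the post or Rackspace) builds both sets from a group-to-network mapping, rejects an access group that is a name rather than a SID, and renders the equivalent AWS CLI calls; all SIDs, subnet and endpoint ids are constructed placeholders.

```python
import re

# Constructed example (placeholders, not from the post): AD groups keyed by SID,
# each authorized for a list of destination networks, plus the two subnets (one
# per Availability Zone) associated with the Client VPN endpoint.
GROUP_ACCESS = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105": ["192.168.0.0/16", "10.20.0.0/16"],
    "S-1-5-21-1111111111-2222222222-3333333333-1106": ["10.20.0.0/16"],
}
ASSOCIATED_SUBNETS = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")   # domain group SID shape

def plan_client_vpn(group_access, subnets):
    """Return (authorization rules, routes).
    One rule per (network, group SID); one route per (network, associated
    subnet) so each destination stays reachable if one zone's subnet fails."""
    rules, routes = [], []
    for group_id, cidrs in group_access.items():
        if not SID_RE.match(group_id):
            raise ValueError(f"access group must be an AD group SID, got {group_id!r}")
        for cidr in cidrs:
            rules.append((cidr, group_id))
    destinations = sorted({c for cidrs in group_access.values() for c in cidrs})
    for cidr in destinations:
        for subnet in subnets:
            routes.append((cidr, subnet))
    return rules, routes

def as_cli(endpoint_id, rules, routes):
    """Render the plan as aws ec2 commands for review before applying."""
    lines = [f"aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id {endpoint_id} "
             f"--target-network-cidr {cidr} --access-group-id {sid}" for cidr, sid in rules]
    lines += [f"aws ec2 create-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
              f"--destination-cidr-block {cidr} --target-vpc-subnet-id {subnet}"
              for cidr, subnet in routes]
    return lines

if __name__ == "__main__":
    plan = plan_client_vpn(GROUP_ACCESS, ASSOCIATED_SUBNETS)
    print("\n".join(as_cli("cvpn-endpoint-0123456789abcdef0", *plan)))
```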
The AWS VPN client is free to download. To connect to the AWS Client VPN service, use the following steps to get up and running:
Administrative access to compute resources becomes much more flexible, allowing you to work from the office or home. After you connect, you have IP connectivity from your local workstation to any network connected to Transit Gateway. You can transfer files between connected networks and log on to the console of any compute instances for which you are authorized.
At Rackspace, our Professional Services teams wrap governance and process around a migration into AWS. Through clear project management, we make sure to migrate applications into AWS in the right order according to business goals and objectives.
Rackspace migration engineers will set up and configure AWS CloudEndure Migration on your behalf, setting up replication from the source data center into the relevant CloudEndure project within AWS. Rackspace architects design target VPCs to include complementary AWS services, such as load balancing, caching, or managed database services. Then, Rackspace engineers deploy the target VPCs, and they are ready to receive replicated workloads.
To learn more about how Rackspace Professional services can assist with your business challenges related to digital transformation, migration, and application modernization, visit our website.