Connectors

Objective

This guide provides instructions on how to create a Cloud Connect using a guided wizard in F5® Distributed Cloud Console (Console). Cloud Connect is a cloud-neutral approach to enable you to attach your private cloud network onto F5 Distributed Cloud Platform's cloud customer edge (CE) sites.

A transit gateway (TGW) acts as a regional virtual router for traffic flowing between virtual private clouds (VPCs) and on-premises networks.

Figure: Cloud Connects Configuration

Prerequisites

Note: If you do not have an account, see Create an F5 Distributed Cloud Services Account.

  • An existing AWS TGW site with Hub, Spoke, and Services route tables.

  • The transit gateway must be in the Available state.

  • Cloud credentials with the following permissions are required to create the attachment:

    AWS Elastic Compute Cloud (EC2) permissions:
      ec2:CreateTransitGatewayVpcAttachment
      ec2:DescribeTransitGateways
      ec2:DeleteTransitGatewayVpcAttachment
      ec2:ModifyTransitGatewayVpcAttachment
      ec2:AcceptTransitGatewayVpcAttachment

    AWS Resource Access Manager (RAM) permissions:
      ram:ListPrincipals
      ram:CreateResourceShare
      ram:DeleteResourceShare
      ram:AcceptResourceShareInvitation
      ram:GetResourceShares
      ram:GetResourceShareInvitations
      ram:DisassociateResourceShare
      ram:AssociateResourceShare
      ram:TagResource
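A credential that is missing one of these actions fails only part-way through the wizard (typically at create or delete time), so it is worth checking the identity policy before handing it to Console. The following Python is an added example, not F5 or AWS code: it builds a least-privilege policy document from the list above and checks, offline, whether an arbitrary IAM policy document covers every required action, honouring wildcards and explicit Deny statements. The two sample policies (READ_ONLY_POLICY and DENY_DELETE_POLICY) are constructed for the example and are not real account policies. It inspects a single identity policy only; service control policies, permission boundaries and resource policies are not modelled, so treat a clean result as necessary rather than sufficient and confirm with the IAM policy simulator where those apply.

```python
"""Offline check that an IAM policy covers the Cloud Connect permission list.

Added example, not F5 or AWS code. REQUIRED_ACTIONS is the list from the
prerequisites above; the policy documents below are constructed for this
example and are not real account policies.
"""
import fnmatch

REQUIRED_ACTIONS = [
    "ec2:CreateTransitGatewayVpcAttachment",
    "ec2:DescribeTransitGateways",
    "ec2:DeleteTransitGatewayVpcAttachment",
    "ec2:ModifyTransitGatewayVpcAttachment",
    "ec2:AcceptTransitGatewayVpcAttachment",
    "ram:ListPrincipals",
    "ram:CreateResourceShare",
    "ram:DeleteResourceShare",
    "ram:AcceptResourceShareInvitation",
    "ram:GetResourceShares",
    "ram:GetResourceShareInvitations",
    "ram:DisassociateResourceShare",
    "ram:AssociateResourceShare",
    "ram:TagResource",
]


def minimal_policy() -> dict:
    """Policy document that grants exactly the required actions and nothing else.

    Resource is "*" because the attachment and resource-share ARNs do not exist
    until the wizard creates them. Attach it to a dedicated credential for the
    Cloud Connect rather than widening a credential shared with other tooling.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CloudConnectEc2",
                "Effect": "Allow",
                "Action": [a for a in REQUIRED_ACTIONS if a.startswith("ec2:")],
                "Resource": "*",
            },
            {
                "Sid": "CloudConnectRam",
                "Effect": "Allow",
                "Action": [a for a in REQUIRED_ACTIONS if a.startswith("ram:")],
                "Resource": "*",
            },
        ],
    }


def _as_list(value) -> list:
    """IAM lets Statement, Action and NotAction be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and accepts '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy: dict, required=REQUIRED_ACTIONS) -> list:
    """Return the required actions the policy does not allow, in list order.

    An action counts as allowed only if some Allow statement matches it and no
    Deny statement matches it. NotAction is handled conservatively: an Allow
    with NotAction is not credited (it grants far more than needed and should
    be reviewed by hand); a Deny with NotAction denies everything it omits.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        for req in required:
            hit = any(_matches(p, req) for p in actions)
            hit_not = bool(not_actions) and not any(_matches(p, req) for p in not_actions)
            if effect == "Allow" and hit:
                allowed.add(req)
            elif effect == "Deny" and (hit or hit_not):
                denied.add(req)
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample: a read-only credential that is often handed to a wizard
# by mistake. It can enumerate TGWs and shares but cannot create the attachment.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ram:Get*", "ram:List*"], "Resource": "*"}
    ],
}

# Constructed sample: broad ec2:* with an explicit Deny added by a guardrail.
# The Deny wins, so the wizard could create but never clean up the attachment.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "ram:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DeleteTransitGatewayVpcAttachment", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("minimal", minimal_policy()),
                      ("read-only", READ_ONLY_POLICY),
                      ("deny-delete", DENY_DELETE_POLICY)]:
        print(name, "missing:", missing_actions(pol) or "none")
```

Run it against the policy document you export from IAM (for example the output of `aws iam get-policy-version`) instead of the constructed samples; a non-empty list names exactly the actions to add before starting the wizard.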

Configuration


Create a Cloud Connect

Perform the following steps to create a Cloud Connect:

Step 1: Navigate to the Cloud Connects page.
  • Log into Console and select the Multi-Cloud Network Connect service.
Figure: Console Homepage
  • Click Manage > Connectors > Cloud Connects.
Figure: Cloud Connects
Step 2: Create a Cloud Connect.
  • Click Add Cloud Connect.

Note: You can also create a Cloud Connect from the Manage > Site Management > AWS TGW Sites page. Click ... > Attach Cloud Connect in the Action column of a listed site. This will have the added benefit of pre-populating the site and credentials fields on the Cloud Connect creation form.

  • Select a cloud provider and site type from the Provider drop-down menu. The choices are detailed below.
AWS TGW Site
Figure: New AWS Cloud Connect
  • Select a site reference from the AWS TGW Site Reference drop-down menu. Once you've made a selection, you can click View Configuration to verify the configuration details.

  • Select a cloud credential from the Credential Reference drop-down menu to deploy resources, or select Add Item below the list to create a new one. Once you've made a selection, you can click View Configuration or Edit Configuration to verify the configuration details or make changes.

  • Under VPC Attachments, click Add Item once for each VPC you want to attach, and configure the following for each one:

    • Enter the VPC ID of the VPC to be attached.
    • Select which traffic should be routed toward the customer edge (CE) from the Routing Choice drop-down menu:
      • Manual: The attachment is created, but you manage the VPC route tables yourself.
      • Override Default Route: The default route in the route tables you select is set to forward toward the CE. Next, select the Override Default Route Choice. If you choose Selective Route Tables for AWS, you must also add one or more Route table IDs.
      • Advertise Custom CIDRs: You specify the CIDRs for which routes toward the CE are installed. Click Add Item for each route table in your list; for each route table, select its Route table ID and then enter one or more Static Routes using the Add Item button.

Note:

  • The AWS TGW CE site must be online and in the Available state.
  • The cloud credential you select must have the permissions listed under Prerequisites.
  • The VPC is discovered from the site's region using the selected credential; a VPC in another region or account is not offered.
  • A maximum of 128 VPCs is supported for each Cloud Connect.
  • The VPC must have at least one subnet.
  • Changing the selected credential or AWS TGW site on an existing Cloud Connect is not supported.
Step 3: Select a segment and save.
  • Use the Segment drop-down menu to select an existing segment, or select Add Item below the selection list to create a new segment.

  • Click Save and Exit to create the Cloud Connect.

Step 4: Verify your Cloud Connect.
  • Click Manage > Connectors > Cloud Connects to see your new Cloud Connect. You may need to click the Refresh button for it to appear in the table.
Figure: New AWS Cloud Connect
  • Click ... > Show Status for your new Cloud Connect and then click the UID object.
Figure: AWS Cloud Connect Status
  • The Status section shows the current state of your Cloud Connect. During creation, the State column shows Pending and the Deployment Status shows Not Ready. After a minute or two they change to Available and Ready, at which point your Cloud Connect is usable.

Delete a Cloud Connect

Perform the following steps to delete a Cloud Connect:

Step 1: Navigate to the Cloud Connects page.
  • Log into Console and select the Multi-Cloud Network Connect service.
Figure: Console Homepage
  • In the Multi-Cloud Network Connect service, click Manage > Connectors > Cloud Connects.
Step 2: Delete a Cloud Connect.
Figure: Cloud Connects
  • Click ... > Delete in the Actions column for the Cloud Connect you want to delete.

  • Click Delete in the confirmation pop-up window.

  • The Status column for your Cloud Connect changes to Degraded while it is being deleted. Once deleted, the Cloud Connect is removed from the table.


Limitations

  • When you attach a VPC to a transit gateway, any resources in Availability Zones where there is no transit gateway attachment cannot reach the transit gateway. If there is a route to the transit gateway in a subnet route table, traffic is forwarded to the transit gateway only when the transit gateway has an attachment in a subnet in the same Availability Zone.

  • The resources in a VPC attached to a transit gateway cannot access the security groups of a different VPC that is also attached to the same transit gateway.

  • A transit gateway does not support routing between VPCs with identical CIDRs. If you attach a VPC to a transit gateway and its CIDR is identical to the CIDR of another VPC that is already attached to the transit gateway, the routes for the newly attached VPC are not propagated to the transit gateway route table.

  • You cannot create an attachment for a VPC subnet that resides in a Local Zone.

  • You cannot create a transit gateway attachment using IPv6-only subnets.

  • Transit gateway attachment subnets must also support IPv4 addresses.

  • A transit gateway must have at least one VPC attachment before that transit gateway can be added to a route table.
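Several of these limitations, together with the constraints in the step 2 note (at most 128 VPCs per Cloud Connect, at least one subnet per VPC, VPCs discovered from the site region), can be checked before the wizard runs rather than discovered as a failed attachment or, worse, as traffic that silently never reaches the TGW. The following Python is an added example, not F5 or AWS code. INVENTORY is a constructed stand-in for trimmed describe-vpcs / describe-subnets output (zone_type as reported by describe-availability-zones ZoneType, ipv6_native from the subnet's Ipv6Native flag), not real account data. The page does not say which subnet the platform selects for the attachment, so the AZ check only flags zones where no eligible subnet exists at all; an AZ that has an eligible subnet but ends up without an attachment would still be unreachable.

```python
"""Pre-flight checks for the VPCs you plan to attach through one Cloud Connect.

Added example, not F5 or AWS code. INVENTORY is constructed to look like
trimmed describe-vpcs / describe-subnets output and is not real account data.
"""
from collections import defaultdict

MAX_VPCS_PER_CLOUD_CONNECT = 128  # limit stated in the step 2 note

INVENTORY = {
    "vpc-0a1": {"cidr": "10.10.0.0/16", "subnets": [
        {"id": "subnet-a1", "az": "us-east-1a", "zone_type": "availability-zone", "ipv6_native": False},
        {"id": "subnet-a2", "az": "us-east-1b", "zone_type": "availability-zone", "ipv6_native": False},
    ]},
    # Same CIDR as vpc-0a1: the TGW will not propagate routes for the later one.
    "vpc-0b2": {"cidr": "10.10.0.0/16", "subnets": [
        {"id": "subnet-b1", "az": "us-east-1a", "zone_type": "availability-zone", "ipv6_native": False},
    ]},
    # No subnets at all: nowhere to place an attachment.
    "vpc-0c3": {"cidr": "10.20.0.0/16", "subnets": []},
    # Mixed: a Local Zone subnet, an IPv6-only subnet and one usable subnet.
    "vpc-0d4": {"cidr": "10.30.0.0/16", "subnets": [
        {"id": "subnet-d1", "az": "us-east-1-bos-1a", "zone_type": "local-zone", "ipv6_native": False},
        {"id": "subnet-d2", "az": "us-east-1b", "zone_type": "availability-zone", "ipv6_native": True},
        {"id": "subnet-d3", "az": "us-east-1a", "zone_type": "availability-zone", "ipv6_native": False},
    ]},
}


def attachable_subnets(vpc: dict):
    """Split a VPC's subnets into those that can hold a TGW attachment and those that cannot."""
    ok, rejected = [], []
    for s in vpc["subnets"]:
        if s["zone_type"] == "local-zone":
            rejected.append((s["id"], "subnet is in a Local Zone"))
        elif s["ipv6_native"]:
            rejected.append((s["id"], "subnet is IPv6-only"))
        else:
            ok.append(s)
    return ok, rejected


def preflight(vpc_ids, inventory, max_vpcs=MAX_VPCS_PER_CLOUD_CONNECT) -> dict:
    """Return {"errors": [...], "warnings": [...]} for a proposed set of VPC attachments.

    Errors block the attachment; warnings describe traffic that will silently
    not reach the TGW even after a successful attachment.
    """
    errors, warnings = [], []
    if len(vpc_ids) > max_vpcs:
        errors.append(f"{len(vpc_ids)} VPCs exceeds the limit of {max_vpcs} per Cloud Connect")

    known = [v for v in vpc_ids if v in inventory]
    for v in vpc_ids:
        if v not in inventory:
            errors.append(f"{v}: not discovered in the site region with the selected credential")

    # Identical CIDRs: routes for the later-attached VPC are not propagated.
    by_cidr = defaultdict(list)
    for v in known:
        by_cidr[inventory[v]["cidr"]].append(v)
    for cidr, vpcs in by_cidr.items():
        if len(vpcs) > 1:
            errors.append(f"identical CIDR {cidr} on {', '.join(vpcs)}: "
                          "TGW will not propagate routes for the later attachment")

    for v in known:
        vpc = inventory[v]
        if not vpc["subnets"]:
            errors.append(f"{v}: VPC has no subnets")
            continue
        ok, rejected = attachable_subnets(vpc)
        for subnet_id, why in rejected:
            warnings.append(f"{v}/{subnet_id}: {why}, cannot hold a TGW attachment")
        if not ok:
            errors.append(f"{v}: no subnet eligible for a TGW attachment")
            continue
        # Resources in a zone with no attachment cannot reach the TGW even if their
        # route table points at it. Flag zones where no attachment is possible.
        zones_with_subnets = {s["az"] for s in vpc["subnets"]}
        zones_attachable = {s["az"] for s in ok}
        for az in sorted(zones_with_subnets - zones_attachable):
            warnings.append(f"{v}: resources in {az} cannot reach the TGW "
                            "(no attachable subnet in that zone)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = preflight(list(INVENTORY), INVENTORY)
    for level in ("errors", "warnings"):
        for line in result[level]:
            print(f"[{level[:-1]}] {line}")
```

Run against the constructed inventory, the script reports two errors (the duplicate 10.10.0.0/16 and the subnet-less vpc-0c3) and four warnings for vpc-0d4 (its two ineligible subnets and the two zones they leave without a reachable attachment). The cross-VPC security-group limitation is not an attachment error and is not modelled here; it is a design constraint to keep in mind when writing rules for workloads behind the CE.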

