Connectors

Objective

This guide provides instructions on how to create a Cloud Connect using a guided wizard in F5® Distributed Cloud Console (Console). Cloud Connect is a cloud-neutral approach to enable you to attach your private cloud network onto F5 Distributed Cloud Platform's cloud customer edge (CE) sites.

A transit gateway (TGW) acts as a regional virtual router for traffic flowing between virtual private clouds (VPCs) and on-premises networks.

Figure: Cloud Connects Configuration

Figure: Cloud Connects Configuration

Prerequisites

Note: If you do not have an account, see Create an F5 Distributed Cloud Services Account.

  • An existing AWS TGW site with Hub, Spoke, and Services route tables.

  • Transit Gateway must be in Available state.

  • Cloud credentials with following permissions are required to create the attachment:

    AWS Elastic Compute Cloud (EC2) permissionsAWS Rersource Access Manager (RAM) permissions
    ec2:CreateTransitGatewayVpcAttachmentram:ListPrincipals
    ec2:DescribeTransitGatewaysram:CreateResourceShare
    ec2:DeleteTransitGatewayVpcAttachmentram:DeleteResourceShare
    ec2:ModifyTransitGatewayVpcAttachmentram:AcceptResourceShareInvitation
    ec2:AcceptTransitGatewayVpcAttachmentram:GetResourceShares
    ram:GetResourceShareInvitations
    ram:DisassociateResourceShare
    ram:AssociateResourceShare
    ram:TagResource

Configuration

Create a Cloud Connect

Perform the following steps to create a Cloud Connect:

Step 1: Navigate to the Cloud Connects page.
  • Log into Console and select the Multi-Cloud Network Connect service.
Figure: Console Homepage

Figure: Console Homepage

  • Click Manage > Connectors > Cloud Connects.
Figure: Cloud Connects

Figure: Cloud Connects

Step 2: Create a Cloud Connect.
  • Click Add Cloud Connect.

Note: You can also create a Cloud Connect from the Manage > Site Management > AWS TGW Sites page. Click ... > Attach Cloud Connect in the Action column of a listed site. This will have the added benefit of pre-populating the site and credentials fields on the Cloud Connect creation form.

  • Select a cloud provider and site type from the Provider drop-down menu. The choices are detailed below.
AWS TGW Site
Figure: New AWS Cloud Connect

Figure: New AWS Cloud Connect

  • Select a site reference from the AWS TGW Site Reference drop-down menu. Once you've made a selection, you can click View Configuration to verify the configuration details.

  • Select a cloud credential from the Credential Reference drop-down menu to deploy resources, or select Add Item below the list to create a new one. Once you've made a selection, you can click View Configuration or Edit Configuration to verify the configuration details or make changes.

  • Click Add Item to create for each VPC Attachment.

    • Enter a VPC ID of the VPC to be attached.
    • Select which traffic should be routed toward the customer edge (CE) from the Routing Choice drop-down menu.
      • Manual: You manage routing.
      • Override Default Route: You select the route tables. Next, select the Override Default Route Choice. If you choose Selective Route Tables for AWS, then you must also add one or more Route table IDs.
      • Advertise Custom CIDRs - User specifies CIDRs routes toward the CE to be installed for this subnet. Next, click Add Item for each route table in your list. For each route table, select a Route table ID and then enter one or more Static Routes using the Add Item button.

Note:

  • The AWS TGW CE site must be in online and available state.
  • The cloud credentials you select must have the listed permissions attached to it.
  • The VPC will be discovered from the site region using the selected credential.
  • The maximum number of supported VPCs is 128 for each Cloud Connect.
  • The VPC must have a t least one subnet.
  • Editing a selected credential and AWS TGW site is not supported.
Step 3: Select a segment and save .

  • Use the Segment drop-down menu to select an existing segment, or select Add Item below the selection list to create a new segment.

  • Click Save and Exit to create the Cloud Connect.

Step 4: Verify your Cloud Connect.
  • Click Manage > Connectors > Cloud Connect to see you new Cloud Connect. You may need to click the Refresh button to see your new Cloud Connect in the table.
Figure: New AWS Cloud Connect

Figure: New AWS Cloud Connect

  • Click ... > Show Status for your new Cloud Connect and then click the UID object.
Figure: AWS Cloud Connect Status

Figure: AWS Cloud Connect Status

  • The Status section shows the current state of your Cloud Connect. During creation, the State column will show Pending, and the Deployment Status will show Not Ready. After a minute or two they will change to Available and Ready, at which time your Cloud Connect will be available.

Delete a Cloud Connect

Perform the following steps to create a Cloud Connect:

Step 1: Navigate to the Cloud Connects page.
  • Log into Console and select the Multi-Cloud Network Connect service.
Figure: Console Homepage

Figure: Console Homepage

  • In the Multi-Cloud Network Connect service, click Manage > Connectors > Cloud Connects.
Step 2: Delete a Cloud Connect.
Figure: Cloud Connects

Figure: Cloud Connects

  • Click ... > Delete in the Actions column for the Cloud Connect you want to delete.

  • Click Delete in the confirmation pop-up window.

  • The Status column for your Cloud Connect will change to Degraded during the deleting process. Once deleted, that Cloud Connect will be removed from the table.

Limitations

  • When you attach a VPC to a transit gateway, any resources in Availability Zones where there is no transit gateway attachment cannot reach the transit gateway. If there is a route to the transit gateway in a subnet route table, traffic is forwarded to the transit gateway only when the transit gateway has an attachment in a subnet in the same Availability Zone.

  • The resources in a VPC attached to a transit gateway cannot access the security groups of a different VPC that is also attached to the same transit gateway.

  • A transit gateway does not support routing between VPCs with identical CIDRs. If you attach a VPC to a transit gateway and its CIDR is identical to the CIDR of another VPC that is already attached to the transit gateway, the routes for the newly attached VPC are not propagated to the transit gateway route table.

  • You cannot create an attachment for a VPC subnet that resides in a Local Zone.

  • You cannot create a transit gateway attachment using IPv6-only subnets.

  • Transit gateway attachment subnets must also support IPv4 addresses.

  • A transit gateway must have at least one VPC attachment before that transit gateway can be added to a route table.

Concepts

API References

On this page: