Create AWS Site with TGW
On This Page:
- Objective
- Design
- AWS TGW - Site Deployment & TGW Creation
- AWS TGW - VPC Attachments
- Network Policies
- Network Policies Between Attached VPCs (East-West Traffic)
- Network Policies for Ingress/Egress Traffic
- Forward Proxy Policy for Attached VPCs
- Prerequisites
- Deployment
- Create AWS TGW Site Object
- Deploy Site
- Delete AWS TGW Site
- Concepts
- API References
Objective
This guide provides instructions on how to create and deploy an Amazon Web Services (AWS) Transit Gateway (TGW) site from F5® Distributed Cloud Console (Console). For more information on sites, see Site.
Using the instructions provided in this guide, you can create an AWS TGW site object in Console and deploy the virtual private cloud (VPC) with TGW site using the object.
Note: Configuring site mesh group is not supported for the sites deployed from Console.
Design
The AWS TGW Site is a way to orchestrate/automate the deployment and management of AWS TGW related resources and other resources needed to deploy an F5® Distributed Cloud Services AWS site on a new or existing VPC, which is called a Services VPC.
AWS TGW - Site Deployment & TGW Creation
An AWS TGW site does the following:
- Automates the creation of the TGW resource, the TGW route tables, and the VPN connection between the TGW and the Distributed Cloud Services site.
- Attaches the VPN connection to the TGW.
- Adds the default routes to the main route table of the attached VPCs.
Two TGW route tables are created:
- VPC route table.
- Services route table.
The VPC route table is where all the VPC attachments are associated. The default route advertised by the site is propagated into this table via BGP over the VPN attachment, so that it attracts all the traffic coming from the VPC attachments associated with the VPC route table.
The Services route table is where the VPN connection to the site is associated. The routes of the VPCs attached to the TGW are propagated into the services route table, and the same VPC CIDR routes are learned by the site via its BGP connection to the TGW.
The following describes North-South traffic from the Spoke VPC, as shown in Figure: AWS TGW - Services VPC + TGW + Single VPC Attachment.
- Egress FROM Spoke VPC (HR): Traffic originating from source 192.168.100.0/22 lands in the VPC route table. Traffic destined to ANY matches the 0.0.0.0/0 route, which points to an Equal Cost Multi-Path (ECMP) set toward interfaces vpn-att-4 and vpn-att-5 (the Distributed Cloud Services nodes installed in the services VPC). After F5® Distributed Cloud Mesh features and policies are applied, the traffic is eventually sent back out toward the TGW.
- Ingress TO Spoke VPC (HR): Traffic originating from any source that lands in the services route table matches destination 192.168.100.0/22, whose matching interface is vpc-att-3. The traffic is then forwarded to the spoke VPC.
AWS TGW - VPC Attachments
You can create a VPC attachment of a spoke VPC to the TGW not only while creating the initial AWS TGW Site but also after the site is deployed. Go to the VPC attachments section, add the vpc-id, and then assign a key-value label to each vpc-id. These labels can be used while creating a network policy to allow traffic between the VPCs and to the Internet.
Once VPC attachments are added to the AWS TGW Site and the apply action completes, all these VPCs are attached to the TGW. The VPC attachments are associated with the VPC route table, so that all traffic coming from a VPC is routed to the site because of the default route pointing to the VPN attachment. The same VPC attachments are added to the services route table so that the VPC CIDR routes are propagated to the Customer Edge (CE).
The site deployment workflow creates a default route pointing to the transit gateway in the main route table of every VPC attached to the TGW.
East-West Traffic:
- From the main route table of the VPC, the traffic is directed toward the transit gateway because of the default route.
- In the transit gateway's VPC route table, a route lookup is done and the traffic moves to the site, which is the next hop (NH).
- The site's route table holds all the VPC routes learned from the TGW, with the NH set to the TGW.
- Next, the lookup is done in the services route table and the traffic goes to the destination VPC using its attachment.
North-South Traffic:
The following is the ingress/egress traffic flow from a VPC to the Internet:
- From the main route table of the VPC, the traffic is directed toward the transit gateway because of the default route.
- In the transit gateway's VPC route table, a route lookup is done and the traffic moves to the site, which is the next hop.
- In the site route table, the default route points to the forward proxy, which connects the inside network to the outside network. SNAT is performed on the outside interface and the traffic is sent to the Internet.
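The three route tables above (the TGW's VPC and services route tables plus the site's own table) decide which of the two flows a packet takes. The following longest-prefix-match model is an added example, not F5 or AWS code: the attachment names vpn-att-4, vpn-att-5 and vpc-att-3 and the 192.168.100.0/22 HR CIDR come from the page's figure, while the second spoke (10.20.0.0/16 on vpc-att-7) and the destination addresses are constructed for illustration.

```python
"""Longest-prefix-match walk through the route tables described above.

Added example (not F5 or AWS code). Attachment names and the HR CIDR follow the
page's figure; the second spoke and the destination addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hops: list          # attachment names; more than one entry means ECMP


@dataclass
class RouteTable:
    name: str
    routes: list = field(default_factory=list)

    def add(self, cidr, *next_hops):
        self.routes.append(Route(ipaddress.ip_network(cidr), list(next_hops)))

    def lookup(self, dst):
        """Next hops of the most specific matching route, or None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for route in self.routes:
            if addr not in route.prefix:
                continue
            if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
                best = route
        return None if best is None else best.next_hops


def build_tables():
    # VPC route table: spoke VPC attachments are associated here. Its only route
    # is the default advertised by the site over BGP, so every flow from a spoke
    # is attracted to the site nodes (ECMP across the two VPN attachments).
    vpc_rt = RouteTable("vpc-route-table")
    vpc_rt.add("0.0.0.0/0", "vpn-att-4", "vpn-att-5")

    # Services route table: the VPN attachment to the site is associated here and
    # each spoke CIDR is propagated, so traffic returning from the site reaches
    # the right VPC attachment.
    services_rt = RouteTable("services-route-table")
    services_rt.add("192.168.100.0/22", "vpc-att-3")   # HR spoke (from the figure)
    services_rt.add("10.20.0.0/16", "vpc-att-7")       # constructed second spoke

    # Site (CE) route table: every spoke CIDR learned from the TGW via BGP with the
    # TGW as next hop, plus the site's own default pointing at the forward proxy.
    site_rt = RouteTable("site-route-table")
    for route in services_rt.routes:
        site_rt.add(str(route.prefix), "tgw")
    site_rt.add("0.0.0.0/0", "forward-proxy")
    return vpc_rt, services_rt, site_rt


def trace(dst, vpc_rt, services_rt, site_rt):
    """Return the hop sequence a packet from a spoke VPC takes toward dst."""
    hops = ["spoke main route table -> tgw (default route)"]
    hops.append(f"{vpc_rt.name} -> {'/'.join(vpc_rt.lookup(dst))}")
    site_nh = site_rt.lookup(dst)[0]
    if site_nh == "forward-proxy":
        # North-South: no spoke owns dst, so the site's default route wins and the
        # traffic leaves via the forward proxy with SNAT on the outside interface.
        hops.append("site -> forward proxy -> SNAT on outside interface -> Internet")
    else:
        # East-West: dst belongs to another spoke; the site hands the packet back
        # to the TGW, where the services route table selects the VPC attachment.
        hops.append(f"site -> tgw, {services_rt.name} -> {services_rt.lookup(dst)[0]}")
    return hops


if __name__ == "__main__":
    tables = build_tables()
    for dst in ("203.0.113.5", "10.20.1.5", "192.168.100.50"):
        print(dst, "|", " | ".join(trace(dst, *tables)))
```

Running the block prints one hop sequence per destination: the Internet address takes the forward-proxy path, while the two spoke addresses are handed back to the TGW and resolved in the services route table. Note that the VPC route table lookup always returns the ECMP pair regardless of destination, which is exactly why the site can act as the single enforcement point for both flows.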
Network Policies
The site can be your ingress/egress and East/West security policy enforcement point, as all the traffic coming from attached VPCs will flow through the site. If the traffic does not match the type defined in your network policy, then the default action will be to deny it.
Network Policies Between Attached VPCs (East-West Traffic)
It is a common use case for enterprises to have the workloads of one department or environment spread across multiple VPCs, and it is useful to be able to create a single network policy that applies to all of the attached VPCs in that group.
For such scenarios, assign the same labels to the VPCs attached to the TGW to group them. The same labels can then be used as the label selector when selecting an endpoint in the network policy. You can then define ingress and egress policies with respect to that endpoint. This network policy is applied to all traffic going toward or coming from the VPCs that match the label selector.
Network Policies for Ingress/Egress Traffic
For ingress/egress traffic, you can likewise use a label selector to select the VPCs for which you are defining the network policy. You define the egress policy by adding egress rules, from the VPC's point of view, that deny or allow a specific traffic pattern. You can also add ingress rules that deny or allow traffic coming toward the endpoint, according to your intent.
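The two sections above describe one workflow: label the VPC attachments, select an endpoint by label, then write ingress and egress rules against it, with everything else denied. The following is an added example that models that workflow; it is not F5's policy engine, and the rule fields, evaluation order, VPC IDs and labels are all constructed for illustration.

```python
"""Simplified model of a label-selected network policy with default deny.

Added example, not F5's policy engine: the rule fields and the evaluation order
are this example's own. The VPC IDs and labels are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed VPC attachments with the key/value labels assigned in the
# "Labels For VPC ID" step.
HR_A = "vpc-0a1b2c3d4e5f60001"
HR_B = "vpc-0a1b2c3d4e5f60002"
FINANCE = "vpc-0a1b2c3d4e5f60003"
ATTACHMENTS = {
    HR_A: {"department": "hr", "env": "prod"},
    HR_B: {"department": "hr", "env": "prod"},
    FINANCE: {"department": "finance", "env": "prod"},
}


def selector_matches(selector, labels):
    """Every key/value pair in the selector must be present in the labels."""
    return all(labels.get(key) == value for key, value in selector.items())


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    remote: Optional[dict] = None   # label selector for the other end; None = any remote, Internet included
    protocol: str = "any"
    ports: set = field(default_factory=set)   # empty set = any port

    def matches(self, remote_labels, protocol, port):
        if self.remote is not None:
            # A labelled remote is required; Internet peers carry no labels.
            if remote_labels is None or not selector_matches(self.remote, remote_labels):
                return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


@dataclass
class NetworkPolicy:
    endpoint: dict                  # label selector choosing the VPCs this policy protects
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


def first_match(rules, remote_labels, protocol, port):
    """The first matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(remote_labels, protocol, port):
            return rule.action
    return "deny"


def evaluate(policy, src_vpc, dst_vpc, protocol, port):
    """Verdict for one flow at the site. dst_vpc None means the Internet."""
    src_labels = ATTACHMENTS.get(src_vpc)
    dst_labels = ATTACHMENTS.get(dst_vpc) if dst_vpc else None
    verdicts = []
    if src_labels and selector_matches(policy.endpoint, src_labels):
        verdicts.append(first_match(policy.egress, dst_labels, protocol, port))
    if dst_labels and selector_matches(policy.endpoint, dst_labels):
        verdicts.append(first_match(policy.ingress, src_labels, protocol, port))
    if not verdicts:
        return "deny"   # no selected endpoint is involved: the site's default action
    return "allow" if all(v == "allow" for v in verdicts) else "deny"


# One policy covers every VPC labelled department=hr, however many are attached.
HR_POLICY = NetworkPolicy(
    endpoint={"department": "hr"},
    ingress=[Rule("allow", remote={"department": "hr"})],          # HR-to-HR (East-West)
    egress=[
        Rule("allow", remote={"department": "hr"}),
        Rule("allow", remote=None, protocol="tcp", ports={443}),   # HTTPS to any remote
    ],
)

if __name__ == "__main__":
    for flow in [(HR_A, HR_B, "tcp", 22), (HR_A, None, "tcp", 443),
                 (HR_A, None, "tcp", 80), (FINANCE, HR_A, "tcp", 443)]:
        print(flow, "->", evaluate(HR_POLICY, *flow))
```

Adding a fourth HR VPC only requires giving it the department=hr label; the policy itself is unchanged. The finance-to-HR flow is denied even though no rule names finance, because the ingress rule list of the HR endpoint has no match and the fallback is deny.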
Forward Proxy Policy for Attached VPCs
Using a forward proxy policy, you can specify allowed/denied TLS domains or HTTP URLs. The traffic from workloads on private subnets toward the Internet via the AWS TGW site is allowed or denied accordingly.
Prerequisites
The following prerequisites apply:
- A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- An AWS Account. See Required Access Policies for the permissions needed to deploy an AWS TGW site.
- Resources required per site: Minimum 4 vCPUs and 14 GB RAM.
Deployment
AWS TGW site creation and management requires performing the following sequence of actions:
Phase | Description |
---|---|
Create AWS TGW Site Object | Create the TGW site object in Console using the guided wizard. |
Deploy Site | Deploy the VPC and site configured in the TGW site object using the automatic or assisted method. |
Create AWS TGW Site Object
The wizard to create the TGW site object guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.
Perform the following steps:
Step 1: Start AWS TGW site object creation.
- Log into Console.
- Click Cloud and Edge Sites.
- Click Manage > Site Management > AWS TGW Sites.
- Click Add AWS TGW Site.
- In the Metadata section, enter a name for your TGW site object.
Step 2: Configure the TGW and VPC settings.
- In the AWS Configuration section, perform the following:
  - Click Configure.
  - From the AWS Region menu, select the region based on your AWS account.
Step 2.1: Configure services VPC.
- From the Select Services VPC menu, select an option and configure per the following guidelines:
  - For the New VPC Parameters option, select an option from the AWS VPC Name menu. The Autogenerate VPC Name option is selected by default. If you select the Choose VPC Name option, enter a VPC name in the Choose VPC Name field. Enter the Classless Inter-Domain Routing (CIDR) block in the Primary IPv4 CIDR block field.
  - For the Existing VPC option, enter an existing VPC name in the Existing VPC field. If you use this option, you are required to enable the enable_dns_hostnames field in the existing VPC configuration.
Step 2.2: Configure the TGW settings.
- In the Transit Gateway section, select an option from the Select Transit Gateway menu, and configure per the following guidelines:
  - For the New TGW Parameters option, select an option for the Select BGP ASN field. If you select Automatic, Distributed Cloud Services assigns the ASNs for the TGW and the site. For the User will assign ASN for TGW and Volterra Site option, enter the ASNs in the Enter TGW ASN and Enter Volterra Site ASN fields. The supported ASN range is from 64513 to 65534.
  - For the Existing TGW option, enter the TGW ID in the Existing TGW ID field. Enter the ASNs in the Enter TGW ASN and Enter Volterra Site ASN fields.
-
Step 2.3: Configure site node parameters.
- In the Site Node Parameters section, configure per the following guidelines:
  - Select an option from the AWS Instance Type for Node menu.
  - Enter your public key in the Public SSH key field for SSH access to your node later.
  - In the Ingress/Egress Gateway (two Interface) Nodes in AZ field, click Add Item.
  - Select an option from the AWS AZ Name menu that matches the configured AWS Region.
  - From the Workload Subnet menu, select New Subnet or Existing Subnet ID.
  - Enter either a subnet address in the IPv4 Subnet field or a subnet ID in the Existing Subnet ID field.
  - From the Subnet for Outside Interface menu, select New Subnet or Existing Subnet ID.
  - Enter either a subnet address in the IPv4 Subnet field or a subnet ID in the Existing Subnet ID field.
Note: The workload subnet is the network where your application workloads are hosted. For successful routing toward applications running in the workload subnet, an inside static route to the workload subnet CIDR needs to be added on the respective site object.
Note: The AWS Certified Hardware option is set to aws-byol-multi-nic-voltmesh by default. You can add more than one node using the Add item option.
- Click Add Item.
Step 2.4: Set the deployment type.
- In the Deployment section, select an option from the Select Automatic or Assisted Deployment menu. Perform further actions per the following guidelines:
  - For the Automatic Deployment option, select an existing AWS credentials object or click the Create new cloud credentials option to load the new credential creation wizard.
  Note: Refer to the Cloud Credentials guide for more information. Ensure that the AWS credentials are applied with the required access policies in accordance with the Policy Requirements document.
  - For the Assisted Deployment option, obtain the AWS parameters after this object is created in Console and perform the site deployment using the instructions in the Deploy Site chapter.
- Click Continue.
- Click Apply to apply the services VPC and TGW settings to the AWS TGW object.
Step 3: Optionally, configure VPC attachments.
- In the VPC attachments section, click Configure.
- Click Add Item.
- Enter the VPC ID in the VPC ID field. Select labels from the Labels For VPC ID menu.
- Click Add Item.
- Click Apply.
Note: You can add multiple VPC attachments using the Add Item button. You can add VPC attachments during AWS TGW site creation, or you can edit an existing TGW site configuration to add VPC attachments.
Step 4: Optionally, perform TGW network configuration.
- In the Network Configuration section, click Configure.
- Click Show Advanced Fields to enable the advanced options.
- From the Manage Static Routes for Inside Network menu, select Manage Static Routes and configure the List of Static Routes field per the following guidelines:
  - Click Add Item.
  - Select Simple Static Route and enter a static route in the Simple Static Route field. Or, select Custom Static Route, click Configure, and perform the following steps:
    - In the Subnets section, click Add Item and then select IPv4 or IPv6 from the Version menu. Enter a prefix and prefix length for your subnet. Click Add Item to set more subnets.
    - In the Nexthop section, select a next-hop type from the Type menu. Select IPv4 or IPv6 from the Version menu in the Address section, and enter an IP address accordingly.
    - From the Network Interface menu, select a network interface or click Create new network interface to create and apply a new network interface.
    - In the Static Route Labels section, select supported labels from the Static Route Labels menu. You can select more than one from this list.
    - In the Attributes section, select supported attributes from the Attributes menu. You can select more than one from this list.
    - Click Apply to add the custom route.
- Select Manage Static routes from the Manage Static Routes for Outside Network menu, and click Add Item for the Static route list field. Follow the same procedure as for managing the static routes for the inside network.
- Click Apply.
Note: You can use the Add Item button to add multiple inside and outside networks.
- Select Connect Global Networks from the Select Global Networks to Connect menu.
- Click Add Item.
- Select an option from the Select Network Connection Type menu.
- Select a global network object from the displayed list or select the Create new global vn option from the Global Virtual Network menu. If you select Create new virtual network, the global network creation form opens. Create a global network using the guided form and click Continue to apply the network to the global network connection configuration.
- Click Apply to apply the TGW network configuration.
Step 5: Optionally, perform TGW security configuration.
- In the Security Configuration section, click Configure.
- From the Manage Forward Proxy menu, select a forwarding policy:
  - Disable Forward Proxy: This is the default option and will not forward traffic.
  - Enable Forward Proxy with Allow All Policy: This option forwards all traffic.
  - Enable Forward Proxy and Manage Policies: This option forwards traffic based on the policy you select or specify. In the List of Forward proxy policy menu, select an existing proxy policy or select Create new forward proxy policy to create a new policy.
- From the Manage Network Policy menu, select Active Network Policies.
- Select an existing network policy or select Create new network policy view. After creating the policy, click Continue to apply it.
- In the Manage East-West Service Policy section, select an option from the Manage East-West Service Policy drop-down menu:
  - Disable East-West Service Policy: This is the default option and will not use a proxy for East-West traffic.
  - Enable East-West Service Policy: This option uses a proxy for East-West traffic. Click Add item to select an existing policy or select Create new service policy from the menu to create a new policy.
  - Enable East-West traffic Proxy with Allow All Policy: This option sends all East-West traffic through a proxy for monitoring.
- Click Apply.
Step 6: Optionally, set up geographical site information.
- In the Software Configuration section, click Show Advanced Fields.
- Enter the geographical address and/or latitude and longitude for the site location.
Step 7: Complete AWS TGW site object creation.
- In the Advanced Configuration section, click Show Advanced Fields.
- From the Logs Streaming menu, select Enable Logs Streaming and then select a log receiver or create a new log receiver.
- From the Select Volterra Software Version menu, select an option.
- From the Select Operating System Version menu, select an option.
- Optionally, add a site to site tunnel IP and additional AWS tags.
- Click Save and Exit to complete creating the AWS TGW site object.
The Status field for the AWS TGW object displays Generated.
Deploy Site
Creating the AWS TGW site object in Console generates the terraform parameters. You can deploy the site using automatic or assisted deployment, depending on your AWS TGW object configuration.
Automatic Deployment
Perform this procedure if you created the TGW object with the Automatic Deployment option.
- Navigate to the AWS TGW site object by clicking Manage > Site Management > AWS TGW Sites.
- Find your AWS TGW site object and click Apply under the Actions column. The Status field for your AWS TGW site object changes to Apply Planning.
Note: Optionally, you can perform the terraform plan activity before deployment. Find your AWS TGW site object and click ... > Plan to start the terraform plan action. This creates the execution plan for terraform.
- Wait for the apply process to complete and the status to change to Applied.
Note: You can check the status of the apply action. Click ... > Terraform Parameters for your AWS TGW site object and then click the Apply Status tab.
- Navigate to Sites > Sites List.
- Find your site in the displayed list and verify that the status is ONLINE. It may take a few minutes for the site to deploy and the status to change to ONLINE.
Assisted Deployment
Perform this procedure if you created the AWS TGW object with the Assisted Deployment option.
- Download the terraform variables for assisted deployment:
  - Navigate to the created AWS TGW site object by clicking Manage > Site Management > AWS TGW Sites.
  - Find your AWS TGW site object and click ... > Terraform Parameters for it.
  - Copy the parameters to a file on your local machine.
- Download the volt-terraform container:
docker pull gcr.io/volterraio/volt-terraform
- Run the terraform container:
docker run --entrypoint tail --name terraform-cli -d -it \
  -w /terraform/templates \
  -v ${HOME}/.ssh:/root/.ssh \
  gcr.io/volterraio/volt-terraform:latest \
  -f /dev/null
- Copy the downloaded terraform variables file to the container. The following example copies it to the /var/tmp folder on the container:
docker cp /Users/ted/Downloads/system-aws-tgw-a.json terraform-cli:/var/tmp
- Download the API certificate from Console and copy it to the container:
docker cp /Users/ted/Downloads/playground.console.api-creds.p12 terraform-cli:/var/tmp
Note: See the Generate API Certificate guide for information on API credentials.
- Enter the terraform container:
docker exec -it terraform-cli sh
- Configure the AWS API access key and secret key:
aws configure
Note: For more information, refer to the AWS documentation.
- Change to the AWS TGW template directory:
cd /terraform/templates/views/assisted/aws-tgw-volt-node
- Set the environment variables needed for the Distributed Cloud Services provider:
  - VOLT_API_P12_FILE: The path to the API certificate file.
  - VES_P12_PASSWORD: The API credentials password. This is the password that you set while downloading the API certificate.
  - VOLT_API_URL: The tenant URL.
  Change the values per your setup. See the following examples:
export VOLT_API_P12_FILE="/var/tmp/playground.console.api-creds.p12"
export VES_P12_PASSWORD=<api_cred_password>
export VOLT_API_URL="https://playground.console.ves.volterra.io/api"
export TF_VAR_akar_api_url=$VOLT_API_URL
- Deploy the nodes by executing the terraform commands:
terraform init
terraform apply -var-file=/var/tmp/system-aws-tgw-a.json
Note: The terraform init command downloads the terraform providers defined in the module. When the terraform apply command is executed, it prompts the user for input to proceed.
- Enter yes to begin deploying the node(s) and wait for the deployment to complete.
- Navigate to Sites > Sites List.
- Find your site in the displayed list and verify that the status is ONLINE. It may take a few minutes for the site to deploy and the status to change to ONLINE.
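A terraform apply that fails part-way because a provider variable was left at its placeholder, the certificate path is wrong, or the variables file was truncated during copy leaves half-provisioned AWS resources to clean up. The following pre-flight script is an added example, not part of the volt-terraform container or the page's procedure; it assumes Python 3 is available where you run it (inside the container or on the host with the same files present). The variable names are the ones the procedure above exports; the checks themselves are this example's own.

```python
"""Pre-flight checks for the assisted-deployment variables exported above.

Added example, not part of the volt-terraform container or the page's
procedure. Assumes Python 3; variable names follow the page, checks are ours.
"""
import json
import os
import sys
from urllib.parse import urlparse


def check_env(env, file_exists=os.path.isfile):
    """Return a list of problems with the provider variables (empty list = ready)."""
    problems = []

    p12 = env.get("VOLT_API_P12_FILE", "")
    if not p12:
        problems.append("VOLT_API_P12_FILE is not set")
    elif not file_exists(p12):
        problems.append(f"VOLT_API_P12_FILE does not exist: {p12}")

    password = env.get("VES_P12_PASSWORD", "")
    if not password or password.startswith("<"):
        # Catches the literal <api_cred_password> placeholder from the page's example.
        problems.append("VES_P12_PASSWORD is empty or still a placeholder")

    url = env.get("VOLT_API_URL", "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        # The client certificate is only protected in transit over TLS.
        problems.append("VOLT_API_URL must be an https:// tenant URL")

    if env.get("TF_VAR_akar_api_url") != url:
        problems.append("TF_VAR_akar_api_url must equal VOLT_API_URL")
    return problems


def check_var_file(text):
    """Return problems with the terraform variables file copied from Console."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"variables file is not valid JSON (truncated copy?): {exc}"]
    if not isinstance(data, dict) or not data:
        return ["variables file must be a non-empty JSON object"]
    return []


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} /var/tmp/system-aws-tgw-a.json", file=sys.stderr)
        return 2
    problems = check_env(os.environ)
    with open(argv[1], encoding="utf-8") as fh:
        problems += check_var_file(fh.read())
    for problem in problems:
        print("preflight:", problem, file=sys.stderr)
    print("preflight: ok" if not problems else "preflight: fix the problems above before terraform apply")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 preflight.py /var/tmp/system-aws-tgw-a.json` after the export lines and before `terraform init`; a non-zero exit stops a shell pipeline such as `python3 preflight.py ... && terraform apply ...`. The file-existence check is injectable so it can be exercised without the real certificate present.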
Delete AWS TGW Site
Perform one of the following procedures to delete the AWS TGW site:
Automatic Deployment:
- Navigate to the AWS TGW site object by clicking Manage > Site Management > AWS TGW Sites.
- Find your AWS TGW site object and click ... > Delete.
- Click Delete in the confirmation window.
Note: Deleting the AWS TGW site object deletes the sites and nodes from the VPC and deletes the VPC. If the delete operation does not remove the object and returns any errors, check the errors in the status, fix them, and then re-attempt the delete operation. If the problem persists, contact technical support. You can check the status using the ... > Terraform Parameters > Apply status option.
Assisted Deployment:
Step 1: Delete the terraform deployment.
- Enter the terraform container:
docker exec -it terraform-cli sh
- Change to the AWS TGW template directory:
cd /terraform/templates/views/assisted/aws-tgw-volt-node
- Destroy the site objects from AWS by executing the following terraform commands:
terraform init
terraform destroy -var-file=/var/tmp/system-aws-tgw-a.json
Note: When the terraform destroy command is executed, it prompts the user for input to proceed.
- Enter yes and wait for the destroy process to complete.
Step 2: Delete the site from Console.
- Navigate to the AWS TGW site object by clicking Manage > Site Management > AWS TGW Sites.
- Find your AWS TGW site object and click ... > Delete.
- Click Delete in the confirmation window.