You’re convinced that hosting your mission-critical applications on the AWS public cloud is the right choice for your business. You need to host hundreds of web application, database, Oracle, SAP and Microsoft servers. How do you host these applications across many VPCs without creating a networking nightmare? Will a single VPC scale to your demands? How about 2 VPCs? 10? 200? 500? Once you scale past roughly 10 VPCs, networking between regions and physical locations becomes a challenge: managing VPN endpoints per VPC and building a full mesh between every site becomes complex and unmanageable. That’s why AWS came up with the “Transit VPC” solution, which removes the complexity of VPC-to-VPC and VPC-to-physical-location networking. Built on the Cisco CSR1000v, the most widely deployed network appliance on AWS, the Transit VPC delivers a highly available hub that centralizes security, firewall and routing functions at a single point that is scalable and easy to manage. AWS uses the CSR1000v because it is the only network appliance on AWS that delivers the features needed to make the Transit VPC work.
Cisco CSR1000v on AWS: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws/awsinstall.html
What is the “Transit VPC”?
Think of it as a central or DMZ VPC in which the admin spins up two CSR1000vs as a high-availability pair. The Transit VPC resources, the CSR1000v instances and their network configuration are created automatically by a click-to-launch button that drives AWS CloudFormation, an S3 bucket and a Lambda function. The automation builds the encrypted tunnels through which the spoke VPCs running your applications connect to the CSR1000vs. The CSR1000v reaches physical locations either over Direct Connect with encrypted overlay tunnels, or over the internet with IPsec tunnels.
Highlights:
- The AWS Transit VPC Marketplace listing based on the Cisco CSR1000v lets you “click and launch”.
- CloudFormation automatically creates the resources needed in the Transit VPC and launches the CSR1000vs.
- An AWS Lambda function automatically pushes the high-availability and tunnel configuration down to the CSRs.
- Spoke VPCs are attached automatically: tag a spoke VPC’s virtual private gateway and the solution creates its VPN connections to the CSRs.
The Transit VPC solution with the CSR1000v becomes the secure access point to any of your mission-critical workloads running in AWS: only the admin and the users the admin entitles can reach the applications, and the work of choosing and wiring together the underlying technologies is done for you, so users simply connect securely. Headaches gone.
For more information on the AWS-Cisco based Transit VPC Solution see:
https://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/overview.html
Post Written By: Tony Banuelos, Product Manager for the CSR 1000v
Interesting – does this solution handle NAT for VPCs that may have overlapping address space?
Hi Jo,
The solution can handle NAT for VPCs with overlapping address spaces.
Thanks,
Matthew
Hi,
I have managed to deploy the Transit VPC using AWS CloudFormation. The CSRs were installed in the Transit VPC and the VPN connections were created automatically for tagged Virtual Private Gateways in the spoke VPCs. However, the tunnels won’t come up, even when I have VMs in the spoke and transit VPCs ping each other. Any suggestion on where to find information on troubleshooting this issue is much appreciated.
Hi KD,
The best place to look for details is the Cisco IPSec troubleshooting guides found here:
– http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
If you are running the CSR 1000v on demo licenses then you can use our support forum to post questions and search for answers. The forum can be found here:
– https://supportforums.cisco.com/community/12147456/cisco-cloud-service-router-csr-public-cloud
If you have purchased CSR 1000v licenses you can contact TAC for support:
– http://www.cisco.com/c/en/us/support/routers/cloud-services-router-1000v/model.html
Best Regards,
Matthew
Hi KD,
We have identified what you have experienced as an issue with the solution and are working with AWS on a fix now. In the meantime you can get around the issue with the following steps:
– Terminate 2xCSR
– Remove TransitVPC S3 bucket
– Remove VPC “TransitVPC”
– Delete the CloudFormation stack
– Relaunch the solution
Hope this helps.
Regards,
Matthew
I tested the Transit VPC and am impressed with the automation. Got a few questions :
1) For linking the Transit VPC to Direct Connect, I need to have a VGW both anchoring the private virtual interfaces and getting tagged for VPN connection auto-linkage. Is it the only way?
2) Since the Cisco CSR is auto-configured by AWS Lambda, what degree of manual configuration is suggested without jeopardizing the automation?
Hi Keith,
1) Yes. You can use a VGW to connect the Transit VPC with your on-prem network through Direct Connect, and this is the way that involves the least configuration. Meanwhile, we are working with AWS on alternative ways to leverage Cisco DMVPN and other technologies. Please stay tuned.
2) If you take a look at the CloudFormation template or the Lambda, the automation takes care of the site-to-site IPsec and BGP configuration. As long as your CLI changes don’t touch these, it should be fine. Direct CLI may be needed if you want to manipulate the routes in the CSR. For example, each spoke VPC is in a different VRF, and by default they can talk to each other because the VRFs import/export the same RT (route target); if you want to segment the connectivity, you probably need to change that via the CLI. Besides, the CLI is also useful for troubleshooting.