AWS Transit Gateway Connect Plugin
The 128T-aws-transit-gateway-connect plugin provides integration between an SSR and a Transit Gateway. It does so with the use of BGP for sharing routes and GRE tunnels to encapsulate the BGP traffic as well as any other traffic to be sent to the Transit Gateway.
The instructions for installing and managing the plugin can be found here.
Version Restrictions
The router configuration that is generated is only compatible with SSR versions which have native GRE support (128T >= 5.2.0).
The plugin is designed to operate on an AWS conductor. Installing the plugin on a non AWS environment can cause delay with config commits for up to 5 seconds. Please refer to the link here on how to identify EC2 linux instances.
Terms
General Terms:
- Transit Gateway - A cloud router which connects VPCs and on-premise networks through a central hub.
- Virtual Private Cloud (VPC) - A logically isolated virtual network in AWS where resources exist.
- Transit Gateway Attachment - How the Transit Gateway attaches to a network.
Transit Gateway Connect Terms:
- Transit Gateway Connect - A logical unit containing the Connect Attachment, Transport Attachment, a Connect VPC, and the SSR.
- Transit Gateway Connect Attachment - A new type of Transit Gateway Attachment which operates on top of an existing Transport Transit Gateway Attachment.
- Transport Transit Gateway Attachment - An attachment on top of which a Connect Attachment is created. Must be either of type VPC or VPN.
- Transit Gateway Connect Peer - A peer that communicates over GRE and with BGP to the Transit Gateway Connect. In our case, this is an SSR.
Approach
Configure the following components, in order:
- Transit Gateway
- Transport Transit Gateway Attachment
- Transit Gateway Connect Attachment
- Additionally, the routing tables must be configured to transport the GRE traffic to the Transit Gateway network interface.
The plugin interacts with the AWS APIs to identify an existing "Connect Peer" that applies to the given node. Matching is based on the network interface IP address and the Connect Peer's peer address. If there is no existing Connect Peer, the plugin creates one on behalf of the user. The plugin chooses the first available
Transit Gateway Connect Attachment to create the Transit Gateway Connect Peer.
This logic collects the necessary data for the plugin to generate the appropriate BGP and GRE configuration for connection.
Setup Credentials on the Conductor
Use the following steps to configure the Conductor to query and create AWS objects. On each Conductor node:
- Install the AWS CLI if not already installed.
- Configure AWS CLI using
aws configure
. Be sure to specify the credentials, andjson
for theoutput
.
Configuration Snippet
To determine which nodes/interfaces are to be used to connect to the transit gateway, the plugin configuration datamodel needs a tagging mechanism on the network-interface
's address
to let the plugin know which interfaces are to be used for peering.
router
node
device-interface base
network-interface base-intf
address
ip-address 10.10.10.10
prefix-length 24
gateway 10.10.10.11
aws-transit-gateway-connect
enable true
exit
exit
exit
exit
exit
exit
If the router you are tagging is in a different region than the conductor, you must configure the region of the router.
router
aws-transit-gateway-connect
region us-west-2
exit
exit
Restrictions
- Due to the nature of tagging a specific
address
under thenetwork-interface
, this plugin only supports peering over an interface with a static IP address.
Troubleshooting
Configuration Generation
The /var/log/128technology/persistentDataManager.log
file at trace level will show whether the configuration generation was run, as well as output and return code.
Configuration generation logs can be found on the conductor under /var/**log**/128technology/plugins/aws-transit-gateway-connect-generate-configuration.log
.
Helpful Commands
After the configuration is generated, the BGP peering status can be queried on the SSR side using the following commands on the router:
show bgp
show bgp neighbors
show bgp summary
On the AWS Portal, under VPC
> Transit Gateway Attachments
> <your connect attachments>
> Connect peers
, there will be entries for the SSR as a connect peer and the BGP status.
Appendix
Example Configuration Generation
With the example configuration and the following AWS TGW connect peer
Field | Value |
---|---|
TGW GRE IP | 10.128.2.201 |
TGW BGP IP 1 | 169.254.192.26 |
TGW BGP IP 2 | 169.254.192.27 |
SSR GRE IP | 10.128.2.25 |
SSR BGP IP | 169.254.192.25 |
The following config will be generated:
The base
device-interface already exists and the gre
network-interface is generated under the base
device-interface.
router
node
device-interface base
network-interface gre
name gre
type gre-tunnel
tunnel
destination 10.128.2.201
source
network-interface
exit
exit
exit
exit
device-interface bgp
name bgp
description "Auto-generated host KNI interface for aws-transit-gateway-connect"
type host
network-interface bgp-intf
name bgp-intf
type external
address 169.254.192.25
ip-address 169.254.192.25
prefix-length 29
exit
exit
exit
exit
routing default-instance
type default-instance
routing-protocol bgp
type bgp
local-as 64512
router-id 169.254.192.25
address-family ipv4-unicast
afi-safi ipv4-unicast
exit
neighbor 169.254.192.26
neighbor-address 169.254.192.26
neighbor-as 64512
transport
local-address
node Node1
interface bgp-intf
exit
exit
address-family ipv4-unicast
afi-safi ipv4-unicast
next-hop-self true
exit
exit
neighbor 169.254.192.27
neighbor-address 169.254.192.27
neighbor-as 64512
transport
local-address
node Node1
interface bgp-intf
exit
exit
address-family ipv4-unicast
afi-safi ipv4-unicast
next-hop-self true
exit
exit
redistribute connected
protocol connected
exit
exit
static-route 169.254.192.26/32 1
destination-prefix 169.254.192.26/32
distance 1
next-hop-interface Node1 gre
node Node1
interface gre
exit
exit
static-route 169.254.192.27/32 1
destination-prefix 169.254.192.27/32
distance 1
next-hop-interface Node1 gre
node Node1
interface gre
exit
exit
exit
exit
Release Notes
Release 1.1.1
Issues Fixed
PLUGIN-1311 Commit on conductor could take up to 2 minutes to complete with plugin installed when conductor is not runnning inside AWS, even if the plugin was unconfigured.
PLUGIN-1343 Unnecessary additional steps needed to set up AWS CLI to utilize TGW Connect APIs.
PLUGIN-1322 Assets would become stuck in connected state after uninstalling plugin.