SAP-C02 Amazon AWS Certified Solutions Architect Professional – New Domain 5 – Continuous Improvement for Existing Solutions Part 3
35. Overview of Transit Gateways
Hey everyone and welcome back. In today’s video we will be discussing AWS Transit Gateways. A transit gateway is basically a network transit hub that you can use to interconnect your VPCs and your on-premises network. This diagram makes it easier to understand. Here you have a transit gateway and there are multiple VPCs attached to it: VPC 1 over here and VPC N, so this can be two VPCs, three VPCs or more. All of them are connected to the transit gateway. Once you set the routes properly, all of these VPCs will be able to communicate with each other. Let’s say VPC 1 wants to connect to VPC 2: the traffic goes to the transit gateway, and from the transit gateway it is forwarded on to the other VPC. One of the very important use cases is that on-premises networks can also be attached to the transit gateway.
If you look into this more expanded diagram, you have multiple VPCs over here, you have a transit gateway, and here you have the on-premises data center with an IPsec tunnel over here. This also connects to the transit gateway, and if the routes are correct, you will be able to interconnect all the attachments made to the transit gateway. Typically, if you go ahead and design a full mesh of VPC peering connections, it becomes really messy; with the transit gateway architecture it is much easier to control things, because every forwarding decision is centralized in the transit gateway route tables. Now it is important to understand some of the terminology of transit gateways. We’ll have a demo after we discuss the concepts so that it becomes easier to understand. The first term is the attachment. You can attach a VPC or a VPN connection to the transit gateway, and anything that you attach to the transit gateway is referred to as an attachment. Do remember that at the time of this recording, January 2019, Direct Connect could not be attached to a transit gateway (support for Direct Connect gateway attachments was added later in 2019, so check the current documentation).
So you only have the option of VPCs and VPN tunnels. That is the attachment part. Second is the transit gateway route table. A route table, as I hope you already know, can include static as well as dynamic routes, and it tells the transit gateway which attachment is the next hop for a given destination, based on the routing that you configure. Whatever attachment you create, let’s say you attach this VPC to a transit gateway, that attachment can be associated with exactly one route table, although one route table can have many attachments associated with it. The third term is association: you associate an attachment with a route table, and the route table associated with an attachment is the one used to forward the traffic that comes in from that attachment. The last one is route propagation. A VPC or a VPN attachment can dynamically propagate its routes into a transit gateway route table.
Now, when it comes to a VPC, the transit gateway can learn the VPC CIDR through propagation, but you must still create static routes in the VPC’s own route tables that point the other CIDRs at the transit gateway; the transit gateway never modifies your VPC route tables for you. For VPN connections, routes are exchanged between the transit gateway and the on-premises router using the Border Gateway Protocol (BGP). So this is the theoretical perspective. Let me give you a quick demo so that it becomes much more interesting. I’m in my transit gateway console. Transit gateways are under the VPC console: if you go into the VPC console and scroll down a bit, you have the option for Transit Gateways. Within transit gateways, you see that I have one transit gateway which is currently available. If you look into the attachments over here, we already discussed that you can attach VPCs or even an on-premises VPN. Currently I have three attachments: VPC one, VPC two and VPC three.
So there are three VPCs currently attached to the transit gateway, and you also have the transit gateway route table. If you look into the associations, each one has the attachment ID and the resource ID over here. Along with that, let me quickly go to the EC2 console. There are three EC2 instances available over here, and each of these EC2 instances is in a different VPC. If you see here, the instance named my EC2 one is in the VPC whose ID ends with a17. The second EC2 instance is in a VPC ending with 92d, and the third EC2 instance is in one ending with 50f. So all these EC2 instances are in different VPCs. Now let me quickly show you whether things are working or not. I’ll quickly log into one of the EC2 instances here. This is the EC2 instance; I am connected via the CLI. If I quickly run ifconfig, the IP address is 172.31.89.145, so this is the default VPC. Let’s do one thing from here: let’s try to ping the EC2 instance in VPC two.
It has an IP in the 172.16 range. So let me try and ping here, and you see you are getting the reply perfectly. Similarly, let’s try to ping another EC2 instance in a different VPC. I’ll just copy this; it starts with 10.77, and if I ping here again, you are able to get a perfect reply. Now, there is no VPC peering that we have done here. In fact, if you want to see that, let me open up one of the VPCs, the default VPC where we had logged in. If you look into the VPC here, it has the CIDR 172.31.0.0/16. If you look into the subnets, these are the subnets, and if you look into the peering connections, there are no peering connections established. Now, if you look into the route table, this is where it becomes easier to understand. Here you have various routes. This is the local route here.
And for the other VPC, which is in the 10.77.0.0/16 range, the target is the transit gateway, and the same goes for the destination 172.16.0.0/16: the target here is the transit gateway. Typically, if you want to establish communication between two VPCs and you have peering established, the target would be the peering connection. Here, instead of the peering connection, it is the transit gateway. So this is what a high-level demo of a transit gateway looks like. I hope this video has been informative for you, and in the next video we’ll discuss in detail how we can create transit gateways and establish the connectivity. I look forward to seeing you in the next video.
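To make the four terms above concrete (attachment, transit gateway route table, association, route propagation), here is an added Python model of how a transit gateway forwards traffic. It is example code written for this page, not AWS code or code from the course. It assumes three VPC attachments with the CIDRs used in the video (172.31.0.0/16, 172.16.0.0/16, 10.77.0.0/16) plus an assumed on-premises VPN attachment advertising 192.168.0.0/16 over BGP; the attachment IDs are made up. It compares the default design (one route table, every attachment associated and propagated into it, so everything can reach everything) with a segmented design in which the spoke VPCs can reach on-premises but not each other.

```python
"""Model of Transit Gateway routing: attachments, route tables, associations,
propagation and longest-prefix lookup. Constructed example, not AWS code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Attachment:
    id: str
    kind: str          # "vpc" or "vpn"
    cidrs: list        # prefixes this attachment propagates (VPC CIDR, or BGP-learned for VPN)


@dataclass
class TgwRouteTable:
    name: str
    routes: dict = field(default_factory=dict)   # ip_network -> attachment id

    def add_static(self, cidr, target):
        self.routes[ipaddress.ip_network(cidr)] = target

    def propagate(self, att):
        # Route propagation: every prefix of the attachment lands in this table.
        for cidr in att.cidrs:
            self.routes[ipaddress.ip_network(cidr)] = att.id

    def lookup(self, dst_ip):
        # Longest-prefix match; None means no route, so the packet is dropped.
        ip = ipaddress.ip_address(dst_ip)
        candidates = [(net, tgt) for net, tgt in self.routes.items() if ip in net]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]


class TransitGateway:
    def __init__(self):
        self.attachments = {}
        self.tables = {}
        self.association = {}   # attachment id -> table name: exactly one table per attachment

    def add_table(self, name):
        self.tables[name] = TgwRouteTable(name)
        return self.tables[name]

    def attach(self, att, table_name):
        self.attachments[att.id] = att
        self.association[att.id] = table_name

    def forward(self, src_att_id, dst_ip):
        """Traffic entering from an attachment is looked up in the table it is associated with."""
        table = self.tables[self.association[src_att_id]]
        target = table.lookup(dst_ip)
        return target if target in self.attachments else None


# Attachment IDs are made up; the VPC CIDRs are the ones shown in the video.
VPC1 = Attachment("tgw-attach-vpc1", "vpc", ["172.31.0.0/16"])   # default VPC
VPC2 = Attachment("tgw-attach-vpc2", "vpc", ["172.16.0.0/16"])
VPC3 = Attachment("tgw-attach-vpc3", "vpc", ["10.77.0.0/16"])
ONPREM = Attachment("tgw-attach-vpn", "vpn", ["192.168.0.0/16"])  # assumed on-prem prefix via BGP


def reachability(tgw):
    """For each source attachment: can a host in every other attachment be reached?"""
    hosts = {a.id: str(ipaddress.ip_network(a.cidrs[0])[10]) for a in tgw.attachments.values()}
    return {src: {dst: tgw.forward(src, ip) == dst for dst, ip in hosts.items() if dst != src}
            for src in tgw.attachments}


def flat_design():
    """Console defaults: one table, default association and propagation for every attachment."""
    tgw = TransitGateway()
    default = tgw.add_table("default")
    for att in (VPC1, VPC2, VPC3, ONPREM):
        tgw.attach(att, "default")
        default.propagate(att)
    return reachability(tgw)


def segmented_design():
    """Spokes talk to on-prem only: the spoke table never learns another spoke's prefix."""
    tgw = TransitGateway()
    spokes = tgw.add_table("spokes")
    hub = tgw.add_table("hub")
    for att in (VPC1, VPC2, VPC3):
        tgw.attach(att, "spokes")
        hub.propagate(att)        # hub table learns every spoke prefix
    tgw.attach(ONPREM, "hub")
    spokes.propagate(ONPREM)      # spoke table learns only the on-prem prefix
    return reachability(tgw)


if __name__ == "__main__":
    print("flat:", flat_design())
    print("segmented:", segmented_design())
```

The point of the two scenarios is that isolation on a transit gateway is purely a route table decision: an attachment is associated with exactly one table, and it can only reach destinations that table has a route for. The model also ignores security groups and network ACLs, which still apply inside each VPC after the transit gateway delivers the packet.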
36. Practical – Transit Gateway
Hey everyone and welcome back. In today’s video we will look into how we can configure transit gateways in practice. The overall architecture we’ll build is similar to what we saw in the earlier video: we have two VPCs, both of them attached to a transit gateway, and we verify the connectivity between them. In order to do that, we are in the AWS Management Console, and the first thing we need to do is go to the VPCs. As a prerequisite I assume that you have two VPCs up and running. I have two VPCs and I also have two EC2 instances. The first EC2 instance is in the default VPC over here and the second EC2 instance is in the second VPC. VPC creation is quite simple; let me quickly show you. Currently I have three VPCs, but for this demo I’ll make use of only two. This is the default VPC, which comes in every region, so this is something you do not have to create. You will have to create one more VPC and give it a CIDR; in my case it is 172.16.0.0/16. Let me quickly show you that VPC here.
In this VPC I have an internet gateway attached so that my instance can connect to the internet. So this is the simple setup, and I assume you will be able to do this. Once we have that, let’s go a bit down, and we have the option for Transit Gateways. Let’s click on Transit Gateways here. Currently I have one transit gateway in the deleted state; this was the transit gateway we had used for the demo. Make sure that after you complete the practical, you go ahead and delete your transit gateway. If you look into the transit gateway pricing, you are charged per attachment per hour (around $0.05 per attachment-hour at the time of recording) plus a per-GB data processing charge, so if you just leave it for a day or two, you will get charged for that. Anyways, the first thing we do is click on Create Transit Gateway. You’ll have to give a name tag; I’ll call it my transit demo. We’ll leave everything else as default for the time being. Note that the defaults enable default route table association and default route table propagation, which means every attachment you add is placed into one shared route table and can reach every other attachment; if you need isolation between some VPCs, disable those two options and build separate route tables instead. Let’s click on Create Transit Gateway. The transit gateway request has succeeded, and you see that this is the transit gateway.
The state is pending. It takes around one or two minutes for the state to become available, so let’s quickly wait. All right, it took around two minutes and our transit gateway is ready. The next thing to click on is Transit Gateway Attachments. These were the attachments we had used for the demo. As we discussed in the slides, we can attach an on-premises VPN as well as VPCs, and whatever attachment you want to associate with the transit gateway is created over here. Let’s click on Create Transit Gateway Attachment. There are two attachment types: VPC and VPN. In the Transit Gateway ID we select the transit gateway we just created. For the attachment name, let me call it VPC Demo One. Here we have to select the VPC; I’ll select the default VPC, which has the CIDR block 172.31.0.0/16, I’ll use all of its subnets, and I’ll click on Create attachment. Great, the attachment request has succeeded.
Again, this also takes a minute or two. Meanwhile, let’s also attach the second VPC to the same transit gateway. I’ll call it Demo VPC Two, and the VPC ID this time is the one with the CIDR 172.16.0.0/16. There are two subnets. I’ll click on Create attachment. Great, the attachment request has been processed. Let’s wait a moment for both of these states to become available. All right, both attachments are now available. Now, if you look into the transit gateway route table and its associations, you will see that both VPCs are associated, and within the routes you have both VPC CIDRs present, propagated from the attachments. So now let’s connect to one of the EC2 instances here. Great, I am connected to the EC2 instance. This is 172.31.89.145, the same as here. From this EC2 instance, let’s try and ping the second EC2 instance over its private IP.
So let me do a ping here, and currently the ping is not happening. If I quickly show you the security group, it has all ICMP allowed inbound. In case you want to see how to enable ICMP: if you look into the inbound rules, this is All ICMP - IPv4, so if you add a rule, select the IPv4 version of ICMP traffic here. Keep in mind that the rule’s source also has to cover the other VPC’s CIDR, because the traffic arrives with its original private source IP; scope it to the peer CIDR rather than to anywhere in a real design. So the connectivity is still not present, and the reason is the route table. Let’s go to the default VPC over here and look into its route table, which is the main route table. Within the routes you only have two: one local and one for the internet. You do not have a route for the 172.16.0.0/16 network. This is something you add directly in the VPC route table, so I’ll say 172.16.0.0/16.
This is the CIDR of the second VPC, and the target this time is Transit Gateway. I select the transit gateway we created for this demo. Ideally the old transit gateway should not appear in the list, because it is in the deleted state; let’s quickly verify. If I go to Transit Gateways, you see the other one, ending in 8, is in the deleted state. Anyways, I’ll consider this a bug, so just make sure you select the right transit gateway ID, which is the one ending in 6c4. All right, I’ll click on Save routes. Great, that is the first part. Now you also have to change the routes of the other VPC, which is the 172.16 VPC. Let’s add a route over here: 172.31.0.0/16, which is the CIDR of our default VPC; I’ll send it to the transit gateway ending in 6c4 and click on Save routes. Now, let’s also verify: there is a second route table in this VPC.
Let’s also add the same route here: 172.31.0.0/16, with the target set to the transit gateway ending in 6c4, and save the route. Great. Once the route is saved, let’s go back to the EC2 instance. I am already logged into this EC2 instance, which is in the default VPC. From this EC2 instance we’ll try and ping the second EC2 instance, which is in the 172.16 VPC. Let’s do a ping with a count of four; I’ll copy the private IP, and you see the connectivity is perfectly established. So this is the high-level overview of what transit gateways are all about.
Again, for the practical, make sure that once you have done and tested everything, you go ahead and delete the attachments and the transit gateway; otherwise you’ll get charged. Along with that, if you have more VPCs (currently we had only two), you follow the same steps: create an attachment for each VPC and add a route for every other VPC’s CIDR, pointing at the transit gateway, in each of that VPC’s route tables. So this is the high-level overview of transit gateways in practice. I hope this video has been informative for you and I look forward to seeing you in the next video.
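The failure in the practical (attachments available, ping dead, because one VPC route table had no route for the peer CIDR) and the near miss with the deleted transit gateway still showing in the dropdown are both easy to catch with a script. The following added Python audit is example code written for this page, not the course’s or AWS’s. It takes data in the shape of the EC2 API responses from describe_transit_gateway_vpc_attachments, describe_vpcs and describe_route_tables (here constructed inline with made-up IDs, mirroring the state of the demo just before the routes were added) and reports every route table of an attached VPC that lacks a route to another attached VPC, or whose route points at the wrong transit gateway. With boto3 you would feed it the real responses instead of the constants.

```python
"""Audit: every VPC attached to a transit gateway should have, in each of its route
tables, a route for every other attached VPC's CIDR that targets that same transit gateway.
Constructed example; input shapes follow the EC2 API, the IDs are made up for the demo."""

TGW_ID = "tgw-0000000000006c4"   # assumed id; the gateway in the video ends in "6c4"

ATTACHMENTS = [   # describe_transit_gateway_vpc_attachments()["TransitGatewayVpcAttachments"]
    {"TransitGatewayAttachmentId": "tgw-attach-0a17", "TransitGatewayId": TGW_ID,
     "VpcId": "vpc-0a17", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-092d", "TransitGatewayId": TGW_ID,
     "VpcId": "vpc-092d", "State": "available"},
]
VPCS = [  # describe_vpcs()["Vpcs"]
    {"VpcId": "vpc-0a17", "CidrBlock": "172.31.0.0/16"},   # default VPC
    {"VpcId": "vpc-092d", "CidrBlock": "172.16.0.0/16"},   # second VPC
]
ROUTE_TABLES = [  # describe_route_tables()["RouteTables"], as things stood before the fix
    {"RouteTableId": "rtb-main-0a17", "VpcId": "vpc-0a17", "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"},
        # no route for 172.16.0.0/16: this is why the first ping failed
    ]},
    {"RouteTableId": "rtb-092d-a", "VpcId": "vpc-092d", "Routes": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "172.31.0.0/16", "TransitGatewayId": TGW_ID, "State": "active"},
    ]},
    {"RouteTableId": "rtb-092d-b", "VpcId": "vpc-092d", "Routes": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
        # route saved against the old, deleted transit gateway that was still listed in the console
        {"DestinationCidrBlock": "172.31.0.0/16", "TransitGatewayId": "tgw-00000000000000008",
         "State": "blackhole"},
    ]},
]


def audit_tgw_routes(tgw_id, attachments, vpcs, route_tables):
    """Return findings as (route_table_id, expected_cidr, problem) tuples; empty means healthy."""
    cidr_of = {v["VpcId"]: v["CidrBlock"] for v in vpcs}
    attached = [a["VpcId"] for a in attachments
                if a["TransitGatewayId"] == tgw_id and a["State"] == "available"]
    findings = []
    for rt in route_tables:
        if rt["VpcId"] not in attached:
            continue                      # route tables of unattached VPCs are out of scope
        peers = [cidr_of[v] for v in attached if v != rt["VpcId"]]
        routes = {r["DestinationCidrBlock"]: r for r in rt["Routes"]}
        for cidr in peers:
            r = routes.get(cidr)
            if r is None:
                findings.append((rt["RouteTableId"], cidr, "no route"))
            elif r.get("TransitGatewayId") != tgw_id:
                target = r.get("TransitGatewayId") or r.get("GatewayId")
                findings.append((rt["RouteTableId"], cidr, f"wrong target {target}"))
            elif r.get("State") != "active":
                findings.append((rt["RouteTableId"], cidr, f"state {r['State']}"))
    return findings


if __name__ == "__main__":
    for rtb, cidr, problem in audit_tgw_routes(TGW_ID, ATTACHMENTS, VPCS, ROUTE_TABLES):
        print(f"{rtb}: route to {cidr}: {problem}")
```

The check is deliberately per route table rather than per VPC, because a VPC with several route tables (as the second VPC in the video has) can be half connected: subnets on one table work while subnets on the other silently drop traffic. It only covers the VPC side of the path; the transit gateway route table, security groups and network ACLs still need their own checks.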