

# Extend VRFs to AWS by using AWS Transit Gateway Connect
<a name="extend-vrfs-to-aws-by-using-aws-transit-gateway-connect"></a>

*Adam Till, Yashar Araghi, Vikas Dewangan, and Mohideen HajaMohideen, Amazon Web Services*

## Summary
<a name="extend-vrfs-to-aws-by-using-aws-transit-gateway-connect-summary"></a>

Virtual routing and forwarding (VRF) is a feature of traditional networks. It uses isolated logical routing domains, in the form of route tables, to separate network traffic within the same physical infrastructure. You can configure AWS Transit Gateway to support VRF isolation when you connect your on-premises network to AWS. This pattern uses a sample architecture to connect on-premises VRFs to different transit gateway route tables.

This pattern uses transit virtual interfaces (VIFs) in AWS Direct Connect and transit gateway Connect attachments to extend the VRFs. A [transit VIF](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html) is used to access one or more Amazon VPC transit gateways that are associated with Direct Connect gateways. A [transit gateway Connect attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html) connects a transit gateway with a third-party virtual appliance that is running in a VPC. A transit gateway Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance, and it supports Border Gateway Protocol (BGP) for dynamic routing.

The approach described in this pattern has the following benefits:
+ Using Transit Gateway Connect, you can advertise up to 1,000 routes to the Transit Gateway Connect peer and receive up to 5,000 routes from it. Using the Direct Connect transit VIF feature without Transit Gateway Connect is limited to 20 prefixes per transit gateway.
+ You can maintain the traffic isolation and use Transit Gateway Connect to provide hosted services on AWS, regardless of the IP address schemas your customers are using.
+ The VRF traffic doesn’t need to traverse a public virtual interface. This makes it easier to adhere to compliance and security requirements in many organizations.
+ Each GRE tunnel supports up to 5 Gbps, and you can have up to four GRE tunnels per transit gateway Connect attachment. This is faster than many other connection types, such as AWS Site-to-Site VPN connections that support up to 1.25 Gbps.

## Prerequisites and limitations
<a name="extend-vrfs-to-aws-by-using-aws-transit-gateway-connect-prereqs"></a>

**Prerequisites**
+ The required AWS accounts have been created (see the architecture for details).
+ Permissions to assume an AWS Identity and Access Management (IAM) role in each account.
+ The IAM roles in each account must have permissions to provision AWS Transit Gateway and AWS Direct Connect resources. For more information, see [Authentication and access control for your transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-authentication-access-control.html) and [Identity and access management for Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/security-iam.html).
+ The Direct Connect connections have successfully been created. For more information, see [Create a connection using the Connection wizard](https://docs.aws.amazon.com/directconnect/latest/UserGuide/dedicated_connection.html#create-connection).

**Limitations**
+ There are limits for transit gateway attachments to the VPCs in the production, QA, and development accounts. For more information, see [Transit gateway attachments to a VPC](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html).
+ There are limits for creating and using Direct Connect gateways. For more information, see [AWS Direct Connect quotas](https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html).

## Architecture
<a name="extend-vrfs-to-aws-by-using-aws-transit-gateway-connect-architecture"></a>

**Target architecture**

The following sample architecture provides a reusable solution to deploy transit VIFs with transit gateway Connect attachments. This architecture provides resilience by using multiple Direct Connect locations. For more information, see [Maximum resiliency](https://docs.aws.amazon.com/directconnect/latest/UserGuide/maximum_resiliency.html) in the Direct Connect documentation. The on-premises network has production, QA, and development VRFs that are extended to AWS and isolated by using dedicated route tables.

![\[Architecture diagram of using AWS Direct Connect and AWS Transit Gateway resources to extend VRFs\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/db17e177-6c94-4d81-ab39-0923ecab2f1b/images/10be0625-8574-40eb-bc00-bb0a07d0dc26.png)


In the AWS environment, two accounts are dedicated to extending the VRFs: a *Direct Connect account* and a *network hub account*. The Direct Connect account contains the connection and the transit VIFs for each router. You create the transit VIFs from the Direct Connect account but deploy them to the network hub account so that you can associate them with the Direct Connect gateway in the network hub account. The network hub account contains the Direct Connect gateway and transit gateway. The AWS resources are connected as follows:

1. Transit VIFs connect the routers in the Direct Connect locations with AWS Direct Connect in the Direct Connect account.

1. A transit VIF connects Direct Connect with the Direct Connect gateway in the network hub account.

1. A [transit gateway association](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html) connects the Direct Connect gateway with the transit gateway in the network hub account.

1. [Transit gateway Connect attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html) connect the transit gateway with the VPCs in the production, QA, and development accounts.

*Transit VIF architecture*

The following diagram shows the configuration details for the transit VIFs. This sample architecture uses a VLAN for the tunnel source, but you could also use a loopback.

![\[Configuration details for the transit VIF connections between the routers and AWS Direct Connect\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/db17e177-6c94-4d81-ab39-0923ecab2f1b/images/e88d2546-61ef-4531-972b-089cdf44ed67.png)


The following are the configuration details, such as autonomous system numbers (ASNs), for the transit VIFs.


| Resource | Item | Detail | 
| --- |--- |--- |
| router-01 | ASN | 65534 | 
| router-02 | ASN | 65534 | 
| router-03 | ASN | 65534 | 
| router-04 | ASN | 65534 | 
| Direct Connect gateway | ASN | 64601 | 
| Transit gateway | ASN | 64600 | 
| Transit gateway | CIDR block | 10.100.254.0/24 | 

*Transit gateway Connect architecture*

The following diagram and tables describe how to configure a single VRF through a transit gateway Connect attachment. For additional VRFs, assign unique tunnel IDs, transit gateway GRE IP addresses, and BGP inside CIDR blocks. The peer GRE IP address matches the router peer IP address from the transit VIF.

![\[Configuration details for the GRE tunnels between the routers and the transit gateway\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/db17e177-6c94-4d81-ab39-0923ecab2f1b/images/e58278e1-f3b4-442d-95d9-1dafab4aa5ac.png)


The following table contains router configuration details.


| Router | Tunnel | IP address | Source | Destination | 
| --- |--- |--- |--- |--- |
| router-01 | Tunnel 1 | 169.254.101.17 | VLAN 60 (169.254.100.1) | 10.100.254.1 | 
| router-02 | Tunnel 11 | 169.254.101.81 | VLAN 61 (169.254.100.5) | 10.100.254.11 | 
| router-03 | Tunnel 21 | 169.254.101.145 | VLAN 62 (169.254.100.9) | 10.100.254.21 | 
| router-04 | Tunnel 31 | 169.254.101.209 | VLAN 63 (169.254.100.13) | 10.100.254.31 | 

The following table contains transit gateway configuration details.


| Tunnel | Transit gateway GRE IP address | Peer GRE IP address | BGP inside CIDR blocks | 
| --- |--- |--- |--- |
| Tunnel 1 | 10.100.254.1 | VLAN 60 (169.254.100.1) | 169.254.101.16/29 | 
| Tunnel 11 | 10.100.254.11 | VLAN 61 (169.254.100.5) | 169.254.101.80/29 | 
| Tunnel 21 | 10.100.254.21 | VLAN 62 (169.254.100.9) | 169.254.101.144/29 | 
| Tunnel 31 | 10.100.254.31 | VLAN 63 (169.254.100.13) | 169.254.101.208/29 | 

**Deployment**

The [Epics](#extend-vrfs-to-aws-by-using-aws-transit-gateway-connect-epics) section describes how to deploy a sample configuration for a single VRF across multiple customer routers. After steps 1–5 are complete, you can create new transit gateway Connect attachments by using steps 6–7 for every new VRF that you’re extending into AWS:

1. Create the transit gateway.

1. Create a Transit Gateway route table for each VRF.

1. Create the transit virtual interfaces.

1. Create the Direct Connect gateway.

1. Create the Direct Connect gateway virtual interface and gateway associations with allowed prefixes.

1. Create the transit gateway Connect attachment.

1. Create the Transit Gateway Connect peers.

1. Associate the transit gateway Connect attachment with the route table.

1. Advertise routes to the routers.
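As an added example (not part of the AWS pattern or its attachment), the following Python checks the Connect peer plan from the transit gateway Connect tables above before step 7 is carried out and derives the BGP addresses inside each /29. It assumes that the router ASN 65534 from the transit VIF table is also the BGP peer ASN over the GRE tunnels, and `tgw-attach-EXAMPLE` is a placeholder attachment ID.

```python
import ipaddress

# Constructed from the pattern's tables (sample values only).
TGW_CIDR = ipaddress.ip_network("10.100.254.0/24")   # transit gateway CIDR block
PEER_ASN = 65534                                      # router ASN from the transit VIF table (assumption)
# Link-local ranges AWS reserves for Connect peer inside CIDRs; confirm against the current TGW docs.
RESERVED = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/28", "169.254.1.0/28", "169.254.2.0/28", "169.254.3.0/28",
    "169.254.4.0/28", "169.254.5.0/28", "169.254.169.248/29")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

PEERS = [  # tunnel, transit gateway GRE IP, peer GRE IP (router VLAN address), BGP inside CIDR
    ("Tunnel 1",  "10.100.254.1",  "169.254.100.1",  "169.254.101.16/29"),
    ("Tunnel 11", "10.100.254.11", "169.254.100.5",  "169.254.101.80/29"),
    ("Tunnel 21", "10.100.254.21", "169.254.100.9",  "169.254.101.144/29"),
    ("Tunnel 31", "10.100.254.31", "169.254.100.13", "169.254.101.208/29"),
]

def bgp_addresses(inside_cidr):
    """First host of the /29 is the router's BGP address; the transit gateway uses the next two."""
    hosts = list(ipaddress.ip_network(inside_cidr).hosts())
    return {"peer": str(hosts[0]), "tgw": [str(hosts[1]), str(hosts[2])]}

def validate_peers(peers):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen_tgw, seen_peer, seen_cidr = [], set(), set(), []
    for tunnel, tgw_ip, peer_ip, cidr in peers:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(tgw_ip) not in TGW_CIDR:
            problems.append(f"{tunnel}: {tgw_ip} is outside the transit gateway CIDR {TGW_CIDR}")
        if net.prefixlen != 29 or not net.subnet_of(LINK_LOCAL):
            problems.append(f"{tunnel}: inside CIDR {cidr} must be a /29 in {LINK_LOCAL}")
        if any(net.overlaps(r) for r in RESERVED):
            problems.append(f"{tunnel}: inside CIDR {cidr} overlaps a reserved range")
        if any(net.overlaps(o) for o in seen_cidr):
            problems.append(f"{tunnel}: inside CIDR {cidr} overlaps another tunnel")
        if tgw_ip in seen_tgw or peer_ip in seen_peer:
            problems.append(f"{tunnel}: GRE addresses must be unique per Connect attachment")
        seen_tgw.add(tgw_ip); seen_peer.add(peer_ip); seen_cidr.append(net)
    return problems

def connect_peer_request(attachment_id, tgw_ip, peer_ip, cidr):
    """Keyword arguments for boto3 ec2.create_transit_gateway_connect_peer (not called here)."""
    return {"TransitGatewayAttachmentId": attachment_id, "TransitGatewayAddress": tgw_ip,
            "PeerAddress": peer_ip, "BgpOptions": {"PeerAsn": PEER_ASN}, "InsideCidrBlocks": [cidr]}

if __name__ == "__main__":
    print(validate_peers(PEERS), bgp_addresses("169.254.101.16/29"))
```

The same checks apply unchanged when you add tunnels for further VRFs, which is where duplicate GRE addresses or overlapping inside CIDRs typically creep in.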

## Tools
<a name="extend-vrfs-to-aws-by-using-aws-transit-gateway-connect-tools"></a>

**AWS services**
+ [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) links your internal network to a Direct Connect location over a standard Ethernet fiber-optic cable. With this connection, you can create virtual interfaces directly to public AWS services while bypassing internet service providers in your network path.
+ [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) is a central hub that connects virtual private clouds (VPCs) and on-premises networks.
+ [Amazon Virtual Private Cloud (Amazon VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

## Epics
<a name="extend-vrfs-to-aws-by-using-aws-transit-gateway-connect-epics"></a>

### Plan the architecture
<a name="plan-the-architecture"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create custom architecture diagrams. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Cloud architect, Network administrator | 

### Create the Transit Gateway resources
<a name="create-the-transit-gateway-resources"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create the transit gateway. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Network administrator, Cloud architect | 
| Create the transit gateway route table. | Follow the instructions in [Create a transit gateway route table](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html#create-tgw-route-table). Note the following for this pattern: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Cloud architect, Network administrator | 

### Create the transit virtual interfaces
<a name="create-the-transit-virtual-interfaces"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create the transit virtual interfaces. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Cloud architect, Network administrator | 

### Create the Direct Connect resources
<a name="create-the-direct-connect-resources"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a Direct Connect gateway. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Cloud architect, Network administrator | 
| Attach the Direct Connect gateway to the transit VIFs. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Cloud architect, Network administrator | 
| Create the Direct Connect gateway associations with allowed prefixes. | In the network hub account, follow the instructions in [To associate a transit gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html#associate-tgw-with-direct-connect-gateway). Note the following for this pattern: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) Creating this association automatically creates a Transit Gateway attachment that has a Direct Connect Gateway resource type. This attachment does not need to be associated with a transit gateway route table. | Cloud architect, Network administrator | 
| Create the transit gateway Connect attachment. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Cloud architect, Network administrator | 
| Create the Transit Gateway Connect peers. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) |  | 

### Advertise routes to the routers
<a name="advertise-routes-to-the-routers"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Advertise the routes. | Associate the new transit gateway Connect attachment with the route table you created previously for this VRF. For example, associate the production transit gateway Connect attachment with the `Production-VRF` route table. Create a static route for the prefix that is advertised to the routers. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.html) | Network administrator, Cloud architect | 

## Related resources
<a name="extend-vrfs-to-aws-by-using-aws-transit-gateway-connect-resources"></a>

**AWS documentation**
+ Direct Connect documentation
  + [Working with Direct Connect gateways](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html)
  + [Transit gateway associations](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html)
  + [AWS Direct Connect virtual interfaces](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html)
+ Transit Gateway documentation
  + [Working with transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/working-with-transit-gateways.html)
  + [Transit gateway attachments to a Direct Connect gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-dcg-attachments.html)
  + [Transit gateway Connect attachments and Transit Gateway Connect peers](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html)
  + [Create a transit gateway Connect attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html#create-tgw-connect-attachment)

**AWS blog posts**
+ [Segmenting hybrid networks with AWS Transit Gateway connect](https://aws.amazon.com/blogs/networking-and-content-delivery/segmenting-hybrid-networks-with-aws-transit-gateway-connect/)
+ [Using AWS Transit Gateway connect to extend VRFs and increase IP prefix advertisement](https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-transit-gateway-connect-to-extend-vrfs-and-increase-ip-prefix-advertisement/)

## Attachments
<a name="attachments-db17e177-6c94-4d81-ab39-0923ecab2f1b"></a>

To access additional content that is associated with this document, unzip the following file: [attachment.zip](samples/p-attach/db17e177-6c94-4d81-ab39-0923ecab2f1b/attachments/attachment.zip)