Introduction
Versa VOS can peer with TGW using the new high-performance "TGW Connect" attachment type that enables AWS customers to connect third-party SD-WAN hubs and network virtual appliances with AWS Transit Gateway.
A Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance and Border Gateway Protocol (BGP) for dynamic routing.
After creating a Connect attachment, one or more GRE tunnels (also referred to as Transit Gateway Connect peers) can be created on the Connect attachment to connect the transit gateway and the Versa VOS appliance.
Each GRE tunnel establishes two BGP sessions with the transit gateway to exchange routing information; the second session exists for redundancy.
A Connect attachment uses an existing VPC or AWS Direct Connect attachment as the underlying transport. In this example, the VOS-VPC attachment is the underlying transport.
Equal-cost multi-path (ECMP) routing across multiple appliances is achieved by advertising the same prefixes to the transit gateway with an identical BGP AS-PATH attribute (AS 64514 from the Versa LAN-VR in this example).
Each GRE tunnel in a TGW Connect attachment supports up to 5 Gbps of throughput, and a Connect attachment can carry up to 4 GRE tunnels (Connect peers).
TGW Connect is available in the regions listed in the AWS Transit Gateway FAQ: https://aws.amazon.com/transit-gateway/faqs/
Pre-requisites:
Create AWS TGW in the region.
Configure the TGW CIDR block (in this example 192.168.0.0/16).
Create VPC attachments to VOS-VPC and any other spoke VPCs necessary.
Create two VOS instances, preferably in a separate VPC (VOS-VPC below).
Place VOS-1 in Availability Zone A and VOS-2 in Availability Zone B, per AWS high-availability best practice.
Add a route in the route table of the respective subnet for the TGW CIDR range (in this case 192.168.0.0/16) with the respective TGW (in this case ACME-TGW) as next hop.
Either the WAN subnet or the LAN subnet route table can carry this route, since TGW Connect runs over the instance's private IPs. In this example, the WAN subnet route table is used.
Any method can be used for instantiation: Versa Director CMS connector, the AWS console, CloudFormation or Terraform.
Bringing up VOS on existing AWS infrastructure is automated when the Versa Director CMS method is used (version 16.X onwards). That procedure is out of scope for this document.
Create the BGP over GRE connection as described below. From GA version 22.1 (release date Q3/Q4 2021) this process is automated.
In earlier versions, service templates/device templates can be used on the Versa side, and the cloud admin configures the TGW Connect peers on AWS.
This document shows the individual steps for bringing the connection up on pre-22.1 versions.
Network Diagram
Configuration
Step 1 : Create AWS TGW and the infra VPC attachments
Log in to the AWS portal → VPC → Transit Gateway → Create
Configure the required values and the TGW CIDR block (in this example 192.168.0.0/16). The transit gateway GRE address used in Step 3a is allocated from this range.
This example creates a TGW called ACME-SGP-TGW with TGW ID tgw-0dbc0672ad2ae2e03.
Attach the required spoke VPCs to the TGW ( out of scope )
Attach the VOS-VPC ( existing infra out of scope ) to the TGW
Step 2 : Add route in VOS VPC GRE originator subnet pointing towards TGW CIDR
In this example, the GRE tunnel outer IP is the private IP of the Versa WAN interface, so the route entry is added to the WAN subnet route table.
BGP is originated from the LAN-VR.
Step 3a : Create the TGW Connect Peer on AWS
Automated in Versa Director release 22.1 GA. The steps below are for reference on older releases.
- Transit Gateway → Attachment → Create → Select type as Connect
Create TGW Connect Peer
Select the TGW Connect attachment → Create Connect Peer
In this example, the VOS-02 configuration is shown:
Transit Gateway GRE address: 192.168.0.123 (from the TGW CIDR block)
Peer GRE address: 10.220.11.176 (the VOS-02 WAN interface private IP)
BGP inside CIDR block: 169.254.11.0/29
Transit Gateway ASN: 64512 (already set when the TGW was created)
Peer ASN: 64514
Peer BGP address: 169.254.11.1 (auto-selected from the inside CIDR)
Transit Gateway BGP 1 address: 169.254.11.2 (auto-selected from the inside CIDR)
Transit Gateway BGP 2 address: 169.254.11.3 (auto-selected from the inside CIDR)
Step 3b : Create Versa side BGP over GRE config
Automated in Versa Director release 22.1 GA. The steps below are for reference on older releases.
All configuration can be parameterized using service templates as required.
Create the GRE interface: Interfaces → Tunnel → Add
Add interface tvi-0/802 under Organization → limits → traffic identification
Add interface tvi-0/802 under Virtual Router → LAN-VR
Optional step: add interface tvi-0/802 to the zones used in NGFW or other policies
Create the BGP configuration on the LAN-VR:
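Steps 3a and 3b carry the same set of addresses on both sides, and AWS rejects several combinations (inside CIDR not a /29 from 169.254.0.0/16, reserved blocks, TGW GRE address outside the TGW CIDR). The script below is an added example, not Versa's or AWS's own code: it checks the VOS-02 values from this document before anything is created, derives the peer and transit gateway BGP addresses the same way AWS does (.1 for the peer, .2 and .3 for the transit gateway), emits the matching `aws ec2 create-transit-gateway-connect-peer` call for Step 3a, and lists what the tunnel interface and LAN-VR BGP need for Step 3b. The Connect attachment ID is a placeholder argument; the reserved inside-CIDR list and the /29 rule follow the AWS Transit Gateway Connect documentation, and the eBGP check (distinct ASNs) reflects this document's 64512/64514 design rather than an AWS requirement.

```python
"""Plan and sanity-check a TGW Connect peer before creating it on AWS.

Added example, not Versa's or AWS's own code. Address values are the VOS-02
values from this document; the attachment ID is a placeholder.
"""
import ipaddress
import shlex

# Inside CIDR blocks that AWS reserves and refuses for Connect peers.
RESERVED_INSIDE_BLOCKS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29",
)]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def _is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def plan_connect_peer(tgw_cidr: str, tgw_gre_addr: str, peer_gre_addr: str,
                      inside_cidr: str, tgw_asn: int, peer_asn: int,
                      connect_attachment_id: str) -> dict:
    """Derive the addresses both sides need plus the AWS CLI call (IPv4 only).

    Raises ValueError for parameter combinations AWS would reject or that
    would leave the tunnel non-functional.
    """
    tgw_net = ipaddress.ip_network(tgw_cidr)
    tgw_gre = ipaddress.ip_address(tgw_gre_addr)
    peer_gre = ipaddress.ip_address(peer_gre_addr)
    inside = ipaddress.ip_network(inside_cidr)

    if tgw_net.prefixlen > 24:
        raise ValueError("transit gateway CIDR block must be /24 or larger")
    # The TGW end of the GRE tunnel is allocated from the TGW CIDR (Step 1).
    if tgw_gre not in tgw_net:
        raise ValueError(f"TGW GRE address {tgw_gre} is outside {tgw_net}")
    # The peer end is the appliance's own VPC address (its WAN private IP
    # here); it must not fall inside the range the subnet route table sends
    # to the transit gateway (Step 2), or the tunnel traffic loops.
    if peer_gre in tgw_net:
        raise ValueError(f"peer GRE address {peer_gre} collides with {tgw_net}")
    if inside.version != 4 or inside.prefixlen != 29 or not inside.subnet_of(LINK_LOCAL):
        raise ValueError("inside CIDR must be an IPv4 /29 from 169.254.0.0/16")
    if any(inside.overlaps(r) for r in RESERVED_INSIDE_BLOCKS):
        raise ValueError(f"inside CIDR {inside} overlaps an AWS-reserved block")
    if not (_is_private_asn(tgw_asn) and _is_private_asn(peer_asn)):
        raise ValueError("both ASNs must be private ASNs")
    # This document's design is eBGP (64512 <-> 64514); equal ASNs would turn
    # the sessions into iBGP, which the rest of the setup does not assume.
    if tgw_asn == peer_asn:
        raise ValueError("peer ASN must differ from the transit gateway ASN")

    # AWS assigns the first usable address of the /29 to the peer and the
    # next two to the transit gateway's two BGP speakers (.1, .2, .3).
    hosts = list(inside.hosts())
    peer_bgp, tgw_bgp1, tgw_bgp2 = (str(h) for h in hosts[:3])

    create_peer = [
        "aws", "ec2", "create-transit-gateway-connect-peer",
        "--transit-gateway-attachment-id", connect_attachment_id,
        "--transit-gateway-address", str(tgw_gre),
        "--peer-address", str(peer_gre),
        "--inside-cidr-blocks", str(inside),
        "--bgp-options", f"PeerAsn={peer_asn}",
    ]
    return {
        # AWS side (Step 3a)
        "aws_cli": shlex.join(create_peer),
        "peer_bgp_address": peer_bgp,
        "tgw_bgp_addresses": [tgw_bgp1, tgw_bgp2],
        # Versa side (Step 3b): tunnel interface and LAN-VR BGP parameters
        "versa_gre_source": str(peer_gre),
        "versa_gre_destination": str(tgw_gre),
        "versa_tunnel_inner_address": f"{peer_bgp}/{inside.prefixlen}",
        "versa_bgp_local_as": peer_asn,
        "versa_bgp_neighbors": [
            {"address": tgw_bgp1, "remote_as": tgw_asn},
            {"address": tgw_bgp2, "remote_as": tgw_asn},
        ],
    }


if __name__ == "__main__":
    import json
    plan = plan_connect_peer("192.168.0.0/16", "192.168.0.123", "10.220.11.176",
                             "169.254.11.0/29", 64512, 64514,
                             "tgw-attach-EXAMPLE")  # placeholder attachment ID
    print(json.dumps(plan, indent=2))
```

Run it once per appliance (VOS-01 with its own WAN private IP and a different inside /29) and feed the `versa_*` values into the service template; the generated CLI line is what the cloud admin runs, or compares against, when creating the Connect peer in Step 3a.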
Verification
Director UI → Monitor → Services → BGP → Neighbour
In this example there are no spoke VPCs; if there were, their CIDRs would be learnt via eBGP.
On AWS UI :
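The AWS-side check above can be scripted from the output of `aws ec2 describe-transit-gateway-connect-peers`, which reports the state of each Connect peer and a `BgpStatus` for each of its two BGP sessions. The following is an added example, not Versa's or AWS's own code: it classifies each peer as healthy, degraded (one of the two redundant sessions down, forwarding still works) or down, and lists the transit gateway BGP addresses whose sessions are not up so they can be matched against the neighbour view in Director. `SAMPLE_DESCRIBE_OUTPUT` is a constructed document in the shape the CLI returns; the resource IDs are placeholders and the VOS-01 values are assumed.

```python
"""Classify the BGP sessions of TGW Connect peers from the AWS side.

Added example, not Versa's or AWS's own code. SAMPLE_DESCRIBE_OUTPUT is a
constructed sample in the shape of `aws ec2 describe-transit-gateway-connect-peers`
output; IDs are placeholders, VOS-02 values come from this document and the
VOS-01 values are assumed.
"""
import json


def _peer(peer_id, tgw_gre, peer_gre, inside, status1, status2):
    """Build one constructed Connect peer record (sample data only)."""
    first = inside.rsplit(".", 1)[0]  # 169.254.11.0/29 -> 169.254.11
    return {
        "TransitGatewayConnectPeerId": peer_id,
        "TransitGatewayAttachmentId": "tgw-attach-EXAMPLE",
        "State": "available",
        "ConnectPeerConfiguration": {
            "TransitGatewayAddress": tgw_gre,
            "PeerAddress": peer_gre,
            "InsideCidrBlocks": [inside],
            "Protocol": "gre",
            "BgpConfigurations": [
                {"TransitGatewayAsn": 64512, "PeerAsn": 64514,
                 "TransitGatewayAddress": f"{first}.2",
                 "PeerAddress": f"{first}.1", "BgpStatus": status1},
                {"TransitGatewayAsn": 64512, "PeerAsn": 64514,
                 "TransitGatewayAddress": f"{first}.3",
                 "PeerAddress": f"{first}.1", "BgpStatus": status2},
            ],
        },
    }


SAMPLE_DESCRIBE_OUTPUT = json.dumps({"TransitGatewayConnectPeers": [
    # VOS-01 (assumed values): both sessions up
    _peer("tgw-connect-peer-EXAMPLE01", "192.168.0.122", "10.220.11.175",
          "169.254.10.0/29", "up", "up"),
    # VOS-02 (values from this document): second session down
    _peer("tgw-connect-peer-EXAMPLE02", "192.168.0.123", "10.220.11.176",
          "169.254.11.0/29", "up", "down"),
]})


def classify_peers(describe_output: str) -> dict:
    """Map each Connect peer ID to 'ok', 'degraded' or 'down'.

    ok       : peer available and every BGP session up (redundancy intact)
    degraded : peer available, at least one session up but not all
    down     : peer not in state 'available', or no BGP session up
    """
    result = {}
    for peer in json.loads(describe_output)["TransitGatewayConnectPeers"]:
        sessions = peer["ConnectPeerConfiguration"]["BgpConfigurations"]
        up = sum(1 for s in sessions if s["BgpStatus"] == "up")
        if peer["State"] != "available" or up == 0:
            verdict = "down"
        elif up < len(sessions):
            verdict = "degraded"
        else:
            verdict = "ok"
        result[peer["TransitGatewayConnectPeerId"]] = verdict
    return result


def down_sessions(describe_output: str) -> list:
    """Return (peer ID, transit gateway BGP address) for each session not up.

    The address is the neighbour to look for on the Versa side under
    Director UI -> Monitor -> Services -> BGP -> Neighbour.
    """
    found = []
    for peer in json.loads(describe_output)["TransitGatewayConnectPeers"]:
        for s in peer["ConnectPeerConfiguration"]["BgpConfigurations"]:
            if s["BgpStatus"] != "up":
                found.append((peer["TransitGatewayConnectPeerId"],
                              s["TransitGatewayAddress"]))
    return found


if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE_OUTPUT with sys.stdin.read() to pipe in real
    # output from: aws ec2 describe-transit-gateway-connect-peers
    print(json.dumps(classify_peers(SAMPLE_DESCRIBE_OUTPUT), indent=2))
    for peer_id, addr in down_sessions(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{peer_id}: session to {addr} is not up")
```

A "degraded" peer still carries traffic, but it has lost the second BGP session the design relies on; treat it as an alert rather than a cosmetic warning, since the next failure takes the tunnel out entirely.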
References
In version 22.1 GA, creating both the Versa-side and the AWS-side BGP over GRE tunnels is automated through the CMS connector:
To add CMS connector :
Administration → Connectors → CMS → Add → Select type as AWS
Validate the CMS connector by selecting the CMS object and clicking "Validate" at the top right
Add the CMS to the relevant org
Create the required BGP over GRE config under Workflow → Templates
Populate Tunnel info and other dynamically discovered data under Workflow → Devices
Clicking Deploy creates the required Connect peers on AWS and the relevant configuration on Versa VOS.