Introduction

  • Versa VOS can peer with AWS Transit Gateway (TGW) using the "TGW Connect" attachment type, which lets AWS customers connect third-party SD-WAN hubs and network virtual appliances to a transit gateway at high throughput.

  • A Connect attachment uses Generic Routing Encapsulation (GRE) tunnels for high-performance transport and Border Gateway Protocol (BGP) for dynamic routing.

  • After creating a Connect attachment, one or more GRE tunnels (also called Transit Gateway Connect peers) can be created on it to connect the transit gateway and the Versa VOS appliance.

  • Each GRE tunnel establishes two BGP sessions to exchange routing information; the second session exists for redundancy.

  • A Connect attachment uses an existing VPC or AWS Direct Connect attachment as the underlying transport. In this example, the VOS-VPC attachment is the transport.

  • Equal-cost multi-path (ECMP) routing across multiple appliances is achieved by advertising the same prefixes to the transit gateway with the same BGP AS-PATH attribute (64514 for the Versa LAN-VR in this example).

  • Each GRE tunnel (Connect peer) supports up to 5 Gbps of throughput, and a Connect attachment can carry up to 4 Connect peers.

  • Regional availability of TGW Connect is listed in the AWS Transit Gateway FAQ: https://aws.amazon.com/transit-gateway/faqs/

Pre-requisites:

  • Create AWS TGW in the region.

    • Configure TGW CIDR ( in this example it is 192.168.0.0/16 )

    • Create VPC attachments to VOS-VPC and any other spoke VPCs necessary.

  • Create two VOS instances (preferably in a separate VPC, such as VOS-VPC below).

    • VOS-1 should be in Availability Zone A and VOS-2 in Availability Zone B, per AWS HA best practice.

    • Add a route in the respective subnet route table for the TGW CIDR range (192.168.0.0/16 in this case) with the respective TGW (ACME-TGW in this case) as next hop.

      • The route table of either the WAN subnet or the LAN subnet can be used, since TGW Connect runs over the instance's private IPs. In this example, the WAN subnet route table is used.

      • The security group and network ACL on that subnet must also allow GRE (IP protocol 47) from the TGW CIDR, since the transit gateway's GRE address is taken from that range; the BGP sessions run inside the tunnel.

    • Any instantiation method can be used: Versa Director CMS connector, the AWS console, CloudFormation, or Terraform.

      • Bringing up VOS on existing AWS infrastructure is automated from Versa Director version 16.X onwards when the CMS method is used. That is out of scope for this document.

  • Create the BGP over GRE connection as described below. In the GA version 22.1 (release date Q3/Q4 2021), this process is automated.

    • In earlier versions, service templates and device templates can be used on the Versa side, and the cloud administrator configures the TGW Connect peers on AWS.

    • This document shows the individual steps for bringing the connection up on pre-22.1 versions.

Network Diagram

Configuration

Step 1 : Create AWS TGW and the infra VPC attachments
  • Log in to the AWS console → VPC → Transit Gateway → Create

  • Configure the required values and the CIDR range (192.168.0.0/24 in this example). The transit gateway GRE address is later picked from this CIDR range.

  • This example creates a TGW called ACME-SGP-TGW with TGW ID tgw-0dbc0672ad2ae2e03.

  • Attach the required spoke VPCs to the TGW (out of scope).

  • Attach the VOS-VPC (existing infrastructure, out of scope) to the TGW.

Step 2 : Add route in VOS VPC GRE originator subnet pointing towards TGW CIDR


In this example, the GRE tunnel outer IP is the private IP of the Versa WAN interface, so the route entry is added to the WAN subnet route table.
BGP originates from the LAN-VR.



Step 3a : Create the TGW Connect Peer on AWS
  • Automated in Versa Director release 22.1 GA; the manual steps below are for reference on older releases.
  • Transit Gateway → Attachment → Create → Select type as Connect


Create TGW Connect Peer
Select the TGW Connect attachment → Create Connect Peer
In this example, the VOS-02 configuration is shown:

  • Transit Gateway GRE address - 192.168.0.123

  • Peer GRE address - 10.220.11.176

  • BGP Inside CIDR blocks - 169.254.11.0/29

  • Transit Gateway ASN - 64512 (set when the TGW was created)

  • Peer ASN - 64514

  • Peer BGP address - 169.254.11.1 (auto-selected from the inside CIDR)

  • Transit Gateway BGP 1 address - 169.254.11.2 (auto-selected from the inside CIDR)

  • Transit Gateway BGP 2 address - 169.254.11.3 (auto-selected from the inside CIDR)
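
The following is an added example (not part of the original page and not Versa or AWS tooling) that applies the AWS constraints on a Connect peer to the Step 3a values: the TGW GRE address must come from the TGW CIDR, the inside CIDR must be a /29 inside 169.254.0.0/16 that avoids the blocks AWS reserves, and the console auto-selects the first usable address as the peer BGP address and the next two as the transit gateway's BGP addresses. It derives those addresses and builds the keyword arguments for boto3's ec2.create_transit_gateway_connect_peer() (and the equivalent AWS CLI command) without calling AWS. The attachment ID tgw-attach-EXAMPLE is a hypothetical placeholder, and the check that the peer GRE address lies outside the TGW CIDR is this example's sanity check for the Step 2 routing, not an AWS requirement.

```python
"""Plan and validate an AWS Transit Gateway Connect peer for a VOS appliance.

Added example, not part of the original page or Versa's tooling. Uses only the
standard library; the boto3 call is shown but not executed.
"""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Link-local /29 blocks that AWS reserves; a Connect peer inside CIDR must avoid them.
RESERVED_INSIDE_BLOCKS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29")]


def derive_bgp_addresses(inside_cidr):
    """Return (peer BGP, TGW BGP 1, TGW BGP 2) for a /29 inside CIDR.

    AWS assigns the first usable address to the appliance and the next two to
    the transit gateway's two redundant BGP speakers.
    """
    inside = ipaddress.ip_network(inside_cidr)
    if inside.prefixlen != 29 or not inside.subnet_of(LINK_LOCAL):
        raise ValueError(f"inside CIDR must be a /29 within {LINK_LOCAL}: {inside}")
    if any(inside.overlaps(r) for r in RESERVED_INSIDE_BLOCKS):
        raise ValueError(f"inside CIDR {inside} overlaps an AWS-reserved block")
    hosts = list(inside.hosts())  # .1 to .6 of the /29
    return str(hosts[0]), str(hosts[1]), str(hosts[2])


def plan_connect_peer(attachment_id, tgw_cidr, tgw_gre_address,
                      peer_gre_address, inside_cidr, peer_asn):
    """Validate the peer parameters; return (boto3 kwargs, derived BGP addresses)."""
    tgw_net = ipaddress.ip_network(tgw_cidr)
    tgw_gre = ipaddress.ip_address(tgw_gre_address)
    peer_gre = ipaddress.ip_address(peer_gre_address)
    if tgw_gre not in tgw_net:
        raise ValueError(f"TGW GRE address {tgw_gre} is outside the TGW CIDR {tgw_net}")
    # Sanity check for this topology (not an AWS rule): the appliance's WAN subnet
    # routes the TGW CIDR to the TGW (Step 2), so the tunnel's outer source address
    # must be a private IP that does not fall inside that range.
    if peer_gre in tgw_net or not peer_gre.is_private:
        raise ValueError(f"peer GRE address {peer_gre} must be a private IP outside {tgw_net}")
    if not 1 <= peer_asn <= 4294967295:
        raise ValueError(f"peer ASN {peer_asn} out of range")
    peer_bgp, tgw_bgp1, tgw_bgp2 = derive_bgp_addresses(inside_cidr)
    kwargs = {
        "TransitGatewayAttachmentId": attachment_id,
        "TransitGatewayAddress": str(tgw_gre),
        "PeerAddress": str(peer_gre),
        "BgpOptions": {"PeerAsn": peer_asn},
        "InsideCidrBlocks": [str(ipaddress.ip_network(inside_cidr))],
    }
    derived = {"peer_bgp": peer_bgp, "tgw_bgp_1": tgw_bgp1, "tgw_bgp_2": tgw_bgp2}
    return kwargs, derived


def to_aws_cli(kwargs):
    """Render the same request as an AWS CLI command for manual use."""
    return (
        "aws ec2 create-transit-gateway-connect-peer"
        f" --transit-gateway-attachment-id {kwargs['TransitGatewayAttachmentId']}"
        f" --transit-gateway-address {kwargs['TransitGatewayAddress']}"
        f" --peer-address {kwargs['PeerAddress']}"
        f" --bgp-options PeerAsn={kwargs['BgpOptions']['PeerAsn']}"
        f" --inside-cidr-blocks {' '.join(kwargs['InsideCidrBlocks'])}"
    )


if __name__ == "__main__":
    # Values from Step 3a (VOS-02); the attachment ID is a hypothetical placeholder.
    kw, derived = plan_connect_peer(
        "tgw-attach-EXAMPLE", "192.168.0.0/24", "192.168.0.123",
        "10.220.11.176", "169.254.11.0/29", 64514)
    print(to_aws_cli(kw))
    print(derived)
    # To create the peer for real, with credentials configured:
    # boto3.client("ec2").create_transit_gateway_connect_peer(**kw)
```

For VOS-01 the same function is run with that appliance's WAN private IP, a different inside /29 and the same peer ASN 64514, which is what makes the two appliances ECMP candidates at the transit gateway. Leaving TransitGatewayAddress out of the kwargs lets AWS pick a GRE address from the TGW CIDR itself.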



Step 3b : Create the Versa-side BGP over GRE config
  • Automated in Versa Director release 22.1 GA; the steps below are for reference on older releases.
  • All configuration can be parameterized with service templates as required.
  • Create the GRE interface: Interfaces → Tunnel → Add


Add interface tvi-0/802 under Organization →  limits → traffic identification


Add interface tvi-0/802 under Virtual Router → LAN-VR

Optional Step: Add interface tvi-0/802 under zones to be used in NGFW or other policies

Create the BGP configuration on the LAN-VR:

Verification


Director UI → Monitor → Services → BGP → Neighbour

In this case there are no spoke VPCs; otherwise the spoke VPC CIDRs would be learnt via eBGP.



On the AWS console:


References

In version 22.1 GA, creating both the Versa-side and the AWS-side BGP over GRE tunnels is automated through the CMS connector:
To add a CMS connector:
Administration → Connectors → CMS → Add → Select type as AWS


Validate the CMS connector by selecting the CMS object and clicking "Validate" at the top right.

Add the CMS to the relevant organization.

Create the required BGP over GRE configuration under Workflow → Templates




Populate the tunnel information and other dynamically discovered data under Workflow → Devices

Clicking Deploy creates the required Connect peers on AWS and the relevant configuration on Versa VOS.