AWS Transit Gateway Connect Plugin
The 128T-aws-transit-gateway-connect plugin provides integration between an SSR and a Transit Gateway. It does so with the use of BGP for sharing routes and GRE tunnels to encapsulate the BGP traffic as well as any other traffic to be sent to the Transit Gateway.
The instructions for installing and managing the plugin can be found here.
The router configuration that is generated is only compatible with SSR versions which have native GRE support (128T >= 5.2.0).
The plugin is designed to operate on an AWS conductor. Installing the plugin in a non-AWS environment can delay config commits by up to 5 seconds. Please refer to the link here on how to identify EC2 Linux instances.
- Transit Gateway - A cloud router which connects VPCs and on-premise networks through a central hub.
- Virtual Private Cloud (VPC) - A logically isolated virtual network in AWS where resources exist.
- Transit Gateway Attachment - How the Transit Gateway attaches to a network.
Transit Gateway Connect Terms:
- Transit Gateway Connect - A logical unit containing the Connect Attachment, Transport Attachment, a Connect VPC, and the SSR.
- Transit Gateway Connect Attachment - A new type of Transit Gateway Attachment which operates on top of an existing Transport Transit Gateway Attachment.
- Transport Transit Gateway Attachment - An attachment on top of which a Connect Attachment is created. Must be either of type VPC or VPN.
- Transit Gateway Connect Peer - A peer that communicates over GRE and with BGP to the Transit Gateway Connect. In our case, this is an SSR.
Configure the following components, in order:
- Transit Gateway
- Transport Transit Gateway Attachment
- Transit Gateway Connect Attachment
- Additionally, the routing tables must be configured to transport the GRE traffic to the Transit Gateway network interface.
The plugin interacts with the AWS APIs to identify an existing "Connect Peer" that applies to the given node. Matching is based on the network interface IP address and the Connect Peer's peer address. If there is no existing Connect Peer, the plugin creates one on behalf of the user. The plugin chooses the first available Transit Gateway Connect Attachment to create the Transit Gateway Connect Peer.
This logic collects the necessary data for the plugin to generate the appropriate BGP and GRE configuration for connection.
Setup Credentials on the Conductor
Use the following steps to configure the Conductor to query and create AWS objects. On each Conductor node:
- Install the AWS CLI if not already installed.
- Configure the AWS CLI using aws configure. Be sure to specify the credentials, and
To determine which nodes/interfaces are to be used to connect to the transit gateway, the plugin configuration data model provides a tagging mechanism on the address, which tells the plugin which interfaces are to be used for peering.
If the router you are tagging is in a different region than the conductor, you must configure the region of the router.
- Because a specific network-interface is tagged, this plugin only supports peering over an interface with a static IP address.
Configuration generation logs can be found on the conductor under /var/log/128technology/persistentDataManager.log. At trace level, this log will show whether the configuration generation was run, as well as its output and return code.
After the configuration is generated, the BGP peering status can be queried on the SSR side using the following commands on the router:
```
show bgp neighbors
show bgp summary
```
On the AWS Portal, under Transit Gateway Attachments > <your connect attachments> > Connect peers, there will be entries for the SSR as a connect peer and its BGP status.
Example Configuration Generation
With the example configuration and the following AWS TGW connect peer:

| Address | Value |
|---|---|
| TGW GRE IP | 10.128.2.201 |
| TGW BGP IP 1 | 169.254.192.26 |
| TGW BGP IP 2 | 169.254.192.27 |
| SSR GRE IP | 10.128.2.25 |
| SSR BGP IP | 169.254.192.25 |
The following config will be generated:
The base device-interface already exists; the gre network-interface is generated under it with the description "Auto-generated host KNI interface for aws-transit-gateway-connect", and the following static routes are added so that the TGW BGP addresses are reached through the GRE tunnel:

```
static-route 169.254.192.26/32 1
    next-hop-interface Node1 gre
static-route 169.254.192.27/32 1
    next-hop-interface Node1 gre
```
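The following added example (not the plugin's own code, nor Juniper's or AWS's) models the two pieces of plugin logic described on this page: matching an existing Connect Peer to a node by its interface IP versus the peer address (creating one on the first available Connect Attachment otherwise), and rendering the per-TGW-BGP-address static routes shown above. The dict shapes are an assumption modelled on what boto3's `describe_transit_gateway_connect_peers` / `describe_transit_gateway_connects` return, the sample data is constructed from the page's example addresses, and the attachment and peer IDs are placeholders; no AWS call is made, so it runs offline.

```python
"""Added example: Connect Peer matching / creation decision and static-route
generation for an SSR node.  Dict shapes assume boto3's EC2 response layout;
sample data is constructed from the page's example and uses placeholder IDs.
"""
import ipaddress

# Constructed sample: one Connect attachment and one existing Connect Peer
# whose PeerAddress is the SSR GRE IP from the page's example.
CONNECT_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLE-connect",  # placeholder
     "State": "available", "Options": {"Protocol": "gre"}},
]

CONNECT_PEERS = [
    {
        "TransitGatewayConnectPeerId": "tgw-connect-peer-EXAMPLE",  # placeholder
        "TransitGatewayAttachmentId": "tgw-attach-EXAMPLE-connect",
        "State": "available",
        "ConnectPeerConfiguration": {
            "TransitGatewayAddress": "10.128.2.201",   # TGW GRE IP
            "PeerAddress": "10.128.2.25",              # SSR GRE IP
            "InsideCidrBlocks": ["169.254.192.24/29"],
            "Protocol": "gre",
            "BgpConfigurations": [
                {"TransitGatewayAsn": 64512, "PeerAsn": 65000,
                 "TransitGatewayAddress": "169.254.192.26",
                 "PeerAddress": "169.254.192.25", "BgpStatus": "up"},
                {"TransitGatewayAsn": 64512, "PeerAsn": 65000,
                 "TransitGatewayAddress": "169.254.192.27",
                 "PeerAddress": "169.254.192.25", "BgpStatus": "up"},
            ],
        },
    },
]


def find_connect_peer(peers, interface_ip):
    """Match an existing Connect Peer whose PeerAddress equals the node's
    interface IP.  Peers being deleted are skipped so a stale object is not
    silently reused for a live tunnel."""
    for peer in peers:
        cfg = peer["ConnectPeerConfiguration"]
        if cfg["PeerAddress"] == interface_ip and peer["State"] in ("pending", "available"):
            return peer
    return None


def pick_connect_attachment(attachments):
    """Mirror the page: the first available Connect Attachment is used."""
    for att in attachments:
        if att["State"] == "available":
            return att["TransitGatewayAttachmentId"]
    raise LookupError("no available Transit Gateway Connect Attachment")


def create_peer_request(attachments, interface_ip, tgw_gre_ip, inside_cidr, peer_asn):
    """Build keyword arguments for ec2.create_transit_gateway_connect_peer
    (boto3 parameter names); the call itself is left to the caller."""
    ipaddress.ip_address(interface_ip)      # reject garbage before any API call
    ipaddress.ip_network(inside_cidr, strict=True)
    return {
        "TransitGatewayAttachmentId": pick_connect_attachment(attachments),
        "TransitGatewayAddress": tgw_gre_ip,
        "PeerAddress": interface_ip,
        "InsideCidrBlocks": [inside_cidr],
        "BgpOptions": {"PeerAsn": peer_asn},
    }


def tgw_bgp_addresses(peer):
    """TGW-side BGP addresses the SSR must reach through the GRE tunnel."""
    bgp = peer["ConnectPeerConfiguration"]["BgpConfigurations"]
    return sorted({b["TransitGatewayAddress"] for b in bgp}, key=ipaddress.ip_address)


def static_route_config(peer, node_name="Node1", interface_name="gre", distance=1):
    """Render one /32 static route per TGW BGP address, pointing at the
    node's GRE network-interface, exactly as the page's example shows."""
    lines = []
    for addr in tgw_bgp_addresses(peer):
        lines.append(f"static-route {addr}/32 {distance}")
        lines.append(f"    next-hop-interface {node_name} {interface_name}")
    return "\n".join(lines)


def plan(peers, attachments, interface_ip, **create_kwargs):
    """Reuse the matching peer (and emit its routes) or return a create request."""
    peer = find_connect_peer(peers, interface_ip)
    if peer is not None:
        return ("reuse", peer["TransitGatewayConnectPeerId"], static_route_config(peer))
    return ("create", create_peer_request(attachments, interface_ip, **create_kwargs), None)


if __name__ == "__main__":
    action, ident, cfg = plan(CONNECT_PEERS, CONNECT_ATTACHMENTS, "10.128.2.25")
    print(action, ident)
    print(cfg)
```

Running the module prints `reuse tgw-connect-peer-EXAMPLE` followed by the two static routes from the page; calling `plan` with an interface IP that matches no peer returns a `create` request bound to the first available attachment, which is the branch to watch in the persistentDataManager.log trace output when a peer unexpectedly gets created instead of reused.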
- PLUGIN-1311 Commit on conductor could take up to 2 minutes to complete with the plugin installed when the conductor is not running inside AWS, even if the plugin was unconfigured.
- PLUGIN-1343 Unnecessary additional steps were needed to set up the AWS CLI to use the TGW Connect APIs.
- PLUGIN-1322 Assets would become stuck in the connected state after uninstalling the plugin.