
aws-samples/aws-hub-and-spoke-with-connect-peer-terraform

AWS Hub and Spoke Architecture with Shared Services and Transit Gateway Connect VPCs - Terraform Sample

This repository contains Terraform code to deploy a sample AWS Hub and Spoke architecture with Shared Services and Transit Gateway Connect VPC, with the following centralized services:

  • Managing EC2 instances using AWS Systems Manager - ssm, ssmmessages and ec2messages VPC Endpoints.
  • Deploy a Cisco CSR1000v into the Transit Gateway Connect VPC
    • Configure the Cisco CSR1000v using a templated user_data bootstrap:
      • Connect to the Transit Gateway Connect Peer using a GRE Tunnel
      • Peer with the Transit Gateway Connect Peer BGP address using BGP
  • Deploy a Cisco CSR1000v into a Remote Spoke VPC
    • Configure IPsec from the Remote Spoke VPC CSR1000v instance to the Connect VPC CSR1000v instance
    • Configure BGP neighbours between the Remote Spoke CSR1000v and the CSR1000v in the Connect VPC over the IPsec tunnel

The resources deployed and the architectural pattern they follow are purely for demonstration/testing purposes.
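The GRE-plus-BGP step above depends on how the Connect peer's inside CIDR is carved up. The following is an added example, not code from this repository: it derives the addresses from this sample's variables (the /29 in connect_peer_cidr_blocks, the transit gateway CIDR block, the two ASNs) and renders a CSR1000v GRE and eBGP stanza in the shape a user_data template would emit. The address roles follow AWS's documented convention for Connect peers (first usable address is the appliance, the next two are the transit gateway BGP addresses); the IOS syntax, interface names and the transit gateway GRE address are assumptions, not the project's actual template.

```python
import ipaddress

# Added example, not the repository's template. AWS requires a Connect peer
# inside CIDR to be a /29 taken from the link-local range.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def connect_peer_addresses(inside_cidr: str) -> dict:
    """Validate the inside CIDR and return the address each side of the peering uses."""
    net = ipaddress.ip_network(inside_cidr)
    if net.prefixlen != 29 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{inside_cidr}: Connect peer inside CIDR must be a /29 within 169.254.0.0/16")
    hosts = list(net.hosts())  # .1 .. .6
    return {
        "peer": str(hosts[0]),      # appliance (CSR) BGP address on the tunnel
        "tgw_bgp1": str(hosts[1]),  # transit gateway BGP address 1
        "tgw_bgp2": str(hosts[2]),  # transit gateway BGP address 2
        "mask": str(net.netmask),
    }


def render_csr_bootstrap(inside_cidr, tgw_cidr, tgw_gre_address, csr_subnet_gateway,
                         local_asn, remote_asn, vpc_cidr, tunnel_id=100) -> str:
    """Render the GRE tunnel and eBGP stanzas for the Connect VPC CSR1000v (assumed IOS syntax)."""
    a = connect_peer_addresses(inside_cidr)
    tgw_net = ipaddress.ip_network(tgw_cidr)
    if ipaddress.ip_address(tgw_gre_address) not in tgw_net:
        raise ValueError("transit gateway GRE address must come from the transit gateway CIDR block")
    vpc = ipaddress.ip_network(vpc_cidr)
    lines = [
        f"interface Tunnel{tunnel_id}",
        f" ip address {a['peer']} {a['mask']}",
        " tunnel source GigabitEthernet1",
        f" tunnel destination {tgw_gre_address}",
        " tunnel mode gre ip",
        "!",
        # the GRE outer packets reach the transit gateway CIDR via the VPC subnet router
        f"ip route {tgw_net.network_address} {tgw_net.netmask} {csr_subnet_gateway}",
        "!",
        f"router bgp {local_asn}",
        " bgp log-neighbor-changes",
    ]
    for nbr in (a["tgw_bgp1"], a["tgw_bgp2"]):
        lines += [f" neighbor {nbr} remote-as {remote_asn}", f" neighbor {nbr} ebgp-multihop 2"]
    lines += [" address-family ipv4", f"  network {vpc.network_address} mask {vpc.netmask}"]
    lines += [f"  neighbor {nbr} activate" for nbr in (a["tgw_bgp1"], a["tgw_bgp2"])]
    lines += [" exit-address-family", "!"]
    return "\n".join(lines)
```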

Prerequisites

  • An AWS account with an IAM user with the appropriate permissions
  • Have a local RSA key (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). If none exists, use 'ssh-keygen' to generate
  • Have an AWS Marketplace subscription for Cisco Cloud Services Router (CSR) 1000v - Transit Network VPC - BYOL software
  • Terraform installed

Code Principles:

  • Writing DRY (Don't Repeat Yourself) code using a modular design pattern

Usage

  • Clone the repository
  • Edit the variables.tf file in the project root directory. This file contains the variables that are used to configure the VPCs to create, and Hybrid DNS configuration needed to work with your environment.
  • To change the configuration about the Security Groups and VPC endpoints to create, edit the locals.tf file in the project root directory
  • Initialize Terraform using terraform init
  • Deploy the template using terraform apply

Terraform Output:

After the 'terraform apply' has completed, the output will provide all the information required to connect to the CSR 1000v as well as the AWS CLI command to query the relevant AWS Transit Gateway Route Table for propagated routes once BGP neighbours have formed between the AWS Transit Gateway and the Cisco CSR1000v.
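Once the route table query returns, the interesting question is whether the prefixes learned from the CSR1000v over the Connect attachment are the ones you expect and nothing more. The following is an added example, not part of this repository: it audits a response in the shape of `aws ec2 search-transit-gateway-routes --filters Name=type,Values=propagated` for the remote spoke prefix from this sample's variables and flags any other BGP-learned route that overlaps a spoke or on-premises range. The response is constructed and the attachment IDs are placeholders.

```python
import ipaddress
import json

# Constructed response (not captured from a real account); attachment IDs are placeholders.
SAMPLE_RESPONSE = json.loads("""{
  "Routes": [
    {"DestinationCidrBlock": "10.11.0.0/16", "State": "active", "Type": "propagated",
     "TransitGatewayAttachments": [{"ResourceType": "vpc", "ResourceId": "vpc-PLACEHOLDER-A",
                                    "TransitGatewayAttachmentId": "tgw-attach-PLACEHOLDER-A"}]},
    {"DestinationCidrBlock": "10.251.0.0/16", "State": "active", "Type": "propagated",
     "TransitGatewayAttachments": [{"ResourceType": "connect", "ResourceId": "tgw-attach-PLACEHOLDER-C",
                                    "TransitGatewayAttachmentId": "tgw-attach-PLACEHOLDER-C"}]},
    {"DestinationCidrBlock": "0.0.0.0/0", "State": "active", "Type": "propagated",
     "TransitGatewayAttachments": [{"ResourceType": "connect", "ResourceId": "tgw-attach-PLACEHOLDER-C",
                                    "TransitGatewayAttachmentId": "tgw-attach-PLACEHOLDER-C"}]}
  ],
  "AdditionalRoutesAvailable": false
}""")


def audit_connect_routes(response, expected_remote_cidrs, protected_cidrs):
    """Report which expected prefixes arrived over the Connect attachment and which other
    BGP-learned prefixes overlap a protected (spoke / on-premises) range."""
    expected = {ipaddress.ip_network(c) for c in expected_remote_cidrs}
    protected = [ipaddress.ip_network(c) for c in protected_cidrs]
    seen, overlapping, unexpected = set(), [], []
    for route in response.get("Routes", []):
        via_connect = any(a.get("ResourceType") == "connect"
                          for a in route.get("TransitGatewayAttachments", []))
        if route.get("Type") != "propagated" or not via_connect:
            continue  # static routes and VPC attachment propagations are not BGP-learned
        prefix = ipaddress.ip_network(route["DestinationCidrBlock"])
        if prefix in expected:
            if route.get("State") == "active":
                seen.add(prefix)
        elif any(prefix.overlaps(p) for p in protected):
            # longest prefix wins in the TGW, so a learned route covering a spoke or
            # on-premises range (or a default route) can attract traffic it should not
            overlapping.append(str(prefix))
        else:
            unexpected.append(str(prefix))
    return {
        "missing": sorted(str(p) for p in expected - seen),
        "overlapping": overlapping,
        "unexpected": unexpected,
        "truncated": bool(response.get("AdditionalRoutesAvailable")),  # query again with more filters
    }
```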


Target Architecture

Architecture diagram


References

Cleanup

Remember to clean up after your work is complete. You can do that by running terraform destroy.

Note that this command will delete all the resources previously created by Terraform.


Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.0 |
| aws | ~> 4.4 |

Providers

| Name | Version |
|------|---------|
| aws | 4.4.0 |
| external | 2.2.0 |
| random | 3.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| compute | ./modules/compute | n/a |
| connect_vpc | ./modules/connect_vpc | n/a |
| iam_kms | ./modules/iam_kms | n/a |
| key_pairs | ./modules/key_pairs | n/a |
| remote_vpc | ./modules/remote_vpc | n/a |
| transit_gateway | ./modules/transit_gateway | n/a |
| vpc | ./modules/vpc | n/a |
| vpc_endpoints | ./modules/vpc_endpoints | n/a |

Resources

| Name | Type |
|------|------|
| aws_eip.csr_public_ip | resource |
| random_password.isakmp_secret | resource |
| external_external.curlip | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| amazon_side_asn | BGP ASN for the TGW. | number | 64512 | no |
| aws_region | AWS Region to create the environment. | string | "eu-west-1" | no |
| connect_peer_cidr_blocks | CIDR blocks for connect peer | list(string) | ["169.254.200.0/29"] | no |
| eips | n/a | map(any) | see below | no |
| on_premises_cidr | On-premises CIDR block. | string | "192.168.0.0/16" | no |
| project_identifier | Project Name, used as identifier when creating resources. | string | "hub-spoke-connect" | no |
| transit_gateway_cidr_block | CIDR blocks for connect peer | string | "192.168.100.0/24" | no |
| tunnel_cidr_block | CIDR blocks for connect peer | string | "169.254.201.0/29" | no |
| vpcs | VPCs to create. | map(any) | see below | no |

Default for eips:

```json
{
  "connect_csr_eip": {
    "tags": {
      "Name": "connect-csr-eip",
      "Type": "ConnectCSR"
    }
  },
  "remote_csr_eip": {
    "tags": {
      "Name": "remote-csr-eip",
      "Type": "RemoteSR"
    }
  }
}
```

Default for vpcs:

```json
{
  "connect-vpc-1": {
    "cidr_block": "10.132.0.0/16",
    "csr_hostname_prefix": "csr",
    "csr_instance_size": "c5.large",
    "instance_count": 1,
    "local_bgp_asn": 64515,
    "number_azs": 2,
    "remote_bgp_asn": 64512,
    "spoke_type": "connect"
  },
  "remote-vpc-1": {
    "cidr_block": "10.251.0.0/16",
    "csr_hostname_prefix": "csr",
    "csr_instance_size": "c5.large",
    "instance_count": 1,
    "local_bgp_asn": 64516,
    "number_azs": 2,
    "remote_bpg_asn": 64515,
    "spoke_type": "remote"
  },
  "spoke-vpc-1": {
    "cidr_block": "10.11.0.0/16",
    "instance_type": "t2.micro",
    "number_azs": 1,
    "spoke_type": "spoke"
  },
  "spoke-vpc-2": {
    "cidr_block": "10.12.0.0/16",
    "instance_type": "t2.micro",
    "number_azs": 1,
    "spoke_type": "spoke"
  }
}
```

Outputs

| Name | Description |
|------|-------------|
| connect_aws_eip_csr_public_ip | Public IP of the AWS EIP Connect CSR instance |
| connect_csr_instance_id | Instance ID of the CSR instance created |
| instances_created | Instances created in each VPC |
| isakmp_secret | ISAKMP secret key |
| remote_aws_eip_csr_public_ip | Public IP of the AWS EIP remote CSR instance |
| tgw_route_table_id | Transit Gateway Route Table ID |
| transit_gateway | Transit Gateway ID |
| vpc_endpoints | DNS name (regional) of the VPC endpoints created. |
| vpcs | List of VPCs created |
| z_output_user_message | Route table search command |

Security

See CONTRIBUTING for more information.


License

This library is licensed under the MIT-0 License. See the LICENSE file.
