Instructions#

Interconnecting VPCs through a transit gateway#

To interconnect two or more VPCs, or specific subnets in those VPCs, you can use transit gateways. The following example shows how to interconnect two VPCs, vpc1 and vpc2, in the same project. If necessary, you can also attach VPCs from other projects (including those of other companies) to the transit gateway by granting them access to the gateway.

The general procedure is as follows:

Create a transit gateway#

  1. Go to the Transit gateways section and open the corresponding subsection.

  2. Click Create.

  3. Leave the Set route table as default option enabled. When it is selected, all new attachments will be associated with the created default route table.

  4. Click Create to create the gateway.

Create attachments#

An attachment must be created in each VPC that you want to connect (see the section on connecting transit gateways).

When creating the first attachment, you can specify subnets in one or more availability zones at will. However, when creating another attachment, you must specify subnets in the same availability zones as for the first one.

Traffic can be exchanged between any subnets in these VPCs, not only those directly attached to the transit gateway — it is only necessary to set routes through the transit gateway in the route tables of these subnets.

Note

Once created, the attachment cannot be associated with other subnets.

  1. Go to the Transit gateways section and open the Attachments subsection.

  2. Click Create.

  3. In the dialog window, set the following parameters:

    • (Optional) The Name tag that identifies the attachment, for example, vpc1.

    • The transit gateway you have created.

    • The VPC you want to connect.

    • The subnets of that VPC to which the transit gateway will be attached.

  4. Click Create to create the attachment.

A similar attachment must be created for the other VPC (vpc2).

Specify routes in the transit gateway route table#

The default route table of a transit gateway is created empty. For each attached VPC, you must specify a route to it through the transit gateway:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. In the resource table, select the route table of the created transit gateway and click on the table ID to go to its page.

  3. Open the Routes tab and click Add.

  4. In the dialog window:

    • In the Network field, specify the network that corresponds to vpc1 (you can specify the CIDR block of any existing subnet from vpc1 if traffic must be forwarded to it).

    • In the Attachment field, select the attachment through which vpc1 is connected.

  5. Click Create.

  6. To set the route to vpc2, repeat steps 3-5.

Specify routes in the VPC route table#

In each VPC, set a route to the transit gateway. Below it is assumed that, in each VPC, all subnets from which traffic must be routed to the other VPC are associated with the main route table of that VPC. If a different route table is associated with some subnets, a route via the transit gateway must also be set in that table; otherwise traffic from those subnets will not reach the other VPC.

  1. Go to the Route Tables section.

  2. In the resource table, select the main route table of vpc1 and click on the table ID to go to its page.

  3. Open the Routes tab and click Add.

  4. In the dialog window:

    • In the Network field, specify a target subnet in vpc2. In this example, it is the same subnet that you specified when creating the route in the transit gateway route table.

    • In the Gateway Type field, select Transit Gateway.

    • In the Gateway field, select the created transit gateway.

  5. Click Add to create the route.

  6. For vpc2, repeat steps 2-4.

Enable required traffic#

For the traffic to flow between instances, enable the appropriate protocol in the security groups assigned to those instances.

As an example, let's say you need to ping instances in different VPCs from each other. Here we assume that the default security group of the respective VPC is assigned to each instance.

  1. Go to the Security Groups section.

  2. In the resource table, find the default security group for vpc1 and click on its ID to go to the group page.

  3. Open the Inbound Rules tab and click Add.

  4. In the dialog window:

    • In the Protocol field, select ICMP.

    • For the Grant access option, select From network.

    • In the Network field, enter the subnet in vpc2 that you specified when adding routes. The instance from vpc2 must run in this subnet.

  5. For vpc2, repeat steps 2-4.

Check that everything works: from the instance in vpc2, ping the instance in vpc1 on its internal IP address, then do the same from the instance in vpc1.
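The checks that the route-table sections and the security-group section describe can be reviewed before the ping test. The following Python script is an added example, not part of this guide or of the provider's tooling: it models the three lookups a packet goes through (the route table associated with the source subnet, the transit gateway route table, and the destination's default security group) and reports where an ICMP exchange would fail. The topology, the attachment names, the gateway id tgw-example and the route-target notation ("local", "tgw:...", "att:...") are all constructed for the example. Security groups are assumed to be stateful, so only the destination's inbound rules are checked, but routing is checked in both directions, which is what exposes a subnet that sits on a route table without a transit gateway route.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Vpc:
    name: str
    subnets: dict        # subnet CIDR -> name of the route table associated with it
    route_tables: dict   # route table name -> {destination CIDR: target}
    inbound_rules: list  # default security group inbound rules: (protocol, source CIDR)


def longest_match(routes, ip):
    """Return the target of the most specific route containing ip, or None."""
    addr, best = ip_address(ip), None
    for cidr, target in routes.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def locate(vpcs, ip):
    """Return (vpc, subnet CIDR) hosting ip, or (None, None) if unknown."""
    for vpc in vpcs.values():
        for subnet in vpc.subnets:
            if ip_address(ip) in ip_network(subnet):
                return vpc, subnet
    return None, None


def one_way_route(vpcs, attachments, tgw_routes, src_ip, dst_ip):
    """Check that a packet src_ip -> dst_ip is forwarded through the transit
    gateway into the destination VPC. Returns (ok, reason)."""
    src_vpc, src_subnet = locate(vpcs, src_ip)
    dst_vpc, _ = locate(vpcs, dst_ip)
    if src_vpc is None or dst_vpc is None:
        return False, "source or destination is not in a known subnet"
    if src_vpc is dst_vpc:
        return True, "same VPC, local route"
    # 1. The route table of the *source subnet*, which need not be the main table.
    table = src_vpc.route_tables[src_vpc.subnets[src_subnet]]
    target = longest_match(table, dst_ip)
    if target is None or not target.startswith("tgw:"):
        return False, (f"{src_vpc.name}: route table of {src_subnet} "
                       f"has no transit gateway route to {dst_ip}")
    # 2. The transit gateway route table must point at the attachment of dst_vpc.
    attachment = longest_match(tgw_routes, dst_ip)
    if attachment is None:
        return False, f"transit gateway has no route to {dst_ip}"
    if attachments[attachment] != dst_vpc.name:
        return False, f"transit gateway route for {dst_ip} points at {attachment}"
    return True, "routed"


def can_ping(vpcs, attachments, tgw_routes, src_ip, dst_ip):
    """Echo request and echo reply must both be routable, and the destination's
    security group must admit ICMP from the source (stateful groups assumed)."""
    ok, why = one_way_route(vpcs, attachments, tgw_routes, src_ip, dst_ip)
    if not ok:
        return False, "request: " + why
    ok, why = one_way_route(vpcs, attachments, tgw_routes, dst_ip, src_ip)
    if not ok:
        return False, "reply: " + why
    dst_vpc, _ = locate(vpcs, dst_ip)
    for proto, source in dst_vpc.inbound_rules:
        if proto == "icmp" and ip_address(src_ip) in ip_network(source):
            return True, "reachable"
    return False, f"{dst_vpc.name}: default security group does not allow ICMP from {src_ip}"


# Constructed sample topology (placeholder ids, not real provider data).
TGW = "tgw:tgw-example"
ATTACHMENTS = {"att:vpc1": "vpc1", "att:vpc2": "vpc2"}
TGW_ROUTES = {"10.1.0.0/16": "att:vpc1", "10.2.0.0/16": "att:vpc2"}
VPCS = {
    "vpc1": Vpc(
        name="vpc1",
        subnets={"10.1.1.0/24": "main", "10.1.2.0/24": "custom"},
        route_tables={
            "main": {"10.1.0.0/16": "local", "10.2.1.0/24": TGW},
            "custom": {"10.1.0.0/16": "local"},  # no transit gateway route here
        },
        inbound_rules=[("icmp", "10.2.1.0/24")],
    ),
    "vpc2": Vpc(
        name="vpc2",
        subnets={"10.2.1.0/24": "main"},
        route_tables={"main": {"10.2.0.0/16": "local", "10.1.0.0/16": TGW}},
        inbound_rules=[("icmp", "10.1.1.0/24")],
    ),
}

if __name__ == "__main__":
    for src, dst in [("10.2.1.10", "10.1.1.10"), ("10.2.1.10", "10.1.2.10")]:
        print(src, "->", dst, can_ping(VPCS, ATTACHMENTS, TGW_ROUTES, src, dst))
```

Running the script shows the first pair as reachable and the second failing on the reply leg, because 10.1.2.0/24 is associated with the custom route table that has no route back through the transit gateway, even though the request arrives and the security group admits it. Narrowing the Network field in the security group rule to the peer subnet, as the guide does, keeps the rule from admitting ICMP from any other network that is later routed through the same gateway.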