AWS Transit Gateway peering

Uses: Kong Gateway

When you host your Data Plane nodes on Dedicated Cloud Gateways in Konnect, you can use AWS Transit Gateway to establish private connectivity between your AWS-hosted services and the Konnect platform. This creates a secure and scalable network path that avoids exposing internal APIs to the public internet.

```mermaid
flowchart LR

A(API or Service)
B(API or Service)
C(API or Service)
D(AWS Transit Gateway attachment)
E(AWS Transit Gateway)
F(AWS Transit Gateway attachment)
G(Konnect #40;fully-managed Data Plane#41;)
H(Konnect #40;fully-managed Data Plane#41;)
I(Konnect #40;fully-managed Data Plane#41;)
J(Internet)

subgraph 1 [User AWS Cloud]
    subgraph 2 [Region]
        subgraph 3 [Virtual Private Cloud #40;VPC#41;]
        A
        B
        C
        end
        A & B & C <--> D
    end
    D<-->E
end

subgraph 4 [Kong AWS Cloud]
    subgraph 5 [Region]
        E<-->F
        F <--private API access--> G & H & I
        subgraph 6 [Virtual Private Cloud #40;VPC#41;]
        G
        H
        I
        end
    end
end

G & H & I <--public API access--> J
```

AWS configuration for Transit Gateway peering

This process includes three main steps:

  1. Create and share the Transit Gateway in AWS:

    1. Navigate to VPC > Transit Gateways in the AWS Console.
    2. Select Create transit gateway, provide a name, and create the gateway.
    3. Save the Transit Gateway ID.
    4. Open the Resource Access Manager, and select Create Resource Share.
    5. Choose Transit Gateways as the resource type and select the newly created gateway.
    6. Name the resource share and retain default managed permission settings.
    7. Enable Allow external accounts, choose AWS Account, and enter the AWS ID from the Konnect UI (Gateway Manager > Networks).
    8. Create the resource share and save the resulting RAM Share ARN.
  2. Accept the Transit Gateway Attachment in AWS:

    1. Go to VPC > Transit Gateway Attachments in the AWS Console.
    2. Locate the incoming attachment request from the Konnect AWS Account ID.
    3. Accept the request to establish the connection.
    4. Important: Make sure a Transit Gateway attachment is set up for each AWS VPC that needs to send or receive traffic.

Konnect configuration for Transit Gateway peering

To finish setup in Konnect:

  1. Go to Gateway Manager, select your Dedicated Cloud Gateway, and click Networks in the sidebar.
  2. Select your network and click Attach Transit Gateway.
  3. Provide the following information:
    • Transit Gateway Name
    • One or more CIDR blocks (must not overlap with your Konnect network)
    • RAM Share ARN
    • Transit Gateway ID
  4. Add the IP addresses of the DNS servers that resolve your private domains, along with the domains you want associated with those servers. Konnect supports the following mappings:

| Mapping Type | Description | Example |
|---|---|---|
| 1-to-1 Mapping | Each domain is mapped to a unique IP address. | example.com → 192.168.1.1 |
| N-to-1 Mapping | Multiple domains share the same IP address. | example.com, example2.com → 192.168.1.1 |
| M-to-N Mapping | Multiple domains are mapped to multiple IPs without strict one-to-one pairing. | example.com, example2.com → 192.168.1.1, 192.168.1.2; example3.com → 192.168.1.1 |

Accept the Transit Gateway attachment in AWS

To accept the Transit Gateway attachment in AWS, do the following:

  1. In the AWS Console, go to VPC > Transit Gateway Attachments.
  2. Wait for an attachment request from the Konnect AWS Account ID.
  3. Accept the request.

Ensure that each AWS VPC requiring traffic forwarding has its own Transit Gateway attachment.

After the attachment is active, create a route in your AWS VPC to forward traffic to the Konnect managed VPC through the Transit Gateway. This ensures proper traffic flow from Konnect to your Services and back.

Configure AWS Transit Gateway and VPC Routing Tables

To properly route traffic between your AWS VPCs and Dedicated Cloud Gateways via AWS Transit Gateway, additional routing steps are required:

  1. From your AWS Console, navigate to VPC > Transit Gateways.
  2. Select your transit gateway, then select Transit Gateway Attachments.
  3. Click Create transit gateway attachment and attach each AWS VPC that needs connectivity to your Kong DCGW.
  4. After attachments are created, navigate to Transit Gateway Route Tables.
  5. If the attachment is associated with (and propagating to) the route table, the VPC CIDRs appear automatically.
  6. If not, select the relevant Transit Gateway route table, then click Create route to add routes to your Kong DCGW VPC CIDR range and AWS VPC CIDR ranges. Ensure these CIDR blocks do not overlap.
  7. Next, navigate to your AWS VPCs, select Route Tables, and update your route tables:
    • Add a new route for the Kong DCGW VPC CIDR with the Target set to your Transit Gateway ID.
    • For example:
      Destination: 192.168.0.0/16 -> Target: tgw-xxxxxxxx
  8. Verify your AWS Security Groups and Network ACLs:
    • Allow necessary inbound/outbound traffic for ports and protocols used by your upstream applications and Kong DCGW.
    • Ensure Network ACLs permit traffic between AWS VPCs and Kong DCGW.
  9. Confirm connectivity by testing communication between your AWS VPC resources and Kong DCGW endpoints with ping, telnet, or traceroute.

Once the transit gateway attachment is successful and you’ve configured routing in your AWS VPC, add a route where the upstream services are running, and configure the route to forward all traffic for the Konnect managed VPC via the transit gateway. This ensures that traffic from the Konnect data plane reaches the service and the response packets are routed back correctly.
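The CIDR blocks you enter in Konnect must not overlap the Konnect network, the VPC CIDRs in the Transit Gateway route table must not overlap each other, and the DNS servers you register must be reachable through the attachment. The following pre-flight check, an added example that is not Kong's code, validates those inputs before you enter them; the Transit Gateway ID, CIDRs and DNS addresses are constructed placeholders, and the rule that a DNS server must sit inside an attached CIDR is an assumption.

```python
"""Pre-flight checks for a Konnect Transit Gateway attachment request."""
import ipaddress
import re

# Constructed sample values; replace with the real ones from your AWS account and the Konnect UI.
KONNECT_NETWORK_CIDR = "192.168.0.0/16"          # Konnect managed VPC (Gateway Manager > Networks)
TGW_ID = "tgw-0123456789abcdef0"                  # placeholder Transit Gateway ID
VPC_CIDRS = ["10.10.0.0/16", "10.20.0.0/16"]      # your AWS VPCs that get their own attachment
DNS_SERVERS = ["10.10.0.2", "10.20.0.2"]          # resolvers for your private domains


def validate_request(konnect_cidr, tgw_id, vpc_cidrs, dns_servers):
    """Return a list of problems; an empty list means the request is consistent."""
    problems = []
    # A Transit Gateway ID looks like tgw-<hex>; anything else is the wrong resource.
    if not re.fullmatch(r"tgw-[0-9a-f]{8,17}", tgw_id):
        problems.append(f"{tgw_id} is not a Transit Gateway ID")
    konnect = ipaddress.ip_network(konnect_cidr)
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    # CIDRs attached to Konnect must not overlap the Konnect network ...
    for n in nets:
        if n.overlaps(konnect):
            problems.append(f"{n} overlaps the Konnect network {konnect}")
    # ... and must not overlap each other, or the Transit Gateway routes become ambiguous.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    # Assumption: Konnect can only reach a DNS server that lives inside an attached CIDR.
    for ip in dns_servers:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            problems.append(f"DNS server {ip} is outside every attached CIDR")
    return problems


if __name__ == "__main__":
    for problem in validate_request(KONNECT_NETWORK_CIDR, TGW_ID, VPC_CIDRS, DNS_SERVERS):
        print("PROBLEM:", problem)
```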
