Create a Transit Gateway with Kong Gateway Operator and AWS

Uses: Kong Gateway Operator
Incompatible with: on-prem
TL;DR

Create a transit gateway in AWS and create a resources share to share the transit gateway with the AWS account linked to your Konnect account. Then, create a KonnectCloudGatewayTransitGateway and accept the transit gateway attachment in AWS.

Prerequisites

This tutorial requires an AWS account with permissions to create transit gateways and resource shares.

For this tutorial, you need the AWS CLI installed and configured:

  1. Install the AWS CLI.

  2. After installing, configure and authenticate with AWS:

     aws configure
    

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'
    
  1. Add the Kong Helm charts:

    helm repo add kong https://charts.konghq.com
    helm repo update
    
  2. Create a kong namespace:

    kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
    
  3. Install Kong Gateway Operator using Helm (the kong/gateway-operator chart, with the Konnect controller enabled):

    helm upgrade --install kgo kong/gateway-operator -n kong-system --create-namespace \
      --set image.tag=1.6.1 \
      --set kubernetes-configuration-crds.enabled=true \
      --set env.ENABLE_CONTROLLER_KONNECT=true
    
Create a KonnectAPIAuthConfiguration resource

Create a KonnectAPIAuthConfiguration resource in the kong namespace that holds your Konnect personal access token. The other Konnect resources in this tutorial reference it by name (konnect-api-auth):

kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
echo '
kind: KonnectAPIAuthConfiguration
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-api-auth
  namespace: kong
spec:
  type: token
  token: "'$KONNECT_TOKEN'"
  serverURL: us.api.konghq.com
' | kubectl apply -f -

To manage Cloud Gateway Networks, you need a Cloud Gateway Provider Account associated with your Konnect account. You can obtain the ID of your provider account using the Cloud Gateways API:

curl -s -H 'Content-Type: application/json' -H "Authorization: Bearer $KONNECT_TOKEN" -XGET https://global.api.konghq.com/v2/cloud-gateways/provider-accounts | jq

Export the value of the id field to your environment:

export CLOUD_GATEWAY_PROVIDER_ID='YOUR PROVIDER ID'

Create the KonnectCloudGatewayNetwork resource:

echo '
kind: KonnectCloudGatewayNetwork
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-network-1
  namespace: kong
spec:
  name: network1
  cloud_gateway_provider_account_id: "'$CLOUD_GATEWAY_PROVIDER_ID'"
  availability_zones:
  - euw1-az1
  - euw1-az2
  - euw1-az3
  cidr_block: 192.168.0.0/16
  region: eu-west-1
  konnect:
    authRef:
      name: konnect-api-auth
' | kubectl apply -f -

It can take some time for the network to finish initializing. Make sure the network is ready before moving on to the next step. You can go to the Konnect Networks page or use the following command to check the network state:

curl -s -H 'Content-Type: application/json' -H "Authorization: Bearer $KONNECT_TOKEN" -XGET https://global.api.konghq.com/v2/cloud-gateways/networks | jq

Create a KonnectGatewayControlPlane resource

Use the following command to create a Control Plane:

echo '
kind: KonnectGatewayControlPlane
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: gateway-control-plane
  namespace: kong
spec:
  name: gateway-control-plane
  konnect:
    authRef:
      name: konnect-api-auth
  cloud_gateway: true
' | kubectl apply -f -

Create a transit gateway in AWS

  1. Use this command to create a transit gateway in AWS:

    aws ec2 create-transit-gateway
    

    Notes:

    • Make sure to create the transit gateway in the same region as the Konnect network provider. You can set the region in the AWS CLI configuration or use the --region flag in each command.
    • If you have issues creating resources with the AWS CLI, try using the environment variables instead of the aws configure command for credentials. Make sure to include AWS_REGION or use the --region flag in every command.

  2. Export the transit gateway ID and ARN to your environment:

    export TRANSIT_GATEWAY_ID='YOUR TRANSIT GATEWAY ID'
    export TRANSIT_GATEWAY_ARN='YOUR TRANSIT GATEWAY ARN'
    

Create a resource share in AWS

Create a resource share to allow the AWS account associated with your Konnect account to access the AWS Transit Gateway.

  1. Fetch the information about the AWS account associated with your Konnect account:

    curl -s -H 'Content-Type: application/json' -H "Authorization: Bearer $KONNECT_TOKEN" -XGET https://global.api.konghq.com/v2/cloud-gateways/provider-accounts | jq
    
  2. Export the value of the provider_account_id field to your environment:

    export CLOUD_AWS_ACCOUNT_ID='KONNECT AWS ACCOUNT ID'
    
  3. Use this command to create a resource share:

    aws ram create-resource-share --name transit-gateway-resource-share --resource-arns $TRANSIT_GATEWAY_ARN --principals $CLOUD_AWS_ACCOUNT_ID
    
  4. Export the resource share ARN to your environment:

    export RESOURCE_SHARE_ARN='YOUR-RESOURCE-SHARE-ARN'
    

Create the KonnectCloudGatewayTransitGateway resource

Create your Transit Gateway in Konnect with the KonnectCloudGatewayTransitGateway resource:

echo '
kind: KonnectCloudGatewayTransitGateway
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-aws-transit-gateway-1
  namespace: kong
spec:
  networkRef:
    type: namespacedRef
    namespacedRef:
      name: konnect-network-1
  type: AWSTransitGateway
  awsTransitGateway:
    name: aws-transit-gateway-1
    cidr_blocks:
    - 10.10.0.0/24
    attachment_config:
      transit_gateway_id: "'$TRANSIT_GATEWAY_ID'"
      ram_share_arn: "'$RESOURCE_SHARE_ARN'"
' | kubectl apply -f -

Accept the transit gateway attachment in AWS

  1. Fetch the list of transit gateway VPC attachments:

    aws ec2 describe-transit-gateway-vpc-attachments
    
  2. Export the relevant attachment ID:

    export ATTACHMENT_ID='YOUR-AWS-TRANSIT-GATEWAY-VPC-ATTACHMENT-ID'
    
  3. Accept the transit gateway attachment:

    aws ec2 accept-transit-gateway-vpc-attachment --transit-gateway-attachment-id $ATTACHMENT_ID
    
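The describe call above can list several attachments, and accepting one attaches a VPC from another account to your transit gateway, so it is worth selecting the attachment programmatically rather than by eye: pick only attachments on your transit gateway that are in state pendingAcceptance and whose VpcOwnerId is the Konnect AWS account you shared the gateway with (the provider_account_id exported as CLOUD_AWS_ACCOUNT_ID). The following Python script is an added example, not part of the original page or of Kong's tooling. It parses a constructed sample shaped like the describe-transit-gateway-vpc-attachments JSON output (the IDs and account numbers are placeholders), returns the attachment IDs that match, and separates any pending attachment from an unexpected account for review instead of acceptance. In practice you would feed it the real output, for example by piping `aws ec2 describe-transit-gateway-vpc-attachments` into it.

```python
import json

# Constructed sample, shaped like the output of
# `aws ec2 describe-transit-gateway-vpc-attachments`. IDs and account
# numbers are placeholders, not real AWS identifiers.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TransitGatewayVpcAttachments": [
        {   # pending attachment from the expected (Konnect) account
            "TransitGatewayAttachmentId": "tgw-attach-0aaa111122223333a",
            "TransitGatewayId": "tgw-0123456789abcdef0",
            "VpcId": "vpc-0a1b2c3d4e5f60001",
            "VpcOwnerId": "111111111111",
            "State": "pendingAcceptance",
        },
        {   # pending attachment from an account we never shared with
            "TransitGatewayAttachmentId": "tgw-attach-0bbb111122223333b",
            "TransitGatewayId": "tgw-0123456789abcdef0",
            "VpcId": "vpc-0a1b2c3d4e5f60002",
            "VpcOwnerId": "999999999999",
            "State": "pendingAcceptance",
        },
        {   # already accepted, nothing to do
            "TransitGatewayAttachmentId": "tgw-attach-0ccc111122223333c",
            "TransitGatewayId": "tgw-0123456789abcdef0",
            "VpcId": "vpc-0a1b2c3d4e5f60003",
            "VpcOwnerId": "222222222222",
            "State": "available",
        },
    ]
})


def pending_attachments(describe_json, transit_gateway_id, expected_owner_id):
    """Split pending attachments on our transit gateway into two lists.

    Returns (accept, review): `accept` holds attachment IDs whose VPC belongs
    to the account the gateway was shared with; `review` holds
    (attachment_id, owner_id) pairs for pending attachments from any other
    account, which should be investigated rather than accepted.
    """
    data = json.loads(describe_json)
    accept, review = [], []
    for att in data.get("TransitGatewayVpcAttachments", []):
        if att.get("TransitGatewayId") != transit_gateway_id:
            continue  # attachment belongs to a different transit gateway
        if att.get("State") != "pendingAcceptance":
            continue  # already accepted, rejected, or being deleted
        attachment_id = att["TransitGatewayAttachmentId"]
        owner = att.get("VpcOwnerId")
        if owner == expected_owner_id:
            accept.append(attachment_id)
        else:
            review.append((attachment_id, owner))
    return accept, review


def accept_commands(attachment_ids):
    """Render the accept command from the page for each selected attachment."""
    return [
        "aws ec2 accept-transit-gateway-vpc-attachment "
        f"--transit-gateway-attachment-id {aid}"
        for aid in attachment_ids
    ]


if __name__ == "__main__":
    # Hypothetical values standing in for $TRANSIT_GATEWAY_ID and $CLOUD_AWS_ACCOUNT_ID.
    ok, suspicious = pending_attachments(
        SAMPLE_DESCRIBE_OUTPUT, "tgw-0123456789abcdef0", "111111111111"
    )
    for cmd in accept_commands(ok):
        print(cmd)
    for aid, owner in suspicious:
        print(f"# not accepting {aid}: VPC owner {owner} is not the Konnect account")
```

Only the attachment from the expected owner is turned into an accept command; the pending attachment from account 999999999999 is reported instead, which is the behaviour you want when a transit gateway has been shared via RAM and you are about to connect someone else's VPC to your network.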

Validation

Verify that the KonnectCloudGatewayTransitGateway resource konnect-aws-transit-gateway-1 was reconciled successfully by checking that its Programmed condition is True:

kubectl get -n kong konnectcloudgatewaytransitgateway konnect-aws-transit-gateway-1 \
  -o=jsonpath='{.status.conditions[?(@.type=="Programmed")]}' | jq

The output should look similar to this:

{
  "observedGeneration": 1,
  "reason": "Programmed",
  "status": "True",
  "type": "Programmed"
}