Deploying Aviatrix User VPN with AWS TGW

This document describes how to deploy the Aviatrix UserVPN solution with an AWS TGW (Transit Gateway). See Overview of AWS Transit Gateway Orchestrator Features for more information about AWS TGWs.

Use AWS Transit Gateway to Access Multiple VPCs in One Region

This reference guide will show how you can use an AWS Transit Gateway (TGW) to allow remote users to connect to multiple VPCs in the same region. Please see the overview images below for reference. In this walkthrough, it is assumed you have created VPCs in your environment. If not, you can create and deploy VPCs directly from Aviatrix CoPilot. See Create a VPC.

vpn_with_tgw_one_region

Creating a TGW

The first step is to create a TGW from Aviatrix CoPilot.

Enable Split Tunnel mode for this gateway.

createTGW

To learn more about Transit Gateway deployment, see Aviatrix AWS Transit Gateway Orchestrator FAQ.

Creating a Security Domain

Now, create three security domains:

  1. Shared Service Domain

  2. Dev Domain

  3. Prod Domain

Building Connection Policies

You have now created Network Domains. The next step is to use connection policies to connect:

  1. The Shared Service Domain to the Dev Domain.

  2. The Shared Service Domain to the Prod Domain.

You can call these domains any name and use as many domains as needed. As seen in the images below, Dev and Prod are simply called Domain 1 and Domain 2.

Attaching VPCs to TGW

The next step is to attach your existing VPCs to the Transit Gateway (TGW) created above. Use the Shared Service Domain for this attachment.

Launching a VPN Gateway

After attaching VPCs to the TGW, create a VPN Gateway so users can access the instances in the VPCs. Use the VPC, Shared Service Domain, and region used above.

A new VPN Gateway will be created in the Shared Service VPC.

Adding Dev and Prod Domains to Split Tunnel Mode

  1. Return to the TGW you created and edit it.

  2. In the Split Tunnel section that appeared when you enabled Split Tunnel mode, In the Additional CIDRs field of the Split Tunnel section, add the IPv4 CIDR ranges for the Dev and Prod VPCs.

  3. Click Save.

Configuring Aviatrix VPN Client

The first step is to add a new VPN User. For the VPC ID, use the Shared Service VPC ID.

  1. Next, download your UserVPN configuration file.

  2. Download the latest Aviatrix VPN Client from the Docs page here:

  3. After installing the client, import your UserVPN configuration file to the Aviatrix VPN Client. Once the client is open, click + and choose your .ovpn file.

  4. After the configuration file is imported, click Connect.

    avtx_VPN_client_setup

You are now connected via the Aviatrix VPN Client. Test that everything has been correctly configured.

1. First, find and save the Private IP address of the EC2 instance running in either Dev or Prod VPCs. These IPs can be found in the AWS Console page under the EC2 banner.

  1. Now, open a terminal on your computer and see if you can ping the EC2 instance using its private IP address. If you are connected to the Aviatrix VPN Client, you should see a response.

  2. To check, disconnect from the Aviatrix VPN Client. You should not see a response.

See below for an example of a proper ping response.

ping_test

Last Steps

One last option for testing connection policies:

  • As a test, remove either the Dev or Prod Domain from the Connected list.

  • Remove Dev from the "Connected" list for the Shared Service Policy and run a Ping test. You should receive no response from the EC2 instance in the Development VPC.