AWS Transit Gateway

Prerequisites

  • An active Harmony SASE Administrator Portal account and network.

  • Make sure you have installed the Harmony SASE Agent on your devices.

  • An administrator account in the Firewall/Router/Cloud Management Portal.

Step 1 - Configurations in the AWS Management Console

Creating the Transit Gateway and Transit Gateway Attachments

  1. Access the AWS Management console and go to the VPC section.

  2. On the left pane, click Transit Gateways.

  3. On the top pane, click Create transit gateway.

    The Create transit gateway attachment page appears.

  4. In the Name tag field, enter a name for the Transit Gateway.

    Keep the default values for the rest of the fields.

  5. Click Create transit gateway.

Creating the Transit Gateway Attachments

You can create an attachment for VPCs, other VPNs, and other Peered Transit Gateways located on another AWS region. All connected attachments can communicate with each other as defined in the Transit Gateway's routes.

A single VPC attachment connects one VPC to the Transit Gateway. You may connect multiple VPC attachments to a single Transit Gateway.

Creating the Transit Gateway VPC Attachments

Note - If you already have a Transit Gateway Attachment to your VPC, skip this procedure and go to Creating the Transit Gateway VPN Attachment.

  1. Access the AWS Management console and go to the VPC section.

  2. On the left pane, click Transit Gateway Attachments.

  3. On the top pane, click Create transit gateway attachment.

    The Create transit gateway attachment page appears.

  4. Enter these:

    1. Name Tag - Name of the Transit Gateway Attachment.

    2. Transit gateway ID - Select the newly created Transit gateway.

    3. Attachment Type - VPC

    4. VPC ID - Select the relevant VPC.

      Keep the default values for the rest of the fields.

  5. Click Create transit gateway attachment.

Note - Repeat the above procedure for each VPC that you want to access.

Creating the Transit Gateway VPN Attachment

  1. Access the AWS Management console and go to the VPC section.

  2. On the left pane, click Transit Gateway Attachments.

  3. On the top pane, click Create transit gateway attachment.

    The Create transit gateway attachment page appears.

  4. Enter these:

    1. Transit gateway ID - Select the newly created Transit gateway.

    2. Attachment Type - VPN

    3. Customer Gateway - New

    4. IP address - IP address of the relevant Gateway in the Harmony SASE Administrator Portal.

    5. BGP ASN - Keep the default value.

    6. Routing Options - Static

      Keep the default values for the rest of the fields.

  5. Click Create transit gateway attachment.

Configuring the Tunnel

  1. Access the AWS Management console and on the left pane, in the Virtual Private Network (VPN) section, click Site-to-Site VPN Connections.

  2. Select the newly created Transit Gateway VPN connection record.

  3. On the top pane, click Download Configuration.

    The Download configuration window appears.

  4. Enter these:

    1. Vendor - Strongswan

    2. Platform - Ubuntu version

    3. Software - Strongswan version

    4. IKE version - IKEv2

  5. Click Download.

Configuring the Routing

  1. Access the AWS Management console and go to the VPC section.

  2. In the Transit Gateways section, select Transit Gateway Route Tables.

  3. Select the relevant Transit Gateway Route Table.

  4. If your routes do not propagate automatically:

    1. At the bottom, click Propagations.

    2. Verify that all of the Transit Gateway Attachments are included.

      Note - If any of the Transit Gateway Attachments is missing a route, click Create propagation and add the missing route.

    3. At the bottom, click Associations.

    4. Verify that all of the Transit Gateway Attachments are included (same as the previous step).

      Note - If any of the Transit Gateway Attachments is missing a route, click Create propagation and add the missing route.

    5. At the bottom, click Routes.

      The Create static route window appears.

    6. In the CIDR field, enter your Harmony SASE subnet. To find your Harmony SASE network subnet:

      1. Go to the Harmony SASE Administrator Portal > Networks page.

      2. In your network, click next to your network.

      3. Click Edit Network.

      4. Copy the Subnet value.

    7. Select Type as Active.

    8. From the Choose attachment list, select the VPN attachment.

    9. Click Create static route.

  5. In the left pane, in the Virtual Private Cloud section, click Route Tables.

  6. Select the Route Table for one of the attached VPCs.

  7. At the bottom, click Routes.

  8. Click Edit Routes.

    The Edit routes window appears.

  9. Click Add route.

  10. Enter these:

    1. Destination - Your Harmony SASE subnet. To find your Harmony SASE network subnet, see step 4f above.

    2. Target - Select Transit Gateway and pick the relevant Transit Gateway.

  11. Click Save changes.

Step 2 - Creating the Tunnel in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.

  3. In the required gateway, click > Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Click Single Tunnel and click Continue.

    The IPSec Site-2-Site Tunnel window appears.

  6. To automatically populate the tunnel configuration values, in the General Settings section, click Upload File and upload the configuration file downloaded from the AWS Management console.

  7. For manual configuration, open the configuration file you downloaded and copy and paste these attributes:

    1. Shared Secret - Paste the value marked in yellow. Omit the quotation marks.

    2. Public IP & Remote ID - Paste the IP address marked in red. This is your AWS external IP address.

    3. Perimeter 81 Gateway Proposal Subnets - 0.0.0.0/0.

    4. Remote Gateway Proposal Subnets - 0.0.0.0/0.
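The step 7 values can also be pulled out of the downloaded file programmatically rather than by colour. The following Python is an added example, not code from the Harmony SASE or AWS documentation: it parses a constructed sample in the shape of the strongSwan files AWS generates for the Strongswan vendor option (an ipsec.conf conn stanza and an ipsec.secrets PSK line) and returns the AWS outside IP together with the shared secret, quotation marks already stripped. The file contents, the addresses and the secret are constructed, and the connection name Tunnel1 is an assumption.

```python
"""Extract the Shared Secret and remote IP from a downloaded strongSwan config.

Added example; the sample below is constructed to resemble the ipsec.conf
and ipsec.secrets files AWS generates for the strongSwan vendor option.
"""
import ipaddress
import re

# Constructed ipsec.conf stanza. 203.0.113.10 stands in for the Harmony SASE
# gateway (left) and 198.51.100.20 for the AWS outside address (right).
SAMPLE_IPSEC_CONF = """\
# Sample generated config (constructed)
conn Tunnel1
    auth=psk
    left=%defaultroute
    leftid=203.0.113.10
    right=198.51.100.20
    type=tunnel
    ikelifetime=8h
    keylife=1h
    keyexchange=ikev2
    auto=start
"""

# Constructed ipsec.secrets line: <left id> <right id> : PSK "<secret>"
SAMPLE_IPSEC_SECRETS = '203.0.113.10 198.51.100.20 : PSK "ExamplePreSharedKey1234"\n'


def parse_conn_stanzas(text):
    """Return {conn_name: {key: value}} for every 'conn' stanza in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        match = re.match(r"^conn\s+(\S+)\s*$", line)
        if match:
            current = conns.setdefault(match.group(1), {})
            continue
        if current is not None and line[0].isspace() and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def parse_psk_lines(text):
    """Return [(left_id, right_id, secret)] from ipsec.secrets-style lines.

    The secret is returned without the surrounding quotation marks, which is
    the form the Shared Secret field expects.
    """
    pattern = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"?([^"\s]+)"?\s*$')
    return [m.groups() for m in map(pattern.match, text.splitlines()) if m]


def tunnel_values(conf_text, secrets_text, conn="Tunnel1"):
    """Pair the AWS outside IP ('right=') of a conn with its shared secret."""
    conns = parse_conn_stanzas(conf_text)
    if conn not in conns:
        raise KeyError(f"no 'conn {conn}' stanza in the configuration file")
    remote = conns[conn].get("right", "")
    ipaddress.ip_address(remote)  # raises ValueError if it is not a literal IP
    for left_id, right_id, secret in parse_psk_lines(secrets_text):
        if remote in (left_id, right_id):
            return {"remote_ip": remote, "remote_id": remote, "shared_secret": secret}
    raise ValueError(f"no PSK line mentions {remote}")


if __name__ == "__main__":
    for key, value in tunnel_values(SAMPLE_IPSEC_CONF, SAMPLE_IPSEC_SECRETS).items():
        print(f"{key}: {value}")
```

Run it against the real files by reading ipsec.conf and ipsec.secrets from the downloaded archive and passing their text to tunnel_values; a config with two conn stanzas (a redundant pair) is handled by calling it once per connection name.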

  8. In the Advanced Settings section, enter the information for your tunnel type:

    Column key: IKE = IKE Version; IKE LT = IKE Lifetime; Tun LT = Tunnel Lifetime; DPD D = Dead Peer Detection Delay; DPD T = Dead Peer Detection Timeout; Enc P1 / Enc P2 = Encryption (Phase 1 / Phase 2); Int P1 / Int P2 = Integrity (Phase 1 / Phase 2); DH P1 / DH P2 = Diffie Hellman Groups (Phase 1 / Phase 2).

    Cloud Vendor / Tunnel type                         IKE  IKE LT  Tun LT  DPD D  DPD T  Enc P1  Enc P2  Int P1  Int P2  DH P1  DH P2

    Amazon AWS
      Single Tunnel - AWS Virtual Gateway              V2   8h      1h      10s    30s    aes256  aes256  sha512  sha512  21     21
      Single Tunnel - AWS Transit Gateway              V2   8h      1h      10s    30s    aes256  aes256  sha512  sha512  21     21
      Redundant Tunnels - AWS Virtual Private Gateway  V2   8h      1h      10s    30s    aes256  aes256  sha512  sha512  21     21
      Redundant Tunnels - AWS Transit Gateway          V2   8h      1h      10s    30s    aes256  aes256  sha512  sha512  21     21

    Google Cloud Platform
      Single Tunnel (1)                                V2   8h      1h      10s    30s    aes256  aes256  sha512  sha512  21     21
      Redundant Tunnels                                V2   8h      1h      10s    30s    aes256  aes256  sha512  sha512  21     21

    Microsoft Azure
      Single Tunnel - Azure Virtual Network Gateway    V2   3600s   27000s  10s    45s    aes256  aes256  sha1    sha1    2      2
      Redundant Tunnels - Virtual Network Gateway      V2   9h      9h      10s    30s    aes256  aes256  sha1    sha1    2      2
      Redundant Tunnels - Virtual WAN                  V2   8h      1h      10s    30s    aes256  aes256  sha256  sha256  14     14

    Other tunnel types
      Alibaba Cloud                                    V1   8h      1h      10s    30s    aes256  aes256  sha1    sha1    2      2
      IBM Cloud                                        V1   8h      1h      10s    30s    aes256  aes256  sha256  sha256  21     21

    (1) Suggested values. For other supported ciphers, see this Google article.
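Because the downloaded file is in strongSwan format, it helps to see how a row of the table maps onto strongSwan's ipsec.conf keywords when comparing the portal values with what AWS generated. The following Python is an added example, not code from Harmony SASE or strongSwan: it converts the lifetimes to seconds, builds the ike= and esp= proposal strings (DH group 21 is ecp521, 14 is modp2048 and 2 is modp1024 in strongSwan's naming), and flags SHA-1 and DH group 2 (1024-bit MODP), which appear in the Azure Virtual Network Gateway and Alibaba Cloud rows and are widely regarded as too weak for new deployments, so you can confirm the peer really requires them. The two row dictionaries copy values from the table; their key names are this example's own.

```python
"""Render a row of the Advanced Settings table as strongSwan ipsec.conf keywords.

Added example; the row dictionaries below copy values from the table above,
and the weak-parameter check is an added defender's sanity check.
"""
import re

# strongSwan proposal names for the Diffie-Hellman group numbers in the table.
DH_GROUPS = {2: "modp1024", 14: "modp2048", 21: "ecp521"}

# DH group 2 (1024-bit MODP) and SHA-1 are widely regarded as too weak for
# new deployments; flag them so the operator confirms the peer requires them.
WEAK = {"modp1024", "sha1"}

# Table rows (values as listed above; the key names are this example's own).
AWS_TRANSIT_GATEWAY_SINGLE = {
    "ike_version": "V2", "ike_lifetime": "8h", "tunnel_lifetime": "1h",
    "dpd_delay": "10s", "dpd_timeout": "30s",
    "enc_p1": "aes256", "enc_p2": "aes256",
    "int_p1": "sha512", "int_p2": "sha512", "dh_p1": 21, "dh_p2": 21,
}
AZURE_VNG_SINGLE = {
    "ike_version": "V2", "ike_lifetime": "3600s", "tunnel_lifetime": "27000s",
    "dpd_delay": "10s", "dpd_timeout": "45s",
    "enc_p1": "aes256", "enc_p2": "aes256",
    "int_p1": "sha1", "int_p2": "sha1", "dh_p1": 2, "dh_p2": 2,
}


def lifetime_seconds(value):
    """Convert '8h', '1h', '3600s' or '10s' to an integer number of seconds."""
    match = re.fullmatch(r"(\d+)\s*([hms])", value.strip())
    if not match:
        raise ValueError(f"unsupported lifetime format: {value!r}")
    return int(match.group(1)) * {"h": 3600, "m": 60, "s": 1}[match.group(2)]


def proposal(encryption, integrity, dh_group):
    """Build a strongSwan proposal string such as 'aes256-sha512-ecp521'."""
    return f"{encryption}-{integrity}-{DH_GROUPS[dh_group]}"


def strongswan_settings(row):
    """Map the table's columns onto ipsec.conf keywords (legacy stroke format)."""
    return {
        "keyexchange": "ikev2" if row["ike_version"].upper() == "V2" else "ikev1",
        "ike": proposal(row["enc_p1"], row["int_p1"], row["dh_p1"]),
        "esp": proposal(row["enc_p2"], row["int_p2"], row["dh_p2"]),  # Phase 2 group = PFS
        "ikelifetime": f"{lifetime_seconds(row['ike_lifetime'])}s",
        "lifetime": f"{lifetime_seconds(row['tunnel_lifetime'])}s",
        "dpddelay": f"{lifetime_seconds(row['dpd_delay'])}s",
        "dpdtimeout": f"{lifetime_seconds(row['dpd_timeout'])}s",
    }


def weak_parameters(settings):
    """Return the weak algorithms present in the ike/esp proposals, if any."""
    found = set()
    for key in ("ike", "esp"):
        found.update(p for p in settings[key].split("-") if p in WEAK)
    return sorted(found)


def render(settings):
    """Render the settings as indented ipsec.conf lines."""
    return "\n".join(f"    {key}={value}" for key, value in settings.items())


if __name__ == "__main__":
    for name, row in (("AWS Transit Gateway", AWS_TRANSIT_GATEWAY_SINGLE),
                      ("Azure Virtual Network Gateway", AZURE_VNG_SINGLE)):
        settings = strongswan_settings(row)
        print(f"# {name}\n{render(settings)}")
        if weak_parameters(settings):
            print(f"# WARNING: weak parameters {weak_parameters(settings)}")
```

The rendered lines are meant for side-by-side comparison with the conn stanza in the downloaded file, not for pasting into it unchanged: the AWS-generated file carries its own proposals, and the portal negotiates from the values you enter in the Advanced Settings section.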

  9. Click Add Tunnel.