How to configure Transit Gateway
This guide walks you through connecting your Konnect-managed Dedicated Cloud Gateways to AWS Transit Gateway, providing a secure and private channel for your API traffic.
How do Transit Gateways work?
Diagram: in the User AWS Cloud, a region contains a Virtual Private Cloud (VPC) with several APIs or services; these connect to an AWS Transit Gateway attachment and through it to the AWS Transit Gateway. In the Kong AWS Cloud, a second Transit Gateway attachment in the same region provides private API access to the Konnect fully-managed data planes in Kong's VPC. Those data planes in turn provide public API access to the Internet.
Figure 3: In this diagram, the User AWS Cloud is the account in which you run your microservices, APIs, or applications. You connect that infrastructure securely to Konnect through an AWS Transit Gateway. On the Kong side, the Kong AWS Cloud is the account running your Dedicated Cloud Gateways; it ingests the traffic arriving over the Transit Gateway and securely exposes it to the internet.
To establish private connectivity between the Konnect network and your account or VPC, you share your Transit Gateway with Konnect through AWS Resource Access Manager (RAM), so that traffic is allowed across the shared resource.
Prerequisites
- A Konnect control plane
- An AWS account with administrative privileges to create resources and manage peering
- The AWS account ID that Konnect uses for your network. You can find this in Konnect by selecting the desired network from Gateway Manager > Networks.
Configure AWS Transit Gateway
- While logged in to AWS, select the same region as your cloud gateways network.
- Select VPC > Transit Gateways, then click Create Transit Gateway.
- Name the transit gateway and then click Create Transit Gateway.
This displays a Transit Gateway ID; save it, as you will need it when configuring Konnect.
Configure AWS resources access
- Navigate to the Resource Access Manager, then click Create Resource Share.
- Select Transit Gateways as the resource type, and check the box for the transit gateway that you created in the previous section.
- Give the Resource Share a name.
- Click Next and leave the default managed permission settings as they are.
- On the next screen, select Allow external accounts and then choose AWS Account. Paste the AWS account ID you copied from Konnect.
- Click Add, and review your settings before clicking Create.
After creating the resource share, copy the RAM Share ARN. You will need this to finish the configuration in Konnect.
Configure Konnect
- From Konnect, navigate to the Gateway Manager.
- Within the Networks tab, select the desired network, then select Attach Transit Gateway.
- In the form that appears, enter a Transit Gateway Name.
- Add one or more CIDR blocks that will be forwarded to your AWS Transit Gateway. Ensure these do not overlap with the CIDR of your cloud gateways network.
- Paste the RAM Share ARN and the Transit Gateway ID you saved earlier into the matching fields.
- For DNS configuration, add the IP addresses of the DNS servers that resolve your private domains, along with the domains you want associated with those servers. Konnect supports the following mappings:
  - 1-1 Mapping: each domain is mapped to a unique IP address. For example: example.com -> 192.168.1.1
  - N-1 Mapping: multiple domains are mapped to a single IP address. For example: example.com, example2.com -> 192.168.1.1
  - M-N Mapping: multiple domains are mapped to multiple IP addresses, not necessarily in a one-to-one relationship. For example: example.com, example2.com -> 192.168.1.1, 192.168.1.2 and example3.com -> 192.168.1.1
- Save.
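The CIDR and DNS constraints in the form above are easy to get wrong, and a mistake only surfaces after the attachment exists. The following script, added here as an example and not part of Konnect's tooling, runs those checks locally before you click Save: forwarded CIDRs must be valid, must not overlap the cloud gateways network CIDR and must not overlap each other, and every DNS mapping row must pair well-formed domains with valid DNS server IPs. It generalizes the three mapping shapes to any number of rows. The network CIDR 10.10.0.0/16 and all sample values are constructed assumptions, not Konnect defaults.

```python
"""Pre-flight checks for a Konnect transit gateway attachment request.

Added example, not Konnect's own code. The 10.10.0.0/16 network CIDR and the
sample mappings are constructed; substitute the values from your own network.
"""
import ipaddress
import re

# RFC 1123-style hostname label: 1-63 chars, letters/digits/hyphens, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name):
    """True for a dotted domain such as example.com (at least two labels, <= 253 chars)."""
    name = name.rstrip(".")
    labels = name.split(".")
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def check_cidrs(network_cidr, forwarded_cidrs):
    """Return problems with the CIDR blocks to be forwarded to the AWS transit gateway.

    network_cidr is the Konnect cloud gateways network CIDR, which nothing may overlap.
    strict=True rejects blocks with host bits set (10.0.0.1/24), a common form typo.
    """
    try:
        network = ipaddress.ip_network(network_cidr, strict=True)
    except ValueError as exc:
        return [f"network CIDR {network_cidr!r} is invalid: {exc}"]
    problems, parsed = [], []
    for cidr in forwarded_cidrs:
        try:
            block = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"forwarded CIDR {cidr!r} is invalid: {exc}")
            continue
        if block.version != network.version:
            problems.append(f"forwarded CIDR {cidr} is IPv{block.version} but the network is IPv{network.version}")
        elif block.overlaps(network):
            problems.append(f"forwarded CIDR {cidr} overlaps the network CIDR {network_cidr}")
        for other in parsed:
            if block.version == other.version and block.overlaps(other):
                problems.append(f"forwarded CIDRs {cidr} and {other} overlap each other")
        parsed.append(block)
    return problems


def check_dns_mappings(mappings):
    """mappings: list of (domains, ips) rows covering the 1-1, N-1 and M-N shapes.

    Each row needs at least one domain and one IP; domains must be well-formed and
    IPs must be single addresses (a CIDR or a hostname is rejected).
    """
    problems = []
    for row, (domains, ips) in enumerate(mappings, start=1):
        if not domains or not ips:
            problems.append(f"row {row}: needs at least one domain and one DNS server IP")
        for domain in domains:
            if not is_valid_domain(domain):
                problems.append(f"row {row}: {domain!r} is not a valid domain")
        for ip in ips:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"row {row}: {ip!r} is not a valid IP address")
    return problems


def validate_attachment(network_cidr, forwarded_cidrs, dns_mappings):
    """All problems for one attachment request; an empty list means it is safe to save."""
    return check_cidrs(network_cidr, forwarded_cidrs) + check_dns_mappings(dns_mappings)


if __name__ == "__main__":
    # Constructed sample mirroring the mapping examples in the guide.
    dns = [
        (["example.com"], ["192.168.1.1"]),                                 # 1-1
        (["example.com", "example2.com"], ["192.168.1.1"]),                 # N-1
        (["example.com", "example2.com"], ["192.168.1.1", "192.168.1.2"]),  # M-N
        (["example3.com"], ["192.168.1.1"]),
    ]
    # 10.10.5.0/24 is inside the (assumed) network CIDR and is reported as a problem.
    for issue in validate_attachment("10.10.0.0/16", ["192.168.0.0/16", "10.10.5.0/24"], dns):
        print("problem:", issue)
```

Run it with your own network CIDR, the blocks you intend to forward and the DNS rows you intend to enter; an empty result means the form values satisfy the constraints described above.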
Accept Transit Gateway attachment request
- From the AWS Console, go to VPC > Transit Gateway Attachments.
- Wait for an attachment request from the AWS account ID you entered in Konnect.
- Accept the attachment to complete the setup.
Once the transit gateway attachment is accepted, add a route in the route table of the subnets where your upstream services run, and configure it to forward all traffic destined for the Konnect-managed VPC (the CIDR of your cloud gateways network) via the transit gateway. This ensures that traffic from the Konnect data plane reaches the service and that the response packets are routed back correctly.
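For teams that script their AWS side, the following puts the four AWS steps of this guide (create the transit gateway, share it through RAM with the Konnect account, accept the attachment request, add the return route) into boto3 client calls. This is an added example, not Kong's or AWS's own code. The account IDs 111122223333 and 444455556666, the route table ID rtb-placeholder, every resource ID in the canned responses and the 10.10.0.0/16 network CIDR are constructed placeholders, and DryRunClient is a constructed stand-in for a boto3 client so the flow runs without credentials. The acceptance step checks each pending attachment's owner against the Konnect account ID before accepting it, rather than accepting whatever happens to be pending on the gateway.

```python
"""Scripted version of the AWS-side steps for a Konnect transit gateway link.

Added example, not Kong's or AWS's code. Each function takes the boto3 client
as a parameter, so it runs against real clients (boto3.client("ec2"),
boto3.client("ram")) or against the constructed DryRunClient below.
All IDs, ARNs and CIDRs in this file are placeholders.
"""
PENDING = "pendingAcceptance"


def create_transit_gateway(ec2, name):
    """'Configure AWS Transit Gateway': create the TGW and return (id, arn)."""
    resp = ec2.create_transit_gateway(
        Description=f"{name}: Konnect Dedicated Cloud Gateway link",
        TagSpecifications=[{"ResourceType": "transit-gateway",
                            "Tags": [{"Key": "Name", "Value": name}]}],
    )
    tgw = resp["TransitGateway"]
    return tgw["TransitGatewayId"], tgw["TransitGatewayArn"]


def share_with_konnect(ram, tgw_arn, share_name, konnect_account_id):
    """'Configure AWS resources access': share only this TGW, only with the Konnect
    account. allowExternalPrincipals=True is the console's 'Allow external accounts'."""
    resp = ram.create_resource_share(
        name=share_name, resourceArns=[tgw_arn],
        principals=[konnect_account_id], allowExternalPrincipals=True,
    )
    return resp["resourceShare"]["resourceShareArn"]


def accept_konnect_attachments(ec2, tgw_id, konnect_account_id):
    """'Accept Transit Gateway attachment request': accept a pending VPC attachment
    only when its owner is the Konnect account; anything else is reported, not accepted."""
    resp = ec2.describe_transit_gateway_attachments(Filters=[
        {"Name": "transit-gateway-id", "Values": [tgw_id]},
        {"Name": "state", "Values": [PENDING]},
    ])
    accepted, skipped = [], []
    for att in resp.get("TransitGatewayAttachments", []):
        att_id = att["TransitGatewayAttachmentId"]
        if att["ResourceType"] == "vpc" and att["ResourceOwnerId"] == konnect_account_id:
            ec2.accept_transit_gateway_vpc_attachment(TransitGatewayAttachmentId=att_id)
            accepted.append(att_id)
        else:
            skipped.append((att_id, att["ResourceOwnerId"]))
    return accepted, skipped


def route_konnect_network(ec2, route_table_id, konnect_network_cidr, tgw_id):
    """Final step: in the route table of the subnets running the upstream services,
    send the Konnect-managed VPC CIDR to the TGW so replies return over the same path."""
    ec2.create_route(RouteTableId=route_table_id,
                     DestinationCidrBlock=konnect_network_cidr,
                     TransitGatewayId=tgw_id)
    return {"route_table": route_table_id, "cidr": konnect_network_cidr, "target": tgw_id}


class DryRunClient:
    """Constructed stand-in for a boto3 client: records calls, returns canned responses."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return self.responses.get(method, {})
        return call


def dry_run_clients(konnect_account_id):
    """Fake ec2/ram clients: one pending request from Konnect, one from an unknown account."""
    tgw_id = "tgw-0123456789abcdef0"  # placeholder
    ec2 = DryRunClient({
        "create_transit_gateway": {"TransitGateway": {
            "TransitGatewayId": tgw_id,
            "TransitGatewayArn": f"arn:aws:ec2:us-east-1:111122223333:transit-gateway/{tgw_id}"}},
        "describe_transit_gateway_attachments": {"TransitGatewayAttachments": [
            {"TransitGatewayAttachmentId": "tgw-attach-konnect", "ResourceType": "vpc",
             "ResourceOwnerId": konnect_account_id, "State": PENDING},
            {"TransitGatewayAttachmentId": "tgw-attach-unknown", "ResourceType": "vpc",
             "ResourceOwnerId": "999999999999", "State": PENDING}]},
    })
    ram = DryRunClient({"create_resource_share": {"resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-east-1:111122223333:resource-share/placeholder"}}})
    return ec2, ram


if __name__ == "__main__":
    konnect = "444455556666"  # placeholder: the AWS account ID shown in Konnect for your network
    ec2, ram = dry_run_clients(konnect)  # swap for boto3.client("ec2"), boto3.client("ram")
    tgw_id, tgw_arn = create_transit_gateway(ec2, "konnect-tgw")
    print("paste into Konnect:", tgw_id, share_with_konnect(ram, tgw_arn, "konnect-tgw-share", konnect))
    # After Konnect has sent its attachment request:
    accepted, skipped = accept_konnect_attachments(ec2, tgw_id, konnect)
    print("accepted:", accepted, "left pending:", skipped)
    if accepted:
        print(route_konnect_network(ec2, "rtb-placeholder", "10.10.0.0/16", tgw_id))
```

The first two calls run before you fill in the Konnect form (their results are the Transit Gateway ID and RAM Share ARN the form asks for); the last two run after Konnect has submitted its attachment request. Keeping the owner-account check in code makes the same review you would do by eye in the console repeatable.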