How to configure AWS Transit Gateway

This guide walks you through connecting your Konnect-managed Dedicated Cloud Gateways to AWS Transit Gateway, providing a secure and private channel for your API traffic.

How do Transit Gateways work?

Figure 3: In this diagram, the User AWS account represents you are running your microservices, APIs, or applications. You can connect your infrastructure securely to Konnect through an AWS Transit Gateway. On the Kong side, the Kong AWS Cloud is the cloud account running your Dedicated Cloud Gateways, which ingests traffic coming in from the Transit Gateway and securely exposes it to the internet.

To establish private connectivity between the Konnect network and your account or VPC, you need to allow traffic via the AWS RAM shared resource flow.

Prerequisites

• A Konnect control plane
• An AWS account with administrative privileges to create resources and manage peering
• The AWS ID. You can find this in Konnect by selecting the desired Network from Gateway Manager > Networks

Configure AWS Transit Gateway

1. While logged in to AWS, select the same region as your cloud gateways network.
2. Select VPC > Transit Gateways, then click Create transit gateway.
3. Name the transit gateway and then click Create transit gateway.

This will display a Transit Gateway ID, save this.

Configure AWS resources access

1. Navigate to the Resource Access Manager, then click Create Resource Share.
2. Select Transit Gateways as the resource type, and check the box for the transit gateway that you created in the previous section.
3. Give the Resource Share a name.
4. Click Next and leave the default managed permission settings as they are.
5. On the next screen, select Allow external accounts and then choose AWS Account. Paste the AWS ID you copied from Konnect.
6. Click Add, and review your settings before clicking Create.

After creating the resource share, copy the RAM Share ARN. You will need this to finish configuration in Konnect

Configure Konnect

1. From Konnect, navigate to the Gateway Manager.
2. Within the Networks tab, select the desired network, then select Attach Transit Gateway.
3. In the form that appears, enter a Transit Gateway Name.
4. Add one or more CIDR blocks that will be forwarded to your AWS Transit Gateway. Ensure these do not overlap with the CIDR of your cloud gateways network.
5. Paste the RAM Share ARN and the Transit Gateway ID you saved earlier into the matching fields.
6. For DNS configuration, add the IP addresses of DNS servers that will resolve to your private domains, along with any domains you want associated with your DNS. Konnect supports the following mappings:
   • 1-1 Mapping
     • Each domain is mapped to a unique IP address.
     • For example: example.com -> 192.168.1.1
   • N-1 Mapping
     • Multiple domains are mapped to a single IP address.
     • example.com, example2.com -> 192.168.1.1
   • M-N Mapping
     • Multiple domains are mapped to multiple IP addresses, not necessarily in a one-to-one relationship.
     • example.com, example2.com -> 192.168.1.1, 192.168.1.2
     • example3.com -> 192.168.1.1
7. Save.

Accept Transit Gateway attachment request

1. From the AWS Console, go to VPC > Transit Gateway Attachments.
2. Wait for an attachment request coming from the AWS Account ID you used in Konnect.
3. Accept the attachment to complete the setup.

Configure AWS Transit Gateway and VPC Routing Tables

To properly route traffic between your AWS VPCs and Kong Dedicated Cloud Gateways (DCGW) via AWS Transit Gateway, additional routing steps are required:

1. From your AWS Console, navigate to VPC > Transit Gateways.
2. Select your transit gateway, then select Transit Gateway Attachments.
3. Click Create transit gateway attachment and attach each AWS VPC that needs connectivity to your Kong DCGW.
4. After attachments are created, navigate to Transit Gateway Route Tables.
5. If the attachment is associated with (and propagating to) the route table, the VPC CIDRs appears automatically.
6. If not, select the relevant Transit Gateway route table, then click Create route to add routes to your Kong DCGW VPC CIDR range and AWS VPC CIDR ranges. Ensure these CIDR blocks do not overlap.
7. Next, navigate to your AWS VPCs, select Route Tables, and update your route tables:
   • Add a new route for the Kong DCGW VPC CIDR with the Target set to your Transit Gateway ID.
   • For example:
     Destination: 192.168.0.0/16 -> Target: tgw-xxxxxxxx
8. Verify your AWS Security Groups and Network ACLs:
   • Allow necessary inbound/outbound traffic for ports and protocols used by your upstream applications and Kong DCGW.
   • Ensure Network ACLs permit traffic between AWS VPCs and Kong DCGW.
9. Confirm connectivity by testing communication between your AWS VPC resources and Kong DCGW endpoints with ping, telnet, or traceroute).

Once the transit gateway attachment is successful and you’ve configured routing in your AWS VPC, add a route where the upstream services are running, and configure the route to forward all traffic for the Konnect managed VPC via the transit gateway. This ensures that traffic from the Konnect data plane reaches the service and the response packets are routed back correctly.

More information

• Dedicated Cloud Gateways
• Network Resiliency and availability
• Getting started with transit gateways - Amazon VPC