|
| 1 | +--- |
| 2 | +Title: Connect to Amazon Web Services Transit Gateway |
| 3 | +linkTitle: Transit Gateway |
| 4 | +description: |
| 5 | +weight: 80 |
| 6 | +alwaysopen: false |
| 7 | +categories: ["RC"] |
| 8 | +aliases: |
| 9 | +--- |
| 10 | + |
| 11 | +[Amazon Web Services (AWS) Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html) acts as a Regional virtual router for traffic flowing between your virtual private cloud(s) (VPCs) and on-premises networks. You can attach different resources to your Transit Gateway which include: |
| 12 | + |
| 13 | +- One or more VPCs |
| 14 | +- One or more virtual private network (VPN) connections |
| 15 | +- One or more AWS Direct Connect gateways |
| 16 | +- One or more Transit Gateway Connect attachments |
| 17 | +- One or more transit gateway peering connections |
| 18 | + |
| 19 | +You can connect your Redis flexible subscription to a Transit Gateway which is attached to the VPC of your application. This lets your application connect securely to your Redis Cloud database while optimizing performance. |
| 20 | + |
| 21 | +{{< note >}} |
| 22 | +Transit Gateway is available only with Flexible or Annual subscriptions. It is not supported for Fixed or Free subscriptions. |
| 23 | +{{< /note >}} |
| 24 | + |
| 25 | +## Considerations |
| 26 | + |
| 27 | +You can use Transit Gateway as an alternative to [VPC peering]({{<relref "/rc/security/vpc-peering">}}), or you can enable both for your subscription. |
| 28 | + |
| 29 | +Compared to VPC peering, Transit Gateway: |
| 30 | + |
| 31 | +- Supports complex network topologies, such as multiple VPCs or site-to-site VPNs. |
| 32 | + |
| 33 | +- Uses security groups and network ACLs to control traffic between VPCs. |
| 34 | + |
| 35 | +- Has a higher network latency and cost than VPC peering due to Transit Gateway infrastructure costs. |
| 36 | + |
| 37 | +Consider using VPC peering and Transit Gateway in parallel for the following situations: |
| 38 | + |
| 39 | +- When migrating from one connectivity solution to the other. |
| 40 | + |
| 41 | +- If different applications need to connect to the same database but have different latency or security requirements. |
| 42 | + |
| 43 | +## Prerequisites |
| 44 | + |
| 45 | +Before you can set up Transit Gateway: |
| 46 | + |
| 47 | +1. [Create a flexible subscription]({{< relref "/rc/subscriptions/create-flexible-subscription" >}}) from the Redis cloud [admin console](https://app.redislabs.com/#/). |
| 48 | + |
| 49 | +1. [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw) from the [AWS VPC console](https://console.aws.amazon.com/vpc/). |
| 50 | + |
| 51 | +1. [Share the transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-sharing) from the [AWS resource access manager](https://console.aws.amazon.com/ram/). |
| 52 | + |
| 53 | +## AWS Transit Gateway |
| 54 | + |
| 55 | +To set up Transit Gateway: |
| 56 | + |
| 57 | +1. [Associate your resource share with the Redis AWS account](#associate-resource-share). |
| 58 | + |
| 59 | +1. [Accept the resource share and create an attachment](#accept-resource-share). |
| 60 | + |
| 61 | +1. [Add consumer CIDRs](#add-consumer-cidrs) to the attachment. |
| 62 | + |
| 63 | +1. [Update AWS route tables](#update-route-tables) with the Redis Cloud producer CIDRs. |
| 64 | + |
| 65 | +### Associate resource share with Redis Cloud {#associate-resource-share} |
| 66 | + |
| 67 | +In this step, you will associate your resource share with your subscription's AWS account. You can do this either in the [AWS console](#aws-console) or with the [AWS CLI](#aws-cli). |
| 68 | + |
| 69 | +#### AWS Console |
| 70 | + |
| 71 | +To use the AWS console to set up the resource share: |
| 72 | + |
| 73 | +1. From the [Redis Cloud admin console](https://app.redislabs.com/), select the **Subscriptions** menu and then select your subscription from the list. |
| 74 | + |
| 75 | +1. Select **Connectivity > Transit Gateway** to view the transit gateway settings. |
| 76 | + |
| 77 | +1. In the **Share Transit Gateway** section, select **Copy** under **AWS console** to copy the Redis AWS Account number. |
| 78 | + |
| 79 | + {{<image filename="images/rc/tgw-share-transit-gateway.png" width="80%" alt="The Share Transit Gateway section." >}}{{< /image >}} |
| 80 | + |
| 81 | +1. Follow the guide to [Update a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) in the [AWS resource access manager](https://console.aws.amazon.com/ram/). |
| 82 | + |
| 83 | + During the **Grant access to principals** step, select **AWS Account** in the **Select principal type** field. Enter the copied AWS account number in the **Enter an AWS Account ID** field. |
| 84 | + |
| 85 | + {{<image filename="images/rc/aws-tgw-add-principal.png" width="80%" alt="The AWS Add principal field." >}}{{< /image >}} |
| 86 | + |
| 87 | + After the principal is added, it may take some time before it is associated. You can see the status of the principals under **Shared Principals** in the resource share page. |
| 88 | + |
| 89 | +#### AWS CLI |
| 90 | + |
| 91 | +To use the AWS CLI to set up the resource share: |
| 92 | + |
| 93 | +1. From the [Redis Cloud admin console](https://app.redislabs.com/), select the **Subscriptions** menu and then select your subscription from the list. |
| 94 | + |
| 95 | +1. Select **Connectivity > Transit Gateway** to view the transit gateway settings. |
| 96 | + |
| 97 | +1. In the **Share Transit Gateway** section, select **Copy** under **AWS CLI Command** to copy the Redis AWS Account number. |
| 98 | + |
| 99 | + {{<image filename="images/rc/tgw-share-transit-gateway.png" width="80%" alt="The Share Transit Gateway section." >}}{{< /image >}} |
| 100 | + |
| 101 | +1. Enter the copied CLI command into a terminal shell. Replace `<TGW ARN>` with the Amazon resource name of your transit gateway. |
| 102 | + |
| 103 | +### Accept resource share and create attachment {#accept-resource-share} |
| 104 | + |
| 105 | +After you've associated the Redis AWS account with your resource share, you must accept the resource share in the admin console. |
| 106 | + |
| 107 | +1. In your Redis Cloud subscription's Transit Gateway settings, you should now see that a **Resource Share** is available. Select **Resource Shares** to view the resource share you initiated. |
| 108 | + |
| 109 | + {{<image filename="images/rc/tgw-resource-shares-button.png" width="250px" alt="The Share Transit Gateway section." >}}{{< /image >}} |
| 110 | + |
| 111 | +1. Select **Accept** to associate the **Resource Share** with your admin console account. |
| 112 | + |
| 113 | + {{<image filename="images/rc/tgw-accept-resource-shares.png" width="80%" alt="The Accept resource shares section." >}}{{< /image >}} |
| 114 | + |
| 115 | +1. Select **Close** to close the **Accept resource shares** section. |
| 116 | + |
| 117 | +1. You will now see your transit gateway in the **Transit Gateways** section. After the **TGW status** is **Available**, select **Create Attachment** under **Attachment status**. |
| 118 | + |
| 119 | + {{<image filename="images/rc/tgw-create-attachment-button.png" width="250px" alt="The Create attachment button." >}}{{< /image >}} |
| 120 | + |
| 121 | + This will request a peering attachment representing Redis's AWS account to the Transit Gateway. |
| 122 | + |
| 123 | +1. If your transit gateway does not automatically accept peering attachment requests, the attachment will be in **Pending acceptance** status. Follow the guide to [Accept a peering attachment request](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html#tgw-peering-accept-reject) from the [AWS VPC console](https://console.aws.amazon.com/vpc/). |
| 124 | + |
| 125 | +### Add consumer CIDRs |
| 126 | + |
| 127 | +1. In your Redis Cloud subscription's Transit Gateway settings, in the **Transit Gateways** section, select **Add CIDRs** under **Consumer CIDRs**. |
| 128 | + |
| 129 | + {{<image filename="images/rc/tgw-add-cidrs-button.png" width="150px" alt="The Add CIDRs button." >}}{{< /image >}} |
| 130 | + |
| 131 | +1. Enter the IPv4 CIDR of the VPC you want to connect to that is also connected to your transit gateway. To find this, go to the [AWS VPC console](https://console.aws.amazon.com/vpc/) and select **Your VPCs**. |
| 132 | + |
| 133 | + Select **Add** to add another CIDR if needed. |
| 134 | + |
| 135 | + {{<image filename="images/rc/tgw-add-additional-cidrs-button.png" width="150px" alt="The Add button for adding additional CIDRs." >}}{{< /image >}} |
| 136 | + |
| 137 | + Select **Save** to save your changes. |
| 138 | + |
| 139 | +### Update AWS route tables {#update-route-tables} |
| 140 | + |
| 141 | +To finish Transit gateway setup, [update your route tables for the peering connection](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html) with the following details: |
| 142 | + |
| 143 | +1. In the **Destination** field, enter the producer deployment CIDRs. |
| 144 | + |
| 145 | + You can find the producer deployment CIDRs on the Redis Cloud console in the Transit Gateway settings by selecting **More actions > View Attachment** in the **Transit Gateway** section. |
| 146 | + |
| 147 | + {{<image filename="images/rc/tgw-attachment-more-actions-menu.png" width="300px" alt="The More actions menu." >}}{{< /image >}} |
| 148 | + |
| 149 | + {{<image filename="images/rc/tgw-producer-cidr-copy.png" width="100%" alt="The Producer deployment CIDRs in the Attachment settings. " >}}{{< /image >}} |
| 150 | + |
| 151 | +1. In the **Target** field, select **Transit Gateway** and select the relevant **Transit gateway ID**. |
| 152 | + |
| 153 | +After Transit gateway is established, we recommend switching your application connection string to the private endpoint. |
| 154 | + |
| 155 | + |
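Review bot: In the "AWS CLI" procedure, step 3 says that selecting **Copy** under **AWS CLI Command** copies "the Redis AWS Account number", but step 4 then tells the reader to "Enter the copied CLI command" and replace `<TGW ARN>`. Step 3 reads as if it was carried over from the console procedure and should say that it copies the CLI command. In "Update AWS route tables", the link text "for the peering connection" and its target `vpc-peering-routing.html` point at the VPC peering routing guide, although step 2 sets the **Target** to a Transit Gateway; link the transit gateway routing documentation instead, or state why the peering guide applies here. The "Add consumer CIDRs" heading is the only step heading without an explicit `{#...}` anchor even though the setup list links to `#add-consumer-cidrs`; add `{#add-consumer-cidrs}` to match the other three headings. Smaller points: `description:` and `aliases:` in the front matter are empty, the alt text for `tgw-resource-shares-button.png` repeats "The Share Transit Gateway section.", and "Redis cloud" and "Transit gateway" are capitalized differently from "Redis Cloud" and "Transit Gateway" elsewhere on the page.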