/transit-gateway-migrator

A tool written in Python that seamlessly migrates network traffic from a transit VPC to AWS Transit Gateway

Transit Gateway Migrator



Description
The TGW Migrator is a tool which provides a seamless migration path from transit VPC solutions to AWS Transit Gateway. It can also be used to quickly attach and enable routing between VPCs through a common AWS Transit Gateway even if they are not part of a transit VPC.

You start by deploying a CloudFormation stack, which provisions a new dedicated VPC, a subnet and an EC2 instance that is used to run the TGW Migrator tool. You access the Python-based tool by SSH'ing into the provisioned EC2 instance and running it per the instructions below.

Also, please feel free to check out the AWS Official Blog on this tool.

Important Limitations

  • This tool can only migrate VPCs to a Transit Gateway which are all in the same AWS region.
  • The tool is capable of migrating all "spoke VPCs" in a transit VPC to a Transit Gateway. However, it cannot automate the migration of on-prem VPNs to the Transit Gateway. This portion must be done manually.

Benefits of Using TGW Migrator

Aside from quickly and seamlessly migrating your VPCs to the Transit Gateway, this tool also provides a quick option to roll back the migration if something goes wrong. A process that could take minutes to hours to do manually (depending on how many VPCs you have) is easily accomplished within a few seconds.

General Deployment

  1. Click Here to launch the CloudFormation stack.
  2. In the CloudFormation console, wait for the stack to complete deployment and then click on the Outputs tab for the stack. This section will have the public IP that you need to SSH into the TGW Migrator EC2.
  3. SSH into the TGW Migrator EC2 then change into the tool's directory:
    cd tgw-migrator/
  4. Finally, start the tool:
    ./tgw-migrator.py

Instructions to Migrate Transit VPC to Transit Gateway

If you have been using a transit VPC in AWS, then your architecture likely looks like the following diagram:


When you deploy the TGW Migrator tool, you will move your VPCs off of transit VPC onto Transit Gateway in two steps:

  1. Start the tool and choose A) Attach VPCs to registered TGW. At some point during the attachment process, you will be asked to provide the Customer Gateway (CGW) public IP of one of the hub routers in your transit VPC. Note that if you are running two or more hub routers for redundancy, you can simply choose one of their IPs at random (so '1.1.1.1' could be used in Figure 1, for example). The tool will use this to trace down all the connected VPNs and their respective spoke VPCs that need to be migrated to the Transit Gateway.
  2. Once the tool has finished attaching the VPCs, run it again and choose B) Enable routing between attached VPCs. This step will actually move your traffic off of the transit VPC, since it inserts static routes into each VPC's main route table which point to the Transit Gateway as the next hop (static routes take preference over BGP propagated routes from the transit VPC).
  3. If you find that the migration was not successful you can roll it back by starting the tool once more and choosing C) Disable routing between attached VPCs
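Added example (not code from the TGW Migrator): a check that models how a VPC route table chooses between the propagated transit VPC routes and the static Transit Gateway routes from step 2, longest matching prefix first and static over propagated on a tie, and lists the prefixes that would still follow the transit VPC. The route entries are constructed samples shaped like EC2 DescribeRouteTables output; all IDs and CIDRs are placeholders.

```python
import ipaddress

# Constructed sample routes, shaped like entries in EC2 DescribeRouteTables
# output. All IDs and CIDRs are placeholders, not values from the tool.
PROPAGATED = [  # learned over the transit VPC VPNs (BGP via the VGW)
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "vgw-EXAMPLE",
     "Origin": "EnableVgwRoutePropagation"},
    {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "vgw-EXAMPLE",
     "Origin": "EnableVgwRoutePropagation"},
]
STATIC_TGW = [  # static routes pointing at the Transit Gateway
    {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": "tgw-EXAMPLE",
     "Origin": "CreateRoute"},
    {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-EXAMPLE",
     "Origin": "CreateRoute"},
]


def next_hop(routes, dest_ip):
    """Longest matching prefix wins; on a tie, static beats propagated."""
    ip = ipaddress.ip_address(dest_ip)
    best_key, best = None, None
    for r in routes:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net:
            key = (net.prefixlen, r["Origin"] != "EnableVgwRoutePropagation")
            if best_key is None or key > best_key:
                best_key, best = key, r
    if best is None:
        return None
    return best.get("TransitGatewayId") or best.get("GatewayId")


def still_on_transit_vpc(routes):
    """Propagated prefixes not fully covered by static TGW routes of equal
    or longer prefix length, i.e. traffic that stays on the transit VPC."""
    static = [ipaddress.ip_network(r["DestinationCidrBlock"]) for r in routes
              if r["Origin"] == "CreateRoute" and r.get("TransitGatewayId")]
    leftovers = []
    for r in routes:
        if r["Origin"] != "EnableVgwRoutePropagation":
            continue
        p = ipaddress.ip_network(r["DestinationCidrBlock"])
        inside = [s for s in static if s.subnet_of(p)]
        if list(ipaddress.collapse_addresses(inside)) != [p]:
            leftovers.append(str(p))
    return leftovers
```

In the sample, the static 10.0.0.0/8 route does not move 10.2.0.0/16 onto the Transit Gateway, because the propagated /16 is the more specific match; removing the static routes (the rollback case) sends every destination back to the VGW.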

Below is an illustration of these steps:


Instructions to Attach Standalone VPCs to Transit Gateway

The TGW Migrator can also be used to easily and quickly attach any VPC to a Transit Gateway, not just spoke VPCs that are part of a transit VPC solution. To attach a standalone VPC, simply add a tag to the VPC, with the Key being attach-tgw and the Value being true (note: this is case sensitive, so make sure both are lowercase).

Your tag should then look like this:

Once you have tagged the VPCs you want to attach:

  1. Start the tool and choose A) Attach VPCs to registered TGW
  2. Once the tool has finished attaching the VPCs, run it again and choose B) Enable routing between attached VPCs. This step will actually start routing your traffic between VPCs over the TGW
  3. If you find that the migration was not successful you can roll it back by starting the tool once more and choosing C) Disable routing between attached VPCs
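Added example (not part of the TGW Migrator): a pre-flight check that sorts VPCs by whether they carry the exact attach-tgw / true tag described above, and flags near-misses that differ only in case or whitespace and so would not match the case-sensitive tag. The VPC list is a constructed sample shaped like the "Vpcs" list in EC2 DescribeVpcs output; the VPC IDs are placeholders and `classify_vpcs` is a hypothetical helper name.

```python
# Constructed sample, shaped like the "Vpcs" list in EC2 DescribeVpcs output.
SAMPLE_VPCS = [
    {"VpcId": "vpc-aaaa1111", "Tags": [{"Key": "attach-tgw", "Value": "true"}]},
    {"VpcId": "vpc-bbbb2222", "Tags": [{"Key": "Attach-TGW", "Value": "true"}]},
    {"VpcId": "vpc-cccc3333", "Tags": [{"Key": "attach-tgw", "Value": "True "}]},
    {"VpcId": "vpc-dddd4444", "Tags": [{"Key": "Name", "Value": "prod"}]},
    {"VpcId": "vpc-eeee5555"},  # a VPC with no tags has no "Tags" key
]

TAG_KEY, TAG_VALUE = "attach-tgw", "true"  # exact, lowercase, per the README


def classify_vpcs(vpcs):
    """Return VPC IDs grouped as 'selected' (exact tag), 'near_miss'
    (same tag apart from case/whitespace) or 'untagged'."""
    result = {"selected": [], "near_miss": [], "untagged": []}
    for vpc in vpcs:
        bucket = "untagged"
        for tag in vpc.get("Tags", []):
            key, value = tag.get("Key", ""), tag.get("Value", "")
            if key == TAG_KEY and value == TAG_VALUE:
                bucket = "selected"
                break  # an exact match settles it
            if (key.strip().lower() == TAG_KEY
                    and value.strip().lower() == TAG_VALUE):
                bucket = "near_miss"  # keep looking for an exact match
        result[bucket].append(vpc["VpcId"])
    return result
```

Reviewing the 'selected' list before choosing option A also confirms that only the intended VPCs are about to join the shared routing domain.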

Enabling Cross-Account Access for the TGW Migrator

You can optionally grant the TGW Migrator tool API access to secondary AWS accounts. The tool will automatically share a Transit Gateway with any secondary accounts through Resource Access Manager (RAM), attach the accounts' VPCs to the TGW and finally enable routing between all VPCs in all accounts. Granting cross-account access can be done in the following steps:

  1. First, launch the TGW CloudFormation stack in a primary account.
  2. Once the CloudFormation stack from step #1 has fully deployed, SSH into the TGW Migrator EC2 and run the tool.
  3. Choose B) Share registered TGW with other AWS accounts. This will lead you through the steps to add any secondary AWS account IDs that you would like the TGW Migrator to share the TGW with, attach VPCs from and enable routing for.
  4. Once you provide the secondary account numbers, the TGW Migrator tool will continuously poll for successful access to the secondary accounts. At this time you will want to launch the Secondary Account CloudFormation stack in any secondary accounts. This template will deploy appropriate IAM permissions for the tool in the primary account to make cross-account API calls.
  5. You should eventually see the TGW Migrator go from a polling state to stating "Success!!! All secondary accounts are ready for deployment!" and return you to the main menu. At this point you can proceed with attaching VPCs, enabling routing, etc. through the tool. The tool will check each account automatically.


Contributors


Ben Fowler

AWS Sr. Cloud Support Engineer // Software Developer


Bhavin Desai

AWS Sr. Solutions Architect // Evangelist

Please feel free to subscribe to the YouTube channel here for frequent demos on different network use-cases, solutions and tools in AWS.