EMnify mobile core network being hosted in AWS, we have the possibility to keep all data traffic of our customers using AWS private by connecting both Virtual private clouds (VPC) via a Transit Gateway (TGW).
1. EUI configuration
To create a TGW, the first step is to get in contact with your Customer Success Manager in order to whitelist your account, if you miss this important step is not possible to do all that follows.
Once you have done this operation, your CSM will confirm that and you have to login to the EUI and click on the link symbol on the top right corner of the EMnify portal and scroll down to the option "Cloud Connect".
Click on "+create" and select Transit Gateway. The following window should appear:
- Enter a name of your choice to identify your attachment;
- Choose the region to which you would like to connect to. Make sure you select the same region in the Service Profile that you wish to use with the attachment;
- Enter your AWS Account ID which can be retrieved under "My Account" in the AWS portal
- Add up to 3 CIDRs used in your VPC. Select the CIDRs to which data will be sent to. Note that the CIDRs must be valid RFC 1918 private address prefixes and the ranges must be between /32 and /22. The default /16 CIDR will be declined. If the CIDR is already taken on our side, a warning will be displayed when you try to validate the TGW because AWS TGW does not support overlapping IP addresses.
- Add a description of your choice
Before creating the attachment your Service Profiles are reviewed in order to enforce the validation described at step 2 above. A summary of your configuration is also available.
Make sure everything is correct and click on "Create Attachment". The configuration data will be validated and if any error is encountered error messages will be accordingly displayed, like for instance in case the configured CIDR is not available:
In such a case, enter a new CIDR and repeat the process. Once the setup is complete, your transit gateway should be "active". You now need to accept the resource share on your AWS account and configure the attachment.
1.2. Endpoint IP range configuration
All IP ranges assigned to the customer's account need to be configured on the EMnify side. By default, each account has a /22 range (1022 IP addresses). Inform EMnify via ticket when a new range is manually added to your EMnify account. Send an email to firstname.lastname@example.org stating which new range should be configured for your IPSec.
2. AWS configuration
2.1. Accept resource share
Once the above mentioned process is finished, a Transit Gateway has been shared with your AWS account. A Resource Share invitation in the Resource Access Manager console should be available. Navigate to the Resource Access Manager in the region you selected in step 2 (Ireland, Singapore or Virginia) to find the shared resource.
Select the resource share and accept it.
The Transit Gateway is now active on both the AWS account and the EMnify User Interface. Note that the Transit Gateway is owned by EMnify (the displayed owner ID is EMnify's) and it is not possible to configure it in any way (e.g. assign it a Name tag) or attach any routing table to it.
2.2 Routing Configuration
You now need to configure the routing on your AWS account by following the next steps:
2.2.1. Create Transit Gateway Attachment
In the VPC dashboard in the right region, navigate to "Transit Gateways Attachments". Create a Transit Gateway Attachment and attach the VPC where the Application Servers are located to the shared Transit Gateway. During the process, the Transit Gateway can be configured to attach to one or multiple subnets of the VPC.
2.2.2 Configuring the VPC Route Tables
Your account's VPC routing table(s) have to be configured to send data through the TGW under "VPC dashboard - Route Tables" Route table entries shall be added to all the relevant Route Tables, to specify that traffic towards the IP address ranges allocated to your EMnify endpoints is routed via the shared Transit Gateway,
To configure this correctly, please check AWS support center.
To avoid the necessity to update the route tables each time a new IP address range is allocated for the customer endpoints, an “all including” address space (e.g. 100.64.0.0/16) may be configured from the start. This is a safe practice and no interference with foreign endpoints will occur because on the EMnify side the routing to each individual IP address space is done on a per-customer basis.
2.2.3 Configure the VPC Security Groups
As the last step, Security Groups shall be configured so that traffic from your EMnify endpoints is allowed to reach the customer Application Servers. The exact process depends again on the specifics of the your deployment. One way to do it is to define a dedicated Security Group (see Figure 8) and associate it to each Application Server, in addition to the existing Security Groups, as illustrated in Figure 9.
The Security Group rules may be made more specific by narrowing down the port and protocol to the specific applications and application servers used.
At this stage traffic between the endpoints and application servers can flow in both directions.
Figure 8 Security Group Configuration
Figure 9 Routing via the Virtual Network Gateway