Migrating TGW Orchestrator to Multi-Cloud Transit

This document helps you migrate from an Aviatrix deployed TGW Orchestrator to an Aviatrix Multi-Cloud Transit deployment.

The objectives here are:

  • Minimum downtime during migration.
  • No change to existing VPC infrastructure.
  • Minimum change to on-prem connectivity.
  • Transferring Security Domains and Connection Policies in TGW to multi-cloud transit.

The Solution

The migration architecture is shown as the diagram below. We assume the current TGW Orchestrator deployment deploys Aviatrix Transit Gateway to connect to on-prem.

tgw_to_multi-cloud_transit

1. Migrate to ActiveMesh 2.0

If the Aviatrix Transit Gateways was deployed prior to Release 6.0. A migration step to ActiveMesh 2.0 is necessary before migrating to multi-cloud transit.

  1. Upgrade to Release 6.0. Go to Settings -> Maintenance -> Upgrade to the Latest.
  2. After upgrading to 6.0 is complete and successful, go to Settings -> Maintenance -> Migration -> ActiveMesh 2.0 Migration. Click to migrate. It should take a few minutes.

2. (Optional) Create multi-cloud security domains

If TGW Orchestrator configured Security Domains and Connection policies other than the default domains, create the corresponding security domains and connection policies. Otherwise skip this step and proceed. (You can always setup security domains for multi-cloud transit later.)

Follow the Multi-Cloud Transit Segmentation workflow to plan.

3. Migrate

  1. Enable Connected Transit on the Aviatrix Transit Gateway if it is not already configured. This configuration mode ensures that migrated Spoke VPCs can communicate with Spoke VPCs that are still attached to TGW.
  2. Launch an Aviatrix Spoke gateway in Spoke-1 VPC, enable HA if required.
  3. Detach Spoke-1 from TGW. Go to TGW Orchestrator -> Build -> Detach.
  4. Attach Aviatrix Spoke-1 gateway to Aviatrix Transit Gateway. Go to Multi-Cloud Transit -> Attach (Step 6a)
  5. Repeat the above steps for all remaining Spoke VPCs during the migration process.
  6. (Optional) After all Spoke VPCs have been migrated, setup multi-cloud connection policies. Go to Multi-Cloud Transit -> Segmentation -> Build to associate each Aviatrix Spoke gateway with a security domain.
  7. Done.

4. Other Components

4.1 Hybrid Connectivity

If Hybrid connectivity is accomplished via TGW DXGW or TGW VPN, these connections can continue to serve the new deployment after migration to not to change the connectivity to on-prem.

4.2 FireNet

If TGW FireNet has been deployed with TGW Orchestrator, migrate that to Transit FireNet where firewall instances can be attached too the Aviatrix Transit Gateway. Disassociate firewall instances from FireNet and launch and associate to Aviatrix Transit Gateway after Spoke migration is complete.