Migrating a CSR Transit to Next Gen Transit for AWS

This document assumes that you have deployed a CSR Transit solution with Transit hub CSR instances and VGWs in Spoke VPCs. The steps below provide instructions to migrate a live CSR deployment to Aviatrix with the Transit Gateway orchestrator.

The objectives here are:

  • No change to any on-prem network.
  • No change to the connectivity between AWS VGW and on-prem (over DX, over Internet, or both).
  • Re-use the AWS VGW deployed in the CSR-based Transit hub VPC if possible.
  • No change to existing VPC infrastructure.
  • Minimum operation downtime.

There are a couple of patterns for the migration phase. Choose the one that meets your requirements.

Note

This document assumes you have already launched an Aviatrix Controller.

Before the migration process starts, plan out what security domains you need to create and which security domains should connect to other domains. If you are not sure and need to transition, you can proceed anyway: security domains can be added and modified at any time.

Step 1. Launch a Transit Gateway

Follow Step 1.

Step 2. Create Security Domains

If you have plans for custom security domains, follow Step 2 to create them. Follow Step 3 to build connection policies. If you do not intend to build custom security domains, skip this section.

Step 3. Launch Aviatrix Transit GW

Follow Step 1 and Step 2 to launch an Aviatrix Transit GW and enable HA in the Transit hub VPC. As a best practice, create a new Transit hub VPC to deploy the Aviatrix Transit GW.

The next step has two options.

Step 4, option A. Reuse VGW: Connect Aviatrix Transit GW to VGW

Follow Step 3. At this point, VGW starts to advertise to the Aviatrix Transit GW. Make sure you specify a different “AS” number for the BGP session of the Aviatrix Transit GW connection to the VGW. Also note that if the Transit GW and the VGW are in the same account and same VPC, VGW must be detached from the VPC.

A diagram for this migration path is shown below:

[Diagram: tgw_csr_migrate_pattern1]

Step 4, option B. Connect Aviatrix Transit GW to CSR

There are certain situations where you need to keep the CSR as the connection point to on-prem (for example, you need to use the CSR route summarization feature to keep the number of routes to the VGW under 100). In such a scenario, use the External Device option in the Transit VPC workflow to create an IPSec and BGP connection to the CSR, as shown in the diagram below. After all Spoke VPCs are migrated, delete the connection to the CSR and connect the Aviatrix Transit GW to the VGW.

[Diagram: tgw_csr_migrate_pattern2]

Step 5. Remove a Spoke VPC

Select one Spoke VPC that has VGW deployed. Remove the VPC Transit Network tag. This will effectively detach the Spoke VPC from the CSR Transit Network. Make sure the route entry for this Spoke VPC's CIDR has been removed from the Transit Network.

Step 6. Attach Spoke VPC

Follow TGW Build workflow Step 1 to attach a VPC to the corresponding security domain.

Step 7

Repeat Step 5 and Step 6 for the remaining Spoke VPCs.

Step 8. Remove Transit hub VGW CSR tag

After all Spoke VPCs have been migrated to Aviatrix Transit GW, remove the VGW Transit Network tag. This effectively detaches the VGW from CSR.

The effective operation downtime for each Spoke VPC is the time between the Transit Network tag being removed for the Spoke VPC and the Spoke VPC being attached to Aviatrix Transit GW. It should be a few minutes.
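The checks called out in Step 4 and Step 5 can be scripted and run before each Spoke VPC is attached in Step 6. The following is an added example, not part of the original document or of any Aviatrix tooling: the function names, the sample prefixes and the ASNs are constructed, the prefix list is assumed to be exported from the old transit's routing table, and "a different AS number" is assumed to mean different from every ASN already in use.

```python
import ipaddress

VGW_ROUTE_LIMIT = 100  # from the page: routes to the VGW must stay under 100


def stale_spoke_routes(spoke_cidr, transit_prefixes):
    """Prefixes still in the old transit that are the spoke CIDR or a subnet of it."""
    spoke = ipaddress.ip_network(spoke_cidr)
    stale = []
    for prefix in transit_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        # Covering summaries (e.g. an on-prem 10.0.0.0/8) are not flagged: this
        # example assumes they are legitimate and not the spoke's own entry.
        if net.version == spoke.version and net.subnet_of(spoke):
            stale.append(str(net))
    return stale


def preflight(spoke_cidr, transit_prefixes, transit_gw_asn, asns_in_use, routes_to_vgw):
    """Return blocking findings; an empty list means the spoke is ready for Step 6."""
    findings = [f"Step 5: {p} still present for spoke {spoke_cidr}"
                for p in stale_spoke_routes(spoke_cidr, transit_prefixes)]
    # Step 4A: assumed here to mean distinct from every ASN already in use.
    if transit_gw_asn in asns_in_use:
        findings.append(f"Step 4A: AS {transit_gw_asn} is already in use")
    # Step 4B: the page gives "under 100" as the reason to keep the CSR in path.
    if routes_to_vgw >= VGW_ROUTE_LIMIT:
        findings.append(f"Step 4B: {routes_to_vgw} routes to VGW, must be under {VGW_ROUTE_LIMIT}")
    return findings


# Constructed sample data (not from a real deployment).
TRANSIT_PREFIXES = ["10.0.0.0/8", "10.20.0.0/16", "10.20.4.0/24",
                    "10.30.0.0/16", "2001:db8::/32"]
ASNS_IN_USE = {64512, 65000}  # constructed: ASNs of the VGW and the CSR

if __name__ == "__main__":
    for line in preflight("10.20.0.0/16", TRANSIT_PREFIXES, 65000, ASNS_IN_USE, 112):
        print("BLOCK:", line)
    print(preflight("10.40.0.0/16", TRANSIT_PREFIXES, 65010, ASNS_IN_USE, 40)
          or "ready to attach")
```

A leftover more-specific prefix such as 10.20.4.0/24 is reported alongside the exact Spoke CIDR because either one would still draw traffic toward the old transit after the Spoke VPC is attached to the new one.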