Migrating a CSR Transit to Next Gen Transit for AWS

This document assumes that you have deployed a CSR Transit solution with Transit hub CSR instances and VGWs in Spoke VPCs. The steps below provide instructions to migrate a live CSR deployment to Aviatrix with the Transit Gateway orchestrator.

The objectives here are:

  • No change to any on-prem network.
  • No change to the connectivity between AWS VGW and on-prem. (either over DX or over Internet or both)
  • Re-use AWS VGW deployed in CSR based Transit hub VPC if possible.
  • No change to existing VPC infrastructure.
  • Minimum operation downtime.

There are a couple of patterns during the migration phase, consider the one that meets your requirements.

Note

This document assumes you have already launched an Aviatrix Controller.

Before the migration process starts, plan out what security domains you need to create and which security domains should connect other domains. If you are not sure and need to transition, proceed with no worries. The security domains can be added and modified at any time.

  1. Launch a Transit Gateway Follow Step 1.
  2. Create Security Domains If you have plans for custom security domains, follow Step 2 to create them. Follow Step 3 to build connection policies. If you do not intend to build custom security domains, skip this section.
  3. Launch Aviatrix Transit GW Follow Step 1 and Step 2 to launch an Aviatrix Transit GW and enable HA in the Transit hub VPC. For best practice, create a new Transit hub VPC to deploy the Aviatrix Transit GW.

4a. Reuse VGW: Connect Aviatrix Transit GW to VGW Follow Step 3. At this point, VGW starts to advertise to the Aviatrix Transit GW. Make sure you specify a different “AS” number for the BGP session of the Aviatrix Transit GW connection to the VGW. Also note that if the Transit GW and the VGW are in the same account and same VPC, VGW must be detached from the VPC.

A diagram for this migration path is shown below:

tgw_csr_migrate_pattern1

4b. Connect Aviatrix Transit GW to a new VGW There are certain situations where you need CSR during migration phase for packet forwarding. In such scenarios, create a new VGW and connect it to CSR as a Spoke VPC to CSR Transit, as shown in the diagram below. After all Spoke VPCs are migrated, remove the CSR connection and connect the VGW to on-prem. During migration, the network pattern is shown as below:

tgw_csr_migrate_pattern2

  1. Remove a Spoke VPC Select one Spoke VPC that has VGW deployed. Remove the VPC Transit Network tag. This will effectively detach the Spoke VPC from the CSR Transit Network. Make sure the above Spoke VPC CIDR route entry has been removed from the Transit Network.
  2. Attach Spoke VPC to Transit Gateway Follow Step 1 to attach a VPC to the corresponding security domain.
  3. Repeat the above step 5 and step 6 for the remaining Spoke VPCs.
  4. Remove Transit hub VGW CSR tag After all Spoke VPCs have been migrated to Aviatrix Transit GW, remove the VGW Transit Network tag. This effectively detaches the VGW from CSR.

The effective operation downtime for each Spoke VPC is the time between the Transit Network tag being removed for the Spoke VPC and the Spoke VPC being attached to Aviatrix Transit GW. It should be a few minutes.