
24 Examples to Manage AWS Transit Gateway and Attachments Using the CLI

AWS Transit Gateway acts as a hub that connects multiple VPCs and on-premises networks. Besides attaching VPCs to the transit hub and routing traffic between them, you can also attach VPN connections or Direct Connect gateways to a transit gateway. You can also peer two transit gateways and route traffic between them.

In a multi-account environment, you can create the transit gateway in a central network account and share it with external accounts or with the accounts in your organization.

This tutorial explains how to manage AWS Transit Gateway and its attachments using CLI commands.

  • Transit Gateway: examples 1 to 6 explain how to create, view and delete a transit gateway using CLI commands.
  • Transit Gateway VPC attachments: examples 7 to 14 explain how to create, modify, view and delete transit gateway attachments for a VPC.
  • Transit Gateway VPN attachment: example 15 explains how to attach a VPN to a transit gateway using the create-vpn-connection CLI command.
  • Sharing a transit gateway: examples 16 to 18 explain how to share a transit gateway across accounts using Resource Access Manager.
  • Peering two transit gateways: examples 19 to 22 explain how to peer two transit gateways and route traffic between them using the CLI.
  • Adding routes: examples 23 and 24 explain how to add a route to a VPC route table that points to the transit gateway, and how to add a route to a transit gateway route table.

1. Create a Transit Gateway with All Default Values

Use aws ec2 create-transit-gateway as shown below to create a transit gateway. This creates the transit gateway with all the default options.

aws ec2 create-transit-gateway --description prodTGW

When you don't specify any options, the following defaults are used for the transit gateway options:

  • Amazon side ASN: 64512
  • Auto accept shared attachments: disabled
  • Default association route table: enabled
  • Default propagation route table: enabled
  • VPN ECMP support: enabled
  • DNS support: enabled

The following is the output of the above command:

{
  "TransitGateway": {
    "Description": "prodTGW",
    "TransitGatewayArn": "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-000aaabbbccdddeee",
    "CreationTime": "2020-06-13T00:31:03.000Z",
    "State": "pending",
    "TransitGatewayId": "tgw-000aaabbbccdddeee",
    "OwnerId": "111111111111",
    "Options": {
        "DefaultRouteTableAssociation": "enable",
        "DnsSupport": "enable",
        "AutoAcceptSharedAttachments": "disable",
        "AssociationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "PropagationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "AmazonSideAsn": 64512,
        "DefaultRouteTablePropagation": "enable",
        "VpnEcmpSupport": "enable"
    }
  }
}

If you are new to the AWS CLI, refer to this: 15 AWS Configure Command Examples to Manage Multiple Profiles for CLI

2. Create a Transit Gateway with Custom Options – Change AmazonSideASN and AutoAcceptSharedAttachments

If you want to specify your own ASN for the Amazon side of the transit gateway, use --options as shown below. This example also enables the AutoAcceptSharedAttachments option.

aws ec2 create-transit-gateway --description prodTGW \
  --options=AmazonSideAsn=64516,AutoAcceptSharedAttachments=enable

The following is the partial output of the above command.

{
  "TransitGateway": {
    ..
    ..
    "Options": {
        "DefaultRouteTableAssociation": "enable",
        "DnsSupport": "enable",
        "AutoAcceptSharedAttachments": "enable",
        "AssociationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "PropagationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "AmazonSideAsn": 64516,
        "DefaultRouteTablePropagation": "enable",
        "VpnEcmpSupport": "enable"
    }
  }
}

3. Create a Transit Gateway by Changing All Available Custom Options

The following command shows all the options that can be changed while creating a transit gateway:

aws ec2 create-transit-gateway --description prodTGW \
    --options=AmazonSideAsn=64516,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable,VpnEcmpSupport=enable,DnsSupport=enable

The AmazonSideAsn option takes a numeric long value. The rest of the options take either enable or disable. The above example uses the shorthand syntax for the options, separating them with commas. You can also use the following JSON syntax for the options:

{
  "AmazonSideAsn": long,
  "AutoAcceptSharedAttachments": "enable"|"disable",
  "DefaultRouteTableAssociation": "enable"|"disable",
  "DefaultRouteTablePropagation": "enable"|"disable",
  "VpnEcmpSupport": "enable"|"disable",
  "DnsSupport": "enable"|"disable",
  "MulticastSupport": "enable"|"disable"
}
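The following added example (not code from the original tutorial) validates an options dict before rendering it in the shorthand form the commands above use, and flags AutoAcceptSharedAttachments=enable, since with that setting any account the gateway is shared with can attach a VPC without the manual acceptance step shown in example 18. The ASN ranges (64512 to 65534 and 4200000000 to 4294967294) and the command builder are the example's own assumptions about what the CLI accepts.

```python
import shlex

# Amazon-side private ASN ranges a transit gateway accepts (16-bit and 32-bit).
ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
# Options that take only "enable" or "disable".
TOGGLE_KEYS = (
    "AutoAcceptSharedAttachments",
    "DefaultRouteTableAssociation",
    "DefaultRouteTablePropagation",
    "VpnEcmpSupport",
    "DnsSupport",
    "MulticastSupport",
)


def validate_tgw_options(options):
    """Return a list of problems with a create-transit-gateway options dict.

    Hard errors are plain strings; advisory findings start with "warning:".
    AutoAcceptSharedAttachments=enable is flagged because every account the
    gateway is shared with can then attach a VPC without anyone reviewing it.
    """
    problems = []
    for key in options:
        if key != "AmazonSideAsn" and key not in TOGGLE_KEYS:
            problems.append(f"unknown option {key}")
    asn = options.get("AmazonSideAsn")
    if asn is not None and (
        not isinstance(asn, int) or not any(lo <= asn <= hi for lo, hi in ASN_RANGES)
    ):
        problems.append(f"AmazonSideAsn {asn!r} is outside the private ASN ranges")
    for key in TOGGLE_KEYS:
        value = options.get(key)
        if value is not None and value not in ("enable", "disable"):
            problems.append(f"{key} must be 'enable' or 'disable', got {value!r}")
    if options.get("AutoAcceptSharedAttachments") == "enable":
        problems.append("warning: AutoAcceptSharedAttachments=enable skips review of shared attachments")
    return problems


def options_shorthand(options):
    """Render the dict in the comma-separated shorthand the CLI accepts."""
    return ",".join(f"{key}={value}" for key, value in options.items())


def build_create_command(description, options, name_tag=None):
    """Build the aws ec2 create-transit-gateway command line, refusing invalid options."""
    errors = [p for p in validate_tgw_options(options) if not p.startswith("warning:")]
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["aws", "ec2", "create-transit-gateway", "--description", description,
            "--options", options_shorthand(options)]
    if name_tag:
        argv += ["--tag-specifications",
                 f"ResourceType=transit-gateway,Tags=[{{Key=Name,Value={name_tag}}}]"]
    return " ".join(shlex.quote(arg) for arg in argv)
```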

4. Create a Transit Gateway with a Name Tag and Description

You can also specify tags while creating a transit gateway. The following command creates a transit gateway with custom options and assigns a value to the Name tag.

aws ec2 create-transit-gateway --description prodTGW \
  --tag-specifications "ResourceType=transit-gateway,Tags=[{Key=Name,Value=prodTGW}]" \
  --options=AmazonSideAsn=64516,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable,VpnEcmpSupport=enable,DnsSupport=enable

The following is the output of the above command:

{
  "TransitGateway": {
      "Description": "prodTGW",
      "TransitGatewayArn": "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-000aaabbbccdddeee",
      "Tags": [
          {
              "Value": "prodTGW",
              "Key": "Name"
          }
      ],
      "CreationTime": "2020-06-13T16:50:26.000Z",
      "State": "pending",
      "TransitGatewayId": "tgw-000aaabbbccdddeee",
      "OwnerId": "111111111111",
      "Options": {
          "DefaultRouteTableAssociation": "enable",
          "DnsSupport": "enable",
          "AutoAcceptSharedAttachments": "enable",
          "AssociationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
          "PropagationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
          "AmazonSideAsn": 64516,
          "DefaultRouteTablePropagation": "enable",
          "VpnEcmpSupport": "enable"
      }
  }
}

5. View Existing Transit Gateways

The following command will display all available transit gateways:

aws ec2 describe-transit-gateways

To view the details of only a specific transit gateway, specify the transit-gateway-id as shown below.

TGW_ID=tgw-000aaabbbccdddeee

aws ec2 describe-transit-gateways --transit-gateway-ids ${TGW_ID}

6. Delete a Transit Gateway

Use delete-transit-gateway as shown below, providing the transit-gateway-id.

TGW_ID=tgw-000aaabbbccdddeee

aws ec2 delete-transit-gateway --transit-gateway-id ${TGW_ID}

A transit gateway that still has attachments cannot be deleted. You'll get the following error message:

An error occurred (IncorrectState) when calling the DeleteTransitGateway operation: tgw-000aaabbbccdddeee has non-deleted VPC Attachment(s): tgw-attach-000aaabbbcccdddee.

Note: If the route tables of your subnets/VPCs have a route pointing to the deleted transit gateway, those routes will be in the blackhole state. So make sure you delete those routes after deleting the transit gateway.
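The following added example (not part of the original tutorial) finds the black-hole routes the note above warns about in the JSON that aws ec2 describe-route-tables prints, and emits the delete-route commands that clean them up. The sample output embedded in it is constructed, with placeholder IDs.

```python
import json

# Constructed sample in the shape `aws ec2 describe-route-tables` prints;
# the IDs are placeholders. The 10.0.0.0/8 route in the first table points
# at a transit gateway that has since been deleted, so its State is "blackhole".
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-111222333444555",
      "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-000aaabbbccdddeee",
         "Origin": "CreateRoute", "State": "blackhole"}
      ]
    },
    {
      "RouteTableId": "rtb-aaa111bbb222ccc33",
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-222333444aaabbbcc",
         "Origin": "CreateRoute", "State": "active"}
      ]
    }
  ]
}
""")


def find_blackhole_tgw_routes(describe_output):
    """List every route whose transit gateway target no longer exists.

    Each result records the route table, the destination (IPv4 or IPv6)
    and the dead transit gateway ID so the finding can be reported.
    """
    found = []
    for table in describe_output.get("RouteTables", []):
        for route in table.get("Routes", []):
            if route.get("State") != "blackhole" or "TransitGatewayId" not in route:
                continue
            ipv6 = "DestinationIpv6CidrBlock" in route
            found.append({
                "RouteTableId": table["RouteTableId"],
                "Destination": route["DestinationIpv6CidrBlock" if ipv6 else "DestinationCidrBlock"],
                "TransitGatewayId": route["TransitGatewayId"],
                "Ipv6": ipv6,
            })
    return found


def cleanup_commands(describe_output):
    """Build one aws ec2 delete-route command per black-hole route."""
    commands = []
    for hit in find_blackhole_tgw_routes(describe_output):
        flag = "--destination-ipv6-cidr-block" if hit["Ipv6"] else "--destination-cidr-block"
        commands.append(
            f"aws ec2 delete-route --route-table-id {hit['RouteTableId']} {flag} {hit['Destination']}"
        )
    return commands
```

Against a live account, pipe the real output in and call cleanup_commands(json.load(sys.stdin)) instead of using the embedded sample.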

7. Create a Transit Gateway VPC Attachment with the Required Fields

Once you have a transit gateway, you can create the following three types of attachments:

  • Transit gateway VPC attachment
  • Transit gateway VPN attachment
  • Transit gateway peering attachment, to peer with another transit gateway

The following example shows how to create a transit gateway VPC attachment.

TGW_ID=tgw-000aaabbbccdddeee
VPC1=vpc-000111aaabbbcccdd
VPC1_PUBLIC_SUBNET1=subnet-111222333aaabbbcc
VPC1_PUBLIC_SUBNET2=subnet-000222aaabbbcccdd

aws ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

When creating a VPC attachment, the required options are the vpc-id and the subnet IDs in that VPC. For example, you can create the transit gateway VPC attachment for all the public subnets of that VPC across multiple availability zones.

The following is the output of the above command:

{
  "TransitGatewayVpcAttachment": {
      "VpcId": "vpc-000111aaabbbcccdd",
      "VpcOwnerId": "111111111111",
      "SubnetIds": [
          "subnet-000222aaabbbcccdd",
          "subnet-111222333aaabbbcc"
      ],
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      "CreationTime": "2020-06-13T00:48:13.000Z",
      "State": "pending",
      "TransitGatewayId": "tgw-000aaabbbccdddeee",
      "Options": {
          "DnsSupport": "enable",
          "Ipv6Support": "disable"
      }
  }
}

8. Create a Transit Gateway VPC Attachment with a Name Tag

The following example shows how to create a transit gateway VPC attachment with a Name tag. You can also attach multiple tags to the attachment by adding another Key/Value pair in the Tags option.

TGW_ID=tgw-000aaabbbccdddeee
VPC1=vpc-000111aaabbbcccdd
VPC1_PUBLIC_SUBNET1=subnet-111222333aaabbbcc
VPC1_PUBLIC_SUBNET2=subnet-000222aaabbbcccdd

aws ec2 create-transit-gateway-vpc-attachment \
    --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=appOnPremAccess}]" \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

The following is the partial output of the above command.

{
    "TransitGatewayVpcAttachment": {
        "Tags": [
            {
                "Value": "appOnPremAccess",
                "Key": "Name"
            }
        ],
        ..
        ..
    }
}

When you don't specify any options, the attachment is created with DNS support enabled and IPv6 support disabled.

Note: If the VPC already has an attachment to this transit gateway, you'll get the following error:

An error occurred (DuplicateTransitGatewayAttachment) when calling the CreateTransitGatewayVpcAttachment operation: tgw-000aaabbbccdddeee has non-deleted Transit Gateway Attachment(s) with same VPC ID.

9. Create a Transit Gateway VPC Attachment with IPv6 Support

By default, IPv6 support is disabled when the attachment is created. To enable IPv6 support, use the Ipv6Support option as shown below.

aws ec2 create-transit-gateway-vpc-attachment \
    --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=appOnPremAccess}]" \
    --options "Ipv6Support=enable" \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

If you don't have an IPv6 CIDR block associated with the subnets, you'll get the following error message:

An error occurred (InvalidParameterCombination) when calling the CreateTransitGatewayVpcAttachment operation: subnet-000222aaabbbcccdd has no associated IPv6 CidrBlocks

10. Create a Transit Gateway VPC Attachment with All Available Custom Options

aws ec2 create-transit-gateway-vpc-attachment \
    --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=appOnPremAccess}]" \
    --options "DnsSupport=disable,Ipv6Support=disable" \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

The above example uses the shorthand syntax for the options, separating them with commas. You can also use the following JSON syntax for the options:

{
  "DnsSupport": "enable"|"disable",
  "Ipv6Support": "enable"|"disable"
}

11. Modify a Transit Gateway VPC Attachment – Add or Remove Subnets

After creating a transit gateway VPC attachment, you can add or remove subnets as shown below.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 modify-transit-gateway-vpc-attachment \
    --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID} \
    --remove-subnet-ids subnet-111222333aaabbbcc \
    --add-subnet-ids subnet-222111000aaabbbcc

The following is the output of the above command:

{
  "TransitGatewayVpcAttachment": {
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      "TransitGatewayId": "tgw-000aaabbbccdddeee",
      "VpcId": "vpc-d4ef7eaf",
      "VpcOwnerId": "222222222222",
      "State": "modifying",
      "SubnetIds": [
          "subnet-222111000aaabbbcc",
          "subnet-111222333aaabbbcc",
          "subnet-000222aaabbbcccdd"
      ],
      "CreationTime": "2020-06-13T19:31:19+00:00",
      "Options": {
          "DnsSupport": "enable",
          "Ipv6Support": "disable"
      }
  }
}

As you can see from the above output, while the state is "modifying" you'll still see the subnet that is currently being removed. After a few seconds the state changes to "available", and you should see only two subnets for this transit gateway attachment.

If you specify a subnet ID that does not exist, you'll get the following error:

An error occurred (InvalidSubnetID.NotFound) when calling the ModifyTransitGatewayVpcAttachment operation: The subnet ID 'subnet-111222333aaabbbcc' does not exist

12. Modify a Transit Gateway VPC Attachment – Changing Options

After creating an attachment, you can also change its default options. The example below shows how to change the DNS support and IPv6 support options on a transit gateway attachment.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 modify-transit-gateway-vpc-attachment \
    --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID} \
    --options DnsSupport=disable,Ipv6Support=disable

While modifying the attachment, you can also change the options and add/remove subnets at the same time, as shown below.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 modify-transit-gateway-vpc-attachment \
    --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID} \
    --options DnsSupport=enable,Ipv6Support=disable \
    --remove-subnet-ids subnet-222111000aaabbbcc \
    --add-subnet-ids subnet-111222333aaabbbcc

13. View Existing Transit Gateway Attachments

The following example will display all available transit gateway attachments in your account:

aws ec2 describe-transit-gateway-attachments

You can also view the details of a specific attachment by specifying the transit-gateway-attachment-id as shown below.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 describe-transit-gateway-attachments --transit-gateway-attachment-ids ${VPC1_TGW_ATTACHMENT_ID}

The following is the output of the above command:

{
  "TransitGatewayAttachments": [
      {
          "ResourceOwnerId": "111111111111",
          "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
          "ResourceType": "vpc",
          "ResourceId": "vpc-000111aaabbbcccdd",
          "Tags": [
              {
                  "Value": "appOnPremAccess",
                  "Key": "Name"
              }
          ],
          "CreationTime": "2020-06-13T01:10:17.000Z",
          "State": "available",
          "TransitGatewayId": "tgw-000aaabbbccdddeee",
          "TransitGatewayOwnerId": "111111111111",
          "Association": {
              "State": "associated",
              "TransitGatewayRouteTableId": "tgw-rtb-000aaabbbcccdddee"
          }
      }
  ]
}

14. Delete a Transit Gateway VPC Attachment

The following example shows how to delete an existing transit gateway VPC attachment.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 delete-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID}

The output of the above command shows that the attachment is now in the deleting state.

{
  "TransitGatewayVpcAttachment": {
      "VpcId": "vpc-000111aaabbbcccdd",
      "VpcOwnerId": "111111111111",
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      "CreationTime": "2020-06-13T00:58:31.000Z",
      "State": "deleting",
      "TransitGatewayId": "tgw-000aaabbbccdddeee"
  }
}

15. Create a Transit Gateway Attachment to a VPN

Similar to creating a transit gateway attachment for a VPC, you can also create an attachment for a VPN.

For this, you'll create a VPN connection by specifying the transit-gateway-id and the customer-gateway-id, as shown below.

CGW_ID=cgw-000111333aaabbbcc
TGW_ID=tgw-000aaabbbccdddeee

aws ec2 create-vpn-connection \
  --customer-gateway-id ${CGW_ID} \
  --type ipsec.1 \
  --transit-gateway-id ${TGW_ID}

Note: Don't forget to specify the VPN type as ipsec.1

The following is the partial output of the above command.

{
"VpnConnection": {
    "CustomerGatewayConfiguration": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<vpn_connection id=\"vpn-
    ..
    ..
    </vpn_connection>",
    "CustomerGatewayId": "cgw-000111333aaabbbcc",
    "Category": "VPN",
    "State": "pending",
    "VpnConnectionId": "vpn-000111222333aaabb",
    "TransitGatewayId": "tgw-000aaabbbccdddeee",
    "Options": {
        "EnableAcceleration": false,
        "StaticRoutesOnly": false,
        "TunnelOptions": [
          ..
          ..

}

When creating the VPN connection, you can also specify various TunnelOptions in JSON format.

For example, to use only static routing over the VPN connection, set the option as shown below in the above command.

--options "{\"StaticRoutesOnly\":true}"

Once the VPN transit gateway attachment is created, you'll see the ResourceType as "vpn" in the describe command output.

The following example shows that there are two attachments. One is vpc and the other one is vpn.

$ aws ec2 describe-transit-gateway-attachments

{
"TransitGatewayAttachments": [
  {
    "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
    "ResourceType": "vpc",
    ..
    ..
  },
  {
    "TransitGatewayAttachmentId": "tgw-attach-03210321aaabbbccc",
    "ResourceType": "vpn",
    ..
    ..
  },
...

16. Create a Resource Access Share for the Transit Gateway in the First Account

To share a transit gateway across accounts, use AWS Resource Access Manager.

The following example shows how to create a resource share and associate the transit gateway with it.

In this example, the transit gateway was created in account 111111111111. From this account, we are creating a resource share and sharing it with account 222222222222.

aws ram create-resource-share \
  --name tgwDevShares \
  --resource-arns arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-000aaabbbccdddeee \
  --principals 222222222222 \
  --tags "key=Name,value=devShare"

The following is the output of the above command.

{
  "resourceShare": {
      "status": "ACTIVE",
      "owningAccountId": "111111111111",
      "allowExternalPrincipals": true,
      "name": "tgwDevShares",
      "tags": [
          {
              "value": "devShare",
              "key": "Name"
          }
      ],
      "creationTime": 1641722024.078,
      "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/11111111-2222-aaaa-bbbb-cccccccccccc",
      "lastUpdatedTime": 1522722024.064
  }
}

17. Accept the Transit Gateway Resource Share from the Second Account

Make sure your AWS CLI is now connected to the second account, 222222222222.

Execute the following command to view all resource share invitations in the second account.

aws ram get-resource-share-invitations

The output shows that this invitation is still pending.

{
  "resourceShareInvitations": [
    {
      "resourceShareInvitationArn": "arn:aws:ram:us-east-1:111111111111:resource-share-invitation/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
      "resourceShareName": "tgwDevShares",
      "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/11111111-2222-aaaa-bbbb-cccccccccccc",
      "senderAccountId": "111111111111",
      "receiverAccountId": "222222222222",
      "invitationTimestamp": "2020-06-13T10:00:24.249000-07:00",
      "status": "PENDING"
    }
  ]
}

Take the resourceShareInvitationArn from the above output.

Note: The resource share invitation ARN is different from the resource share ARN.

Accept the invitation using the resourceShareInvitationArn as shown below:

aws ram accept-resource-share-invitation \
--resource-share-invitation-arn arn:aws:ram:us-east-1:111111111111:resource-share-invitation/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

Once the invitation is accepted, the status of this resource share invitation changes to ACCEPTED, as shown below.

{
  "resourceShareInvitation": {
    "resourceShareInvitationArn": "arn:aws:ram:us-east-1:111111111111:resource-share-invitation/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "resourceShareName": "tgwDevShares",
    "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/11111111-2222-aaaa-bbbb-cccccccccccc",
    "senderAccountId": "111111111111",
    "receiverAccountId": "222222222222",
    "invitationTimestamp": "2020-06-13T10:57:03.509000-07:00",
    "status": "ACCEPTED"
  }
}

18. Accept the Transit Gateway Attachment Created in the Second Account from the First Account

Now that the transit gateway is shared from the first account to the second account, you can create a transit gateway attachment in the second account.

After that, if AutoAcceptSharedAttachments is disabled on the transit gateway, you should manually accept the attachment from the first account.

First, execute the following command to see whether there are any attachments waiting to be accepted.

aws ec2 describe-transit-gateway-vpc-attachments

As shown below, if the attachment has not yet been accepted, its state shows as pendingAcceptance.

{
  "TransitGatewayVpcAttachments": [
    {
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      ..
      ..
      "State": "pendingAcceptance",
    }
  ]
}

Take the TransitGatewayAttachmentId from the above output and accept the attachment as shown below:

aws ec2 accept-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id tgw-attach-000aaabbbcccdddee

The state will change from pendingAcceptance to pending to available.
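The manual acceptance step above is where the owner of the transit gateway decides which VPCs get to join the hub. The following added example (not part of the original tutorial) triages the describe-transit-gateway-vpc-attachments output against a list of account IDs you expect to attach, and produces accept commands only for those, with reject commands for the rest. The embedded JSON is a constructed sample with placeholder IDs.

```python
import json

# Constructed sample in the shape `aws ec2 describe-transit-gateway-vpc-attachments`
# prints; the IDs are placeholders. Two attachments are waiting for acceptance,
# one from the account the gateway was shared with and one from another account.
SAMPLE_ATTACHMENTS = json.loads("""
{
  "TransitGatewayVpcAttachments": [
    {"TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
     "TransitGatewayId": "tgw-000aaabbbccdddeee",
     "VpcId": "vpc-d4ef7eaf", "VpcOwnerId": "222222222222",
     "State": "pendingAcceptance", "SubnetIds": ["subnet-222111000aaabbbcc"]},
    {"TransitGatewayAttachmentId": "tgw-attach-999888777aaabbbcc",
     "TransitGatewayId": "tgw-000aaabbbccdddeee",
     "VpcId": "vpc-0abc0abc0abc0abc0", "VpcOwnerId": "333333333333",
     "State": "pendingAcceptance", "SubnetIds": ["subnet-0abc0abc0abc0abc0"]},
    {"TransitGatewayAttachmentId": "tgw-attach-111111111aaabbbcc",
     "TransitGatewayId": "tgw-000aaabbbccdddeee",
     "VpcId": "vpc-000111aaabbbcccdd", "VpcOwnerId": "111111111111",
     "State": "available", "SubnetIds": ["subnet-000222aaabbbcccdd"]}
  ]
}
""")


def triage_pending_attachments(describe_output, approved_accounts):
    """Split pendingAcceptance attachments by whether the VPC owner is approved.

    Returns (approved, unexpected). Attachments in any other state are ignored.
    """
    approved, unexpected = [], []
    for attachment in describe_output.get("TransitGatewayVpcAttachments", []):
        if attachment.get("State") != "pendingAcceptance":
            continue
        if attachment.get("VpcOwnerId") in approved_accounts:
            approved.append(attachment)
        else:
            unexpected.append(attachment)
    return approved, unexpected


def review_commands(describe_output, approved_accounts):
    """Accept attachments from approved accounts and reject the rest.

    Rejecting, rather than leaving a request pending, records an explicit
    decision and keeps the pending list from hiding new requests.
    """
    approved, unexpected = triage_pending_attachments(describe_output, approved_accounts)
    commands = [
        "aws ec2 accept-transit-gateway-vpc-attachment --transit-gateway-attachment-id "
        + a["TransitGatewayAttachmentId"] for a in approved
    ]
    commands += [
        "aws ec2 reject-transit-gateway-vpc-attachment --transit-gateway-attachment-id "
        + a["TransitGatewayAttachmentId"] for a in unexpected
    ]
    return commands
```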

19. Create a Transit Gateway Attachment for TGW Peering from the First Account

When you have two transit gateways, you can peer them and route traffic between them. You can peer transit gateways from different regions, and even from another account.

For this, you should first create a transit gateway peering attachment from the first account, where the first TGW lives.

In the first account, execute the following command to create the peering attachment:

TGW_ID=tgw-000aaabbbccdddeee
PEER_TGW_ID=tgw-222333444aaabbbcc
PEER_ACCOUNT_ID=222222222222
PEER_REGION=us-east-2

aws ec2 create-transit-gateway-peering-attachment \
  --transit-gateway-id ${TGW_ID} \
  --peer-transit-gateway-id ${PEER_TGW_ID} \
  --peer-account-id ${PEER_ACCOUNT_ID} \
  --peer-region ${PEER_REGION}

In the above:
TGW_ID – the first transit gateway, in your account (the first account)
PEER_TGW_ID – the second transit gateway, in the other account (the second account) referenced by PEER_ACCOUNT_ID
PEER_REGION – the region in which PEER_TGW_ID exists

The following is the output of the above command.

{
  "TransitGatewayPeeringAttachment": {
    "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
    "RequesterTgwInfo": {
        "TransitGatewayId": "tgw-000aaabbbccdddeee",
        "OwnerId": "111111111111",
        "Region": "us-east-1"
    },
    "AccepterTgwInfo": {
        "TransitGatewayId": "tgw-222333444aaabbbcc",
        "OwnerId": "111111111111",
        "Region": "us-east-2"
    },
    "State": "initiatingRequest",
    "CreationTime": "2020-06-13T22:15:54+00:00"
  }
}

Initially the state is initiatingRequest, and then it changes to pendingAcceptance.

20. Accept the Transit Gateway Peering Attachment Request from the Second Account

Now log in to the second account, the one referenced by PEER_ACCOUNT_ID in the above command, and accept the peering attachment request.

PEER_TGW_ATTACHMENT_ID=tgw-attach-111222333aaabbbcc
PEER_REGION=us-east-2

aws ec2 accept-transit-gateway-peering-attachment \
  --transit-gateway-attachment-id ${PEER_TGW_ATTACHMENT_ID} \
  --region ${PEER_REGION}

The following is the output of the above command:

{
  "TransitGatewayPeeringAttachment": {
    "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
    "RequesterTgwInfo": {
        "TransitGatewayId": "tgw-000aaabbbccdddeee",
        "OwnerId": "111111111111",
        "Region": "us-east-1"
    },
    "AccepterTgwInfo": {
        "TransitGatewayId": "tgw-222333444aaabbbcc",
        "OwnerId": "222222222222",
        "Region": "us-east-2"
    },
    "State": "pending",
    "CreationTime": "2020-06-13T22:16:17+00:00"
  }
}

After the peering attachment is created, modify the transit gateway route table and add a static route that points to the peering attachment.

21. List All Transit Gateway Peering Attachments

Execute the following command to view the details of the existing transit gateway peering attachments.

aws ec2 describe-transit-gateway-peering-attachments
{
  "TransitGatewayPeeringAttachments": [
    {
      "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
      "RequesterTgwInfo": {
          "TransitGatewayId": "tgw-000aaabbbccdddeee",
          "OwnerId": "111111111111",
          "Region": "us-east-1"
      },
      "AccepterTgwInfo": {
          "TransitGatewayId": "tgw-222333444aaabbbcc",
          "OwnerId": "111111111111",
          "Region": "us-east-2"
      },
      "Status": {
          "Code": "available",
          "Message": "Available"
      },
      "State": "available",
      "CreationTime": "2020-06-13T22:15:54+00:00",
      "Tags": []
    }
  ]
}

22. Delete a Transit Gateway Peering Attachment

Use delete-transit-gateway-peering-attachment as shown below to delete the peering attachment.

PEER_TGW_ATTACHMENT_ID=tgw-attach-111222333aaabbbcc

aws ec2 delete-transit-gateway-peering-attachment \
  --transit-gateway-attachment-id ${PEER_TGW_ATTACHMENT_ID}

The following is the output of the above command:

{
  "TransitGatewayPeeringAttachment": {
    "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
    "RequesterTgwInfo": {
        "TransitGatewayId": "tgw-000aaabbbccdddeee",
        "OwnerId": "111111111111",
        "Region": "us-east-1"
    },
    "AccepterTgwInfo": {
        "TransitGatewayId": "tgw-222333444aaabbbcc",
        "OwnerId": "111111111111",
        "Region": "us-east-2"
    },
    "State": "deleting",
    "CreationTime": "2020-06-13T22:15:54+00:00"
  }
}

Note that you cannot delete a peering attachment with the vpc-attachment command. You'll get an error as shown below.

$ aws ec2 delete-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id ${PEER_TGW_ATTACHMENT_ID}

An error occurred (InvalidTransitGatewayAttachmentID.NotFound) when calling the DeleteTransitGatewayVpcAttachment operation: Transit Gateway Attachment tgw-attach-111222333aaabbbcc was deleted or does not exist.

23. Add a Route to a VPC Route Table with an Entry Pointing to the Transit Gateway

Once the transit gateway is created, you can add a route to a subnet's route table that points to the transit gateway, as shown below.

VPC1_PUBLIC_SUBNET_ROUTETABLE=rtb-111222333444555

aws ec2 create-route \
  --route-table-id ${VPC1_PUBLIC_SUBNET_ROUTETABLE} \
  --destination-cidr-block 10.0.0.0/8 \
  --transit-gateway-id ${TGW_ID}

If the route was added correctly, you'll get the following message:

{
    "Return": true
}

Note: If you leave out the route target (for example the --transit-gateway-id), you'll get the following error:

An error occurred (MissingParameter) when calling the CreateRoute operation: The request must contain exactly one of: gatewayId, natGatewayId, networkInterfaceId, vpcPeeringConnectionId, egressOnlyInternetGatewayId, transitGatewayId, localGatewayId or instanceId

24. Add a Route to the Transit Gateway Route Table

If you want to add a route directly to the transit gateway route table, use create-transit-gateway-route as shown below.

In this example, the given static route is added to the TGW_ROUTE_TABLE_ID route table. With this route, all traffic destined for CIDR will use TGW_ATTACHMENT_ID.

CIDR=10.10.10.0/32
TGW_ROUTE_TABLE_ID=tgw-rtb-555444333222aaabb
TGW_ATTACHMENT_ID=tgw-attach-03210321aaabbbccc

aws ec2 create-transit-gateway-route \
  --destination-cidr-block ${CIDR} \
  --transit-gateway-route-table-id ${TGW_ROUTE_TABLE_ID} \
  --transit-gateway-attachment-id ${TGW_ATTACHMENT_ID}

The following is the output of the above command. It shows that the static route was added successfully and is active.

{
  "Route": {
    "DestinationCidrBlock": "10.10.10.0/32",
    "TransitGatewayAttachments": [
        {
            "ResourceId": "vpn-000aaacccddd66655",
            "TransitGatewayAttachmentId": "tgw-attach-03210321aaabbbccc",
            "ResourceType": "vpn"
        }
    ],
    "Type": "static",
    "State": "active"
  }
}
