Exposing Apps privately over the internet in a multi-site deployment via NetScaler and AWS Transit Gateway


Subhojit Goswami
Validation Status: Validated

Use case: Many organizations have different departments with separate administrative domains, each managing its own AWS VPCs within the same region. These departmental VPCs communicate with each other and, in addition, consume sensitive data hosted on private backend application servers in another region, front-ended by NetScaler for seamless application delivery. In this scenario the hub-and-spoke model provided by AWS Transit Gateway is the natural way to implement the network topology, as it overcomes the limitations of VPC peering.

     

Network topology:

[network topology diagram]

Configuration:

First, set up the US West (Northern California) Region:

1. Create a VPC.
2. Create an Internet Gateway and attach it to the VPC.
3. Create a public subnet.
4. Create a custom route table, edit its subnet associations to associate it with the public subnet, and then edit the routes to add the routing path to the Internet Gateway.
5. Create and spin up an EC2 instance (Linux VM) in the public subnet; while creating it, also create a security group with the appropriate inbound rules and attach it to the instance.
6. Repeat the steps above to create as many consumer VPCs in the same region as your requirements call for. In this scenario we have three: Consumer VPC 1, Consumer VPC 2 and Consumer VPC 3.
7. Create a Transit Gateway (give it a name, a description, and a unique Amazon-side Autonomous System Number in the range 64512 to 65534 or 4200000000 to 4294967294).
8. Create a Transit Gateway Attachment (give it a name and the ID of the Transit Gateway just created, and keep the attachment type as VPC).
9. Go to Transit Gateway Route Tables > Routes and verify that the correct route has been propagated.
10. In the custom route table, add a route whose target is the Transit Gateway.

     

     

     

Now set up the US East (Northern Virginia) Region:

1. Create a VPC.
2. Create an Internet Gateway and attach it to the VPC.
3. Deploy a three-NIC NetScaler with no public IPs, i.e. even the VIP and the NSIP are private, which makes the NetScaler completely private.
4. Create two public subnets.
5. In one public subnet, spin up a bastion server that will be used to SSH into the NetScaler (via its management IP) and into the backend application server.
6. In the other public subnet, create a NAT Gateway that the private backend application server will use to reach the internet (outbound only).
7. Create and spin up EC2 instances in the NetScaler's private server subnet; these are the backend application servers.
8. Create a Transit Gateway (give it a name, a description, and a unique Amazon-side Autonomous System Number in the range 64512 to 65534 or 4200000000 to 4294967294).
9. Create a Transit Gateway Attachment (give it a name and the ID of the Transit Gateway just created, and keep the attachment type as VPC).
10. Go to Transit Gateway Route Tables > Routes and verify that the correct route has been propagated.
11. In the custom route table associated with the private client and management subnets, add a route whose target is the Transit Gateway.

     

Once both regions are set up, create an inter-region peering between the two Transit Gateways:

1. Go to the US West (Northern California) Region and click Transit Gateway Attachment.
2. Give the Transit Gateway ID of this region, set the attachment type to Peering Connection, choose the other region where the second Transit Gateway resides, and finally give that region's Transit Gateway ID.
3. Go to Transit Gateway Attachments in the other region, to which the peering request was sent, and accept the request.
4. In the Transit Gateway Route Tables of both regions, create a static route whose destination is the CIDR of the other region's VPC and whose target is the ID of the Peering Connection Transit Gateway Attachment in the same region.
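The per-region setup and the peering steps above together define three kinds of route table (VPC custom route tables, each region's Transit Gateway route table, and the static peering routes), and it is easy to lose track of which CIDR goes where. The following Python script is an added example, not code from the article or from Citrix: it builds the complete set of expected routes for this topology offline and checks the two preconditions that most often break a Transit Gateway design, overlapping VPC CIDRs and an invalid or duplicated Amazon-side ASN. All CIDRs, region names and the `tgw-`, `tgw-attach-`, `igw-` and `nat-` IDs are constructed placeholders; nothing here calls AWS.

```python
import ipaddress
from dataclasses import dataclass, field

# Amazon-side private ASN ranges quoted in the article for creating a Transit Gateway.
ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def valid_tgw_asn(asn: int) -> bool:
    """True when `asn` lies in one of the accepted Amazon-side ASN ranges."""
    return any(lo <= asn <= hi for lo, hi in ASN_RANGES)


@dataclass
class Vpc:
    name: str
    cidr: str
    tgw_attachment: str  # constructed placeholder for the VPC attachment ID


@dataclass
class Region:
    name: str
    tgw_id: str              # constructed placeholder Transit Gateway ID
    asn: int
    peering_attachment: str  # the peering-connection attachment as seen in this region
    vpcs: list = field(default_factory=list)


def check_no_overlap(vpcs) -> bool:
    """A Transit Gateway cannot route between overlapping CIDRs, so fail early."""
    nets = [(v.name, ipaddress.ip_network(v.cidr)) for v in vpcs]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"CIDR overlap: {name_a} {net_a} and {name_b} {net_b}")
    return True


def tgw_static_routes(local: Region, remote: Region):
    """Static routes for the local TGW route table (step 4 of the peering section):
    each remote VPC CIDR -> this region's peering attachment. Routes to local VPCs
    arrive by propagation from their VPC attachments, so they are not listed."""
    return [(v.cidr, local.peering_attachment) for v in remote.vpcs]


def vpc_route_table(vpc: Vpc, default_target: str, local: Region, remote: Region):
    """Routes for a VPC's custom route table: the default route to `default_target`
    (an IGW for a public subnet, a NAT Gateway for an outbound-only private one)
    plus every other VPC, in either region, via the local Transit Gateway. The VPC
    never needs to know about the peering; the TGW hop hides it."""
    routes = [("0.0.0.0/0", default_target)]
    for other in local.vpcs + remote.vpcs:
        if other.name != vpc.name:
            routes.append((other.cidr, local.tgw_id))
    return routes


def build_plan():
    """Assemble the two regions from the article and return every route table."""
    west = Region("us-west-1", "tgw-west-PLACEHOLDER", 64512, "tgw-attach-peer-west-PLACEHOLDER")
    east = Region("us-east-1", "tgw-east-PLACEHOLDER", 64513, "tgw-attach-peer-east-PLACEHOLDER")
    west.vpcs = [
        Vpc("consumer-1", "10.1.0.0/16", "tgw-attach-c1-PLACEHOLDER"),
        Vpc("consumer-2", "10.2.0.0/16", "tgw-attach-c2-PLACEHOLDER"),
        Vpc("consumer-3", "10.3.0.0/16", "tgw-attach-c3-PLACEHOLDER"),
    ]
    east.vpcs = [Vpc("netscaler", "10.10.0.0/16", "tgw-attach-ns-PLACEHOLDER")]

    for region in (west, east):
        if not valid_tgw_asn(region.asn):
            raise ValueError(f"{region.name}: ASN {region.asn} is outside the allowed ranges")
    if west.asn == east.asn:  # the article asks for a unique ASN per Transit Gateway
        raise ValueError("the two Transit Gateways must not share an ASN")
    check_no_overlap(west.vpcs + east.vpcs)

    plan = {
        "west_tgw_static": tgw_static_routes(west, east),
        "east_tgw_static": tgw_static_routes(east, west),
    }
    for vpc in west.vpcs:  # consumer instances sit in public subnets behind an IGW
        plan[f"{vpc.name}_rt"] = vpc_route_table(vpc, "igw-west-PLACEHOLDER", west, east)
    # NetScaler VPC private subnets: outbound-only via the NAT Gateway, as in the article
    plan["netscaler_rt"] = vpc_route_table(east.vpcs[0], "nat-east-PLACEHOLDER", east, west)
    return plan


if __name__ == "__main__":
    for table, routes in build_plan().items():
        print(table)
        for dest, target in routes:
            print(f"  {dest:>14} -> {target}")
```

Run it once with your real CIDRs before clicking through the console: if `check_no_overlap` raises, no amount of route-table editing will make the Transit Gateway forward between those two VPCs, and the printed tables are exactly the rows to compare against what "Transit Gateway Route Tables > Routes" shows after propagation.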

     

     

Verification:

1. In the US East (Northern Virginia) Region, SSH into the backend application server, install Apache HTTP Server and start the service.
2. SSH into the NetScaler and set up the load balancing configuration.
3. In the US West (Northern California) Region, SSH into any EC2 instance in any of the Consumer VPCs and curl the VIP of the NetScaler in the US East (Northern Virginia) Region.
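Step 2 of the verification leaves the NetScaler load-balancing configuration itself unspecified. The following Python helper is an added example, not from the article or from Citrix: it emits the standard NetScaler CLI commands for an HTTP load-balancing vserver in front of the Apache backends, and refuses to produce a configuration that would undo the private design of the three-NIC deployment, namely a VIP that is not a private address inside the client subnet, or a backend that is not in the private server subnet. The vserver name, addresses and subnet CIDRs are constructed placeholders.

```python
import ipaddress


def build_lb_config(vserver, vip, client_subnet, server_subnet, backends, port=80):
    """Return NetScaler CLI lines for an HTTP LB vserver balancing `backends`.

    backends: list of (server_name, ip) tuples living in the private server subnet.
    Raises ValueError when the VIP or a backend would fall outside the subnet that
    the three-NIC layout assigns to it, which is the check that keeps every
    address in this design reachable only over the Transit Gateway path.
    """
    client_net = ipaddress.ip_network(client_subnet)
    server_net = ipaddress.ip_network(server_subnet)
    vip_addr = ipaddress.ip_address(vip)
    if vip_addr not in client_net:
        raise ValueError(f"VIP {vip} is outside the client subnet {client_subnet}")
    if not vip_addr.is_private:
        raise ValueError(f"VIP {vip} is not a private address; this design has no public VIP")

    lines = []
    for name, ip in backends:
        if ipaddress.ip_address(ip) not in server_net:
            raise ValueError(f"backend {name} ({ip}) is outside the server subnet {server_subnet}")
        lines.append(f"add server {name} {ip}")
        lines.append(f"add service svc_{name} {name} HTTP {port}")
        # an HTTP monitor so a backend whose Apache is down is taken out of rotation
        lines.append(f"bind service svc_{name} -monitorName http")
    lines.append(f"add lb vserver {vserver} HTTP {vip} {port} -persistenceType NONE")
    for name, _ in backends:
        lines.append(f"bind lb vserver {vserver} svc_{name}")
    lines.append("save ns config")
    return lines


if __name__ == "__main__":
    # Constructed placeholder addressing for the three-NIC layout: client subnet
    # 10.10.2.0/24 holds the VIP, private server subnet 10.10.3.0/24 holds Apache.
    for line in build_lb_config(
        "lb_app", "10.10.2.10", "10.10.2.0/24", "10.10.3.0/24",
        [("app1", "10.10.3.10"), ("app2", "10.10.3.11")],
    ):
        print(line)
```

Paste the printed lines into the NetScaler shell over the bastion SSH session; the `curl` from a consumer instance in step 3 should then return Apache's default page from one of the listed backends.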

