
AWS Transit Gateway Network Manager

Configuration > Cloud Services > AWS Network Manager

Orchestrator supports association with Amazon Web Services and their Transit Gateway Network Manager. Orchestrator builds AWS Site-to-Site VPN tunnels, enabling you to securely connect your on-premises network to one or more Transit Gateways (TGWs).

Before you begin configuring AWS Transit Gateway Network Manager in Orchestrator, create an AWS account so that Orchestrator can be authenticated and authorized against it. Then complete the prerequisite tasks in the following section.

Prerequisites for AWS Transit Gateway Network Manager

Make sure you complete the following tasks in AWS console before configuring Orchestrator:

  • Navigate to Identity and Access Management (IAM) under Services to create a user profile with permissions for Orchestrator.

  • Navigate to the Virtual Private Cloud (VPC) Dashboard and configure your Transit Gateways for the regions you want.

  • Navigate to Network Manager from the VPC Dashboard under Transit Gateways to create a Global Network.

  • Associate your Transit Gateways to the Global Network.

Create a User Profile in AWS

To create a user profile in AWS, complete the following steps:

  1. Sign in to AWS and navigate to the Identity and Access Management (IAM) service from the main AWS Management Console (Services > Security, Identity, & Compliance > IAM).


  2. Click User in the left menu under Access Management.

  3. Click Add User.

  4. Enter a username in the User name field.

  5. Choose the Access Type: Programmatic Access and AWS Management Console Access.

  6. Click Next: Permissions.

  7. Set the Permissions for your user on this page. You can do this in one of three ways:

    • Adding a user to your group – The user will inherit the permissions assigned to the group.

    • Copying permissions from an existing user – Copy permissions from an existing user in AWS and assign them to the user you want.

    • Attaching existing policies directly – Attach a file containing the permissions and assign it to the user.

  8. Assign optional tags for your user. If you choose to add a tag, complete these steps:

    1. Enter a key – This represents the name of your tag.

    2. Enter a value – Enter text that you want the key/tag to represent.

      NOTE: Tags enable you to provide additional information about your user or group for tracking and organizational purposes. Up to 50 tags are allowed.

  9. Select Next: Review. This page displays the review of the profile you just created for your user. The User Details, Permissions Summary, and additional information such as tag, are shown.

  10. Select Create User. The page should now show a success message, along with the Access Key ID and the Secret Access Key associated with your configured user. Copy the Access Key ID and the Secret Access Key to a secure place for later use. You will need them when adding the AWS account in Orchestrator.
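
The policy attached in step 7 determines what the access key stored in Orchestrator can do in your AWS account. The following check is an added example, not part of the Orchestrator documentation: it reviews a policy document before you attach it. The allowed service prefixes (`ec2`, `networkmanager`) and the sample policy are assumptions made for illustration, not a published list of the permissions Orchestrator requires.

```python
# Assumption: the Orchestrator user only needs EC2/VPC and Network Manager APIs.
ALLOWED_SERVICES = {"ec2", "networkmanager"}

# Constructed sample policy: one scoped statement and two overly broad ones.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpnBuild", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateCustomerGateway", "ec2:CreateVpnConnection",
                    "ec2:DescribeTransitGateways"]},
        {"Sid": "NetMgr", "Effect": "Allow", "Resource": "*",
         "Action": "networkmanager:*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
         "Action": ["*", "iam:CreateAccessKey"]},
    ],
}

def _as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (sid, problem) pairs for Allow statements that grant too much."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()
            if action == "*":
                findings.append((sid, "Action '*' grants every AWS API"))
            elif service not in ALLOWED_SERVICES:
                findings.append((sid, f"{action}: service outside the allowed set"))
            elif action.endswith(":*"):
                findings.append((sid, f"{action}: whole-service wildcard"))
    return findings

if __name__ == "__main__":
    for sid, problem in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {problem}")
```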

Create Transit Gateways

Next, you must create Transit Gateways (or select existing Transit Gateways you have already created) to associate with your AWS Network Manager, which you create in the steps below. Transit Gateways will terminate the Site-to-Site IPSec tunnels established from the EdgeConnect appliances in your network.

To create a new Transit Gateway, complete the following steps:

  1. Navigate to the Virtual Private Cloud (VPC) Dashboard (Services > Networking & Content Delivery).

  2. Click Transit Gateways, under Transit Gateways in the left menu.

  3. Click Create Transit Gateways.


  4. Complete the following fields to create the Transit Gateway.

    | Field | Description |
    |---|---|
    | Name Tag | Enter a name that represents your Transit Gateway. |
    | Description | Enter a description to help identify your Transit Gateway. This is the description for the Name Tag. |
    | Amazon side ASN | Autonomous System Number that represents your Transit Gateways in AWS. You can use an existing ASN assigned to your global network or a private ASN. See the range limitations in AWS. |
    | DNS Support | Select this check box if you want to enable Domain Name System support for your VPC within your Transit Gateways. |
    | VPN ECMP support | Select this check box if you want to enable Equal Cost Multi-Path routing support in your Transit Gateways. This allows traffic with the same source and destination to be sent across multiple paths. |
    | Default Route Table Association | Select this check box if you want to automatically associate other Transit Gateways to the route table that this one is using. |
    | Default Route Propagation | Select this check box if you want to automatically create other Transit Gateways with this same route table. |
    | Auto-accept shared attachments | Select this check box if you want your transit gateways to automatically accept attachments associated with different accounts. |

  5. Click Create Transit Gateway. A success message should display along with your Transit Gateway ID.

Create a Network Manager

After you create your Transit Gateway, you must create a Global Network in AWS. A Global Network hosts your specified Transit Gateways. It is managed by the AWS Network Manager.

  1. Navigate to the VPC Dashboard.

  2. Click Network Manager under Transit Gateways.

  3. Click Create Global Network.

  4. Enter a Name and Description for your Global Network.

  5. Click Create.

Orchestrator Configuration

After completing the AWS prerequisites, navigate to the AWS Network Manager tab in Orchestrator. There are six buttons above the table on this tab that you use to complete the AWS and Orchestrator integration: Subscription, Interface Labels, Network Manager Association, Tunnel Settings, VTI Subnet Pool, and Zone.


  1. To begin, click the Subscription button.

  2. Enter the Access Key ID and the Secret Access Key that reflect your user account in AWS. This is the Access Key ID and the Secret Access Key you copied earlier in the Create a User Profile in AWS section.

  3. Click Save after you finish entering the information in the table below. The AWS Reachability field should reflect Connected.

    | Field | Description |
    |---|---|
    | AWS Reachability | Connection status of the AWS Network Manager to Orchestrator: Connected or Not Connected. |
    | Access Key ID | Access Key given to you in AWS to log in to the AWS console. |
    | Secret Access Key | Secret Access Key given to you in AWS to log in to the AWS console. |
    | Polling Interval | Indicates how often Orchestrator should check for configuration changes in the AWS transit gateways or Network Manager. The default polling interval is ten minutes. |

  4. Click Save.

You now should have an established connection with Orchestrator to your AWS account.

Interface Labels

The Build Tunnels Using These Interfaces dialog box enables you to select the interfaces to build your tunnels to AWS.

  1. Click the Interface Labels button. The Build Tunnels Using These Interfaces dialog box opens.

  2. Drag the interface labels you want to apply from the column on the right into the Primary columns.

  3. Click Save.

Network Manager Association

In this dialog box, you can choose which Transit Gateways you want to associate with your EdgeConnect appliances.

NOTE: You must first select the EdgeConnect appliances on the Orchestrator appliance tree, and then open the Network Manager Association tab to associate the appliances to your Transit Gateways.

  1. Select or clear the check box next to the appliance you want to connect to or disconnect from the Network Manager.

  2. See the following table for field descriptions.

    | Field | Description |
    |---|---|
    | Hostname | Host name of the appliance you want to connect to or disconnect from the Network Manager. |
    | Transit Gateways Present | Lists the Transit Gateways that are already associated with the EdgeConnect appliances. |
    | Transit Gateways Changes | Displays the EdgeConnect appliances that will be added to or removed from the Transit Gateways. |

  3. Click Save.

    Orchestrator starts to establish the Site-to-Site IPSec tunnels from the EdgeConnect appliances to the selected Transit Gateways.

Tunnel Settings

The Tunnel Settings dialog box shows IKE and IPSec parameters used by Orchestrator when building Site-to-Site IPSec tunnels from the EdgeConnect appliances to the Transit Gateways. No changes are necessary for these parameters.

VTI Subnet Pool

In this dialog box, set the Subnet IP address and the mask for the AWS subnet pool. Enter the subnet IP address and the mask ID in the designated fields.

  • Any update to the subnet pool configuration results in service disruption.

  • You can have duplicated ASNs if you have a site with the same name.

NOTE: This is an AWS-specific subnet pool. Therefore, every subnet IP address must start with 169.254 to be included in this pool.
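
An added example, not Orchestrator's own code, that checks a proposed pool against the 169.254 rule in the note above. It goes one step further than the note: it assumes each tunnel consumes a /30 from the pool and excludes the /30 blocks that AWS reserves on Site-to-Site VPN tunnels. The function name is hypothetical.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Inside-tunnel /30 blocks that AWS reserves and rejects for Site-to-Site VPN.
AWS_RESERVED = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]

def check_vti_pool(cidr):
    """Return (usable_slash30_blocks, problems) for a proposed pool.

    Assumption: one /30 is taken from the pool per tunnel.
    """
    try:
        # strict=True rejects entries such as 169.254.10.1/24 (host bits set)
        pool = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [], [f"invalid CIDR: {exc}"]
    if pool.version != 4 or not pool.subnet_of(LINK_LOCAL):
        return [], [f"{pool} is outside 169.254.0.0/16"]
    if pool.prefixlen > 30:
        return [], [f"{pool} is smaller than one /30 tunnel subnet"]
    usable, problems = [], []
    for block in pool.subnets(new_prefix=30):
        if any(block.overlaps(reserved) for reserved in AWS_RESERVED):
            problems.append(f"{block} is reserved by AWS")
        else:
            usable.append(block)
    return usable, problems

if __name__ == "__main__":
    for candidate in ("169.254.10.0/28", "169.254.0.0/29", "10.0.0.0/24"):
        usable, problems = check_vti_pool(candidate)
        print(candidate, "usable /30s:", len(usable), "problems:", problems)
```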


You can apply configured segments to the VTI interfaces associated with AWS. Click the Zone icon and select the zone you want to apply from the drop-down list.


You can verify the stability and connectivity of your tunnels to the AWS Network Manager using the Connection Status column on the AWS Network Manager tab. This column shows the BGP Peer status. You can find additional details on the Tunnels, VTI, and BGP tabs.

Also, you can verify the AWS resources that Orchestrator created on the VPC Dashboard. To view the resources on the VPC dashboard, navigate back to the Virtual Private Network section in AWS and select Customer Gateways and Site-to-Site VPN Connections. On these tabs, you can confirm that the IPSec tunnels you created in Orchestrator are functioning correctly.

The tunnels should be in the ‘available’ state.


The IPSec tunnel statuses should be ‘UP’.
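
The same two checks can be run over the JSON that `aws ec2 describe-vpn-connections` returns, which is useful when there are many appliances to verify. This is an added example, not part of the Orchestrator documentation; the sample document, its IDs and its addresses are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` output.
SAMPLE = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-EXAMPLE1", "State": "available",
   "TransitGatewayId": "tgw-EXAMPLE",
   "VgwTelemetry": [
     {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
      "StatusMessage": "2 BGP ROUTES"},
     {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
      "StatusMessage": "IPSEC IS DOWN"}]},
  {"VpnConnectionId": "vpn-EXAMPLE2", "State": "pending",
   "TransitGatewayId": "tgw-EXAMPLE", "VgwTelemetry": []}
]}
""")

def vpn_findings(doc):
    """Return (vpn_id, problem) pairs for anything not 'available' / 'UP'."""
    findings = []
    for vpn in doc.get("VpnConnections", []):
        vpn_id = vpn.get("VpnConnectionId", "unknown")
        state = vpn.get("State")
        if state != "available":
            findings.append((vpn_id, f"connection state is {state!r}"))
        tunnels = vpn.get("VgwTelemetry", [])
        if not tunnels:
            findings.append((vpn_id, "no tunnel telemetry reported"))
        for tunnel in tunnels:
            if tunnel.get("Status") != "UP":
                findings.append((vpn_id, "tunnel {} is {} ({})".format(
                    tunnel.get("OutsideIpAddress"), tunnel.get("Status"),
                    tunnel.get("StatusMessage", "no message"))))
    return findings

if __name__ == "__main__":
    for vpn_id, problem in vpn_findings(SAMPLE):
        print(vpn_id, problem)
```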


Route Tables and Static Routes

After the tunnels and the BGP sessions are established, the TGW route table shows the routes learned from the EdgeConnect devices. To create a route table for your transit gateways, navigate to the VPC Dashboard in AWS and click Transit Gateway Route Tables under Transit Gateways. To create a static route, select the transit gateway from the Route Table and navigate to the Routes tab.


Complete the following fields, and then click Create Static Route.

| Field | Description |
|---|---|
| CIDR | Specified range of IPv4 addresses for your VPC. |
| Blackhole | Enable if you want your matched traffic to be dropped. |
| Choose attachment | Choose the attachment for your static route. |


To begin sending traffic from the spoke VPCs where your AWS workloads are running, you must peer the VPCs with the Transit Gateways. To peer your configured Transit Gateways, navigate back to your VPC dashboard in AWS and click Transit Gateway Attachments under Transit Gateways. Complete the following steps.


  1. Select the check box next to the available transit gateways you want to peer.

  2. Click Create Transit Gateway Attachment.

  3. Choose the Transit Gateway ID from the drop-down menu.

  4. For Attachment Type, select Peering Connection.

  5. For Attachment Name Tag, enter text for identification purposes.

  6. For Account, select the check box for My Account.

  7. For Region, choose the destination region you want the BGP peering to connect with.


© Copyright 2024 Hewlett Packard Enterprise Development LP.
