IBM Cloud Docs
Creating a transit gateway

Creating a transit gateway

To order IBM Cloud Transit Gateway, you must determine the location connecting to IBM Cloud, complete the required configuration information, and then submit your order.

Creating a transit gateway in the UI

To get started using IBM Cloud Transit Gateway, follow these steps:

  1. Review requirements and configuration considerations in Planning for Transit Gateway.

  2. From your browser, open the IBM Cloud catalog and log in to your account.

  3. Select Networking in the navigation pane, then click the Transit Gateway tile. The Transit Gateway ordering page displays.

    You can also access the ordering page from the IBM Cloud console by selecting the Navigation Menu icon Menu icon on the upper left of the page. Then, click Infrastructure > Network > Transit Gateway. Click Create to open the provisioning page.

  4. Enter a name for the transit gateway and choose a resource group. You can select a resource group from the list, or keep the default selection.

  5. Optional: Click the GRE enhanced route propagation toggle to allow GRE tunnel traffic to flow across all GRE tunnels connected to this transit gateway.

    Make sure to review GRE enhanced propagation considerations before enabling this toggle.

  6. Choose a routing option:

    All of your classic resources and Direct Link connections across MZRs can be accessed regardless of whether local or global routing is enabled.

    • Select Local routing to allow your transit gateway to connect to all VPC and classic resources within the transit gateway's provisioned region.
    • Select Global routing to allow your transit gateway to connect to VPC resources in all IBM Multi-Zone Regions (MZRs).

    You can upgrade routing options at a later point if your needs change. Pricing is changed accordingly.

  7. Choose the location where you want to provision your transit gateway.

    If you are using local routing, the specified location limits you to connect VPCs located in that region only. If you are using global routing, the specified location affects network latency, so choose the region closest to the resources that you need connected.

  8. Add connections to your transit gateway now, or after it has been provisioned.

    1. Select the network connection to be attached to the transit gateway. To add connections later, see Adding a connection.

      You can add a connection on the same account as the connection type, or request to connect to a network in another account.

      Select from the following connection types:

      • Classic infrastructure networks allow you to connect to IBM Cloud classic resources. Only one classic infrastructure connection is allowed per account.

      • Direct Link creates a network connection to and from Direct Link gateways so that there is a secure connection to on-premises networks and other resources connected to the transit gateway.

        If you select Direct Link, you must also log in to the Direct Link console and specify Transit Gateway as the type of network connection for your direct link.

      • Power Virtual Server - Creates a network connection to a Power Virtual Server workspace to access the resources in a Power Virtual Server colo.

        If you select Power Virtual Server, a Power Virtual Server workspace must be created in a PER-enabled data center. For a list of PER-enabled data centers, see Getting started with the Power Edge Router.

      • Redundant GRE allows unbound GRE tunnels to connect to endpoints in either VPC or classic infrastructure networks, thus allowing you to build in redundancy for GRE tunnels. See Creating a redundant GRE tunnel for further instructions.

      • Unbound GRE tunnel allows a transit gateway to connect to overlay networks hosted on classic infrastructure resources. See Creating an unbound GRE tunnel for further instructions.

      • VPC networks can contain compute resources, allowing you to connect to your account's VPC resources, or, with approval, another account's VPC resources.

    2. REVIEW Optionally, expand the Prefix filtering section to show the Permit prefixes toggle where you can create prefix filters. Prefix filtering allows you to set an ordered list of filters that determine the routes your transit gateway should accept or deny.

      Make sure to review Prefix filtering considerations before creating prefix filters. Also, note that the default filter applies to all prefixes except those that you create.

      To create a prefix filter, click Create prefix filter, then complete the following information:

      1. Select an action type: Permit or Deny.
      2. Enter the network prefix along with its subnet mask (for example, 10.0.0.0/16).
      3. Optionally, enter values for whether the network should be greater than or equal to the subnet mask you chose.
      4. Click Save to add the prefix filter.

      Connections are denied or permitted based on the order of the filters in the list. Edit the prefix filter list to adjust the order in which prefixes are processed.

    3. Complete base network information (different depending on selected network connection) and choose a connection reach option:

      • Add new connection in this account - Enter a connection name and any other required information for your connection.

        • For Power Virtual Server, select a location for the Power Virtual Server workspace. Then, select from the list of Power Virtual Server workspaces that are enabled for Transit Gateway. Keep in mind that not all Power Virtual Server workspaces show in this menu.

      • Request connection to a network in another account - Enter either the IBM Cloud ID or Cloud Resource Name (CRN) of the account that manages the network where you want to connect. Then, complete any remaining information. All resources connected to that transit gateway will be accessible from the other network. For more information, including how to obtain the Cloud ID or CRN, see Adding a cross-account connection.

        • IBM Cloud ID - Required by Classic infrastructure and Unbound GRE tunnel.
        • CRN - Required by all other connections.

        To find out if your Power Systems Virtual Server workspace is set up correctly, go to the Power Systems Virtual Server UI and check the navigation for a Cloud connections page. If there isn't a Cloud connections page, the workspace leverages Transit Gateway. Otherwise, you must configure virtual connections with Cloud connections on the Power Systems Virtual Server.

  9. Click Create to complete your order.

Creating a transit gateway from the CLI

Before you begin, complete these prerequisites to use the Transit Gateway CLI, which is implemented as an IBM Cloud CLI plug-in.

  1. Install the IBM Cloud CLI.

  2. Install the tg-cli/tg CLI plug-in to the IBM Cloud CLI.

    To install:

    ibmcloud plugin install tg

If you are going to use the CLI with a Virtual Private Endpoint (VPE), you must set the following variable:

export IBMCLOUD_TG_API_ENDPOINT=private.transit.cloud.ibm.com

To create a transit gateway from the CLI, enter the following command:

ibmcloud tg gateway-create|gwc --name NAME --location LOCATION [--routing ROUTING] [--gre-enhanced-route-propagation true | false] [--resource-group-id RES_GROUP_ID] [--output json] [-h, --help]

Where:

  • --name - Name for the new gateway.
  • --location - Location of the gateway (see possible values by using : ibmcloud tg locations)
  • --routing - Gateway routing of resources (global | local). Use global to connect resources across regions. The default value is local.
  • --resource-group-id - Optional: Gateway resource group ID. Uses the default resource group, if not specified.
  • --gre-enhanced-route-propagation - Optional: Specify if you want to enable route propagation across all GREs connected to the same transit gateway. One of: true or false (default).
  • --output json - Optional: Specify to display the output in JSON format.
  • --help | -h - Optional: Get help on this command.

Example

The following example illustrates creating a gateway named myGateway in us-south with local routing and using the default resource group:

ibmcloud tg gwc --name myGateway --location us-south

Creating a transit gateway using the API

Follow these steps to create a transit gateway with the API:

  1. Set up your API environment.

  2. Store any additional variables to be used in the API commands.

  3. When all variables are initiated, create the transit gateway:

    curl -X POST --location --header "Authorization: Bearer
{iam_token}" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '{ "location": "us-south", "name": "Transit_Service_BWTN_SJ_DL" }' \
"{base_url}/transit_gateways?version={version}"

For more information, see Creates a Transit Gateway in the Transit Gateway API reference.

Creating a transit gateway using Terraform

Review the following argument references that you can specify for your resource when creating a transit gateway using Terraform:

Argument references for creating a transit gateway
Argument Details
location
Optional
Forces new resource
integer 		The location of the transit gateway.
Example: us-south
name
Required
string 		The unique user-defined name for the gateway.
Example: myGateway
global
Required
boolean 		The gateways with global routing (true) are able to connect to networks outside their associated region.
gre_enhanced_route_propagation
Optional
boolean 		Specify if you want to enable route propagation across all GREs connected to the same transit gateway.
resource_group
Optional
Forces new resource
string 		The resource group ID where the transit gateway is to be created.

Example

This example illustrates creating a transit gateway in Terraform:

resource "ibm_tg_gateway" "new_tg_gw"{
name="transit-gateway-1"
location="us-south"
global=true
gre_enhanced_route_propagation=false
resource_group="30951d2dff914dafb26455a88c0c0092"
}