Transit Gateway - Simple

AWS

Overview

AWS Control Tower (CT) allows you to set up network baselines such as creating VPCs in multiple regions, configuring CIDR block ranges, enabling VPC peering to a VPC, and more. However, other networking services like AWS Transit Gateway (TGW) or Direct Connect (DX) need to be configured explicitly in the AWS Control Tower environment.

The accounts created manually using the Account Factory will be referred to as member accounts, and the accounts in the core OU (the Log archive and Audit accounts), created as part of the Control Tower initialization, will be referred to as shared accounts for the remainder of this lab.

In this lab, we will walk through the steps involved in configuring an AWS Transit Gateway in multiple regions of the Audit account in the CT environment. We’ll share the TGW with all the accounts in the organization managed by AWS Control Tower. In addition, we will attach the Audit account’s VPC to the transit gateway (TGW) and create a default route of 0.0.0.0/0 with the central Transit Gateway as its target in the main Route Table of the account’s VPC. We will use CloudFormation StackSets to automate all these steps.

At the time of creating this lab (GA timeframe), configuring the Transit Gateway as part of the networking baselines in Account Factory is not natively supported. This may change in the future and become a configurable parameter in the Account Factory, in which case newly created accounts could be configured to automatically attach their VPCs to the centralized Transit Gateway.

Architecture Overview

The solution shown in this lab expects you to use CloudFormation templates (provided) to create the transit gateway attachment.

Solution-Architecture

Following are the steps involved in this solution:

  1. Create a Transit Gateway in the Audit account.

  2. Share the Transit Gateway with the remaining accounts in the Control Tower.

  3. Create the Transit Gateway Attachment in two regions of the Audit account to attach the VPCs to the central Transit Gateway.

  4. Create a default route of 0.0.0.0/0 with a destination to the central Transit Gateway as an example.

We will perform the above steps using two separate CloudFormation templates as outlined below:

Things to know before getting started

  • [Important] In the AWS Organizations master account, you need to manually turn on Enable sharing within your AWS Organization if you are using Resource Access Manager for the first time (instructions are provided below).

  • We will leverage the roles AWSControlTowerStackSetRole and AWSControlTowerExecution created as part of the Control Tower initialization to perform CloudFormation StackSets operations.

  • The Transit Gateway is created using all default values for this lab. This lab is not intended to discuss various options involved while configuring the Transit Gateway. Please refer to the documentation for best practices and additional information on Transit Gateway.

  • The CloudFormation templates provided to attach the transit gateway can be added as a product in the AWS Service Catalog and launched after provisioning a new account using Account Factory. For simplicity, this lab only covers the CloudFormation StackSets option.

  • In this lab, the AWS Lambda zip files are copied to individual buckets in each deployment region and the objects are marked as globally readable.

  • Make sure all the account/region(s) contain a valid VPC configuration with subnets. No additional steps are needed if the accounts were provisioned with the Account Factory networking baselines in place.

Lab Preparation

  • The tasks in this section are required for the TGW lab to work.

    Download required files
    Enable AWS Resource Access Manager
    • Log into the Master account with the AWSAdministratorAccess role.

    • Navigate to the AWS Resource Access Manager service.

    • Click on Settings on the left menu option.

    • Enable the feature by checking the Enable sharing within your AWS Organization option.

    • Click on Save settings

    Create a VPC in the us-east-1 region (Virginia)
    • Log into the Audit account with the AWSAdministratorAccess role.

    • Select the VPC service

    • Make sure you are on the us-east-1 region (Virginia)

    • Click on Launch VPC Wizard button

    • Select VPC with a Single Public Subnet from the left menu

    • Click on the Select button

    • Type a VPC Name like: vpc-audit-virginia-tgw-lab

    • Click on Create VPC

    Create a VPC in the us-east-2 region (Ohio)
    • Log into the Audit account with the AWSAdministratorAccess role.

    • Select the VPC service

    • Make sure you are on the us-east-2 region (Ohio)

    • Click on Launch VPC Wizard button

    • Select VPC with a Single Public Subnet from the left menu

    • Click on the Select button

    • Type a VPC Name like: vpc-audit-ohio-tgw-lab

    • Click on Create VPC

Create and share the AWS Transit Gateway

Following is the procedure to create an AWS Transit Gateway in the Audit account of your Control Tower environment.

  1. Log in to your Control Tower master account with the AWSAdministratorAccess Role

  2. Go to My Organization from the AWS Console menu. Identify and save the Master and Audit account numbers.

  3. In the AWS Organizations, click on Settings and save the Organization ID.

  4. When ready, click on the link below to launch the CloudFormation StackSet creation process:

    https://console.aws.amazon.com/cloudformation/stacksets/home?region=us-east-1#/stacksets/new

  5. Select Specify an Amazon S3 template URL, copy and paste the link below into the field Specify Amazon S3 location and click Next.

    https://s3.amazonaws.com/aws-control-tower-labs/transit-gateway-multi-user.yaml

  6. Give the StackSet a name like transit-Gateway-<your-alias>, using a unique alias.

    Enter AWS Organization ID and the Master account number

    You can use the default value of 64512 for PrivateAmazonASN

  7. Type the Audit account number under Deploy stacks in accounts.

    In this lab, we will create the Transit Gateway in us-east-1 and us-east-2 regions.

    From the Available regions select US East (N.Virginia) and US East (Ohio) and click Add

    click Next

  8. Select AWSControlTowerStackSetRole from the list under IAM Admin Role ARN.

    Type AWSControlTowerExecution for IAM Execution Role Name

    click Next

  9. Review the settings.

    Check the box I acknowledge that AWS CloudFormation might create IAM resources and click on Create.

    Wait for the StackSet launch operation to complete on all selected account/region(s).

    Wait for all the Stacks to change from OUTDATED to CURRENT as shown below.

    Your StackSets status would look like the image below on a successful operation.

Create Transit Gateway Attachment and default route

  1. From the AWS SSO web page, log in to your Audit account with the AWSAdministratorAccess Role. Make sure the us-east-1 region is active in the AWS Console.

  2. Go to the VPC service and select Transit Gateway. Save the Transit Gateway ID for us-east-1 for later.

  3. Change the region to us-east-2

    Save the Transit Gateway ID for us-east-2 for later.

  4. With your favorite text editor, edit the file transit-attachment.template that you saved earlier in your temporary folder

    Edit the section:

        Mappings
          TransitGatewayId:
            us-east-1:
              ID: tgw-region-1
            us-east-2:
              ID: tgw-region-2

    • Replace the us-east-1 ID with the TGW ID for us-east-1 saved in the steps above
    • Replace the us-east-2 ID with the TGW ID for us-east-2 saved in the steps above
    • Save the file
  5. Log in to your Control Tower master account with the AWSAdministratorAccess Role

  6. Go to the S3 service.

    Set the Block all public access to off

    Click on the left Block public access (account settings)

    Click on the Edit button and uncheck Block all public access

    Click on Save and you’ll see the following message

  7. Create a bucket in the us-east-1 region (Virginia)

    Click on Buckets on the left menu

    Click on + Create bucket button

    The bucket name should be: us-east-1-<your_alias>-ct-tgw-demo

    From the drop down list, select the region: US East (N. Virginia)

    Click Next and click Next again

    Uncheck the box Block all public access

    Accept all remaining defaults and create the bucket

    Then, upload the tgwlambda.zip file to it

    Click on Upload and choose the tgwlambda.zip file

    Click Next and make sure to make it public read

  8. Now for our second bucket in the us-east-2 region (Ohio)

    Click on Buckets on the left menu

    Click on + Create bucket button

    The bucket name should be: us-east-2-<your_alias>-ct-tgw-demo

    From the drop down list, select the region: US East (Ohio)

    Click Next and click Next again

    Uncheck the box Block all public access

    Accept all remaining defaults and create the bucket

    Then, upload the tgwlambda.zip file to it

    Click on Upload and choose the tgwlambda.zip file

    Click Next and make sure to make it public read

  9. Make sure you are still logged in to the CT master account with AWSAdministratorAccess Role and go to:

    https://console.aws.amazon.com/cloudformation/stacksets/home?region=us-east-1#/stacksets/new

  10. Select Upload a template to Amazon S3

    Click on Browse and select the transit-attachment.template file.

    Click on Next.


  11. Type the StackSet name. You can use: tgwAttachment-1

    In the field pS3BucketSuffix type ONLY the suffix of the bucket name. Exclude the region.

    For the field pS3Key type tgwlambda.zip

  12. Type the Audit account number under Deploy stacks in accounts.

    In this lab, we will create the Transit Gateway in us-east-1 and us-east-2 regions.

    From the Available regions select US East (N.Virginia) and US East (Ohio) and click Add

    click Next

  13. Select AWSControlTowerStackSetRole from the list under IAM Admin Role ARN.

    Type AWSControlTowerExecution for IAM Execution Role Name

    Click on Next

  14. Review the settings.

    Check the box I acknowledge that AWS CloudFormation might create IAM resources and click on Create.

    Wait for the StackSet launch operation to complete on all selected account/region(s).

    Wait for all the Stacks to change from OUTDATED to CURRENT as shown below.

    Your StackSets status would look like the image below on a successful operation.

Verify the Transit Gateway Attachments

You can verify the Transit Gateway by navigating to the VPC Console in the Audit account.

  • Log into the Audit account.
  • Make sure you are in the us-east-1 region
  • In the VPC service, check the Transit Gateway section.
  • Review the Transit Gateway details, check the Details and Sharing tabs.
  • Verify the TGW attachments by checking the Transit Gateway Attachments section.
  • In the Transit Gateway Route Tables section
  • Check the tab Details
  • Check the tab Associations to see the associated VPC
  • Check the Propagations to see it enabled
  • Check the Routes and see the CIDR range
  • In addition, navigating to Route Tables and verifying that the main VPC route table has a route of 0.0.0.0/0 with a destination of the transit gateway id will confirm success of baselining.
  • Now switch to the us-east-2 region
  • Check the same items listed above for this region
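The console checks above can also be scripted. The following is an added example, not part of the lab or its templates: a pure check over boto3-shaped describe_* results (so it runs offline on the constructed sample data) that reports which VPCs are attached to the shared TGW and which of them lack the 0.0.0.0/0 route to it in their main route table, plus a hypothetical collect_from_aws() helper that feeds it live data from the Audit account.

```python
# Added example, not from the lab or its templates. IDs are constructed placeholders.
def check_tgw_baseline(tgw_id, attachments, route_tables):
    """Pure check over boto3-shaped results, so it runs offline.
    attachments:  'TransitGatewayAttachments' from describe_transit_gateway_attachments()
    route_tables: 'RouteTables' from describe_route_tables()
    Returns the VPCs attached to tgw_id and those whose main route table
    lacks an active 0.0.0.0/0 route targeting that TGW.
    """
    findings = {"attached_vpcs": [], "vpcs_missing_default_route": []}
    for att in attachments:
        if (att.get("ResourceType") == "vpc" and att.get("State") == "available"
                and att.get("TransitGatewayId") == tgw_id):
            findings["attached_vpcs"].append(att["ResourceId"])
    for vpc_id in findings["attached_vpcs"]:
        # The lab only baselines the VPC's main route table.
        main_tables = [rt for rt in route_tables if rt.get("VpcId") == vpc_id
                       and any(a.get("Main") for a in rt.get("Associations", []))]
        has_default = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                          and r.get("TransitGatewayId") == tgw_id
                          and r.get("State") == "active"
                          for rt in main_tables for r in rt.get("Routes", []))
        if not has_default:
            findings["vpcs_missing_default_route"].append(vpc_id)
    return findings

def collect_from_aws(region, tgw_id):
    """Hypothetical live helper: run in the Audit account with AWSAdministratorAccess."""
    import boto3  # imported lazily so the offline check needs no boto3
    ec2 = boto3.client("ec2", region_name=region)
    atts = ec2.describe_transit_gateway_attachments(
        Filters=[{"Name": "transit-gateway-id", "Values": [tgw_id]}])
    rts = ec2.describe_route_tables()
    return check_tgw_baseline(tgw_id, atts["TransitGatewayAttachments"], rts["RouteTables"])

# Constructed sample: two attached VPCs, only the first has the default route.
SAMPLE_TGW = "tgw-0123456789abcdef0"
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayId": SAMPLE_TGW, "ResourceType": "vpc", "ResourceId": "vpc-aaaa1111", "State": "available"},
    {"TransitGatewayId": SAMPLE_TGW, "ResourceType": "vpc", "ResourceId": "vpc-bbbb2222", "State": "available"},
]
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-aaaa1111", "Associations": [{"Main": True}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": SAMPLE_TGW, "State": "active"}]},
    {"VpcId": "vpc-bbbb2222", "Associations": [{"Main": True}], "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"}]},
]
```

Run check_tgw_baseline(SAMPLE_TGW, SAMPLE_ATTACHMENTS, SAMPLE_ROUTE_TABLES) to see the sample result, or collect_from_aws("us-east-1", "<tgw id>") against the Audit account.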

[Bonus Point] Verify the Network Connectivity

In this lab you created Transit Gateways in two regions and attached a VPC in each region to its transit gateway. However, additional steps are needed to verify connectivity between subnets of two different VPCs within a region.

Use the steps below (one of many ways) to validate network connectivity:

  • Create a new VPC on the same availability zone as the original VPC.
  • Attach the new VPC to the Transit Gateway
  • Add static routes in your VPC
  • Launch EC2 instances on both the VPCs and test the connectivity between those two.

Create a new VPC in the same availability zone as the original VPC

  1. Log in to the us-east-2 (Ohio) region and go to Subnets under VPC
  2. Note the Availability Zone of vpc-audit-ohio-tgw-lab

  3. Create a new VPC with a subnet in the same Availability Zone you noted above.

    • Go to VPC Console
    • Choose Launch VPC Wizard
    • Under Step 1: Select a VPC Configuration, select VPC with a Single Public Subnet, and choose Select
    • Give VPC name as vpcattach-1, select the Availability Zone as noted above and choose Create VPC.

Attach the new VPC to the Transit Gateway

  1. Go to the Create Transit Gateway Attachment page and fill in the fields as shown below.

TGW Attach

Add static routes in your VPC

  1. Go to the VPC Console, go to Route Tables, and select the options as shown below.

TGW Static Route

  2. Repeat the above steps for the other route table as shown below.

TGW Static Route

Launch EC2 instances and test the connectivity

Launch EC2 instances on both the VPCs and test the connectivity between those two.

Cleaning up the TGW lab

I. From the Master account, delete the TGW Attachment stack instances within the StackSet

  1. Log in to your Control Tower Master account with the AWSAdministratorAccess Role
  2. Make sure you are in the region where CT was deployed in.
  3. Access https://console.aws.amazon.com/cloudformation/stacksets/ to jump to StackSets console.
  4. Click on the tgwAttachment-1 and expand Actions button.
  5. Select Manage stacks in StackSets
  6. Select Delete Stacks and click on Next
  7. Select Delete stacks from account. Enter the Audit account number.
  8. Scroll down to Specify regions, and select all the regions under Available regions and click Add->
  9. Click Next to continue, and click on Delete stacks
  10. Once all the stacks are deleted, click on the Delete StackSet button at the top right.

II. From the Master account, delete the Transit Gateway stack instances within the StackSet

  1. Log in to your Control Tower Master account with the AWSAdministratorAccess Role
  2. Make sure you are in the region where you deployed the StackSet. In this case us-east-1.
  3. Access https://console.aws.amazon.com/cloudformation/stacksets/ to jump to StackSets console.
  4. Click on the ct-transitgw-1 and expand Actions button.
  5. Select Manage stacks in StackSets
  6. Select Delete stacks and click on Next
  7. Select Delete stacks from account. Enter the Audit account number.
  8. Scroll down to Specify regions, and select all the regions under Available regions and click Add->
  9. Click Next to continue, and click on Delete stacks
  10. Once all the stacks are deleted, click on the Delete StackSet button at the top right.

III. Remove the VPC in the Audit account for the us-east-1 region (Virginia)

IV. Remove the VPC in the Audit account for the us-east-2 region (Ohio)

V. Delete the tgwlambda.zip file from both buckets in the Master account

VI. Delete S3 buckets from the Master account

us-east-1-<your_alias>-ct-tgw-demo

us-east-2-<your_alias>-ct-tgw-demo

References