With AWS Control Tower (CT) there is a set of network baselines, such as configuring the CIDR block range and enabling VPC peering to a VPC, that can be configured. However, other networking services such as AWS Transit Gateway (TGW) or Direct Connect (DX) need to be configured explicitly in the AWS Control Tower environment.
For the remainder of this lab, the accounts created manually using the Account Factory will be referred to as managed accounts, and the accounts in the core OU (the Log archive and Audit accounts), created as part of Control Tower initialization, will be referred to as shared accounts.
In this lab, we will walk through the steps involved in configuring an AWS Transit Gateway in multiple regions of the Audit account in the CT environment. We'll share the TGW with all the accounts in the organization managed by AWS Control Tower. In addition, we will attach the transit gateway to the Audit account's VPC and create a default route of 0.0.0.0/0 with the central Transit Gateway as the destination in the main route table of the account's VPC. We will use CloudFormation StackSets to automate all these steps.
Please read: We are using the Audit account for this lab due to logistical needs. Please follow the guidelines from the Multi-account framework for your implementations outside this lab. We recommend creating an Infrastructure_Prod Organizational Unit and creating a Network account using Account Factory to deploy additional networking resources.
At the time of lab creation, configuring the Transit Gateway as part of the networking baselines in Account Factory is not natively supported. This may change in the future and become a configurable parameter in the Account Factory. The accounts created could be configured to automatically attach the VPCs to the centralized Transit Gateway.
The solution shown in this lab expects you to use the CloudFormation templates provided to create the transit gateway attachment.
Following are the steps involved in this solution:
Create a Transit Gateway in the Audit account.
Share the Transit Gateway with the remaining accounts in AWS Control Tower.
Create the Transit Gateway Attachment in two regions of the Audit account to attach the VPCs to the central Transit Gateway.
Create a default route of 0.0.0.0/0 with the central Transit Gateway as the destination, as an example.
We will perform the above steps using two separate CloudFormation templates, as outlined below:
Template 1 creates the Transit Gateway and shares it with the Organization.
Template 2 creates the Transit Gateway Attachment and adds the default route in the Audit account.
[Important] In the AWS Organizations Master account, you need to manually enable sharing within your AWS Organization if you are using Resource Access Manager for the first time (instructions are provided below).
We will use the roles AWSControlTowerStackSetRole and AWSControlTowerExecution, created as part of the Control Tower initialization, to perform CloudFormation StackSets operations.
The Transit Gateway is created using all default values for this lab. This lab is not intended to discuss various options involved while configuring the Transit Gateway. Please refer to the documentation for best practices and additional information on Transit Gateway.
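To make concrete what the first template (create the Transit Gateway and share it) does with the parameters entered in step 3.8, here is an added example template written for this page; it is not the lab's provided file, and the parameter names, the resource names and the AllowedPattern checks are my own choices. It assumes organization sharing was enabled in RAM (step 1.4) and uses the lab's ASN 64520 and the Name tag myTransitGateway.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: create a Transit Gateway in this account/region and share it
  with the whole AWS Organization through Resource Access Manager.
Parameters:
  OrganizationId:
    Type: String
    Description: Organization ID noted in step 3.5 (format o-xxxxxxxxxx)
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
  MasterAccountId:
    Type: String
    Description: Master (management) account ID noted in step 3.4
    AllowedPattern: '^[0-9]{12}$'
  AmazonSideAsn:
    Type: Number
    Default: 64520   # value entered in step 3.8 (private ASN range)
Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: !Ref AmazonSideAsn
      Description: Central Transit Gateway for the Control Tower lab
      # Lab defaults. Auto-accept stays disabled: once the TGW is shared with the
      # whole organization any member account can request a VPC attachment, and
      # disabling auto-accept keeps approval with the account that owns the TGW.
      AutoAcceptSharedAttachments: disable
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      DnsSupport: enable
      Tags:
        - Key: Name
          Value: myTransitGateway   # the name looked up in step 4.3
  TransitGatewayShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: !Sub ${AWS::StackName}-tgw-share
      AllowExternalPrincipals: false   # only principals inside the organization
      # Sharing with the organization ARN covers every current and future member
      # account; this requires "Enable sharing with AWS Organizations" (step 1.4).
      Principals:
        - !Sub arn:aws:organizations::${MasterAccountId}:organization/${OrganizationId}
      ResourceArns:
        - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${TransitGateway}
Outputs:
  TransitGatewayId:
    Description: Value to copy into the Mappings of the attachment template (steps 4.3 and 4.5)
    Value: !Ref TransitGateway
```

Deployed as a StackSet to both regions, each stack instance produces its own regional TGW ID, which is why the attachment template keys its Mappings on the region.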
The CloudFormation templates provided to attach the transit gateway can be added as a product in the AWS Service Catalog and launched after provisioning a new account using Account Factory. For simplicity, we will discuss only the CloudFormation StackSets option in this lab.
Make sure all the accounts/regions contain a valid VPC configuration with subnets. No additional steps are needed if the accounts are provisioned with the Account Factory networking baselines in place.
Download the following file using the direct link provided to a temporary work directory on your local machine. We will use it later in the lab.
1.1. In the AWS Console, log into the Master account with the AWSAdministratorAccess role.
1.2. Navigate to the AWS Resource Access Manager landing page.
1.3. Click Settings on the left pane.
1.4. Check Enable sharing within your AWS Organization and click Save settings.
2.1. Go to the AWS Single Sign-On link.
2.2. Click the Audit account and click on Management console next to the AWSAdministratorAccess.
2.3. On the top right of the console, select the US East (N. Virginia) region.
2.4. Navigate to the VPC landing page on AWS.
2.5. Select Launch VPC Wizard.
2.6. From the left menu, select VPC with a Single Public Subnet. Click Select.
2.7. On Step 2, enter the values below:
IPv4 CIDR block: 10.0.0.0/16
VPC name: vpc-audit-nv-tgw-lab
Public subnet's IPv4 CIDR: 10.0.0.0/24
2.8. Click Create VPC.
2.9. Once your VPC has been launched, click OK.
2.10. Repeat steps 2.4-2.9 in the us-east-2 (Ohio) region. At Step 2 of VPC with a Single Public Subnet, enter the values below:
IPv4 CIDR block: 10.10.0.0/16
VPC name: vpc-audit-ohio-tgw-lab
Public subnet's IPv4 CIDR: 10.10.0.0/24
3.1. Go to the Single Sign-On link.
3.2. Click the Master account and click on Management console next to the AWSAdministratorAccess.
3.3. Navigate to AWS Organizations.
3.4. Under Accounts, note down the Master and Audit account numbers. You will use them in a later step.
3.5. In AWS Organizations, select the Settings tab on the right. Note down the Organization ID for a later step.
3.6. Copy and paste the link below into your browser to launch the CloudFormation StackSet creation process: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacksets/new
3.7. In Choose a template page:
3.8. In the Specify StackSet details page, enter the values below and choose Next:
StackSet name: transit-gateway-your-alias
Organization ID: the value noted in step 3.5
Master account ID: the value noted in step 3.4
Amazon side ASN: 64520
3.9. In the Configure StackSet options page, set the IAM execution role name to AWSControlTowerExecution.
3.10. In the Set deployment options page, enter the Audit account ID that you noted in step 3.4 and select the US East (N. Virginia) and US East (Ohio) regions.
3.11. In the Review page, review the selected options and choose Submit.
3.12. Wait for the StackSet operation status to change to SUCCEEDED. This could take around five minutes.
3.13. Verify that the stack instance status changed to CURRENT for all the stack instances.
Congratulations, you successfully created an AWS Transit Gateway in N. Virginia and Ohio. You also shared these transit gateways with the rest of the organization using AWS Resource Access Manager. Now go to the next section to attach the transit gateways to the VPCs created earlier.
4.1. From the AWS SSO page, log into the Master account with the AWSAdministratorAccess role. In the top right corner of the page, make sure you are in the US East (N. Virginia) region.
4.2. Navigate to the VPC landing page and in the left pane under Transit Gateways select Transit Gateways.
4.3. Select the checkbox next to myTransitGateway. In the bottom pane, in the Details tab, note down the Transit Gateway ID for a later step.
4.4. In the top right corner, change the region to US East (Ohio).
4.5. Repeat step 4.3 to note down the transit gateway ID in US East (Ohio). This is required in the next step.
4.6. Open the file transit-attachment.yaml you saved in the lab preparation steps earlier. Edit lines 9 and 11 with the transit gateway IDs you saved in steps 4.3 and 4.5:
Mappings:
  TransitGatewayId:
    us-east-1:
      ID: tgw-region-1 # Replace this with the value noted in step 4.3
    us-east-2:
      ID: tgw-region-2 # Replace this with the value noted in step 4.5
4.7. Save and close the file.
4.8. Navigate to the CloudFormation StackSet console in the US East (N. Virginia) region using the link below: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacksets/new
4.9. In the Choose a template page, use the file you edited in step 4.6.
4.10. In the Specify StackSet details page, enter the StackSet name as TransitGateway-Attachment-1 and choose Next.
4.11. In the Configure StackSet options page, set the IAM execution role name to AWSControlTowerExecution.
4.12. In the Set deployment options page, enter the Audit account ID that you noted in step 3.4 and select the US East (N. Virginia) and US East (Ohio) regions.
4.13. In the Review page, scroll down, check I acknowledge that AWS CloudFormation might create IAM resources, and choose Submit.
4.14. Wait for the StackSet operation status to change to SUCCEEDED. This could take around five minutes.
4.15. Verify that the stack instance status changed to CURRENT for all the stack instances.
Congratulations, you successfully attached your VPCs in N. Virginia and Ohio to the transit gateways in their respective regions.
You can verify the Transit Gateway by navigating to the VPC Console in the Audit account.
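The attachment step above (VPC attachment plus the 0.0.0.0/0 route in the main route table) as an added example template; it is not the lab's transit-attachment.yaml. The Mappings block has the same shape as the lab's snippet, while the VpcId, AttachmentSubnetIds and MainRouteTableId parameters are my own assumption about how the VPC details reach the template.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: attach this region's VPC to the shared Transit Gateway and
  point the VPC's main route table at it.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC created in step 2 for this region
  AttachmentSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: One subnet per Availability Zone the attachment should serve
  MainRouteTableId:
    Type: String
    Description: Main route table of the VPC (rtb-...), which receives the default route
    AllowedPattern: '^rtb-[0-9a-f]+$'
Mappings:
  # Same shape as the lab's snippet; the current region selects the right TGW.
  TransitGatewayId:
    us-east-1:
      ID: tgw-region-1   # replace with the value noted in step 4.3
    us-east-2:
      ID: tgw-region-2   # replace with the value noted in step 4.5
Resources:
  VpcAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !FindInMap [TransitGatewayId, !Ref 'AWS::Region', ID]
      VpcId: !Ref VpcId
      SubnetIds: !Ref AttachmentSubnetIds
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-vpc-attachment
  DefaultRouteToTgw:
    Type: AWS::EC2::Route
    # EC2 rejects a route to an attachment that is still pending, so order it explicitly.
    DependsOn: VpcAttachment
    Properties:
      RouteTableId: !Ref MainRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !FindInMap [TransitGatewayId, !Ref 'AWS::Region', ID]
Outputs:
  AttachmentId:
    Description: Transit Gateway attachment to look for in step 5.5
    Value: !Ref VpcAttachment
```

If the main route table already holds a 0.0.0.0/0 route (for example to an Internet Gateway), creating this route fails with RouteAlreadyExists, so check that table before deploying.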
5.1. Log into the Audit account.
5.2. Make sure you are in the us-east-1 region.
5.3. In the VPC service, check the Transit Gateway section.
5.4. Review the Transit Gateway details; check the Details and Sharing tabs.
5.5. Verify the TGW attachments by checking the Transit Gateway Attachments section.
5.6. In the Transit Gateway Route Tables section:
5.7. Check the Details tab.
5.8. Check the Associations tab to see the associated VPC.
5.9. Check Propagations to see that it is enabled.
5.10. Check Routes and see the CIDR range.
5.11. In addition, navigate to Route Tables and verify that the main VPC route table has a route of 0.0.0.0/0 with the transit gateway ID as the destination; this confirms that the baselining succeeded.
5.12. Now switch to the us-east-2 region.
5.13. Check the same items listed above.
In this lab you created Transit Gateways in two regions and attached the transit gateway to a VPC in each region. However, a few additional steps are required to verify connectivity between subnets in two different VPCs within a region.
Use the steps below to validate network connectivity (one of many ways):
Note the Availability Zone of vpc-audit-ohio-tgw-lab.
Create a new VPC named vpcattach-1 with a subnet in the same Availability Zone you noted above: select that Availability Zone and choose Create VPC.
Launch EC2 instances in both VPCs and test the connectivity between the two.
I. From the Master account, logged in with the AWSAdministratorAccess role, delete the TGW Attachment StackSet instances within the StackSet, using the Audit account number.
II. From the Master account, logged in with the AWSAdministratorAccess role, delete the Transit Gateway StackSet instances within the StackSet, using the Audit account number.
III. Remove the VPC in the Audit account for the us-east-1 region (Virginia).
IV. Remove the VPC in the Audit account for the us-east-2 region (Ohio).