Transit Gateway - Simple

Overview

With AWS Control Tower(CT) there are set of network baselines like configuring the CIDR block range, enabling VPC peering to a VPC and more that can be configured. However, there are other networking services like AWS Transit Gateway(TGW), or Direct Connect(DX) that need to be configured explicitly on the AWS Control Tower environment.

The accounts that are created manually using the Account Factory will be referred to as managed accounts and the accounts which are in the core OU (Log archive, and Audit accounts), created as part of control tower initialization, will be referred to as shared accounts for the remaining of this lab.

In this lab, we will walk through the steps involved in configuring an AWS Transit Gateway in multiple regions of the Audit account in the CT environment. We’ll share the TGW with all the accounts in the organization managed by the AWS Control Tower. In addition, we will also attach the transit gateway to the Audit account, and create a default route of 0.0.0.0/0 with a destination to the central Transit Gateway in the main Route Table of the account’s VPC. We will use CloudFormation StackSets to automate all these steps.

Please read: We are using Audit account for this lab due to logistical needs. Please follow the guidelines from Multi-account-framework for your implementations outside this lab. We recommend to create a Infrastructure_Prod Organizational Unit and create a Network account using Account Factory to deploy additional networking resources.

At the time of lab creation, configuring the Transit Gateway as part of the networking baselines in Account Factory is not natively supported. This may change in the future and become a configurable parameter in the Account Factory. The accounts created could be configured to automatically attach the VPCs to the centralized Transit Gateway.

Architecture Overview

The solution shown in this lab expects you to use CloudFormation templates (provided) to create the transit gateway attachment.

Following are the steps involved in this solution:

1. Create a Transit Gateway in the Audit account.

2. Share the Transit Gateway with the remaining accounts in AWS Control Tower.

3. Create the Transit Gateway Attachment on two regions in the Audit account to attach the VPCs to the central Transit Gateway.

4. Create a default route of 0.0.0.0/0 with a destination to the central Transit Gateway as an example.

We will perform the above steps using two separate CloudFormation templates as outlined below:

• transit-gateway.yaml

Creates the Transit Gateway and shares it with the Organization.

• transit-attachment.yaml

Creates the Transit Gateway Attachment and adds the default route in the Audit account.

Things to know before getting started

• [Important] On the AWS Organization Master account, we need to manually Enable sharing within your AWS Organization if you are using the Resource Access Manager for the first time (instructions provided below).

• We will leverage the roles AWSControlTowerStackSetRole and AWSControlTowerExecution created as part of the Control Tower initialization to perform CloudFormation StackSets operations.

• Due to logistical needs, we create AWS Transit Gateway in Audit account in this lab. For all practical purposes, follow the guidelines from Multi-account-framework for your implementations outside this lab. We recommend to create a Infrastructure_Prod Organizational Unit and create a Network account using Account Factory to deploy additional networking resources.

• The Transit Gateway is created using all default values for this lab. This lab is not intended to discuss various options involved while configuring the Transit Gateway. Please refer to the documentation for best practices and additional information on Transit Gateway.

• The CloudFormation templates provided to attach the transit gateway can be added as product in the AWS Service Catalog and launch after provisioning a new account using Account Factory. For simplicity, we will discuss only using CloudFormation StackSets option in the lab.

• Make sure all the account/region(s) contain valid a VPC configuration with subnets. There is no additional steps needed if the accounts are provisioned with the Account Factory networking baselines in place.

Lab Preparation

Download required files

• Download the following file using the direct links provided to a temporary work directory in your local machine. We will use it later in the lab.

• transit-attachment.yaml

1. Enable AWS Resource Manager

1.1. In the AWS Console, log into the Master account with the AWSAdministratorAccess role.

1.2. Navigate to the AWS Resource Access Manager landing page.

1.3. Click Settings on the left pane.

1.4. Check the Enable sharing within your AWS Organization. Click on Save settings.

2. Create a VPC in both N.Virginia and Ohio

2.1. Go to the AWS Single Sign-On link.

2.2. Click the Audit account and click on Management console next to the AWSAdministratorAccess.

2.3. On the top right of the console, select the US East N.Virginia.

2.4. Navigate to the VPC landing page on AWS.

2.5. Select Launch VPC Wizard.

2.6. From the left menu, select VPC with a Single Public Subnet. Click Select.

2.7. On Step 2, enter below values:

• IPv4 CIDR block : 10.0.0.0/16
• VPC name : vpc-audit-nv-tgw-lab
• Public subnet’s IPv4 CIDR : 10.0.0.0/24

2.8. Click Create VPC.

2.9. Once your VPC has been launched, click OK.

2.10. Repeat steps 2.4-2.9 in us-east-2 (Ohio) region. Enter below values at Step-2: VPC with a Single Public Subnet.

• IPv4 CIDR block : 10.10.0.0/16
• VPC name : vpc-audit-ohio-tgw-lab
• Public subnet’s IPv4 CIDR : 10.10.0.0/24

3.Create and Share AWS Transit Gateway

3.1. Go to the Single Sign-On link.

3.2. Click the Master account and click on Management console next to the AWSAdministratorAccess.

3.3. Navigate to AWS Organizations.

Note down Master Account ID and Organization ID

3.4. Under Accounts, note-down the Master and Audit account numbers. You will use them in later step.

3.5. In AWS Organizations, select the Settings tab on the right. Note-down the Organization ID for a later step.

3.6. Copy paste the link below in your browser to launch CloudFormation StackSet creation process: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacksets/new

3.7. In Choose a template page:

• under Specify template, select Amazon S3 URL if required
• for Amazon S3 URL, copy and paste the below URL. https://marketplace-sa-resources.s3.amazonaws.com/ctlabs/transit-gateway.yaml
• choose Next.

3.8. In Specify StackSet details page, enter below values and choose Next:

• StackSet name : transit-gateway-your-alias
• AWSOrganizationId : OrgId-Noted-in-step-3.5
• MasterAccountId : MasterAcctId-Noted-in-step-3.4
• PrivateAmazonASN : 64520

3.9. In Configure StackSet options page:

• under Permissions Choose Self service permissions
• for IAM admin role ARN - optional, expand the options and select AWSControlTowerStackSetRole
• under IAM execution role name, type in AWSControlTowerExecution
• choose Next

3.10. In Set deployment options page:

• under Accounts, Deployment locations, select Deploy stacks in accounts
• under Account numbers, type in Audit Account Id that you noted in step 3.4
• under Specify regions, select both US East(N.Virginia) and US East(Ohio) regions
• choose Next

3.10. In Review page, review the options selected and choose Submit.

3.11. Wait for the StackSet Operations status change to SUCCEEDED. Could take around five minutes.

3.12. Verify the Stack instances status changed to CURRENT for all the stack intances.

Congratulations, you sucessfully created AWS Transit Gateway in N.Virginia and Ohio. You also shared these transit gateways with rest of the organization using AWS Resource Access Manager. Now go to next section to attach transit gateways to VPCs creates

4.Create Transit Gateway Attachment and a default route

4.1. From the AWS SSO page, log into the Master account with the AWSAdministratorAccess role. In the top right corner of the page, make sure you are in the US East (N.Virginia) region.

4.2. Navigate to the VPC landing page and in the left pane under Transit Gateways select Transit Gateways.

4.3. Select the checkbox next to myTransitGateway. In the bottom pane, in the Details tab, note down the Transit Gateway ID for a later step.

4.4. In the top right corner, change the region to US East (Ohio)

4.5. Repeat step 4.3 to note down the transit gateway ID in US East (Ohio). This is required in next step.

4.6. Open the file transit-attachment.yaml you saved from lab preparation steps earlier. Edit line 9 and 11 with the transit gateway IDs you saved in steps 4.3 and 4.5.

Mappings
TransitGatewayId:
us-east-1:
ID: tgw-region-1 # Replace this with value noted in step 4.3
us-east-2:
ID: tgw-region-2 # Replace this with value noted in step 4.5

4.7. Save and close the file.

4.8. Navigate to CloudFormation StackSet Console in US East (N.Virginia) region using the link below. https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacksets/new

4.9. In Choose a template page:

• under Specify template, select Upload a template file
• click on Choose file, and select the file you updated in step 4.6
• choose Next

4.10. In Specify StackSet details page, enter the StackSet name as TransitGateway-Attachment-1 and choose Next:

4.12. In Configure StackSet options page:

• under Permissions Choose Self service permissions
• for IAM admin role ARN - optional, expand the options and select AWSControlTowerStackSetRole
• under IAM execution role name, type in AWSControlTowerExecution
• choose Next

4.11. In Set deployment options page:

• under Accounts, Deployment locations, select Deploy stacks in accounts
• under Account numbers, type in Audit Account Id that you noted in step 3.4
• under Specify regions, select both US East(N.Virginia) and US East(Ohio) regions
• choose Next

4.12. In Review page, scroll down and checkbox I acknowledge that AWS CloudFormation might create IAM resources. and choose Submit.

4.13. Wait for the StackSet Operations status change to SUCCEEDED. Could take around five minutes.

4.14. Verify the Stack instances status changed to CURRENT for all the stack intances.

Congratulations, you sucessfully created attached your VPCs from N.Virginia and Ohio to transit gateways in respective regions.

5. Verify the Transit Gateway Attachments

You can verify the Transit Gateway by navigating to the VPC Console in the Audit account.

5.1. Log into the Audit account.

5.2. Make sure you are in the us-east-1 region

5.3. In the VPC service, check the Transit Gateway section.

5.4. Review the Transit Gateway details, check the Details and Sharing tabs.

5.5. Verify the TGW attachments by checking the Transit Gateway Attachments section.

5.6. In the Transit Gateway Route Tables section

5.7. Check the tab Details

5.8. Check the tab Associations to see the associated VPC

5.9. Check the Propagations to see it enabled

5.10. Check the Routes and see the CIDR range

5.11. In addition, navigating to Route Tables and verifying that the main VPC route table has a route of 0.0.0.0/0 with a destination of the transit gateway id will confirm success of baselining.

5.12. Now switch to the us-east-2 region

5.13. You can now check for the above items

[Bonus Point] Verify the Network Connectivity

In this lab you created Transit Gateways on two region, and attached the transit gateway to a VPC on each region. However, few additional steps required to verify the connectivity between subnets from two different VPCs with in a region.

Use below steps to validate network connectivity[one of many ways]:

• Create a new VPC on the same availability zone as the original VPC.
• Attach the new VPC to the Transit Gateway
• Add static routes in your VPC
• Launch EC2 instances on both the VPCs and test the connectivity between those two.

Create a new VPC on the same availability zone as the original VPC

• Log in to us-east-2 (ohio) region and go to Subnets under VPC

• Note the Availability zone for vpc-audit-ohio-tgw-lab

• Create a new VPC with a subnet in the same availability zone you noted above.

  • Go to VPC Console
  • Choose Launch VPC Wizard
  • Under Step 1: Select a VPC Configuration, select VPC with a Single Public Subnet, and choose Select
  • Give VPC name as vpcattach-1, select the Availability Zone as noted above and choose Create VPC.

Attach the new VPC to the Transit Gateway

• Go to Create Transit Gateway Attachments page and type in as shown below.

Attach static routes in your VPC

• Go to VPC Console, go to route tables, select the options as shown below.
• Repeat the above steps for other route table as shown below

Launch EC2 instances and test the connectivity

Launch EC2 instances on both the VPCs and test the connectivity between those two.

Cleaning up the TGW lab

I. From the Master account delete the TGW Attachment StackSet instances within the StackSet

1. Log in to your Control Tower Master account with the AWSAdministratorAccess Role
2. Make sure you are in the region where CT was deployed in.
3. Access https://console.aws.amazon.com/cloudformation/stacksets/ to jump to StackSets console.
4. Click on the TransitGateway-Attachment-1 and expand Actions button.
5. Select Manage stacks in StackSets
6. Select Delete Stacks and click on Next
7. Select Delete stacks from account. Enter the Audit account number.
8. Scroll down to Specify regions, and select all the regions under Available regions and click Add->
9. Click Next to continue, and click on Delete stacks
10. Once all the Stacks are deleted. Click on Delete StackSet button on the top right.

II. From the Master account delete the Transit Gateway StackSet instances with in the StackSet

1. Log in to your Control Tower Master account with the AWSAdministratorAccess Role
2. Make sure you are in the region where you deployed the StackSet. In this case us-east-1.
3. Access https://console.aws.amazon.com/cloudformation/stacksets/ to jump to StackSets console.
4. Click on the transit-gateway- and expand Actions button.
5. Select Manage stacks in StackSets
6. Select Delete stacks and click on Next
7. Select Delete stacks from account. Enter the Audit account number.
8. Scroll down to Specify regions, and select all the regions under Available regions and click Add->
9. Click Next to continue, and click on Delete stacks
10. Once all the Stacks are deleted. Click on Delete StackSet button on the top right.

III. Remove the VPC in the Audit account for the us-east-1 region (Virginia)

IV. Remove the VPC in the Audit account for the us-east-2 region (Ohio)

References

• Getting Started with Transit Gateways