├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── lambda.zip
├── transit-gateway-association.yaml
└── transit-gateway.yaml

/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *master* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.


## Licensing

See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## AWS Transit Gateway Attachment Automation

This repo contains the files that assist in the automation of Transit Gateway and Transit Gateway Attachment associations for multiple accounts within an AWS Organization. In addition to resource creation, an AWS Lambda function is included that creates a default route to the created Transit Gateway based upon a user-set tag value.

## Solution Overview

As IT environments grow, they can become more complex, with additional accounts, VPCs, and the networking between them. AWS Transit Gateway is a service that addresses networking complexity by building a hub-and-spoke network to simplify your network routing and security. With Transit Gateway, you can connect your virtual private clouds (VPCs) that span multiple accounts and on-premises networks to a single gateway.

While Transit Gateway eases network administration and reduces complexity, it does not address typical environment missteps such as configuration drift and uncoordinated changes made by multiple administrators.

Automation through Infrastructure as Code helps combat deployment inconsistencies and assists in managing your network by templatizing your environment as a central source of truth. AWS provides a robust API that allows changes to be made quickly and lets you automate your environment's processes. If you are doing a task 10 times, you can codify and automate it. This is the concept of Infrastructure as Code.

AWS CloudFormation is a service that provisions AWS resources quickly and simplifies your infrastructure management. A CloudFormation template describes the configuration of your resources, such as their property values. You can update templates to add, remove, or change the configuration of resources. This process keeps an accurate history of your resources, allowing you to track and document changes between different versions of your templates. So instead of recording changes in a ticketing system, you can reference changes in the versioning of CloudFormation templates.

CloudFormation provides a feature called StackSets, which extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation. A stack set is created in a central account, referred to as the administrator account, which provisions stacks and their resources into target accounts.

AWS Organizations helps you centrally govern your accounts and scale your workloads on AWS. You can centrally manage billing, access control, compliance, and security, and share resources across AWS accounts. Many existing AWS services take advantage of Organizations to streamline access control and management of resources.

This post walks you through a solution that automates the association of transit gateway attachments to a transit gateway in a central account within your organization. It includes the following steps:

You can use the provided CloudFormation templates and code for a Lambda function to accomplish these tasks. The provided files can easily be modified to integrate into your environment as part of your account creation and baselining.

### Prerequisites

The following steps and services are instrumental in achieving this goal:

### Overview of AWS Organizations architecture

Figure 1: Architectural diagram

Using a CloudFormation template, you create a transit gateway in a central account and then share it with your organization using AWS Resource Access Manager (AWS RAM). You then launch a stack set that automates the creation of a transit gateway attachment in each target account.

A Lambda function gathers metadata about a VPC based on a user-provided tag value. This metadata is needed to create the transit gateway attachment for the VPC and to create the route to the transit gateway for a user-provided CIDR range.

The transit gateway in the central account is configured to auto-accept shared attachments (the AutoAcceptSharedAttachments setting) and to propagate routes to its route table, which ensures bidirectional routing.

### Limitations

For more information about additional transit gateway limitations, see Limits for Your Transit Gateways.

### Granting IAM permissions for stack set operations

Because stack sets perform stack operations across multiple accounts, you must have the necessary permissions defined in your AWS accounts before you can get started creating your first stack set.

In the central account, create an IAM role named AWSCloudFormationStackSetAdministrationRole. The role must have this exact name. You can do this by creating a stack from the following CloudFormation template. This role enables the following policy on your administrator account:

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Action": [
			"sts:AssumeRole"
		],
		"Resource": [
			"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
		],
		"Effect": "Allow"
	}]
}
```

The preceding template creates the following trust relationship:

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Principal": {
			"Service": "cloudformation.amazonaws.com"
		},
		"Action": "sts:AssumeRole"
	}]
}
```

In each target account, create a service role named AWSCloudFormationStackSetExecutionRole that trusts the administrator account. The role must have this exact name. You can do this by creating a stack from the following CloudFormation template. When you use this template, provide the ID of the administrator account with which your target account must have a trust relationship.

Be aware that this template grants AdministratorAccess. After you use the template to create a target account execution role, you must scope the permissions in the policy statement to the types of resources that you are creating when using StackSets.

The target account service role requires permissions to perform any operations that your CloudFormation template specifies. Your target account always needs full CloudFormation permissions, which include permissions to create, update, delete, and describe stacks. The role created by this template enables the following policy on a target account:

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": "*",
		"Resource": "*"
	}]
}
```

The following trust relationship is created by the template. The administrator account's ID shows as central_account_id:

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Principal": {
			"AWS": "arn:aws:iam::central_account_id:root"
		},
		"Action": "sts:AssumeRole"
	}]
}
```

You can configure the trust relationship of an existing target account execution role to trust a specific role in the administrator account instead of the whole account. If you delete the role in the administrator account and create a new one to replace it, you must update your target account trust relationships to trust the new administrator account role, which is represented by central_account_id in the preceding example.

### Deploying the template and configuring a resource share

In the central account in which to deploy the transit gateway, open the CloudFormation console.

On the Choose a template page, choose Upload a template file and select the provided transit-gateway.yaml file to upload. Choose Next.

On the Specify stack details page, provide a stack name along with the parameter values for the following fields:

At the time of publication, you cannot change or modify these parameters after creation. To enable or disable them, you must create a new transit gateway.

For this deployment, keep the default values. You can customize these values later for your own deployment.

The Configure stack options page doesn't require you to enter any values or configuration changes. Choose Next.

On the Review page, verify your values and stack details and choose Create stack to deploy the transit gateway.

The template takes a few minutes to deploy and reports CREATE_COMPLETE when finished.

In the VPC console, choose Transit Gateway. This page shows your deployed transit gateways and additional metadata. In the next step, you need the Transit Gateway ID.

When the transit gateway is available, you can share it with multiple accounts, an organization, or an organizational unit using AWS RAM. In this example, you share it across an organization. A significant benefit of sharing across an organization is that you can share resources without requiring the exchange of resource share invitations.

When using Organizations to share resources across an organization or organizational unit, you must enable sharing with your organization from your organization's master account. Sharing within your organization can only be enabled by the master account. The following steps outline this process:

Log back in to the account that contains your transit gateway. In the Resource Access Manager console, choose Create resource share.

Provide a name for the resource share. For Select resource type, choose Transit Gateways. This step populates a field where you can select your transit gateway.

Under Principals, you can add the accounts, organizational units, or the organization with which to share. This step lets you limit which accounts can see the transit gateway as an available resource to attach to. For this example, share with the entire organization.

Choose Create resource share. Now you have a transit gateway shared with your organization. Because you shared across the organization, you don't have to accept sharing invitations in the child accounts.

### Deploying the VPC with a template in the central account as a stack set

In the central account, create and deploy a stack set. This stack set deploys CloudFormation stacks in target accounts that create a Lambda function to look up your VPC and its associated subnets and default route table, based upon a user-provided tag value.

That information is used to create the transit gateway attachment between the VPC and the central account transit gateway. The target VPC's default route table is populated with a configurable route whose destination is the central account transit gateway. The transit gateway's route table is then populated with routes back to the target VPC.
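The lookup-attach-route sequence described above, written out as an added example; it is not the code inside lambda.zip (which this page does not reproduce). It assumes things the page does not state: that a VPC is selected when any of its tag values appears in the comma-separated Vpc_Tags parameter, that the inputs have the shapes boto3's EC2 `describe_vpcs`, `describe_subnets` and `describe_route_tables` return, and that the attachment must be "available" before the VPC route can be created. The `SAMPLE_*` data and the `RecordingEc2` stand-in client are constructed so the logic runs offline.

```python
"""Plan and apply a transit gateway attachment plus a route for tagged VPCs.

Added example; it is not the code inside lambda.zip. Assumptions not stated on the
page: a VPC is selected when any of its tag values is in the comma-separated Vpc_Tags
parameter, and inputs have the shapes boto3's EC2 describe_vpcs, describe_subnets and
describe_route_tables return. All SAMPLE_* data below is constructed.
"""
import ipaddress
import time

def parse_tag_list(raw):
    """Split the 'Comma Separated' Vpc_Tags parameter into trimmed, non-empty values."""
    return [v.strip() for v in raw.split(",") if v.strip()]

def plan_attachments(vpcs, subnets, route_tables, tag_values, tgw_id, cidr):
    """Per matching VPC: which subnets to attach and what to do with the route.

    An attachment takes at most one subnet per Availability Zone, so the first subnet
    seen in each AZ is used. The route goes into the VPC's main route table; a route
    for the CIDR that already points at this TGW is kept, any other owner is a conflict.
    """
    ipaddress.ip_network(cidr, strict=True)  # fail early on a malformed CIDR parameter
    wanted = set(tag_values)
    plans = []
    for vpc in vpcs["Vpcs"]:
        if not wanted & {t["Value"] for t in vpc.get("Tags", [])}:
            continue
        vpc_id = vpc["VpcId"]
        per_az = {}
        for sn in subnets["Subnets"]:
            if sn["VpcId"] == vpc_id:
                per_az.setdefault(sn["AvailabilityZone"], sn["SubnetId"])
        if not per_az:
            raise ValueError(f"{vpc_id} has no subnets to attach")
        main_rt = next(rt for rt in route_tables["RouteTables"]
                       if rt["VpcId"] == vpc_id and any(a.get("Main") for a in rt.get("Associations", [])))
        existing = next((r for r in main_rt.get("Routes", []) if r.get("DestinationCidrBlock") == cidr), None)
        if existing is None:
            action = "create"
        elif existing.get("TransitGatewayId") == tgw_id:
            action = "skip"  # idempotent re-run: the route is already correct
        else:
            action = "conflict"  # something else owns this destination; never overwrite silently
        plans.append({"vpc_id": vpc_id, "subnet_ids": [per_az[az] for az in sorted(per_az)],
                      "route_table_id": main_rt["RouteTableId"], "route_action": action})
    return plans

def wait_for_attachment(ec2, attachment_id, attempts=24, delay=5.0):
    """Poll until the attachment is 'available'; the VPC route cannot be created before that."""
    for _ in range(attempts):
        resp = ec2.describe_transit_gateway_vpc_attachments(TransitGatewayAttachmentIds=[attachment_id])
        state = resp["TransitGatewayVpcAttachments"][0]["State"]
        if state == "available":
            return state
        if state in ("failed", "rejected", "deleted"):
            raise RuntimeError(f"{attachment_id} entered state {state}")
        time.sleep(delay)
    raise TimeoutError(f"{attachment_id} not available after {attempts} polls")

def apply_plan(ec2, plan, tgw_id, cidr):
    """Issue the EC2 calls for one plan; `ec2` is a boto3 EC2 client or a stand-in with the same methods.
    Creating the attachment is not idempotent: a production function should first check
    describe_transit_gateway_vpc_attachments for an existing attachment on this VPC."""
    if plan["route_action"] == "conflict":
        raise RuntimeError(f"{plan['route_table_id']} already routes {cidr} to something other than {tgw_id}")
    resp = ec2.create_transit_gateway_vpc_attachment(
        TransitGatewayId=tgw_id, VpcId=plan["vpc_id"], SubnetIds=plan["subnet_ids"])
    attachment_id = resp["TransitGatewayVpcAttachment"]["TransitGatewayAttachmentId"]
    wait_for_attachment(ec2, attachment_id)
    if plan["route_action"] == "create":
        ec2.create_route(RouteTableId=plan["route_table_id"], DestinationCidrBlock=cidr, TransitGatewayId=tgw_id)
    return attachment_id

# Constructed sample data in the shapes the EC2 describe_* APIs return.
SAMPLE_VPCS = {"Vpcs": [
    {"VpcId": "vpc-0aaa", "Tags": [{"Key": "Name", "Value": "workload-a"}, {"Key": "tgw", "Value": "attach"}]},
    {"VpcId": "vpc-0bbb", "Tags": [{"Key": "Name", "Value": "isolated"}]}]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-01", "VpcId": "vpc-0aaa", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-02", "VpcId": "vpc-0aaa", "AvailabilityZone": "us-east-1a"},  # same AZ: skipped
    {"SubnetId": "subnet-03", "VpcId": "vpc-0aaa", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-04", "VpcId": "vpc-0bbb", "AvailabilityZone": "us-east-1a"}]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main-a", "VpcId": "vpc-0aaa", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-main-b", "VpcId": "vpc-0bbb", "Associations": [{"Main": True}], "Routes": []}]}

class RecordingEc2:
    """Stand-in for the boto3 client: records calls and answers like a healthy attachment."""
    def __init__(self):
        self.calls = []

    def create_transit_gateway_vpc_attachment(self, **kw):
        self.calls.append(("create_transit_gateway_vpc_attachment", kw))
        return {"TransitGatewayVpcAttachment": {"TransitGatewayAttachmentId": "tgw-attach-0test"}}

    def describe_transit_gateway_vpc_attachments(self, **kw):
        self.calls.append(("describe_transit_gateway_vpc_attachments", kw))
        return {"TransitGatewayVpcAttachments": [{"State": "available"}]}

    def create_route(self, **kw):
        self.calls.append(("create_route", kw))
        return {"Return": True}
```

Running `plan_attachments(SAMPLE_VPCS, SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, parse_tag_list("attach, shared-services"), "tgw-0123", "0.0.0.0/0")` selects only `vpc-0aaa`, picks one subnet per AZ (`subnet-01`, `subnet-03`) and plans a `create` for the default route in `rtb-main-a`; passing the plan to `apply_plan` with a real boto3 EC2 client makes the three calls in order. The `conflict` outcome is the edge case worth keeping: a VPC whose default route already points somewhere else (an internet gateway, a different transit gateway) should fail the custom resource loudly rather than have its egress silently redirected.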

This example deploys a Lambda function in each target account as part of the automation of transit gateway attachments. The code is in a .zip file named lambda.zip. Upload the file to an S3 bucket whose bucket policy grants access to the child accounts. Amazon S3 bucket policies support the aws:PrincipalOrgID condition key, which allows any account that belongs to the same organization to access objects in the bucket.

The following is a sample S3 bucket policy that allows the GetObject and ListBucket actions from within your organization. Replace `S3 bucket ARN` and `o-id` with your own resource values:

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "S3AccessToTgwLambdaCode",
			"Action": [
				"s3:GetObject",
				"s3:ListBucket"
			],
			"Effect": "Allow",
			"Resource": [
				"S3 bucket ARN",
				"S3 bucket ARN/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:PrincipalOrgID": "o-id"
				}
			},
			"Principal": "*"
		}
	]
}
```

You can modify this sample policy to allow external account access, but this example locks down the policy to your organization.
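Before deploying the policies in this README (the StackSets administration and execution role policies, the trust relationship, and the bucket policy above), a quick lint catches the mistakes the text warns about. The checker below is an added example and not part of the repository; it uses only the standard library and rebuilds the README's documents from constructed helper functions (`bucket_policy`, `trust_policy`) so that the placeholder and the filled-in versions can be compared.

```python
"""Lint the IAM, trust and bucket policy documents used by this solution.

Added example, not part of the repository. It flags what the README calls out:
the execution-role statement allowing every action on every resource, a trust
policy on an account root rather than a specific role, a bucket policy whose
Principal is "*" with no organization condition, and placeholder strings
("S3 bucket ARN", "o-id", "central_account_id") left in a copied template.
"""
import re

ORG_CONDITION_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalOrgPaths", "aws:PrincipalAccount"}
ROOT_PRINCIPAL = re.compile(r"arn:aws:iam::[^:]+:root")

def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal entries."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _string_leaves(node):
    """Yield every string anywhere in a policy document."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _string_leaves(v)
    elif isinstance(node, list):
        for v in node:
            yield from _string_leaves(v)
    elif isinstance(node, str):
        yield node

def _is_placeholder(text):
    return text.startswith("S3 bucket ARN") or text == "o-id" or "central_account_id" in text

def _principal_is_anyone(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def _condition_keys(stmt):
    keys = set()
    for block in stmt.get("Condition", {}).values():
        keys.update(block)
    return keys

def lint_policy(policy):
    """Return (severity, where, message) tuples for an IAM, trust or bucket policy dict."""
    findings = []
    for text in dict.fromkeys(_string_leaves(policy)):  # de-duplicated, order kept
        if _is_placeholder(text):
            findings.append(("high", "document", f"placeholder value {text!r} was not replaced"))
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        where = stmt.get("Sid") or f"Statement[{index}]"
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")
        if "*" in actions and "*" in resources:
            findings.append(("high", where, "allows every action on every resource; scope it to what the stack set creates"))
        if _principal_is_anyone(principal) and not (_condition_keys(stmt) & ORG_CONDITION_KEYS):
            findings.append(("high", where, "Principal '*' without an aws:PrincipalOrgID-style condition makes this public"))
        if isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS")):
                if ROOT_PRINCIPAL.fullmatch(arn):
                    findings.append(("info", where, f"trusts {arn}: any principal in that account allowed to call sts:AssumeRole; prefer a specific role ARN"))
    return findings

def is_deployable(policy):
    """True when no high-severity finding remains."""
    return not any(sev == "high" for sev, _, _ in lint_policy(policy))

def bucket_policy(bucket_arn, org_id):
    """The README's bucket policy with the two placeholders substituted (constructed helper)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "S3AccessToTgwLambdaCode",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Effect": "Allow",
        "Resource": [bucket_arn, bucket_arn + "/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        "Principal": "*"}]}

def trust_policy(principal_arn):
    """The execution role's trust relationship with the administrator principal substituted."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}]}

# The execution role policy from the README, verbatim: AdministratorAccess-equivalent.
EXECUTION_ROLE_POLICY = {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

`lint_policy(bucket_policy("S3 bucket ARN", "o-id"))` reports the three unreplaced placeholders and nothing else, because the organization condition is present; deleting that `Condition` block is what turns the `Principal: "*"` statement into a world-readable bucket, and the linter then reports it as high. `EXECUTION_ROLE_POLICY` is always reported, which matches the README's instruction to scope it down before using it for real; the trust policy on `arn:aws:iam::123456789012:root` (a constructed account ID) yields only an informational note, and a role-ARN principal yields none.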

In the CloudFormation console, choose StackSets, Create StackSet.

On the Choose a template page, choose Upload a template file. Select the provided transit-gateway-association.yaml file and choose Next.

On the Specify stack details page, provide a name for the stack set along with the parameter values for the following fields, then choose Next.

On the Configure StackSet options page, enter AWSCloudFormationStackSetExecutionRole for the IAM execution role name. This field should already have this value populated. You do not need the optional IAM admin role ARN. Choose Next.

On the Set deployment options screen, provide the account numbers or the organizational unit ID in which to deploy the solution. You can use either value depending on your use case. The benefit of selecting accounts is that you limit the deployment to those specific accounts. Selecting an organizational unit deploys to all accounts within that organizational unit.

You can specify the Region or Regions that the solution deploys in for each account. You can also set deployment options to deploy one account at a time, or increase the concurrency to deploy to multiple accounts at the same time. However, transit gateways are Region-specific, and you must deploy the stack set in the same Region in which the transit gateway resides. You can further customize the template for multiple transit gateways in multiple Regions, for example with Mappings that associate the correct transit gateway with the deployment Region.

After you enter the preceding information, choose Next.

On the following screen, verify your settings and choose Submit. This step begins the operation of deploying the stack set to the target accounts.

You can add additional accounts as stack instances by navigating to the console for the newly created stack set. Choose Actions, Add new stacks to StackSet, and repeat the preceding process.

### Monitoring activity

After the stack set operation is running, you can log in to a target account. In the CloudFormation console, view the newly created stack. The Resources tab shows a list of created items.

To verify success, log in to a target account. In the VPC console, in the left navigation pane, choose Transit Gateway Attachments. You should see a transit gateway attachment associated with the transit gateway in the central account. You can navigate to your route tables and verify that a route is now in the VPC's default route table with the transit gateway as the target.

In the central account, in the VPC console, choose Transit Gateway Route Tables. There you can verify that there are routes back to the target VPCs.

### Conclusion

The provided templates serve as a starting point to build out more complex solutions that you can integrate into your environment. You can modify the stack set to handle multiple transit gateways that could reside in different Regions or serve different workloads.

You can also build logic into the CloudFormation template to handle conditions and determine which transit gateways to attach to or how to construct the route tables. This process can become part of the foundation for automating your environment and network management across multiple VPCs and AWS accounts.


## License

This library is licensed under the MIT-0 License. See the LICENSE file.

--------------------------------------------------------------------------------
/lambda.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-transit-gateway-attachment-automation/afa232448d0be0584b6a609b4944becc96e68b48/lambda.zip
--------------------------------------------------------------------------------
/transit-gateway-association.yaml:
--------------------------------------------------------------------------------
# (c) 2019 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This AWS Content is provided subject to the terms of the AWS Customer
# Agreement available at https://aws.amazon.com/agreement/ or other written agreement between Customer and Amazon Web Services, Inc.
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploys an AWS Lambda Function that performs a Transit Gateway Attachment and Route creation to a centralized AWS Transit Gateway (RCS-1463)
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'Parameter Settings'
        Parameters:
          - pVpcTag
          - pTransitGatewayId
          - pRoute
      - Label:
          default: 'Lambda Settings'
        Parameters:
          - pTGWLambdaS3Bucket
          - pTGWLambdaS3Key
    ParameterLabels:
      pVpcTag:
        default: VPC Tag
      pTransitGatewayId:
        default: Transit Gateway Id
      pRoute:
        default: Route Destination CIDR
      pTGWLambdaS3Bucket:
        default: S3 Bucket
      pTGWLambdaS3Key:
        default: S3 Key


Parameters:
  pVpcTag:
    Description: VPC Tags that you would like to associate with the Transit Gateway (Comma Separated)
    Type: String
  pTransitGatewayId:
    Description: The ID of the Central Account Transit Gateway
    Type: String
  pRoute:
    Description: Destination Route for traffic to the Central Account Transit Gateway
    Type: String
    Default: '0.0.0.0/0'
  pTGWLambdaS3Bucket:
    Description: S3 Bucket for Transit Gateway Attachment Lambda Code
    Type: String
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
  pTGWLambdaS3Key:
    Description: The Key location of the Lambda zip for Transit Gateway Attachment.
    Type: String
    AllowedPattern: ^[a-zA-Z0-9[\\].\/()!:=?#,@+&;{}$-_]*


Resources:
  rGetVpcLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: TransitGatewayAttachments
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*
              - Effect: Allow
                Action:
                  - ec2:*
                  - iam:ListRoles
                  - iam:CreateServiceLinkedRole
                Resource: "*"

  rGetVpcLambda:
    Type: AWS::Lambda::Function
    DependsOn:
      - rGetVpcLambdaRole
    Properties:
      FunctionName: !Sub TransitGatewayAttachmentsAndRoute
      Role: !GetAtt rGetVpcLambdaRole.Arn
      Description: Captures VPC metadata for Transit Gateway Attachments
      Handler: index.lambda_handler
      Runtime: python3.6
      Timeout: 120
      Code:
        S3Bucket: !Ref pTGWLambdaS3Bucket
        S3Key: !Ref pTGWLambdaS3Key

  rGetVpcLambdaCustomIvoke:
    Type: Custom::GetVPCLambdaInvoke
    DependsOn: rGetVpcLambda
    Properties:
      ServiceToken: !GetAtt [ rGetVpcLambda, Arn ]
      Vpc_Tags: !Ref pVpcTag
      Account: !Sub ${AWS::AccountId}
      Region: !Sub ${AWS::Region}
      CIDR: !Ref pRoute
      Transit_Gateway_Id: !Ref pTransitGatewayId

  # Lambda permission - event rule can trigger evaluation
  rLambdaPermission:
    Type: AWS::Lambda::Permission
    DependsOn: rGetVpcLambda
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt 'rGetVpcLambda.Arn'
      Principal: events.amazonaws.com
--------------------------------------------------------------------------------
/transit-gateway.yaml:
--------------------------------------------------------------------------------
# (c) 2017 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This AWS Content is provided subject to the terms of the AWS Customer
# Agreement available at https://aws.amazon.com/agreement/ or other written agreement between Customer and Amazon Web Services, Inc.
AWSTemplateFormatVersion: '2010-09-09'
Description: This is the CloudFormation script for deployment of a Transit Gateway (RCS-1463)
Metadata: # Metadata Section
  AWS::CloudFormation::Interface:
    ParameterGroups: # Parameter Groups
      - Label: # Transit Gateway Configuration
          default: Transit Gateway Configuration
        Parameters: # Label Parameters
          - pAmazonAsn
          - pAutoAcceptSharedAttachments
          - pDefaultRouteTableAssociation
          - pDefaultRouteTablePropagation
          - pDnsSupport
          - pVpnEcmpSupport

    ParameterLabels: # Parameter Labels
      pAmazonAsn:
        default: Amazon Side ASN
      pAutoAcceptSharedAttachments:
        default: Auto Accept Share Attachments
      pDefaultRouteTableAssociation:
        default: Auto Associate Route Table Association
      pDefaultRouteTablePropagation:
        default: Automatic Route Propagation
      pDnsSupport:
        default: DNS Support
      pVpnEcmpSupport:
        default: Equal Cost Multipath Protocol

Parameters: # CloudFormation Parameters
  pAmazonAsn: # Amazon side BGP ASN
    Type: String
    Description: A private Autonomous System Number (ASN) for the Amazon side of a BGP session.
    Default: 65000
    MinLength: 5
    MaxLength: 10
    ConstraintDescription: The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.

  pAutoAcceptSharedAttachments: # enable/disable attachment requests
    Type: String
    Description: Indicates whether cross-account attachment requests are automatically accepted.
    Default: "enable"
    AllowedValues:
      - "enable"
      - "disable"

  pDefaultRouteTableAssociation: # enable/disable automatic route table association
    Type: String
    Description: Enable or disable automatic association with the default association route table.
    Default: "enable"
    AllowedValues:
      - "enable"
      - "disable"

  pDefaultRouteTablePropagation: # enable/disable automatic route propagation to the default route table
    Type: String
    Description: Enable or disable automatic propagation of routes to the default propagation route table.
    Default: "enable"
    AllowedValues:
      - "enable"
      - "disable"

  pDnsSupport: # Enable or disable DNS support
    Type: String
    Description: Enable or disable DNS support.
    Default: "enable"
    AllowedValues:
      - "enable"
      - "disable"

  pVpnEcmpSupport: # Enable or disable Equal Cost Multipath Protocol
    Type: String
    Description: Enable or disable Equal Cost Multipath Protocol.
    Default: "disable"
    AllowedValues:
      - "enable"
      - "disable"

Resources: # CloudFormation Resources
  rTransitGateway:
    Type: "AWS::EC2::TransitGateway"
    Properties:
      AmazonSideAsn: !Ref pAmazonAsn
      AutoAcceptSharedAttachments: !Ref pAutoAcceptSharedAttachments
      DefaultRouteTableAssociation: !Ref pDefaultRouteTableAssociation
      DefaultRouteTablePropagation: !Ref pDefaultRouteTablePropagation
      Description: "Transit Gateway serves as a centralized outgoing gateway for networking traffic"
      DnsSupport: !Ref pDnsSupport
      Tags:
        - Key: Name
          Value: 'My Transit Gateway'
      VpnEcmpSupport: !Ref pVpnEcmpSupport

Outputs:
  oTransitGatewayId: #Outputs the Transit Gateway ID
    Description: The Transit Gateway ID
    Value: !Ref rTransitGateway
--------------------------------------------------------------------------------