Architecture diagram - Network Orchestration for AWS Transit Gateway

Architecture diagram

Deploying this solution with the default parameters deploys the following components in your AWS account.

Architecture diagram of AWS resources deployed to automate managing Transit Gateway attachments.

Note

CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) constructs.

  1. This template deploys an Amazon EventBridge rule that monitors specific VPC and subnet tag changes.

    Note

    To identify which VPCs in the spoke accounts the solution should manage, tag those VPCs and the selected subnets within them.

  2. An EventBridge rule in the spoke account forwards the tag-change event to the EventBridge bus in the hub account.

  3. The rules associated with the EventBridge bus invoke an AWS Lambda function to start the solution workflow. For more information about workflows, refer to Architecture details.

    Note

    Wait for the hub stack launch to complete before you launch the spoke templates. The spoke stacks depend on the EventBridge bus that the hub stack creates.

  4. AWS Step Functions (solution state machine) processes network requests from the spoke accounts.

  5. The state machine workflow attaches a VPC to the transit gateway.

  6. The state machine workflow updates the VPC route table associated with the tagged subnet.

  7. The state machine workflow updates the transit gateway route table with association and propagation changes.

    Note

    This workflow only updates the transit gateway route table defined in the VPC tags.

  8. (Optional) The state machine workflow updates the attachment name with the VPC name and the Organizational Unit (OU) name of the spoke account (retrieved from the AWS Organizations management account).

    Note

    This occurs only if you provide your Organizations ARN for the Account List or AWS Organizations ARN template parameter. For more information, see Step 3: Launch the hub stack.

  9. The solution records in Amazon DynamoDB the information extracted from the event and the resources created, updated, or deleted during the workflow.

Users can view tagging event details and the history of network requests from different accounts, and monitor their status in the web UI. Administrators can accept or reject requests when manual approval is required.
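The following Python example is added here and is not part of the solution's own code. It shows the hub-side validation a practitioner would want in front of step 3, where a tag-change event forwarded from a spoke account starts the workflow, together with a spoke-side EventBridge rule pattern for steps 1 and 2. The event shape is the standard EventBridge "Tag Change on Resource" event; the tag keys Associate-with and Propagate-to, the enrolled account list, the hub region, and the sample events are assumptions constructed for illustration and are not taken from this page.

```python
# Added example (not the solution's code): hub-side validation of a tag-change
# event forwarded from a spoke. Tag keys, account list and region are assumed.
import re

ASSOCIATE_TAG = "Associate-with"   # assumed tag keys; configurable in the solution
PROPAGATE_TAG = "Propagate-to"
MANAGED_TAG_KEYS = {ASSOCIATE_TAG, PROPAGATE_TAG}

# Spoke-side rule pattern: forward only EC2 VPC/subnet tag changes that touch
# a managed key (an array field matches when any element matches).
SPOKE_EVENT_PATTERN = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "detail": {"service": ["ec2"], "resource-type": ["vpc", "subnet"],
               "changed-tag-keys": sorted(MANAGED_TAG_KEYS)},
}

ARN_RE = re.compile(r"^arn:aws:ec2:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
                    r":(?P<rtype>vpc|subnet)/(?P<rid>[a-z0-9-]+)$")


def parse_tag_event(event, allowed_accounts, hub_region):
    """Validate a forwarded event and return a normalized request record.
    The hub bus takes cross-account events, so envelope, ARN and tags are
    cross-checked rather than trusted; ValueError means refuse to act."""
    if event.get("source") != "aws.tag" or event.get("detail-type") != "Tag Change on Resource":
        raise ValueError("not a tag-change event")
    account = event.get("account")
    if account not in allowed_accounts:
        raise ValueError(f"account {account} is not an enrolled spoke")
    detail = event.get("detail", {})
    if detail.get("service") != "ec2" or detail.get("resource-type") not in ("vpc", "subnet"):
        raise ValueError("unsupported resource type")
    resources = event.get("resources", [])
    m = ARN_RE.match(resources[0]) if len(resources) == 1 else None
    if not m:
        raise ValueError("expected exactly one well-formed EC2 VPC/subnet ARN")
    if m["account"] != account or not (m["region"] == event.get("region") == hub_region):
        raise ValueError("ARN does not match event envelope and hub region")
    if m["rtype"] != detail["resource-type"]:
        raise ValueError("ARN resource type does not match detail")
    changed = set(detail.get("changed-tag-keys", []))
    if not changed & MANAGED_TAG_KEYS:
        raise ValueError("no managed tag key changed")
    tags = detail.get("tags", {})
    return {
        "event_id": event.get("id"), "account": account, "region": m["region"],
        "resource_type": m["rtype"], "resource_id": m["rid"],
        "associate_with": tags.get(ASSOCIATE_TAG), "propagate_to": tags.get(PROPAGATE_TAG),
        # A managed key that changed but is no longer present was deleted.
        "removed_keys": sorted((changed & MANAGED_TAG_KEYS) - set(tags)),
    }


def rejection_reason(event, allowed_accounts, hub_region):
    """Return None if the event is acceptable, otherwise why it was refused."""
    try:
        parse_tag_event(event, allowed_accounts, hub_region)
    except ValueError as exc:
        return str(exc)
    return None


ALLOWED_SPOKES = {"111111111111", "222222222222"}  # assumed enrolled spoke accounts

# Constructed sample event: managed tags added to a VPC in an enrolled spoke.
SAMPLE_VPC_EVENT = {
    "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
    "detail-type": "Tag Change on Resource", "source": "aws.tag",
    "account": "111111111111", "time": "2024-03-01T12:00:00Z", "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:111111111111:vpc/vpc-0123456789abcdef0"],
    "detail": {"changed-tag-keys": ["Associate-with", "Propagate-to"], "service": "ec2",
               "resource-type": "vpc", "version": 3,
               "tags": {"Name": "app-vpc", "Associate-with": "Infrastructure",
                        "Propagate-to": "Infrastructure,Shared"}},
}

# Constructed: the same VPC later has Associate-with removed (a detach request).
DETACH_EVENT = dict(SAMPLE_VPC_EVENT, id="0c2d9e41-5b6f-4a7e-9d3c-2f1e8b7a6c5d", detail={
    "changed-tag-keys": ["Associate-with"], "service": "ec2", "resource-type": "vpc",
    "version": 4, "tags": {"Name": "app-vpc", "Propagate-to": "Infrastructure,Shared"}})

# Constructed: a well-formed event from an account that is not enrolled.
FORGED_EVENT = dict(SAMPLE_VPC_EVENT, account="999999999999",
                    resources=["arn:aws:ec2:us-east-1:999999999999:vpc/vpc-0123456789abcdef0"])

if __name__ == "__main__":
    print(parse_tag_event(SAMPLE_VPC_EVENT, ALLOWED_SPOKES, "us-east-1"))
    print(rejection_reason(FORGED_EVENT, ALLOWED_SPOKES, "us-east-1"))
```

Because the VPC tags written in the spoke account decide which transit gateway route table the attachment is associated with and propagates to (steps 5 to 7), the hub should treat the forwarded event as untrusted input: confirm that the sending account is enrolled and that the resource ARN agrees with the event envelope before the state machine acts on it, and restrict who may write these tag keys in the spoke accounts (for example, with an IAM condition on aws:TagKeys for ec2:CreateTags).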