Automate the setup of inter-Region peering with AWS Transit Gateway - AWS Prescriptive Guidance

Automate the setup of inter-Region peering with AWS Transit Gateway

Created by Ram Kandaswamy (AWS)

Environment: Production

Technologies: Networking; Hybrid cloud

AWS services: AWS Transit Gateway; AWS Step Functions; AWS Lambda

Summary

AWS Transit Gateway connects virtual private clouds (VPCs) and on-premises networks through a central hub. Transit Gateway traffic always stays on the global Amazon Web Services (AWS) backbone and doesn't traverse the public internet, which reduces threat vectors, such as common exploits and distributed denial of service (DDoS) attacks.

If you need to communicate between two or more AWS Regions, you can use inter-Region Transit Gateway peering to establish peering connections between transit gateways in different Regions. However, manually configuring inter-Region peering with Transit Gateway can be a time-consuming process that has multiple steps. This pattern provides an automated process to remove these manual steps by using code to perform the peering. You can use this approach if you have to repeatedly configure several Regions and AWS accounts during a multi-Region organization setup.

This pattern uses an AWS CloudFormation stack that includes the AWS Step Functions workflow, AWS Lambda functions, AWS Identity and Access Management (IAM) roles, and log groups in Amazon CloudWatch Logs. You can then start a Step Functions execution and create the inter-Region peering connection for your transit gateways.

Prerequisites and limitations

Prerequisites 

  • An active AWS account.

  • An existing Amazon Simple Storage Service (Amazon S3) bucket.

  • Transit gateways, created and configured in the requester Region and the acceptor Regions. The requester Region is where the peering request originates, and the acceptor Regions accept the request. For more information about this, see Creating and accepting a VPC peering connection in the Amazon VPC documentation.

  • VPCs, installed and configured in the acceptor and requester Regions. For steps to create a VPC, see Create the VPC from Get Started with Amazon VPC in the Amazon VPC documentation.

  • The VPCs must be tagged with the key addToTransitGateway and the value true.

  • Security groups and network access control lists (ACLs) for your VPCs, configured according to your requirements. For more information about this, see Security groups for your VPC and Network ACLs in the Amazon VPC documentation.

AWS Regions and limitations

  • Only certain AWS Regions support inter-Region peering. For a full list of Regions that support inter-Region peering, see the AWS Transit Gateway FAQs.

  • In the attached sample code, the requester Region is assumed to be us-east-2, and the acceptor Region is assumed to be us-west-2. If you want to configure different Regions, you must edit these values in all Python files. To implement a more complex setup that involves more than two Regions, you can change the Step Functions state machine to pass the Regions as parameters to the Lambda function and run the function for each combination.

Architecture

The diagram shows a workflow with the following steps:

  1. The user creates an AWS CloudFormation stack.

  2. AWS CloudFormation creates a Step Functions state machine that uses a Lambda function. For more information about this, see Creating a Step Functions state machine that uses Lambda in the AWS Step Functions documentation.

  3. Step Functions calls a Lambda function for peering. 

  4. The Lambda function creates a peering connection between transit gateways.

  5. Step Functions calls a Lambda function for route table modifications.

  6. The Lambda function modifies the route tables by adding the Classless Inter-Domain Routing (CIDR) block of the VPCs.
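The route table step (step 6 above), as an added example that is not the pattern's attached Lambda code: it selects the peer Region's VPCs by the addToTransitGateway=true tag and adds each VPC's IPv4 CIDR as a static route pointing at the peering attachment. The EC2 clients are passed in (boto3 `client("ec2", region_name=...)` in Lambda); the FakeRouteEc2 stand-in, the VPC data and all IDs are constructed for offline use.

```python
TAG_KEY, TAG_VALUE = "addToTransitGateway", "true"  # the opt-in tag the pattern requires

def tagged_vpc_cidrs(peer_ec2):
    """IPv4 CIDRs of tagged peer-Region VPCs (tag filter applied server-side); a
    VPC may carry several blocks, so only the still-associated ones are returned."""
    resp = peer_ec2.describe_vpcs(Filters=[{"Name": f"tag:{TAG_KEY}", "Values": [TAG_VALUE]}])
    cidrs = set()
    for vpc in resp["Vpcs"]:
        for assoc in vpc.get("CidrBlockAssociationSet", []):
            if assoc["CidrBlockState"]["State"] == "associated":
                cidrs.add(assoc["CidrBlock"])
    return sorted(cidrs)

def existing_static_routes(local_ec2, route_table_id):
    resp = local_ec2.search_transit_gateway_routes(
        TransitGatewayRouteTableId=route_table_id,
        Filters=[{"Name": "type", "Values": ["static"]}])
    return {r["DestinationCidrBlock"] for r in resp["Routes"]}

def add_peer_routes(local_ec2, peer_ec2, route_table_id, peering_attachment_id):
    """Point each tagged peer-VPC CIDR at the peering attachment. Skipping routes
    that already exist keeps the step idempotent when the workflow is re-run."""
    present = existing_static_routes(local_ec2, route_table_id)
    added = []
    for cidr in tagged_vpc_cidrs(peer_ec2):
        if cidr in present:
            continue
        local_ec2.create_transit_gateway_route(
            DestinationCidrBlock=cidr, TransitGatewayRouteTableId=route_table_id,
            TransitGatewayAttachmentId=peering_attachment_id)
        added.append(cidr)
    return added

class FakeRouteEc2:
    """Constructed stand-in for the boto3 EC2 client: one tagged sample VPC and
    one static route left by an earlier run, so the step can be exercised offline."""
    def __init__(self):
        self.routes = {"10.20.0.0/16"}
        self.vpcs = [{"VpcId": "vpc-0example", "CidrBlockAssociationSet": [
            {"CidrBlock": "10.20.0.0/16", "CidrBlockState": {"State": "associated"}},
            {"CidrBlock": "10.21.0.0/16", "CidrBlockState": {"State": "associated"}},
            {"CidrBlock": "10.30.0.0/16", "CidrBlockState": {"State": "disassociated"}}]}]
    def describe_vpcs(self, Filters):
        return {"Vpcs": self.vpcs}  # the real service applies Filters; the fake is pre-filtered
    def search_transit_gateway_routes(self, **kw):
        return {"Routes": [{"DestinationCidrBlock": c} for c in sorted(self.routes)]}
    def create_transit_gateway_route(self, DestinationCidrBlock, **kw):
        assert DestinationCidrBlock not in self.routes, "RouteAlreadyExists"  # mimics the EC2 error
        self.routes.add(DestinationCidrBlock)
```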

Step Functions workflow

The diagram shows the following Step Functions workflow:

  1. The Step Functions workflow calls the Lambda function for the transit gateway peering.

  2. A timer (Wait) step pauses the workflow for one minute.

  3. The peering status is retrieved and passed to the condition block, which controls the loop.

  4. If the success condition is not met, the workflow returns to the timer step.

  5. If the success condition is met, a Lambda function is called to modify the route tables. After this call, the Step Functions workflow ends.
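The peering request and status steps of the loop above, as an added example that is not the pattern's attached Lambda code. The EC2 clients are passed in (boto3 `client("ec2", region_name=...)` in Lambda) so the loop can run offline against the constructed FakePeeringEc2 stand-in; the attachment ID and transit gateway IDs are placeholders. It also shows the accept call on the acceptor side, which the status check depends on.

```python
REQUESTER_REGION, ACCEPTER_REGION = "us-east-2", "us-west-2"  # Regions the pattern assumes
TERMINAL_FAILURES = {"failed", "rejected", "rejecting", "deleted", "deleting", "rollingBack"}

def request_peering(req_ec2, req_tgw_id, acc_tgw_id, acc_account_id):
    """Peering Lambda: the requester Region opens the peering attachment."""
    resp = req_ec2.create_transit_gateway_peering_attachment(
        TransitGatewayId=req_tgw_id, PeerTransitGatewayId=acc_tgw_id,
        PeerAccountId=acc_account_id, PeerRegion=ACCEPTER_REGION)
    return resp["TransitGatewayPeeringAttachment"]["TransitGatewayAttachmentId"]

def get_peering_status(req_ec2, attachment_id):
    """Status Lambda: the condition block branches on the State string it returns."""
    resp = req_ec2.describe_transit_gateway_peering_attachments(
        TransitGatewayAttachmentIds=[attachment_id])
    return resp["TransitGatewayPeeringAttachments"][0]["State"]

def run_peering_workflow(req_ec2, acc_ec2, req_tgw_id, acc_tgw_id, acc_account_id,
                         wait=lambda seconds: None, max_attempts=30):
    """Mirror of the Step Functions loop: request, wait a minute, check status,
    repeat until 'available'. The acceptor Region must accept the request while
    it is 'pendingAcceptance'; without that step the loop never converges."""
    attachment_id = request_peering(req_ec2, req_tgw_id, acc_tgw_id, acc_account_id)
    for _ in range(max_attempts):
        wait(60)  # the one-minute timer step
        state = get_peering_status(req_ec2, attachment_id)
        if state == "available":
            return attachment_id
        if state == "pendingAcceptance":
            acc_ec2.accept_transit_gateway_peering_attachment(
                TransitGatewayAttachmentId=attachment_id)
        elif state in TERMINAL_FAILURES:
            raise RuntimeError(f"peering {attachment_id} entered state {state}")
    raise TimeoutError(f"peering {attachment_id} not available after {max_attempts} polls")

class FakePeeringEc2:
    """Constructed stand-in for the boto3 EC2 client; `states` scripts what each
    successive describe call reports (default: the normal service progression)."""
    def __init__(self, states=("pendingAcceptance", "pending", "available")):
        self.states, self.calls = list(states), []
    def create_transit_gateway_peering_attachment(self, **kw):
        self.calls.append(("create", kw))
        return {"TransitGatewayPeeringAttachment": {"TransitGatewayAttachmentId": "tgw-attach-0example"}}
    def accept_transit_gateway_peering_attachment(self, **kw):
        self.calls.append(("accept", kw))
    def describe_transit_gateway_peering_attachments(self, **kw):
        return {"TransitGatewayPeeringAttachments": [{"State": self.states.pop(0)}]}
```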

Tools

  • AWS CloudFormation – AWS CloudFormation is a service that helps you model and set up your AWS resources.

  • Amazon CloudWatch Logs – CloudWatch Logs helps you centralize the logs from all of your systems, applications, and AWS services that you use.

  • AWS Identity and Access Management (IAM) – IAM is a web service for securely controlling access to AWS services.

  • AWS Lambda – Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources.

  • AWS Step Functions – Step Functions makes it easy to coordinate the components of distributed applications as a series of steps in a visual workflow. 

Epics

Task: Upload the attached files to your S3 bucket.

Description: Sign in to the AWS Management Console, open the Amazon S3 console, and then upload the modify-transit-gateway-routes.zip, peer-transit-gateway.zip, and get-transit-gateway-peering-status.zip files (attached) to your S3 bucket.

Skills required: General AWS

Task: Create the AWS CloudFormation stack.

Description: Run the following command to create an AWS CloudFormation stack from the transit-gateway-peering.json file (attached). Because the stack creates IAM roles, the command must acknowledge that with the --capabilities option:

aws cloudformation create-stack --stack-name myteststack --template-body file://transit-gateway-peering.json --capabilities CAPABILITY_NAMED_IAM

The AWS CloudFormation stack creates the Step Functions workflow, the Lambda functions, IAM roles, and CloudWatch log groups.

Make sure that the AWS CloudFormation template refers to the S3 bucket that contains the files that you uploaded earlier.

Note: You can also create a stack by using the AWS CloudFormation console. For more information about this, see Creating a stack on the AWS CloudFormation console in the AWS CloudFormation documentation.

Skills required: DevOps engineer

Task: Start a new execution in Step Functions.

Description: Open the Step Functions console and start a new execution. Step Functions calls the Lambda function and creates the peering connection for the transit gateways. You don't need an input JSON file. Verify that an attachment is available and that the connection type is Peering.

For more information about this, see Start a new execution from Getting started with AWS Step Functions in the AWS Step Functions documentation.

Skills required: DevOps engineer, General AWS

Task: Verify the routes in the route tables.

Description: Inter-Region peering is established between the transit gateways. The route tables are updated with the peer Region VPC's IPv4 CIDR block range.

Open the Amazon VPC console and choose the Associations tab in the route table that corresponds to the transit gateway attachment. Verify the VPC CIDR block range of the peered Regions.

For detailed steps and instructions, see Associate a transit gateway route table in the Amazon VPC documentation.

Skills required: Network administrator

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip