Solution components - Network Orchestration for AWS Transit Gateway

Solution components

AWS Lambda

This solution deploys three AWS Lambda functions.

custom-resource: This function is responsible for solution helper tasks such as generating a unique ID for the deployment, sending metrics to aws-solutions, and triggering the solution's core state machine.

state-machine: This function performs all the transit gateway related tasks, including transit network changes, Amazon DynamoDB updates, sending Amazon Simple Notification Service (Amazon SNS) notifications, tagging spoke resources, and accepting AWS Resource Access Manager (AWS RAM) resource share invitations from the spoke account.

tgw-peering: This function handles creating, updating, and deleting transit gateway peering attachments, thereby establishing intra/inter-Region peering connections between transit gateways.

AWS Step Functions

The Network Orchestration for AWS Transit Gateway state machine contains AWS Step Functions that orchestrate the changes required to tether the network components. The state machine enables network administrators to analyze each event and troubleshoot any unexpected errors.

The Peering Attachment state machine contains AWS Step Functions that coordinate the changes required to peer inter-Region transit gateway connections.

Amazon DynamoDB

Amazon DynamoDB stores all tagging events made by users in the spoke accounts. This enables the administrator to retain and audit the network changes made in response to those tag changes.

By default, items expire after 90 days, but you can change the value with the Audit Trail Retention Period parameter in the hub template.

AWS Resource Access Manager

This solution uses AWS Resource Access Manager (AWS RAM) to create a resource share for the transit gateway and for managed prefix lists (if provided). Depending on your network environment, the transit gateway is shared with the accounts identified during the hub template deployment or with the accounts in your AWS Organizations organization.

For accounts that use AWS Organizations, you must manually activate AWS RAM in the Organizations console and obtain the AWS Organizations management account ID and organization ID. AWS RAM allows you to share your resources through AWS Organizations. For steps to activate AWS RAM with AWS Organizations, refer to Activate AWS RAM for AWS Organizations Accounts.

Transit Network Management web interface

The Transit Network Management web interface includes a ReactJS web application that is hosted in Amazon S3 and delivered by CloudFront. The CloudFront distribution uses a CloudFront Function to add security-related HTTP headers. Users authenticate to the web application through Amazon Cognito. The web interface uses AWS AppSync to interact with DynamoDB and calls Lambda functions to initiate the Network Orchestration for AWS Transit Gateway state machine in the manual approval workflow. The web interface provides a dashboard for administrators to resolve manual approval requests for network changes and allows other users to view network changes.
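As an added example (not the solution's own code), the following CloudFront Function in the viewer-response shape shows how security-related headers are added at the edge; the page does not list the headers the solution applies, so the header set and values below are assumptions.

```javascript
// Added example: a CloudFront Function (viewer-response event) that adds
// security-related HTTP headers to every response served for the web interface.
// The header set and values are assumptions; the page does not list the ones
// the solution applies. CloudFront Functions expose headers as lowercase keys
// mapped to { value: '...' } objects, which is the shape manipulated below.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'same-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()'
};

// Sets every security header on the response, overwriting any value the origin
// supplied so the policy is enforced at the edge, and returns the response.
function addSecurityHeaders(response) {
  var headers = response.headers || {};
  for (var name in SECURITY_HEADERS) {
    headers[name] = { value: SECURITY_HEADERS[name] };
  }
  response.headers = headers;
  return response;
}

// Returns true only when the response carries every header in SECURITY_HEADERS
// with the expected value; useful as a check before publishing the function.
function hasAllSecurityHeaders(response) {
  var headers = response.headers || {};
  for (var name in SECURITY_HEADERS) {
    if (!headers[name] || headers[name].value !== SECURITY_HEADERS[name]) {
      return false;
    }
  }
  return true;
}

// CloudFront Functions entry point: a viewer-response handler must return the
// (possibly modified) response object.
function handler(event) {
  return addSecurityHeaders(event.response);
}

// Constructed sample event in the CloudFront Functions viewer-response shape.
var sampleEvent = {
  version: '1.0',
  context: { eventType: 'viewer-response' },
  response: {
    statusCode: 200,
    statusDescription: 'OK',
    headers: { 'content-type': { value: 'text/html' },
               'x-frame-options': { value: 'SAMEORIGIN' } }
  }
};
```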

AWS Transit Gateway Network Manager

This solution deploys a Global Network in the hub account or uses an existing one. AWS Transit Gateway Network Manager provides a single global view of your private network. The solution also automatically registers the AWS Transit Gateway that it manages. This feature allows you to centrally monitor your network from the AWS Transit Gateway Network Manager dashboard.