Solution components - Serverless Transit Network Orchestrator

Solution components

AWS Lambda

This solution deploys two AWS Lambda functions. One function starts the state machine execution after it is invoked by the Amazon CloudWatch event, and then processes the events from the Transit Network Management web interface during a manual approval workflow.

The other function performs all the AWS Transit Gateway related tasks, including transit network changes, Amazon DynamoDB updates, sending Amazon Simple Notification Service (Amazon SNS) notifications, tagging spoke resources, and accepting resource share (AWS Resource Access Manager(AWS RAM)) invitations from the spoke account.

AWS Step Functions

The Serverless Transit Network Orchestrator state machine contains AWS Step Functions that orchestrate the changes required to tether the network components. The state machine enables network administrators to analyze each event and troubleshoot any unexpected errors.

The Peering Attachment state machine contains AWS Step Functions that coordinate the changes required to peer inter-Region transit gateway connections.

Amazon DynamoDB

Amazon DynamoDB stores all tagging events made by users in the spoke accounts. It enables the administrator to retain and audit network changes made based on the tag changes.

By default, items expire after 90 days, but you can change the value by changing the Audit Trail Retention Period parameter in the hub template.

AWS Resource Access Manager

This solution uses AWS Resource Access Manager (AWS RAM) to create a resource share for transit gateway and managed prefix lists (if provided). Accounts that were identified during the hub template deployment, or within AWS Organizations, depending on your network environment, are shared through the transit gateway.

For accounts that use AWS Organizations, you must manually enable AWS RAM in the Organizations console and obtain the AWS Organizations master account ID and organization ID. AWS RAM allows you to share your resources through AWS Organizations. For steps to enable AWS RAM with AWS Organizations, refer to Appendix C.

Transit Network Management web interface

The Transit Network Management web interface is a ReactJS web application and is hosted in Amazon S3, delivered by CloudFront and authenticated by Amazon Cognito. The web interface leverages AWS AppSync to interact with DynamoDB and calls Lambda functions to initiate the Serverless Transit Network Orchestrator state machine in the manual approval workflow. The web interface provides a dashboard for administrators to resolve manual approval requests for network changes and allows other users to view network changes.

AWS Transit Gateway network manager

This solution deploys or uses an existing Global Network in the hub account. AWS Transit Gateway Network Manager provides a single global view of your private network. This solution also automatically registers the AWS Transit Gateway managed by the solution. This feature allows you to centrally monitor your network from the dashboard of the AWS Transit Gateway Network Manager.