Lab: Designing Multi-Account Connectivity with AWS Transit Gateway
Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns
In this lab, you will implement a hub-and-spoke networking architecture across multiple AWS accounts and regions. You will use AWS Transit Gateway (TGW) and AWS Resource Access Manager (RAM) to centralize connectivity and manage routing between disparate VPCs.
Prerequisites
- Two AWS Accounts: Referred to as `Account-A` (Hub) and `Account-B` (Spoke).
- AWS CLI: Installed and configured with profiles for both accounts (`--profile account-a` and `--profile account-b`).
- IAM Permissions: `AdministratorAccess` or a custom policy allowing `ec2:*TransitGateway*`, `ram:*`, and `ec2:*Vpc*` actions.
- Network Planning:
  - Hub VPC CIDR: `10.0.0.0/16` (Region: `us-east-1`)
  - Spoke VPC CIDR: `10.1.0.0/16` (Region: `us-east-1`)
Learning Objectives
- Provision an AWS Transit Gateway in a central hub account.
- Share network resources across accounts using AWS Resource Access Manager (RAM).
- Configure Transit Gateway Attachments for cross-account VPCs.
- Implement a routing strategy that allows communication between spoke and hub networks.
Architecture Overview
This architecture uses a Transit Gateway as a virtual router to manage traffic between VPCs. By sharing the TGW via RAM, the Spoke account can attach its VPC without needing its own gateway, reducing management overhead.
Step-by-Step Instructions
Step 1: Create the Transit Gateway (Account A)
The Transit Gateway acts as the central hub. We will disable "Default Route Table Propagation" for this lab to learn manual routing, though in production you might enable it for simplicity.

```bash
aws ec2 create-transit-gateway \
  --description "Hub-TGW" \
  --options AmazonSideAsn=64512,AutoAcceptSharedAttachments=enable,DefaultRouteTablePropagation=disable \
  --profile account-a
```

> [!TIP]
> Note the `TransitGatewayId` from the output; you will need it for all subsequent steps.
Console Alternative: Navigate to VPC Dashboard > Transit Gateways > Create Transit Gateway. Set Name to 'Hub-TGW', ensure 'Auto accept shared attachments' is enabled, and uncheck 'Default route table propagation' to match the CLI command above.
Step 2: Share the TGW via AWS RAM (Account A)
To allow Account B to see the TGW, you must share it using Resource Access Manager.
```bash
# 1. Create the resource share
aws ram create-resource-share \
  --name "Shared-TGW" \
  --resource-arns arn:aws:ec2:us-east-1:<ACCOUNT_A_ID>:transit-gateway/tgw-<ID> \
  --principals <ACCOUNT_B_ID> \
  --profile account-a
```

Step 3: Accept the Resource Share (Account B)
In Account B, you must accept the invitation to use the shared TGW.
```bash
# 1. List invitations
aws ram get-resource-share-invitations --profile account-b

# 2. Accept the invitation (using the ARN from the list command)
aws ram accept-resource-share-invitation \
  --resource-share-invitation-arn <INVITATION_ARN> \
  --profile account-b
```

Step 4: Create VPC Attachments
Now, attach both VPCs to the TGW. Note that the Hub attachment is done in Account A, and the Spoke attachment is done in Account B.
In Account A:
```bash
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-<ID> \
  --vpc-id vpc-hub-id \
  --subnet-ids subnet-hub-1 subnet-hub-2 \
  --profile account-a
```

In Account B:

```bash
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-<ID> \
  --vpc-id vpc-spoke-id \
  --subnet-ids subnet-spoke-1 subnet-spoke-2 \
  --profile account-b
```

Step 5: Configure Routing Tables
You must update the VPC Route Tables (not just the TGW route table) to point traffic to the TGW.
In Account A (Hub VPC Route Table):
- Destination: `10.1.0.0/16` (Spoke)
- Target: `tgw-<ID>`

In Account B (Spoke VPC Route Table):
- Destination: `10.0.0.0/16` (Hub)
- Target: `tgw-<ID>`
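Because propagation is disabled in Step 1, the TGW route table only holds what you add by hand, so it is worth auditing before the connectivity checkpoint. The following is an added example, not part of the lab: a small Python audit that compares a route table dump with the hub/spoke routes this lab intends and emits the reconciling CLI calls. It consumes the JSON shape printed by `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id tgw-rtb-<ID> --filters Name=state,Values=active,blackhole --profile account-a`; the embedded sample and every attachment/route-table ID are constructed placeholders, and adding a `10.2.0.0/16` entry covers the stretch challenge's Security VPC.

```python
"""Audit a TGW route table against this lab's intended hub/spoke routes.
Input has the shape of `aws ec2 search-transit-gateway-routes` output; the sample
below is constructed for the example and every ID is a hypothetical placeholder."""
import ipaddress
import json

# Intended static routes: CIDR -> the attachment that should carry it.
# Add "10.2.0.0/16" here for the Security VPC of the stretch challenge.
EXPECTED = {
    "10.0.0.0/16": "tgw-attach-hub0000000",    # Hub VPC, Account A
    "10.1.0.0/16": "tgw-attach-spoke000000",   # Spoke VPC, Account B
}

# Constructed sample: spoke route is correct, the hub route was created against
# the wrong attachment, and a stray blackholed default route is present.
SAMPLE_ROUTES_JSON = json.dumps({"Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "Type": "static", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-spoke000000"}]},
    {"DestinationCidrBlock": "10.0.0.0/16", "Type": "static", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-spoke000000"}]},
    {"DestinationCidrBlock": "0.0.0.0/0", "Type": "static", "State": "blackhole",
     "TransitGatewayAttachments": []},
]})

def audit_routes(routes_json, expected):
    """Compare the live routes with the intended map; return findings by category."""
    findings = {"missing": [], "wrong_target": [], "blackhole": [], "unexpected": []}
    seen = set()
    for route in json.loads(routes_json)["Routes"]:
        cidr = str(ipaddress.ip_network(route["DestinationCidrBlock"], strict=False))
        targets = [a["TransitGatewayAttachmentId"] for a in route.get("TransitGatewayAttachments", [])]
        seen.add(cidr)
        if route.get("State") == "blackhole":
            findings["blackhole"].append(cidr)
        if cidr not in expected:
            findings["unexpected"].append(cidr)   # e.g. a default route nobody planned
        elif targets != [expected[cidr]]:
            findings["wrong_target"].append((cidr, targets))
    findings["missing"] = [c for c in expected if c not in seen]
    return findings

def fix_commands(findings, expected, route_table_id, profile="account-a"):
    """Build the CLI calls that would reconcile the table (returned as text, not run)."""
    base = f"--transit-gateway-route-table-id {route_table_id} --profile {profile}"
    wrong = [c for c, _ in findings["wrong_target"]]
    cmds = [f"aws ec2 delete-transit-gateway-route {base} --destination-cidr-block {c}"
            for c in findings["unexpected"] + wrong]
    cmds += [f"aws ec2 create-transit-gateway-route {base} --destination-cidr-block {c} "
             f"--transit-gateway-attachment-id {expected[c]}" for c in findings["missing"] + wrong]
    return cmds
```

Review the emitted commands before running them; the default route-table ID for your TGW is in the `Options.AssociationDefaultRouteTableId` field of `aws ec2 describe-transit-gateways`.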
Checkpoints
| Checkpoint | Action | Expected Result |
|---|---|---|
| RAM Status | Run `aws ram get-resource-shares --resource-owner OTHER-ACCOUNTS --profile account-b` in Account B | Status should be `ACTIVE` |
| Attachment Status | View TGW Attachments in Account A Console | Both attachments should show available |
| Connectivity | Ping an EC2 instance in Spoke VPC from Hub VPC | Successful ICMP reply (ensure Security Groups allow ICMP) |
Teardown
> [!WARNING]
> Failing to delete these resources will result in hourly charges for the Transit Gateway and its attachments.

- Delete TGW Attachments: Start with Account B, then Account A.

```bash
# Run in Account B for the Spoke attachment, then again with --profile account-a for the Hub attachment
aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ID> --profile account-b
```

- Delete Resource Share: In Account A RAM console/CLI.
- Delete Transit Gateway: In Account A, once both attachments report `deleted` (the call is rejected while any attachment still exists).

```bash
aws ec2 delete-transit-gateway --transit-gateway-id <ID> --profile account-a
```
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| TGW not found | Region mismatch | Ensure both accounts are operating in `us-east-1` |
| State: pending | Attachment is still provisioning | Wait 2-3 minutes for the ENIs to be created in the subnets |
| Request timed out | Security Group or NACL | Ensure SGs allow the CIDR range of the peer VPC (10.x.x.x) |
Stretch Challenge
Task: Implement a "Security VPC" pattern. Create a third VPC (10.2.0.0/16) and configure the TGW Route Table so that all traffic between the Hub and Spoke must first pass through the Security VPC (using it as a Next Hop). This simulates an Inline Inspection pattern with a Firewall appliance.
Cost Estimate
- Transit Gateway: ~$0.05 per attachment per hour.
- Data Processing: ~$0.02 per GB processed by the TGW.
- Estimated Lab Cost: < $1.00 (if completed within 60 minutes).
Concept Review
Why use Transit Gateway over VPC Peering?
| Feature | VPC Peering | Transit Gateway |
|---|---|---|
| Topology | Mesh (1:1) | Hub-and-Spoke (1:Many) |
| Complexity | $N(N-1)/2$ connections | Linear ($N$ attachments) |
| Transitive Routing | No | Yes |
| Centralized Security | Difficult | Supported via Appliance VPCs |
Theoretical Routing Logic
```latex
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, minimum width=2.5cm, minimum height=1cm, align=center}]
  \node (start) {Packet Source\\(10.0.0.5)};
  \node (vpcrt) [right=of start] {VPC Route Table\\(Match 10.1.0.0/16)};
  \node (tgw) [right=of vpcrt] {Transit Gateway\\(Lookup Route Table)};
  \node (dest) [right=of tgw] {Packet Destination\\(10.1.0.20)};
  \draw[->] (start) -- (vpcrt);
  \draw[->] (vpcrt) -- node[above] {Target: TGW} (tgw);
  \draw[->] (tgw) -- node[above] {Attachment B} (dest);
\end{tikzpicture}
```