aws-ia / terraform-aws-vpc

AWS VPC Module
https://registry.terraform.io/modules/aws-ia/vpc/aws/latest
Apache License 2.0

Multi-account central-egress vpc example #149

Closed fe-ax closed 2 months ago

fe-ax commented 2 months ago

Hi,

I'm having trouble connecting a VPC in another account to the transit gateway in the networking account.

Do you know if an example is available to set up an egress VPC and route traffic from other accounts through the egress VPC?

I can't figure out how the module uses the "transit_gateway" subnets. I hope someone can push me in the right direction on how to get traffic from an EC2 instance in the sandbox account to the internet through the nat gateway in the egress VPC.

I've set up the following:

Networking account

module "transit_gateway" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "2.12.2"

  name            = "my-tgw"
  description     = "Centralized Transit Gateway for the organization"
  create_tgw      = true
  share_tgw       = true
  amazon_side_asn = "64512"

  enable_auto_accept_shared_attachments = true

  vpc_attachments = {}

  ram_principals = [data.aws_organizations_organization.this.arn]

  tags = {
    created-with = "terraform"
  }
}

module "vpc" {
  source  = "aws-ia/vpc/aws"
  version = ">= 4.2.0"

  name                    = "egress-vpc"
  vpc_ipv4_ipam_pool_id   = aws_vpc_ipam_pool.region_eu_central_1.id
  vpc_ipv4_netmask_length = 17
  az_count                = 3

  transit_gateway_id = module.transit_gateway.ec2_transit_gateway_id
  transit_gateway_routes = {
    public = "10.0.0.0/12"
  }

  subnets = {
    public = {
      netmask                   = 24
      nat_gateway_configuration = "all_azs"
    }
    transit_gateway = {
      netmask                                         = 28
      connect_to_public_natgw                         = true
      transit_gateway_default_route_table_association = true
      transit_gateway_default_route_table_propagation = true
      transit_gateway_dns_support                     = "enable"

      tags = {
        subnet_type = "tgw"
      }
    }
  }
}

Sandbox account

data "aws_ec2_transit_gateway" "my_tgw" {
  filter {
    name   = "options.amazon-side-asn"
    values = ["64512"]
  }
}

module "vpc" {
  source  = "aws-ia/vpc/aws"
  version = ">= 4.2.0"

  name                    = "${var.account_name}-vpc"
  vpc_ipv4_ipam_pool_id   = data.aws_vpc_ipam_pool.region_eu_central_1.id
  vpc_ipv4_netmask_length = 17
  az_count                = 3

  transit_gateway_id = data.aws_ec2_transit_gateway.my_tgw.id
  transit_gateway_routes = {
    private = "0.0.0.0/0"
  }

  subnets = {
    private = {
      netmask = 24

      tags = {
        subnet_type = "private"
      }
    },
    transit_gateway = {
      netmask                                         = 24
      connect_to_public_natgw                         = true
      transit_gateway_default_route_table_association = true
      transit_gateway_default_route_table_propagation = true
      transit_gateway_dns_support                     = "enable"

      tags = {
        subnet_type = "tgw"
      }
    },
  }
}

Added: I've created a route 0.0.0.0 to the egress-vpc, which seems to work right, but I'm not sure this is the right solution.

pablo19sc commented 2 months ago

Hi! Are you creating the corresponding routes in the TGW itself? This module only creates the VPC, and the transit_gateway configuration provides the VPC attachment and VPC routing - but we do not create any TGW routing. You will need to create this TGW routing (route tables, static routes, associations/propagations).

We have a module that does these actions: https://registry.terraform.io/modules/aws-ia/network-hubandspoke/aws/latest. We use this module to create the central egress VPC and the corresponding TGW routing. For Spoke VPCs, you will need to use this module and attach the VPCs to the TGW.
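The TGW routing pablo19sc refers to (route tables, associations, propagations, static routes), written out as an added example for the networking account; this is not code from the module or from either commenter. It assumes the egress and spoke VPC modules are changed to set `transit_gateway_default_route_table_association` and `transit_gateway_default_route_table_propagation` to `false` (an attachment can only be associated with one route table), that the egress attachment ID is exposed by a `transit_gateway_attachment_id` module output, and that the spoke attachment IDs created in the other accounts are passed in through a variable.

```hcl
# Added example (not module code); assumes both VPC modules set the default route table association/propagation to false.
variable "spoke_attachment_ids" { # assumed input: spoke VPC attachment IDs, keyed by account name
  type = map(string)
}
locals {
  tgw_id               = module.transit_gateway.ec2_transit_gateway_id
  egress_attachment_id = module.vpc.transit_gateway_attachment_id # assumed module output
}

# Spoke route table: a default route towards the egress VPC and nothing else.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = local.tgw_id
}

# Egress route table: learns spoke CIDRs by propagation so NAT return traffic gets home.
resource "aws_ec2_transit_gateway_route_table" "egress" {
  transit_gateway_id = local.tgw_id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = var.spoke_attachment_ids
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_to_egress" {
  for_each                       = var.spoke_attachment_ids
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.egress.id
}

resource "aws_ec2_transit_gateway_route_table_association" "egress" {
  transit_gateway_attachment_id  = local.egress_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.egress.id
}

# Internet-bound traffic from every spoke is sent to the egress VPC's NAT gateways.
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = local.egress_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# More-specific blackhole so spokes cannot reach each other by hairpinning through the egress VPC.
resource "aws_ec2_transit_gateway_route" "spoke_isolation" {
  destination_cidr_block         = "10.0.0.0/8"
  blackhole                      = true
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
```

Because the TGW is owned by the networking account, these route table resources must live there; the sandbox account only creates its VPC and attachment (the `private = "0.0.0.0/0"` VPC route shown above stays as-is), and after `apply` the TGW route tables in the console should show each spoke associated with the spoke table and propagated only into the egress table.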

fe-ax commented 2 months ago

Hi @pablo19sc,

Thank you for responding so quickly. I didn't get the hub and spoke module working on the first attempts, but I put more effort into it since you recommended it. It's working great so far.