awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

feat: Support for transit gateway peering to external/non-LZA transit gateways #568

Open edhull opened 2 months ago

edhull commented 2 months ago

It is not currently possible to use the syntax exposed in network-config.yaml to request/accept transit gateway peering to/from an external (created outside of the LZA) transit gateway. This is problematic where connectivity is required to 3rd parties who also reside in AWS and require routed traffic, but are not under the jurisdiction of the LZA.

The transitGatewayPeering configuration (example below) only supports peering between transit gateways which have themselves been created via the LZA. The transitGatewayName is a logical reference to a transit gateway created elsewhere in the networking configuration file. Similarly the account parameter is a logical reference to an account provisioned via accounts-config.yaml.

transitGatewayPeering:
  - name: TGW-peer
    autoAccept: true
    requester:
      transitGatewayName: TGW-req-test
      account: Network
      region: *HOME_REGION
      routeTableAssociations: TGW-RT-req-test
    accepter:
      transitGatewayName: TGW-accept-test
      account: Network
      region: *HOME_REGION
      routeTableAssociations: TGW-RT-acc-test
      autoAccept: true
      applyTags: true

The only workaround is to either wrap this up in a customization or handle the management of the transit gateway (and routes) outside of the LZA.

Describe the feature you'd like

A feature to support transit gateway peering (request/accept) to/from third-party transit gateways by providing string parameters as an alternative to logical references. For example, something such as the following:

transitGatewayPeering:
  - name: Example-request-external-peer
    requester:
      transitGateway: TGW-RT-req-test
      account: Network
      targetAccount: 01234567890
      targetTransitGateway: tgw-a1b2c3d4e5f6
      region: *HOME_REGION
      routeTableAssociations: TGW-RT-req-test

  - name: Example-accept-external-peer
    accepter:
      transitGateway: TGW-RT-req-test
      account: Network
      transitGatewayAttachmentId: tgw-attach-0a1b2c3d4e5f6
      region: *HOME_REGION
      routeTableAssociations: TGW-RT-acc-test

Additional context

I believe all the context is covered, but happy to answer any clarification questions.
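As an added illustration that is not LZA code and not part of this issue, the following shows how the proposed syntax could be validated before any peering request is sent or attachment accepted: identifier formats are checked and `targetAccount` must be on an explicit allow-list, since an external peer is a trust boundary. It assumes the YAML has already been parsed (the sample is embedded as a dict, with the `*HOME_REGION` anchor resolved to a constructed literal), and the id patterns and the allow-list are assumptions of this example.

```python
import re

# Constructed sample: the proposed (currently unsupported) entries from the issue,
# as they would look once parsed from network-config.yaml.
PROPOSED_PEERING = [
    {"name": "Example-request-external-peer",
     "requester": {"transitGateway": "TGW-RT-req-test", "account": "Network",
                   "targetAccount": "01234567890",
                   "targetTransitGateway": "tgw-a1b2c3d4e5f6",
                   "region": "eu-west-2", "routeTableAssociations": "TGW-RT-req-test"}},
    {"name": "Example-accept-external-peer",
     "accepter": {"transitGateway": "TGW-RT-req-test", "account": "Network",
                  "transitGatewayAttachmentId": "tgw-attach-0a1b2c3d4e5f6",
                  "region": "eu-west-2", "routeTableAssociations": "TGW-RT-acc-test"}},
]

# Assumed id shapes: AWS account ids are 12 digits; resource ids are a prefix plus hex.
ACCOUNT_ID = re.compile(r"^\d{12}$")
TGW_ID = re.compile(r"^tgw-[0-9a-f]{8,17}$")
ATTACH_ID = re.compile(r"^tgw-attach-[0-9a-f]{8,17}$")


def validate_external_peering(entries, allowed_peer_accounts):
    """Return a list of problems; an empty list means every entry passed."""
    problems = []
    for entry in entries:
        name = entry.get("name", "<unnamed>")
        req, acc = entry.get("requester"), entry.get("accepter")
        if (req is None) == (acc is None):
            problems.append(f"{name}: exactly one of requester/accepter is required")
            continue
        if req is not None:
            peer = str(req.get("targetAccount", ""))
            if not ACCOUNT_ID.match(peer):
                problems.append(f"{name}: targetAccount {peer!r} is not a 12-digit account id")
            elif peer not in allowed_peer_accounts:
                problems.append(f"{name}: targetAccount {peer} is not on the external peer allow-list")
            if not TGW_ID.match(str(req.get("targetTransitGateway", ""))):
                problems.append(f"{name}: targetTransitGateway is not a tgw-... id")
        else:
            # The accepter side only names an attachment id, so the requesting account is
            # not visible here; look it up (DescribeTransitGatewayPeeringAttachments,
            # RequesterTgwInfo.OwnerId) and apply the same allow-list before accepting.
            if not ATTACH_ID.match(str(acc.get("transitGatewayAttachmentId", ""))):
                problems.append(f"{name}: transitGatewayAttachmentId is not a tgw-attach-... id")
    return problems
```

Run against the sample above, the check rejects the requester entry because `01234567890` is only eleven digits, which is exactly the kind of typo a hand-written peer account id invites.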

richardkeit commented 2 months ago

Hey @edhull, related issue: