Networking & Content Delivery

How to use AWS Network Manager to visualize Transit Gateways across multiple accounts in the AWS Organization

When you migrate or build new applications in AWS, you typically need to connect multiple Amazon Virtual Private Clouds (Amazon VPCs) spread across different accounts, and to connect your on-premises systems to those VPCs. AWS Transit Gateway is one of the most popular and commonly used services in these scenarios. When you need controlled communication or isolation between VPCs, and those VPCs also need to reach on-premises systems (over AWS Direct Connect and/or a VPN connection), Transit Gateway acts as a centralized router.

Most enterprises today have resources spanning multiple geographies, and use multiple Transit Gateways across various AWS Regions and accounts. Hence you need the ability to visualize and monitor the Transit Gateway network to understand the existing inventory. This visibility helps you make informed decisions about architecture changes and troubleshooting, and helps new team members ramp up on how the existing Transit Gateway network is set up. AWS Network Manager provides centralized network monitoring, global network visibility, and a unified interface to manage your global network across AWS and on-premises locations. Until May 2022, you could use Network Manager to monitor and visualize the global network of a single AWS account only. With the launch of multi-account support, Network Manager extends its management capabilities across multiple accounts in an AWS Organization.

In this post, you’ll learn how to use AWS Network Manager to monitor your Transit Gateways spread across multiple accounts within an AWS Organization. You can now register Transit Gateways from different accounts and define on-premises resources to get global network visibility, and monitor the quality of your global network, both in AWS and on-premises, from the AWS Network Manager dashboard.

You’ll learn how to configure AWS Network Manager, register your Transit Gateways across various accounts, and visualize them.

Solution overview

The following diagram shows a high-level overview of a Transit Gateway network spread across multiple accounts. Every Transit Gateway in the Organization that you want to see in Network Manager must be registered to the global network; unregistered Transit Gateways do not appear in the visualization.

<img src="picture 1.png" alt="Multi Account Transit Gateway Topology">

Figure 1 – Multi Account Transit Gateway Topology

In this diagram, we have VPCs located across multiple Regions (ap-south-1 and ap-southeast-1). This is a multi-account setup with AWS Organizations, where the staging and dev accounts are located in ap-southeast-1 and the prod account is located in ap-south-1. All three accounts have a Transit Gateway with their respective VPC attachments. The Transit Gateways are also peered together to provide inter-Region connectivity between the VPCs.

You must complete the following steps to integrate all of the Transit Gateways in Network Manager before you can visualize them:

  1. Create a global network
  2. Enable multi-account access
  3. Register your transit gateway
  4. View and monitor your global network

Prerequisites

Before you begin, make sure that your accounts belong to an AWS Organization and that you have a Transit Gateway with attachments in your account or in any other account within that Organization.

A. Create a global network

Create a global network as a container for your transit gateway.

To create a global network

  1. Open the Network Manager console.
  2. In the left navigation pane, choose Global networks.
  3. Select Create global network.
  4. Enter a name and an optional description for the global network, and choose Next.
<img src="picture 2.png" alt="Creating Global Network">

Figure 2 – Creating Global Network

  5. In the next screen, deselect “Add core network in your global network”, and choose Next.
  6. Finally, review and choose Create global network.
<img src="picture 3.png" alt="Creating Global Network">

Figure 3 – Creating Global Network

B. Enable multi-account access

Enable multi-account access to register Transit Gateways from multiple accounts. This lets you view and manage Transit Gateways and associated resources from those accounts in your global network. Your accounts must be part of an AWS Organization before you can enable multi-account access for Network Manager, and enabling trusted access and registering a delegated administrator are actions of the Organizations management account. You can enable multi-account access from the Network Manager console.

<img src="picture 4.png" alt="Enabling multi-account support">

Figure 4 – Enabling multi-account support

A delegated administrator account for the Network Manager service can use the service-linked role (SLR) that was deployed in the member accounts when trusted access was enabled. It can therefore view Transit Gateways in other member accounts and register them to its global network, so that those Transit Gateways and their associated resources appear in its global network topology. Because this gives one account visibility into network resources across the whole Organization, choose the delegated administrator deliberately (typically a central networking or security account) rather than an arbitrary member account.

For more information on enabling trusted access and registering delegated administrators, see Multi-account.

<img src="picture 5.png" alt="Registering delegated administrator">

Figure 5 – Registering delegated administrator

C. Register your Transit Gateway

Now, we’ll register a Transit Gateway in your global network. With multi-account enabled, you can register Transit Gateways from multiple accounts to your global network. For more information on registering Transit Gateways, see Transit Gateway registrations.

To register the Transit Gateway

  1. On the Global networks page, choose the global network ID (the global network you created in step A).
  2. In the left navigation pane, choose Transit gateways, and then choose Register transit gateway.
  3. From the Select account dropdown list, choose the account that owns the Transit Gateway you want to register.
  4. Select one or more Transit Gateways from the list, and then choose Register transit gateway. In our example, we’ve selected all of the Transit Gateways shown in the diagram.
<img src="picture 6.png" alt="Transit Gateway registration">

Figure 6 – Transit Gateway registration

D. View and monitor your global network

The Network Manager console provides a dashboard where you can view and monitor the Transit Gateway network objects in your global network.

To access the dashboard for your global network

  1. On the Global networks page, choose the global network ID.
  2. Choose the Overview tab to visualize your Transit Gateways on the world map.
<img src="picture 7.png" alt="Geographical View">

Figure 7 – Geographical View

  3. Choose the Topology graph to visualize your Transit Gateway network.
<img src="picture 8.png" alt="Topographical View">

Figure 8 – Topographical View

  4. Choose the Topology tree to visualize your Transit Gateway network as a hierarchy. For more information about the pages in the dashboard, see Visualize transit gateway networks.
<img src="picture 9.png" alt="Topology Tree View">

Figure 9 – Topology Tree View
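The console walkthrough in steps A through D is easy to click through once, but registering every Transit Gateway in an Organization and confirming nothing was missed is something you will want to script and re-run. The script below is an added example and is not code from the original post or from the AWS documentation. It is the AWS CLI equivalent of the four steps: `enable` runs the trusted-access and delegated-administrator calls (Organizations management account credentials), `setup` creates the global network and registers an inventory of Transit Gateways (delegated administrator credentials), and `check` compares what Network Manager reports as AVAILABLE against that inventory. The account IDs, Regions and tgw-* IDs in INVENTORY are placeholders standing in for the three accounts of Figure 1; the service principal name `networkmanager.amazonaws.com` is the one used for Organizations trusted access, and `us-west-2` is the home Region of the Network Manager API, which you must pass regardless of where your Transit Gateways live.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the AWS CLI equivalent of
# console steps A-D. Assumptions: AWS CLI v2; credentials for the Organizations
# management account when running "enable", and for the delegated administrator
# account for "setup" and "check". Account IDs, Regions and tgw-* IDs below are
# placeholders standing in for the three accounts of Figure 1.
set -eu

# Network Manager is a global service; its API endpoint is in us-west-2,
# regardless of the Regions your transit gateways live in.
NM_REGION=us-west-2

# Inventory to register: <account-id> <region> <tgw-id> per line (placeholders).
INVENTORY='111122223333 ap-south-1     tgw-0a1b2c3d4e5f67890
444455556666 ap-southeast-1 tgw-0f1e2d3c4b5a69870
777788889999 ap-southeast-1 tgw-09876543210fedcba'

# register-transit-gateway takes the ARN, not the tgw-* ID.
tgw_arn() { # tgw_arn <account-id> <region> <tgw-id>
  printf 'arn:aws:ec2:%s:%s:transit-gateway/%s\n' "$2" "$1" "$3"
}

# Reject anything that is not a well-formed ID before it reaches the CLI
# (EC2 resource IDs use 8 or 17 lowercase hex digits).
valid_tgw_id() { printf '%s\n' "$1" | grep -Eq '^tgw-([0-9a-f]{8}|[0-9a-f]{17})$'; }

# Diff two newline-separated ARN lists: print the expected ARNs that are absent
# from the registered list (empty output means everything is registered).
missing_registrations() { # missing_registrations <expected> <registered>
  registered=" $(printf '%s' "$2" | tr '\n' ' ') "
  for arn in $1; do
    case "$registered" in
      *" $arn "*) ;;
      *) printf '%s\n' "$arn" ;;
    esac
  done
}

# ARNs we intend to have registered, derived from INVENTORY.
expected_arns() {
  printf '%s\n' "$INVENTORY" | while read -r account region tgw; do
    tgw_arn "$account" "$region" "$tgw"
  done
}

# Step B (management account): turn on trusted access for Network Manager and
# delegate administration to the account that will own the global network.
enable_multi_account() { # enable_multi_account <delegated-admin-account-id>
  aws organizations enable-aws-service-access \
      --service-principal networkmanager.amazonaws.com
  aws organizations register-delegated-administrator \
      --account-id "$1" --service-principal networkmanager.amazonaws.com
}

# Step A (delegated admin): create the global network; prints its ID.
create_global_network() {
  aws networkmanager create-global-network --region "$NM_REGION" \
      --description "Organization-wide transit gateway inventory" \
      --query 'GlobalNetwork.GlobalNetworkId' --output text
}

# Step C: register every transit gateway in INVENTORY, whichever account owns it.
register_inventory() { # register_inventory <global-network-id>
  printf '%s\n' "$INVENTORY" | while read -r account region tgw; do
    if ! valid_tgw_id "$tgw"; then
      echo "skipping malformed transit gateway ID: $tgw" >&2
      continue
    fi
    aws networkmanager register-transit-gateway --region "$NM_REGION" \
        --global-network-id "$1" \
        --transit-gateway-arn "$(tgw_arn "$account" "$region" "$tgw")"
  done
}

# Step D: list registrations that have reached AVAILABLE (registration is
# asynchronous, so a fresh one may still be PENDING) and report what is missing.
check_registrations() { # check_registrations <global-network-id>
  registered=$(aws networkmanager get-transit-gateway-registrations \
      --region "$NM_REGION" --global-network-id "$1" \
      --query 'TransitGatewayRegistrations[?State.Code==`AVAILABLE`].TransitGatewayArn' \
      --output text | tr '\t' '\n')
  missing=$(missing_registrations "$(expected_arns)" "$registered")
  if [ -z "$missing" ]; then
    echo "all inventoried transit gateways are registered in $1"
  else
    printf 'not yet registered in %s:\n%s\n' "$1" "$missing"
    return 1
  fi
}

case "${1:-}" in
  enable) enable_multi_account "${DELEGATED_ADMIN:?set to the delegated administrator account ID}" ;;
  setup)  gn=$(create_global_network); register_inventory "$gn"; echo "$gn" ;;
  check)  check_registrations "${2:?usage: $0 check <global-network-id>}" ;;
esac
```

Run `DELEGATED_ADMIN=444455556666 ./nm-register.sh enable` once with management-account credentials, then `./nm-register.sh setup` with the delegated administrator's credentials; it prints the new global network ID. Give the registrations a minute to leave PENDING and then run `./nm-register.sh check <global-network-id>`, which exits non-zero and lists the missing ARNs if any inventoried Transit Gateway has not reached AVAILABLE, so it can sit in a pipeline that fails when a new account's Transit Gateway has not been onboarded. The console's Enable multi-account access button performs the same trusted-access step as `enable`; the CLI form is shown here because it can be scripted and the resulting Organizations change is visible in CloudTrail.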

Conclusion

This post showed you how to configure AWS Network Manager to visualize all of the Transit Gateways in your Organization. Multi-account support reduces the operational complexity of managing a large global network across AWS accounts by bringing it into a single, unified operational dashboard.

Additional reading

For more information about AWS Network Manager, see the following:

Anant Vaibhav

Anant is a Cloud Support Engineer II at AWS with a focus on networking. He is an accredited subject-matter expert (SME) in Transit Gateway and VPN services. Prior to AWS, Anant worked in data and wireless networking. He enjoys solving technical challenges in networking.

Ashutosh Pateriya

Ashutosh Pateriya is a Senior Solutions Architect at AWS. He is passionate about cloud networking and security, and about helping customers leverage the power of the AWS Cloud.

Nishant Kumar

Nishant Kumar is a Senior Product Manager in the Amazon VPC team. He is interested in areas of network observability and network management. Outside work, he loves Formula 1 racing, cooking, and exploring wildlife.