What does this AWS Solution do?
The Network Orchestration for AWS Transit Gateway solution automates the process of setting up and managing transit networks in distributed AWS environments. This solution allows customers to visualize and monitor their global network from a single dashboard rather than toggling between Regions from the AWS Console. It creates a web interface to help control, audit, and approve (transit) network changes.
Benefits
Cross-account and cross-Region automation
Tagging management
Tagging management
Web user interface
Tagging management
Flexible account support
Tagging management
Reference architecture
The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation templates.
Network Orchestration for AWS Transit Gateway
This solution includes an AWS CloudFormation template (aws-transit-network-orchestrator-hub) you deploy in the account you want to act as the hub in the solution’s hub-and-spoke model. This solution also includes a template (aws-transit-network-orchestrator-spoke) to deploy in spoke accounts.
1. An Amazon CloudWatch Events rule monitors Amazon Virtual Private Cloud (Amazon VPC) and subnet tags. To identify the VPCs (spoke accounts) for the solution to manage, tag the VPCs and the selected subnets within those VPCs.
2. This tag change is sent to the hub account through an Amazon EventBridge bus.
3. When the event is received in the hub account, an AWS Lambda function is initiated to start the Serverless Transit Network Orchestrator workflow.
4. AWS Step Functions (Serverless Transit Network Orchestrator state machine) and Lambda process network requests from the spoke accounts and event details are stored in Amazon DynamoDB. You can approve requests automatically or manually.
5. If you choose to approve requests automatically, the VPC attaches to AWS Transit Gateway. If you choose to approve requests manually, Amazon Simple Notification Service (Amazon SNS) sends an email to request approval. After the request is approved, the Serverless Transit Network Orchestrator state machine applies the network change.
6. If the request is rejected, DynamoDB and the spoke resources tag are updated with the rejected status. When a request is approved, the solution updates the route table associated with the subnet in the spoke account with a default route with AWS Transit Gateway as the target, which provides bi-directional connectivity. The solution workflow updates the subnet’s route table with the default route as defined in the hub template.
7. The transit gateway provisioned by the solution also gets registered with global network manager. Refer to AWS Transit Gateway Network Manager for more information.
Network Orchestration for AWS Transit Gateway
Version 3.2.1
Last updated: 01/2023
Author: AWS
Estimated deployment time: 25 min
Note: To subscribe to RSS updates, you must have an RSS plug-in enabled for the browser you are using.
"Australia Post is a self-funded postal service business with both commercial and community service obligations, serving 12.3 million delivery points across Australia. Our organization is made up of 35,000 employees so when we needed to expand our cloud technologies to scale our network across our growing cloud infrastructure with siloed VPCs and on-premises data centers, we experienced significant latency issues. The Serverless Transit Network Orchestrator (STNO) solution allowed us to automate our configuration and customize our network setup based on our needs with AWS Transit Gateway, reducing our network setup time from weeks to minutes, resulting on the final solution reaching 13X improved network traffic speeds between accounts."
Browse our library of AWS Solutions to get answers to common architectural problems.
Find AWS Partners to help you get started.
Find prescriptive architectural diagrams, sample code, and technical content for common use cases.