Adding a route to connect to a TGW
This document is a description of the current Cloud Platform & TGW setup. It also explain how to modify the relevant route table
The scope of this guide is limited on purpose, it only covers the Cloud Platform responsibilities. The techops/cloud-ops team is able to share the Transit Gateways with other AWS accounts.
Quick introduction
AWS Transit Gateways allows VPCs, from different accounts or regions, to be connected securely. Transit Gateways have their own route-table. Transit Gateways (TGW) also support connecting to VPNs, AWS Direct Connect and other Transit Gateway
An important limitation: a TGW can only work with VPCs in the same region it is in. However, TGW from different regions can be peered.
The MoJ current Transit Gateway infrastructure is managed here : github repository
Transit Gateway
The Cloud Platform VPC is attached to the eu-west-2 TGW located in the moj-transit-gateway
account.
However, the attachment alone doesn’t allow traffic to flow: A new route need to be added to VPC’s route-table for each target VPC.
Example: The Analytical Platform(AP) wants to access the Cloud Platform (CP) VPC. - Both are attached the the TGW - The CP route-table should contain a route with the CP VPC’s CIDR block as a destination, but with the TGW ID as a target. - The same needs to be done on the AP VPC, to route back to CP.
Making the change
Everything is managed in the github repository, in the route.tf file of the cloud-platform folder
Only an admin of the cloud-platform (moj-cp
) is able to run that code.
Here is the snippet to add to the route.tf :
resource "aws_route" "my-new-route" {
count = length(local.route_tables)
route_table_id = local.route_tables[count.index]
destination_cidr_block = "100.X.X.X/22"
transit_gateway_id = "my-eu-west-2-TGW"
}
The TGW gateway ID can be found in the Readme of the repo.
Note: Something similar need to be done on the ‘other side’, terraform or not.