Skip to main content

Adding a route to connect to a TGW

This document is a description of the current Cloud Platform & TGW setup. It also explain how to modify the relevant route table

The scope of this guide is limited on purpose, it only covers the Cloud Platform responsibilities

Quick introduction

AWS Transit Gateways allows VPCs, from different accounts or regions, to be connected securely. Transit Gateways have their own route-table. Transit Gateways (TGW) also support connecting to VPNs, AWS Direct Connect and other Transit Gateway

An important limitation: a TGW can only work with VPCs in the same region it is in. However, TGW from different regions can be peered.

The MoJ current Transit Gateway infrastructure is managed here : github repository

Transit Gateway

The Cloud Platform VPC is attached to the eu-west-2 TGW located in the moj-transit-gateway account. However, the attachment alone doesn’t allow traffic to flow: A new route need to be added to VPC’s route-table for each target VPC.

Example: The Analytical Platform(AP) wants to access the Cloud Platform (CP) VPC. - Both are attached the the TGW - The CP route-table should contain a route with the CP VPC’s CIDR block as a destination, but with the TGW ID as a target. - The same needs to be done on the AP VPC, to route back to CP.

Making the change

Everything is managed in the github repository, in the route.tf file of the cloud-platform folder Only an admin of the cloud-platform (moj-cp) is able to run that code.

Here is the snippet to add to the route.tf : ruby resource "aws_route" "my-new-route" { count = length(local.route_tables) route_table_id = local.route_tables[count.index] destination_cidr_block = "100.X.X.X/22" transit_gateway_id = "my-eu-west-2-TGW" }

The TGW gateway ID can be found in the Readme of the repo.

Note: Something similar need to be done on the ‘other side’, terraform or not.

This page was last reviewed on 28 June 2021. It needs to be reviewed again on 28 December 2021 by the page owner #cloud-platform .
This page was set to be reviewed before 28 December 2021 by the page owner #cloud-platform. This might mean the content is out of date.