In this section you’ll be configuring resources in the network-prod AWS account that you established earlier.
In later sections, you’ll be creating test and production VPCs in other AWS accounts and taking steps to attach those VPCs to the transit gateway that you’re establishing in the network-prod AWS account.
The resources you’ll be configuring in the network-prod AWS account include:
Once you create test and production workloads AWS accounts and VPCs, you’ll also attach those VPCs to your transit gateway and update the network services route table accordingly.
The overall configuration in this guide is patterned after the example Isolated VPCs with shared services.
The following diagram represents a transit gateway and related resources that enable defined connectivity between VPCs and your on-premises network. Based on the configuration of the transit gateway routing tables, you have control over which VPCs have connectivity to each other and with your on-premises network.
The transit gateway and routing configuration shown in the diagram above supports the following connectivity scenarios:
| Source | On-Premises via Site-to-Site VPN | Infrastructure Shared Services VPC | Team Development VPC | Test VPC | Production VPC |
|---|---|---|---|---|---|
| On-Premises via Site-to-Site VPN | NA | Y | Y | Y | Y |
| Infrastructure Shared Services VPC | Y | NA | Y | Y | Y |
| Team Development VPC | Y | Y | NA | N | N |
By adjusting the configuration of your transit gateway route tables, you can modify the allowed connectivity.
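The connectivity matrix above follows directly from how each attachment is associated with a transit gateway route table and which routes (propagated or static) that table holds. The following added example, which is not part of this guide or of AWS’s own code, models that behaviour offline: it builds the shared-services pattern with two route tables (one for the on-premises VPN and the shared services VPC, one for the isolated VPCs), derives the matrix, and then shows what a static-route adjustment changes. The CIDRs, attachment names and route table names are constructed assumptions, and the model deliberately simplifies AWS Transit Gateway to longest-prefix lookup over propagated and static routes.

```python
"""Offline model of transit gateway route-table behaviour (constructed example).

Connectivity between two attachments requires a route in *both* directions:
the source's route table must send packets to the destination, and the
destination's route table must send replies back.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Attachment:
    name: str
    cidr: str  # prefix this attachment advertises into the transit gateway (constructed)


@dataclass
class RouteTable:
    name: str
    associations: set = field(default_factory=set)     # attachments that use this table for lookups
    propagations: set = field(default_factory=set)     # attachments whose CIDRs are installed as routes
    static_routes: dict = field(default_factory=dict)  # CIDR -> target attachment name (None = blackhole)


class TransitGateway:
    def __init__(self, attachments, route_tables):
        self.attachments = {a.name: a for a in attachments}
        self.route_tables = route_tables
        # Every attachment is associated with exactly one route table.
        seen = [a for rt in route_tables for a in rt.associations]
        assert sorted(seen) == sorted(self.attachments), "each attachment needs exactly one association"

    def table_for(self, attachment):
        return next(rt for rt in self.route_tables if attachment in rt.associations)

    def routes(self, rt):
        """Effective routes: propagated routes first, then static routes (a static
        route for the same prefix overrides the propagated one)."""
        installed = {ip_network(self.attachments[a].cidr): a for a in rt.propagations}
        for cidr, target in rt.static_routes.items():
            installed[ip_network(cidr)] = target
        return installed

    def lookup(self, rt, dst: IPv4Network):
        """Longest-prefix match; returns the target attachment, or None when there is
        no matching route (or the matching route is a blackhole)."""
        candidates = [(n, t) for n, t in self.routes(rt).items() if dst.subnet_of(n)]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]

    def forward_target(self, src, dst):
        """Where packets from src addressed to dst's CIDR are sent (one direction only)."""
        return self.lookup(self.table_for(src), ip_network(self.attachments[dst].cidr))

    def can_reach(self, src, dst):
        """True only if the forward path reaches dst AND the return path reaches src."""
        return self.forward_target(src, dst) == dst and self.forward_target(dst, src) == src

    def connectivity_matrix(self):
        names = list(self.attachments)
        return {s: {d: "NA" if s == d else ("Y" if self.can_reach(s, d) else "N") for d in names}
                for s in names}


def build_shared_services_tgw():
    """Isolated VPCs with shared services: two route tables, as described in this guide."""
    attachments = [
        Attachment("on-premises", "10.0.0.0/16"),       # site-to-site VPN attachment
        Attachment("shared-services", "10.1.0.0/16"),
        Attachment("development", "10.2.0.0/16"),
        Attachment("test", "10.3.0.0/16"),
        Attachment("production", "10.4.0.0/16"),
    ]
    everyone = {a.name for a in attachments}
    shared_rt = RouteTable("shared-services-rt",
                           associations={"on-premises", "shared-services"},
                           propagations=everyone)
    isolated_rt = RouteTable("isolated-rt",
                             associations={"development", "test", "production"},
                             propagations={"on-premises", "shared-services"})
    return TransitGateway(attachments, [shared_rt, isolated_rt])


def allow_pair(tgw, a, b):
    """Adjust the route tables so attachments a and b can talk: a static route in each
    direction, because a one-way route only gets packets there, not back."""
    tgw.table_for(a).static_routes[tgw.attachments[b].cidr] = b
    tgw.table_for(b).static_routes[tgw.attachments[a].cidr] = a


if __name__ == "__main__":
    tgw = build_shared_services_tgw()
    for src, row in tgw.connectivity_matrix().items():
        print(f"{src:16}", "  ".join(f"{dst}:{v}" for dst, v in row.items()))
```

Running the block prints the same Y/N pattern as the guide's table for the on-premises, shared services and development rows. A point worth checking before changing a table in production: `allow_pair` adds both static routes to `isolated-rt`, which is shared by the development, test and production attachments, so production also gains a forward route toward development; the matrix still reports N for that pair only because development has no return route to production. Putting each environment in its own route table avoids that kind of unintended exposure.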
Role of VPC security groups and network access control lists (NACLs): In addition to controlling connectivity between VPCs, and between VPCs and your on-premises network, with transit gateway route tables, you would likely use security groups and NACLs in your VPCs to provide another layer of control.
The subsequent sections in this guide lead you through the detailed setup steps to establish this configuration.
Detailed traffic flow examples: If you’d like to walk through detailed traffic flow examples when using AWS Transit Gateway, see Field Notes: Working with Route Tables in AWS Transit Gateway.
Routing internet egress traffic to your on-premises network: An optional step is to remove the public subnets and NAT gateways from the development VPC and route all internet egress traffic from the development VPC to your on-premises network. You might choose this option as a short-term solution to direct the egress traffic through your existing network security filtering services in your on-premises environment. Longer term, you would likely host those filtering services in your AWS environment.