Traffic Flow and Configurations

The plugin deploys and manages the Security VPC. The plugin updates the Security VPC route tables based on the attachments discovered on the AWS Transit Gateway.

Inbound Traffic Flow

Inbound traffic flow combinations

#   Application              Traffic Type
1   In Security Account      Inbound
2   In Application Account   Cross-Outbound
Use Case: Inbound Traffic - Application is in the Security Account
The plugin creates a VPC Endpoint Service in the Security Account. The GWLB Endpoints must be associated with this VPC Endpoint Service.
Use Case: Inbound Traffic - Application is in another Application Account
When the application is in a different account, open the AWS console, choose Endpoint Services in the navigation pane, and select your Endpoint Service. Select Actions > Add Principal to allow the principals that may create endpoints to the service, for example arn:aws:iam::AccountNumber:root. The GWLB Endpoints must be associated with the VPC Endpoint Service.

Outbound and East-West Traffic Flow

Outbound traffic flow combinations

#   Transit Gateway          Application              Traffic Type
1   In Security Account      In Security Account      Outbound
2   In Security Account      In Application Account   Outbound
3   In Application Account   In Application Account   Cross-Outbound
4   In Application Account   In Security Account      Cross-Outbound
Use Case: Outbound Traffic - Transit Gateway and Application are in the Security Account
The plugin scans for attachments on the configured TGW. When the plugin detects an existing or new attachment, it makes the necessary route table modifications on the Security VPC components.
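The attachment-driven route update described above, as an added illustration that is not the plugin's own code: given attachments shaped like describe_transit_gateway_attachments output, the attached VPCs' CIDRs (in practice looked up with describe_vpcs in the owning account) and a Security VPC route table, it works out which TGW routes to add or remove, skips non-VPC and non-available attachments, and reports attachments from accounts the TGW was never meant to be shared with instead of routing to them. All identifiers, CIDRs and account numbers below are constructed sample values.

```python
# Constructed example identifiers and the set of accounts the TGW is shared with.
TGW_ID = "tgw-0abc0000000000001"
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}  # Security + Application accounts

# Constructed attachments, shaped like describe_transit_gateway_attachments output.
ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-sec", "ResourceType": "vpc", "State": "available",
     "ResourceOwnerId": "111111111111", "ResourceId": "vpc-sec-app"},
    {"TransitGatewayAttachmentId": "tgw-attach-app", "ResourceType": "vpc", "State": "available",
     "ResourceOwnerId": "222222222222", "ResourceId": "vpc-app2"},
    {"TransitGatewayAttachmentId": "tgw-attach-old", "ResourceType": "vpc", "State": "deleted",
     "ResourceOwnerId": "222222222222", "ResourceId": "vpc-old"},
    {"TransitGatewayAttachmentId": "tgw-attach-peer", "ResourceType": "peering", "State": "available",
     "ResourceOwnerId": "111111111111", "ResourceId": "tgw-0peer"},
    {"TransitGatewayAttachmentId": "tgw-attach-rogue", "ResourceType": "vpc", "State": "available",
     "ResourceOwnerId": "333333333333", "ResourceId": "vpc-unknown"},
]
# Constructed VPC CIDRs (would come from describe_vpcs in the owning account).
VPC_CIDRS = {"vpc-sec-app": ["10.1.0.0/16"], "vpc-app2": ["10.2.0.0/16"],
             "vpc-old": ["10.3.0.0/16"], "vpc-unknown": ["10.9.0.0/16"]}
# Constructed current routes of one Security VPC route table (describe_route_tables shape).
CURRENT_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": TGW_ID},
    {"DestinationCidrBlock": "10.3.0.0/16", "TransitGatewayId": TGW_ID},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
]


def reconcile(attachments, vpc_cidrs, current_routes, tgw_id, known_accounts):
    """Return routes to add/remove so the table tracks live VPC attachments.

    Only 'available' VPC attachments from known accounts get routes; others are
    reported. Routes not targeting this TGW (local, IGW, endpoints) are untouched.
    """
    desired, unexpected = set(), []
    for att in attachments:
        if att["ResourceType"] != "vpc" or att["State"] != "available":
            continue                      # deleted/pending or non-VPC attachment: no route
        if att["ResourceOwnerId"] not in known_accounts:
            unexpected.append(att["TransitGatewayAttachmentId"])  # flag, do not route
            continue
        desired.update(vpc_cidrs.get(att["ResourceId"], []))
    via_tgw = {r["DestinationCidrBlock"] for r in current_routes
               if r.get("TransitGatewayId") == tgw_id}
    return {"add": sorted(desired - via_tgw),
            "remove": sorted(via_tgw - desired),
            "unexpected": unexpected}
```

With the sample data the stale 10.3.0.0/16 route is removed, 10.2.0.0/16 is added for the new Application Account attachment, and the attachment from the unknown account is reported rather than routed.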
Use Case: Outbound Traffic - Transit Gateway is in Security Account and Application is in the Application Account
When the TGW is in the Security Account, applications that are not in the Security Account are protected by sharing the TGW with their accounts using Resource Access Manager (RAM) in the AWS console. You can choose the accounts with which you want to share the TGW from the plugin user interface. Once the deployment is in the Deploying state, monitor RAM in the Application Account for an invitation to share resources.
Use Case: Outbound Traffic - Transit Gateway and Application are in the Application Account
When the TGW is in the Application Account, it must be shared with the Security Account using RAM. To create a TGW attachment and route table, a RoleARN from that account must be added to the IAM role used for the deployment. Use the CFT hyperlink under Setup > Application Account to configure the Application Account prerequisites.
East-West traffic flow combinations

#                               Transit Gateway          Application 1            Application 2            Traffic Type
1                               In Security Account      In Security Account      In Security Account      East-West
2 (multi-account application)   In Security Account      In Security Account      In Application Account   East-West
3                               In Application Account   In Application Account   In Application Account   Cross East-West
4 (multi-account application)   In Application Account   In Application Account   In Security Account      Cross East-West
Use Case: East-West Traffic - Transit Gateway and Application1 are in the Security Account and Application2 is in the Security Account
When the TGW is in the Security Account, applications that are not in the Security Account are protected by sharing the TGW with their accounts using Resource Access Manager (RAM) in the AWS console. You can choose the accounts with which you want to share the TGW from the plugin user interface. Once the deployment is in the Deploying state, monitor RAM in the Application Account for an invitation to share resources.
Use Case: East-West Traffic - Transit Gateway and Application1 are in the Application Account and Application2 is in the Security Account
When the TGW is in the Application Account, it must be shared with the Security Account using RAM. To create a TGW attachment and route table, a RoleARN from that account must be added to the IAM role used for the deployment. Use the CFT hyperlink under Setup > Application Account to configure the Application Account prerequisites.