Update the Security VPC route tables.
Inbound Traffic Flow
Inbound traffic flow combinations
| Case | Application | Traffic Type |
| --- | --- | --- |
| 1 | In Security Account | Inbound |
| 2 | In Application Account | Cross-Inbound |
Use Case: Inbound Traffic - Application is in the Security Account
The plugin creates a VPC Endpoint Service in the Security Account. The GWLB endpoints must be associated with that VPC Endpoint Service.
Use Case: Inbound Traffic - Application is in an Application Account
When the application is in a different account, open the AWS console, choose Endpoint Services in the navigation pane, and select the Endpoint Service that the plugin created. Under Allow principals, add the Application Account as an allowed principal, for example arn:aws:iam::AccountNumber:root. Note that the :root principal lets any identity in that account create endpoints against the service; use a specific role ARN instead if your environment allows it. The GWLB endpoints must be associated with the VPC Endpoint Service.
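The same cross-account steps with the AWS CLI, as an added example that is not part of the plugin documentation. The service ID, account IDs, region, VPC and subnet IDs and the CLI profile name are placeholders; AWS_CMD is a hypothetical variable so the script can be dry-run with AWS_CMD=echo instead of calling AWS.

```shell
#!/bin/sh
# Added example (not the plugin's own code): allow an Application Account to
# consume the Security Account's VPC Endpoint Service, then create the GWLB
# endpoint from the Application Account side.
# All identifiers below are placeholders. AWS_CMD=echo dry-runs the commands.
AWS_CMD="${AWS_CMD:-aws}"

# Reject anything that is not a 12-digit AWS account ID before it reaches IAM.
valid_account_id() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Security Account: add the Application Account as an allowed principal.
# arn:aws:iam::<account>:root grants every principal in that account the right
# to create endpoints against the service; narrow it to a role ARN where possible.
allow_account_on_endpoint_service() {
    service_id="$1"; account_id="$2"
    valid_account_id "$account_id" || { echo "bad account id: $account_id" >&2; return 1; }
    $AWS_CMD ec2 modify-vpc-endpoint-service-permissions \
        --service-id "$service_id" \
        --add-allowed-principals "arn:aws:iam::${account_id}:root"
}

# Application Account: create a Gateway Load Balancer endpoint that points at the
# service. The service name is derived from the region and the service ID.
create_gwlb_endpoint() {
    region="$1"; service_id="$2"; vpc_id="$3"; subnet_id="$4"; profile="$5"
    $AWS_CMD --profile "$profile" --region "$region" ec2 create-vpc-endpoint \
        --vpc-endpoint-type GatewayLoadBalancer \
        --service-name "com.amazonaws.vpce.${region}.${service_id}" \
        --vpc-id "$vpc_id" \
        --subnet-ids "$subnet_id"
}

# Check: list the principals currently allowed on the service.
list_allowed_principals() {
    $AWS_CMD ec2 describe-vpc-endpoint-service-permissions --service-id "$1" \
        --query 'AllowedPrincipals[].Principal' --output text
}
```

Run allow_account_on_endpoint_service with the Security Account credentials and create_gwlb_endpoint with the Application Account profile; list_allowed_principals is the quick check that the permission actually landed before troubleshooting a failed endpoint creation.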
Outbound and East-West Traffic Flow
Outbound traffic flow combinations
| Case | Transit Gateway | Application | Traffic Type |
| --- | --- | --- | --- |
| 1 | In Security Account | In Security Account | Outbound |
| 2 | In Security Account | In Application Account | Outbound |
| 3 | In Application Account | In Application Account | Cross-Outbound |
| 4 | In Application Account | In Security Account | Cross-Outbound |
Use Case: Outbound Traffic - Transit Gateway and Application are in the Security Account
The plugin scans for attachments on the configured TGW. When it detects an existing or new attachment, it makes the necessary route table modifications on the Security VPC components.
Use Case: Outbound Traffic - Transit Gateway is in the Security Account and Application is in the Application Account
When the TGW is in the Security Account, the applications that are not in the Security Account are protected by sharing the TGW with their accounts through Resource Access Manager (RAM) in the AWS console. You choose the accounts to share the TGW with from the plugin user interface. Once the deployment is in the Deploying state, monitor RAM in the Application Account for a resource share invitation and accept it; the TGW is not visible to the Application Account until the invitation is accepted (the invitation step is skipped only when both accounts are in the same AWS Organization with RAM sharing enabled).
Use Case: Outbound Traffic - Transit Gateway and Application are in the Application Account
When the TGW is in the Application Account, it must be shared with the Security Account using RAM. To let the deployment create a TGW attachment and route table in the Application Account, the ARN of an IAM role from that account (the RoleARN) must be added to the IAM role used for the deployment. Use the CFT hyperlink to configure the Application Account prerequisites.
East-West traffic flow combinations
| Case | Transit Gateway | Application 1 | Application 2 | Traffic Type |
| --- | --- | --- | --- | --- |
| 1 | In Security Account | In Security Account | In Security Account | East-West |
| 2 (multi-account application) | In Security Account | In Security Account | In Application Account | East-West |
| 3 | In Application Account | In Application Account | In Application Account | Cross East-West |
| 4 (multi-account application) | In Application Account | In Application Account | In Security Account | Cross East-West |
Use Case: East-West Traffic - Transit Gateway and Application1 are in the Security Account and Application2 is in the Application Account
When the TGW is in the Security Account, the applications that are not in the Security Account are protected by sharing the TGW with their accounts through Resource Access Manager (RAM) in the AWS console. You choose the accounts to share the TGW with from the plugin user interface. Once the deployment is in the Deploying state, monitor RAM in the Application Account for a resource share invitation and accept it; the TGW is not visible to the Application Account until the invitation is accepted (the invitation step is skipped only when both accounts are in the same AWS Organization with RAM sharing enabled).
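The RAM sharing and acceptance that both the outbound and the east-west "TGW in the Security Account" use cases depend on, as an added CLI example rather than anything the plugin ships. The region, account IDs, TGW ID and profile name are placeholders, and AWS_CMD is a hypothetical variable so the functions can be dry-run with AWS_CMD=echo.

```shell
#!/bin/sh
# Added example (not the plugin's own code): share a Transit Gateway owned by the
# Security Account with an Application Account through AWS RAM, then accept the
# invitation from the Application Account side. Identifiers are placeholders.
AWS_CMD="${AWS_CMD:-aws}"

# Build the TGW ARN in the form RAM expects for --resource-arns.
tgw_arn() {
    region="$1"; owner_account="$2"; tgw_id="$3"
    echo "arn:aws:ec2:${region}:${owner_account}:transit-gateway/${tgw_id}"
}

# Security Account (TGW owner): create the resource share for one principal.
# --allow-external-principals is required unless both accounts sit in one AWS
# Organization with RAM sharing enabled; prints the resource share ARN.
share_tgw() {
    region="$1"; owner_account="$2"; tgw_id="$3"; app_account="$4"
    $AWS_CMD ram create-resource-share \
        --name "security-tgw-share" \
        --resource-arns "$(tgw_arn "$region" "$owner_account" "$tgw_id")" \
        --principals "$app_account" \
        --allow-external-principals \
        --query 'resourceShare.resourceShareArn' --output text
}

# Application Account: find pending invitations and accept each of them.
# Until this is done the TGW does not appear in the Application Account and
# the plugin cannot create attachments there.
accept_pending_tgw_invitations() {
    profile="$1"
    $AWS_CMD --profile "$profile" ram get-resource-share-invitations \
        --query "resourceShareInvitations[?status=='PENDING'].resourceShareInvitationArn" \
        --output text |
    tr '\t' '\n' |
    while read -r inv_arn; do
        [ -n "$inv_arn" ] || continue
        $AWS_CMD --profile "$profile" ram accept-resource-share-invitation \
            --resource-share-invitation-arn "$inv_arn"
    done
}
```

share_tgw runs with the Security Account credentials; accept_pending_tgw_invitations runs with the Application Account profile after the deployment enters the Deploying state, which is the point at which the invitation appears.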
Use Case: East-West Traffic - Transit Gateway and Application1 are in the Application Account and Application2 is in the Security Account
When the TGW is in the Application Account, it must be shared with the Security Account using RAM. To let the deployment create a TGW attachment and route table in the Application Account, the ARN of an IAM role from that account (the RoleARN) must be added to the IAM role used for the deployment. Use the CFT hyperlink to configure the Application Account prerequisites.
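What the Application Account prerequisite amounts to for both "TGW in the Application Account" use cases (outbound and east-west), as an added example: a role in the Application Account that only the Security Account's deployment role can assume, carrying the TGW attachment and route table permissions. This is not the plugin's CFT and does not reproduce its exact permission set; role names, account IDs and the AWS_CMD dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example (not the plugin's CFT): create, in the Application Account, the
# IAM role whose ARN is handed to the deployment as the RoleARN. Role names and
# account IDs are placeholders; AWS_CMD=echo dry-runs the commands.
AWS_CMD="${AWS_CMD:-aws}"

# Trust policy: only the named deployment role in the Security Account may
# assume this role. Trusting the account root instead would let any principal
# in the Security Account assume it.
trust_policy_json() {
    security_account="$1"; deploy_role="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${security_account}:role/${deploy_role}"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy: the TGW attachment and route table actions this use case
# needs (an assumed minimum, not the plugin's list). "Resource": "*" is the
# weak spot; restrict it to the specific TGW and route table ARNs once known.
permissions_policy_json() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:CreateTransitGatewayVpcAttachment",
      "ec2:DeleteTransitGatewayVpcAttachment",
      "ec2:DescribeTransitGatewayVpcAttachments",
      "ec2:DescribeTransitGateways",
      "ec2:CreateTransitGatewayRouteTable",
      "ec2:DeleteTransitGatewayRouteTable",
      "ec2:AssociateTransitGatewayRouteTable",
      "ec2:DisassociateTransitGatewayRouteTable",
      "ec2:CreateTransitGatewayRoute",
      "ec2:DeleteTransitGatewayRoute",
      "ec2:DescribeTransitGatewayRouteTables",
      "ec2:DescribeRouteTables",
      "ec2:CreateRoute",
      "ec2:ReplaceRoute",
      "ec2:DeleteRoute"
    ],
    "Resource": "*"
  }]
}
EOF
}

# Application Account: create the role and attach the inline policy. The ARN
# printed by create-role is the RoleARN the deployment needs.
create_cross_account_role() {
    profile="$1"; role_name="$2"; security_account="$3"; deploy_role="$4"
    $AWS_CMD --profile "$profile" iam create-role \
        --role-name "$role_name" \
        --assume-role-policy-document "$(trust_policy_json "$security_account" "$deploy_role")" \
        --query 'Role.Arn' --output text
    $AWS_CMD --profile "$profile" iam put-role-policy \
        --role-name "$role_name" \
        --policy-name "tgw-attachment-and-routes" \
        --policy-document "$(permissions_policy_json)"
}
```

If the deployment later fails with an AccessDenied naming an action outside this list, add that action rather than widening the trust policy; the trust side is what keeps the Application Account from being reachable by anything other than the deployment role.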