Traffic Flow and Configurations
Table of Contents
Traffic Flow and Configurations
The plugin deploys and manages the Security
VPC. The plugin updates the Security VPC route tables based on the
attachments discovered on the AWS Transit Gateway.
Inbound Traffic Flow
| Application | Traffic Type | |
|---|---|---|
| 1 | In Security Account | Inbound |
| 2 | In Application Account | Cross-Outbound |
Use Case: Inbound Traffic - Application is
in the Security Account
The plugin creates a VPC Service
Endpoint on the Security Account. The GWLB Endpoints must be associated
with the VPC Endpoint Service.
Use
Case: Inbound Traffic - Application is in other Application Account
When
the application is in a different account, on the AWS console in
the navigation pane, choose Endpoint Services and
select your Endpoint Service. Select to allow principals.
For example, arn:aws:iam::AccountNumber:root.
The GWLB Endpoints must be associated with the VPC Endpoint Service.
Outbound and East-West Traffic Flow
| Transit Gateway | Application | Traffic Type | |
|---|---|---|---|
| 1 | In Security Account | In Security Account | Outbound |
| 2 | In Security Account | In Application Account | Outbound |
| 3 | In Application Account | In Application Account | Cross-Outbound |
| 4 | In Application Account | In Security Account | Cross-Outbound |
Use Case: Outbound Traffic - Transit Gateway
and Application is in the Security Account
The plugin
scan for the attachments on the configured TGW. When the plugin
detects an existing or new attachment, it makes necessary route
table modifications on the Security VPC components.
Use
Case: Outbound Traffic - Transit Gateway is in Security Account
and Application is in the Application Account
When TGW
is in the Security Account, to protect the applications that are
not in the Security Account, the TGW is shared across these applications
using Resource Access Manager (RAM) in the AWS console. You can
choose the accounts with which you want to share the TGW from the
plugin user interface. Once the deployment is in Deploying state,
monitor the RAM on the Application Account for an invitation to
share resources.
Use
Case: Outbound Traffic - Transit Gateway and Application are in
the Application Account
When TGW is the Application Account,
it must be shared with the Security Account using the RAM. To create
a TGW attachment and route table, a RoleARN from this account must
be added to the IAM role used for the deployment. Use the CFT hyperlink
under to configure the Application Account
prerequisites.
| Transit Gateway | Application 1 | Application 2 | Traffic Type | |
|---|---|---|---|---|
| 1 | In Security Account | In Security Account | In Security Account | East-West |
| 2 (multi account application) | In Security Account | In Security Account | In Application Account | East-West |
| 3 | In Application Account | In Application Account | In Application Account | Cross East-West |
| 4 (multi account application) | In Application Account | In Application Account | In Security Account | Cross East-West |
Use Case: East-West Traffic - Transit Gateway
and Application1 are in the Security Account and Application2 is
in the Security Account
When TGW is in the Security Account,
to protect the applications that are not in the Security Account,
the TGW is shared across these applications using Resource Access
Manager (RAM) in the AWS console. You can choose the accounts with
which you want to share the TGW from the plugin user interface.
Once the deployment is in Deploying state,
monitor the RAM on the Application Account for an invitation to
share resources.
Use
Case: East-West Traffic - Transit Gateway and Application1 are in
the Application Account and Application2 is in the Security Account
When
TGW is the Application Account, it must be shared with the Security
Account using the RAM. To create a TGW attachment and route table,
a RoleARN from this account must be added to the IAM role used for
the deployment. Use the CFT hyperlink under to configure
the Application Account prerequisites.
