Establish Connectivity with Transit Gateway

Deployment

Next, set up AWS Transit Gateway (TGW) to connect each desired AWS account to the private network by running the following command:

atmos workflow deploy/tgw -f network

This command will deploy the TGW hub and spokes to connect the network to the AWS accounts. The TGW hub is deployed in the core-network account, and the TGW spokes are deployed in each AWS account with a VPC.

Known Issues

NOTE:

At this time you will need to make sure that all EKS VPCs are commented out in the TGW catalog. This is because the components currently have a race condition: the EKS clusters must exist before the TGW can be provisioned. This will be fixed in the future, but for now comment out the cluster references (the eks_component_names variable) until the clusters are created.

It's worth noting that propagation can fail during provisioning of Transit Gateway spokes. You'll likely see an error like this:

│ Error: reading EC2 Transit Gateway Route Table Propagation (tgw-rtb-*_tgw-attach-*): empty result

│ with module.tgw_hub_routes.aws_ec2_transit_gateway_route_table_propagation.default["plat-sandbox"],
│ on .terraform/modules/tgw_hub_routes/main.tf line 71, in resource "aws_ec2_transit_gateway_route_table_propagation" "default":
│ 71: resource "aws_ec2_transit_gateway_route_table_propagation" "default" {

If this happens, you can safely wait a minute or two and then re-attempt the provisioning.
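One way to automate the wait-and-retry described above, as an added example that is not part of the reference architecture: a shell function that re-runs the deploy command only when it fails with this specific propagation error, and gives up immediately on any other failure. The attempt count, delay, and command are parameters (e.g. `retry_tgw_deploy 3 90 atmos workflow deploy/tgw -f network`).

```shell
#!/usr/bin/env sh
# retry_tgw_deploy MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Runs COMMAND; if it fails with the known Transit Gateway route table
# propagation race ("empty result"), waits DELAY_SECONDS and tries again,
# up to MAX_ATTEMPTS times. Any other failure is returned immediately
# so that unrelated errors are never masked by the retry loop.
retry_tgw_deploy() {
  max_attempts="$1"
  delay="$2"
  shift 2
  attempt=1
  while :; do
    # Capture stdout and stderr together: Terraform prints the error to stderr.
    if output="$("$@" 2>&1)"; then
      printf '%s\n' "$output"
      return 0
    fi
    # Only the propagation "empty result" error is considered transient.
    if printf '%s' "$output" | grep -q 'Transit Gateway Route Table Propagation.*empty result' \
       && [ "$attempt" -lt "$max_attempts" ]; then
      echo "attempt $attempt: propagation not yet visible, retrying in ${delay}s" >&2
      sleep "$delay"
      attempt=$((attempt + 1))
      continue
    fi
    printf '%s\n' "$output" >&2
    return 1
  done
}
```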

Redeploy tgw when Deploying a New EKS Cluster

The file stacks/catalog/tgw/hub.yaml and the separate tgw/spokes in each stacks/org/**/global-region/network.yaml may contain references to EKS clusters through the eks_component_names variable. If you add an EKS cluster, look up the individual spoke and hub components that are affected and add the new cluster to their eks_component_names. If you are using the cross-region tgw/cross-region-hub-connector components, you will also want to update eks_component_names on the regional connections. Then redeploy the TGW components:

atmos workflow deploy/tgw -f network