AWS Amazon EC2 Transit Gateway
This page shows how to write Terraform and CloudFormation for Amazon EC2 Transit Gateway and write them securely.
aws_ec2_transit_gateway (Terraform)
The Transit Gateway in Amazon EC2 can be configured in Terraform with the resource name aws_ec2_transit_gateway
. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ec2_transit_gateway" "NW-TransitGtwy-USWest1" {
amazon_side_asn = 64512
description = "HSIS-TransitGtwy"
auto_accept_shared_attachments = "disable"
default_route_table_association = "disable"
default_route_table_propagation = "disable"
resource "aws_ec2_transit_gateway" "first" {
provider = aws.first
tags = {
Name = "terraform-example"
}
resource "aws_ec2_transit_gateway" "_" {
auto_accept_shared_attachments = "enable"
}
resource "aws_ram_resource_association" "_" {
resource_arn = aws_ec2_transit_gateway._.arn
Parameters
-
amazon_side_asn
optional - number -
arn
optional computed - string -
association_default_route_table_id
optional computed - string -
auto_accept_shared_attachments
optional - string -
default_route_table_association
optional - string -
default_route_table_propagation
optional - string -
description
optional - string -
dns_support
optional - string -
id
optional computed - string -
owner_id
optional computed - string -
propagation_default_route_table_id
optional computed - string -
tags
optional - map from string to string -
vpn_ecmp_support
optional - string
Explanation in Terraform Registry
Manages an EC2 Transit Gateway.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::TransitGateway (CloudFormation)
The TransitGateway in EC2 can be configured in CloudFormation with the resource name AWS::EC2::TransitGateway
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EC2::TransitGateway
Properties:
AutoAcceptSharedAttachments: enable
DefaultRouteTableAssociation: enable
DefaultRouteTablePropagation: enable
Type: "AWS::EC2::TransitGateway"
Properties:
AmazonSideAsn: 65000
Description: "TGW Route Integration Test"
AutoAcceptSharedAttachments: "disable"
DefaultRouteTableAssociation: "enable"
Type: AWS::EC2::TransitGateway
Type: AWS::EC2::TransitGateway
Type: AWS::EC2::TransitGateway
Properties:
AutoAcceptSharedAttachments: enable # Hoping this makes attaching VPCs easier
Outputs:
TransitGatewayId:
"Type": "AWS::EC2::TransitGateway",
"Properties": {
"Description": "TGW for LZ",
"AutoAcceptSharedAttachments": "enable",
"DefaultRouteTableAssociation": "disable",
"DefaultRouteTablePropagation": "disable",
"Type": "AWS::EC2::TransitGateway",
"Properties": {
"DefaultRouteTableAssociation": "disable",
"DefaultRouteTablePropagation": "disable",
"Tags": [
{
"AWS::EC2::TransitGateway": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgateway.html",
"Properties": {
"DefaultRouteTablePropagation": {
"Required": false,
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgateway.html#cfn-ec2-transitgateway-defaultroutetablepropagation",
"AWS::EC2::TransitGateway": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgateway.html",
"Properties": {
"DefaultRouteTablePropagation": {
"Required": false,
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgateway.html#cfn-ec2-transitgateway-defaultroutetablepropagation",
"AWS::EC2::TransitGateway": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgateway.html",
"Properties": {
"DefaultRouteTablePropagation": {
"Required": false,
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgateway.html#cfn-ec2-transitgateway-defaultroutetablepropagation",
Parameters
-
DefaultRouteTablePropagation
optional - String -
Description
optional - String -
AutoAcceptSharedAttachments
optional - String -
DefaultRouteTableAssociation
optional - String -
VpnEcmpSupport
optional - String -
DnsSupport
optional - String -
MulticastSupport
optional - String -
AmazonSideAsn
optional - Integer -
TransitGatewayCidrBlocks
optional - List -
Tags
optional - List of Tag -
AssociationDefaultRouteTableId
optional - String -
PropagationDefaultRouteTableId
optional - String
Explanation in CloudFormation Registry
Specifies a transit gateway.
You can use a transit gateway to interconnect your virtual private clouds (VPC) and on-premises networks. After the transit gateway enters the
available
state, you can attach your VPCs and VPN connections to the transit gateway.To attach your VPCs, use AWS::EC2::TransitGatewayAttachment.
To attach a VPN connection, use AWS::EC2::CustomerGateway to create a customer gateway and specify the ID of the customer gateway and the ID of the transit gateway in a call to AWS::EC2::VPNConnection.
When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table. You can use AWS::EC2::TransitGatewayRouteTable to create additional transit gateway route tables. If you disable automatic route propagation, we do not create a default transit gateway route table. You can use AWS::EC2::TransitGatewayRouteTablePropagation to propagate routes from a resource attachment to a transit gateway route table. If you disable automatic associations, you can use AWS::EC2::TransitGatewayRouteTableAssociation to associate a resource attachment with a transit gateway route table.
Frequently asked questions
What is AWS Amazon EC2 Transit Gateway?
AWS Amazon EC2 Transit Gateway is a resource for Amazon EC2 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Transit Gateway?
For Terraform, the lahiruperamune/terraform-aws-import, anmoltoppo/Terraform and foresighttech/terraform-vpc-module source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the Iman0510/Sandbox, j-crotty/CloudFormation and cue-sh/stax source code examples are useful. See the CloudFormation Example section for further details.