
How to Manage AWS Transit Gateway and Attachments Using CLI

AWS Transit Gateway acts as a hub that connects multiple VPCs and on-prem networks. Apart from attaching a VPC to the transit gateway and routing traffic through it, you can also attach a VPN connection or a Direct Connect gateway to your transit gateway. You can also peer two transit gateways and route traffic between them.

In a multi-account environment, you can create the transit gateway in a central network account and share it with external accounts or with accounts within your organization.

This mytechmint tutorial explains how to manage an AWS Transit Gateway and its attachments using CLI commands.

  • Transit Gateway: Examples 1 through 6 explain how to create, view and delete a Transit Gateway using CLI commands.
  • Transit Gateway Attachments to a VPC: Examples 7 through 14 explain how to create, modify, view and delete Transit Gateway attachments to a VPC.
  • Transit Gateway Attachments to a VPN: Example 15 explains how a Transit Gateway attachment to a VPN is created using the create-vpn-connection CLI command.
  • Sharing a Transit Gateway: Examples 16 through 18 explain how to use Resource Access Manager to share a transit gateway across accounts.
  • Peer two Transit Gateways: Examples 19 through 22 explain how to peer two transit gateways and route traffic between them using CLI.
  • Add Routes: Examples 23 and 24 explain how to add a route to a VPC route table pointing to the Transit Gateway and how to add a route to a transit gateway route table.

1. Create Transit Gateway using All Default Values

Use aws ec2 create-transit-gateway as shown below to create a transit gateway. This creates the transit gateway using all the default options.

aws ec2 create-transit-gateway --description prodTGW

When you don’t specify any options, the following default values will be used for the transit gateway options:

  • Amazon ASN: 64512
  • Auto accept shared attachments: disable
  • Default association route table: enable
  • Default propagation route table: enable
  • VPN ECMP support: enable
  • DNS support: enable

The following is the output of the above command:

{
  "TransitGateway": {
    "Description": "prodTGW",
    "TransitGatewayArn": "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-000aaabbbccdddeee",
    "CreationTime": "2020-06-13T00:31:03.000Z",
    "State": "pending",
    "TransitGatewayId": "tgw-000aaabbbccdddeee",
    "OwnerId": "111111111111",
    "Options": {
        "DefaultRouteTableAssociation": "enable",
        "DnsSupport": "enable",
        "AutoAcceptSharedAttachments": "disable",
        "AssociationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "PropagationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "AmazonSideAsn": 64512,
        "DefaultRouteTablePropagation": "enable",
        "VpnEcmpSupport": "enable"
    }
  }
}

If you are new to AWS CLI, refer to this: Manage Multiple Profiles for CLI Using AWS Configure Command

2. Create Transit Gateway with Custom Options – Change AmazonSideASN and AutoAcceptSharedAttachments

If you want to specify your own ASN for the Amazon side of the transit gateway, use the --options parameter as shown below. This example also enables the AutoAcceptSharedAttachments option.

aws ec2 create-transit-gateway --description prodTGW \
  --options=AmazonSideAsn=64516,AutoAcceptSharedAttachments=enable

The following is the partial output of the above command.

{
  "TransitGateway": {
    ..
    ..
    "Options": {
        "DefaultRouteTableAssociation": "enable",
        "DnsSupport": "enable",
        "AutoAcceptSharedAttachments": "enable",
        "AssociationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "PropagationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
        "AmazonSideAsn": 64516,
        "DefaultRouteTablePropagation": "enable",
        "VpnEcmpSupport": "enable"
    }
  }
}

3. Create Transit Gateway by Changing All Available Custom Options

The following command shows all the possible options that can be changed when creating a transit gateway:

aws ec2 create-transit-gateway --description prodTGW \
    --options=AmazonSideAsn=64516,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable,VpnEcmpSupport=enable,DnsSupport=enable

The AmazonSideAsn option takes a numeric long value. The rest of the options can take the value of either enable or disable. The above example uses the shorthand syntax for the options by separating them with commas. You can also use the following JSON syntax for the options:

{
  "AmazonSideAsn": long,
  "AutoAcceptSharedAttachments": "enable"|"disable",
  "DefaultRouteTableAssociation": "enable"|"disable",
  "DefaultRouteTablePropagation": "enable"|"disable",
  "VpnEcmpSupport": "enable"|"disable",
  "DnsSupport": "enable"|"disable",
  "MulticastSupport": "enable"|"disable"
}
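Two of these options decide who can use the gateway and what can reach what: AutoAcceptSharedAttachments=enable makes attachments from any account the gateway is shared with active without review, and leaving both default route table association and propagation enabled puts every attachment into one route table that learns every other attachment's routes. The following is an added example (not from the original tutorial) that audits those options over a constructed copy of the describe-transit-gateways JSON shown above; the gateway IDs and account numbers are placeholders.

```python
"""Audit transit gateway options from `aws ec2 describe-transit-gateways` output."""
import json

# Constructed sample in the shape of the describe-transit-gateways output
# (gateway IDs and account numbers are placeholders, not real resources).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TransitGateways": [
        {
            "TransitGatewayId": "tgw-000aaabbbccdddeee",
            "OwnerId": "111111111111",
            "State": "available",
            "Options": {
                "AmazonSideAsn": 64516,
                "AutoAcceptSharedAttachments": "enable",
                "DefaultRouteTableAssociation": "enable",
                "DefaultRouteTablePropagation": "enable",
                "VpnEcmpSupport": "enable",
                "DnsSupport": "enable",
            },
        },
        {
            "TransitGatewayId": "tgw-111bbbcccdddeeeff",
            "OwnerId": "111111111111",
            "State": "available",
            "Options": {
                "AmazonSideAsn": 64512,
                "AutoAcceptSharedAttachments": "disable",
                "DefaultRouteTableAssociation": "disable",
                "DefaultRouteTablePropagation": "disable",
                "VpnEcmpSupport": "enable",
                "DnsSupport": "enable",
            },
        },
    ]
})


def audit_transit_gateways(describe_output: str) -> dict:
    """Return {TransitGatewayId: [finding, ...]} for every gateway in the output.

    A gateway with an empty list has none of the option combinations that
    weaken control over who can attach and which attachments can reach each other.
    """
    findings = {}
    for tgw in json.loads(describe_output).get("TransitGateways", []):
        opts = tgw.get("Options", {})
        issues = []
        if opts.get("AutoAcceptSharedAttachments") == "enable":
            issues.append(
                "AutoAcceptSharedAttachments=enable: attachments from any account "
                "the gateway is shared with become active with no manual acceptance")
        if (opts.get("DefaultRouteTableAssociation") == "enable"
                and opts.get("DefaultRouteTablePropagation") == "enable"):
            issues.append(
                "default association and propagation both enabled: every attachment "
                "lands in one route table and learns every other attachment's routes "
                "(flat any-to-any reachability unless you add blackhole routes)")
        findings[tgw["TransitGatewayId"]] = issues
    return findings


if __name__ == "__main__":
    for tgw_id, issues in audit_transit_gateways(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{tgw_id}: {'OK' if not issues else str(len(issues)) + ' finding(s)'}")
        for issue in issues:
            print(f"  - {issue}")
```

Feed it the real output with `aws ec2 describe-transit-gateways > tgw.json` and pass the file contents to `audit_transit_gateways`.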

4. Create Transit Gateway with Name Tag and Description

You can also specify tags while creating the transit gateway. The following command creates the transit gateway with custom options and assigns Name tag with a value.

aws ec2 create-transit-gateway --description prodTGW \
  --tag-specifications "ResourceType=transit-gateway,Tags=[{Key=Name,Value=prodTGW}]" \
  --options=AmazonSideAsn=64516,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable,VpnEcmpSupport=enable,DnsSupport=enable

The following is the output of the above command:

{
  "TransitGateway": {
      "Description": "prodTGW",
      "TransitGatewayArn": "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-000aaabbbccdddeee",
      "Tags": [
          {
              "Value": "prodTGW",
              "Key": "Name"
          }
      ],
      "CreationTime": "2020-06-13T16:50:26.000Z",
      "State": "pending",
      "TransitGatewayId": "tgw-000aaabbbccdddeee",
      "OwnerId": "111111111111",
      "Options": {
          "DefaultRouteTableAssociation": "enable",
          "DnsSupport": "enable",
          "AutoAcceptSharedAttachments": "enable",
          "AssociationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
          "PropagationDefaultRouteTableId": "tgw-rtb-000aaabbbcccdddee",
          "AmazonSideAsn": 64516,
          "DefaultRouteTablePropagation": "enable",
          "VpnEcmpSupport": "enable"
      }
  }
}

5. Display existing Transit Gateways

The following command will display all available transit gateways:

aws ec2 describe-transit-gateways

To view the details of only a specific transit gateway, specify the transit-gateway-ids as shown below.

TGW_ID=tgw-000aaabbbccdddeee

aws ec2 describe-transit-gateways --transit-gateway-ids ${TGW_ID}

6. Delete Transit Gateway

Use the delete-transit-gateway command as shown below by providing the transit-gateway-id.

TGW_ID=tgw-000aaabbbccdddeee

aws ec2 delete-transit-gateway --transit-gateway-id ${TGW_ID}

You cannot delete a transit gateway while it still has attachments. You’ll get the following error message:


Note: An error occurred (IncorrectState) when calling the DeleteTransitGateway operation: tgw-000aaabbbccdddeee has non-deleted VPC Attachments: tgw-attach-000aaabbbcccdddee.

Note: If you have a route in the route table of your subnet/VPC that points to the deleted transit gateway, it will have the status of blackhole. So, make sure to delete the route after deleting the transit gateway.
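As an added example (not from the original tutorial), the following script finds such blackhole entries in `aws ec2 describe-route-tables` output and builds the matching delete-route commands. The route table JSON is a constructed sample and the route table, VPC and gateway IDs are placeholders.

```python
"""Find VPC route table entries left in the blackhole state by a deleted transit gateway."""
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output
# (IDs are placeholders). The 10.0.0.0/8 entry points at a transit gateway that
# no longer exists, which is why its State is reported as "blackhole".
SAMPLE_ROUTE_TABLES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-111222333444555", "VpcId": "vpc-000111aaabbbcccdd",
     "Routes": [
         {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "10.0.0.0/8",
          "TransitGatewayId": "tgw-000aaabbbccdddeee",
          "Origin": "CreateRoute", "State": "blackhole"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0",
          "Origin": "CreateRoute", "State": "active"},
     ]},
]})


def find_blackhole_tgw_routes(describe_output: str) -> list:
    """Return (RouteTableId, DestinationCidrBlock, TransitGatewayId) for each
    IPv4 route that targets a transit gateway and is in the blackhole state.
    Routes to other targets (local, internet gateway, ...) are ignored even
    when they are blackholed, since they are not caused by a deleted TGW."""
    hits = []
    for rtb in json.loads(describe_output).get("RouteTables", []):
        for route in rtb.get("Routes", []):
            if route.get("State") != "blackhole" or "TransitGatewayId" not in route:
                continue
            if "DestinationCidrBlock" not in route:
                continue  # IPv6 destinations use DestinationIpv6CidrBlock; not handled here
            hits.append((rtb["RouteTableId"], route["DestinationCidrBlock"],
                         route["TransitGatewayId"]))
    return hits


def cleanup_commands(describe_output: str) -> list:
    """Build the delete-route commands that remove the stale entries."""
    return [f"aws ec2 delete-route --route-table-id {rtb} --destination-cidr-block {cidr}"
            for rtb, cidr, _tgw in find_blackhole_tgw_routes(describe_output)]


if __name__ == "__main__":
    for rtb, cidr, tgw in find_blackhole_tgw_routes(SAMPLE_ROUTE_TABLES):
        print(f"{rtb}: {cidr} -> {tgw} is blackholed")
    for cmd in cleanup_commands(SAMPLE_ROUTE_TABLES):
        print(cmd)
```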

7. Create Transit Gateway VPC Attachment with Mandatory Fields

Once you have a transit gateway, you can create the following three types of attachments:

  • Transit Gateway VPC Attachment
  • Transit Gateway VPN Attachment
  • Transit Gateway Peering Attachment to peer with another transit gateway

The following example shows how to create a transit gateway VPC attachment.

TGW_ID=tgw-000aaabbbccdddeee
VPC1=vpc-000111aaabbbcccdd
VPC1_PUBLIC_SUBNET1=subnet-111222333aaabbbcc
VPC1_PUBLIC_SUBNET2=subnet-000222aaabbbcccdd

aws ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

While creating a VPC attachment, the mandatory options are vpc-id and the subnet-ids within that VPC. For example, you can create a transit gateway VPC attachment for all public subnets in that VPC across multiple AZs.

The following is the output of the above command:

{
  "TransitGatewayVpcAttachment": {
      "VpcId": "vpc-000111aaabbbcccdd",
      "VpcOwnerId": "111111111111",
      "SubnetIds": [
          "subnet-000222aaabbbcccdd",
          "subnet-111222333aaabbbcc"
      ],
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      "CreationTime": "2020-06-13T00:48:13.000Z",
      "State": "pending",
      "TransitGatewayId": "tgw-000aaabbbccdddeee",
      "Options": {
          "DnsSupport": "enable",
          "Ipv6Support": "disable"
      }
  }
}

8. Create Transit Gateway VPC Attachment with Name Tags

The following example shows how to create a Transit Gateway VPC Attachment with a Name tag. You can also attach multiple tags to the attachment by adding another Key/Value pair to the Tags option.

TGW_ID=tgw-000aaabbbccdddeee
VPC1=vpc-000111aaabbbcccdd
VPC1_PUBLIC_SUBNET1=subnet-111222333aaabbbcc
VPC1_PUBLIC_SUBNET2=subnet-000222aaabbbcccdd

aws ec2 create-transit-gateway-vpc-attachment \
    --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=appOnPremAccess}]" \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

The following is partial output of the above command.

{
    "TransitGatewayVpcAttachment": {
        "Tags": [
            {
                "Value": "appOnPremAccess",
                "Key": "Name"
            }
        ],
        ..
        ..
    }
}

When you don’t specify any options, the attachment will be created with DNS support enabled and IPv6 support disabled.

If you try to create another attachment for a VPC that already has one on the same transit gateway, you’ll get the following error message:

Note: An error occurred (DuplicateTransitGatewayAttachment) when calling the CreateTransitGatewayVpcAttachment operation: tgw-000aaabbbccdddeee has non-deleted Transit Gateway Attachments with same VPC ID.

9. Create Transit Gateway VPC Attachment with IPV6 Support

By default, the transit gateway VPC attachment is created without IPv6 support. To enable support for IPv6, use the Ipv6Support option as shown below.

aws ec2 create-transit-gateway-vpc-attachment \
    --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=appOnPremAccess}]" \
    --options "Ipv6Support=enable" \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

If you don’t have IPv6 CIDR blocks associated with your subnets, you’ll get the following error message:

Note: An error occurred (InvalidParameterCombination) when calling the CreateTransitGatewayVpcAttachment operation: subnet-000222aaabbbcccdd has no IPv6 CidrBlocks associated

10. Create Transit Gateway VPC Attachment with All Available Custom Options

aws ec2 create-transit-gateway-vpc-attachment \
    --tag-specifications "ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=appOnPremAccess}]" \
    --options "DnsSupport=disable,Ipv6Support=disable" \
    --transit-gateway-id ${TGW_ID} \
    --vpc-id ${VPC1} \
    --subnet-ids ${VPC1_PUBLIC_SUBNET1} ${VPC1_PUBLIC_SUBNET2}

The above example uses the shorthand syntax format for the options by separating the options by commas. You can also use the following JSON syntax format for the options:

{
  "DnsSupport": "enable"|"disable",
  "Ipv6Support": "enable"|"disable"
}

11. Modify Transit Gateway VPC Attachments – Add or Remove Subnets

After creating a transit gateway VPC attachment, you can add or remove subnets as shown below.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 modify-transit-gateway-vpc-attachment \
    --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID} \
    --remove-subnet-ids subnet-111222333aaabbbcc \
    --add-subnet-ids subnet-222111000aaabbbcc

The following is the output of the above command:

{
  "TransitGatewayVpcAttachment": {
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      "TransitGatewayId": "tgw-000aaabbbccdddeee",
      "VpcId": "vpc-d4ef7eaf",
      "VpcOwnerId": "222222222222",
      "State": "modifying",
      "SubnetIds": [
          "subnet-222111000aaabbbcc",
          "subnet-111222333aaabbbcc",
          "subnet-000222aaabbbcccdd"
      ],
      "CreationTime": "2020-06-13T19:31:19+00:00",
      "Options": {
          "DnsSupport": "enable",
          "Ipv6Support": "disable"
      }
  }
}

As you see from the above output, while the state is “modifying”, you’ll still see the subnet that is currently being removed. After a few seconds, when the state becomes “available”, you should see only 2 subnets for this transit gateway attachment.

If you specify a subnet ID that does not exist, you’ll get the following error message:

An error occurred (InvalidSubnetID.NotFound) when calling the ModifyTransitGatewayVpcAttachment operation: The subnet ID ‘subnet-111222333aaabbbcc’ does not exist

12. Modify Transit Gateway VPC Attachments – Changing Options

You can also change the default options after the attachment was created. The following example shows how you can change the DNS support and IPv6 support options on the transit gateway attachment.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 modify-transit-gateway-vpc-attachment \
    --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID} \
    --options DnsSupport=disable,Ipv6Support=disable

While modifying the attachment, you can also modify the options and add/remove subnets at the same time as shown below.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 modify-transit-gateway-vpc-attachment \
    --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID} \
    --options DnsSupport=enable,Ipv6Support=disable \
    --remove-subnet-ids subnet-222111000aaabbbcc \
    --add-subnet-ids subnet-111222333aaabbbcc

13. Display existing Transit Gateway Attachments

The following example will display all available transit gateway attachments in your account:

aws ec2 describe-transit-gateway-attachments

You can also view the details of a specific attachment by specifying the transit-gateway-attachment-ids as shown below.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 describe-transit-gateway-attachments --transit-gateway-attachment-ids ${VPC1_TGW_ATTACHMENT_ID}

The following is the output of the above command:

{
  "TransitGatewayAttachments": [
      {
          "ResourceOwnerId": "111111111111",
          "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
          "ResourceType": "vpc",
          "ResourceId": "vpc-000111aaabbbcccdd",
          "Tags": [
              {
                  "Value": "appOnPremAccess",
                  "Key": "Name"
              }
          ],
          "CreationTime": "2020-06-13T01:10:17.000Z",
          "State": "available",
          "TransitGatewayId": "tgw-000aaabbbccdddeee",
          "TransitGatewayOwnerId": "111111111111",
          "Association": {
              "State": "associated",
              "TransitGatewayRouteTableId": "tgw-rtb-000aaabbbcccdddee"
          }
      }
  ]
}

14. Delete Transit Gateway VPC Attachment

The following example shows how to delete an existing transit gateway vpc attachment.

VPC1_TGW_ATTACHMENT_ID=tgw-attach-000aaabbbcccdddee

aws ec2 delete-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id ${VPC1_TGW_ATTACHMENT_ID}

The output of the above command will show that the attachment is currently in deleting state.

{
  "TransitGatewayVpcAttachment": {
      "VpcId": "vpc-000111aaabbbcccdd",
      "VpcOwnerId": "111111111111",
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      "CreationTime": "2020-06-13T00:58:31.000Z",
      "State": "deleting",
      "TransitGatewayId": "tgw-000aaabbbccdddeee"
  }
}

15. Create a Transit Gateway attachment to a VPN

Similar to creating a transit gateway attachment to a VPC, you can also create an attachment to a VPN.


For this, you’ll create the VPN connection by specifying transit-gateway-id along with customer-gateway-id as shown below.

CGW_ID=cgw-000111333aaabbbcc
TGW_ID=tgw-000aaabbbccdddeee

aws ec2 create-vpn-connection \
  --customer-gateway-id ${CGW_ID} \
  --type ipsec.1 \
  --transit-gateway-id ${TGW_ID}

Note: Don’t forget to specify the VPN type as ipsec.1.

The following is the partial output of the above command.

{
"VpnConnection": {
    "CustomerGatewayConfiguration": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<vpn_connection id=\"vpn-
    ..
    ..
    </vpn_connection>",
    "CustomerGatewayId": "cgw-000111333aaabbbcc",
    "Category": "VPN",
    "State": "pending",
    "VpnConnectionId": "vpn-000111222333aaabb",
    "TransitGatewayId": "tgw-000aaabbbccdddeee",
    "Options": {
        "EnableAcceleration": false,
        "StaticRoutesOnly": false,
        "TunnelOptions": [
          ..
          ..

}

While creating the VPN connection, you can also specify various TunnelOptions in JSON format.

For example, to use static routes only with the VPN connection, add the following option to the above command.

--options "{\"StaticRoutesOnly\":true}"

Once you create a VPN transit gateway attachment, you’ll see the ResourceType in the describe command output as “vpn”.

The following example shows that there are two attachments: one is a VPC attachment and the other is a VPN attachment.

$ aws ec2 describe-transit-gateway-attachments

{
"TransitGatewayAttachments": [
  {
    "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
    "ResourceType": "vpc",
    ..
    ..
  },
  {
    "TransitGatewayAttachmentId": "tgw-attach-03210321aaabbbccc",
    "ResourceType": "vpn",
    ..
    ..
  },
...

16. Create Resource Access Share for Transit Gateway in 1st Account

To share a transit gateway across accounts, use the AWS Resource Access Manager.

The following example shows how to create a resource share and associate transit gateway to it.

In this example, the transit gateway was created in account 111111111111. From this account, we are creating a resource share and sharing it with account 222222222222.

aws ram create-resource-share \
  --name tgwDevShares \
  --resource-arns arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-000aaabbbccdddeee \
  --principals 222222222222 \
  --tags "key=Name,value=devShare"

Here is the output for the above command.

{
  "resourceShare": {
      "status": "ACTIVE",
      "owningAccountId": "111111111111",
      "allowExternalPrincipals": true,
      "name": "tgwDevShares",
      "tags": [
          {
              "value": "devShare",
              "key": "Name"
          }
      ],
      "creationTime": 1641722024.078,
      "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/11111111-2222-aaaa-bbbb-cccccccccccc",
      "lastUpdatedTime": 1522722024.064
  }
}

17. Accept the Transit Gateway Resource Share from 2nd Account

Make sure the AWS CLI is now connected to the 2nd account 222222222222.

Execute the following command to view all the resource share invitations on the 2nd account.

aws ram get-resource-share-invitations

The output indicates that this invitation is still in pending status.

{
  "resourceShareInvitations": [
    {
      "resourceShareInvitationArn": "arn:aws:ram:us-east-1:111111111111:resource-share-invitation/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
      "resourceShareName": "tgwDevShares",
      "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/11111111-2222-aaaa-bbbb-cccccccccccc",
      "senderAccountId": "111111111111",
      "receiverAccountId": "222222222222",
      "invitationTimestamp": "2020-06-13T10:00:24.249000-07:00",
      "status": "PENDING"
    }
  ]
}

Get the resourceShareInvitationArn from the above output.

Note: The ARN for the resource share invitation is different from the resource share ARN.

Using the resourceShareInvitationArn, accept the invitation as shown below:

aws ram accept-resource-share-invitation \
--resource-share-invitation-arn arn:aws:ram:us-east-1:111111111111:resource-share-invitation/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

Once the invitation is accepted, the status of this resource share invitation will change to accepted as shown below.

{
  "resourceShareInvitation": {
    "resourceShareInvitationArn": "arn:aws:ram:us-east-1:111111111111:resource-share-invitation/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "resourceShareName": "tgwDevShares",
    "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/11111111-2222-aaaa-bbbb-cccccccccccc",
    "senderAccountId": "111111111111",
    "receiverAccountId": "222222222222",
    "invitationTimestamp": "2020-06-13T10:57:03.509000-07:00",
    "status": "ACCEPTED"
  }
}

18. From 1st Account Accept Transit Gateway Attachments Created in 2nd Account

Now that the transit gateway is shared from the 1st account to the 2nd account, you can create transit gateway attachments in the 2nd account.

After that, if the AutoAcceptSharedAttachments is disabled on the transit gateway, you should manually accept the attachments from the 1st account.

First, execute the following command to see if any attachments need to be accepted.

aws ec2 describe-transit-gateway-vpc-attachments

As shown below, if the attachment is still not accepted, the State will be shown as pendingAcceptance.

{
  "TransitGatewayVpcAttachments": [
    {
      "TransitGatewayAttachmentId": "tgw-attach-000aaabbbcccdddee",
      ..
      ..
      "State": "pendingAcceptance",
    }
  ]
}

Get the TransitGatewayAttachmentId from the above output and accept the attachment as shown below:

aws ec2 accept-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id tgw-attach-000aaabbbcccdddee

The state will change from pendingAcceptance to pending, and then to available.


19. Create Transit Gateway Attachment for TGW Peering from 1st Account

When you have two transit gateways, you can peer them and route traffic between them. You can peer with a transit gateway in another region and even in another account.

For this, you should first create a transit gateway peering attachment from the 1st account, where your 1st TGW exists.

From the 1st account, execute the following command to create the peering attachment:

TGW_ID=tgw-000aaabbbccdddeee
PEER_TGW_ID=tgw-222333444aaabbbcc
PEER_ACCOUNT_ID=222222222222
PEER_REGION=us-east-2

aws ec2 create-transit-gateway-peering-attachment \
  --transit-gateway-id ${TGW_ID} \
  --peer-transit-gateway-id ${PEER_TGW_ID} \
  --peer-account-id ${PEER_ACCOUNT_ID} \
  --peer-region ${PEER_REGION}

In the above:

  • TGW_ID – This is the 1st transit gateway that is in your account (1st account)
  • PEER_TGW_ID – This is the 2nd transit gateway that is in another account (2nd account), which is referred to by PEER_ACCOUNT_ID
  • PEER_REGION – The region in which the PEER_TGW_ID exists

The following is the output of the above command.

{
  "TransitGatewayPeeringAttachment": {
    "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
    "RequesterTgwInfo": {
        "TransitGatewayId": "tgw-000aaabbbccdddeee",
        "OwnerId": "111111111111",
        "Region": "us-east-1"
    },
    "AccepterTgwInfo": {
        "TransitGatewayId": "tgw-222333444aaabbbcc",
        "OwnerId": "111111111111",
        "Region": "us-east-2"
    },
    "State": "initiatingRequest",
    "CreationTime": "2020-06-13T22:15:54+00:00"
  }
}

Initially the state will be initiatingRequest, and it then changes to pendingAcceptance.

20. Accept Transit Gateway Peering Attachment Request from 2nd Account

Now log in to the 2nd account, the one referred to by PEER_ACCOUNT_ID in the above command, and accept the peering attachment request.

PEER_TGW_ATTACHMENT_ID=tgw-attach-111222333aaabbbcc
PEER_REGION=us-east-2

aws ec2 accept-transit-gateway-peering-attachment \
  --transit-gateway-attachment-id ${PEER_TGW_ATTACHMENT_ID} \
  --region ${PEER_REGION}

The following is the output of the above command:

{
  "TransitGatewayPeeringAttachment": {
    "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
    "RequesterTgwInfo": {
        "TransitGatewayId": "tgw-000aaabbbccdddeee",
        "OwnerId": "111111111111",
        "Region": "us-east-1"
    },
    "AccepterTgwInfo": {
        "TransitGatewayId": "tgw-222333444aaabbbcc",
        "OwnerId": "222222222222",
        "Region": "us-east-2"
    },
    "State": "pending",
    "CreationTime": "2020-06-13T22:16:17+00:00"
  }
}

Once the peering attachment is created, modify the transit gateway route table and add a static route to point to this peering attachment.

21. List all Transit gateway Peering Attachments

Execute the following command to view the details of your existing transit gateway peering attachment.

aws ec2 describe-transit-gateway-peering-attachments

{
  "TransitGatewayPeeringAttachments": [
    {
      "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
      "RequesterTgwInfo": {
          "TransitGatewayId": "tgw-000aaabbbccdddeee",
          "OwnerId": "111111111111",
          "Region": "us-east-1"
      },
      "AccepterTgwInfo": {
          "TransitGatewayId": "tgw-222333444aaabbbcc",
          "OwnerId": "111111111111",
          "Region": "us-east-2"
      },
      "Status": {
          "Code": "available",
          "Message": "Available"
      },
      "State": "available",
      "CreationTime": "2020-06-13T22:15:54+00:00",
      "Tags": []
    }
  ]
}

22. Delete Transit Gateway Peering Attachment

Use the delete-transit-gateway-peering-attachment command as shown below to delete the peering attachment.

PEER_TGW_ATTACHMENT_ID=tgw-attach-111222333aaabbbcc

aws ec2 delete-transit-gateway-peering-attachment \
  --transit-gateway-attachment-id ${PEER_TGW_ATTACHMENT_ID}

Here is the output of the above command:

{
  "TransitGatewayPeeringAttachment": {
    "TransitGatewayAttachmentId": "tgw-attach-111222333aaabbbcc",
    "RequesterTgwInfo": {
        "TransitGatewayId": "tgw-000aaabbbccdddeee",
        "OwnerId": "111111111111",
        "Region": "us-east-1"
    },
    "AccepterTgwInfo": {
        "TransitGatewayId": "tgw-222333444aaabbbcc",
        "OwnerId": "111111111111",
        "Region": "us-east-2"
    },
    "State": "deleting",
    "CreationTime": "2020-06-13T22:15:54+00:00"
  }
}

Please note that you cannot use the delete-transit-gateway-vpc-attachment command to delete a peering attachment. You’ll get an error as shown below.

$ aws ec2 delete-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id ${PEER_TGW_ATTACHMENT_ID}

An error occurred (InvalidTransitGatewayAttachmentID.NotFound) when calling the DeleteTransitGatewayVpcAttachment operation: Transit Gateway Attachment tgw-attach-111222333aaabbbcc was deleted or does not exist.

23. Add Route to VPC Route Table with Entries pointing to Transit Gateway

Once you have the transit gateway created, you can add a route to your subnet route table pointing to the transit gateway as shown below.

VPC1_PUBLIC_SUBNET_ROUTETABLE=rtb-111222333444555

aws ec2 create-route \
  --route-table-id ${VPC1_PUBLIC_SUBNET_ROUTETABLE} \
  --destination-cidr-block 10.0.0.0/8 \
  --transit-gateway-id ${TGW_ID}

If the route was added properly, you’ll get the following message:

{
    "Return": true
}

If you omit the target, or specify more than one target, you’ll get the following error message:

Note: An error occurred (MissingParameter) when calling the CreateRoute operation: The request must contain exactly one of gatewayId, natGatewayId, networkInterfaceId, vpcPeeringConnectionId, egressOnlyInternetGatewayId, transitGatewayId, localGatewayId or instanceId

24. Add a route to the transit gateway route table

If you want to add a route directly to the transit gateway route table, use the create-transit-gateway-route command as shown below.

In this example, the given static route is added to the TGW_ROUTE_TABLE_ID route table. With this route, any traffic going to CIDR is sent through TGW_ATTACHMENT_ID.

CIDR=10.10.10.0/32
TGW_ROUTE_TABLE_ID=tgw-rtb-555444333222aaabb
TGW_ATTACHMENT_ID=tgw-attach-03210321aaabbbccc

aws ec2 create-transit-gateway-route \
  --destination-cidr-block ${CIDR} \
  --transit-gateway-route-table-id ${TGW_ROUTE_TABLE_ID} \
  --transit-gateway-attachment-id ${TGW_ATTACHMENT_ID}

The following is the output of the above command. This indicates that the static route was added successfully and it’s active.

{
  "Route": {
    "DestinationCidrBlock": "10.10.10.0/32",
    "TransitGatewayAttachments": [
        {
            "ResourceId": "vpn-000aaacccddd66655",
            "TransitGatewayAttachmentId": "tgw-attach-03210321aaabbbccc",
            "ResourceType": "vpn"
        }
    ],
    "Type": "static",
    "State": "active"
  }
}
