Traffic Flow and Configurations

The plugin deploys and manages the Security VPC. The plugin updates the Security VPC route tables based on the attachments discovered on the AWS Transit Gateway.

Inbound Traffic Flow

Inbound traffic flow combinations

  #   Application              Traffic Type
  1   In Security Account      Inbound
  2   In Application Account   Cross-Outbound
Use Case: Inbound Traffic - Application is in the Security Account
The plugin creates a VPC Endpoint Service in the Security Account. The GWLB Endpoints must be associated with this VPC Endpoint Service.
Use Case: Inbound Traffic - Application is in another Application Account
When the application is in a different account, open the AWS console, choose Endpoint Services in the navigation pane, and select your Endpoint Service. Select Actions > Add Principal to allow the principals that may create endpoints against the service, for example arn:aws:iam::AccountNumber:root. The GWLB Endpoints must be associated with the VPC Endpoint Service.
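Allowing an account root principal lets any identity in that account create an endpoint against the service, so the allowed-principal list is worth auditing after the Add Principal step. The script below is an added example, not part of this page or the plugin: it checks the AllowedPrincipals list in the shape returned by `aws ec2 describe-vpc-endpoint-service-permissions` against the Application Accounts you expect; the JSON sample, service id and account numbers are constructed placeholders.

```python
import json
import re

# Constructed sample in the shape returned by
# `aws ec2 describe-vpc-endpoint-service-permissions --service-id <id>`.
# All identifiers are placeholders, not real values.
SAMPLE_PERMISSIONS = json.dumps({
    "AllowedPrincipals": [
        {"PrincipalType": "Account", "Principal": "arn:aws:iam::111111111111:root",
         "ServicePermissionId": "vpce-svc-perm-0000000000000000a",
         "ServiceId": "vpce-svc-0000000000000000a"},
        {"PrincipalType": "Account", "Principal": "arn:aws:iam::222222222222:root",
         "ServicePermissionId": "vpce-svc-perm-0000000000000000b",
         "ServiceId": "vpce-svc-0000000000000000a"},
        {"PrincipalType": "All", "Principal": "*",
         "ServicePermissionId": "vpce-svc-perm-0000000000000000c",
         "ServiceId": "vpce-svc-0000000000000000a"},
    ]
})

# IAM principal ARNs of the kind added via Actions > Add Principal.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")


def audit_allowed_principals(permissions_json, expected_accounts):
    """Return (finding, value) pairs for principals that fall outside
    the expected Application Accounts, plus expected accounts not yet allowed."""
    findings = []
    seen_accounts = set()
    for entry in json.loads(permissions_json).get("AllowedPrincipals", []):
        principal = entry.get("Principal", "")
        if entry.get("PrincipalType") == "All" or principal == "*":
            # Any AWS account could create endpoints against the service.
            findings.append(("WILDCARD", principal))
            continue
        match = ARN_RE.match(principal)
        if not match:
            # OrganizationUnit or service principals; review by hand.
            findings.append(("NON_ACCOUNT_PRINCIPAL", principal))
            continue
        account = match.group(1)
        seen_accounts.add(account)
        if account not in expected_accounts:
            findings.append(("UNEXPECTED_ACCOUNT", principal))
    for account in sorted(set(expected_accounts) - seen_accounts):
        findings.append(("MISSING_ACCOUNT", account))
    return findings


if __name__ == "__main__":
    for finding in audit_allowed_principals(SAMPLE_PERMISSIONS, {"111111111111"}):
        print(*finding)
```

Feed it the real CLI output and the set of Application Account numbers from the plugin configuration; an empty result means only the intended accounts can create endpoints.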

Outbound and East-West Traffic Flow

Outbound traffic flow combinations

  #   Transit Gateway          Application              Traffic Type
  1   In Security Account      In Security Account      Outbound
  2   In Security Account      In Application Account   Outbound
  3   In Application Account   In Application Account   Cross-Outbound
  4   In Application Account   In Security Account      Cross-Outbound
Use Case: Outbound Traffic - Transit Gateway and Application are in the Security Account
The plugin scans for attachments on the configured TGW. When the plugin detects an existing or new attachment, it makes the necessary route table modifications on the Security VPC components.
Use Case: Outbound Traffic - Transit Gateway is in the Security Account and Application is in the Application Account
When the TGW is in the Security Account, to protect applications that are not in the Security Account, the TGW is shared with those application accounts using Resource Access Manager (RAM) in the AWS console. You can choose the accounts with which to share the TGW from the plugin user interface. Once the deployment is in the Deploying state, monitor RAM in the Application Account for an invitation to share resources.
Use Case: Outbound Traffic - Transit Gateway and Application are in the Application Account
When the TGW is in the Application Account, it must be shared with the Security Account using RAM. To create a TGW attachment and route table, a RoleARN from this account must be added to the IAM role used for the deployment. Use the CFT hyperlink under Setup > Application Account to configure the Application Account prerequisites.
East-West traffic flow combinations

  #                                Transit Gateway          Application 1            Application 2            Traffic Type
  1                                In Security Account      In Security Account      In Security Account      East-West
  2 (multi account application)    In Security Account      In Security Account      In Application Account   East-West
  3                                In Application Account   In Application Account   In Application Account   Cross East-West
  4 (multi account application)    In Application Account   In Application Account   In Security Account      Cross East-West
Use Case: East-West Traffic - Transit Gateway and Application1 are in the Security Account and Application2 is in the Security Account
When the TGW is in the Security Account, to protect applications that are not in the Security Account, the TGW is shared with those application accounts using Resource Access Manager (RAM) in the AWS console. You can choose the accounts with which to share the TGW from the plugin user interface. Once the deployment is in the Deploying state, monitor RAM in the Application Account for an invitation to share resources.
Use Case: East-West Traffic - Transit Gateway and Application1 are in the Application Account and Application2 is in the Security Account
When the TGW is in the Application Account, it must be shared with the Security Account using RAM. To create a TGW attachment and route table, a RoleARN from this account must be added to the IAM role used for the deployment. Use the CFT hyperlink under Setup > Application Account to configure the Application Account prerequisites.