Hi, this is Charu from Classmethod. In my recent work I came across a problem where my Lambda function was not able to access the EC2 instance in another VPC, in spite of the fact that all the services were in the same region. After doing some research I got to know that the safest and most secure way is to use 'Transit Gateway'. And here I am, writing this blog, to tell you about the whole process.
What is Transit Gateway?
AWS Transit Gateway is a network transit hub that can be used to interconnect your Virtual Private Clouds (VPCs) and on-premises networks. Using Transit Gateway, you can simplify network architecture, reduce operational overhead, and manage VPC connections centrally.
A transit gateway works across AWS accounts, and you can use AWS Resource Access Manager (RAM) to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.
Let's get started:
Step 1: Assign a VPC to your Lambda function:
1. Go to the AWS Lambda console and open the configuration page for your Lambda function.
2. Scroll down to the section named "VPC" and click on 'Edit'.
3. Select the VPC you want to use from the "VPC" dropdown.
4. Now, select the subnets and security group. Ensure that you add your Lambda function to the private subnets so that it can communicate with your EC2 instances. Also, add a security group that allows the necessary traffic.
Step 2: Create Transit Gateway:
1. Go to the VPC Dashboard and select Transit Gateways.
2. Click on 'Create Transit Gateway' and fill out the required information.
3. For Name tag, optionally enter a name for the transit gateway for easier identification among a list of gateways. When you add a Name tag, a tag is created with a key of Name and with a value equal to the value you enter.
4. For Description, optionally enter a description for the transit gateway.
5. When setting up the transit gateway, you have the choice to use the default Amazon side Autonomous System Number (ASN) or specify a private ASN. The ASN is used for the AWS side of the Border Gateway Protocol (BGP) session. The range for 16-bit ASNs is between 64512 and 65534, while the range for 32-bit ASNs is between 4200000000 and 4294967294. It is recommended to use a unique ASN for each transit gateway in a multi-Region deployment.
6. For DNS support, select this option if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway.
7. For VPN ECMP support, select this option if you need Equal Cost Multi-path (ECMP) routing support between VPN tunnels. If connections advertise the same CIDRs, the traffic is distributed equally between them.
8. You can also have the transit gateway associate new attachments with its default route table and propagate their routes into that table automatically, by selecting the Default route table association and Default route table propagation options.
9. If multicast traffic routing is needed, you can enable Multicast support.
10. To automatically accept cross-account attachments, you can choose the Auto accept shared attachments option.
11. Optionally, you can specify one or more IPv4 or IPv6 CIDR blocks for your transit gateway using the Transit gateway CIDR blocks setting. The specified CIDR blocks must be larger than /24 for IPv4 or /64 for IPv6, and they should not overlap with the addresses used in your VPC attachments and on-premises networks.
12. Finally, after configuring the desired settings, you can proceed to create the transit gateway by selecting the Create transit gateway button.
Step 3: Create Transit Gateway Attachments:
1. Once the Transit Gateway is created, create an attachment for each VPC that you want to connect.
2. Select the created Transit Gateway and click 'Create Transit Gateway Attachment'.
3. Select the VPC in your account (where the Lambda function resides), and then select the subnets through which you want to route traffic.
Step 4: Share the Transit Gateway with the other account:
1. This can be done using AWS Resource Access Manager (RAM). From the RAM console, create a new resource share.
2. Name the resource share and select the Transit Gateway to be shared.
3. Specify the account with which you want to share the Transit Gateway.
Step 5: Accept the resource share and create an attachment in the other account:
1. The owner of the other AWS account (where EC2 resides) needs to accept the shared resource from the RAM console.
2. After the resource is shared, they need to create a Transit Gateway attachment for their VPC.
Step 6: Update Route Tables:
1. The final step is to update the route tables of each VPC so that traffic destined for the other VPC is sent to the Transit Gateway.
2. Go to 'Route Tables' in the VPC Dashboard. For each route table associated with the subnets in either VPC, add a route whose destination is the CIDR range of the other VPC and whose target is the Transit Gateway.
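Before clicking through Steps 2 to 6, it helps to write down the topology and check it. The script below is an added example and not part of the original post or of any AWS tooling: it validates the ASN ranges and Transit gateway CIDR block rules quoted in Step 2, refuses overlapping VPC CIDRs (the transit gateway cannot route between two VPCs whose ranges overlap), and produces the routes each VPC's subnet route tables need in Step 6 together with a minimal inbound rule for the EC2 instance's security group. The VPC IDs, CIDR ranges, transit gateway ID and port are constructed placeholders.

```python
"""Plan and sanity-check the Transit Gateway routing from Steps 1-6.

Added example; every ID and CIDR below is a constructed placeholder, not a
value from the original post.
"""
import ipaddress

# Private ASN ranges accepted by the transit gateway form (Step 2, item 5).
ASN_16_BIT = range(64512, 65534 + 1)
ASN_32_BIT = range(4200000000, 4294967294 + 1)


def asn_is_private(asn):
    """True if the ASN falls in either private range the console accepts."""
    return asn in ASN_16_BIT or asn in ASN_32_BIT


def tgw_cidr_is_valid(cidr, vpc_cidrs):
    """Check a 'Transit gateway CIDR block' (Step 2, item 11): at least /24
    for IPv4 or /64 for IPv6, and not overlapping any attached VPC."""
    net = ipaddress.ip_network(cidr, strict=True)
    min_prefix = 24 if net.version == 4 else 64
    if net.prefixlen > min_prefix:  # /25, /65 ... are too small
        return False
    return not any(net.overlaps(ipaddress.ip_network(v)) for v in vpc_cidrs)


def find_overlap(vpcs):
    """vpcs: {vpc_id: cidr}. Return the first overlapping pair of VPC IDs,
    or None when every VPC range is disjoint."""
    nets = {vid: ipaddress.ip_network(c, strict=True) for vid, c in vpcs.items()}
    ids = list(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                return (a, b)
    return None


def plan_routes(vpcs, tgw_id):
    """Return {vpc_id: [(destination_cidr, target), ...]}: the route to add
    to each VPC's subnet route tables in Step 6, one per other VPC.
    Raises ValueError if two VPC ranges overlap."""
    clash = find_overlap(vpcs)
    if clash:
        raise ValueError(f"VPC CIDRs overlap: {clash[0]} and {clash[1]}")
    return {
        vid: [(vpcs[other], tgw_id) for other in vpcs if other != vid]
        for vid in vpcs
    }


def ec2_ingress_rules(lambda_subnet_cidrs, port):
    """Least-privilege inbound rules for the EC2 instance's security group:
    only the Lambda function's subnets, only the port the function calls."""
    return [{"cidr": c, "protocol": "tcp", "port": port} for c in lambda_subnet_cidrs]


# Constructed sample: account A holds the Lambda VPC, account B the EC2 VPC.
VPCS = {"vpc-lambda-A": "10.0.0.0/16", "vpc-ec2-B": "10.1.0.0/16"}
TGW_ID = "tgw-placeholder"             # replaced by the real ID after Step 2
LAMBDA_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]  # private subnets from Step 1
APP_PORT = 8080                         # placeholder port the function calls

if __name__ == "__main__":
    assert asn_is_private(64512) and not asn_is_private(65535)
    assert tgw_cidr_is_valid("10.100.0.0/24", VPCS.values())
    for vpc_id, routes in plan_routes(VPCS, TGW_ID).items():
        for destination, target in routes:
            print(f"{vpc_id}: {destination} -> {target}")
    for rule in ec2_ingress_rules(LAMBDA_SUBNETS, APP_PORT):
        print("EC2 SG inbound:", rule)
```

Running it prints one route per VPC (each pointing at the other VPC's range via the transit gateway) and the two inbound rules. If `find_overlap` reports a pair, fix the addressing before creating any attachment; re-addressing a VPC later is far more work than the rest of this procedure.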
Once these steps are completed, your Lambda function should be able to reach the EC2 instance over the Transit Gateway using the EC2 instance's private IP address, provided the EC2 instance's security group allows inbound traffic on the required port from the Lambda function's subnets.
Remember, this process requires both AWS accounts to participate. If you don't have access to the other account, you'll need to coordinate these steps with the owner of that account.
Here we learned how AWS Transit Gateway simplifies network management by providing a scalable and centralised solution for connecting multiple VPCs, AWS accounts, and on-premises networks. With AWS Transit Gateway, you can simplify network management, improve scalability, and enhance security across your AWS infrastructure.