Virginia Tech uses AWS Transit Gateway (TGW) for connectivity between VPCs on AWS and Virginia Tech campus. You can read more about AWS Transit Gateway. Network Engineering and Operations (NEO) manages this service. TGW is a regional service. NEO currently has a TGW in us-east-1.
Workflow
In order to connect to the TGW, NEO must first share the TGW created in vtnis-ss account with the customers. Customers must then accept the resource share. At this point customers can create TGW VPC attachments to the TGW and add campus routes in the route table pointing to TGW VPC attachment.
NEO has streamlined this process to reduce the workloads on customers having to manage the TGW Resource sharing, TGW VPC attachments and the route tables. Instead customers have to provide NEO with limited access to their accounts using an IAM role and tag resources appropriately, so automation manifests can recognize the resources. Below flowchart depicts this workflow:
Customer Requirements
Below are the customer requirements stated in the workflow above:
- Have a VPC in the same region as NEO's Transit Gateway. At this time
us-east-1is the only region NEO supports. - Have a VPC CIDR assigned by hostmaster at Virginia Tech.
- Must allow NEO to access their account using an IAM role.
- Create the role
neo-network-accessfrom aws-transitgw-role-creator - This role grants limited permissions to:
- Access customers account using STS by role
neo-customer-network-accessinvtnis-ssaccount. - List and Accept Resource Share invitations
- Describe VPC, subnets, route tables
- Create Transit Gateway VPC attachments
- Create campus routes in route tables pointing to TGW VPC attachment
- Access customers account using STS by role
- Create the role
- Must tag resources accordingly with below
keyandvaluepairs:
- VPC:
- key:
tgw-vpc - value:
true
- key:
- Subnets
- key:
tgw-access - value:
true
- key:
- Route Tables
- Public Routes Tables
- key:
tgw-route-table - value:
public
- key:
- Private Route Tables
- key:
tgw-route-table - value:
private
- key:
- Public Routes Tables
- VPC:
Tagging is very important for this workflow and will result in failures or errors if the resources are tagged with wrong keys and values.
Requesting for Connectivity
Once the customer creates all the above requirements, they must a SN ticket with NIS-Platform. This request collects the following details:
- AWS Account number
- CIDR of the VPC
- ResponsibleParty- This must be the manager of the team
- ResponsibleTeam - Team name
- Environment - Prod/Dvlp/Test
- Region - Name of AWS region
Once the request is received NEO will acknowledge the request and will reach out to the customer for more information if needed. If you have any queries related to AWS Transit Gateway or AWS VPC connectivity to VT campus please submit a 4help incident.