How do I create an Amazon VPC attachment in Transit Gateway for a transit gateway that's in another account?
I want to create an Amazon Virtual Private Cloud (Amazon VPC) attachment in AWS Transit Gateway for a transit gateway that's in another AWS account.
Short description
To attach a VPC to a transit gateway that's in another account, use AWS Resource Access Manager (AWS RAM) to share the transit gateway with the account that owns the VPC.
In the following resolution, the account that owns the transit gateway is the source account and the account that owns the VPC is the destination account. After the destination account accepts the resource share, create a VPC attachment to connect your VPC to the source account's shared transit gateway.
You can use either the AWS Management console or the AWS Command Line Interface (AWS CLI) to complete the following steps.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Resolution
Prerequisite: Before you create a VPC attachment to a transit gateway, verify that the AWS Identity and Access Management (IAM) user or role in the destination account has permission to create service-linked roles. AWS automatically creates the AWSServiceRoleForVPCTransitGateway service-linked role during the creation of the VPC attachment. This role allows Transit Gateway to create and manage elastic network interfaces in your VPC subnets and configure the necessary routing for the attachment.
To verify that you have the required permissions, confirm that your IAM policy includes the following statement:
{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"
}
If the IAM user or role doesn't have permission to create a service-linked role, then you receive an "Access Denied" error.
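As an added check that is not part of this article: a small Python evaluator that tests whether an identity policy document grants iam:CreateServiceLinkedRole for the transit gateway service-linked role, which is the prerequisite the "Access Denied" error points to. The policy documents and the account ID are constructed, and the evaluation is deliberately simplified (explicit Deny wins over Allow, IAM wildcard matching, no Condition handling); it generalises the single statement above to any policy document.

```python
import json
import re

# Constructed inputs (not from the article): the action and service-linked role
# ARN the attachment step needs, plus two sample identity policies to evaluate.
SLR_ACTION = "iam:CreateServiceLinkedRole"
SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
           "transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway")
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/"
                "transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"}]})
EC2_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def can_create_tgw_slr(policy, role_arn=SLR_ARN):
    """Return 'allow', 'deny' or 'implicit-deny' for iam:CreateServiceLinkedRole on role_arn.

    Simplified identity-policy evaluation: an explicit Deny wins, then an Allow,
    otherwise implicit deny (the "Access Denied" case). Statements with Condition,
    NotAction or NotResource are skipped, so a conditional Deny is not seen; use
    the IAM policy simulator (aws iam simulate-principal-policy) to be certain.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if any(key in stmt for key in ("Condition", "NotAction", "NotResource")):
            continue  # unsupported constructs are skipped (see docstring)
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # case-insensitive
        resources = _as_list(stmt.get("Resource", []))                   # case-sensitive
        if not any(_wild(a, SLR_ACTION.lower()) for a in actions):
            continue
        if not any(_wild(r, role_arn) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "implicit-deny"
```

A policy that only grants ec2:* lets the principal call create-transit-gateway-vpc-attachment but still fails at service-linked role creation, which is the case EC2_ONLY_POLICY reproduces.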
Share the transit gateway with the destination account
AWS RAM console
Complete the following steps:
- In the source account, open the AWS RAM console.
- On the AWS Region dropdown list, select the Region of your transit gateway.
- Choose Create a resource share.
- Enter the following information:
For Name, provide a name for the resource share.
For Select resource type, choose Transit gateway, and then select your transit gateway ID.
- Choose Next.
- Choose a managed permission to associate with the transit gateway.
- Choose Next.
- Choose Grant access to principals, and then enter the following information:
For Principals, enter the account ID of the destination account or an organization ID for an account that's in AWS Organizations.
If the account isn't in an organization, then choose Allow sharing with anyone.
If the account is in an organization, then choose Allow sharing only within your organization.
Note: To use the organization ID as the principal type, turn on trusted access. To update the principals after you create the resource share, select the resource share, and then choose Modify.
- Choose Create resource share.
AWS CLI
Note: In the following commands, replace the example parameters with the following values:
- For TGWSHARE, provide a name for the resource share.
- Replace 222222222222 with the account ID of the destination account.
- For resource-arns, provide the Amazon Resource Name (ARN) of the source account's transit gateway.
- For principals, when you share with an organization, provide the ARN of the organization.
- For resource-share-arn, provide the ARN of the existing resource share that you want to modify.
To create a resource share with accounts that aren't in an organization, run the following create-resource-share command:
aws ram create-resource-share \
  --name TGWSHARE \
  --resource-arns arn:aws:ec2:region:123456789012:transit-gateway/tgw-1234567890abcdef0 \
  --principals 222222222222 \
  --allow-external-principals
To create a resource share to allow access to only accounts in your organization, run the following create-resource-share command:
aws ram create-resource-share \
  --name TGWSHARE \
  --resource-arns arn:aws:ec2:region:123456789012:transit-gateway/tgw-1234567890abcdef0 \
  --principals organizations::123456789012:organization/o-exampleorgid \
  --no-allow-external-principals
To modify an existing resource share, run the following update-resource-share command:
aws ram update-resource-share \
  --allow-external-principals \
  --resource-share-arn arn:aws:ram:us-west-2:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE
For more information, see Creating a resource share in AWS RAM.
Accept the transit gateway share in the destination account
AWS RAM console
For instructions, see Accept an AWS Transit Gateway resource share using the AWS Resource Access Manager console.
Use the Amazon VPC console to verify that the shared transit gateway appears in the destination account.
AWS CLI
Complete the following steps:
- Run the following get-resource-share-invitations command to list pending resource share invitations:
aws ram get-resource-share-invitations
- Copy the resourceShareInvitationArn from the output.
- Run the following accept-resource-share-invitation command to accept the invitation:
aws ram accept-resource-share-invitation \
  --resource-share-invitation-arn arn:aws:ram:us-west-2:111111111111:resource-share-invitation/1e3477be-4a95-46b4-bbe0-c4001EXAMPLE
Note: Replace the resource-share-invitation-arn value with the ARN that you copied from the invitation.
- Run the following describe-transit-gateways command to verify that the shared transit gateway appears in the destination account:
aws ec2 describe-transit-gateways
Create the VPC attachment in the destination account
Amazon VPC console
For instructions, see Create a VPC attachment in AWS Transit Gateway.
AWS CLI
Run the following create-transit-gateway-vpc-attachment command:
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id SHARED-TRANSIT-GATEWAY-ID \
  --vpc-id DESTINATION-VPC-ID \
  --subnet-ids SUBNET-A SUBNET-B \
  --options DnsSupport=enable,Ipv6Support=disable
Note: Replace SHARED-TRANSIT-GATEWAY-ID with the shared transit gateway's ID and DESTINATION-VPC-ID with the ID of the destination VPC. Replace SUBNET-A and SUBNET-B with the subnet IDs. Specify only one subnet for each Availability Zone. For better availability, it's a best practice to specify a subnet in two Availability Zones. The transit gateway uses one IP address from each specified subnet.
After you create the VPC attachment, check the status. If you turned on Auto accept shared attachments, then the transit gateway automatically accepts the attachment. If you didn't turn on Auto accept shared attachments during the creation of the transit gateway, then the status shows Pending acceptance. To accept the VPC attachment from the source account, see the following section Accept the VPC attachment in the source account.
Accept the VPC attachment in the source account
Amazon VPC console
In the source account, accept a shared attachment.
AWS CLI
Run the following describe-transit-gateway-attachments command to list attachments that are in the pendingAcceptance state:
aws ec2 describe-transit-gateway-attachments \
  --filters Name=state,Values=pendingAcceptance
Then, run the following accept-transit-gateway-vpc-attachment command to accept the VPC attachment:
aws ec2 accept-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-ids TGW-ATTACH-1122
Note: Replace TGW-ATTACH-1122 with the VPC attachment's ID from the describe-transit-gateway-attachments output.
Related information
Amazon VPC attachments in AWS Transit Gateway