To create a Transit Gateway (TGW) static blackhole route through the Landing Zone Accelerator (LZA) on AWS, you'll need to modify the network configuration file (typically named network-config.yaml) in your LZA setup.
Here's how you can add a static blackhole route:
- Locate the transitGateways section in your network-config.yaml file.
- Under the specific Transit Gateway configuration, find or add a routeTables section.
- Within the routeTables section, add a new entry for your blackhole route table.
- In this route table, you can define a static route with a blackhole as the target.
The configuration would look something like this:
```yaml
transitGateways:
  - name: Main-TGW
    account: Network
    region: us-east-1
    routeTables:
      - name: Blackhole
        routes:
          - destinationCidrBlock: 10.0.0.0/16
            blackhole: true
```
In this example, we're creating a route table named "Blackhole" with a static route that sends traffic destined for 10.0.0.0/16 to a blackhole.
After making these changes, commit and push your updated configuration files to your LZA configuration repository. The LZA pipeline will detect the changes and update your Transit Gateway configuration to include this static blackhole route.
Remember to test this configuration in a non-production environment first to ensure it doesn't interfere with your legitimate traffic flows.
Sources
How can I use Network Firewall managed rule groups in the LZA? | AWS re:Post
Using Terraform with Landing Zone Accelerator on AWS | AWS Cloud Operations Blog
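The following pre-flight check is an added example of my own, not code from this answer or from the LZA project: it takes the parsed `transitGateways` section in the shape shown above (the dict is a constructed stand-in for what a YAML loader would return, with made-up sample CIDRs), validates each static route entry, and reports where a blackhole route overlaps an attachment route, since Transit Gateway longest-prefix matching decides which one actually wins.

```python
"""Pre-flight checks for LZA transitGateways route entries (constructed example)."""
import ipaddress

# Constructed stand-in for the parsed transitGateways section of network-config.yaml;
# the attachment routes and their CIDRs are sample values, not from the answer.
TGW_CONFIG = {
    "transitGateways": [{
        "name": "Main-TGW", "account": "Network", "region": "us-east-1",
        "routeTables": [{
            "name": "Blackhole",
            "routes": [
                {"destinationCidrBlock": "10.0.0.0/16", "blackhole": True},
                {"destinationCidrBlock": "10.0.1.0/24",
                 "attachment": {"vpcName": "Shared", "account": "Network"}},
                {"destinationCidrBlock": "10.0.0.0/8",
                 "attachment": {"vpcName": "OnPrem", "account": "Network"}},
            ],
        }],
    }]
}


def validate_route(route):
    """Return a list of problems for one static route entry (empty list means OK)."""
    problems = []
    cidr = route.get("destinationCidrBlock", "")
    try:
        ipaddress.ip_network(cidr, strict=True)  # rejects host bits such as 10.0.0.1/16
    except ValueError:
        problems.append(f"invalid destinationCidrBlock {cidr!r}")
    # A route needs exactly one target: blackhole: true or an attachment, never both/neither.
    if bool(route.get("blackhole")) == ("attachment" in route):
        problems.append("route must have exactly one target: blackhole: true or an attachment")
    return problems


def blackhole_overlaps(route_table):
    """For each blackhole route, list overlapping attachment routes in the same table and
    which prefix wins under longest-prefix matching (a more specific attachment route
    forwards traffic that the coarser blackhole was expected to drop)."""
    routes = route_table["routes"]
    findings = []
    for bh in (r for r in routes if r.get("blackhole")):
        bh_net = ipaddress.ip_network(bh["destinationCidrBlock"])
        for other in (r for r in routes if "attachment" in r):
            net = ipaddress.ip_network(other["destinationCidrBlock"])
            if bh_net.overlaps(net):
                winner = "attachment" if net.prefixlen > bh_net.prefixlen else "blackhole"
                findings.append((str(bh_net), str(net), winner))
    return findings
```

Run it against every route table before committing to the LZA repository; a finding whose winner is "attachment" means that destination is not actually blackholed.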