1

I have 2 aws accounts, where A is connected to On-Prem via transit gateway, and B is connected to A via peering connection. All works fine, thus I have connectivity from A to On-Prem, and from A to B. The challenge is to have connectivity from B to On-Prem without creating yet another transit gateway. Is it possible?

  +---------+
  |         |
  | On-Prem |
  |         |
  +---------+
    |    ^
    v    |
  +--------------------------+
  |          | AWS Account A |
  | AWS TGW  +---------------+
  |          | Peering Conn  |
  +--------------------------+
                     ^      |
                     |      v
             +---------------+
             | Peering Conn  |
             +---------------+
             | AWS Account B |
             +---------------+

It seems I have the routing, SGs, ACLs - all correct but it still doesn't work. Since I cannot see any packet flows on AWS infra it's very difficult to debug. Also I cannot find any documentation which would clearly state whether it's in general possible or not.

Chris Williams
  • 32,215
  • 4
  • 30
  • 68
NarūnasK
  • 4,564
  • 8
  • 50
  • 76

1 Answers1

2

There is only one way to connect cross account using transit gateway and this is by sharing the transit gateway via resource access manager. A prerequisite is that both accounts are under the umbrella of an AWS organisation account.

If you are not able to do this then you either need to create a secondary transit gateway in the other account or create a virtual private gateway in account B and associate it to your AWS Account B VPC.

From here you'd then create your secondary VPN connection.

AWS does not support transitive networking via peering connections. It is a requirement that a traffic packet that reaches the VPC must be terminated in the VPC.

Other solutions people use are:

  • Creating a proxy instance in account A that proxies to instance(s) in account B
  • Creating a Transit VPC (More work and risk that the transit gateway)
Chris Williams
  • 32,215
  • 4
  • 30
  • 68