Hi everyone!
I'm managing a multi-account setup on AWS where we follow a distributed egress model. This means we don't have a default route (0.0.0.0/0) pointing to our Transit Gateway (TGW) in our VPCs. Whenever we attach a new VPC to the TGW, I have to manually go into all existing private subnets of our VPCs and add a route for the new VPC's CIDR, directing it to the local TGW attachment.
While it's manageable with only a few VPCs, it becomes a hassle as we scale up with more accounts and VPCs. I'm looking for a cleaner and more automated approach to handle this. Using Terraform seems ideal, but it poses challenges like cross-account access and can become quite complicated with many accounts involved.
Have any of you found a more elegant or automated solution for this issue? I'd love to hear your experiences!
Thanks a lot!
1 Answer
One possibility is setting a wide entry for your routes, like 10.0.0.0/8. This way, you could have a default route in each VPC going to the TGW, so you wouldn't need to update it every time a new VPC is attached. If it's feasible for you, this could simplify things significantly!
That works well if you have centralized ingress/egress for your infrastructure. We go with a similar approach and default route all traffic to the TGW. Just something to consider if it fits your setup!