Hey everyone,
I'm looking for some advice on managing routes in our AWS multi-account setup, specifically using a distributed egress model where we don't have a default route (0.0.0.0/0) leading to our Transit Gateway (TGW). Whenever we attach a new VPC to the TGW, we have to go into each existing VPC and manually add routes to the new VPC's CIDR. While this process is feasible with a small number of VPCs, it quickly becomes unmanageable and prone to errors as we scale up.
I want to find a clean and scalable automation solution for this task. I considered using Terraform, but I'm concerned about **cross-account access** and the associated complexity as we expand.
Have any of you developed a more elegant or automated approach for this? I'd love to hear your strategies for tackling routing updates at scale. Thanks in advance!
3 Answers
One option is to set up a broad CIDR entry like 10.0.0.0/8 that points to your TGW. This kind of centralized routing could simplify updates since it would minimize the need to individually adjust routes for each new VPC. Just keep in mind that this may not work if you're not using a centralized egress model, but it's a decent alternative if applicable.
Have you considered switching from TGW to VPC Lattice? Depending on your architecture, it might simplify route management and make it easier to maintain.
Consider setting up an EventBridge rule to capture TGW attachment events. Pair that with a Lambda function that:
- Assumes roles into each of your VPC-owning accounts,
- Updates the route tables in the private subnets to include the new VPC CIDR,
- And makes sure the routes point to the correct TGW attachment.
You could also store the mappings in SSM or DynamoDB for centralization, and if needed, break the Lambda function into a Step Functions workflow for scaling.
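As an added example (not code from the original thread or from any of the answerers), here is the EventBridge-to-Lambda flow described in this answer written in Python with boto3. The role name `TgwRouteUpdater`, the `Tier=private` tag used to pick out private-subnet route tables, the `TARGET_ACCOUNTS` mapping (standing in for the SSM/DynamoDB store), the account ids and the sample event are all constructed assumptions; the event shape follows the CloudTrail-sourced "AWS API Call via CloudTrail" record for `CreateTransitGatewayVpcAttachment` as I understand it, so check it against a real event before relying on it. The planning step is kept pure so it can be tested offline, and it refuses to overwrite a route for the same CIDR that already points somewhere else, which is the check you want before a fan-out like this touches every account.

```python
"""Added example: fan a new TGW VPC attachment's CIDR out to private route tables in every account.
Planning logic is pure and testable offline; boto3 is only touched inside the AWS-facing functions."""
import ipaddress
from dataclasses import dataclass, field

ROLE_NAME = "TgwRouteUpdater"      # assumed name of the cross-account role in each VPC-owning account
PRIVATE_TAG = ("Tier", "private")  # assumed tag that marks private-subnet route tables

# Constructed stand-in for the SSM/DynamoDB mapping of account -> region. Also acts as an allowlist:
# the handler will not assume a role into any account that is not listed here. Not real account ids.
TARGET_ACCOUNTS = {"111111111111": "eu-west-1", "222222222222": "eu-west-1", "333333333333": "eu-west-1"}

# Constructed sample event; the shape is an assumption about the CloudTrail-sourced EventBridge
# record ("AWS API Call via CloudTrail") for CreateTransitGatewayVpcAttachment.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "CreateTransitGatewayVpcAttachment",
        "responseElements": {"CreateTransitGatewayVpcAttachmentResponse": {
            "transitGatewayVpcAttachment": {
                "transitGatewayAttachmentId": "tgw-attach-0abc", "transitGatewayId": "tgw-0123",
                "vpcId": "vpc-0abc", "vpcOwnerId": "333333333333"}}},
    },
}


@dataclass
class RoutePlan:
    add: list = field(default_factory=list)         # route tables that need the new route
    already_ok: list = field(default_factory=list)  # route exists and already points at this TGW
    conflicts: list = field(default_factory=list)   # CIDR already routed elsewhere: never overwrite


def parse_attachment_event(event):
    """Return tgw/attachment/vpc ids from the event, or None if it is not a create-attachment call."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateTransitGatewayVpcAttachment":
        return None
    resp = detail["responseElements"]["CreateTransitGatewayVpcAttachmentResponse"]
    att = resp["transitGatewayVpcAttachment"]
    return {"tgw_id": att["transitGatewayId"], "attachment_id": att["transitGatewayAttachmentId"],
            "vpc_id": att["vpcId"], "vpc_owner": att["vpcOwnerId"]}


def plan_route_changes(route_tables, cidr, tgw_id):
    """Decide, per route table, whether cidr -> tgw_id must be added.
    Idempotent on re-runs, and refuses to replace an existing route for the same CIDR that
    targets something else (a NAT gateway, an instance, a different TGW)."""
    net = str(ipaddress.ip_network(cidr))  # rejects malformed or host-bit CIDRs before any API call
    plan = RoutePlan()
    for rt in route_tables:
        existing = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == net]
        if not existing:
            plan.add.append(rt["RouteTableId"])
        elif existing[0].get("TransitGatewayId") == tgw_id:
            plan.already_ok.append(rt["RouteTableId"])
        else:
            plan.conflicts.append(rt["RouteTableId"])
    return plan


def apply_route_changes(ec2, plan, cidr, tgw_id):
    """Create only the routes the plan calls for; returns how many were created."""
    for rt_id in plan.add:
        ec2.create_route(RouteTableId=rt_id, DestinationCidrBlock=cidr, TransitGatewayId=tgw_id)
    return len(plan.add)


def private_route_tables(ec2):
    """Route tables tagged as private in the account the client is bound to (paginate on NextToken for huge accounts)."""
    filters = [{"Name": f"tag:{PRIVATE_TAG[0]}", "Values": [PRIVATE_TAG[1]]}]
    return ec2.describe_route_tables(Filters=filters)["RouteTables"]


def ec2_for_account(sts, account_id, region):
    """Assume ROLE_NAME in the target account and return an EC2 client on those short-lived credentials."""
    import boto3
    creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
                            RoleSessionName="tgw-route-updater")["Credentials"]
    return boto3.client("ec2", region_name=region, aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])


def lambda_handler(event, context=None):
    import boto3  # imported here so the planning functions above run without AWS credentials
    info = parse_attachment_event(event)
    if info is None:
        return {"skipped": "not a CreateTransitGatewayVpcAttachment event"}
    if info["vpc_owner"] not in TARGET_ACCOUNTS:
        return {"skipped": f"owner account {info['vpc_owner']} not in allowlist"}
    sts = boto3.client("sts")
    # The event carries only the VPC id; read its primary CIDR from the owning account.
    owner_ec2 = ec2_for_account(sts, info["vpc_owner"], TARGET_ACCOUNTS[info["vpc_owner"]])
    cidr = owner_ec2.describe_vpcs(VpcIds=[info["vpc_id"]])["Vpcs"][0]["CidrBlock"]
    summary = {}
    for account_id, region in TARGET_ACCOUNTS.items():
        ec2 = ec2_for_account(sts, account_id, region)
        plan = plan_route_changes(private_route_tables(ec2), cidr, info["tgw_id"])
        created = apply_route_changes(ec2, plan, cidr, info["tgw_id"])
        summary[account_id] = {"created": created, "conflicts": plan.conflicts}  # conflicts need a human
    return {"vpc": info["vpc_id"], "cidr": cidr, "accounts": summary}
```

Two caveats worth knowing before wiring this up. VPC route table entries target the TGW id, not the attachment id; the attachment id belongs in the TGW's own route table, so the "correct attachment" check in the answer above is really a check that the target VPC's route points at the right transit gateway. And a VPC can carry secondary CIDRs (`CidrBlockAssociationSet` in `describe_vpcs`), which this example does not fan out; if you use them, loop over the associations rather than reading only `CidrBlock`. The cross-account role should be scoped to `ec2:DescribeRouteTables`, `ec2:DescribeVpcs` and `ec2:CreateRoute`, with a trust policy limited to the Lambda's execution role, so a compromise of the Lambda cannot delete or replace routes.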