I'm working with a distributed egress model in AWS, where there's no default route going to the Transit Gateway (TGW) in my VPCs. Every time I attach a new VPC to the TGW, I have to manually add a route to the new VPC's CIDR in the private subnets of all existing VPCs. This... works for a few VPCs, but as we expand, it's becoming a serious pain and error-prone. I'm eager to find a cleaner, automated solution for this. Terraform could be a potential answer, but it quickly becomes complicated with the need for cross-account access and an assume-role setup across multiple accounts. Have any of you tackled this issue in a more elegant way?
3 Answers
We found a way around similar complexities by creating an opinionated Terraform module that standardizes VPC setups in our organization. It works wonders for keeping routing rules in check without the need for constant hands-on changes. It's worth looking into if you're a smaller team looking to streamline this process.
Consider setting up an EventBridge rule to listen for TGW attachment events. Pair that with a Lambda function to automatically update the route tables in private subnets with the new VPC CIDR. You could also use SSM or DynamoDB for mapping VPC CIDR to ensure everything stays organized. If it gets too big, Step Functions could help manage it all.
Interesting approach! Think it could handle scaling well?
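The EventBridge-plus-Lambda pattern from the answer above, as an added example that is not code from the original thread. It assumes the EventBridge rule is fed from CloudTrail (`eventName: CreateTransitGatewayVpcAttachment`), that the private route tables are tagged `Tier=private`, and that the TGW id arrives via the `TGW_ID` environment variable; the `responseElements` field path, the tag key/value and the sample event and route tables are all constructed assumptions, so verify them against a real event in your account. The planning step is deliberately separated from the AWS calls so it can be run offline and made idempotent: it skips the new VPC's own route tables, skips tables that already have the route (or a summary route such as 10.0.0.0/8 to the TGW that already covers it), and flags tables where the CIDR is already used by something else, which is what you get when two VPCs have overlapping address space.

```python
"""Lambda: add a route for a newly attached VPC's CIDR to every private
route table that forwards to the Transit Gateway (added example)."""
import ipaddress
import os
from typing import Any, Dict, List, Tuple

# Assumptions, not from the original thread: private route tables carry the
# tag Tier=private and the TGW id is provided through the environment.
RT_TAG_KEY = os.environ.get("PRIVATE_RT_TAG_KEY", "Tier")
RT_TAG_VALUE = os.environ.get("PRIVATE_RT_TAG_VALUE", "private")
TGW_ID = os.environ.get("TGW_ID", "tgw-0123456789abcdef0")  # placeholder id


def extract_attachment(event: Dict[str, Any]) -> Tuple[str, str]:
    """Return (attachment_id, vpc_id) from a CloudTrail-sourced EventBridge
    event. The responseElements path is an assumption; check it against a
    real CreateTransitGatewayVpcAttachment record before relying on it."""
    detail = event["detail"]
    if detail.get("eventName") != "CreateTransitGatewayVpcAttachment":
        raise ValueError(f"unexpected eventName {detail.get('eventName')!r}")
    att = (detail["responseElements"]
           ["CreateTransitGatewayVpcAttachmentResponse"]
           ["transitGatewayVpcAttachment"])
    return att["transitGatewayAttachmentId"], att["vpcId"]


def plan_route_updates(route_tables: List[Dict[str, Any]], new_vpc_id: str,
                       new_cidr: str, tgw_id: str) -> List[Tuple[str, str]]:
    """Decide per route table: create / skip-own-vpc / skip-exists /
    skip-covered / conflict. Pure function, safe to run offline."""
    target = ipaddress.ip_network(new_cidr)
    plan: List[Tuple[str, str]] = []
    for rtb in route_tables:
        rtb_id = rtb["RouteTableId"]
        if rtb.get("VpcId") == new_vpc_id:
            plan.append((rtb_id, "skip-own-vpc"))  # its own CIDR is 'local'
            continue
        decision = "create"
        for route in rtb.get("Routes", []):
            dst = route.get("DestinationCidrBlock")
            if not dst:  # IPv6 / prefix-list routes are out of scope here
                continue
            net = ipaddress.ip_network(dst)
            via_tgw = route.get("TransitGatewayId") == tgw_id
            if net == target:
                # Same CIDR already routed: fine if it goes to our TGW,
                # otherwise someone else owns that address space.
                decision = "skip-exists" if via_tgw else "conflict"
                break
            if via_tgw and target.subnet_of(net):
                decision = "skip-covered"  # summary route already covers it
        plan.append((rtb_id, decision))
    return plan


def apply_route_updates(ec2, plan: List[Tuple[str, str]], new_cidr: str,
                        tgw_id: str) -> List[str]:
    """Call CreateRoute only for tables the plan marked 'create'."""
    created = []
    for rtb_id, decision in plan:
        if decision == "create":
            ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock=new_cidr,
                             TransitGatewayId=tgw_id)
            created.append(rtb_id)
    return created


def private_route_tables(ec2) -> List[Dict[str, Any]]:
    """All route tables in this account/region carrying the private tag."""
    tables: List[Dict[str, Any]] = []
    paginator = ec2.get_paginator("describe_route_tables")
    flt = [{"Name": f"tag:{RT_TAG_KEY}", "Values": [RT_TAG_VALUE]}]
    for page in paginator.paginate(Filters=flt):
        tables.extend(page["RouteTables"])
    return tables


def handler(event: Dict[str, Any], context=None, ec2=None) -> Dict[str, Any]:
    """Lambda entry point. `ec2` is injectable so a client built from
    assumed-role credentials (other accounts) or a fake (tests) can be used."""
    if ec2 is None:
        import boto3  # lazy import: planning logic stays testable without it
        ec2 = boto3.client("ec2")
    attachment_id, vpc_id = extract_attachment(event)
    new_cidr = ec2.describe_vpcs(VpcIds=[vpc_id])["Vpcs"][0]["CidrBlock"]
    plan = plan_route_updates(private_route_tables(ec2), vpc_id, new_cidr, TGW_ID)
    created = apply_route_updates(ec2, plan, new_cidr, TGW_ID)
    return {"attachment": attachment_id, "vpc": vpc_id, "cidr": new_cidr,
            "created": created,
            "conflicts": [r for r, d in plan if d == "conflict"]}


# Constructed sample data (not real resources) for an offline dry run.
SAMPLE_EVENT = {"detail": {
    "eventName": "CreateTransitGatewayVpcAttachment",
    "responseElements": {"CreateTransitGatewayVpcAttachmentResponse": {
        "transitGatewayVpcAttachment": {
            "transitGatewayAttachmentId": "tgw-attach-0new", "vpcId": "vpc-0new"}}}}}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-a", "VpcId": "vpc-1", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
    {"RouteTableId": "rtb-b", "VpcId": "vpc-2", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.3.0.0/16", "TransitGatewayId": TGW_ID}]},
    {"RouteTableId": "rtb-c", "VpcId": "vpc-3", "Routes": [
        {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": TGW_ID}]},
    {"RouteTableId": "rtb-d", "VpcId": "vpc-4", "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-n", "VpcId": "vpc-0new", "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local"}]},
]


def dry_run() -> List[Tuple[str, str]]:
    """Plan against the constructed tables; nothing is called in AWS."""
    return plan_route_updates(SAMPLE_ROUTE_TABLES, "vpc-0new", "10.3.0.0/16", TGW_ID)
```

Because the plan is computed before anything is written, the Lambda can be re-invoked safely (EventBridge delivers at least once) and a table whose CIDR is already taken surfaces as a conflict instead of a silent `RouteAlreadyExists` failure. For VPCs in other accounts, build the `ec2` client from `sts.assume_role` credentials per account and pass it into `handler`; the same rule-driven entry point then replaces the cross-account Terraform plumbing the question mentions.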
Instead of constantly updating routes, why not set a wide entry like 10.0.0.0/8? If all your VPCs route to the TGW from a central point, you won't need to make constant updates. Sure, if central egress isn't your model, it might not fit perfectly, but even using RFC1918 addressing could simplify things while keeping flexibility for specific routes within individual VPCs.
That does make sense! A centralized system can definitely cut down on the maintenance. But I understand it might not work for everyone's setup.
Totally! Using such modules can really help enforce best practices and minimize errors.