managed prefix list not supported by transit gateway route table entry. #525

yaolu-dtp opened this issue Aug 6, 2024 · 0 comments
Labels: bug (Something isn't working)
Describe the bug
I am reporting this as a bug since it is kind of unexpected not to support the AWS-managed prefix list.

The transit gateway in AWS supports prefix list reference for the AWS-managed prefixes. As shown in the following screenshot.
[Screenshot 2024-08-07 at 8:23:07 AM]

This is necessary to support centralized endpoint VPC as far as I understand, as shown in the example


In this example, the route table attached to the TGW is empty though.

However, it is not supported by LZA as far as I can tell. I can't find any reference in
https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/v1.6.0/classes/_aws_accelerator_config.TransitGatewayConfig.html

I don't see managed prefix list supported in snapshot test either - https://github.com/awslabs/landing-zone-accelerator-on-aws/blob/76117a978937ea8c7a5d1e58e2c3e2b2584ec0ba/source/packages/%40aws-accelerator/constructs/test/aws-ec2/__snapshots__/transit-gateway-prefix-list-reference.test.ts.snap

To Reproduce
Steps to reproduce the behavior.

Code tested:

```yaml
transitGateways:
  - name: Network-Main
    account: SharedNetworkService
    region: *HOME_REGION
    shareTargets:
      organizationalUnits:
        - Infrastructure
    asn: xxxxxxxx
    vpnEcmpSupport: enable
    defaultRouteTableAssociation: disable
    defaultRouteTablePropagation: disable
    autoAcceptSharingAttachments: enable
    routeTables: # Refer to https://aws.amazon.com/blogs/networking-and-content-delivery/deploy-centralized-traffic-filtering-using-aws-network-firewall/
      - name: Network-Main-Core
        routes: # Add other VPCs as well.
        - destinationCidrBlock: 0.0.0.0/0
          attachment:
            vpcName: Network-Centralized-Egress
            account: SharedNetworkService
        - destinationPrefixList: com.amazonaws.ap-southeast-2.s3
          attachment:
            vpcName: Network-Endpoints
            account: SharedNetworkService
        - destinationPrefixList: com.amazonaws.ap-southeast-2.dynamodb
          attachment:
            vpcName: Network-Endpoints
            account: SharedNetworkService
      - name: Network-Main-Inspection
        routes:
        - destinationCidrBlock: 0.0.0.0/0
          attachment:
            vpcName: Network-Inspection
            account: SharedNetworkService
      - name: Network-Main-Segregated
        routes: []
      - name: Network-Main-Shared
        routes: []
      - name: Network-Main-Standalone
        routes: []
```

Error I got:

```text
2024-08-07 08:34:04.539 | warn | config-validator | Config file validation failed !!!
2024-08-07 08:34:04.542 | warn | config-validator | network-config.yaml has 6 issues:
[Transit gateway Network-Main route table Network-Main-Core]: prefix list "com.amazonaws.ap-southeast-2.s3" not found
[Transit gateway Network-Main route table Network-Main-Core]: prefix list "com.amazonaws.ap-southeast-2.s3" is not deployed to the same account as the TGW
[Transit gateway Network-Main route table Network-Main-Core]: prefix list "com.amazonaws.ap-southeast-2.s3" is not deployed to the same region as the TGW
[Transit gateway Network-Main route table Network-Main-Core]: prefix list "com.amazonaws.ap-southeast-2.dynamodb" not found
[Transit gateway Network-Main route table Network-Main-Core]: prefix list "com.amazonaws.ap-southeast-2.dynamodb" is not deployed to the same account as the TGW
[Transit gateway Network-Main route table Network-Main-Core]: prefix list "com.amazonaws.ap-southeast-2.dynamodb" is not deployed to the same region as the TGW
error Command failed with exit code 1.
```

Expected behavior

AWS managed prefix lists supported by TGW in LZA.

Please complete the following information about the solution:

  • Version: [v1.8.1]


  • Region: [ap-southeast-2]
  • Was the solution modified from the version published on this repository? - No
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses?
  • Were there any errors in the CloudWatch Logs?

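The six validator lines in the report come in groups of three per route, which is what a name-based lookup produces when the referenced name is absent from the customer-defined `prefixLists` section: the "not found" message, followed by account and region checks that cannot succeed against a missing entry. The following stand-alone Python is an added illustration of that behaviour and of the special-casing an AWS-managed name such as `com.amazonaws.ap-southeast-2.s3` would need; it is not LZA's validator and makes no claim about LZA internals. It assumes the `prefixLists` entries carry `accounts` and `regions` deployment targets, takes `*HOME_REGION` in the report's config to be `ap-southeast-2`, and adds a hypothetical customer-defined list named `Network-Endpoints-PL` to show the passing case. The config is embedded as a constructed Python dict so the script runs offline.

```python
"""Illustration of a name-based destinationPrefixList check and of an
AWS-managed prefix list special case. Added example; not LZA code."""
import re

# AWS-managed prefix lists are named com.amazonaws.<region>.<service>, e.g.
# com.amazonaws.ap-southeast-2.s3. Only region-scoped names are matched here;
# global ones (com.amazonaws.global.*) are deliberately left out.
AWS_MANAGED_PL = re.compile(
    r"^com\.amazonaws\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.(?P<service>[a-z0-9.-]+)$"
)


def is_aws_managed_prefix_list(name: str) -> bool:
    """True when the name follows the AWS-managed prefix list naming scheme."""
    return AWS_MANAGED_PL.match(name) is not None


def validate_tgw_prefix_list_routes(config: dict, allow_aws_managed: bool = False) -> list:
    """Return one message per failed check for TGW routes using destinationPrefixList.

    Customer-defined lists are resolved by name from config["prefixLists"] and must
    be deployed to the TGW's account and region. With allow_aws_managed=True a name
    matching the AWS-managed scheme is accepted when its region equals the TGW
    region (managed lists are regional resources).
    """
    issues = []
    customer_pls = {pl["name"]: pl for pl in config.get("prefixLists", [])}
    for tgw in config.get("transitGateways", []):
        for rt in tgw.get("routeTables", []):
            where = f'[Transit gateway {tgw["name"]} route table {rt["name"]}]'
            for route in rt.get("routes", []):
                name = route.get("destinationPrefixList")
                if name is None:
                    continue  # destinationCidrBlock routes are not part of this check
                managed = AWS_MANAGED_PL.match(name)
                if allow_aws_managed and managed:
                    if managed.group("region") != tgw["region"]:
                        issues.append(
                            f'{where}: AWS-managed prefix list "{name}" belongs to '
                            f'{managed.group("region")}, not the TGW region {tgw["region"]}'
                        )
                    continue
                pl = customer_pls.get(name)
                # Account and region are checked even when the lookup failed; this
                # reproduces the three-lines-per-name pattern seen in the report
                # (an inference from that output, not a statement about LZA).
                if pl is None:
                    issues.append(f'{where}: prefix list "{name}" not found')
                if pl is None or tgw["account"] not in pl.get("accounts", []):
                    issues.append(f'{where}: prefix list "{name}" is not deployed to the same account as the TGW')
                if pl is None or tgw["region"] not in pl.get("regions", []):
                    issues.append(f'{where}: prefix list "{name}" is not deployed to the same region as the TGW')
    return issues


# Constructed sample: the TGW from the report with *HOME_REGION taken as
# ap-southeast-2, plus one hypothetical customer-defined list (Network-Endpoints-PL).
SAMPLE_CONFIG = {
    "prefixLists": [
        {
            "name": "Network-Endpoints-PL",  # hypothetical
            "accounts": ["SharedNetworkService"],
            "regions": ["ap-southeast-2"],
            "addressFamily": "IPv4",
            "maxEntries": 10,
            "entries": ["10.10.0.0/16"],  # constructed CIDR
        }
    ],
    "transitGateways": [
        {
            "name": "Network-Main",
            "account": "SharedNetworkService",
            "region": "ap-southeast-2",
            "routeTables": [
                {
                    "name": "Network-Main-Core",
                    "routes": [
                        {"destinationCidrBlock": "0.0.0.0/0"},
                        {"destinationPrefixList": "com.amazonaws.ap-southeast-2.s3"},
                        {"destinationPrefixList": "com.amazonaws.ap-southeast-2.dynamodb"},
                        {"destinationPrefixList": "Network-Endpoints-PL"},
                    ],
                },
                {"name": "Network-Main-Inspection", "routes": [{"destinationCidrBlock": "0.0.0.0/0"}]},
                {"name": "Network-Main-Segregated", "routes": []},
            ],
        }
    ],
}

if __name__ == "__main__":
    for line in validate_tgw_prefix_list_routes(SAMPLE_CONFIG):
        print(line)  # six lines, matching the shape of the report's output
    print("with managed names allowed:", validate_tgw_prefix_list_routes(SAMPLE_CONFIG, True))
```

Run with the default setting it emits six lines for the two managed names and nothing for the customer-defined list; with `allow_aws_managed=True` the managed names pass the region check and the output is empty. The region comparison is the one check that still matters for a managed list, since `com.amazonaws.ap-southeast-2.s3` cannot be referenced by a TGW in another region.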
