AWSTemplateFormatVersion: 2010-09-09 Description: The template creates the TGW resource to connect on-premises firewall with cloud (qs-1qp7e9toe) Parameters: PrivateSubnet1ARouteTable: Type: String Description: Public Subnet 1 Route Table ID PrivateSubnet2ARouteTable: Type: String Description: Public Subnet 2 Route Table ID PrivateSubnet3ARouteTable: Type: String Default: 'null' Description: Public Subnet 3 Route Table ID PrivateSubnet4ARouteTable: Type: String Default: 'null' Description: Public Subnet 4 Route Table ID OnPremFirewallPublicIP: Description: Specify the Public IP of the on-premises ASAv/router Type: String OnPremFirewallASN: Description: Specify the BGP ASN of the on-premisis ASAv/router Type: String PreSharedKeyForVPNAttachment: Description: Specify the PreSharedKey of vEdgeCloud1. Must be 15 characters in length and cannot start with zero (0). Type: String AmazonSideAsn: Description: A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs. Type: String VPNTunnelCIDRs: Description: Specify the Tunnel InsideCIDRs for the on-premises firewall. You can use the default pre-filled CIDRs as well. Type: CommaDelimitedList VPCID: Type: AWS::EC2::VPC::Id Description: Select VPC which for VPC Attachment TGWSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: CIDR block for TGW subnet 1 located in Availability Zone 1 Type: String TGWSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: CIDR block for TGW subnet 2 located in Availability Zone 1 Type: String TGWSubnet3CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: CIDR block for TGW subnet 3 located in Availability Zone 1 Type: String TGWSubnet4CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: CIDR block for TGW subnet 4 located in Availability Zone 1 Type: String VPNPoolCIDR1: Description: CIDR block for the VPN pool 1 Type: String VPNPoolCIDR2: Description: CIDR block for the VPN pool 2 Type: String VPNPoolCIDR3: Description: CIDR block for the VPN pool 3 Type: String VPNPoolCIDR4: Description: CIDR block for the VPN pool 4 Type: String OnPremCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: CIDR block for the On-prem network Type: String AvailabilityZones: Description: >- List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved and only 2 AZs are used for this deployment. Type: 'List' NumberOfAZs: Description: >- Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. Type: String NumberOfASAv: Description: >- Number of ASAv Instances to be initiated. Type: String NetworkInterfaceId1ASAv1: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv1 for 1 ASAv deployment NetworkInterfaceId1ASAv2: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv1 for 2 ASAv deployment NetworkInterfaceId2ASAv2: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv2 for 2 ASAv deployment NetworkInterfaceId1ASAv3: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv1 for 3 ASAv deployment NetworkInterfaceId2ASAv3: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv2 for 3 ASAv deployment NetworkInterfaceId3ASAv3: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv3 for 3 ASAv deployment NetworkInterfaceId1ASAv4: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv1 for 4 ASAv deployment NetworkInterfaceId2ASAv4: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv2 for 4 ASAv deployment NetworkInterfaceId3ASAv4: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv3 for 4 ASAv deployment NetworkInterfaceId4ASAv4: Type: String Default: 'null' Description: NetworkInterfaceId of ASAv4 for 4 ASAv deployment QSS3BucketName: AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" ConstraintDescription: >- Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Description: >- S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3KeyPrefix: AllowedPattern: "^[0-9a-zA-Z-/]*$" ConstraintDescription: >- Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Description: >- S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String QSS3BucketRegion: Description: >- The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. Type: String Conditions: UsingDefaultBucket: !Equals - !Ref QSS3BucketName - aws-quickstart 1AZCondition: !Equals - !Ref 'NumberOfAZs' - '1' 2AZCondition: !Equals - !Ref 'NumberOfAZs' - '2' 3AZCondition: !Equals - !Ref 'NumberOfAZs' - '3' 4AZCondition: !Equals - !Ref 'NumberOfAZs' - '4' #Subnet conditions to specifically handle TGW Subnet Resource constraints 1SubnetCondition: !Or - !Equals - !Ref 'NumberOfAZs' - '1' - !Condition 2SubnetCondition - !Condition 3SubnetCondition - !Condition 4SubnetCondition 2SubnetCondition: !Or - !Equals - !Ref 'NumberOfAZs' - '2' - !Condition 3SubnetCondition - !Condition 4SubnetCondition 3SubnetCondition: !Or - !Equals - !Ref 'NumberOfAZs' - '3' - !Condition 4SubnetCondition 4SubnetCondition: !Equals - !Ref 'NumberOfAZs' - '4' 1ASAvCondition: !Equals - !Ref 'NumberOfASAv' - '1' 2ASAvCondition: !Equals - !Ref 'NumberOfASAv' - '2' 3ASAvCondition: !Equals - !Ref 'NumberOfASAv' - '3' 4ASAvCondition: !Equals - !Ref 'NumberOfASAv' - '4' Resources: #------------------ TGW Subnets and Routes ------------------------------------------- TGWSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPCID' CidrBlock: !Ref 'TGWSubnet1CIDR' AvailabilityZone: !Select - '0' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: TGW subnet 1 TGWSubnet2: Condition: 2SubnetCondition Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPCID' CidrBlock: !Ref 'TGWSubnet2CIDR' AvailabilityZone: !Select - '1' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: TGW subnet 2 TGWSubnet3: Condition: 3SubnetCondition Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPCID' CidrBlock: !Ref 'TGWSubnet3CIDR' AvailabilityZone: !Select - '2' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: TGW subnet 3 TGWSubnet4: Condition: 4AZCondition Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPCID' CidrBlock: !Ref 'TGWSubnet4CIDR' AvailabilityZone: !Select - '3' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: TGW subnet 4 TGWSubnetRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPCID' Tags: - Key: Name Value: TGW subnets route table TGWSubnet1Route: Condition: 1ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR1 NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv1 TGWSubnet1Route2ASAv: Condition: 2ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR1 NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv2 TGWSubnet1Route3ASAv: Condition: 3ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR1 NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv3 TGWSubnet1Route4ASAv: Condition: 4ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR1 NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv4 TGWSubnet1AZRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'TGWSubnet1' RouteTableId: !Ref 'TGWSubnetRouteTable' TGWSubnet2Route: Condition: 2ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR2 NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv2 TGWSubnet2Route3ASAv: Condition: 3ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR2 NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv3 TGWSubnet2Route4ASAv: Condition: 4ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR2 NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv4 TGWSubnet2AZRouteTableAssociation: Condition: 2SubnetCondition Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'TGWSubnet2' RouteTableId: !Ref 'TGWSubnetRouteTable' TGWSubnet3Route: Condition: 3ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR3 NetworkInterfaceId: !Ref NetworkInterfaceId3ASAv3 TGWSubnet3Route4ASAv: Condition: 4ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR3 NetworkInterfaceId: !Ref NetworkInterfaceId3ASAv4 TGWSubnet3AZRouteTableAssociation: Condition: 3SubnetCondition Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'TGWSubnet3' RouteTableId: !Ref 'TGWSubnetRouteTable' TGWSubnet4Route: Condition: 4ASAvCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'TGWSubnetRouteTable' DestinationCidrBlock: !Ref VPNPoolCIDR4 NetworkInterfaceId: !Ref NetworkInterfaceId4ASAv4 TGWSubnet4AZRouteTableAssociation: Condition: 4SubnetCondition Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'TGWSubnet4' RouteTableId: !Ref 'TGWSubnetRouteTable' #------------------ Transit Gateway ------------------------------------------- TransitGateway: Type: "AWS::EC2::TransitGateway" Properties: AmazonSideAsn: !Ref AmazonSideAsn AutoAcceptSharedAttachments: enable DefaultRouteTableAssociation: disable DefaultRouteTablePropagation: disable Description: A transit gateway connect onpremsised with AWS Tags: - Key: Name Value: !Sub ${AWS::StackName}-TGW #------------------ Copy lambda stack into local S3 bucket ------------------------------------------------ CopyLambdaStack: Type: AWS::CloudFormation::Stack Properties: #TemplateURL: !Sub "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/copy-lambdas.yaml" TemplateURL: !Sub - >- https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/copy-lambdas.yaml - S3Region: !If - UsingDefaultBucket - !Ref 'AWS::Region' - !Ref QSS3BucketRegion S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix ##------------------ Custom Resource lambda to get the various TGW properties needed ------------------------------------------- LambdaBasicExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Condition: {} Path: / Policies: - PolicyName: !Sub ${AWS::StackName}-tgwDescribe PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub arn:${AWS::Partition}:logs:*:*:* - Effect: Allow Action: - ec2:DescribeVpnConnections - ec2:DescribeTransitGatewayRouteTables - ec2:DescribeTransitGatewayAttachments Resource: "*" TransitGatewayProperties: Type: Custom::TransitGatewayProperty Properties: ServiceToken: !GetAtt 'TransitGatewayLambda.Arn' vpn_id: !Ref VPNAttachment stackName: !Ref "AWS::StackName" TransitGatewayLambda: Type: AWS::Lambda::Function Properties: Handler: getTgwProperties/lambda_function.lambda_handler Timeout: 60 Role: !GetAtt 'LambdaBasicExecutionRole.Arn' Runtime: python3.6 Code: S3Bucket: !GetAtt 'CopyLambdaStack.Outputs.LambdaZipsBucket' S3Key: !Sub "${QSS3KeyPrefix}functions/packages/lambda.zip" MemorySize: 3008 #------------------ TGW Route Tables and Routes ------------------------------------------- TransitGatewaySecurityRouteTable: Type: "AWS::EC2::TransitGatewayRouteTable" Properties: Tags: - Key: Name Value: !Sub ${AWS::StackName}-Securityrtb TransitGatewayId: !Ref TransitGateway TransitGatewayVPNRoute: Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref OnPremCIDR TransitGatewayAttachmentId: !GetAtt TransitGatewayProperties.vpn1_tgw_attachment_id TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute1: Condition: 1ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR1 TransitGatewayAttachmentId: !Ref VPCAttachment1AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute2a: Condition: 2ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR1 TransitGatewayAttachmentId: !Ref VPCAttachment2AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute2b: Condition: 2ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR2 TransitGatewayAttachmentId: !Ref VPCAttachment2AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute3a: Condition: 3ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR1 TransitGatewayAttachmentId: !Ref VPCAttachment3AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute3b: Condition: 3ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR2 TransitGatewayAttachmentId: !Ref VPCAttachment3AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute3c: Condition: 3ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR3 TransitGatewayAttachmentId: !Ref VPCAttachment3AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute4a: Condition: 4ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR1 TransitGatewayAttachmentId: !Ref VPCAttachment4AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute4b: Condition: 4ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR2 TransitGatewayAttachmentId: !Ref VPCAttachment4AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute4c: Condition: 4ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR3 TransitGatewayAttachmentId: !Ref VPCAttachment4AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewayVPNPoolRoute4d: Condition: 4ASAvCondition Type: AWS::EC2::TransitGatewayRoute Properties: DestinationCidrBlock: !Ref VPNPoolCIDR4 TransitGatewayAttachmentId: !Ref VPCAttachment4AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable TransitGatewaySpokeRouteTable: Type: "AWS::EC2::TransitGatewayRouteTable" Properties: Tags: - Key: Name Value: !Sub ${AWS::StackName}-Spokertb TransitGatewayId: !Ref TransitGateway #------------------ TGW VPN attachment ------------------------------------------- CustomerGateway: Type: AWS::EC2::CustomerGateway Properties: Type: ipsec.1 BgpAsn: !Ref OnPremFirewallASN IpAddress: !Ref OnPremFirewallPublicIP Tags: - Key: Name Value: !Sub "${AWS::StackName}-On-Premgateway" VPNAttachment: Type: AWS::EC2::VPNConnection Properties: CustomerGatewayId: !Ref CustomerGateway TransitGatewayId: !Ref TransitGateway Type: ipsec.1 VpnTunnelOptionsSpecifications: - PreSharedKey: !Ref PreSharedKeyForVPNAttachment TunnelInsideCidr: !Select [0, !Ref VPNTunnelCIDRs] - PreSharedKey: !Ref PreSharedKeyForVPNAttachment TunnelInsideCidr: !Select [1, !Ref VPNTunnelCIDRs] Tags: - Key: Name Value: !Sub "${AWS::StackName}-VPNAttachment" #------------------ TGW VPC attachments ------------------------------------------- VPCAttachment1AZ: Condition: 1AZCondition Type: AWS::EC2::TransitGatewayAttachment Properties: SubnetIds: - !Ref TGWSubnet1 Tags: - Key: Name Value: !Sub "${AWS::StackName}-VPCAttachment" TransitGatewayId: !Ref TransitGateway VpcId: !Ref VPCID VPCAttachment2AZ: Condition: 2AZCondition Type: AWS::EC2::TransitGatewayAttachment Properties: SubnetIds: - !Ref TGWSubnet1 - !Ref TGWSubnet2 Tags: - Key: Name Value: !Sub "${AWS::StackName}-VPCAttachment" TransitGatewayId: !Ref TransitGateway VpcId: !Ref VPCID VPCAttachment3AZ: Condition: 3AZCondition Type: AWS::EC2::TransitGatewayAttachment Properties: SubnetIds: - !Ref TGWSubnet1 - !Ref TGWSubnet2 - !Ref TGWSubnet3 Tags: - Key: Name Value: !Sub "${AWS::StackName}-VPCAttachment" TransitGatewayId: !Ref TransitGateway VpcId: !Ref VPCID VPCAttachment4AZ: Condition: 4AZCondition Type: AWS::EC2::TransitGatewayAttachment Properties: SubnetIds: - !Ref TGWSubnet1 - !Ref TGWSubnet2 - !Ref TGWSubnet3 - !Ref TGWSubnet4 Tags: - Key: Name Value: !Sub "${AWS::StackName}-VPCAttachment" TransitGatewayId: !Ref TransitGateway VpcId: !Ref VPCID #------------------ TGW route table associations ------------------------------------------- CustomerGatewayTransitGatewayAssociation: Type: "AWS::EC2::TransitGatewayRouteTableAssociation" Properties: TransitGatewayAttachmentId: !GetAtt TransitGatewayProperties.vpn1_tgw_attachment_id TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable #The VPC association works VPCTransitGatewayAssociation1AZ: Condition: 1AZCondition Type: "AWS::EC2::TransitGatewayRouteTableAssociation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment1AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable VPCTransitGatewayAssociation2AZ: Condition: 2AZCondition Type: "AWS::EC2::TransitGatewayRouteTableAssociation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment2AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable VPCTransitGatewayAssociation3AZ: Condition: 3AZCondition Type: "AWS::EC2::TransitGatewayRouteTableAssociation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment3AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable VPCTransitGatewayAssociation4AZ: Condition: 4AZCondition Type: "AWS::EC2::TransitGatewayRouteTableAssociation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment4AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable #------------------ TGW route table propagations ------------------------------------------- EdgeRouteTablePropagation1AZ: Condition: 1AZCondition Type: "AWS::EC2::TransitGatewayRouteTablePropagation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment1AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable EdgeRouteTablePropagation2AZ: Condition: 2AZCondition Type: "AWS::EC2::TransitGatewayRouteTablePropagation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment2AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable EdgeRouteTablePropagation3AZ: Condition: 3AZCondition Type: "AWS::EC2::TransitGatewayRouteTablePropagation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment3AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable EdgeRouteTablePropagation4AZ: Condition: 4AZCondition Type: "AWS::EC2::TransitGatewayRouteTablePropagation" Properties: TransitGatewayAttachmentId: !Ref VPCAttachment4AZ TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable RouteTableEntryPrivate1: Type: AWS::EC2::Route DependsOn: TransitGatewayVPNRoute Properties: DestinationCidrBlock: !Ref OnPremCIDR RouteTableId: !Ref PrivateSubnet1ARouteTable TransitGatewayId: !Ref TransitGateway RouteTableEntryPrivate2: Condition: 2SubnetCondition Type: AWS::EC2::Route DependsOn: TransitGatewayVPNRoute #DependsOn: VPCAttachment2AZ Properties: DestinationCidrBlock: !Ref OnPremCIDR RouteTableId: !Ref PrivateSubnet2ARouteTable TransitGatewayId: !Ref TransitGateway RouteTableEntryPrivate3: Condition: 3SubnetCondition DependsOn: TransitGatewayVPNRoute #DependsOn: VPCAttachment3AZ Type: AWS::EC2::Route Properties: DestinationCidrBlock: !Ref OnPremCIDR RouteTableId: !Ref PrivateSubnet3ARouteTable TransitGatewayId: !Ref TransitGateway RouteTableEntryPrivate4: Condition: 4SubnetCondition Type: AWS::EC2::Route DependsOn: TransitGatewayVPNRoute #DependsOn: VPCAttachment4AZ Properties: DestinationCidrBlock: !Ref OnPremCIDR RouteTableId: !Ref PrivateSubnet4ARouteTable TransitGatewayId: !Ref TransitGateway Outputs: TransitGateway: Value: !Ref TransitGateway Export: Name: !Sub ${AWS::StackName}-TransitGateway AmazonSideAsn: Description: "Amazon side ASN for the BGP session" Value: !Ref AmazonSideAsn VPNTunnelInsideCIDRs: Description: "VPN Tunnel CIDRs" Value: !Join - ',' - !Ref VPNTunnelCIDRs Export: Name: !Sub ${AWS::StackName}-VPNTunnelInsideCIDRs VPNTunnelOutsideIPs: Description: "VPN Tunnel Outside IP" Value: !Join - ',' - !GetAtt TransitGatewayProperties.vpn0OutsideIps Export: Name: !Sub ${AWS::StackName}-VPNTunnelOutsideIPs VPNPreSharedKey: Description: "VPN IPsec PreSharedKey" Value: !Ref PreSharedKeyForVPNAttachment Export: Name: !Sub ${AWS::StackName}-PreSharedKey