How to use Amazon Web Services Network Manager to visualize Transit Gateways across multiple accounts in the Amazon Web Services Organization

When you migrate or build a new applications in Amazon Web Services, you must connect multiple Amazon Virtual Private Clouds (Amazon VPCs) spread across different accounts and your on-premises systems with these VPCs. Amazon Web Services Transit Gateway is one of the most popular and commonly used services in these scenarios. When you want communication/isolation between VPCs, and they also require communication between VPCs and on-premises systems (leveraging Amazon Web Services Direct Connect and/or VPN connection), Transit Gateway acts as a centralized router.

Most enterprises today have resources that span across multiple geographies, and use multiple Transit Gateways across various Amazon Web Services Regions and accounts. Hence, you need the ability to visualize and monitor Transit Gateway network to understand existing inventory. This visibility helps you make informed decisions related to changes in architecture, troubleshooting, and helping new team members ramp up the way that existing Transit Gateway network is setup. Amazon Web Services Network Manager provides centralized network monitoring, global network visibility, and a unified interface to manage your global network across Amazon Web Services and on-premises locations. Until May’22, you could use Network Manager to monitor and visualize your global network for a single Amazon Web Services account. With the launch of multi-account support, Network Manager extends its management capabilities to work across multiple accounts.

In this post, you’ll learn how to use Amazon Web Services Network Manager to monitor your Transit Gateways spread across multiple accounts within an Amazon Web Services Organization . You can now register Transit Gateways from different accounts and define on-premises resources to have a global network visibility, as well as monitor the quality of your global network, both in Amazon Web Services and on-premises from the Amazon Web Services Network Manager dashboard.

You’ll learn how to configure Amazon Web Services Network Manager, register your Transit Gateways across various accounts, and visualize them.

Solution overview

The following diagram shows a high-level overview of the Transit Gateway network spread across multiple accounts. You must register all of the Transit Gateways within an Organization to visualize them in Network Manager.

Figure 1 – Multi Account Transit Gateway Topology

In this diagram, we have VPCs located across multiple Regions (ap-south-1 and ap-southeast-1). This is a multi-account setup with Organizations, where staging and Dev accounts are located in ap-sputheast-1 and the prod account is located in ap-south-1. All three accounts have a Transit Gateway with respective VPC attachments. Transit Gateways are also peered together to facilitate inter-Region connectivity between VPCs.

You must complete the following steps to integrate all of the Transit Gateways in Network Manager before you can visualize them:

1. Create a global network
2. Enable multi-account access
3. Register your transit gateway
4. View and monitor your global network

Prerequisites

Before you begin, make sure that you have a Transit Gateway with attachments in your account or in any account within your organization.

A. Create a global network

Create a global network as a container for your transit gateway.

To create a global network

1. Open the Network Manager console here .
2. In the left navigation pane, choose Global networks .
3. Select Create global network .
4. Enter a name and optional description for the global network, and choose Next

Figure 2 – Creating Global Network

5. In the next screen, deselect the “Add core network in your global network”, and choose Next.
6. Finally, review and choose Create global network .

Figure 3 – Creating Global Network

B. Enable multi-account access

Enable multi-account access to register Transit Gateways from multiple accounts. This let s you view and manage Transit Gateways and associated resources from those registered accounts in your global network. Onboarding to Organizations is a prerequisite for enabling multi-account access for Network Manager. You can enable multi-account access on the Network Manager console.

Figure 4 – Enabling multi-account support

A delegated administrator account for the Network Manager service can leverage the service-linked role (SLR) in the member accounts that were deployed when trusted access was enabled. Furthermore, they can view Transit Gateways from other member accounts and can register them to their global network. This allows Transit Gateways and associated resources to appear in their global network topology.

For more information on enabling trusted access and registering delegated administrators, see Multi-account .

Figure 5 – Registering delegated administrator

C. Register your Transit Gateway

Now, we’ll register a Transit Gateway in your global network. With multi-account enabled, you can register Transit Gateways from multiple accounts to your global network. For more information on registering Transit Gateways, see Transit Gateway registrations .

To register the Transit Gateway

1. On the Global networks page, choose the global network ID (this is the same entity that you created in Step 1).
2. In the left navigation pane, choose Transit gateways , and then choose Register transit gateway .
3. From the Select account dropdown list, choose the account (from the list) from which you want to register the Transit Gateway.
4. Select one or more Transit Gateways from the list, and then choose Register transit gateway . In our example, we’ve selected all of the Transit Gateways shown in the diagram.

Figure 6 – Transit Gateway registration

D. View and monitor your global network

The Network Manager console provides a dashboard for you to view and monitor both of your Transit Gateway network objects in your global network.

To access the dashboard for your global network

1. On the Global networks page, choose the global network ID.
2. Choose the Overview tab to visualize your Transit Gateway on the world map.

Figure 7 – Geographical View

3. Choose the Topology graph to visualize your Transit Gateway network.

Figure 8 – Topographical View

4. Choose the Topology tree to visualize your Transit Gateway network. For more information about the pages in the dashboard, see Visualize transit gateway networks .

Figure 9 – Topology Tree View

Conclusion

This post showed you how to configure Amazon Web Services Network Manager to visualize all of the Transit Gateways in your Organization. This feature reduces the operational complexity of managing a large global network across Amazon Web Services accounts over a single unified operational dashboard.

Additional reading

For more information about Amazon Web Services Network Manager, see the following:

• Build Global Networks and Centralize Monitoring Using Network Manager
• How Amazon Web Services Network Manager works