How to share an AWS Virtual Private Gateway via Transit Gateway


I have 2 AWS Accounts, A & B. Account A has a Site-to-Site VPN connection with an on-prem infrastructure and it is using a Virtual Private Gateway and a Customer Gateway as usual. I have configured all Subnets in Account "A" with a route to the on-prem CIDR (on-prem CIDR -> virtual private gateway). Now I would like to allow my AWS Account "B" subnets to have access to this on-prem network via my AWS Account "A". How to achieve that?

I already tried updating the existing VPC Peering I have between AWS "A" and "B", and I tried to enable "propagate: true" in the AWS "A" route tables. I have also tried to create a Transit Gateway in AWS "A", share it with AWS "B" and then create static routes in the Transit Gateway to route traffic to the on-prem CIDR.

None of that is working. What is the best way to share a Virtual Private Gateway with other AWS Accounts?

Regards!


VPCs are non-transitive. If you'd like to share the VPN connection, I suggest terminating it on a Transit Gateway.

  1. Create a Transit Gateway in either of the two accounts.
  2. Create a VPN attachment on the Transit Gateway.
  3. Share the Transit Gateway with the second account.
  4. Attach the VPCs in both accounts to the Transit Gateway.
  5. Ensure that the route table on the Transit Gateway has a route to the on-premises CIDR via the VPN attachment.
  6. Ensure that the VPCs in both accounts have routes to the on-premises CIDR via the Transit Gateway attachment.
  7. Ensure Security Groups don't block your traffic.
  8. Enable route propagation from the VPC attachments to the Transit Gateway.
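The eight steps above written out as one Terraform configuration. This is an added example, not code from the original answer or from AWS. It assumes account A is the default `aws` provider and owns the Transit Gateway and the VPN, account B is reached through a provider alias `aws.b`, and every account number, CIDR, profile name, VPC, subnet and route table ID is a hypothetical placeholder.

```hcl
# Added example, not code from the original answer. Account A uses the
# default provider and owns the TGW and VPN; account B uses the alias aws.b.
# Every ID, CIDR, profile name and account number is a hypothetical placeholder.
variable "account_b_id"  { default = "222222222222" }
variable "onprem_cidr"   { default = "10.100.0.0/16" }
variable "onprem_cgw_ip" { default = "203.0.113.10" } # public IP of the on-prem VPN device
variable "vpc_a" { default = { id = "vpc-0aaa", rtb = "rtb-0aaa", subnets = ["subnet-0aa1", "subnet-0aa2"] } }
variable "vpc_b" { default = { id = "vpc-0bbb", rtb = "rtb-0bbb", subnets = ["subnet-0bb1", "subnet-0bb2"] } }

provider "aws" {
  region = "eu-west-1"            # account A
}
provider "aws" {
  alias   = "b"
  region  = "eu-west-1"
  profile = "account-b"           # credentials for account B
}

# Step 1: the hub TGW lives in account A. Shared attachments are not
# auto-accepted, so account A explicitly approves what gets connected.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "shared hub"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"   # step 8: VPC CIDRs propagate into the TGW table
  auto_accept_shared_attachments  = "disable"
}

# Step 2: terminate the Site-to-Site VPN on the TGW instead of a VGW.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = var.onprem_cgw_ip
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
  static_routes_only  = true
}

# Step 3: share the TGW with account B through AWS RAM.
resource "aws_ram_resource_share" "tgw" {
  name                      = "tgw-hub"
  allow_external_principals = true   # only needed when A and B are not in the same AWS Organization
}
resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
resource "aws_ram_principal_association" "b" {
  principal          = var.account_b_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
resource "aws_ram_resource_share_accepter" "b" {     # account B accepts the invitation
  provider  = aws.b
  share_arn = aws_ram_principal_association.b.resource_share_arn
}

# Step 4: attach both VPCs. B's attachment is requested from B and accepted in A;
# association/propagation for a cross-account attachment are set on the accepter.
resource "aws_ec2_transit_gateway_vpc_attachment" "a" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.vpc_a.id
  subnet_ids         = var.vpc_a.subnets
}
resource "aws_ec2_transit_gateway_vpc_attachment" "b" {
  provider                                        = aws.b
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.vpc_b.id
  subnet_ids                                      = var.vpc_b.subnets
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  depends_on                                      = [aws_ram_resource_share_accepter.b]
}
resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "b" {
  transit_gateway_attachment_id                   = aws_ec2_transit_gateway_vpc_attachment.b.id
  transit_gateway_default_route_table_association = true
  transit_gateway_default_route_table_propagation = true   # step 8 for B's attachment
}

# Step 5: the TGW route table sends the on-prem CIDR to the VPN attachment.
resource "aws_ec2_transit_gateway_route" "onprem" {
  destination_cidr_block         = var.onprem_cidr
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.hub.association_default_route_table_id
}

# Step 6: each VPC route table sends the on-prem CIDR to the TGW
# (in account A this replaces the old "on-prem CIDR -> VGW" route).
resource "aws_route" "a_onprem" {
  route_table_id         = var.vpc_a.rtb
  destination_cidr_block = var.onprem_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}
resource "aws_route" "b_onprem" {
  provider               = aws.b
  route_table_id         = var.vpc_b.rtb
  destination_cidr_block = var.onprem_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment_accepter.b]
}
```

Two things the configuration deliberately leaves to the operator. Step 7 is not routing: the security groups (and any network ACLs) on the instances in both VPCs still have to allow traffic from the on-prem CIDR. And routing only covers the AWS side: because the VPN uses static routes, the on-prem VPN device must be given a return route for account B's VPC CIDR pointing into the tunnel, or packets from B will arrive on-prem and the replies will never come back. The RAM share only lets account B request attachments; with `auto_accept_shared_attachments` disabled, account A approves each one, so the owner of the VPN keeps control over which VPCs can reach the on-prem network.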