Use the solution
This section provides a user guide for the solution’s web UI and instructions for using and customizing route tables.
Use the web UI
Important
If you don’t deploy the UI, you can’t approve or reject a network change. All the network changes will be auto-approved. You can use the compliance rules to auto-approve and auto-reject network changes.
Sign in to the web UI
After the hub stack is successfully deployed, you receive two emails containing a link to the web UI and sign-in credentials. By default, the solution creates one Amazon Cognito adminuser (in the admin group) and one Amazon Cognito readonlyuser (in the read-only group). For more information, refer to Managing and searching for user accounts in the Amazon Cognito Developer Guide.
Note
If you configured an external SAML-based identity provider in step 3 (SAML Provider Name parameter), instead of signing in with sign-in credentials, you can choose the button that redirects to your identity provider’s sign-in page. On the first sign-in, the solution automatically adds every user to the ReadOnlyUserGroup and thereby grants them read access to the web UI. After a user signs in with read access, you can assign them to the AdminGroup with Amazon Cognito if needed. For more information, see Adding groups to a user pool in the Amazon Cognito Developer Guide.
Follow the step-by-step instructions in this section to sign in to the web UI.
- Choose the link to open the web UI.
- Enter the provided user credentials to sign in. You must change the system-generated password the first time that you sign in.
Note
The temporary account expires if you don’t sign in within seven days. Your new password must be at least ten characters long.
Manage network activities
You can use the web UI to view network changes on the dashboard; to view, approve, or reject network requests under action items when manual approval is required; and to view the history of all changes made within the solution.
Note
Information and history for a VPC are set to expire based on the time you specify in the hub template at stack launch. The default time is 90 days. Expired requests are automatically deleted from DynamoDB within 48 hours and are not shown in the web UI after deletion.
Access the dashboard
The Dashboard tab displays fields containing information about network changes stored in DynamoDB such as VPC ID, VPC CIDR, Status, Association Route Table, Propagation Route Tables, Spoke Account, Subnet ID, Availability Zone, and other relevant information. You can sort by these fields. You can also view the Status of each network change, including whether it was approved, rejected, auto-approved, or auto-rejected.
Access action items
The Action Items tab displays the requests that require manual approval. If you chose to automatically approve requests, this tab will be empty. For manual approvals, each request contains the same fields as those in the Dashboard tab. Requests can have one of the following statuses: requested, processing, or failed. The reason for the failure is displayed in the comment column.
Approve or reject requests
When you enable manual approval for requests, the administrator approves or rejects the request using the web UI. Only users in the admin group can approve or reject requests. Users in the read-only group can only view requests. When an administrator approves or rejects the request, the status is set to processing.
When a request is processing, users can’t take further action from the web UI. The web UI calls a Lambda function, which initiates the solution state machine to process the request. After the process completes, the state machine updates the request status, and the web UI reflects the new status.
View history of a request
To view the history of a request, select the request from either the Dashboard or Action Items tab and then choose View History.