Manual approval
You can choose to manually approve network requests from spoke accounts, instead of automated approval. This section provides detail about this workflow.
Important
If you don’t deploy the UI, you can’t approve or reject a network change. All the network changes will be auto-approved. You can use the compliance rules to automatically approve and reject network changes.
Architecture diagram of AWS resources deployed to support manual approval of network requests.
- If you set the ApprovalRequired tag key to Yes or Conditional in the Transit gateway route table parameter, the state machine skips changes depending on the rules set under the Conditional setting. To set up this flag, refer to Transit Gateway route table tags.
- The administrator signs in to the web UI, and the Amazon Cognito user pool authenticates each user. CloudFront delivers the web UI content from an S3 bucket.
- The S3 bucket hosts the web UI.
- The web UI gets a token from Amazon Cognito and sends a request to AWS AppSync. AWS WAF protects the APIs from security events. This solution configures a set of rules called a web ACL. The web ACL allows, blocks, or counts web requests based on configurable, user-defined web security rules and conditions.
- AWS AppSync provides the solution’s API layer using GraphQL.
- Amazon Cognito authenticates the token in the header of the API requests.
- An AWS AppSync resolver updates the DynamoDB table with the processing status.
- An AWS AppSync resolver invokes a Lambda function that validates the event.
- A Lambda function starts a new state machine execution.
- The state machine workflow attaches a VPC to the transit gateway.
- The state machine workflow updates the VPC route table associated with the tagged subnet.
- The state machine workflow updates the transit gateway route table with association and propagation changes.
  Note
  This workflow only updates the transit gateway route table defined in the VPC tags.
- (Optional) The state machine workflow updates the attachment name with the VPC name and the Organizational Unit (OU) name for the spoke account (retrieved from the Org Management account).
  Note
  This occurs only if you provide your Organizations ARN for the Account List or AWS Organizations ARN template parameter. For more information, see Step 3: Launch the hub stack.
- The solution updates the DynamoDB table with the information extracted from the event and the resources created, updated, or deleted in the workflow. The changes in DynamoDB are automatically reflected in the web UI dashboard. Administrators and users can sign in to the web UI to review the history of all changes that occurred in the network.