-
Under Description, enter a descriptive name for the resource share in the Name field.
-
Under Resources - optional, select Transit Gateways from the Select resource type menu and select the transit gateway resource to share.
The transit gateway ID appears in the Selected resources field.
-
Under Principals - optional, ensure that Allow external accounts is selected, enter the MuleSoft AWS account ID that appears on the Add Transit Gateway page in Anypoint Platform, and click Add.
The AWS account number appears in the Selected principals field.
-
Under Tags, add a tag if you want.
-
Click Create resource share.
-
Copy the ID and Owner values for the resource share you just created.
-
Click Next.
Creating Transit Gateway Attachments
When you attach a transit gateway to a private space, CloudHub 2.0 creates a transit gateway attachment to represent the connection on Amazon Web Services (AWS). You can attach the same transit gateway to on-premises VPCs in your own AWS account to enable communication between private spaces and VPCs. Multiple private spaces can connect to an internal VPC. You can reuse a transit gateway attachment by connecting another private space to it and accepting the attachment. You don’t need to create the resource share again.
Before You Begin
-
Before creating a transit gateway attachment, create the private network.
-
Ensure the private space belongs to the same region in which you are creating the transit gateway attachment. Inter-region peering is not supported. For example, you cannot attach transit gateway attachment from region A to a private space belonging to region B.
Update your infrastructure (such as firewalls, routes, and connections) before creating transit gateway attachments. When a transit gateway is pending acceptance, all infrastructure updates are delayed until you accept the attachment. |
Connect to a Transit Gateway
For information about limitations when attaching a VPC to a transit gateway, see Transit gateway attachments to a VPC in the AWS documentation.
To connect to a transit gateway:
-
From Anypoint Platform, select Runtime Manager > Private Spaces.
-
Click the name of the private space to manage.
-
On the Network tab, in the Connections section, Create Connection.
-
On the Create Connection page, select Transit Gateway.
If CloudHub 2.0 finds any existing transit gateways in the organization, you can select a transit gateway or click Add a new transit gateway and then enter the name in the Connection Name field.
Use the same name for your transit gateway in AWS. You can change this name later.
Connection names can contain up to 60 alphanumeric characters (a-z, A-Z, 0-9), spaces, and hyphens (-). Runtime Manager supports Unicode characters in connection names.
-
Click Next.
Depending on whether you selected an existing transit gateway or are adding a new one, the Add Transit Gateway page lists the steps to create a resource share in AWS:
-
Create a resource share. (new gateway only)
-
Verify the resource share. (new gateway only)
Configure Routes
In Static Routes, enter the IP prefixes of the external networks to connect through the transit gateway, and then click Next.
The routes should match VPC CIDR range so traffic can flow between the private VPC in AWS and the private space in CloudHub 2.0.
After you attach the transit gateway, the private space includes the routes you specify here.
To display the existing routes for the network, click Show Existing Routes for this Network.
You can add or remove routes later. For information, see Add or Remove a Route from the Route Table.
Create a Resource Share
-
In another browser window, sign in to your AWS corporate account.
-
In Anypoint Platform, click the Create Resource Share link on the Add Transit Gateway page.
The link opens the AWS RAM console to the page for creating a resource share in the region you specified for your private space.
-
Take the following actions on the AWS Create resource share page:
Verify the Resource Share
-
On the Anypoint Platform Add Transit Gateway page, paste the values you copied from AWS in the ID and Owner fields:
-
The resource share ID field contains alphanumeric characters (a-z, A-Z, 0-9) and hyphens (-).
-
The resource share Owner field contains only numbers.
-
-
Click Next.
CloudHub 2.0 uses the resource share owner and ID you provide to attach the associated transit gateway on AWS to the private space.
When the attachment succeeds, you see the Attachment Created
message and
you return to the Add Transit Gateway page.
Accept the Attachment
-
On the Add Transit Gateway page, click the Transit Gateway Attachments link.
The link opens the AWS RAM console to the page for accepting the transit gateway attachments in the region you specified.
-
On the Transit Gateway Attachments page, select the attachment that shows pending acceptance in the State column.
The attachment might take a few minutes to appear.
To verify that the attachment is correct, select the transit gateway attachment ID and, on the Details tab, ensure that the Resource owner account ID is the MuleSoft AWS account ID from the Add Transit Gateway page.
-
From the Actions menu, select Accept.
-
When the attachment state changes to available, return to the Add Transit Gateway page and click Done.
You return to the Network tab for the private space. The Connections section shows the transit gateway ID and owner from AWS and indicates that the transit gateway state is Available and the attachment state is Attached to Private Network:
If the VPC attachment state is Not Attached to VPC, the transit gateway is not attached. Click Accept the attachment link and follow the steps again.
-
Test the connection from your private space to the transit gateway.
Configure Transit Gateway Routing
CloudHub 2.0 supports static routing for transit gateways.
Configure the network routes (subnets) that you want to be accessible through the transit gateway:
-
On Anypoint Platform, configure routes for outbound traffic from the private space to an external destination.
-
On AWS, enable inbound traffic through your transit gateway.
Configure Routes for Outbound Traffic from the Private Space
After the Attached to Private Network message appears, the private spaces adds the routes that you specified so that apps deployed to the private space can access the transit gateway.
To add routes to the transit gateway route table, see Add or Remove a Route from the Route Table.
Test the Connection to Your Private Space
After you connect to a transit gateway, test the connectivity from CloudHub 2.0 to your networks. To test the connection, use the Network Tools application.
For download and usage information about the Network Tools application, see How To Use Network Tools Application (KB article).
Maintain the Transit Gateway
After you test the connection to your private space, periodically check the connection to your transit gateway.
If your private space loses access to the transit gateway, the state of the transit gateway changes to unknown
or deleted
. If the transit gateway remains in the unknown
or deleted
state for 14 days, Anypoint Platform might remove the private space attachments from the transit gateway. However, the transit gateway itself is not removed.
Your private space loses access to a transit gateway when:
-
The transit gateway is deleted from CloudHub 2.0.
-
The transit gateway is deleted from the AWS console.
-
A resource share is deleted.
-
The MuleSoft account principal is deleted from the resource share.
To remove or delete the transit gateway from CloudHub 2.0, complete the steps in [remove-tgw] or Delete a Transit Gateway before deleting the transit gateway, transit gateway attachment, or resource share from the AWS console. Removing connections from the AWS console without removing them from CloudHub 2.0 disrupts the connection but does not remove it.
Troubleshoot States for the Transit Gateway or Transit Gateway Attachment
When the transit gateway connection is disrupted, the state of the transit gateway or transit gateway attachment changes to unknown
, rejected
, or deleted
. Depending on the cause of the state change, you can fix the state of the transit gateway or transit gateway attachment by deleting and recreating or detaching and reattaching them.
Resolve Transit Gateway States
The unknown
state for a transit gateway state occurs when:
-
The transit gateway or resource share is deleted.
To fix this state, delete the transit gateway from CloudHub 2.0 using the steps in Delete a Transit Gateway.
-
The MuleSoft account principal is deleted.
To fix this state, add the principal in the resource share.
The deleted
state occurs when the transit gateway is deleted from the AWS console but not CloudHub 2.0. To fix this state, delete the transit gateway from CloudHub 2.0 using the steps in Delete a Transit Gateway, then create a new transit gateway.
Resolve Transit Gateway Attachment States
The deleted
state for a transit gateway attachment occurs when the transit gateway attachment is deleted from the AWS console but not CloudHub 2.0. To fix this state, detach the transit gateway attachment from the private space using the steps in Detach a Transit Gateway from the Private Space, then reattach the transit gateway attachment.
The rejected
state for a transit gateway attachment occurs when the transit gateway attachment is rejected. To fix this state, detach the transit gateway attachment from the private space using the steps in Detach a Transit Gateway from the Private Space, then reattach the transit gateway attachment.
Rename a Transit Gateway Attachment
You might want to rename a transit gateway attachment to match the attachment name in AWS.
To rename a transit gateway attachment:
-
From Anypoint Platform, select Runtime Manager > Private Spaces.
-
Click the name of the private space to manage.
-
On the Network tab, in the Connections section, click the transit gateway menu (…) and select Rename:
-
Enter the new name and click Save.
Detach a Transit Gateway from the Private Space
You might want to detach a transit gateway attachment for the following reasons:
-
If you reject an attachment in AWS, the transit gateway attachment appears as
Rejected
in Anypoint Platform. In this case, you must remove the attachment before trying to attach it again. -
If an attachment is deleted on AWS, you can remove the attachment from Anypoint Platform.
Removing a transit gateway attachment also deletes any associate routes. The resource share on AWS remains unaffected so you can readd the transit gateway without creating a new one. However, detaching a transit gateway from a private space also deletes the attachment in AWS.
The transit gateway appears under Add a transit gateway if you only detach it and do not delete it from your organization. Any apps deployed to the private space continue to run, but they are no longer connected to your Amazon VPCs and VPNs.
To detach the transit gateway:
-
From Anypoint Platform, select Runtime Manager > Private Spaces.
-
Click the name of the private space to manage.
-
On the Network tab, in the Connections section, click the transit gateway menu (…) and select Detach:
-
At the confirmation prompt, click Detach.
Detaching a transit gateway might take several minutes.
Delete a Transit Gateway
To completely remove the transit gateway from your Anypoint Platform organization,
use the delete transit gateway API call (DELETE <>/organizations/:orgId/transitgateways/:tgw-id
) and delete the resources share on AWS.
For information, see Deleting a resource share in the AWS documentation.