Create a transit gateway-attached firewall from a shared transit gateway - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create a transit gateway-attached firewall from a shared transit gateway

The process to create a transit gateway-attached firewall involves multiple Amazon services, including Amazon Network Firewall, Amazon Transit Gateway, and Amazon RAM. In scenarios where the Transit Gateway owner and Network Firewall owner are different Amazon accounts, the Network Firewall account owner depends on the Transit Gateway owner to share a transit gateway with them.

Note

This guide focuses on the Network Firewall portions of the larger cross-service process and assumes you are an Amazon Network Firewall account owner who has a transit gateway shared with them. For information on creating a transit gateway-attached firewall without needing to share between different Amazon accounts, see Creating a firewall in Amazon Network Firewall.

The following procedure is an overview of all the service-specific processes needed to create a transit gateway-attached firewall. For more detailed instructions specific to Transit Gateway and Amazon RAM, see the related service documentation linked in each respective step.

  1. The transit gateway owner shares their transit gateway through Amazon RAM with the firewall owner's account. For more information, see Shareable Amazon resources in the Amazon RAM User Guide.

  2. The firewall owner accepts the Amazon RAM share invitation for the transit gateway. For more information, see Access shared resources in the Amazon RAM User Guide.

  3. The firewall owner creates a firewall using the shared transit gateway, which creates a pending transit gateway attachment. For detailed steps, see Accept a shared transit gateway to create a transit gateway-attached firewall.

    Note

    This step in the process is covered in this guide.

  4. The transit gateway owner accepts the transit gateway attachment (unless auto-accept attachments is enabled on their transit gateway). For more information, see Accept a shared attachment using Amazon VPC Transit Gateways in the Amazon VPC Developer Guide.
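The firewall owner's side of this sequence (steps 2 and 3 above), written as an added example that is not code from the Network Firewall documentation. It drives boto3-style clients passed in as arguments so it runs offline against the constructed stand-ins at the bottom; the client method and response field names are assumptions about the RAM and Network Firewall SDK APIs and should be verified against your SDK version.

```python
# Added example, not code from the Network Firewall documentation. Assumed API
# names (verify against your SDK): ram get_resource_share_invitations /
# accept_resource_share_invitation, network-firewall create_firewall with
# TransitGatewayId, and describe_firewall returning
# FirewallStatus.TransitGatewayAttachmentSyncState.
PENDING = "PENDING_ACCEPTANCE"  # attachment state until the TGW owner accepts

def accept_tgw_share(ram, tgw_owner_account):
    """Step 2: accept the RAM invitation, but only one sent by the expected
    transit gateway owner; a pending share from any other account is ignored."""
    for inv in ram.get_resource_share_invitations()["resourceShareInvitations"]:
        if inv["status"] == "PENDING" and inv["senderAccountId"] == tgw_owner_account:
            ram.accept_resource_share_invitation(
                resourceShareInvitationArn=inv["resourceShareInvitationArn"])
            return inv["resourceShareArn"]
    raise RuntimeError("no pending share invitation from " + tgw_owner_account)

def create_tgw_firewall(nfw, name, policy_arn, tgw_id, azs):
    """Step 3: create the firewall on the shared transit gateway and return the
    attachment state, which stays pending until the TGW owner accepts it."""
    nfw.create_firewall(FirewallName=name, FirewallPolicyArn=policy_arn,
                        TransitGatewayId=tgw_id,
                        AvailabilityZoneMappings=[{"AvailabilityZone": a} for a in azs])
    status = nfw.describe_firewall(FirewallName=name)["FirewallStatus"]
    return status["TransitGatewayAttachmentSyncState"]["TransitGatewayAttachmentStatus"]

class FakeRam:  # constructed stand-in: one share from the owner, one from a stranger
    invites = [{"resourceShareInvitationArn": "arn:example:inv/1", "status": "PENDING",
                "resourceShareArn": "arn:example:share/tgw", "senderAccountId": "111111111111"},
               {"resourceShareInvitationArn": "arn:example:inv/2", "status": "PENDING",
                "resourceShareArn": "arn:example:share/other", "senderAccountId": "222222222222"}]
    def __init__(self):
        self.accepted = []
    def get_resource_share_invitations(self):
        return {"resourceShareInvitations": self.invites}
    def accept_resource_share_invitation(self, resourceShareInvitationArn):
        self.accepted.append(resourceShareInvitationArn)

class FakeNfw:  # constructed stand-in: every new firewall comes back pending acceptance
    def create_firewall(self, **kwargs):
        self.created = kwargs
    def describe_firewall(self, FirewallName):
        return {"FirewallStatus": {"Status": "PROVISIONING",
                "TransitGatewayAttachmentSyncState": {"TransitGatewayAttachmentStatus": PENDING}}}
```

To exercise it against the stand-ins, call `accept_tgw_share(FakeRam(), "111111111111")` and then `create_tgw_firewall(FakeNfw(), "tgw-fw", "arn:example:policy", "tgw-0example", ["cn-north-1a"])`, which returns the pending attachment state the transit gateway owner must act on in step 4.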

Accept a shared transit gateway to create a transit gateway-attached firewall

Prerequisites

Verify that the Transit Gateway account owner has already created a transit gateway and shared it with your account using Amazon RAM.

For information on other things to consider before you create a transit gateway-attached firewall, see Considerations for transit gateway-attached firewalls.

To accept a shared transit gateway in Network Firewall
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, under Network Firewall, choose Firewalls.

  3. From the Actions menu, choose Accept the transit gateway attachment.

  4. Review the following details in the dialog box:

    • The firewall name

    • Status (whether it has been accepted by this account)

    • Account ID of the firewall owner

    • Transit Gateway ID

  5. Choose Accept.

  6. Review the firewall configuration details, then choose Create firewall.

After you accept a shared transit gateway attachment

The steps in this guide are only part of a larger process that involves Amazon Network Firewall, Amazon Transit Gateway, and Amazon RAM. When you complete the previous steps within the Network Firewall console, the transit gateway-attached firewall enters a Pending state. You can proceed to Working with transit gateway-attached firewalls to begin configuring your transit gateway-attached firewall while you wait for the transit gateway owner to accept or reject it.