How do I share my transit gateway with another account or within an AWS Organization?

Short description

When sharing a transit gateway with another account, note:

• Transit Gateway is a Regional service. Make sure you perform all steps in the same Region as the transit gateway. You can’t share a transit gateway across regions.
• AWS Resource Access Manager (AWS RAM) is a Regional service. The principals that you share with can access resource shares in only the AWS Regions that they were created in.
• When a transit gateway is shared with Organizations and the account with the Transit Gateway attachment leaves the Organization, then the transit gateway attachment remains functional. The transit gateway owner and the shared account owner have permission to delete the transit gateway attachment.

Resolution

Share your Transit Gateway with AWS RAM

1. Open the AWS RAM console.
2. Enable resource sharing within AWS Organizations). (Required if the transit gateway is shared within AWS Organizations)
3. Choose Create a resource share.
4. Enter a Name for your resource share.
5. For Select resource type, choose Transit Gateways. Then, select the transit gateway that you want to share.
6. (Optional) Under Tags, enter a tag key and tag value pair for each tag. These tags are applied to the resource share but not to the transit gateway.
7. Choose Next.
8. For Transit gateway resource share, only one permission is available. Review the actions that principals are allowed to perform on the shared transit gateway. Then, choose Next.
9. To share this transit gateway with accounts outside of your Organization, choose Allow sharing with anyone.
   -or-
   If the transit gateway can be shared only within your Organization, choose Allow sharing only within your organization.
10. Select the principals, and then enter the account ID or Organization ID you want to share the transit gateway with.
11. Choose Add to add the principals. Then, choose Next.
12. Review the information, and then choose Create resource share.

Accept the Transit Gateway resource share with AWS RAM

Perform the following steps in the account that you shared your transit gateway with:

1. Open the AWS RAM console.
2. On the navigation pane, choose Shared with me. Then, choose Resource shares.
3. Select the shared resources that you shared in the previous section.
4. Choose Accept resource share.
5. To view the shared transit gateway, open the Transit Gateways page in the Amazon Virtual Private Cloud (Amazon VPC) console.

Create a Transit Gateway attachment in the account you're sharing with

Create a Transit Gateway attachment in the Transit Gateway account that you want to share your transit gateway with. The type of attachment you create depends on your use-case.

After creation, confirm that the Transit Gateway attachment is in a Pending Acceptance state.

Accept the attachment in the Transit Gateway owner account

Perform the following steps in your Transit Gateway owner account to accept the attachment that you created in the previous section. If you don’t have auto accept shared attachments turned on, use these steps to manually accept the attachment. To turn on auto accepting, see the Automatically accept shared attachment section.

1. Open the Amazon VPC console.
2. On the navigation pane, choose Transit Gateway Attachments.
3. Select the transit gateway attachment that is pending acceptance and that you created in the previous section.
4. Choose Actions. Then, choose Accept transit gateway attachment.

(Optional) Automatically accept the shared attachment

To accept the shared attachment without manually accepting it, turn on automatic acceptance in your Transit Gateway owner account:

1. Open the Amazon VPC console.
2. On the navigation pane, choose Transit Gateways.
3. Choose the transit gateway to modify.
4. Choose Actions. Then, choose Modify transit gateway.
5. Under Configure cross-account sharing options, select Auto accept shared attachments.