StackZone Feature: STNO
Serverless Transit Network Orchestrator
Ryan Ware
Last Update 5 months ago
This article covers how to use StackZone to implement the Serverless Transit Network Orchestrator (STNO), an AWS solution that automates the process of implementing and managing transit networks across your multi-account AWS Organization.
This feature has been set up to work cross-account and cross-region, with the "hub" based in the Core Networking Account in your StackZone OU.
This solution from AWS creates a web user interface to help you control, audit and visualize your networking resources. To understand how to use this feature in greater detail, please visit the official Amazon Documentation for this Feature.
How to enable StackZone STNO
In order to enable the StackZone STNO solution, a few prerequisite features need to be enabled for it to build properly. If none of them are enabled yet, all of them can be enabled at the same time in one deployment.
Since this feature depends on the Global Network, you first need to check the region availability here, to check whether this is supported in your regions.
Then, head to the Core Accounts > Networking page in the Provisioning Module and ensure that the Global Network is enabled; it can be enabled by toggling the Global Network card here:
Next, we need to head to the Serverless Transit Gateway card which is also in the Networking page in Core Accounts.
Below are example settings for configuring STNO in the StackZone Console.
For additional information about these fields:
- Approval Notifications: If "on", you will need to manually approve all requests in the WebUI. If left "off" (default), changes do not need any approval and are applied automatically.
- Approval Notification Email Addresses: The Email Address to receive these notifications
- Cognito Domain: This is the Cognito domain required for the login email address below to work, as the backend of the WebUI solution uses Amazon Cognito. It is recommended to use your email domain as the name here, matching the email address below. E.g.: if your domain is "stackzone.com" you can use "stackzone" in this field.
- Console Login Email: This is the email address to which the solution will send login information once the stacks have been successfully deployed.
- Transit Network Spoke: This will need to be enabled if you want the "spoke" stacks deployed to all StackZone managed AWS Accounts and in all StackZone enabled regions.
- Event Bridge Name: The name of the EventBridge resource that is created. You can leave this at the default name "STNO-EventBridge" or change it if desired.
Tag your network resources
To ensure the solution makes the correct associations, you must tag your VPCs and subnets when creating or updating transit gateway attachments: tag the VPC for VPC attachments, or the transit gateway for peering attachments. The tag keys and values, where applicable, identify the transit gateway route tables the solution uses to establish associations and enable propagations.
We suggest referring to the official AWS documentation provided here for a clearer understanding of the steps and to obtain the necessary key-value tags.
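Because STNO acts on whatever tags it finds, a quick pre-flight check of the tag set before an attachment request is submitted catches typos and half-tagged VPCs before they turn into rejected or silently mis-routed attachments. The following validator is an added example (not StackZone's or the solution's own code) run over constructed VPC and subnet records; the tag keys `Associate-with`, `Propagate-to` and `Attach-to-tgw` are assumed from the STNO documentation and the route table names are constructed, so verify both against the official AWS documentation linked above.

```python
"""Pre-flight check of STNO tags on VPCs and subnets (constructed sample data).

Assumed tag scheme (verify against the STNO documentation):
  VPC    : "Associate-with" = one TGW route table name
           "Propagate-to"   = comma-separated TGW route table names
  Subnet : "Attach-to-tgw"  = present (any value) on subnets the attachment uses
"""

# Constructed names of the transit gateway route tables in this deployment.
ROUTE_TABLES = {"Infrastructure", "Flat", "Isolated"}

# Constructed records in the shape of EC2 DescribeVpcs / DescribeSubnets output.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa", "Tags": [{"Key": "Associate-with", "Value": "Infrastructure"},
                                   {"Key": "Propagate-to", "Value": "Flat, Isolated"}]},
    {"VpcId": "vpc-0bbb", "Tags": [{"Key": "Associate-with", "Value": "Shared"}]},
    {"VpcId": "vpc-0ccc", "Tags": []},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-01", "VpcId": "vpc-0aaa", "Tags": [{"Key": "Attach-to-tgw", "Value": ""}]},
    {"SubnetId": "subnet-02", "VpcId": "vpc-0ccc", "Tags": [{"Key": "Attach-to-tgw", "Value": "true"}]},
]


def tags_to_dict(tags):
    """Flatten the EC2 list-of-{Key,Value} tag format into a plain dict."""
    return {t["Key"]: t["Value"] for t in tags}


def validate_stno_tags(vpcs, subnets, route_tables=ROUTE_TABLES):
    """Return a list of (vpc_id, problem) findings; an empty list means the tags are consistent."""
    findings = []
    subnets_by_vpc = {}
    for s in subnets:
        subnets_by_vpc.setdefault(s["VpcId"], []).append(s)
    for vpc in vpcs:
        vid, tags = vpc["VpcId"], tags_to_dict(vpc.get("Tags", []))
        assoc, prop = tags.get("Associate-with"), tags.get("Propagate-to")
        attach = [s["SubnetId"] for s in subnets_by_vpc.get(vid, [])
                  if "Attach-to-tgw" in tags_to_dict(s.get("Tags", []))]
        if assoc is None and prop is None:
            if attach:  # subnet asks for an attachment but the VPC says nothing about routing
                findings.append((vid, "subnets tagged Attach-to-tgw but VPC has no Associate-with/Propagate-to"))
            continue
        if not attach:  # VPC asks for routing but no subnet is offered for the attachment
            findings.append((vid, "VPC tagged for TGW but no subnet carries Attach-to-tgw"))
        if assoc is not None and assoc not in route_tables:
            findings.append((vid, f"Associate-with references unknown route table '{assoc}'"))
        for name in (n.strip() for n in (prop or "").split(",") if n.strip()):
            if name not in route_tables:
                findings.append((vid, f"Propagate-to references unknown route table '{name}'"))
    return findings


if __name__ == "__main__":
    for vpc_id, problem in validate_stno_tags(SAMPLE_VPCS, SAMPLE_SUBNETS):
        print(f"{vpc_id}: {problem}")
```

In a live account the two sample lists would be replaced with the `Vpcs` and `Subnets` results of the EC2 describe calls for each spoke account and region.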
How to access the WebUI
After the hub stack is successfully deployed, you receive two emails containing a link to the web UI and sign-in credentials. By default, the solution creates one Amazon Cognito admin user (in the admin group) and one Amazon Cognito read-only user (in the read-only group).
Enter the provided user credentials to sign in. You must change the system-generated password the first time that you sign in.
Note: The temporary account expires if you don’t sign in within seven days. Your new password must be at least ten characters long.
You can use the web UI to access the dashboard to view network changes, access action items to view, approve or reject network requests when manual approval is required, and view the history of all changes made within the solution.
For more information on this WebUI refer to the official Amazon Documentation for this solution.