Automate VPN connection and its TGW attachment

Jackie Chen
Jackie Chen’s IT Workshop
1 min read · Jul 12, 2022


If you use the CloudFormation resource AWS::EC2::VPNConnection to create a Site-to-Site VPN connection and attach it to a Transit Gateway (TGW), you may notice that the resource returns only the VPN connection ID, not the TGW attachment ID. That is annoying when you want to tag the attachment or associate it with a non-default TGW route table, because AWS::EC2::TransitGatewayRouteTableAssociation needs the attachment ID as an input.

I am currently working on a project that needs to:

  • Create two Site-to-Site VPN connections and attach them to the TGW: one for the primary PoP, the other for the failover PoP.
  • Automate the failover between these two PoPs.

In this post I will share how I automate the VPN connection creation and TGW attachment (with proper tagging and route table association). In a later post I will share how I automate the failover.

The idea is quite simple:

  1. Create the customer gateway.
  2. Create the VPN connection, which also creates the TGW attachment.
  3. Pass the VPN connection ID to a Lambda-backed custom resource that looks up the TGW attachment ID and tags the attachment.
  4. Use the returned TGW attachment ID to create the TGW route table association.
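Step 3 is where the work happens, so here is a worked version of that custom-resource Lambda. This is an added example, not the code from the post's repository: it assumes a hypothetical `Custom::VpnTgwAttachment` resource whose properties carry `VpnConnectionId` and an optional CloudFormation-style `Tags` list, and the `StubEC2` class at the bottom is a constructed stand-in for the boto3 EC2 client so the module runs offline. The lookup filters `DescribeTransitGatewayAttachments` on `resource-type=vpn` and `resource-id=<vpn id>`, refuses to guess if more than one live attachment matches, and always sends a response to CloudFormation so a failure surfaces immediately instead of hanging the stack until the custom-resource timeout.

```python
"""Lambda custom resource: resolve the TGW attachment for a Site-to-Site VPN
connection, tag it, and return its ID to CloudFormation.
Added example, not the post's own code. The resource properties
(VpnConnectionId, Tags) and StubEC2 are assumptions for this illustration."""
import json
import urllib.request


def find_vpn_attachment(ec2, vpn_connection_id):
    """Return the TGW attachment ID for a VPN connection, or None if EC2 does not
    show one yet. Raises if more than one live attachment matches: tagging or
    associating the wrong attachment would silently misroute traffic."""
    resp = ec2.describe_transit_gateway_attachments(Filters=[
        {"Name": "resource-type", "Values": ["vpn"]},
        {"Name": "resource-id", "Values": [vpn_connection_id]},
    ])
    live = [a for a in resp.get("TransitGatewayAttachments", [])
            if a.get("State") not in ("deleting", "deleted", "failed")]
    if not live:
        return None
    if len(live) > 1:
        raise RuntimeError(f"{vpn_connection_id}: {len(live)} live TGW attachments, expected 1")
    return live[0]["TransitGatewayAttachmentId"]


def tag_attachment(ec2, attachment_id, tags):
    """Apply a CloudFormation-style [{'Key': .., 'Value': ..}] list to the attachment."""
    if tags:
        ec2.create_tags(Resources=[attachment_id], Tags=tags)


def send_response(event, context, status, data, physical_id, reason=None):
    """PUT the result to the pre-signed URL in the event. Every code path must reach
    this; otherwise CloudFormation waits about an hour before timing the resource out."""
    body = json.dumps({
        "Status": status,
        "Reason": reason or f"See CloudWatch log stream {context.log_stream_name}",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data,
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(body))})
    urllib.request.urlopen(req).read()


def handler(event, context, ec2=None, send=send_response):
    """Lambda entry point. `ec2` and `send` are injectable so the logic can be
    exercised without AWS credentials or a real CloudFormation response URL."""
    props = event.get("ResourceProperties", {})
    vpn_id = props.get("VpnConnectionId", "")
    physical_id = event.get("PhysicalResourceId") or f"unresolved:{vpn_id}"
    if event.get("RequestType") == "Delete":
        # The attachment disappears with the VPN connection; nothing to clean up.
        send(event, context, "SUCCESS", {}, physical_id)
        return "SUCCESS"
    try:
        if ec2 is None:
            import boto3  # present in the Lambda runtime; imported lazily so the module loads offline
            ec2 = boto3.client("ec2")
        if not vpn_id.startswith("vpn-"):
            raise ValueError(f"VpnConnectionId {vpn_id!r} is not a VPN connection ID")
        attachment_id = find_vpn_attachment(ec2, vpn_id)
        if attachment_id is None:
            raise RuntimeError(f"no TGW attachment found for {vpn_id} yet")
        tag_attachment(ec2, attachment_id, props.get("Tags", []))
        # The attachment ID becomes the physical ID and a GetAtt-able attribute.
        send(event, context, "SUCCESS", {"TransitGatewayAttachmentId": attachment_id}, attachment_id)
        return "SUCCESS"
    except Exception as exc:  # report the failure instead of hanging the stack
        send(event, context, "FAILED", {}, physical_id, reason=str(exc))
        return "FAILED"


class StubEC2:
    """Constructed in-memory stand-in for boto3's EC2 client (offline demo only)."""
    def __init__(self, attachments):
        self.attachments = attachments
        self.tag_calls = []

    def describe_transit_gateway_attachments(self, Filters):
        wanted = {f["Name"]: set(f["Values"]) for f in Filters}
        return {"TransitGatewayAttachments": [
            a for a in self.attachments
            if a["ResourceType"] in wanted["resource-type"] and a["ResourceId"] in wanted["resource-id"]]}

    def create_tags(self, Resources, Tags):
        self.tag_calls.append((list(Resources), list(Tags)))


def demo(request_type="Create", vpn_id="vpn-0primary"):
    """Run the handler against the stub; returns (status, captured response, tag calls)."""
    captured = {}

    def capture(event, context, status, data, physical_id, reason=None):
        captured.update(Status=status, Data=data, PhysicalResourceId=physical_id, Reason=reason)

    stub = StubEC2([  # constructed sample data: one attachment per PoP
        {"TransitGatewayAttachmentId": "tgw-attach-0aaa", "ResourceType": "vpn",
         "ResourceId": "vpn-0primary", "State": "available"},
        {"TransitGatewayAttachmentId": "tgw-attach-0bbb", "ResourceType": "vpn",
         "ResourceId": "vpn-0failover", "State": "available"},
    ])
    event = {"RequestType": request_type, "StackId": "stack", "RequestId": "req",
             "LogicalResourceId": "PrimaryAttachment", "ResponseURL": "https://example.invalid/",
             "ResourceProperties": {"VpnConnectionId": vpn_id,
                                    "Tags": [{"Key": "Name", "Value": "vpn-primary-pop"}]}}
    status = handler(event, None, ec2=stub, send=capture)
    return status, captured, stub.tag_calls


if __name__ == "__main__":
    print(demo())
```

In the template the custom resource would carry `ServiceToken` (the function ARN), `VpnConnectionId: !Ref` of the VPN connection, and a `DependsOn` on that VPN connection; `!GetAtt <resource>.TransitGatewayAttachmentId` then feeds the `TransitGatewayAttachmentId` of the AWS::EC2::TransitGatewayRouteTableAssociation in step 4. The execution role only needs `ec2:DescribeTransitGatewayAttachments` and `ec2:CreateTags`; scope `CreateTags` to the `transit-gateway-attachment` resource type rather than `*`, since a tag-writing Lambda with broad `CreateTags` can be abused to flip tag-based authorization elsewhere in the account.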

If you are interested, the source code is in vpn-tgw-attachment.
