2x Transit VPCs in the same account?

I have built a Lab Transit VPC + Sub config and am planning to add Non-Lab Transit VPC + Subs config. I'd like to use the same account for both Transit VPCs. Has anyone tried this? I would prefer not to break the existing Transit-Lab by standing up another, hoping that someone has tried this before.

Cross posted on Git.

Ran it, created a subscriber VPC, am getting this error in the createNewPaGroup CloudWatch log. The step function shows there should be a "check stack" lambda executing immediately after but it does not get created nor does it run. The process just dies here.

An error occurred (AlreadyExistsException) when calling the CreateStack operation: Stack [PaGroup58] already exists: AlreadyExistsException
Traceback (most recent call last):
  File "/var/task/createNewPaGroupLambda.py", line 48, in lambda_handler
    response = pan_vpn_generic.createNewPaGroup(region, result['PaGroupName'],config['PaGroupTemplateUrl'],result['PaGroupName'],config['SshKeyName'],config['TransitVpcMgmtAz1SubnetId'],config['TransitVpcMgmtAz2SubnetId'],config['TransitVpcDmzAz1SubnetId'],config['TransitVpcDmzAz2SubnetId'],config['TransitVpcTrustedSecurityGroupId'],config['TransitVpcUntrustedSecurityGroupId'],config['PaGroupInstanceProfileName'],config['PaBootstrapBucketName'], str(result['N1Asn']), str(result['N2Asn']), config['TransitVpcDmzAz1SubnetGateway'], config['TransitVpcDmzAz2SubnetGateway'])
  File "/var/task/pan_vpn_generic.py", line 552, in createNewPaGroup
    OnFailure = 'ROLLBACK'
  File "/var/runtime/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 612, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.AlreadyExistsException: An error occurred (AlreadyExistsException) when calling the CreateStack operation: Stack [PaGroup58] already exists

Because the Transit VPC is based on the "account number", you will have conflicts in trying to deploy two Transit VPC solutions. CloudTrail and the CloudTrail Lambda perform a lot of actions based on account number, and I can see the PA-Groups and spokes causing a conflict. That being said, Transit VPC wasn't designed for this use case.
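The traceback above is a bare CreateStack call that raises as soon as the computed stack name ("PaGroup58") is already taken, which is also what a second Transit VPC deployment in the same account, or a leftover stack from a failed earlier run, will trigger. The following is an added example, not code from the aws-transit-vpc project: it shows (a) a hypothetical per-deployment prefix on the PA-group stack name so two deployments stop competing for the same name, and (b) a CreateStack wrapper that adopts an existing stack instead of crashing, while refusing to proceed when the existing stack is in ROLLBACK_COMPLETE (CloudFormation keeps that name occupied until the failed stack is deleted). The project's own account-number-based naming is not reproduced here. To run offline it uses a constructed in-memory fake of the boto3 CloudFormation client with the same `create_stack` / `describe_stacks` / `exceptions` names; the template URL and parameters are placeholders.

```python
import re

# Constructed stand-ins for the dynamically generated botocore classes
# (client.exceptions.AlreadyExistsException, botocore.exceptions.ClientError),
# so the example runs offline without boto3.
class AlreadyExistsException(Exception):
    pass

class ClientError(Exception):
    def __init__(self, response, operation_name):
        err = response["Error"]
        super().__init__(f"An error occurred ({err['Code']}) when calling the "
                         f"{operation_name} operation: {err['Message']}")
        self.response = response

class FakeCloudFormation:
    """Constructed in-memory fake of a boto3 CloudFormation client: only the
    two calls and the exception attribute the helper below uses."""
    class exceptions:
        AlreadyExistsException = AlreadyExistsException

    def __init__(self, account="123456789012", region="us-east-1"):
        self.stacks = {}
        self._arn = f"arn:aws:cloudformation:{region}:{account}:stack"

    def create_stack(self, **kwargs):
        name = kwargs["StackName"]
        if name in self.stacks:  # the same failure as in the traceback above
            raise AlreadyExistsException(f"Stack [{name}] already exists")
        stack_id = f"{self._arn}/{name}/fake-uuid"
        self.stacks[name] = {"StackName": name, "StackId": stack_id,
                             "StackStatus": "CREATE_IN_PROGRESS"}
        return {"StackId": stack_id}

    def describe_stacks(self, **kwargs):
        name = kwargs["StackName"]
        if name not in self.stacks:
            raise ClientError({"Error": {"Code": "ValidationError",
                               "Message": f"Stack with id {name} does not exist"}},
                              "DescribeStacks")
        return {"Stacks": [self.stacks[name]]}

# CloudFormation stack names: letters, digits and hyphens, starting with a
# letter, at most 128 characters.
_STACK_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,127}")

def pa_group_stack_name(deployment, group_number):
    """Hypothetical naming scheme (not the project's): prefix the PA-group
    stack with a per-deployment tag so two Transit VPC deployments in one
    account stop competing for the bare name 'PaGroup<N>'."""
    name = f"{deployment}-PaGroup{group_number}"
    if not _STACK_NAME.fullmatch(name):
        raise ValueError(f"invalid CloudFormation stack name: {name!r}")
    return name

def ensure_stack(cfn, name, template_url, parameters):
    """Create the stack, or adopt the existing one instead of crashing the
    step function. Returns (stack_id, created). Create-then-catch is used
    rather than describe-then-create so a concurrent run cannot slip in
    between the existence check and the create."""
    try:
        resp = cfn.create_stack(StackName=name, TemplateURL=template_url,
                                Parameters=parameters, OnFailure="ROLLBACK")
        return resp["StackId"], True
    except cfn.exceptions.AlreadyExistsException:
        pass
    stack = cfn.describe_stacks(StackName=name)["Stacks"][0]
    if stack["StackStatus"] == "ROLLBACK_COMPLETE":
        # A failed create leaves the name occupied; CloudFormation will not
        # reuse it until that stack is deleted, so make the operator decide.
        raise RuntimeError(f"stack {name} is ROLLBACK_COMPLETE from an earlier "
                           "failed create; delete it before retrying")
    return stack["StackId"], False

def demo():
    """Run the helper against the fake client and return the observations."""
    cfn = FakeCloudFormation()
    url = "https://example-bucket.s3.amazonaws.com/pa_group.template"  # placeholder
    params = [{"ParameterKey": "N1Asn", "ParameterValue": "64512"}]   # placeholder
    lab = pa_group_stack_name("lab", 58)
    prod = pa_group_stack_name("prod", 58)
    lab_id, lab_created = ensure_stack(cfn, lab, url, params)
    again_id, again_created = ensure_stack(cfn, lab, url, params)  # re-run of the same step
    prod_id, prod_created = ensure_stack(cfn, prod, url, params)
    cfn.stacks[prod]["StackStatus"] = "ROLLBACK_COMPLETE"  # simulate a failed earlier create
    try:
        ensure_stack(cfn, prod, url, params)
        rollback_error = None
    except RuntimeError as exc:
        rollback_error = str(exc)
    return {"lab": lab, "prod": prod, "lab_created": lab_created,
            "again_created": again_created, "same_id": lab_id == again_id,
            "prod_created": prod_created, "distinct": lab_id != prod_id,
            "rollback_error": rollback_error}

if __name__ == "__main__":
    print(demo())
```

Against a real client, pass `boto3.client("cloudformation")` in place of the fake; the wrapper only relies on `create_stack`, `describe_stacks` and `client.exceptions.AlreadyExistsException`, which exist on the real client under those names. Note that adopting an existing stack is only safe when that stack really is the one this deployment wanted; if two deployments share an account and a naming scheme, the prefix is what keeps "adopt" from silently attaching the wrong deployment's firewalls.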

We try to shed light on certain things in the GitHub repo. For this particular question you asked, when you go to the Transit VPC Solution Overview link below in GitHub

https://github.com/PaloAltoNetworks/aws-transit-vpc/blob/master/documentation/solution_overview.md

and search for the word "account", you will see

[Screenshot: TransitVPC.PNG]

When a solution is community supported, as the support policy on GitHub states, it's more of an initial run. It doesn't mean it will never be officially TAC supported, and as the demand grows and the feedback on functionality increases, it allows us to take that information into consideration when there is an official release. That being said, we will definitely take the option to have two Transit VPCs deployed within the same account into consideration moving forward. Thanks for the use case.
