08-22-2018 05:52 AM
I have built a Lab Transit VPC + Sub config and am planning to add a Non-Lab Transit VPC + Subs config. I'd like to use the same account for both Transit VPCs. Has anyone tried this? I would prefer not to break the existing Transit-Lab by standing up another, hoping that someone has tried this before.
Cross-posted on Git.
08-22-2018 01:35 PM
Ran it, created a subscriber VPC, am getting this error in the createNewPaGroup CloudWatch log. The step function shows there should be a "check stack" lambda executing immediately after but it does not get created nor does it run. The process just dies here.
An error occurred (AlreadyExistsException) when calling the CreateStack operation: Stack [PaGroup58] already exists: AlreadyExistsException
Traceback (most recent call last):
File "/var/task/createNewPaGroupLambda.py", line 48, in lambda_handler
response = pan_vpn_generic.createNewPaGroup(region, result['PaGroupName'],config['PaGroupTemplateUrl'],result['PaGroupName'],config['SshKeyName'],config['TransitVpcMgmtAz1SubnetId'],config['TransitVpcMgmtAz2SubnetId'],config['TransitVpcDmzAz1SubnetId'],config['TransitVpcDmzAz2SubnetId'],config['TransitVpcTrustedSecurityGroupId'],config['TransitVpcUntrustedSecurityGroupId'],config['PaGroupInstanceProfileName'],config['PaBootstrapBucketName'], str(result['N1Asn']), str(result['N2Asn']), config['TransitVpcDmzAz1SubnetGateway'], config['TransitVpcDmzAz2SubnetGateway'])
File "/var/task/pan_vpn_generic.py", line 552, in createNewPaGroup
OnFailure = 'ROLLBACK'
File "/var/runtime/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/var/runtime/botocore/client.py", line 612, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.AlreadyExistsException: An error occurred (AlreadyExistsException) when calling the CreateStack operation: Stack [PaGroup58] already exists
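The traceback above dies at CreateStack because a stack named PaGroup58 is already present in the account, and nothing in the Lambda handles that case, so the state machine stops. As an added example (not the aws-transit-vpc project's code), here is a guarded version of that call written against the same boto3 CloudFormation API: it looks the stack up first, adopts it if it is healthy, refuses to continue if an earlier create rolled back (OnFailure='ROLLBACK' leaves a ROLLBACK_COMPLETE stack that keeps the name reserved until it is deleted), and treats a lost race on CreateStack as an adopt rather than a failure. The FakeCloudFormation client and the local ClientError class are constructed stand-ins so the block runs offline; with the real client you pass boto3.client("cloudformation") and catch botocore.exceptions.ClientError, whose .response["Error"]["Code"] carries the same codes. The deployment-prefixed stack name helper is an assumption about how two Transit VPCs in one account could avoid colliding on PaGroupNN names, not something the project implements.

```python
"""Guarded CloudFormation CreateStack for a PaGroup stack.

Added example, not code from the aws-transit-vpc project. It mirrors the boto3
calls in the traceback (describe_stacks / create_stack) behind a small fake client
so it runs offline; with the real client pass boto3.client("cloudformation") and
catch botocore.exceptions.ClientError instead of the stand-in below.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed fake ARN shape; real StackIds come back from CloudFormation.
_FAKE_ARN = "arn:aws:cloudformation:us-east-1:123456789012:stack/{name}/00000000-0000-0000-0000-000000000000"


class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError with the same .response['Error']['Code'] shape."""

    def __init__(self, code: str, message: str, operation: str) -> None:
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


@dataclass
class FakeCloudFormation:
    """Constructed stand-in for the boto3 CloudFormation client, keyed by StackName."""

    stacks: Dict[str, dict] = field(default_factory=dict)

    def describe_stacks(self, StackName: str) -> dict:
        # Real API behaviour: a missing stack is a ValidationError, not an empty list.
        if StackName not in self.stacks:
            raise ClientError("ValidationError", f"Stack with id {StackName} does not exist", "DescribeStacks")
        return {"Stacks": [self.stacks[StackName]]}

    def create_stack(self, StackName: str, TemplateURL: str, Parameters: List[dict],
                     OnFailure: str = "ROLLBACK") -> dict:
        if StackName in self.stacks:
            raise ClientError("AlreadyExistsException", f"Stack [{StackName}] already exists", "CreateStack")
        stack = {"StackName": StackName, "StackId": _FAKE_ARN.format(name=StackName),
                 "StackStatus": "CREATE_IN_PROGRESS"}
        self.stacks[StackName] = stack
        return {"StackId": stack["StackId"]}


# States in which an existing stack can simply be handed to the next step ("check stack").
REUSABLE_STATES = {"CREATE_IN_PROGRESS", "CREATE_COMPLETE", "UPDATE_IN_PROGRESS", "UPDATE_COMPLETE"}


def pa_group_stack_name(deployment: str, index: int) -> str:
    """Assumed naming scheme: prefix each deployment (e.g. 'lab', 'prod') so two
    Transit VPCs in the same account never both ask for 'PaGroup58'."""
    return f"{deployment}-PaGroup{index}"


def ensure_pa_group_stack(cf, stack_name: str, template_url: str,
                          parameters: List[dict]) -> Tuple[str, bool]:
    """Create the stack or adopt an existing healthy one. Returns (StackId, created)."""
    try:
        existing = cf.describe_stacks(StackName=stack_name)["Stacks"][0]
    except ClientError as err:
        if err.response["Error"]["Code"] != "ValidationError":
            raise
        existing = None

    if existing is not None:
        if existing["StackStatus"] in REUSABLE_STATES:
            return existing["StackId"], False
        # A create that rolled back (OnFailure='ROLLBACK') leaves ROLLBACK_COMPLETE behind and
        # keeps the name reserved; CreateStack with that name fails until the stack is deleted.
        raise RuntimeError(f"stack {stack_name} is in {existing['StackStatus']}; delete it before retrying")

    try:
        resp = cf.create_stack(StackName=stack_name, TemplateURL=template_url,
                               Parameters=parameters, OnFailure="ROLLBACK")
        return resp["StackId"], True
    except ClientError as err:
        if err.response["Error"]["Code"] != "AlreadyExistsException":
            raise
        # Lost a race with a concurrent invocation (another spoke, or the other Transit VPC
        # deployment in the same account): adopt what it created instead of dying here.
        return cf.describe_stacks(StackName=stack_name)["Stacks"][0]["StackId"], False


if __name__ == "__main__":
    cf = FakeCloudFormation()
    params = [{"ParameterKey": "SshKeyName", "ParameterValue": "demo-key"}]  # constructed input
    url = "https://example.invalid/pa_group.yaml"  # constructed template URL
    print(ensure_pa_group_stack(cf, pa_group_stack_name("lab", 58), url, params))   # created
    print(ensure_pa_group_stack(cf, pa_group_stack_name("lab", 58), url, params))   # adopted
    print(ensure_pa_group_stack(cf, pa_group_stack_name("prod", 58), url, params))  # no collision
```

The first call creates the stack, the second adopts it, and a second deployment with a different prefix gets its own stack instead of the AlreadyExistsException in the log. Whatever the Lambda does after this (the "check stack" step), it should key on the returned StackId, not on the assumption that it just created the stack.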
08-24-2018 09:29 AM
Because the Transit VPC is based on the "account number", you will have conflicts in trying to deploy 2 Transit VPC solutions. CloudTrail and the CloudTrail lambda perform a lot of actions based on the account number, and I can see the PA-Groups and spokes causing a conflict. That being said, Transit VPC wasn't designed for this use case.
08-24-2018 09:39 AM - edited 08-24-2018 10:14 AM
We try to shed light on certain things in the GitHub repo. For this particular question you asked, when you go to the Transit VPC Solution Overview link below in GitHub
https://github.com/PaloAltoNetworks/aws-transit-vpc/blob/master/documentation/solution_overview.md
then search for the word "account" and you will see
When a solution is community supported, as the support policy on GitHub states, it's more of an initial run. It doesn't mean it will never be officially TAC supported, and as the demand grows and the feedback on functionality increases, it allows us to take that information into consideration when there is an official release. That being said, we will definitely take the option to have 2 Transit VPCs deployed within the same account into consideration moving forward. Thanks for the use case.