

# Architecture overview
<a name="architecture-overview"></a>

This section provides a reference implementation architecture diagram for the components deployed with this solution. This solution includes:
+ A CloudFormation hub template (`aws-transit-network-orchestrator-hub.template`) that you deploy in the [hub account](concepts-and-definitions.md). This template launches all the components necessary to automatically connect your VPCs to Transit Gateway. The template also deploys a web UI. For recommendations on choosing a hub account, refer to [AWS accounts](aws-accounts-for-multi-account-environments.md).
+ A CloudFormation spoke template (`aws-transit-network-orchestrator-spoke.template`) to deploy in your spoke account(s).
+ A CloudFormation organization role template (`aws-transit-network-orchestrator-organization-role.template`) to optionally deploy in your Organizations management account.

# Architecture diagram
<a name="architecture-diagram"></a>

Deploying this solution with the default parameters deploys the following components in your AWS account.

**Architecture diagram of AWS resources deployed to automate managing Transit Gateway attachments.**

![Network orchestration for AWS Transit Gateway architecture](http://docs.aws.amazon.com/solutions/latest/network-orchestration-aws-transit-gateway/images/network-orchestration-aws-transit-gateway-architecture.png)


**Note**  
CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) constructs.

1. This template deploys an [Amazon EventBridge](https://aws.amazon.com/eventbridge/) rule that monitors specific VPC and subnet tag changes.
**Note**  
To identify the VPCs (spoke accounts) for the solution to manage, [tag the VPCs](step-5-add-tags.md) and the selected subnets within those VPCs.

1. An EventBridge rule in the spoke account sends the tags to the EventBridge bus in the hub account.

1. The rules associated with the EventBridge bus invoke an [AWS Lambda function](https://aws.amazon.com/lambda/) to start the solution workflow. For more information about workflows, refer to [Architecture details](architecture-details.md).
**Note**  
Wait for the hub stack launch to complete before you launch spoke templates. The spoke accounts depend on the EventBridge bus that’s created during the hub stack launch.

1. [AWS Step Functions](https://aws.amazon.com/step-functions/) (solution [state machine](concepts-and-definitions.md)) processes network requests from the spoke accounts.

1. The state machine workflow attaches a VPC to the transit gateway.

1. The state machine workflow updates the VPC route table associated with the tagged subnet.

1. The state machine workflow updates the transit gateway route table with association and propagation changes.
**Note**  
This workflow only updates the transit gateway route table defined in the VPC tags.

1. (Optional) The state machine workflow updates the attachment name with the VPC name and the Organizational Unit (OU) name for the spoke account (retrieved from the Org Management account).
**Note**  
This occurs only if you provide your Organizations ARN for the **Account List or AWS Organizations ARN** template parameter. For more information, see [Step 3: Launch the hub stack](step-3-launch-the-hub-stack.md).

1. The solution updates [Amazon DynamoDB](https://aws.amazon.com/dynamodb/) with the information extracted from the event and resources created, updated, or deleted in the workflow.

Users can view tagging event details and the history of network requests from different accounts, and monitor their status in the web UI. Administrators can accept or reject requests when manual approval is required.
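Steps 1 through 3 hinge on an EventBridge rule deciding which tag changes reach the hub workflow. The following added example (not the solution's own code) shows EventBridge pattern-matching semantics applied to a constructed event in the "Tag Change on Resource" shape; the pattern, the tag key names and the account and VPC identifiers are placeholders, not the solution's real rule or tag keys.

```python
from typing import Any, Dict, Optional

# Constructed rule pattern in EventBridge syntax: only EC2 tag-change events on
# VPCs and subnets whose changed keys include one of these placeholder keys.
TAG_CHANGE_PATTERN: Dict[str, Any] = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "detail": {"service": ["ec2"], "resource-type": ["vpc", "subnet"],
               "changed-tag-keys": ["Example-Attach-Key", "Example-Route-Key"]},
}

def matches(pattern: Dict[str, Any], event: Any) -> bool:
    """EventBridge semantics: every pattern key must exist in the event; a leaf
    list matches if any listed value equals the event field (or any element of
    it, when that field is itself a list); nested dicts recurse."""
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not matches(expected, event[key]):
                return False
            continue
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(c in expected for c in candidates):
            return False
    return True

def workflow_input(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Reduce a matching event to what the hub workflow needs; None means the
    rule would not fire, so unrelated tag edits never start the state machine."""
    if not matches(TAG_CHANGE_PATTERN, event):
        return None
    detail = event["detail"]
    return {"resource": event["resources"][0], "resource_type": detail["resource-type"],
            "changed_keys": detail["changed-tag-keys"], "tags": detail["tags"]}

# Constructed sample event in the "Tag Change on Resource" shape (placeholder ids).
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.tag", "detail-type": "Tag Change on Resource",
    "account": "111111111111", "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:111111111111:vpc/vpc-0example"],
    "detail": {"changed-tag-keys": ["Example-Attach-Key"], "service": "ec2",
               "resource-type": "vpc", "version": 1,
               "tags": {"Example-Attach-Key": "true", "Name": "app-vpc"}},
}
```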

# AWS Well-Architected design considerations
<a name="aws-well-architected-design-considerations"></a>

This solution uses the best practices from the [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/), which helps customers design and operate reliable, secure, efficient, and cost-effective workloads in the cloud.

This section describes how the design principles and best practices of the Well-Architected Framework benefit this solution.

## Operational excellence
<a name="operational-excellence"></a>

This section describes how the principles and best practices of the [operational excellence pillar](https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/welcome.html) benefit this solution.
+ The solution pushes metrics to CloudWatch to provide observability into the infrastructure, including Lambda functions, Step Functions, [Amazon API Gateway](https://aws.amazon.com/api-gateway/), [Amazon Simple Storage Service](https://aws.amazon.com/s3/) (Amazon S3) buckets, and the rest of the solution components.
+ AWS X-Ray traces are enabled for Step Functions and AWS AppSync. This helps you visualize the components of the state machine and analyze user requests as they travel through your AWS AppSync APIs to the underlying services, identify performance bottlenecks, and troubleshoot requests that resulted in an error.

## Security
<a name="security-pillar"></a>

This section describes how the principles and best practices of the [security pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) benefit this solution.
+ The web UI users are authenticated and authorized with [Amazon Cognito](https://aws.amazon.com/cognito/).
+ All inter-service communications use [AWS Identity and Access Management](https://aws.amazon.com/iam) (IAM) roles.
+ All multi-account communications use IAM roles.
+ All IAM roles used by the solution follow least-privilege access. In other words, they contain only the minimum permissions required for the service to function properly.
+ The access token obtained from Amazon Cognito is used to authorize application programming interface (API) calls.
+ All data stores, such as S3 buckets and DynamoDB tables, are encrypted at rest.
+ AWS WAF protects the web UI and APIs from attacks using solution-configured web access control lists (ACLs).

The solution creates a CloudFront distribution with the [default CloudFront SSL certificate](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesSSLCertificate), which allows TLS 1.1 and TLS 1.0. We recommend using a custom SSL certificate with the [TLSv1.2_2021 security policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html) to disallow insecure protocols and cipher suites.
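To check whether a deployed distribution still carries the weak default described above, the following added example (not the solution's own code) evaluates the `ViewerCertificate` structure of a CloudFront `DistributionConfig`, as returned for instance by `get_distribution_config`, and shows the weak and hardened settings side by side; the ACM certificate ARN and account id are placeholders.

```python
from typing import Any, Dict, List

RECOMMENDED_POLICY = "TLSv1.2_2021"   # viewer security policy the text recommends
# CloudFront security policies that still permit TLS 1.0 and/or TLS 1.1 handshakes.
LEGACY_POLICIES = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}

def viewer_tls_findings(distribution_config: Dict[str, Any]) -> List[str]:
    """Return findings for one DistributionConfig; an empty list means hardened."""
    findings: List[str] = []
    cert = distribution_config.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        # With the default *.cloudfront.net certificate CloudFront applies the
        # TLSv1 policy, so TLS 1.0 and 1.1 remain enabled whatever else is set.
        findings.append("default CloudFront certificate in use: TLS 1.0/1.1 allowed")
    policy = cert.get("MinimumProtocolVersion", "TLSv1")
    if policy in LEGACY_POLICIES:
        findings.append(f"MinimumProtocolVersion {policy} permits TLS 1.0/1.1; "
                        f"switch to a custom certificate with {RECOMMENDED_POLICY}")
    return findings

# Constructed configs. The first mirrors the weak default described above; the
# second is the hardened form (the ACM certificate ARN is a placeholder).
DEFAULT_CERT_CONFIG: Dict[str, Any] = {
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True,
                          "MinimumProtocolVersion": "TLSv1"},
}
HARDENED_CONFIG: Dict[str, Any] = {
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/PLACEHOLDER",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
}
```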

## Reliability
<a name="reliability"></a>

This section describes how the principles and best practices of the [reliability pillar](https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/welcome.html) benefit this solution.
+ The solution uses serverless AWS services wherever possible (such as Lambda, [AWS AppSync](https://aws.amazon.com/appsync/), Amazon S3, and Step Functions) to ensure high availability and recovery from service failure.
+ AWS protects the solution against definition errors of state machines leveraged by Step Functions by running automated tests on the solution.
+ Data processing uses Lambda functions. The solution stores data in DynamoDB and Amazon S3, so it persists in multiple Availability Zones by default.

## Performance efficiency
<a name="performance-efficiency"></a>

This section describes how the principles and best practices of the [performance efficiency pillar](https://docs.aws.amazon.com/wellarchitected/latest/performance-efficiency-pillar/welcome.html) benefit this solution.
+ The solution uses serverless architecture. For additional details, refer to [Reliability](#reliability).
+ The solution uses error handling in Step Functions to run concurrent state machine executions that add or remove multiple subnets in the VPC-to-transit gateway (`VPC-TGW`) attachment. This allows you to create a VPC and its related resources in parallel using a CloudFormation stack.
+ You can launch the solution in any AWS Region that supports the AWS services used in this solution (such as Lambda, API Gateway, Amazon S3, Step Functions, Amazon Cognito, [Amazon CloudFront](https://aws.amazon.com/cloudfront/), and [AWS WAF](https://aws.amazon.com/waf/)). You can also choose not to deploy the web UI if CloudFront and Amazon Cognito aren’t supported in the Region. Refer to [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions).
+ AWS automatically tests and deploys the solution daily. Our solution architects and subject matter experts review the solution for areas to experiment and improve.

## Cost optimization
<a name="cost-optimization"></a>

This section describes how the principles and best practices of the [cost optimization pillar](https://docs.aws.amazon.com/wellarchitected/latest/cost-optimization-pillar/welcome.html) benefit this solution.
+ The solution uses serverless architecture (for example, Step Functions and DynamoDB) to minimize the cost of unused compute infrastructure, and customers pay only for what they use.
+ The compute layer defaults to Lambda, which uses a pay-per-use model.

## Sustainability
<a name="sustainability"></a>

This section describes how the principles and best practices of the [sustainability pillar](https://docs.aws.amazon.com/wellarchitected/latest/sustainability-pillar/sustainability-pillar.html) benefit this solution.
+ The solution uses managed and serverless services to minimize the environmental impact of the backend services.
+ The solution’s serverless design is aimed at reducing carbon footprint compared to the footprint of continually operating on-premises servers.
+ The web UI allows users to select scan parameters to perform selective scans in specific AWS accounts, Regions, and services.