# Architecture details
<a name="architecture-details"></a>

This section describes the components and AWS services that make up this solution and the architecture details on how these components work together.

# Automated approval
<a name="automated-approval"></a>

By default, the solution approves network requests from spoke accounts automatically. This section provides detail about this workflow.

**Architecture diagram of AWS resources deployed to approve network requests automatically.**

![automated approval architecture](http://docs.aws.amazon.com/solutions/latest/network-orchestration-aws-transit-gateway/images/automated-approval-architecture.png)

1. Depending on the event, the state machine can perform the following actions:
   + Create, update, or delete transit gateway attachments to the VPC
   + Create or update transit gateway route table associations
   + Enable or disable transit gateway route table propagations

1. The state machine creates routes in the VPC route tables associated with the subnets that you tagged, with the following exceptions (see [Step 5. Add tags](step-5-add-tags.md) for more information):
   + If there is no explicit route table associated with the subnet, the solution updates the main route table instead.
   + If you tag a second subnet in the same Availability Zone, you must use the `route-to-tgw` tag key to only add the route and skip adding the subnet in the attachment.

1. The state machine then adds a new status tag to the VPC or the subnet with the status of the request.

1. The state machine updates the DynamoDB table so that the network administrator can audit the network change history. The changes in DynamoDB are automatically reflected in the web UI dashboard. Administrators and users can sign in to the web UI to review the history of all changes that occurred in the network.
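The route table rule in step 2 (update the route table explicitly associated with the tagged subnet, or the VPC's main route table when there is none) is easy to get wrong in a hand-rolled automation, so here is an added Python example of that lookup. It is not the solution's own code: the route table records are constructed in the shape returned by `ec2:DescribeRouteTables`, and the destination CIDR, transit gateway ID and resource IDs are placeholders. It also goes one step beyond the text by checking for an existing route to the same destination, because `CreateRoute` rejects a duplicate destination, so a re-run must replace or skip rather than create.

```python
"""Pick the VPC route table that receives the transit gateway route for a tagged subnet.

Added example, not the solution's code. Rule from the text: an explicitly
associated route table wins; otherwise the VPC's main route table is updated.
"""
from typing import Optional

# Constructed sample in the shape of ec2.describe_route_tables()["RouteTables"].
ROUTE_TABLES = [
    {   # Main route table of the VPC; subnet-0000b has no explicit association.
        "RouteTableId": "rtb-0000main",
        "VpcId": "vpc-0000example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-0000main"}],
        "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # Explicitly associated with subnet-0000a; already routes 0.0.0.0/0 to a transit gateway.
        "RouteTableId": "rtb-0000private",
        "VpcId": "vpc-0000example",
        "Associations": [{"Main": False, "SubnetId": "subnet-0000a", "RouteTableId": "rtb-0000private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0000example", "State": "active"},
        ],
    },
]


def resolve_route_table(route_tables: list, subnet_id: str, vpc_id: str) -> Optional[dict]:
    """Return the route table to update for a subnet, falling back to the VPC main table."""
    in_vpc = [rtb for rtb in route_tables if rtb.get("VpcId") == vpc_id]
    # 1) A route table explicitly associated with the subnet takes precedence.
    for rtb in in_vpc:
        if any(a.get("SubnetId") == subnet_id for a in rtb.get("Associations", [])):
            return rtb
    # 2) Otherwise the subnet implicitly uses the VPC's main route table.
    for rtb in in_vpc:
        if any(a.get("Main") for a in rtb.get("Associations", [])):
            return rtb
    return None


def plan_tgw_route(route_tables: list, subnet_id: str, vpc_id: str,
                   destination_cidr: str, tgw_id: str) -> dict:
    """Decide which EC2 route call keeps the operation idempotent.

    CreateRoute fails when the destination already exists in the table, so an
    existing route is replaced unless it already points at the transit gateway.
    """
    rtb = resolve_route_table(route_tables, subnet_id, vpc_id)
    if rtb is None:
        raise LookupError(f"no route table found for {subnet_id} in {vpc_id}")
    existing = next((r for r in rtb.get("Routes", [])
                     if r.get("DestinationCidrBlock") == destination_cidr), None)
    if existing is None:
        action = "create_route"
    elif existing.get("TransitGatewayId") == tgw_id:
        action = "none"            # already correct; nothing to call
    else:
        action = "replace_route"   # destination exists but targets something else
    return {
        "RouteTableId": rtb["RouteTableId"],
        "DestinationCidrBlock": destination_cidr,
        "TransitGatewayId": tgw_id,
        "Action": action,
    }


if __name__ == "__main__":
    # subnet-0000b has no explicit table, so the main table gets a new route.
    print(plan_tgw_route(ROUTE_TABLES, "subnet-0000b", "vpc-0000example", "0.0.0.0/0", "tgw-0000example"))
```

With real clients the returned plan maps directly onto `create_route` / `replace_route` on the EC2 client with the same keyword arguments, and the `none` action lets a retried state machine execution complete without error.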

# Manual approval
<a name="manual-approval"></a>

You can choose to manually approve network requests from spoke accounts, instead of automated approval. This section provides detail about this workflow.

**Important**  
If you don’t deploy the UI, you can’t approve or reject a network change. All the network changes will be auto-approved. You can use the compliance rules to automatically approve and reject network changes.

**Architecture diagram of AWS resources deployed to support manual approval of network requests.**

![manual approval architecture](http://docs.aws.amazon.com/solutions/latest/network-orchestration-aws-transit-gateway/images/manual-approval-architecture.png)

1. If you set the **ApprovalRequired** tag key to `Yes` or `Conditional` in the **Transit gateway route table** parameter, the state machine skips changes depending on the rules set under the `Conditional` setting. To set up this flag, refer to [Transit Gateway route table tags](custom-compliance.md#add-tags-to-transit-gateway-route-table).

1. The administrator signs in to the web UI, and the Amazon Cognito [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) authenticates each user. CloudFront delivers the web UI content from an S3 bucket.

1. The S3 bucket hosts the web UI.

1. The web UI gets a token from Amazon Cognito and sends a request to AWS AppSync. AWS WAF protects the APIs from security events. This solution configures a set of rules called a web ACL. The web ACL allows, blocks, or counts web requests based on configurable, user-defined web security rules and conditions.

1. AWS AppSync provides the solution’s API layer using GraphQL.

1. Amazon Cognito authenticates the token in the header of the API requests.

1. An AWS AppSync [resolver](https://docs.aws.amazon.com/appsync/latest/devguide/system-overview-and-architecture.html#resolver) updates the DynamoDB table with the processing status.

1. An AWS AppSync resolver invokes a Lambda function that validates the event.

1. A Lambda function starts a new state machine execution.

1. The state machine workflow attaches a VPC to the transit gateway.

1. The state machine workflow updates the VPC route table associated with the tagged subnet.

1. The state machine workflow updates the transit gateway route table with association and propagation changes.
**Note**  
This workflow only updates the transit gateway route table defined in the VPC tags.

1. (Optional) The state machine workflow updates the attachment name with the VPC name and the Organizational Unit (OU) name for the spoke account (retrieved from the Org Management account).
**Note**  
This occurs only if you provide your Organizations ARN for the **Account List or AWS Organizations ARN** template parameter. For more information, see [Step 3: Launch the hub stack](step-3-launch-the-hub-stack.md).

1. The solution updates the DynamoDB table with the information extracted from the event and the resources created, updated, or deleted in the workflow. The changes in DynamoDB are automatically reflected in the web UI dashboard. Administrators and users can sign in to the web UI to review the history of all changes that occurred in the network.

# Transit Gateway inter-Region peering
<a name="transit-gateway-inter-region-peering"></a>

You can use Transit Gateway peering to directly route traffic between two transit gateways in the same AWS Region or across Regions. This section provides information about how this solution supports peering.

**Architecture diagram of AWS resources deployed to support Transit Gateway inter-Region peering.**

![inter region architecture](http://docs.aws.amazon.com/solutions/latest/network-orchestration-aws-transit-gateway/images/inter-region-architecture.png)

1. When you [tag the transit gateway](tgw-peering-attachments.md#add-tags-to-transit-gateway), an EventBridge event is emitted. The target for this event is the transit gateway peering attachment Lambda function in the hub account.

1. The `tgw-peering` Lambda function creates the peering attachment between the transit gateways based on the tag key and value. The peering attachment state transitions from `InitializingRequest` to `PendingAcceptance`.

1. The Lambda function accepts the peering attachment request in the remote Region.

1. The solution sets the peering attachment state to `Available`.
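The four steps above form one procedure: create the peering attachment in the local Region, wait for the request to become pending, accept it from the peer Region, then wait for it to become available. The following is an added Python example of that exchange; it is not the solution's `tgw-peering` function. The two EC2 clients are injected so the flow runs offline against the constructed `FakeEc2` below (with boto3 you would pass `boto3.client("ec2", region_name=...)` for each Region), the transit gateway IDs and account ID are placeholders, and because the EC2 API spells attachment states in lowerCamelCase (for example `pendingAcceptance`, `available`), state comparisons are case-insensitive. It also handles the failure mode the text does not mention: a request that lands in `rejected` or `failed` will never become available, so polling must stop rather than time out.

```python
"""Create a transit gateway peering attachment and accept it in the peer Region.

Added example, not the solution's tgw-peering Lambda function.
"""
import time

# States that will never progress to the one being waited for.
TERMINAL_FAILURE_STATES = {"failed", "failing", "rejected", "rejecting", "deleting", "deleted"}


def current_state(ec2, attachment_id: str) -> str:
    """Return the attachment state as seen from the client's Region, lower-cased."""
    resp = ec2.describe_transit_gateway_peering_attachments(
        TransitGatewayAttachmentIds=[attachment_id]
    )
    return resp["TransitGatewayPeeringAttachments"][0]["State"].lower()


def wait_for_state(ec2, attachment_id: str, wanted: str,
                   attempts: int = 24, delay: int = 5, sleep=time.sleep) -> str:
    """Poll until `wanted` is reached; raise on a terminal failure or timeout."""
    wanted = wanted.lower()
    for _ in range(attempts):
        state = current_state(ec2, attachment_id)
        if state == wanted:
            return state
        if state in TERMINAL_FAILURE_STATES:
            raise RuntimeError(f"{attachment_id} entered '{state}' while waiting for '{wanted}'")
        sleep(delay)
    raise TimeoutError(f"{attachment_id} did not reach '{wanted}' after {attempts} polls")


def peer_transit_gateways(local_ec2, peer_ec2, tgw_id: str, peer_tgw_id: str,
                          peer_account_id: str, peer_region: str, sleep=time.sleep) -> str:
    """Request the peering from the local Region and accept it from the peer Region."""
    attachment_id = local_ec2.create_transit_gateway_peering_attachment(
        TransitGatewayId=tgw_id,
        PeerTransitGatewayId=peer_tgw_id,
        PeerAccountId=peer_account_id,
        PeerRegion=peer_region,
    )["TransitGatewayPeeringAttachment"]["TransitGatewayAttachmentId"]
    # The request surfaces as pendingAcceptance in the peer Region; only a client there can accept it.
    wait_for_state(peer_ec2, attachment_id, "pendingAcceptance", sleep=sleep)
    peer_ec2.accept_transit_gateway_peering_attachment(TransitGatewayAttachmentId=attachment_id)
    wait_for_state(peer_ec2, attachment_id, "available", sleep=sleep)
    return attachment_id


class FakeEc2:
    """Constructed stand-in for a Region's EC2 client; both Regions share one attachment record."""

    # The fake advances the attachment one step after each describe call.
    PROGRESS = {"initiatingRequest": "pendingAcceptance", "pending": "available"}

    def __init__(self, shared: dict):
        self.shared = shared
        self.calls = []

    def create_transit_gateway_peering_attachment(self, **kwargs):
        self.calls.append("create")
        self.shared.update(id="tgw-attach-0000example", state="initiatingRequest")
        return {"TransitGatewayPeeringAttachment": {
            "TransitGatewayAttachmentId": self.shared["id"], "State": "initiatingRequest"}}

    def describe_transit_gateway_peering_attachments(self, TransitGatewayAttachmentIds):
        self.calls.append("describe")
        state = self.shared["state"]
        self.shared["state"] = self.PROGRESS.get(state, state)
        return {"TransitGatewayPeeringAttachments": [{
            "TransitGatewayAttachmentId": TransitGatewayAttachmentIds[0], "State": state}]}

    def accept_transit_gateway_peering_attachment(self, TransitGatewayAttachmentId):
        self.calls.append("accept")
        self.shared["state"] = "pending"
        return {"TransitGatewayPeeringAttachment": {
            "TransitGatewayAttachmentId": TransitGatewayAttachmentId, "State": "pending"}}


def demo() -> dict:
    """Run the flow against the fake clients and report what each Region was asked to do."""
    shared = {}
    local, peer = FakeEc2(shared), FakeEc2(shared)
    attachment_id = peer_transit_gateways(local, peer, "tgw-0000local", "tgw-0000peer",
                                          "111122223333", "eu-west-1", sleep=lambda _s: None)
    return {"attachment_id": attachment_id, "final_state": shared["state"],
            "local_calls": local.calls, "peer_calls": peer.calls}


if __name__ == "__main__":
    print(demo())
```

The split of calls in `demo()` is the point to take from the trace: the only call made in the local Region is the create, while every describe and the accept happen through the peer Region's client, which is why the hub account's function needs credentials and a client for the remote Region.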

## AWS services in this solution
<a name="aws-services-in-this-solution"></a>

| AWS service | Description |
| --- | --- |
| [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/) | **Core.** Deploys a transit gateway that connects VPCs through a central hub. |
| [AWS Lambda](https://aws.amazon.com/lambda/) | **Core.** Deploys multiple Lambda functions to support core microservices and create transit gateway attachments. |
| [AWS Step Functions](https://aws.amazon.com/step-functions/) | **Core.** Deploys a state machine to orchestrate the subnet and VPC tagging events and create transit gateway attachments. |
| [Amazon DynamoDB](https://aws.amazon.com/dynamodb/) | **Core.** Deploys a DynamoDB table for VPC and transit gateway attachments, and for transit gateway peering attachments. |
| [Amazon EventBridge](https://aws.amazon.com/eventbridge/) | **Core.** Deploys an event bus and event rules to connect components of the solution. |
| [AWS X-Ray](https://aws.amazon.com/xray/) | **Supporting.** Deploys traces for API Gateway and Step Functions, allowing you to investigate root causes of failures. |
| [Amazon SNS](https://aws.amazon.com/sns/) | **Optional.** Deploys a topic that sends an email notification with the optional web UI URL. |
| [Amazon Cognito](https://aws.amazon.com/cognito/) | **Optional.** Deploys a user pool that supports identity authentication for the optional web UI. |
| [AWS AppSync](https://aws.amazon.com/appsync/) | **Optional.** Deploys AWS AppSync schema and resolvers for the DynamoDB table and Lambda functions. Using resolvers, AWS AppSync translates GraphQL requests and fetches information from DynamoDB. |
| [Amazon S3](https://aws.amazon.com/s3/) | **Optional.** Deploys Amazon S3 buckets to host the web UI assets. |
| [AWS WAF](https://aws.amazon.com/waf/) | **Optional.** Deploys an AWS WAF web access control list (ACL) to protect AWS AppSync from common security events, such as SQL injection and cross-site scripting (XSS). |
| [Amazon CloudFront](https://aws.amazon.com/cloudfront/) | **Optional.** Deploys CloudFront with an Amazon S3 bucket as the origin. This restricts access to the Amazon S3 bucket so that it’s not publicly accessible and prevents direct access from the bucket. |