# Transit gateway-attached firewalls in Network Firewall
<a name="tgw-firewall"></a>

The AWS Network Firewall integration with AWS Transit Gateway lets you create and centrally manage firewall protective coverage without needing to provision multiple firewall endpoints.

Firewall owners can attach a Network Firewall directly to a transit gateway as a transit gateway attachment either within their own account or shared from a different account. For more information, see [Create a transit gateway-attached firewall](create-tgw-firewall.md).

## Key concepts
<a name="tgw-firewall-concepts"></a>

Review the following concepts before you continue. Note that these definitions are in the context of the Network Firewall integration with AWS Transit Gateway.

**Transit Gateway**  
A transit gateway works across AWS accounts, and you can use AWS RAM to share your transit gateway with other accounts. When a transit gateway is shared, recipients can use it to create a *transit gateway attachment*.

**Transit gateway-attached firewall**  
A type of transit gateway attachment. When a Network Firewall account owner uses a shared transit gateway to provision a firewall, they bypass the networking configuration required by the standard firewall setup. The firewall that Network Firewall provisions using a shared transit gateway is a *transit gateway-attached firewall*.

**AWS RAM sharing account**  
The sharing account contains the resource that is shared. In the context of the Network Firewall integration with AWS Transit Gateway, the AWS RAM sharing account that shares the transit gateway is referred to as the *transit gateway owner.* 

**Ownership scenarios**  
Similar to working with firewalls and firewall endpoints created in Network Firewall, different account ownership scenarios impact how you work with a transit gateway-attached firewall. 
+ The transit gateway owner is the account that owns the transit gateway
+ The firewall owner is the account that creates and manages the transit gateway-attached firewall

**Note**  
These roles can be in the same account or in different accounts.

**Topics**
+ [Key concepts](#tgw-firewall-concepts)
+ [Considerations for transit gateway-attached firewalls](tgw-firewall-considerations.md)
+ [Create a transit gateway-attached firewall from a shared transit gateway](create-tgw-firewall.md)
+ [Working with transit gateway-attached firewalls](working-with-tgw-firewalls.md)

# Considerations for transit gateway-attached firewalls
<a name="tgw-firewall-considerations"></a>

Before you create or use a transit gateway-attached firewall, consider the following points. For considerations that apply to all firewalls, see [Considerations for working with firewalls and firewall endpoints](firewall-and-firewall-endpoints-considerations.md).
+ A transit gateway-attached firewall involves multiple AWS services: AWS Network Firewall, AWS Transit Gateway, and AWS RAM.
+ If the Transit Gateway owner and Network Firewall owner are different AWS accounts:
  + The Network Firewall account owner depends on the Transit Gateway owner to share the transit gateway.
  + Either account can delete the transit gateway-attached firewall.
  + The Transit Gateway owner has limited visibility into firewall details.
  + The Transit Gateway owner cannot delete the shared transit gateway until they remove all transit gateway attachments, including related transit gateway-attached firewalls.
+ When you use stateful domain list rule groups or other stateful rule group types that reference `HOME_NET` or `EXTERNAL_NET`, you must configure these rule groups to use values for `HOME_NET` and `EXTERNAL_NET` that are different from the default values used in the firewall policy. For more information, see [Limitations and caveats for stateful rules in AWS Network Firewall](suricata-limitations-caveats.md).
+ A transit gateway-attached firewall must be configured in the same Availability Zone where the shared transit gateway is already enabled.
+ Traffic for transit gateway-attached firewalls must be routed through transit gateway route tables, not VPC route tables.
+ Appliance mode is always enabled on transit gateway-attached firewalls.
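Because a transit gateway-attached firewall cannot rely on the policy's default `HOME_NET` and `EXTERNAL_NET` values, the rule group itself has to carry the override. The following added example (not part of the AWS documentation) builds a stateful domain list rule group document with both variables set through `RuleVariables.IPSets` and checks that neither is missing before the document is submitted; the CIDRs and domains are constructed sample values, and the field names follow the Network Firewall `RuleGroup` API shape.

```python
"""Build a domain-list rule group for a transit gateway-attached firewall
with HOME_NET / EXTERNAL_NET overridden, and verify the override is present."""
import json
from typing import Dict, List

# Rule variables that a TGW-attached firewall's rule groups must define
# themselves instead of inheriting the firewall policy defaults.
REQUIRED_IPSET_VARS = ("HOME_NET", "EXTERNAL_NET")


def build_domain_list_rule_group(home_net: List[str], external_net: List[str],
                                 domains: List[str]) -> Dict:
    """Return a RuleGroup document for a DENYLIST domain-list rule group.

    home_net: CIDRs the firewall treats as internal (the spoke ranges routed
    through the transit gateway); external_net: the ranges treated as outside.
    """
    if not home_net or not external_net:
        raise ValueError("HOME_NET and EXTERNAL_NET each need at least one CIDR")
    return {
        "RuleVariables": {
            "IPSets": {
                "HOME_NET": {"Definition": list(home_net)},
                "EXTERNAL_NET": {"Definition": list(external_net)},
            }
        },
        "RulesSource": {
            "RulesSourceList": {
                "Targets": list(domains),
                "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                "GeneratedRulesType": "DENYLIST",
            }
        },
    }


def missing_rule_variables(rule_group: Dict) -> List[str]:
    """Return the required IP-set variables that are absent or empty.

    This only checks presence; whether the values differ from the policy
    defaults depends on your topology and must be reviewed by hand.
    """
    ipsets = rule_group.get("RuleVariables", {}).get("IPSets", {})
    return [v for v in REQUIRED_IPSET_VARS if not ipsets.get(v, {}).get("Definition")]


if __name__ == "__main__":
    # Constructed sample values: two spoke VPC ranges as HOME_NET, everything
    # else as EXTERNAL_NET, and one domain to deny. Adjust to your network.
    rg = build_domain_list_rule_group(["10.10.0.0/16", "10.20.0.0/16"],
                                      ["0.0.0.0/0"], ["example.com"])
    assert not missing_rule_variables(rg), "rule variables not overridden"
    # The JSON can be passed to: aws network-firewall create-rule-group
    #   --type STATEFUL --capacity 100 --rule-group file://rule-group.json
    print(json.dumps(rg, indent=2))
```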

# Create a transit gateway-attached firewall from a shared transit gateway
<a name="create-tgw-firewall"></a>

The process to create a transit gateway-attached firewall involves multiple AWS services, including AWS Network Firewall, AWS Transit Gateway, and AWS RAM. In scenarios where the Transit Gateway owner and Network Firewall owner are different AWS accounts, the Network Firewall account owner depends on the Transit Gateway owner to share a transit gateway with them.

**Note**  
This guide focuses on the Network Firewall portions of the larger cross-service process and assumes you are an AWS Network Firewall account owner who has a transit gateway shared with them. For information on creating a transit gateway-attached firewall without needing to share between different AWS accounts, see [Creating a firewall in AWS Network Firewall](creating-firewall.md).

## Use multiple AWS services to create a transit gateway-attached firewall (overview)
<a name="detailed-instructions-tg-ram"></a>

The following procedure is an overview of all the service-specific processes needed to create a transit gateway-attached firewall. For more detailed instructions specific to Transit Gateway and AWS RAM, see the related service documentation linked in each respective step.

1. The transit gateway owner shares their transit gateway through AWS RAM with the firewall owner's account. For more information, see [Shareable AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html#shareable-vpc) in the *AWS RAM User Guide*.

1. The firewall owner accepts the AWS RAM share invitation for the transit gateway. For more information, see [Access shared resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-shared.html) in the *AWS RAM User Guide*.

1. The firewall owner creates a firewall using the shared transit gateway, which creates a pending transit gateway attachment. For detailed steps, see [Accept a shared transit gateway to create a transit gateway-attached firewall](#accept-shared-tgw-firewall).
**Note**  
This step in the process is covered in this guide.

1. The transit gateway owner accepts the transit gateway attachment (unless auto-accept attachments is enabled on their transit gateway). For more information, see [Accept a shared attachment using Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/acccept-tgw-attach.html) in the *Amazon VPC Developer Guide*.

## Accept a shared transit gateway to create a transit gateway-attached firewall
<a name="accept-shared-tgw-firewall"></a>

**Prerequisites**  
Verify that the Transit Gateway account owner has already created a transit gateway and shared it with your account using AWS RAM.

For information on other things to consider before you create a transit gateway-attached firewall, see [Considerations for transit gateway-attached firewalls](tgw-firewall-considerations.md).

**To accept a shared transit gateway in Network Firewall**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. From the **Actions** menu, choose **Accept the transit gateway attachment**.

1. Review the following details in the dialog box:
   + The firewall name
   + Status (whether it has been accepted by this account)
   + Account ID of the firewall owner
   + Transit Gateway ID

1. Choose **Accept**.

1. Review the firewall configuration details, then choose **Create firewall**.

**After you accept a shared transit gateway attachment**  
The steps in this guide are only part of a larger process that involves AWS Network Firewall, AWS Transit Gateway, and AWS RAM. When you complete the previous steps within the Network Firewall console, the transit gateway-attached firewall enters a `Pending` state. You can proceed to [Working with transit gateway-attached firewalls](working-with-tgw-firewalls.md) to begin configuring your transit gateway-attached firewall while you wait for the transit gateway owner to accept or reject it.

# Working with transit gateway-attached firewalls
<a name="working-with-tgw-firewalls"></a>

After you accept a shared transit gateway attachment, the firewall you create appears in the **Firewalls** page of the Network Firewall console with one of the following statuses, depending on what state it is in:
+ `Pending` — the process to create a transit gateway-attached firewall has been initiated. The transit gateway owner must next accept the firewall from the transit gateway console. For more information, see [Accept a shared attachment using Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/acccept-tgw-attach.html) in the *Amazon VPC Developer Guide*.

  The transit gateway-attached firewall cannot monitor network traffic while pending, but the firewall owner can adjust the firewall's configuration using the steps in [Updating a firewall in AWS Network Firewall](firewall-updating.md).
+ `Rejected` — the transit gateway owner has rejected the transit gateway-attached firewall. For more information, see [Accept a shared attachment using Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/acccept-tgw-attach.html) in the *Amazon VPC Developer Guide*.
+ `Ready` — the transit gateway-attached firewall has finished provisioning and has begun monitoring traffic according to the network configuration set in the transit gateway.

As the transit gateway-attached firewall owner, you maintain control of the firewall configuration, while the transit gateway owner controls the routing of your traffic through the firewall through the networking configuration managed in the AWS Transit Gateway console and CLI.