Tags: amazon-web-services, amazon-vpc, aws-vpn, transit-gateway

Connecting an On-Prem network via a transit gateway in the other AWS account?


I have two AWS accounts, where A is connected to On-Prem via a transit gateway, and B is connected to A via a peering connection. All works fine, thus I have connectivity from A to On-Prem, and from A to B. The challenge is to have connectivity from B to On-Prem without creating yet another transit gateway. Is it possible?

  +---------+
  |         |
  | On-Prem |
  |         |
  +---------+
    |    ^
    v    |
  +--------------------------+
  |          | AWS Account A |
  | AWS TGW  +---------------+
  |          | Peering Conn  |
  +--------------------------+
                     ^      |
                     |      v
             +---------------+
             | Peering Conn  |
             +---------------+
             | AWS Account B |
             +---------------+

It seems I have the routing, SGs and ACLs all correct, but it still doesn't work. Since I cannot see any packet flows on AWS infra, it's very difficult to debug. Also I cannot find any documentation which would clearly state whether it's in general possible or not.


Solution

  • There is only one way to connect cross account using transit gateway and this is by sharing the transit gateway via resource access manager. A prerequisite is that both accounts are under the umbrella of an AWS organisation account.

    If you are not able to do this then you either need to create a secondary transit gateway in the other account or create a virtual private gateway in account B and associate it to your AWS Account B VPC.

    From here you'd then create your secondary VPN connection.

    AWS does not support transitive networking via peering connections. It is a requirement that a traffic packet that reaches the VPC must be terminated in the VPC.

    Other solutions people use are:
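
The RAM-sharing route the answer describes, written out as an added Terraform example (this is not code from the question or the answer). It assumes both accounts sit in the same AWS Organization with RAM sharing enabled for the organization, that account A already owns the transit gateway and the Site-to-Site VPN to On-Prem, and that the On-Prem CIDR, account ID, TGW, VPC, subnet and route table IDs are placeholders to be replaced. Account A shares the TGW, account B attaches its VPC to it, and account A explicitly accepts that attachment; only the On-Prem prefix is routed from VPC B to the TGW, so the share does not silently give B a path to everything else the TGW reaches.

```hcl
# Added example, not from the original post: share account A's existing
# transit gateway with account B via AWS RAM and route B <-> On-Prem through it.
# All IDs and CIDRs below are placeholders (assumptions), not values from the page.

provider "aws" {
  alias  = "account_a"          # TGW owner; credentials supplied outside this file
  region = "eu-west-1"
}

provider "aws" {
  alias  = "account_b"          # VPC B owner; credentials supplied outside this file
  region = "eu-west-1"
}

variable "onprem_cidr"          { default = "10.0.0.0/16" }              # assumed On-Prem range
variable "account_b_id"         { default = "222222222222" }             # placeholder account ID
variable "existing_tgw_id"      { default = "tgw-0123456789abcdef0" }    # placeholder, TGW in account A
variable "vpc_b_id"             { default = "vpc-0123456789abcdef0" }    # placeholder VPC in account B
variable "vpc_b_subnet_ids"     { default = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] }
variable "vpc_b_route_table_id" { default = "rtb-0123456789abcdef0" }    # placeholder, VPC B route table

# Look up the TGW that already terminates the VPN to On-Prem (owned by account A).
data "aws_ec2_transit_gateway" "tgw" {
  provider = aws.account_a
  id       = var.existing_tgw_id
}

# ---- Account A: share the TGW with account B through RAM ----
resource "aws_ram_resource_share" "tgw" {
  provider                  = aws.account_a
  name                      = "tgw-share-to-account-b"
  allow_external_principals = false   # only members of the organization may be added
}

resource "aws_ram_resource_association" "tgw" {
  provider           = aws.account_a
  resource_arn       = data.aws_ec2_transit_gateway.tgw.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "account_b" {
  provider           = aws.account_a
  principal          = var.account_b_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
  # With RAM organization sharing enabled the share is accepted automatically;
  # otherwise account B must accept it with aws_ram_resource_share_accepter.
}

# ---- Account B: attach VPC B to the shared TGW ----
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_b" {
  provider           = aws.account_b
  transit_gateway_id = data.aws_ec2_transit_gateway.tgw.id
  vpc_id             = var.vpc_b_id
  subnet_ids         = var.vpc_b_subnet_ids
  # Route table association/propagation cannot be managed by the non-owner
  # of a shared TGW; the owner sets them in the accepter below.
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  depends_on = [aws_ram_principal_association.account_b]
}

# ---- Account A: the TGW owner accepts the attachment (explicit approval,
# rather than enabling auto-accept on the TGW) ----
resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "vpc_b" {
  provider                      = aws.account_a
  transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_b.id
  # Associate with and propagate into the TGW's default route table, so the
  # TGW learns VPC B's CIDR for the return path from On-Prem.
  transit_gateway_default_route_table_association = true
  transit_gateway_default_route_table_propagation = true
}

# ---- Account B: send only On-Prem-bound traffic from VPC B to the TGW ----
resource "aws_route" "vpc_b_to_onprem" {
  provider               = aws.account_b
  route_table_id         = var.vpc_b_route_table_id
  destination_cidr_block = var.onprem_cidr
  transit_gateway_id     = data.aws_ec2_transit_gateway.tgw.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment_accepter.vpc_b]
}
```

Two things this does not replace: the On-Prem side still needs a route for VPC B's CIDR over the VPN (learned via BGP on a dynamic VPN, or added statically), and VPC B's security groups and NACLs must permit the On-Prem range. The original peering connection between A and B plays no part in this path, which is consistent with the answer's point that peering is not transitive.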