diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14d0d9a..9ae1206 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -233,3 +233,8 @@
 - update tags to a common format
 - add var.tags
 - detect if running in network account, and only add ec2_tags if not
+
+* 2.4.7 -- 2022-12-30
+ - nacls
+ - split out attachment subnets, if present
+ - create attachment nacl, add entries in all, out all
diff --git a/common/version.tf b/common/version.tf
index f08b881..1d918eb 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.4.6"
+ _module_version = "2.4.7"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/nacls/README.md b/nacls/README.md
index 620629b..c35fb52 100644
--- a/nacls/README.md
+++ b/nacls/README.md
@@ -1,7 +1,8 @@
 # About aws-vpc-setup :: nacls
 This submodule creates network access control lists (nacls). The submodule nacl-rules sets up the rules for
-each specific nacl. This creates both a public and a private NACL.
+each specific nacl. This creates both a public and a private NACL. This also creates an attachment NACL
+for just the attachment subnets, where it will also have full open access to/from. This is needed for Transit Gateway.
 # Usage
@@ -12,13 +13,14 @@ module "nacls" {
 vpc_full_name = var.vpc_full_name
 public_subnets_ids = module.subnets.public_subnets_ids
 private_subnets_ids = module.subnets.private_subnets_ids
-
- # optional
- public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ]
- private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ]
 vpc_name = var.vpc_name
 vpc_short_name = var.vpc_short_name
+ # optional
+ ## public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ]
+ ## private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ]
+ ## attachment_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id if lookup(s.tags, "boc:vpc:route-table", null) == "attachment"]
+
 tags = {}
 }
 ```
@@ -30,6 +32,7 @@ module "nacls" {
 | [terraform](#requirement\_terraform) | >= 0.13 |
 | [aws](#requirement\_aws) | >= 3.66.0 |
 | [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
 | [null](#requirement\_null) | >= 3.0 |
 | [random](#requirement\_random) | >= 3.0 |
 | [template](#requirement\_template) | >= 2.0 |
@@ -48,18 +51,22 @@ No modules.
 | Name | Type |
 |------|------|
+| [aws_network_acl.attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl_rule.attachment_in](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.attachment_out](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
-| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component.
 This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs (not objects) | `list(string)` | `[]` | no |
 | [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
})) | `[]` | no |
@@ -77,5 +84,6 @@ No modules.
| Name | Description |
|------|-------------|
+| [attachment\_network\_acl\_id](#output\_attachment\_network\_acl\_id) | attachment network ACL ID |
| [private\_network\_acl\_id](#output\_private\_network\_acl\_id) | private network ACL ID |
| [public\_network\_acl\_id](#output\_public\_network\_acl\_id) | public network ACL ID |
diff --git a/nacls/main.tf b/nacls/main.tf
index 4605ee1..e399673 100644
--- a/nacls/main.tf
+++ b/nacls/main.tf
@@ -2,7 +2,8 @@
* # About aws-vpc-setup :: nacls
*
* This submodule creates network access control lists (nacls). The submodule nacl-rules sets up the rules for
-* each specific nacl. This creates both a public and a private NACL.
+* each specific nacl. This creates both a public and a private NACL. This also creates an attachment NACL
+* for just the attachment subnets, where it will also have full open access to/from. This is needed for Transit Gateway.
*
* # Usage
*
@@ -13,12 +14,13 @@
* vpc_full_name = var.vpc_full_name
* public_subnets_ids = module.subnets.public_subnets_ids
* private_subnets_ids = module.subnets.private_subnets_ids
-*
-* # optional
-* public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ]
-* private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ]
* vpc_name = var.vpc_name
* vpc_short_name = var.vpc_short_name
+*
+* # optional
+* ## public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ]
+* ## private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ]
+* ## attachment_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id if lookup(s.tags, "boc:vpc:route-table", null) == "attachment"]
*
* tags = {}
* }
@@ -34,8 +36,9 @@ locals {
"boc:created_by" = "terraform"
}
- public_ids = length(var.public_subnet_ids) > 0 ? var.public_subnet_ids : [for subnet in var.public_subnets_ids : subnet.id]
- private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id]
+ public_ids = length(var.public_subnet_ids) > 0 ? var.public_subnet_ids : [for subnet in var.public_subnets_ids : subnet.id if lookup(subnet.tags, "boc:vpc:route-table", null) != "attachment"]
+ private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id]
+ attachment_ids = length(var.attachment_subnet_ids) > 0 ? var.attachment_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id if lookup(subnet.tags, "boc:vpc:route-table", null) == "attachment"]
}
#---
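Review bot: `private_ids` on the `+ private_ids` line still keeps every object in `var.private_subnets_ids`, while `attachment_ids` on the next line selects the subset of that same list tagged `boc:vpc:route-table = attachment`, so an attachment subnet lands in both lists; AWS associates a subnet with exactly one NACL, and if `aws_network_acl.private` uses `local.private_ids` (its body is outside this hunk) the private and attachment resources would re-associate those subnets on every apply, with either the allow-all attachment NACL or the private NACL winning unpredictably. The exclusion filter added to `public_ids` looks like it was meant for `private_ids`: `private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id if lookup(subnet.tags, "boc:vpc:route-table", null) != "attachment"]`. Conversely, a public subnet that carries the attachment tag is now dropped from `public_ids` but never picked up by `attachment_ids`, which leaves it on the VPC default NACL. Both `lookup(subnet.tags, ...)` calls also require a `tags` attribute on the subnet object type, which the README table in this commit still lists as `subnet, label, availability_zone, id` only; the variable definitions are not in this diff, so confirm they were widened. A caller who passes the flat `private_subnet_ids` override bypasses the tag filter entirely and must also pass `attachment_subnet_ids`, which deserves a comment above these locals.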
@@ -65,3 +68,46 @@ resource "aws_network_acl" "public" {
{ "Name" = format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "public") },
)
}
+
+#---
+# nacl: attachment. This also makes it inbound=0/0, outbound=0/0
+#---
+resource "aws_network_acl" "attachment" {
+ count = length(local.attachment_ids) > 0 ? 1 : 0
+ vpc_id = var.vpc_id
+ subnet_ids = local.attachment_ids
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ {
+ "Name" = format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "attachment")
+ "boc:vpc:route-table" = "attachment"
+ },
+ )
+}
+
+resource "aws_network_acl_rule" "attachment_in" {
+ count = length(local.attachment_ids) > 0 ? 1 : 0
+ network_acl_id = try(aws_network_acl.attachment[0].id, null)
+ rule_number = 100
+ egress = false
+ cidr_block = "0.0.0.0/0"
+ rule_action = "allow"
+ to_port = 0
+ from_port = 0
+ protocol = "-1"
+}
+
+resource "aws_network_acl_rule" "attachment_out" {
+ count = length(local.attachment_ids) > 0 ? 1 : 0
+ network_acl_id = try(aws_network_acl.attachment[0].id, null)
+ rule_number = 100
+ egress = true
+ cidr_block = "0.0.0.0/0"
+ rule_action = "allow"
+ to_port = 0
+ from_port = 0
+ protocol = "-1"
+}
+
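Review bot: Both rules in `attachment_in` and `attachment_out` hard-code `cidr_block = "0.0.0.0/0"` with `protocol = "-1"`, so the attachment subnets get no network-layer filtering at all; since they only need to exchange traffic with what the Transit Gateway routes, consider exposing the CIDR as a new input that defaults to `"0.0.0.0/0"` (backward compatible) so an account can scope it to its TGW-routed ranges, and extend the header comment at `# nacl: attachment` to say that NACLs are stateless, which is why the two mirrored rules are required. The `try(aws_network_acl.attachment[0].id, null)` wrappers are redundant because the rules share the same `count` guard as the NACL, and a `null` here would be rejected as a missing required argument rather than skip the rule; `network_acl_id = aws_network_acl.attachment[0].id` expresses the dependency directly. The rules are IPv4 only, so if the VPC has an IPv6 block, IPv6 traffic through the attachment would still hit the NACL's implicit deny; worth stating in the comment whether that is intended.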
diff --git a/nacls/outputs.tf b/nacls/outputs.tf
index d9411fd..e9c8fac 100644
--- a/nacls/outputs.tf
+++ b/nacls/outputs.tf
@@ -8,3 +8,8 @@ output "private_network_acl_id" {
value = aws_network_acl.private.id
}
+output "attachment_network_acl_id" {
+ description = "attachment network ACL ID"
+ value = try(aws_network_acl.attachment[0].id, null)
+}
+
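Review bot: The new output is `null` whenever the VPC has no attachment subnets, because `count` on `aws_network_acl.attachment` goes to 0 and `try()` swallows the index error, but the description does not say so and a consumer wiring it into a required argument would fail at plan time; suggest `description = "attachment network ACL ID (null when the VPC has no attachment subnets)"`. The `try()` form is acceptable on the `>= 0.13` floor the README declares; on Terraform 0.15 and later `one(aws_network_acl.attachment[*].id)` states the zero-or-one intent more directly.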