Transit_gateway
Chapter 15: AWS Transit Gateway - Network Hub
Section titled “Chapter 15: AWS Transit Gateway - Network Hub”Centralized Network Connectivity
Section titled “Centralized Network Connectivity”15.1 Overview
Section titled “15.1 Overview”AWS Transit Gateway is a network transit hub that enables you to connect your VPCs and on-premises networks through a central hub.
Transit Gateway Overview+------------------------------------------------------------------+| || +------------------------+ || | Transit Gateway | || | (Hub) | || +------------------------+ || | || +--------+--------+--------+--------+--------+ || | | | | | | || v v v v v v || +------+ +------+ +------+ +------+ +------+ +------+ || | VPC | | VPC | | VPC | | VPN | | DX | | VPC | || | A | | B | | C | | | | | | D | || +------+ +------+ +------+ +------+ +------+ +------+ || || Benefits: || - Single point of connectivity || - Simplified network topology || - Transitive routing || - Cross-region connectivity || - Scalable (thousands of attachments) || |+------------------------------------------------------------------+15.2 Transit Gateway Architecture
Section titled “15.2 Transit Gateway Architecture”Core Components
Section titled “Core Components” Transit Gateway Components+------------------------------------------------------------------+| || 1. Transit Gateway || +----------------------------------------------------------+ || | | || | - Regional resource | || | - Acts as network hub | || | - Supports multiple attachments | || | - Can be peered across regions | || | | || +----------------------------------------------------------+ || || 2. Transit Gateway Attachment || +----------------------------------------------------------+ || | | || | Types: | || | - VPC Attachment | || | - VPN Attachment | || | - Direct Connect Gateway Attachment | || | - Transit Gateway Peering Attachment | || | - Connect Attachment (SD-WAN) | || | | || +----------------------------------------------------------+ || || 3. Transit Gateway Route Table || +----------------------------------------------------------+ || | | || | - Controls routing between attachments | || | - Multiple route tables for isolation | || | - Route propagation from attachments | || | - Static routes | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Attachment Types
Section titled “Attachment Types” Transit Gateway Attachment Types+------------------------------------------------------------------+| || VPC Attachment || +----------------------------------------------------------+ || | | || | VPC Transit Gateway | || | +------------------+ +------------------+ | || | | | | | | || | | Subnet A | | Attachment | | || | | +------------+ | | +------------+ | | || | | | ENI | | | | | | | || | | | 10.0.1.5 | |---->| | | | | || | | +------------+ | | +------------+ | | || | | | | | | || | +------------------+ +------------------+ | || | | || | Requirements: | || | - Subnets in each AZ | || | - One ENI per AZ | || | - /28 subnet minimum | || | | || +----------------------------------------------------------+ || || VPN Attachment || +----------------------------------------------------------+ || | | || | On-Premises Transit Gateway | || | +------------------+ +------------------+ | || | | Customer Gateway | | VPN Attachment | | || | | +------------+ | | +------------+ | | || | | | Router | |---->| | | | | || | | +------------+ | | +------------+ | | || | +------------------+ +------------------+ | || | | || | Features: | || | - Two IPSec tunnels | || | - BGP or static routing | || | - Same as Site-to-Site VPN | || | | || +----------------------------------------------------------+ || || Direct Connect Gateway Attachment || +----------------------------------------------------------+ || | | || | On-Premises Transit Gateway | || | +------------------+ +------------------+ | || | | Direct Connect | | DX Attachment | | || | | +------------+ | | +------------+ | | || | | | Circuit | |---->| | | | | || | | +------------+ | | +------------+ | | || | +------------------+ +------------------+ | || | | || | Features: | || | - High bandwidth | || | - Low latency | || | - Via Direct Connect Gateway | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.3 Transit Gateway Routing
Section titled “15.3 Transit Gateway Routing”Route Tables Architecture
Section titled “Route Tables Architecture” Transit Gateway Route Tables+------------------------------------------------------------------+| || Default Route Table || +----------------------------------------------------------+ || | | || | - Created automatically | || | - All attachments associated by default | || | - Can be disabled | || | | || | Routes: | || | +----------------------------------------------------+ | || | | Destination | Attachment | Type | | || | |----------------|-------------------|----------------| | || | | 10.0.0.0/16 | vpc-attachment-a | propagated | | || | | 10.1.0.0/16 | vpc-attachment-b | propagated | | || | | 192.168.0.0/16 | vpn-attachment | propagated | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || || Custom Route Tables || +----------------------------------------------------------+ || | | || | Production Route Table | || | +----------------------------------------------------+ | || | | Associated Attachments: | | || | | - VPC-A (Production) | | || | | - VPC-B (Production) | | || | | | | || | | Routes: | | || | | 10.0.0.0/16 -> VPC-A | | || | | 10.1.0.0/16 -> VPC-B | | || | | 0.0.0.0/0 -> VPN-Attachment | | || | +----------------------------------------------------+ | || | | || | Development Route Table | || | +----------------------------------------------------+ | || | | Associated Attachments: | | || | | - VPC-C (Development) | | || | | | | || | | Routes: | | || | | 10.2.0.0/16 -> VPC-C | | || | | 0.0.0.0/0 -> VPN-Attachment | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Routing Patterns
Section titled “Routing Patterns” Common Routing Patterns+------------------------------------------------------------------+| || 1. Isolated VPCs (No East-West) || +----------------------------------------------------------+ || | | || | Shared Services RT Production RT Dev RT | || | +--------------+ +--------------+ +----------+ | || | | Routes: | | Routes: | | Routes: | | || | | All VPCs | | Shared Only | | Shared | | || | | On-Prem | | On-Prem | | On-Prem | | || | +--------------+ +--------------+ +----------+ | || | | | | | || | v v v | || | +----------+ +----------+ +----------+ | || | | Shared | | Prod VPC | | Dev VPC | | || | | Services | | | | | | || | +----------+ +----------+ +----------+ | || | | || | Result: Prod and Dev cannot communicate | || | Both can access Shared Services | || +----------------------------------------------------------+ || || 2. Hub-and-Spoke (Full Mesh) || +----------------------------------------------------------+ || | | || | Single Route Table | || | +----------------------------------------------------+ | || | | Routes: | | || | | All VPC routes propagated | | || | | On-prem routes propagated | | || | +----------------------------------------------------+ | || | | | || | +--------+--------+--------+ | || | | | | | | || | v v v v | || | +------+ +------+ +------+ +------+ | || | | VPC | | VPC | | VPC | | VPN | | || | | A | | B | | C | | | | || | +------+ +------+ +------+ +------+ | || | | || | Result: All VPCs can communicate with each other | || +----------------------------------------------------------+ || || 3. Centralized Egress (Internet/On-Prem) || +----------------------------------------------------------+ || | | || | Spoke Route Table | || | +----------------------------------------------------+ | || | | Routes: | | || | | 0.0.0.0/0 -> Egress VPC | | || | +----------------------------------------------------+ | || | | | || | v | || | +----------+ | || | | Egress | <-- Centralized internet/NAT | || | | VPC | Firewall/Proxy | || | +----------+ | || | | || | Result: All traffic goes through central egress | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.4 Cross-Region Connectivity
Section titled “15.4 Cross-Region Connectivity”Transit Gateway Peering
Section titled “Transit Gateway Peering” Transit Gateway Peering+------------------------------------------------------------------+| || Region A (US-East-1) Region B (EU-West-1) || +----------------------+ +----------------------+ || | | | | || | +----------------+ | | +----------------+ | || | | Transit | | | | Transit | | || | | Gateway A | | | | Gateway B | | || | +----------------+ | | +----------------+ | || | | | | | | || | | | | | | || | +------------+------+---------+ | || | | Peering | || | | Attachment | || | | | || | +----------------+ | | +----------------+ | || | | VPC US-East | | | | VPC EU-West | | || | | 10.0.0.0/16 | | | | 10.1.0.0/16 | | || | +----------------+ | | +----------------+ | || | | | | || +----------------------+ +----------------------+ || || Features: || - Connect TGWs across regions || - No single point of failure || - Automatic encryption || - No data transfer charges within same region || |+------------------------------------------------------------------+Global Network Architecture
Section titled “Global Network Architecture” Global Transit Gateway Architecture+------------------------------------------------------------------+| || AWS Global Network || +----------------------------------------------------------+ || | | || | US-East-1 EU-West-1 AP-South-1 | || | +----------+ +----------+ +----------+ | || | | TGW | | TGW | | TGW | | || | | US-East |<-------->| EU-West |<------>| AP-South | | || | +----------+ +----------+ +----------+ | || | | | | | || | v v v | || | +----------+ +----------+ +----------+ | || | | VPCs | | VPCs | | VPCs | | || | | (Prod) | | (Prod) | | (Prod) | | || | +----------+ +----------+ +----------+ | || | | || | On-Premises Connectivity: | || | - Direct Connect to nearest TGW | || | - VPN backup | || | - Routes propagated to all TGWs | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.5 Transit Gateway Network Manager
Section titled “15.5 Transit Gateway Network Manager” Network Manager Dashboard+------------------------------------------------------------------+| || Global Network View || +----------------------------------------------------------+ || | | || | Features: | || | - Visualize network topology | || | - Monitor health | || | - View events | || | - Route analysis | || | | || | Dashboard: | || | +----------------------------------------------------+ | || | | | | || | | [Map View] | | || | | - Global map with all locations | | || | | - Status indicators | | || | | | | || | | [Topology View] | | || | | - Transit Gateways | | || | | - Attachments | | || | | - Connections | | || | | | | || | | [Events] | | || | | - Connection status changes | | || | | - Route updates | | || | | - Configuration changes | | || | | | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.6 Practical Configuration
Section titled “15.6 Practical Configuration”Transit Gateway with Terraform
Section titled “Transit Gateway with Terraform”# ============================================================# Transit Gateway# ============================================================
resource "aws_ec2_transit_gateway" "main" { description = "Main Transit Gateway"
# Default route table configuration default_route_table_association = "enable" default_route_table_propagation = "enable"
# DNS support dns_support = "enable"
# VPN ECMP support vpn_ecmp_support = "enable"
# Multicast support (optional) multicast_mode = "enable"
tags = { Name = "main-tgw" }}
# ============================================================# Transit Gateway VPC Attachment# ============================================================
# Create subnets for TGW attachmentresource "aws_subnet" "tgw" { count = 3 vpc_id = aws_vpc.main.id cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, 200 + count.index) availability_zone = data.aws_availability_zones.available.names[count.index]
tags = { Name = "tgw-subnet-${count.index + 1}" }}
# VPC Attachmentresource "aws_ec2_transit_gateway_vpc_attachment" "main" { subnet_ids = aws_subnet.tgw[*].id transit_gateway_id = aws_ec2_transit_gateway.main.id vpc_id = aws_vpc.main.id
# DNS support dns_support = "enable"
# IPv6 support (optional) ipv6_support = "disable"
tags = { Name = "vpc-attachment" }}
# ============================================================# Transit Gateway Route Tables# ============================================================
# Production Route Tableresource "aws_ec2_transit_gateway_route_table" "production" { transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "production-rt" }}
# Development Route Tableresource "aws_ec2_transit_gateway_route_table" "development" { transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "development-rt" }}
# Shared Services Route Tableresource "aws_ec2_transit_gateway_route_table" "shared" { transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "shared-rt" }}
# ============================================================# Route Table Associations# ============================================================
# Associate Production VPC with Production RTresource "aws_ec2_transit_gateway_route_table_association" "production" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.production.id}
# Associate Development VPC with Development RTresource "aws_ec2_transit_gateway_route_table_association" "development" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.development.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.development.id}
# Associate Shared Services VPC with Shared RTresource "aws_ec2_transit_gateway_route_table_association" "shared" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.shared.id}
# ============================================================# Route Table Propagations# ============================================================
# Production RT: Propagate from Shared and VPNresource "aws_ec2_transit_gateway_route_table_propagation" "production_shared" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.shared.id}
resource "aws_ec2_transit_gateway_route_table_propagation" "production_vpn" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpn_attachment.main.id}
# Development RT: Propagate from Shared and VPNresource "aws_ec2_transit_gateway_route_table_propagation" "development_shared" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.development.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.shared.id}
resource "aws_ec2_transit_gateway_route_table_propagation" "development_vpn" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.development.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpn_attachment.main.id}
# Shared RT: Propagate from allresource "aws_ec2_transit_gateway_route_table_propagation" "shared_production" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.production.id}
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_development" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.development.id}
# ============================================================# Static Routes# ============================================================
# Default route to VPN for Productionresource "aws_ec2_transit_gateway_route" "production_default" { destination_cidr_block = "0.0.0.0/0" transit_gateway_attachment_id = aws_ec2_transit_gateway_vpn_attachment.main.id transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id}
# ============================================================# VPN Attachment# ============================================================
resource "aws_customer_gateway" "main" { bgp_asn = 65000 ip_address = "203.0.113.1" type = "ipsec.1"
tags = { Name = "customer-gateway" }}
resource "aws_ec2_transit_gateway_vpn_attachment" "main" { transit_gateway_id = aws_ec2_transit_gateway.main.id customer_gateway_id = aws_customer_gateway.main.id type = "ipsec.1"
tags = { Name = "vpn-attachment" }}
# ============================================================# Transit Gateway Peering (Cross-Region)# ============================================================
# Peering Connectionresource "aws_ec2_transit_gateway_peering_attachment" "main" { peer_region = "eu-west-1" peer_transit_gateway_id = aws_ec2_transit_gateway.peer.id transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "tgw-peering-us-eu" }}
# Accept Peering (in peer region)resource "aws_ec2_transit_gateway_peering_attachment_accepter" "main" { transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.main.id
tags = { Name = "tgw-peering-accept" }}
# ============================================================# VPC Route to Transit Gateway# ============================================================
resource "aws_route" "tgw" { route_table_id = aws_route_table.private.id destination_cidr_block = "10.0.0.0/8" transit_gateway_id = aws_ec2_transit_gateway.main.id}
# ============================================================# Transit Gateway Flow Logs# ============================================================
resource "aws_ec2_transit_gateway_vpc_attachment" "main" { # ... other config ...
# Enable flow logs appliance_mode_support = "enable"}
# CloudWatch Log Group for Flow Logsresource "aws_cloudwatch_log_group" "tgw_flow" { name = "/aws/tgw/flow-logs" retention_in_days = 30}15.7 Best Practices
Section titled “15.7 Best Practices” Transit Gateway Best Practices+------------------------------------------------------------------+| || 1. Subnet Sizing || +----------------------------------------------------------+ || | - Use /28 or larger for TGW subnets | || | - One subnet per AZ | || | - Separate from application subnets | || +----------------------------------------------------------+ || || 2. Route Table Design || +----------------------------------------------------------+ || | - Use separate route tables for isolation | || | - Plan propagation vs static routes | || | - Document routing decisions | || +----------------------------------------------------------+ || || 3. High Availability || +----------------------------------------------------------+ || | - Attachments in multiple AZs | || | - Multiple VPN tunnels | || | - Transit Gateway peering for DR | || +----------------------------------------------------------+ || || 4. Security || +----------------------------------------------------------+ || | - Use security groups on VPC resources | || | - Consider Network Firewall for inspection | || | - Enable VPC Flow Logs | || +----------------------------------------------------------+ || || 5. Monitoring || +----------------------------------------------------------+ || | - Use Network Manager dashboard | || | - CloudWatch metrics | || | - Set up alerts for attachment status | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.8 Exam Tips
Section titled “15.8 Exam Tips”
- Transit Gateway: Regional resource, acts as network hub
- Attachments: VPC, VPN, Direct Connect, Peering
- Route Tables: Control routing between attachments
- Association: Which attachments use which route table
- Propagation: Which routes are automatically added
- Isolation: Use separate route tables for network segmentation
- Peering: Connect TGWs across regions
- ECMP: Equal-cost multi-path routing for VPN
- Appliance Mode: For network appliances (firewalls)
- Network Manager: Visualize and monitor global network
Next Chapter
Section titled “Next Chapter”Chapter 16: Amazon S3 - Simple Storage Service
Last Updated: February 2026