AWS Transit Gateway & Network Architecture
Chapter 15: AWS Transit Gateway - Network Hub
Section titled “Chapter 15: AWS Transit Gateway - Network Hub”Centralized Network Connectivity
Section titled “Centralized Network Connectivity”15.1 Overview
Section titled “15.1 Overview”AWS Transit Gateway is a network transit hub that enables you to connect your VPCs and on-premises networks through a central hub.
Transit Gateway Overview+------------------------------------------------------------------+| || +------------------------+ || | Transit Gateway | || | (Hub) | || +------------------------+ || | || +--------+--------+--------+--------+--------+ || | | | | | | || v v v v v v || +------+ +------+ +------+ +------+ +------+ +------+ || | VPC | | VPC | | VPC | | VPN | | DX | | VPC | || | A | | B | | C | | | | | | D | || +------+ +------+ +------+ +------+ +------+ +------+ || || Benefits: || - Single point of connectivity || - Simplified network topology || - Transitive routing || - Cross-region connectivity || - Scalable (thousands of attachments) || |+------------------------------------------------------------------+15.2 Transit Gateway Architecture
Section titled “15.2 Transit Gateway Architecture”Core Components
Section titled “Core Components” Transit Gateway Components+------------------------------------------------------------------+| || 1. Transit Gateway || +----------------------------------------------------------+ || | | || | - Regional resource | || | - Acts as network hub | || | - Supports multiple attachments | || | - Can be peered across regions | || | | || +----------------------------------------------------------+ || || 2. Transit Gateway Attachment || +----------------------------------------------------------+ || | | || | Types: | || | - VPC Attachment | || | - VPN Attachment | || | - Direct Connect Gateway Attachment | || | - Transit Gateway Peering Attachment | || | - Connect Attachment (SD-WAN) | || | | || +----------------------------------------------------------+ || || 3. Transit Gateway Route Table || +----------------------------------------------------------+ || | | || | - Controls routing between attachments | || | - Multiple route tables for isolation | || | - Route propagation from attachments | || | - Static routes | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Attachment Types
Section titled “Attachment Types” Transit Gateway Attachment Types+------------------------------------------------------------------+| || VPC Attachment || +----------------------------------------------------------+ || | | || | VPC Transit Gateway | || | +------------------+ +------------------+ | || | | | | | | || | | Subnet A | | Attachment | | || | | +------------+ | | +------------+ | | || | | | ENI | | | | | | | || | | | 10.0.1.5 | |---->| | | | | || | | +------------+ | | +------------+ | | || | | | | | | || | +------------------+ +------------------+ | || | | || | Requirements: | || | - Subnets in each AZ | || | - One ENI per AZ | || | - /28 subnet minimum | || | | || +----------------------------------------------------------+ || || VPN Attachment || +----------------------------------------------------------+ || | | || | On-Premises Transit Gateway | || | +------------------+ +------------------+ | || | | Customer Gateway | | VPN Attachment | | || | | +------------+ | | +------------+ | | || | | | Router | |---->| | | | | || | | +------------+ | | +------------+ | | || | +------------------+ +------------------+ | || | | || | Features: | || | - Two IPSec tunnels | || | - BGP or static routing | || | - Same as Site-to-Site VPN | || | | || +----------------------------------------------------------+ || || Direct Connect Gateway Attachment || +----------------------------------------------------------+ || | | || | On-Premises Transit Gateway | || | +------------------+ +------------------+ | || | | Direct Connect | | DX Attachment | | || | | +------------+ | | +------------+ | | || | | | Circuit | |---->| | | | | || | | +------------+ | | +------------+ | | || | +------------------+ +------------------+ | || | | || | Features: | || | - High bandwidth | || | - Low latency | || | - Via Direct Connect Gateway | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.3 Transit Gateway Routing
Section titled “15.3 Transit Gateway Routing”Route Tables Architecture
Section titled “Route Tables Architecture” Transit Gateway Route Tables+------------------------------------------------------------------+| || Default Route Table || +----------------------------------------------------------+ || | | || | - Created automatically | || | - All attachments associated by default | || | - Can be disabled | || | | || | Routes: | || | +----------------------------------------------------+ | || | | Destination | Attachment | Type | | || | |----------------|-------------------|----------------| | || | | 10.0.0.0/16 | vpc-attachment-a | propagated | | || | | 10.1.0.0/16 | vpc-attachment-b | propagated | | || | | 192.168.0.0/16 | vpn-attachment | propagated | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || || Custom Route Tables || +----------------------------------------------------------+ || | | || | Production Route Table | || | +----------------------------------------------------+ | || | | Associated Attachments: | | || | | - VPC-A (Production) | | || | | - VPC-B (Production) | | || | | | | || | | Routes: | | || | | 10.0.0.0/16 -> VPC-A | | || | | 10.1.0.0/16 -> VPC-B | | || | | 0.0.0.0/0 -> VPN-Attachment | | || | +----------------------------------------------------+ | || | | || | Development Route Table | || | +----------------------------------------------------+ | || | | Associated Attachments: | | || | | - VPC-C (Development) | | || | | | | || | | Routes: | | || | | 10.2.0.0/16 -> VPC-C | | || | | 0.0.0.0/0 -> VPN-Attachment | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Routing Patterns
Section titled “Routing Patterns” Common Routing Patterns+------------------------------------------------------------------+| || 1. Isolated VPCs (No East-West) || +----------------------------------------------------------+ || | | || | Shared Services RT Production RT Dev RT | || | +--------------+ +--------------+ +----------+ | || | | Routes: | | Routes: | | Routes: | | || | | All VPCs | | Shared Only | | Shared | | || | | On-Prem | | On-Prem | | On-Prem | | || | +--------------+ +--------------+ +----------+ | || | | | | | || | v v v | || | +----------+ +----------+ +----------+ | || | | Shared | | Prod VPC | | Dev VPC | | || | | Services | | | | | | || | +----------+ +----------+ +----------+ | || | | || | Result: Prod and Dev cannot communicate | || | Both can access Shared Services | || +----------------------------------------------------------+ || || 2. Hub-and-Spoke (Full Mesh) || +----------------------------------------------------------+ || | | || | Single Route Table | || | +----------------------------------------------------+ | || | | Routes: | | || | | All VPC routes propagated | | || | | On-prem routes propagated | | || | +----------------------------------------------------+ | || | | | || | +--------+--------+--------+ | || | | | | | | || | v v v v | || | +------+ +------+ +------+ +------+ | || | | VPC | | VPC | | VPC | | VPN | | || | | A | | B | | C | | | | || | +------+ +------+ +------+ +------+ | || | | || | Result: All VPCs can communicate with each other | || +----------------------------------------------------------+ || || 3. Centralized Egress (Internet/On-Prem) || +----------------------------------------------------------+ || | | || | Spoke Route Table | || | +----------------------------------------------------+ | || | | Routes: | | || | | 0.0.0.0/0 -> Egress VPC | | || | +----------------------------------------------------+ | || | | | || | v | || | +----------+ | || | | Egress | <-- Centralized internet/NAT | || | | VPC | Firewall/Proxy | || | +----------+ | || | | || | Result: All traffic goes through central egress | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.4 Cross-Region Connectivity
Section titled “15.4 Cross-Region Connectivity”Transit Gateway Peering
Section titled “Transit Gateway Peering” Transit Gateway Peering+------------------------------------------------------------------+| || Region A (US-East-1) Region B (EU-West-1) || +----------------------+ +----------------------+ || | | | | || | +----------------+ | | +----------------+ | || | | Transit | | | | Transit | | || | | Gateway A | | | | Gateway B | | || | +----------------+ | | +----------------+ | || | | | | | | || | | | | | | || | +------------+------+---------+ | || | | Peering | || | | Attachment | || | | | || | +----------------+ | | +----------------+ | || | | VPC US-East | | | | VPC EU-West | | || | | 10.0.0.0/16 | | | | 10.1.0.0/16 | | || | +----------------+ | | +----------------+ | || | | | | || +----------------------+ +----------------------+ || || Features: || - Connect TGWs across regions || - No single point of failure || - Automatic encryption || - No data transfer charges within same region || |+------------------------------------------------------------------+Global Network Architecture
Section titled “Global Network Architecture” Global Transit Gateway Architecture+------------------------------------------------------------------+| || AWS Global Network || +----------------------------------------------------------+ || | | || | US-East-1 EU-West-1 AP-South-1 | || | +----------+ +----------+ +----------+ | || | | TGW | | TGW | | TGW | | || | | US-East |<-------->| EU-West |<------>| AP-South | | || | +----------+ +----------+ +----------+ | || | | | | | || | v v v | || | +----------+ +----------+ +----------+ | || | | VPCs | | VPCs | | VPCs | | || | | (Prod) | | (Prod) | | (Prod) | | || | +----------+ +----------+ +----------+ | || | | || | On-Premises Connectivity: | || | - Direct Connect to nearest TGW | || | - VPN backup | || | - Routes propagated to all TGWs | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.5 Transit Gateway Network Manager
Section titled “15.5 Transit Gateway Network Manager” Network Manager Dashboard+------------------------------------------------------------------+| || Global Network View || +----------------------------------------------------------+ || | | || | Features: | || | - Visualize network topology | || | - Monitor health | || | - View events | || | - Route analysis | || | | || | Dashboard: | || | +----------------------------------------------------+ | || | | | | || | | [Map View] | | || | | - Global map with all locations | | || | | - Status indicators | | || | | | | || | | [Topology View] | | || | | - Transit Gateways | | || | | - Attachments | | || | | - Connections | | || | | | | || | | [Events] | | || | | - Connection status changes | | || | | - Route updates | | || | | - Configuration changes | | || | | | | || | +----------------------------------------------------+ | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.6 Practical Configuration
Section titled “15.6 Practical Configuration”Transit Gateway with Terraform
Section titled “Transit Gateway with Terraform”# ============================================================# Transit Gateway# ============================================================
resource "aws_ec2_transit_gateway" "main" { description = "Main Transit Gateway"
# Default route table configuration default_route_table_association = "enable" default_route_table_propagation = "enable"
# DNS support dns_support = "enable"
# VPN ECMP support vpn_ecmp_support = "enable"
# Multicast support (optional) multicast_mode = "enable"
tags = { Name = "main-tgw" }}
# ============================================================# Transit Gateway VPC Attachment# ============================================================
# Create subnets for TGW attachmentresource "aws_subnet" "tgw" { count = 3 vpc_id = aws_vpc.main.id cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, 200 + count.index) availability_zone = data.aws_availability_zones.available.names[count.index]
tags = { Name = "tgw-subnet-${count.index + 1}" }}
# VPC Attachmentresource "aws_ec2_transit_gateway_vpc_attachment" "main" { subnet_ids = aws_subnet.tgw[*].id transit_gateway_id = aws_ec2_transit_gateway.main.id vpc_id = aws_vpc.main.id
# DNS support dns_support = "enable"
# IPv6 support (optional) ipv6_support = "disable"
tags = { Name = "vpc-attachment" }}
# ============================================================# Transit Gateway Route Tables# ============================================================
# Production Route Tableresource "aws_ec2_transit_gateway_route_table" "production" { transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "production-rt" }}
# Development Route Tableresource "aws_ec2_transit_gateway_route_table" "development" { transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "development-rt" }}
# Shared Services Route Tableresource "aws_ec2_transit_gateway_route_table" "shared" { transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "shared-rt" }}
# ============================================================# Route Table Associations# ============================================================
# Associate Production VPC with Production RTresource "aws_ec2_transit_gateway_route_table_association" "production" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.production.id}
# Associate Development VPC with Development RTresource "aws_ec2_transit_gateway_route_table_association" "development" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.development.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.development.id}
# Associate Shared Services VPC with Shared RTresource "aws_ec2_transit_gateway_route_table_association" "shared" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.shared.id}
# ============================================================# Route Table Propagations# ============================================================
# Production RT: Propagate from Shared and VPNresource "aws_ec2_transit_gateway_route_table_propagation" "production_shared" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.shared.id}
resource "aws_ec2_transit_gateway_route_table_propagation" "production_vpn" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpn_attachment.main.id}
# Development RT: Propagate from Shared and VPNresource "aws_ec2_transit_gateway_route_table_propagation" "development_shared" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.development.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.shared.id}
resource "aws_ec2_transit_gateway_route_table_propagation" "development_vpn" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.development.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpn_attachment.main.id}
# Shared RT: Propagate from allresource "aws_ec2_transit_gateway_route_table_propagation" "shared_production" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.production.id}
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_development" { transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.development.id}
# ============================================================# Static Routes# ============================================================
# Default route to VPN for Productionresource "aws_ec2_transit_gateway_route" "production_default" { destination_cidr_block = "0.0.0.0/0" transit_gateway_attachment_id = aws_ec2_transit_gateway_vpn_attachment.main.id transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production.id}
# ============================================================# VPN Attachment# ============================================================
resource "aws_customer_gateway" "main" { bgp_asn = 65000 ip_address = "203.0.113.1" type = "ipsec.1"
tags = { Name = "customer-gateway" }}
resource "aws_ec2_transit_gateway_vpn_attachment" "main" { transit_gateway_id = aws_ec2_transit_gateway.main.id customer_gateway_id = aws_customer_gateway.main.id type = "ipsec.1"
tags = { Name = "vpn-attachment" }}
# ============================================================# Transit Gateway Peering (Cross-Region)# ============================================================
# Peering Connectionresource "aws_ec2_transit_gateway_peering_attachment" "main" { peer_region = "eu-west-1" peer_transit_gateway_id = aws_ec2_transit_gateway.peer.id transit_gateway_id = aws_ec2_transit_gateway.main.id
tags = { Name = "tgw-peering-us-eu" }}
# Accept Peering (in peer region)resource "aws_ec2_transit_gateway_peering_attachment_accepter" "main" { transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.main.id
tags = { Name = "tgw-peering-accept" }}
# ============================================================# VPC Route to Transit Gateway# ============================================================
resource "aws_route" "tgw" { route_table_id = aws_route_table.private.id destination_cidr_block = "10.0.0.0/8" transit_gateway_id = aws_ec2_transit_gateway.main.id}
# ============================================================# Transit Gateway Flow Logs# ============================================================
resource "aws_ec2_transit_gateway_vpc_attachment" "main" { # ... other config ...
# Enable flow logs appliance_mode_support = "enable"}
# CloudWatch Log Group for Flow Logsresource "aws_cloudwatch_log_group" "tgw_flow" { name = "/aws/tgw/flow-logs" retention_in_days = 30}15.7 Best Practices
Section titled “15.7 Best Practices” Transit Gateway Best Practices+------------------------------------------------------------------+| || 1. Subnet Sizing || +----------------------------------------------------------+ || | - Use /28 or larger for TGW subnets | || | - One subnet per AZ | || | - Separate from application subnets | || +----------------------------------------------------------+ || || 2. Route Table Design || +----------------------------------------------------------+ || | - Use separate route tables for isolation | || | - Plan propagation vs static routes | || | - Document routing decisions | || +----------------------------------------------------------+ || || 3. High Availability || +----------------------------------------------------------+ || | - Attachments in multiple AZs | || | - Multiple VPN tunnels | || | - Transit Gateway peering for DR | || +----------------------------------------------------------+ || || 4. Security || +----------------------------------------------------------+ || | - Use security groups on VPC resources | || | - Consider Network Firewall for inspection | || | - Enable VPC Flow Logs | || +----------------------------------------------------------+ || || 5. Monitoring || +----------------------------------------------------------+ || | - Use Network Manager dashboard | || | - CloudWatch metrics | || | - Set up alerts for attachment status | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+15.8 Why This Matters in DevOps/SRE
Section titled “15.8 Why This Matters in DevOps/SRE”Transit Gateway is how you build enterprise-scale network architecture. SREs use TGW to implement network segmentation, centralized egress, and multi-account connectivity — the backbone of the AWS Landing Zone pattern.
15.9 Linux Systems Perspective
Section titled “15.9 Linux Systems Perspective”TGW Monitoring from Arch Linux
Section titled “TGW Monitoring from Arch Linux”# Transit Gateway attachment status#!/bin/bashecho "=== Transit Gateway Attachments ==="aws ec2 describe-transit-gateway-attachments \ --query 'TransitGatewayAttachments[*].{ID:TransitGatewayAttachmentId,Type:ResourceType,State:State,Resource:ResourceId}' \ --output table
echo ""echo "=== TGW Route Tables ==="aws ec2 describe-transit-gateway-route-tables \ --query 'TransitGatewayRouteTables[*].{ID:TransitGatewayRouteTableId,State:State,DefaultAssociation:DefaultAssociationRouteTable}' \ --output table15.10 Troubleshooting Guide
Section titled “15.10 Troubleshooting Guide”| Issue | Cause | Solution |
|---|---|---|
| VPCs can’t communicate | Wrong route table associations | Verify TGW RT associations and propagations |
| Asymmetric routing | Multiple route tables with overlapping routes | Review route priorities and blackhole routes |
| TGW attachment pending | Subnet/AZ issue | Ensure TGW subnets exist in required AZs |
| Cross-region latency high | Traffic routing through wrong TGW | Check TGW peering routes, use closest region |
15.11 Interview Questions
Section titled “15.11 Interview Questions”-
Q: How would you design network isolation between prod and dev in a multi-account setup?
- A: Use Transit Gateway with separate route tables: Production RT (only propagates prod VPC and shared services routes), Development RT (only propagates dev VPC and shared services routes). Associate prod VPCs with prod RT, dev VPCs with dev RT. Shared services VPC propagated to both. Result: prod/dev can’t reach each other but both access shared services.
-
Q: Transit Gateway vs VPC Peering — when to use each?
- A: VPC Peering: 2-3 VPCs, no transitive routing needed, lower cost, simpler. TGW: 4+ VPCs, transitive routing required, centralized egress/ingress, hybrid connectivity with VPN/DX, network segmentation with multiple route tables. TGW costs more but scales better and simplifies topology.
15.12 Exam Tips
Section titled “15.12 Exam Tips”
- Transit Gateway: Regional resource, acts as network hub
- Attachments: VPC, VPN, Direct Connect, Peering
- Route Tables: Control routing between attachments
- Association: Which attachments use which route table
- Propagation: Which routes are automatically added
- Isolation: Use separate route tables for network segmentation
- Peering: Connect TGWs across regions
- ECMP: Equal-cost multi-path routing for VPN
- Appliance Mode: For network appliances (firewalls)
- Network Manager: Visualize and monitor global network
Next Chapter
Section titled “Next Chapter”Chapter 16: Amazon S3 - Simple Storage Service
Last Updated: March 2026