AWS Transit Gateway
A transit gateway is a network transit hub that connects your virtual private clouds (VPCs) and on-premises networks. Inter-Region peering links transit gateways utilizing the AWS Global Architecture as your cloud infrastructure extends internationally. Your information is automatically encrypted and is never sent over the public internet.
The CIDR blocks for each VPC propagate to the route table. Therefore, each attachment can route packets to the other two attachments.
Destination | Target | Route type |
---|---|---|
VPC A CIDR |
Attachment for VPC A |
propagated |
VPC B CIDR |
Attachment for VPC B |
propagated |
VPC C CIDR |
Attachment for VPC C |
propagated |
The following are the key concepts for transit gateways:
following are the key concepts for transit gateways:
- Attachments— You can attach the following:
- One or more VPCs
- A Connect SD-WAN/third-party network appliance
- An AWS Direct Connect gateway
- A peering connection with another transit gateway
- A VPN connection to a transit gateway
- Route Tables– A transit gateway can have one or more route tables based on the design requirements. These route tables are where the transit gateway attachments are associated and have the IP prefixes or subnets in the routing table which would take you to the appropriate destination (VPC, VPN, cross-region peering connections, Direct Connect Gateway connections, etc.)
By default, there will be a default route table created while we create the transit gateway. We can either choose to use the default route table or create specific additional route tables based on traffic segregation and organization needs.
- Associations– Every attachment to the transit gateway should be associated to exactly one route table and a route table can have multiple attachments in the form of a VPC or VPN attachment.
- Route Propagation– The Routes inside the routing table can either be statically defined or propagated dynamically using BGP with a VPN, VPC or Direct Connect Gateway propagations. An attachment with local routes once propagated into the routing table will allow other attachments on that associated route table to reach propagated prefix or service of that target. For transit gateway peering attachments, only static routes are supported.
- Availability Zones– When we attach a VPC resource to the transit gateway, to route traffic towards that VPC subnet we must enable one of more availability zones and its recommended to add more than one AZ to have redundancy in case of failure of a single availability zone, this can be achieved by specifying any one subnet from each zone and transit gateway uses a single IP from that specified subnet for routing traffic.
- Route evaluation order– in a route table where there are multiple routes for the same subnet, here is the order at which routes will be preferred
Most specific routes are preferred first, however, when there are same routes with different attached or propagated targets then here is the order or precedence
Transit Gateway vs Transit VPC vs VPC Peering
Advantages of AWS Transit Gateway
- Allows for more VPCs per region compared to VPC peering.
- Better visibility (network manager, CloudWatch metrics, and flow logs) compared to VPC peering.
- TGW Route Tables per attachment allow for fine-grained routing.
- Complexity is based on region count.
Disadvantages of AWS Transit Gateway
- The additional hop will introduce some latency.
- Potential bottlenecks around regional peering links.
- Priced on hourly cost per attachment, data processing, and data transfer.
For More : https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html