AWS Transit Gateway

Introduction to Transit Gateway

We have previously seen VPC peering, which provides one-to-one connectivity between your VPCs. It is a good solution for connecting resources across VPCs. But as the number of accounts grows, the number of VPCs grows with it, and managing the peering connections between them becomes cumbersome: imagine establishing hundreds of peering connections. VPC peering is also not transitive, so two VPCs that are each peered with a third cannot reach each other through it.
Consider another use case. Suppose you have a VPN connection between your VPC and your on-premises network. If you have multiple VPCs, you need multiple VPN connections, which is neither cost-effective nor feasible. Transit Gateway was introduced to overcome these problems.
Transit Gateway acts as a centralized hub for all the connections in your network. In simple terms, you connect all your VPCs to the transit gateway, eliminating the need for one-to-one connections between them. You can also connect your on-premises network to the transit gateway via a VPN connection; here the transit gateway does the job of a virtual private gateway (VGW).
It acts as a router for all the traffic that reaches it. But how does it decide where to route traffic? To understand this, let's define a few terms:
  • Attachment - An attachment is a connection to the transit gateway. It can be a VPC, a VPN connection or a Direct Connect gateway. A transit gateway supports up to 5000 attachments.
  • Transit Gateway Route Table - This route table tells the transit gateway where to send traffic. When you add an attachment, a route to that attachment's CIDR is automatically propagated into the route table, so the gateway knows where to forward traffic next. This is the default propagation behaviour; it can be disabled so that routes are added to the table explicitly.
You also have to add a route in the route table of each VPC you want to connect, pointing the other VPCs' CIDRs at the transit gateway. In this way, the transit gateway routes the traffic end to end.
To list the benefits of Transit Gateway:
  • The problem of non-transitive peering is eliminated.
  • Whenever a new VPC is created, it can be attached easily, so connectivity is simpler.
  • The number of connections is reduced.
  • A single VPN connection to the on-premises network.
  • Higher bandwidth: the transit gateway scales automatically.
  • A centralized control mechanism.

Cross Account Transit Gateway

You can also use a transit gateway across accounts by sharing it with another account. Sharing is done through AWS Resource Access Manager (RAM): go to Resource Shares in RAM and create a share containing the transit gateway. An invitation is then sent to the other account, whose owner has to accept the resource share in RAM. Once accepted, the transit gateway is available in that account.
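The attachment, route table and VPC route pieces described above, together with the RAM share from this section, as an added Terraform example (not the article's own code). It assumes two or more existing spoke VPCs supplied as variables (VPC id, the subnet ids that receive the gateway's network interfaces, and the VPC route table id), a partner account id, and a 10.0.0.0/8 summary covering all spoke CIDRs; the default route table is disabled so that each attachment only reaches what its route table explicitly says.

```hcl
# Added example, not the article's code. Assumed inputs per spoke VPC: its id,
# the subnet ids that receive the TGW ENIs, and its route table id.
variable "spokes" { type = map(object({ vpc_id = string, subnet_ids = list(string), rt_id = string })) }
variable "partner_account_id" { type = string } # account to share the TGW with

resource "aws_ec2_transit_gateway" "hub" {
  # Opt out of the default table: association and propagation are explicit below.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}
resource "aws_ec2_transit_gateway_route_table" "spokes" { transit_gateway_id = aws_ec2_transit_gateway.hub.id }

# One attachment per VPC; the gateway places an ENI in each listed subnet.
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each                                        = var.spokes
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
# Association: which TGW route table this attachment's traffic consults.
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = var.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
# Propagation: the attachment's VPC CIDR is written into that table (the "route added automatically" step).
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke" {
  for_each                       = var.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
# Each VPC's own route table still needs a route handing other-spoke traffic to the
# gateway; AWS rejects the route until the attachment exists, hence depends_on.
resource "aws_route" "to_tgw" {
  for_each               = var.spokes
  route_table_id         = each.value.rt_id
  destination_cidr_block = "10.0.0.0/8" # assumed summary of all spoke CIDRs
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.spoke]
}
# Cross-account: share the gateway via RAM; the partner accepts the invitation and
# then creates its own attachments against it (they appear in this account to approve).
resource "aws_ram_resource_share" "tgw" {
  name                      = "tgw-share"
  allow_external_principals = true # only needed for accounts outside your Organization
}
resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
resource "aws_ram_principal_association" "partner" {
  principal          = var.partner_account_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
```

Because the default route table is disabled, a new attachment that is never associated or propagated cannot exchange traffic with anyone, which is the safe failure mode when an account attaches a VPC you did not expect.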
Transit Gateway has made connectivity in AWS simpler and overcomes the limitations of peering connections and VPN. However, every service has its own use case: if you have only a few VPCs, peering connections are always the better option. I have also written an article on VPC peering; if you are interested, refer to