AWS Transit Gateway – TGW

AWS Transit Gateway

  • AWS Transit Gateway – TGW is a highly available and scalable service to consolidate the AWS VPC routing configuration for a region with a hub-and-spoke architecture.
  • TGW acts as a Regional virtual router and is a network transit hub that can be used to interconnect VPCs and on-premises networks.
  • TGW traffic always stays on the global AWS backbone, data is automatically encrypted, and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.
  • TGW is a Regional resource and can connect VPCs within the same AWS Region.
  • Transit Gateways across different regions can peer with each other to enable VPC communications across regions.
  • Each spoke VPC only needs to connect to the Transit Gateway to gain access to other connected VPCs.
  • TGW provides simpler VPC-to-VPC communication management over VPC Peering with a large number of VPCs.
  • TGW scales elastically based on the volume of network traffic.
  • TGW routing operates at layer 3, where the packets are sent to a specific next-hop attachment, based on their destination IP addresses.

Transit Gateway

Transit Gateway High Availability

  • Transit Gateway must be enabled with multiple AZs to ensure availability and to route traffic to the resources in the VPC subnets.
  • AZ can be enabled by specifying exactly one subnet within the AZ
  • TGW places a network interface in that subnet using one IP address from the subnet.
  • TGW can route traffic to all the subnets and not just the specified subnet within the enabled AZ.
  • Resources that reside in AZs where there is no transit gateway attachment cannot reach the transit gateway.

Transit Gateway Attachments

  • Transit Gateway attachment is the connection between resources like VPC, VPN, Direct Connect, and the Transit Gateway.
  • Transit Gateway attachment is both a source and a destination of packets.
  • TGW supports the following attachments
    • One or more VPCs
    • One or more VPN connections
    • One or more AWS Direct Connect gateways
    • One or more Transit Gateway Connect attachments
    • One or more transit gateway peering connections
    • One of more Connect SD-WAN/third-party network appliance

Transit Gateway Routing

  • Transit Gateway routes IPv4 and IPv6 packets between attachments using transit gateway route tables.
  • Route tables can be configured to propagate routes from the route tables for the attached VPCs, VPN connections, and Direct Connect gateways.
  • When a packet comes from one attachment, it is routed to another attachment using the route that matches the destination IP address.
  • VPC attached to a transit gateway must be added a route to the subnet route table in order for traffic to route through the transit gateway.

Transit Gateway vs Transit VPC vs VPC Peering

VPC Peering vs Transit VPC vs Transit Gateway

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company is using a VPC peering strategy to connect its VPCs in a single Region to allow for cross-communication. A recent increase in account creations and VPCs has made it difficult to maintain the VPC peering strategy, and the company expects to grow to hundreds of VPCs. There are also new requests to create site-to-site VPNs with some of the VPCs.
    A solutions architect has been tasked with creating a centrally managed networking setup for multiple accounts, VPCs, and VPNs.Which networking solution meets these requirements?
    1. Configure shared VPCs and VPNs and share with each other.
    2. Configure a hub-and-spoke VPC and route all traffic through VPC peering.
    3. Configure an AWS Direct Connect connection between all VPCs and VPNs.
    4. Configure a transit gateway with AWS Transit Gateway and connect all VPCs and VPNs
  2. A company hosts its core network services, including directory services and DNS, in its on-premises data center. The data center is connected to the AWS Cloud using AWS Direct Connect (DX). Additional AWS accounts are planned that will require quick, cost-effective, and consistent access to these network services. What should a solutions architect implement to meet these requirements with the LEAST amount of operational overhead?
    1. Create a DX connection in each new account. Route the network traffic to the on-premises servers.
    2. Configure VPC endpoints in the DX VPC for all required services. Route the network traffic to the on-premises servers.
    3. Create a VPN connection between each new account and the DX VPC. Route the network traffic to the on-premises servers.
    4. Configure AWS Transit Gateway between the accounts. Assign DX to the transit gateway and route network traffic to the on-premises servers.