AWS Transit Gateway – TGW

AWS Transit Gateway
AWS Transit Gateway – TGW is a highly available and scalable service that consolidates the AWS VPC routing configuration in a region into a hub-and-spoke architecture.
It acts as a Regional Virtual Router and a network transit hub that can interconnect VPCs with on-premises networks.
Traffic stays on the global AWS network backbone. Data is automatically encrypted and never crosses the public internet. This reduces threat vectors such as DDoS attacks and common exploits.
It is a Regional resource that can connect VPCs within a single AWS Region.
TGWs in different regions can peer with one another to enable VPC communication across regions.
Each spoke VPC needs only a single connection to the TGW to reach every other VPC attached to it.
Compared with VPC Peering, this makes VPC-to-VPC communication management easier.
It scales elastically with network traffic volume.
TGW routing works at layer 3. Packets are sent to a next-hop attachment based on their destination IP addresses.
AWS Resource Access Manager (RAM) can be used to share the TGW with other accounts.
Transit Gateway Attachments
A Transit Gateway attachment is the link between the TGW and a resource such as a VPC, a VPN connection, or a Direct Connect gateway.
A TGW attachment can be both a source and a destination for packets.
TGW supports the following attachments:
One or more VPCs
One or more VPN connections
One or more AWS Direct Connect Gateways
One or more Transit Gateway Connect attachments
One or more Transit Gateway peering connections
One or more Connect SD-WAN/third-party network appliances
Transit Gateway Routing
Transit Gateway routes IPv4 or IPv6 packets between attachments via transit gateway route tables.
Routes from attached VPCs, VPN connections and Direct Connect gateways can be propagated into those route tables.
A packet is forwarded from one attachment to another using the route that matches its destination IP address.
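The routing behaviour described above, as an added example that is not part of the original notes: a small Python model of TGW route tables with longest-prefix matching, route propagation, a blackhole route and per-attachment route-table association, used to show how spoke VPCs can be kept from reaching each other while still reaching shared services and on-premises. Attachment ids, table names and CIDRs are constructed, not taken from any real account.

```python
import ipaddress

BLACKHOLE = "blackhole"  # sentinel: matching packets are dropped rather than forwarded

class TgwRouteTable:
    """One TGW route table: CIDR prefix -> next-hop attachment id (or BLACKHOLE)."""
    def __init__(self):
        self.routes = {}

    def add_static(self, cidr, target):
        self.routes[ipaddress.ip_network(cidr)] = target

    def propagate(self, attachment_id, cidrs):
        for cidr in cidrs:  # the attachment advertises its CIDRs into this table
            self.routes[ipaddress.ip_network(cidr)] = attachment_id

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None  # no route at all: the packet is dropped
        return self.routes[max(matches, key=lambda net: net.prefixlen)]  # longest prefix wins

class TransitGateway:
    """Each attachment is associated with exactly one route table; a packet arriving
    through that attachment is looked up in that table only."""
    def __init__(self):
        self.tables, self.association = {}, {}

    def associate(self, attachment_id, table_name):
        self.association[attachment_id] = table_name

    def next_hop(self, src_attachment, dst_ip):
        return self.tables[self.association[src_attachment]].lookup(dst_ip)

def build_segmented_tgw():
    """Constructed hub-and-spoke topology (ids and CIDRs are made up): hub-table members
    reach every attachment; spoke VPCs reach only shared services and on-prem."""
    tgw = TransitGateway()
    hub, spoke = TgwRouteTable(), TgwRouteTable()
    tgw.tables.update(hub=hub, spoke=spoke)
    cidrs = {"tgw-attach-shared": "10.0.0.0/16", "tgw-attach-spoke-a": "10.1.0.0/16",
             "tgw-attach-spoke-b": "10.2.0.0/16", "tgw-attach-vpn": "192.168.0.0/16"}
    for att, cidr in cidrs.items():
        hub.propagate(att, [cidr])
        tgw.associate(att, "spoke" if "spoke" in att else "hub")
    for att in ("tgw-attach-shared", "tgw-attach-vpn"):
        spoke.propagate(att, [cidrs[att]])
    spoke.add_static("10.0.0.0/8", BLACKHOLE)  # spoke-to-spoke: the /16 above is more specific
    return tgw
```

The blackhole route only takes effect where no more specific propagated route exists, which is exactly how a single static route isolates spokes from one another without touching their access to shared services.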
Transit Gateway Peering
AWS Transit Gateway allows you to establish peering connections between Transit Gateways located in the same or different AWS Regions.
Customers can extend their connectivity and create global networks across multiple AWS Regions with inter-region peering.
Inter-region peering simplifies routing between VPCs, on-premises networks, and VPCs that are managed and serviced via separate Transit Gateways.
Traffic using inter-region Transit Gateway peering stays on the AWS global network and never traverses the public internet. This reduces threat vectors such as DDoS attacks and common exploits.
Inter-region Transit Gateway peering encrypts inter-regional traffic with no single point of failure.
Transit Gateway High Availability
Transit Gateway must be enabled in multiple AZs in order to ensure availability and route traffic to the VPC subnets.
An AZ is enabled by specifying exactly one subnet within it.
TGW creates a network interface in that subnet using one IP address from the subnet.
Once an AZ is enabled, TGW can route traffic to all subnets in that AZ, not just the specified subnet.
Resources located in AZs without a TGW attachment can't reach the TGW.
Transit Gateway Appliance Mode
Appliance mode is supported on a VPC attachment for stateful network appliances in that VPC.
Appliance Mode ensures that network flows are symmetrically routed through the same AZ and the same network appliance.
Appliance Mode ensures that the same VPC attachment AZ is used for the entire life of a traffic flow between source and destination.
Appliance Mode allows TGW traffic to be sent to any AZ in the VPC as long as there's a subnet association.
Transit Gateway Connect Attachment
Transit Ga