AWS Transit Gateway: The Network Hub
AWS Transit Gateway (TGW) acts as a high-performance regional network transit hub. It simplifies your network topology by connecting VPCs and on-premises networks through a central point, eliminating the complexity of managing multiple point-to-point VPC peering connections.
The Real-World Analogy
Imagine a major international airport hub (like Atlanta or Dubai). Instead of every city having a direct flight to every other city in the world (which would be thousands of chaotic routes), all flights go to the central hub. Once at the hub, passengers are routed to their final destination. Transit Gateway is that central hub for your data packets.
Core Concepts and Architecture
For the SAA-C03 exam, you must understand how Transit Gateway scales networking compared to VPC Peering.
- Attachments: You can attach VPCs, AWS Direct Connect gateways, VPN connections, and even other Transit Gateways (peering).
- Transit Gateway Route Tables: These control how packets are routed. A single TGW can have multiple route tables to create isolated network segments (e.g., Prod vs. Dev).
- Associations: Each attachment is associated with exactly one route table.
- Propagations: Attachments can “propagate” their routes to one or more TGW route tables.
VPC Peering vs. Transit Gateway
| Feature | VPC Peering | Transit Gateway |
|---|---|---|
| Architecture | Point-to-Point (Mesh) | Hub-and-Spoke |
| Management | Complex at scale (N*(N-1)/2 peering connections for N VPCs) | Simplified, central management |
| Transitive Routing | Not supported | Supported natively |
| Bandwidth | No aggregate limit (VPC speed) | Up to 50 Gbps per VPC attachment |
| Security Groups | Supports SG Referencing | Does NOT support SG Referencing |
Decision Matrix / If–Then Guide
- If you have only 2 or 3 VPCs and need low latency… Then use VPC Peering.
- If you have tens or hundreds of VPCs and need to simplify management… Then use Transit Gateway.
- If you need to share a single Direct Connect or VPN across multiple VPCs… Then use Transit Gateway.
- If you need to support IP Multicast… Then use Transit Gateway.
- If you need to inspect all traffic via a centralized “Security VPC”… Then use Transit Gateway.
Exam Tips and Gotchas
- Transitive Routing: This is the “Killer Feature.” If VPC A and VPC B are both attached to the TGW (and the TGW route table has routes for both), A can talk to B. In Peering, having A-B and B-C peering connections does NOT mean A can talk to C.
- Security Group Referencing: You cannot reference a Security Group ID from another VPC over a Transit Gateway. You must use IP CIDR blocks. This is a common distractor in the exam.
- Resource Access Manager (RAM): To use TGW across different AWS Accounts, you must share the TGW resource using AWS RAM.
- IP Overlap: Like VPC Peering, Transit Gateway does not support routing between VPCs with overlapping CIDR blocks.
- MTU: Supports 8500 bytes (Jumbo Frames) for VPC-to-VPC traffic, but VPN traffic is limited to 1500 bytes.
Topics covered (summary of key subtopics in this guide):
- Hub-and-Spoke networking architecture.
- TGW Attachments (VPC, VPN, DX, Peering).
- Route Table Association vs. Propagation.
- Cross-account sharing with AWS RAM.
- Centralized inspection patterns.
- Performance limits and SG Referencing constraints.
Transit Gateway Visual Architecture (diagram annotations)
- IAM: Control who can create attachments.
- CloudWatch: Monitor bytes in/out and packet drops.
- RAM: Share TGW across your AWS Organization.
- Scaling: Supports up to 5,000 VPC attachments.
- Throughput: 50 Gbps per VPC attachment. Virtually unlimited aggregate bandwidth.
- Pricing: You pay per attachment per hour + data processing charges ($/GB).
- Tip: For very high data transfer between two VPCs, Peering is cheaper (no processing fee).
Production Use Case: Centralized Egress
Route all internet-bound traffic (0.0.0.0/0) from multiple spoke VPCs to a central “Egress VPC” containing a cluster of Firewalls or NAT Gateways. This centralizes security logging and reduces the number of NAT Gateways required, saving significant costs.
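To make the association/propagation rules and the centralized-egress pattern concrete, here is an added Python model (not AWS code, and not from this guide) of how a TGW route table resolves a packet: the lookup happens in the one table the source attachment is associated with, propagation installs a VPC's CIDR into a table, and the longest prefix wins. All attachment names, CIDRs and route-table names are constructed for the example; it also shows why a 0.0.0.0/0 default route to the Egress VPC does not by itself isolate Prod from Dev, and how a blackhole route closes that gap.

```python
from ipaddress import ip_address, ip_network

BLACKHOLE = "blackhole"  # a TGW static route that drops matching traffic

class TransitGateway:
    def __init__(self):
        self.tables = {}       # table name -> {network: attachment or BLACKHOLE}
        self.association = {}  # attachment -> the single table it is associated with
        self.vpc_cidr = {}     # attachment -> its VPC CIDR

    def attach_vpc(self, name, cidr):
        self.vpc_cidr[name] = ip_network(cidr)

    def associate(self, attachment, table):
        self.association[attachment] = table  # exactly one table per attachment
        self.tables.setdefault(table, {})

    def propagate(self, attachment, table):
        # Propagation installs the attachment's own CIDR into the target table.
        self.tables.setdefault(table, {})[self.vpc_cidr[attachment]] = attachment

    def add_static_route(self, table, cidr, target):
        self.tables.setdefault(table, {})[ip_network(cidr)] = target

    def next_hop(self, src_attachment, dst_ip):
        """Longest-prefix match in the table the *source* attachment is associated with."""
        table = self.tables[self.association[src_attachment]]
        dst = ip_address(dst_ip)
        matches = [net for net in table if dst in net]
        if not matches:
            return None  # no route at all: the packet is dropped
        return table[max(matches, key=lambda n: n.prefixlen)]

def build_segmented_tgw():
    """Prod and Dev segments, each with a default route to a shared Egress VPC (constructed values)."""
    tgw = TransitGateway()
    spokes = {"prod-a": ("10.1.0.0/16", "prod-rt"), "prod-b": ("10.2.0.0/16", "prod-rt"),
              "dev-a": ("10.10.0.0/16", "dev-rt")}
    tgw.attach_vpc("egress", "10.255.0.0/16")
    tgw.associate("egress", "egress-rt")
    for spoke, (cidr, table) in spokes.items():
        tgw.attach_vpc(spoke, cidr)
        tgw.associate(spoke, table)
        tgw.propagate(spoke, table)        # spokes learn peers in their own segment only
        tgw.propagate(spoke, "egress-rt")  # the Egress VPC needs return routes to every spoke
        tgw.add_static_route(table, "0.0.0.0/0", "egress")  # internet-bound -> Egress VPC
    # Without this, prod->dev traffic would fall through the default route to the
    # Egress VPC instead of being isolated; a blackhole route closes that gap.
    tgw.add_static_route("prod-rt", "10.10.0.0/16", BLACKHOLE)
    return tgw
```

Note that dev-rt has no matching blackhole, so dev-to-prod traffic still reaches the Egress VPC via the default route; each segment needs its own blackhole (or a firewall policy in the Egress VPC) for symmetric isolation.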