VPC Peering & Transit Gateway

In the AWS ecosystem, connecting multiple Virtual Private Clouds (VPCs) is a fundamental requirement for building scalable and resilient architectures. AWS provides two primary methods for this: VPC Peering for point-to-point connections and AWS Transit Gateway for centralized hub-and-spoke networking.

The Analogy: Walkie-Talkies vs. A Switchboard

Imagine your VPCs are individual offices in a large building. VPC Peering is like having a direct walkie-talkie channel between two specific offices. If Office A wants to talk to Office B, they use that channel. But if you have 50 offices, keeping track of 1,225 walkie-talkie channels becomes a nightmare. Transit Gateway is like a central telephone switchboard. Every office plugs one line into the switchboard, and the operator routes calls to any other office instantly.

Core Concepts & Well-Architected Framework

Operational Excellence

Transit Gateway simplifies operations by providing a single point of management for network traffic. Instead of managing hundreds of peering relationships, you manage one gateway and its route tables.

Reliability & Performance

Both services run on the AWS global backbone. VPC Peering has no single point of failure and no aggregate bandwidth bottleneck, because traffic goes directly between the two VPCs. Transit Gateway is highly available by design (a regional, multi-AZ managed service) but adds a managed hop to the network path, so a direct peering gives marginally lower latency.

Comparison: VPC Peering vs. Transit Gateway

Feature            | VPC Peering                                        | Transit Gateway
Topology           | Point-to-point (a full mesh at scale)              | Hub-and-spoke
Transitive routing | Not supported                                      | Supported
Complexity         | High at scale: n*(n-1)/2 peering connections       | Low: one attachment per VPC (linear growth)
Performance        | No aggregate bandwidth limit                       | Bandwidth is a per-attachment quota (up to 50 Gbps per VPC attachment; check the current Transit Gateway quotas)
Cost               | No hourly charge; only data transfer charges (cross-AZ and cross-Region traffic) | Hourly charge per attachment plus per-GB data processing fees

Scenario-Based Decision Matrix

  • If you need to connect just two VPCs with the lowest possible latency and no hourly cost: Use VPC Peering.
  • If you need to connect hundreds of VPCs and on-premises VPNs/Direct Connects: Use Transit Gateway.
  • If you need to share a single Direct Connect connection across multiple AWS accounts: Use Transit Gateway (attached through a Direct Connect gateway and shared with the other accounts via RAM).
  • If you need to inspect all traffic between VPCs using a central security appliance: Use Transit Gateway, and enable appliance mode on the inspection VPC attachment so both directions of a flow pass through the same appliance Availability Zone.

Exam Tips: Golden Nuggets

  • No Transitive Peering: If VPC A is peered with B, and B is peered with C, A cannot talk to C through B. A peering connection only carries traffic addressed to the peer VPC's own CIDR, so adding a route for C's CIDR via the A-B peering does nothing. This is a classic SAA-C03 distractor.
  • Overlapping CIDRs: A peering request between VPCs whose CIDRs overlap (even partially) is rejected outright. A Transit Gateway route table is a longest-prefix-match table, so two attachments advertising the same prefix cannot both be reachable; the exam answer in both cases is that overlapping VPCs cannot be connected, and the practical fix is to plan non-overlapping address space up front.
  • Cross-Region: Both services support cross-Region connectivity (Transit Gateway does this through inter-Region TGW peering), but inter-Region data transfer costs apply.
  • Security Groups: Over VPC Peering you can reference a security group in the peered VPC as a rule source or destination (same Region only). Over Transit Gateway this historically was not possible; AWS has since added optional security group referencing for VPC attachments in the same Region, but it must be explicitly enabled on the gateway and the attachment, so the safe exam answer remains that peering supports cross-VPC SG references and Transit Gateway does not by default.

Architectural Visualization

[Figure: Transit Gateway hub-and-spoke model, with VPC A, VPC B, VPC C and On-Prem each attached to the central Transit Gateway. Simplifies N-to-N connectivity.]

Key Services

AWS Resource Access Manager (RAM): Used to share a Transit Gateway with other AWS accounts in your organization (or with specific account IDs), so that VPCs owned by those accounts can attach to it without a gateway of their own.

Common Pitfalls

Forgetting to update route tables. An active peering connection or Transit Gateway attachment moves no traffic on its own: the subnet route tables in both VPCs need a route for the remote CIDR pointing at the peering connection or the TGW, and for Transit Gateway the transit gateway route table also needs a route (static or propagated) back to each attachment. Missing any one of these produces a silent blackhole rather than an error.

Quick Patterns

Centralized Egress: Use Transit Gateway to send all internet-bound traffic from the spoke VPCs (a 0.0.0.0/0 route pointing at the TGW) to a single "Inspection" or egress VPC that holds the NAT Gateway and, optionally, firewall appliances. The spokes then need no internet gateway or NAT Gateway of their own, and the egress VPC needs a return route for the spoke address space pointing back at the TGW.
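The exam tips above (no transitive peering, overlapping CIDRs), the route-table pitfall and this centralized-egress pattern all come down to how route tables resolve a destination. The following Python model is added here as an illustration; it is not AWS code and not taken from this page. It simulates longest-prefix-match lookups across peering connections and a Transit Gateway with a single route table, and every VPC name (A, B, C, D, X, Y, INSPECT), CIDR and peering id (pcx-ab, pcx-bc) in it is made up. It deliberately ignores security groups, NACLs, per-subnet route tables and multiple TGW route tables.

```python
"""Toy longest-prefix-match simulator for VPC Peering vs Transit Gateway routing.
Added illustration, not AWS code: VPC names (A, B, C, D, X, Y, INSPECT), CIDRs,
peering ids (pcx-ab, pcx-bc) and the single TGW route table are all made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

Net = ipaddress.IPv4Network


def lookup(routes: dict, dst: ipaddress.IPv4Address):
    """Longest-prefix match, the rule that VPC subnet and TGW route tables both use."""
    matches = [net for net in routes if dst in net]
    return routes[max(matches, key=lambda n: n.prefixlen)] if matches else None


@dataclass
class Vpc:
    cidr: Net
    routes: dict = field(default_factory=dict)  # Net -> "local" | "pcx-..." | "tgw" | "nat"


@dataclass
class Fabric:
    vpcs: dict = field(default_factory=dict)        # name -> Vpc
    peerings: dict = field(default_factory=dict)    # "pcx-..." -> (vpc_a, vpc_b)
    tgw_routes: dict = field(default_factory=dict)  # the TGW route table: Net -> VPC name

    def add_vpc(self, name: str, cidr: str, routes: Optional[dict] = None) -> None:
        vpc = Vpc(Net(cidr), {Net(cidr): "local"})  # the implicit local route every VPC has
        for prefix, target in (routes or {}).items():
            vpc.routes[Net(prefix)] = target
        self.vpcs[name] = vpc  # re-adding a name replaces its route table

    def can_peer(self, a: str, b: str) -> bool:
        # AWS refuses a peering request when the two CIDRs overlap, even partially.
        return not self.vpcs[a].cidr.overlaps(self.vpcs[b].cidr)

    def peer(self, pcx: str, a: str, b: str) -> None:
        if not self.can_peer(a, b):
            raise ValueError(f"cannot peer {a} and {b}: overlapping CIDRs")
        self.peerings[pcx] = (a, b)

    def trace(self, src: str, dst_ip: str, max_hops: int = 8) -> list:
        """Follow one packet from VPC `src` towards `dst_ip`; returns the list of hops."""
        dst = ipaddress.IPv4Address(dst_ip)
        path, here = [src], src
        for _ in range(max_hops):
            target = lookup(self.vpcs[here].routes, dst)
            if target is None:
                return path + ["DROP: no route in VPC route table"]
            if target == "local":
                return path + ["delivered"]
            if target == "nat":
                return path + ["nat", "internet"]
            if target.startswith("pcx-"):
                a, b = self.peerings[target]
                peer = b if here == a else a
                # A peering link carries only traffic addressed to the peer VPC's own CIDR;
                # it never forwards on to the peer's other peerings or attachments.
                if dst not in self.vpcs[peer].cidr:
                    return path + [target, "DROP: peering is not transitive"]
                return path + [target, peer, "delivered"]
            if target == "tgw":
                nxt = lookup(self.tgw_routes, dst)
                if nxt is None:
                    return path + ["tgw", "DROP: no route in TGW route table"]
                # The TGW hands the packet to the chosen attachment and the receiving VPC's
                # route table is consulted next: that second lookup is what makes it transitive.
                path += ["tgw", nxt]
                here = nxt
                continue
            return path + [f"DROP: unknown target {target}"]
        return path + ["DROP: hop limit exceeded (routing loop?)"]


def build_demo() -> Fabric:
    f = Fabric()
    # Peering side: A-B and B-C are peered; A also carries a (useless) route for C via pcx-ab.
    f.add_vpc("A", "10.1.0.0/16", {"10.2.0.0/16": "pcx-ab", "10.3.0.0/16": "pcx-ab"})
    f.add_vpc("B", "10.2.0.0/16", {"10.1.0.0/16": "pcx-ab", "10.3.0.0/16": "pcx-bc"})
    f.add_vpc("C", "10.3.0.0/16", {"10.2.0.0/16": "pcx-bc"})
    f.add_vpc("D", "10.1.128.0/17")  # overlaps A's CIDR, so it can never be peered with A
    f.peer("pcx-ab", "A", "B")
    f.peer("pcx-bc", "B", "C")
    # TGW side: spokes X and Y plus an inspection VPC that owns the NAT Gateway
    # (centralized egress). Y deliberately lacks a default route.
    f.add_vpc("X", "10.10.0.0/16", {"10.0.0.0/8": "tgw", "0.0.0.0/0": "tgw"})
    f.add_vpc("Y", "10.11.0.0/16", {"10.0.0.0/8": "tgw"})
    f.add_vpc("INSPECT", "10.99.0.0/16", {"10.0.0.0/8": "tgw", "0.0.0.0/0": "nat"})
    f.tgw_routes = {Net("10.10.0.0/16"): "X", Net("10.11.0.0/16"): "Y",
                    Net("10.99.0.0/16"): "INSPECT", Net("0.0.0.0/0"): "INSPECT"}
    return f


if __name__ == "__main__":
    f = build_demo()
    for src, dst in [("A", "10.3.0.5"), ("X", "8.8.8.8"), ("Y", "8.8.8.8")]:
        print(f"{src} -> {dst}: {' -> '.join(f.trace(src, dst))}")
```

Running it shows A reaching B but being dropped at pcx-ab when it aims for C, X reaching the internet through the inspection VPC's NAT Gateway, and Y blackholed because nobody added its 0.0.0.0/0 route. Re-adding INSPECT with its default route pointing back at the TGW instead of the NAT turns the egress path into a loop, which the hop limit catches; on real infrastructure that misconfiguration shows up only as timeouts.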
