# AWS Transit Gateway (TGW)
## What Is AWS Transit Gateway?
AWS Transit Gateway (TGW) is a managed network transit hub that centrally connects AWS and on-premises networks.
It simplifies connectivity between:
- VPCs
- AWS accounts
- Direct Connect
- Site-to-Site VPN
- SD-WAN
- hybrid environments
Think of Transit Gateway as a centralized routing hub for AWS networking.
## Why It Matters for Security
Transit Gateway helps organizations:
- reduce mesh networking
- centralize routing
- simplify segmentation
- isolate environments
- improve governance
Security teams use TGW for:
- centralized inspection
- network segmentation
- hybrid architectures
- multi-account connectivity
## Core Concepts
- hub-and-spoke routing
- attachments
- route tables
- centralized networking
- segmentation
- transit routing
## Important Integrations
### Amazon VPC
Supports:
- VPC attachments
Very important identity.
### AWS Direct Connect
Supports:
- private hybrid connectivity
Pattern: On-Prem → Direct Connect → TGW → VPCs
### Site-to-Site VPN
Supports:
- encrypted hybrid connectivity
### AWS RAM
Supports:
- cross-account sharing
Very important architecture capability.
### Transit Gateway Connect
Supports:
- SD-WAN integration
Uses: GRE + BGP
Very important networking topic.
### AWS Network Firewall
Supports:
- centralized inspection
Very important Security Specialty pattern.
## Security Features
### Centralized Routing
Pattern: VPC → TGW → VPC
Reduces:
- route complexity
- operational overhead
### Segmentation with Route Tables
TGW supports multiple route tables.
Example: separate route tables for Production, Shared Services, and Security.
Very important architecture capability.
### Isolation
Control connectivity through:
- route table association
- route propagation
Very important exam distinction.
### Hybrid Consolidation
Supports:
- centralized ingress
- controlled connectivity
## Advanced Security and Operational Concepts
### Attachments (Service Identity)
Transit Gateway connects using attachments.
Supported:
- VPC
- VPN
- Direct Connect
- Connect
Very important TGW identity.
### Dedicated Attachment Subnets (Architecture Trap)
TGW VPC Attachments require:
- one subnet per AZ
AWS creates:
- Transit Gateway ENIs in those subnets
Best practice: a dedicated /28 subnet for the attachment
Do NOT mix workloads and the TGW attachment in the same subnet.
Benefits:
- cleaner routing
- centralized inspection
- easier operations
Very important architecture pattern.
### Association vs Propagation
#### Association
Determines which route table processes traffic arriving from an attachment.
#### Propagation
Determines which routes appear in a route table.
Very important exam trap.
### Appliance Mode and Asymmetric Routing
Supports:
- stateful inspection
Problem (without appliance mode): Request → Firewall AZ-A, Return → Firewall AZ-B
Result:
→ Dropped packets (the firewall in AZ-B has no session state for the flow)
Enable:
Appliance Mode
Behavior: Request → AZ-A, Return → AZ-A
Very important Security Specialty concept.
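The segmentation, dedicated-subnet, association/propagation and appliance-mode points above, as an added Terraform example (not code from the original page): a production spoke and an inspection VPC on one TGW. It assumes an existing TGW and the placeholder VPC/subnet IDs shown; nothing else is reachable unless a route is added explicitly.

```hcl
# Placeholder IDs (constructed for this example); the subnets are the dedicated
# /28 attachment subnets, one per AZ, containing only Transit Gateway ENIs.
locals { tgw_id = "tgw-PLACEHOLDER" }

resource "aws_ec2_transit_gateway_vpc_attachment" "prod" {
  transit_gateway_id = local.tgw_id
  vpc_id             = "vpc-PLACEHOLDER-prod"
  subnet_ids         = ["subnet-PLACEHOLDER-prod-a", "subnet-PLACEHOLDER-prod-b"]
  # Never fall into the default table: reachability is granted explicitly below.
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# Appliance mode keeps request and reply in the same AZ, so the stateful firewall sees both.
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = local.tgw_id
  vpc_id                 = "vpc-PLACEHOLDER-inspection"
  subnet_ids             = ["subnet-PLACEHOLDER-insp-a", "subnet-PLACEHOLDER-insp-b"]
  appliance_mode_support = "enable"
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# Two route tables: one for workload spokes, one for the inspection VPC.
resource "aws_ec2_transit_gateway_route_table" "spoke" { transit_gateway_id = local.tgw_id }
resource "aws_ec2_transit_gateway_route_table" "inspection" { transit_gateway_id = local.tgw_id }

# Association: which table processes traffic ENTERING the TGW from an attachment.
resource "aws_ec2_transit_gateway_route_table_association" "prod" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.prod.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
resource "aws_ec2_transit_gateway_route_table_association" "inspection" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

# Propagation: the prod CIDR appears only in the inspection table (return path).
# The spoke table never learns other spokes, so spoke-to-spoke must cross the firewall.
resource "aws_ec2_transit_gateway_route_table_propagation" "prod_to_inspection" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.prod.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

# Static default route: everything leaving a spoke is handed to the inspection VPC.
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
}
```

Adding a second spoke is just another attachment associated to the `spoke` table and propagated into `inspection`; the two spokes still cannot reach each other except through the firewall.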
### Transit Gateway Connect
Supports:
- SD-WAN optimization
Uses: GRE + BGP
### Transit Gateway Peering
Transit Gateway is regional.
Need inter-region routing? Use a peering attachment: TGW → Peering Attachment → TGW
Characteristics:
- encrypted
- AWS backbone
- private transport
Very important architecture capability.
### TGW Peering Route Requirement
Transit Gateway Peering does NOT support automatic route propagation.
Must configure static routes pointing at the peering attachment for the CIDRs behind the peered TGW.
Very important exam trap.
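An added Terraform example (not from the original page) of the inter-region peering and static-route requirement just described. It assumes both TGWs keep the default route table association enabled, so the peering attachment lands in each TGW's default association table once accepted; the region names and CIDRs are constructed.

```hcl
provider "aws" {
  alias  = "use1"
  region = "us-east-1"
}
provider "aws" {
  alias  = "euw1"
  region = "eu-west-1"
}

# One TGW per region: peering is the only way to route between them.
resource "aws_ec2_transit_gateway" "use1" { provider = aws.use1 }
resource "aws_ec2_transit_gateway" "euw1" { provider = aws.euw1 }

# Requester side creates the peering attachment toward the remote TGW.
resource "aws_ec2_transit_gateway_peering_attachment" "use1_to_euw1" {
  provider                = aws.use1
  transit_gateway_id      = aws_ec2_transit_gateway.use1.id
  peer_region             = "eu-west-1"
  peer_transit_gateway_id = aws_ec2_transit_gateway.euw1.id
}

# The remote side must accept; the attachment ID is the same in both regions.
resource "aws_ec2_transit_gateway_peering_attachment_accepter" "euw1" {
  provider                      = aws.euw1
  transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.use1_to_euw1.id
}

# No propagation over peering: each side needs a static route for the remote CIDR
# (10.10.0.0/16 behind us-east-1, 10.20.0.0/16 behind eu-west-1; constructed values).
resource "aws_ec2_transit_gateway_route" "use1_to_euw1" {
  provider                       = aws.use1
  destination_cidr_block         = "10.20.0.0/16"
  transit_gateway_route_table_id = aws_ec2_transit_gateway.use1.association_default_route_table_id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment.use1_to_euw1.id
  depends_on                     = [aws_ec2_transit_gateway_peering_attachment_accepter.euw1]
}
resource "aws_ec2_transit_gateway_route" "euw1_to_use1" {
  provider                       = aws.euw1
  destination_cidr_block         = "10.10.0.0/16"
  transit_gateway_route_table_id = aws_ec2_transit_gateway.euw1.association_default_route_table_id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment_accepter.euw1.id
}
```

Without the two static routes the peering attachment comes up as available but carries nothing, which is exactly the exam trap: accepted peering is not the same as routed peering.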
### Throughput Considerations
#### Transit Gateway
Per VPC Attachment: 50 Gbps
#### VPC Peering
Bandwidth: no explicit limit
Limited by:
- EC2 networking
Very important HPC distinction.
### Multicast Support
Transit Gateway supports multicast.
Useful for:
- media workloads
- market systems
Very important differentiation.
## Architecture Example
### Centralized Inspection Architecture
```mermaid
flowchart LR
    ONPREM[On-Prem]
    DX[Direct Connect]
    TGW[Transit Gateway]
    ATTACH[Dedicated Attachment Subnet]
    SEC[Inspection VPC]
    PROD[Production VPC]
    SHARED[Shared Services]
    VPN[Site-to-Site VPN]
    ONPREM --> DX
    DX --> TGW
    VPN -. Backup .-> TGW
    TGW --> ATTACH
    ATTACH --> SEC
    TGW --> PROD
    TGW --> SHARED
    classDef network fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
    classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;
    class ONPREM,DX,TGW,ATTACH network;
    class SEC,PROD,SHARED,VPN security;
```
Use case: centralized routing with inspection and segmentation.
### Routing Workflow
```mermaid
sequenceDiagram
    autonumber
    participant SRC
    participant TGW
    participant ASSOC
    participant PROP
    participant DEST
    SRC->>TGW: Send packet
    TGW->>ASSOC: Select route table
    TGW->>PROP: Evaluate routes
    PROP->>DEST: Forward
    DEST-->>SRC: Response
```
### Inspection Workflow
```mermaid
sequenceDiagram
    autonumber
    participant APP
    participant TGW
    participant FIREWALL
    participant DEST
    APP->>TGW: Send traffic
    TGW->>FIREWALL: Inspect
    FIREWALL->>DEST: Allow
    DEST-->>APP: Response
```
### Inter-Region TGW Workflow
```mermaid
sequenceDiagram
    autonumber
    participant TGW1
    participant PEER
    participant TGW2
    participant DEST
    TGW1->>PEER: Forward
    PEER->>TGW2: Deliver
    TGW2->>DEST: Route
```
## Transit Gateway vs VPC Peering
| Transit Gateway | VPC Peering |
|---|---|
| hub-and-spoke | mesh |
| transitive | non-transitive |
| centralized | pairwise |
Use TGW when:
- many VPCs
Use Peering when:
- direct high-throughput connectivity
## Transit Gateway vs Direct Connect
| Transit Gateway | Direct Connect |
|---|---|
| routing | connectivity |
| internal | external |
## Transit Gateway vs PrivateLink
| Transit Gateway | PrivateLink |
|---|---|
| network | service |
| routing | application |
## Common Exam Traps
### Trap 1 — Association ≠ Propagation
Association:
→ route table
Propagation:
→ routes
### Trap 2 — TGW Supports Transitive Routing
Need transit?
→ TGW
### Trap 3 — VPC Peering Is Not Transitive
Need mesh reduction?
→ TGW
### Trap 4 — Forgetting Attachments
TGW connects using:
→ Attachments
### Trap 5 — Forgetting Appliance Mode
Need stateful inspection?
→ Appliance Mode
### Trap 6 — Transit Gateway Is Regional
Need inter-region?
→ TGW Peering
### Trap 7 — TGW Peering Requires Static Routes
No automatic propagation.
### Trap 8 — Forgetting Dedicated Subnets
Use:
→ Dedicated Attachment Subnets
### Trap 9 — Need Extreme East-West Throughput
→ VPC Peering
## 5-Second Recall
### Identity
Transit Gateway = centralized routing hub
### Keywords
If the scenario mentions:
- hub and spoke
- centralized routing
- segmentation
- multi-account networking
- hybrid cloud
Answer:
→ AWS Transit Gateway
### Need Many VPCs?
→ Transit Gateway
### Need Hybrid Connectivity?
→ Direct Connect
### Need SD-WAN?
→ Transit Gateway Connect
### Need Stateful Inspection?
→ Appliance Mode
### Need Inter-Region Connectivity?
→ TGW Peering
## Quick Revision Notes
- centralized routing
- attachments
- route tables
- association
- propagation
- appliance mode
- dedicated subnets
- TGW peering
- static routes
- multicast
- Connect
- segmentation
- hybrid networking