Transit Gateway is an AWS networking service that simplifies connectivity by acting as a regional hub for connecting multiple Virtual Private Clouds (VPCs) and on-premises networks.
Basics and Functionality:
- Definition: Transit Gateway is a network transit hub that connects multiple VPCs and on-premises networks through a single gateway instead of a mesh of point-to-point links.
- Hub-and-Spoke Model: Transit Gateway follows a hub-and-spoke architecture; each spoke needs one attachment to the hub rather than a connection to every other spoke.
- Centralized Routing: Routing decisions are made in the gateway's own route tables, which replaces the N×N sets of VPC route entries a peering mesh requires.
- Relationship to VPC Peering: Transit Gateway is an alternative to VPC peering, not an extension of it. VPCs attached to the gateway talk to each other through the gateway; VPC peering connections are a separate construct and cannot be attached to it. Unlike peering, the gateway supports transitive routing, which is also why its route tables must be designed deliberately (see Security and Control).
- Regional Service: A Transit Gateway is a regional resource. Connectivity across regions is achieved by peering one Transit Gateway with another, not by a single gateway spanning regions.
Transit Gateway Attachments:
- VPC Attachments: You can attach multiple VPCs to a Transit Gateway to enable communication between them. An attachment places an elastic network interface in each subnet you select; the VPC's own route tables must still point the relevant prefixes at the gateway.
- VPN Attachments: Site-to-Site VPN connections terminate on the gateway, connecting on-premises networks over IPsec with optional BGP route exchange.
- Direct Connect Attachments: Transit Gateway connects to on-premises networks over AWS Direct Connect through a Direct Connect gateway and a transit virtual interface.
- Connect Attachments: A Connect attachment carries GRE tunnels from third-party SD-WAN or virtual appliances running in an attached VPC, with routes exchanged over BGP.
- Transit Gateway Peering: A Transit Gateway can peer with another Transit Gateway in the same or a different region and in the same or a different AWS account. Peering attachments do not propagate routes; you add static routes for the prefixes reachable on the far side.
Routing and Route Tables:
- Route Tables: Transit Gateway uses its own route tables (distinct from VPC route tables) to decide where traffic arriving from one attachment is sent. A gateway comes with a default route table; you can create more.
- Association: Each attachment (VPC, VPN, Direct Connect, Connect, peering) is associated with exactly one Transit Gateway route table, and that table is the only one consulted for traffic entering the gateway from that attachment. Many attachments can share a table, which is how segments such as "prod", "dev" and "shared services" are formed.
- Propagation: Routes are propagated from attachments into route tables, not between route tables. A VPC attachment propagates its VPC CIDRs; VPN, Direct Connect and Connect attachments propagate BGP-learned prefixes. Which attachments propagate into which tables, together with static routes, determines reachability.
- Prefix-Based Routing: Routing decisions use longest-prefix match on the destination address against the entries in the table. Where a static and a propagated route have the same prefix, the static route wins; among propagated routes with the same prefix, VPC attachments are preferred over Direct Connect gateway, Connect and VPN attachments.
- Default and Blackhole Routes: A default route (0.0.0.0/0) can send all otherwise-unmatched traffic to one attachment, for example an inspection or egress VPC. A static route whose target is "blackhole" drops matching traffic, which is the standard way to deny a specific prefix from a segment.
Security and Control:
- Segmentation: Because the gateway routes transitively, a single route table that every attachment associates with and propagates into gives every VPC a path to every other VPC. Isolation is achieved with separate route tables per segment, selective propagation and blackhole routes, not with the gateway's defaults.
- Security Groups and NACLs: Security Groups and Network Access Control Lists (NACLs) still apply inside each VPC and remain the place for fine-grained control over which hosts and ports can be reached; the gateway itself has no packet filtering.
- Security Groups Across VPCs: Security groups are scoped to a VPC; you cannot attach a security group to a resource in another VPC. Rules for traffic arriving through the gateway are normally written in terms of CIDR ranges. Referencing a security group from another VPC in a rule is an opt-in, same-region feature of Transit Gateway, not the default.
- Inter-Region Peering: Transit Gateway supports peering between Transit Gateways in different regions (and in the same region). Inter-region peering traffic is encrypted by AWS as it crosses the backbone.
- Encryption: Traffic over a Site-to-Site VPN attachment is IPsec-encrypted. Direct Connect is a private link but is not encrypted by default; use MACsec on Direct Connect ports that support it, or run an IPsec VPN over the Direct Connect connection. Traffic between VPC attachments in the same region is not encrypted by the gateway; encrypt at the application or TLS layer if required.
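The route table and segmentation rules above (association, propagation, static and blackhole routes, longest-prefix match) are easier to reason about with a small offline model. The following Python is an added example written for this page; it is not AWS code and it does not call the AWS API. It models the gateway's forwarding decision and uses it to compare the default "one flat table" layout with a segmented hub-and-spoke layout, then audits whether any spoke can reach another spoke. Attachment IDs and CIDR ranges are constructed for the example.

```python
"""Offline model of Transit Gateway route evaluation (added example, not AWS code).

Attachment IDs and CIDRs below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = "blackhole"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    target: str      # attachment id, or BLACKHOLE
    static: bool     # True for static routes, False for propagated ones


@dataclass
class RouteTable:
    name: str
    routes: list = field(default_factory=list)

    def propagate(self, attachment_id: str, cidr: str) -> None:
        # Propagation: the attachment's prefix is written into this table as a dynamic route.
        self.routes.append(Route(ipaddress.ip_network(cidr), attachment_id, static=False))

    def add_static(self, cidr: str, target: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(cidr), target, static=True))

    def lookup(self, dst_ip: str):
        # Longest-prefix match; on an exact prefix tie a static route beats a propagated one.
        addr = ipaddress.ip_address(dst_ip)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None  # no matching route: the gateway drops the packet
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, r.static))
        return best.target


@dataclass
class TransitGateway:
    tables: dict = field(default_factory=dict)
    association: dict = field(default_factory=dict)  # attachment id -> route table name

    def associate(self, attachment_id: str, table_name: str) -> None:
        # Each attachment is associated with exactly one route table.
        self.association[attachment_id] = table_name

    def forward(self, src_attachment: str, dst_ip: str):
        # Ingress traffic is evaluated only against the table its source attachment is associated with.
        table = self.tables[self.association[src_attachment]]
        return table.lookup(dst_ip)


# Constructed inventory: shared-services hub, two application spokes, one VPN to on-prem.
ATTACHMENTS = {
    "tgw-attach-shared": "10.0.0.0/16",     # shared services (DNS, interface endpoints, inspection)
    "tgw-attach-prod": "10.1.0.0/16",
    "tgw-attach-dev": "10.2.0.0/16",
    "tgw-attach-vpn": "192.168.0.0/16",     # on-premises over Site-to-Site VPN (BGP-learned, modelled as propagated)
}
SPOKES = ["tgw-attach-prod", "tgw-attach-dev"]


def build_flat() -> TransitGateway:
    """Default layout: every attachment associated with, and propagating into, one table."""
    tgw = TransitGateway()
    table = RouteTable("default")
    for att, cidr in ATTACHMENTS.items():
        table.propagate(att, cidr)
        tgw.associate(att, "default")
    tgw.tables["default"] = table
    return tgw


def build_segmented() -> TransitGateway:
    """Hub-and-spoke isolation: spokes see shared services and on-prem, never each other."""
    tgw = TransitGateway()
    spokes = RouteTable("spokes")
    spokes.propagate("tgw-attach-shared", ATTACHMENTS["tgw-attach-shared"])
    spokes.add_static(ATTACHMENTS["tgw-attach-vpn"], "tgw-attach-vpn")
    spokes.add_static("192.168.100.0/24", BLACKHOLE)  # sensitive on-prem subnet: longer prefix, so it wins
    hub = RouteTable("hub")
    for att, cidr in ATTACHMENTS.items():
        hub.propagate(att, cidr)                         # hub and on-prem may reach every spoke
    tgw.tables = {"spokes": spokes, "hub": hub}
    for att in SPOKES:
        tgw.associate(att, "spokes")
    tgw.associate("tgw-attach-shared", "hub")
    tgw.associate("tgw-attach-vpn", "hub")
    return tgw


def spoke_to_spoke_paths(tgw: TransitGateway, spokes):
    """Audit: return every (src, dst) spoke pair that has a forwarding path through the gateway."""
    leaks = []
    for src in spokes:
        for dst in spokes:
            if src == dst:
                continue
            probe = str(ipaddress.ip_network(ATTACHMENTS[dst])[10])  # any host inside dst's CIDR
            if tgw.forward(src, probe) == dst:
                leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    print("flat layout leaks:", spoke_to_spoke_paths(build_flat(), SPOKES))
    print("segmented layout leaks:", spoke_to_spoke_paths(build_segmented(), SPOKES))
```

The same audit applied to a real gateway would walk the output of `describe-transit-gateway-route-tables`, `get-transit-gateway-route-table-associations` and `search-transit-gateway-routes` rather than the constructed dictionary; the decision logic is the same. Note that isolation here comes entirely from what is absent from the "spokes" table: a later engineer enabling propagation from a spoke into that table silently recreates the flat topology, which is why such audits belong in CI or a scheduled check.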
Transit Gateway Network Manager (TGNM):
- Management: Transit Gateway Network Manager (TGNM) provides a centralized dashboard for managing global networks.
- Monitoring: TGNM provides visibility into network health and performance across multiple regions.
Scalability and Limits:
- Attachment Limit: A Transit Gateway supports up to 5,000 attachments in total (VPC, VPN, Direct Connect gateway, Connect and peering combined), not 5,000 VPCs on top of other attachment types.
- Route Limits: Each Transit Gateway route table holds up to 10,000 routes by default; this quota is adjustable through Service Quotas.
- Prefix Lengths: The gateway's route tables accept ordinary IPv4 prefixes down to host routes (/32), so targeted blackhole entries are possible. The /16 to /28 size restriction applies to VPC CIDR blocks themselves, not to Transit Gateway routes.
- Route Table Limits: A Transit Gateway has 20 route tables by default (adjustable). Check the current values in the Service Quotas console before designing a large segmentation scheme, since these numbers change.
Integration:
- Cross-Account Sharing: A Transit Gateway is shared with other accounts through AWS Resource Access Manager (RAM), which can target individual accounts, organizational units or the whole AWS Organization. The owning account keeps control of the route tables; shared accounts can only create attachments to it.
- VPC Endpoints: Gateway endpoints (S3, DynamoDB) are local to the VPC that defines them and cannot be reached from another VPC across the gateway. Interface endpoints (PrivateLink) are network interfaces with VPC-private addresses, so a centralized-endpoint pattern works: place interface endpoints in a shared-services VPC, associate its private hosted zones with the spoke VPCs, and spokes reach AWS services across the Transit Gateway without leaving the AWS network.
- Integration with Direct Connect Gateway: You can associate Transit Gateways with a Direct Connect gateway for hybrid architectures; the association carries an allowed-prefix list that controls which prefixes are advertised toward on-premises.
Billing:
- Data Processing Costs: Every gigabyte that enters the gateway from an attachment is billed as data processed, including VPC-to-VPC traffic within the same region. Standard inter-region and, where applicable, inter-AZ data transfer charges apply on top.
- Pricing: Transit Gateway has its own pricing model based on the number of attachment-hours and the amount of data processed.
Transit Gateway simplifies network architecture in AWS by providing a centralized hub for connecting multiple VPCs and on-premises networks. Understanding its capabilities and configurations is essential for building scalable and well-connected AWS environments.