AWS Transit Gateway incubating
Managed service which offers a hub-and-spoke model for connecting AWS VPCs and on-prem networks. Low operational overhead, but not the cheapest option.
Features
Multiple VPCs can connect to a single transit gateway, which can allow on-prem connectivity via direct connect or cross region connectivity via transit gateway peering.
When using a VPN or Direct Connect (DC), each VPC is connected only to the TGW, which in turn is connected to the DC or VPN.
Up to 3 transit gateway connections are supported over 1 Direct Connect.
If isolation is required between VPCs connected to the TGW, it can be achieved using route table rules.
Works cross-account, but only within a single region. For cross-region connectivity, use Transit Gateway peering.
AWS Transit Gateway works in AZ affinity mode: it keeps traffic within the originating AZ as long as the destination is in that same AZ.
Multiple Transit Gateways may be used in the same region for operational ease, restricting the blast radius. Centralized design vs distributed design choices. Limit of 5000 connections per region, this may also dictate if additional TGWs are required.
Launch in a dedicated account (e.g. networking) and share it across the organization's accounts using AWS Resource Access Manager. One caveat: tags from the source account are not shared.
A transit gateway VPC attachment has an hourly charge.
If you have a multi-Region deployment, we recommend that you use a unique ASN for each of your transit gateways.
- Mix of static and auto-propagated routes
- Administrative distance
- Static routes take precedence over auto-propagated routes on the TGW
Attachment Types
#todo Add information about different attachments that TGW supports
AWS Transit Gateway Connect
- Attachment type - Transit Gateway Connect
- Use AWS Transit Gateway Connect to connect AWS infrastructure with on-prem SD-WAN appliances.
- Use Transit Gateway Connect BGP for dynamic routing and GRE tunnel protocol for high performance, delivering up to 20 Gbps total bandwidth per Connect attachment (up to four Transit Gateway Connect peers per Connect attachment).
VPN
- Type of VPC edge consolidation
- Supports IPsec termination for site-to-site VPN; customers can create tunnels terminating at the TGW and reach the VPCs connected to it.
- Supports ECMP for VPN attachments, which allows you to scale beyond the default limit of 1.25 Gbps per VPN connection. More details - Scaling VPN throughput.
Appliance mode
Without appliance mode, return traffic for a flow whose destination is in another AZ may be sent to a different appliance ENI (because of the TGW AZ affinity property) and dropped by a stateful appliance. In appliance mode, the transit gateway picks a network interface in the appliance VPC and uses that same interface for the return traffic as well.
Using the 4-tuple of an IP packet, the TGW selects a single TGW ENI in the appliance VPC for the life of a flow and sends all of that flow's traffic to it.
Ref https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html
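Added example (not from the AWS docs or blogs linked here) putting the isolation-via-route-tables and appliance-mode points together in Terraform: spokes get their own route table whose only route points at an inspection VPC, the inspection route table learns spoke CIDRs via propagation, and the default association/propagation is disabled so no implicit any-to-any mesh exists. `var.spokes` (a map of `{ vpc_id, subnet_ids }`) and `var.inspection` are assumed inputs, and the ASN is a placeholder.

```hcl
# Assumed inputs: var.spokes = { a = { vpc_id = "...", subnet_ids = [...] }, ... }, var.inspection = { vpc_id, subnet_ids }
resource "aws_ec2_transit_gateway" "hub" {
  amazon_side_asn                 = 64512     # placeholder; use a unique ASN per TGW in multi-region deployments
  default_route_table_association = "disable" # attachments must be explicitly placed in a route table
  default_route_table_propagation = "disable" # no implicit full mesh between spokes
}
# Spoke route table: its only route is a default route towards the inspection VPC
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
# Inspection route table: learns every spoke CIDR via propagation so return traffic can be routed
resource "aws_ec2_transit_gateway_route_table" "inspection" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each                                        = var.spokes
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.inspection.vpc_id
  subnet_ids                                      = var.inspection.subnet_ids
  appliance_mode_support                          = "enable" # same ENI for both directions of a flow
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_to_inspection" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}
resource "aws_ec2_transit_gateway_route_table_association" "inspection" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}
# Spokes can only reach the inspection VPC; spoke-to-spoke traffic is either inspected there or blocked there
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
```

Check the result with `aws ec2 search-transit-gateway-routes` against the spokes route table: it should contain only the 0.0.0.0/0 static route, with no propagated spoke CIDRs.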
References
- https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/
- https://aws.amazon.com/blogs/networking-and-content-delivery/building-a-global-network-using-aws-transit-gateway-inter-region-peering/
- https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/
- https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html
- https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-nat-igw.html