Table of Contents

  1. Introduction
  2. Why Transit Gateway? The Problem It Solves
  3. Core Concepts & Architecture
  4. Design Patterns & Common Use Cases
    • 4.1 Hub‑and‑Spoke (Full‑Mesh)
    • 4.2 Inter‑Region Peering
    • 4.3 Centralized Egress & Inspection
    • 4.4 Hybrid Cloud Connectivity
  5. Step‑by‑Step Deployment
    • 5.1 Using the AWS Console
    • 5.2 AWS CLI & PowerShell
    • 5.3 Infrastructure as Code (Terraform & CloudFormation)
  6. Routing Strategies
    • 6.1 Static vs. Dynamic Propagation
    • 6.2 Segmentation with Multiple Route Tables
    • 6.3 Controlling Traffic Flow with Prefix Lists
  7. Security Considerations
    • 7.1 VPC‑to‑VPC Isolation
    • 7.2 Integration with AWS Network Firewall & Security Groups
    • 7.3 Monitoring with VPC Flow Logs & GuardDuty
  8. Cost Management & Optimization
  9. Monitoring, Auditing, and Troubleshooting
  10. Best‑Practice Checklist
  11. Real‑World Case Study: Multi‑Account SaaS Provider
  12. Conclusion
  13. Resources

Introduction

Amazon Web Services (AWS) has matured from a collection of isolated services into a fully integrated, enterprise‑grade platform. As organizations scale, the networking fabric that interconnects Virtual Private Clouds (VPCs), on‑premises data centers, and other cloud environments becomes a critical piece of the puzzle.

Enter AWS Transit Gateway (TGW)—a regional hub that simplifies the management of thousands of connections, replaces complex peering meshes, and provides a single point of control for routing, security, and observability. This article dives deep into the why, how, and when of Transit Gateway, offering practical examples, architectural guidance, and a real‑world case study. By the end, you should be equipped to design, deploy, and operate a robust TGW‑centric network that meets the needs of modern, multi‑account enterprises.

Why Transit Gateway? The Problem It Solves

Before TGW, architects relied on a mixture of VPC peering, VPN connections, and AWS Direct Connect to stitch together networks. While functional, these approaches present several challenges:

IssueTraditional ApproachImpact
ScalabilityEach VPC pair required a separate peering link.O(N²) growth quickly becomes unmanageable.
Routing ComplexityIndividual route tables per VPC.Hard to enforce consistent policies across accounts.
Cross‑Account ManagementPeering needed explicit acceptance from each account.Operational overhead and security risk.
Centralized Services (e.g., DNS, firewalls)Requires custom NAT/Transit instances.Increases latency and cost.
Hybrid ConnectivityMultiple VPN/Direct Connect per VPC.Redundant configurations, difficult to audit.

Transit Gateway addresses these pain points by acting as a single, highly available hub that can attach:

  • VPCs (across accounts and regions)
  • VPN tunnels (site‑to‑site, client VPN)
  • AWS Direct Connect gateways
  • Transit Gateway Connect (for SD‑WAN appliances)

The result is a hub‑and‑spoke topology that scales to thousands of spokes while keeping routing, security, and monitoring centralized.

Core Concepts & Architecture

Transit Gateway (TGW)

A Transit Gateway is a regional resource. It lives in a specific AWS region and can host up to 5,000 attachments (the limit can be increased via a service limit request). Each attachment is associated with a Transit Gateway Attachment ID (tgw-attach-xxxx).

Key attributes:

  • Highly Available – TGW is built on a multi‑AZ, fault‑tolerant architecture.
  • Elastic – Scales automatically with traffic volume.
  • Policy‑Driven Routing – Uses route tables to control traffic flow.

Transit Gateway Attachments

Attachments are the logical links between TGW and other networks. Four primary types exist:

Attachment TypeTypical UseExample
VPC AttachmentConnect a VPC to TGW.tgw-attach-vpc-1234
VPN AttachmentSite‑to‑site VPN to on‑prem.tgw-attach-vpn-5678
Direct Connect Gateway AttachmentConnect a Direct Connect gateway.tgw-attach-dxgw-9012
Transit Gateway ConnectAttach SD‑WAN or third‑party appliances.tgw-attach-connect-3456

Attachments can be shared across AWS Organizations using Resource Access Manager (RAM), making cross‑account connectivity seamless.

Route Tables & Propagation

Transit Gateway supports multiple route tables (up to 20 by default). Each attachment can be associated with one route table for inbound traffic and can propagate routes to outbound tables.

  • Static Routes – Manually entered CIDR blocks.
  • Propagated Routes – Automatically learned from attached VPCs or VPNs.

Note: By default, a newly created TGW has a single default route table that all attachments use. Adding custom tables enables segmentation (e.g., separating production and development traffic).

Multicast & VPN Support

  • Multicast – TGW can handle IP multicast traffic, useful for media streaming or IoT workloads.
  • VPN – Supports both static routing and BGP for dynamic route exchange.

Design Patterns & Common Use Cases

4.1 Hub‑and‑Spoke (Full‑Mesh)

The classic pattern: a single TGW hub connects to many VPC spokes. All inter‑VPC traffic flows through the hub, simplifying centralized security (e.g., Network Firewall) and logging (Flow Logs).

[VPC A]   [VPC B]   [VPC C]   [VPC D]
   \        |        /        /
    \       |       /        /
    +--------------------------+
    |   AWS Transit Gateway    |
    +--------------------------+

4.2 Inter‑Region Peering

AWS allows Transit Gateway Peering between TGWs in different regions. This enables global hub‑and‑spoke topologies without using the public internet.

  • Use case: A multinational company with workloads in us-east-1 and eu-central-1 wants low‑latency, private inter‑region traffic.

4.3 Centralized Egress & Inspection

Deploy a secure egress VPC hosting NAT gateways, firewalls, or third‑party proxies. All outbound traffic from spoke VPCs is forced through this egress VPC via TGW route tables.

4.4 Hybrid Cloud Connectivity

Combine Direct Connect and Site‑to‑Site VPN on the same TGW to achieve high‑availability hybrid connectivity. If the Direct Connect link fails, traffic automatically fails over to the VPN tunnel.

Step‑by‑Step Deployment

Below are three practical ways to create a Transit Gateway and attach a VPC.

5.1 Using the AWS Console

  1. Create the Transit Gateway
    Navigate → VPC → Transit Gateways → Create Transit Gateway

    • Name: tgw-enterprise-hub
    • ASN: 64512 (default)
    • Enable Auto‑accept shared attachments if you plan to share across accounts.

  2. Create a VPC Attachment

    • Select your TGW → Attachments → Create attachment
    • Choose VPC vpc-0a1b2c3d and the subnets that will host TGW ENIs (usually one per AZ).

  3. Update Route Tables

    • In the VPC console, edit the Route Table associated with your private subnets:
      • Destination: 10.0.0.0/8 (or the CIDR block of the other VPCs)
      • Target: Transit Gateway (select the newly attached TGW).

  4. Test Connectivity

    • Launch an EC2 instance in each VPC, ping the other instance’s private IP.

5.2 AWS CLI & PowerShell

# 1. Create Transit Gateway
aws ec2 create-transit-gateway \
    --description "Enterprise hub" \
    --options AmazonSideAsn=64512 \
    --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=tgw-enterprise-hub}]'

# Capture the TGW ID
TGW_ID=$(aws ec2 describe-transit-gateways \
    --filters Name=tag:Name,Values=tgw-enterprise-hub \
    --query 'TransitGateways[0].TransitGatewayId' --output text)

# 2. Create VPC Attachment (assume VPC ID and subnet IDs are known)
aws ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id $TGW_ID \
    --vpc-id vpc-0a1b2c3d \
    --subnet-ids subnet-11111111 subnet-22222222 \
    --tag-specifications 'ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=spoke-vpc-attachment}]'

# 3. Add route to VPC route table (replace with your route table ID)
aws ec2 create-route \
    --route-table-id rtb-12345678 \
    --destination-cidr-block 10.20.0.0/16 \
    --transit-gateway-id $TGW_ID

5.3 Infrastructure as Code (IaC)

Terraform Example

provider "aws" {
  region = "us-east-1"
}

resource "aws_ec2_transit_gateway" "hub" {
  description = "Enterprise TGW hub"
  amazon_side_asn = 64512

  tags = {
    Name = "tgw-enterprise-hub"
  }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id              = var.spoke_vpc_id
  subnet_ids          = var.spoke_subnet_ids

  tags = {
    Name = "spoke-vpc-attachment"
  }
}

resource "aws_route" "spoke_to_hub" {
  route_table_id         = var.spoke_route_table_id
  destination_cidr_block  = "10.0.0.0/8"
  transit_gateway_id    = aws_ec2_transit_gateway.hub.id
}

CloudFormation Snippet

Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      Description: "Enterprise TGW hub"
      AmazonSideAsn: 64512
      Tags:
        - Key: Name
          Value: tgw-enterprise-hub

  VpcAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref SpokeVPC
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
      Tags:
        - Key: Name
          Value: spoke-vpc-attachment

Routing Strategies

6.1 Static vs. Dynamic Propagation

  • Static Routes – Best for predictable, low‑change environments (e.g., a set of well‑known VPC CIDRs).
  • BGP Propagation – Ideal for hybrid setups where on‑prem networks change frequently. TGW can learn routes from VPN or Direct Connect sessions that use BGP.

6.2 Segmentation with Multiple Route Tables

Create separate route tables for:

Route TablePurpose
ProductionOnly allow traffic to approved services.
DevelopmentFull mesh between dev VPCs, but block access to prod CIDRs.
EgressDirect all outbound traffic to a central NAT/Firewall VPC.

Attach each VPC to the appropriate table using the Attachment Association API.

aws ec2 associate-transit-gateway-route-table \
    --transit-gateway-id $TGW_ID \
    --transit-gateway-attachment-id $ATTACH_ID \
    --transit-gateway-route-table-id $RTB_PROD_ID

6.3 Controlling Traffic Flow with Prefix Lists

AWS Prefix Lists simplify the management of large CIDR collections.

resource "aws_ec2_managed_prefix_list" "prod_cidrs" {
  name        = "prod-cidrs"
  address_family = "IPv4"
  max_entries = 20

  entries = [
    { cidr = "10.0.0.0/8", description = "All prod CIDRs" },
  ]
}

Reference the prefix list in TGW route tables:

Destination: pl-xxxxxx (prod_cidrs)
Target: Transit Gateway

Security Considerations

7.1 VPC‑to‑VPC Isolation

Even though TGW centralizes routing, security groups and network ACLs remain VPC‑level controls. Use them to enforce:

  • Least‑privilege inbound/outbound rules.
  • Segmentation between workloads (e.g., database tier vs. web tier).

7.2 Integration with AWS Network Firewall & Security Groups

Deploy AWS Network Firewall in a dedicated inspection VPC:

  1. Create a TGW attachment to the inspection VPC.
  2. Route all inbound/outbound traffic from spokes through the firewall’s stateless and stateful rule groups.
  3. Use firewall policy to enforce egress filtering, TLS inspection, or DNS security.

7.3 Monitoring with VPC Flow Logs & GuardDuty

  • VPC Flow Logs attached to the TGW capture every packet that traverses the hub. Export logs to CloudWatch Logs or S3 for long‑term retention.
  • GuardDuty can ingest TGW flow logs, providing threat detection for cross‑VPC traffic patterns.
aws ec2 create-flow-logs \
    --resource-type TransitGateway \
    --resource-ids $TGW_ID \
    --traffic-type ALL \
    --log-group-name /aws/tgw/flow-logs \
    --deliver-logs-permission-arn arn:aws:iam::123456789012:role/FlowLogDeliveryRole

Cost Management & Optimization

Cost ComponentPricing Model (as of 2024)Optimization Tips
Transit Gateway Hourly$0.05 per TGW per hour (per AZ)Consolidate TGWs where possible; delete unused TGWs.
Attachment Data Processing$0.02 per GB (in/out)Use Traffic Mirroring only where needed; compress traffic.
Transit Gateway Peering$0.02 per GB across regionsPrefer intra‑region traffic; enable Regional Peering only when required.
Transit Gateway ConnectSame as attachment data processingUse Connect only for SD‑WAN; avoid unnecessary Connect attachments.

Best‑practice: Enable Cost Allocation Tags (Name=TGW, Environment=Prod) and use AWS Cost Explorer or Budgets to track TGW spend per account.

Monitoring, Auditing, and Troubleshooting

ToolUse Case
Amazon CloudWatch MetricsTransitGateway.BytesIn, TransitGateway.BytesOut, TransitGateway.PacketDropCount.
AWS ConfigDetect unauthorized changes to TGW attachments or route tables.
AWS CloudTrailAudit API calls that create/modify TGW resources.
Transit Gateway Network Analyzer (preview)Visualize traffic paths, detect loops, and verify routing.
VPC Reachability AnalyzerTest connectivity between endpoints across TGW.

Sample CloudWatch Alarm – Alert when outbound traffic exceeds 10 TB in a 24‑hour window:

AlarmName: TGW-High-Outbound-Traffic
MetricName: BytesOut
Namespace: AWS/TransitGateway
Statistic: Sum
Period: 86400
Threshold: 85899345920  # 10 TB in bytes
ComparisonOperator: GreaterThanThreshold
EvaluationPeriods: 1
AlarmActions:
  - arn:aws:sns:us-east-1:123456789012:OpsAlerts

Best‑Practice Checklist

  • Use AWS Organizations + RAM to share TGW across accounts.
  • Separate route tables for production, development, and egress.
  • Enable BGP propagation for dynamic hybrid routes.
  • Deploy a central inspection VPC with Network Firewall.
  • Tag all TGW resources for cost allocation and governance.
  • Activate flow logs on the TGW and route them to a secure S3 bucket.
  • Set CloudWatch alarms on traffic spikes and packet drops.
  • Periodically review attachment utilization and delete unused ones.
  • Implement least‑privilege security groups per workload tier.
  • Document the topology using Architecture Diagrams (e.g., AWS Perspective).

Real‑World Case Study: Multi‑Account SaaS Provider

Background

  • Company: DataStreamCo, a SaaS platform delivering real‑time analytics.
  • Environment: 12 AWS accounts (2 per environment: dev, test, prod; plus shared services).
  • Requirements:
    • Isolate customer VPCs per account.
    • Centralize egress via a hardened NAT/Firewall VPC.
    • Provide low‑latency cross‑region replication between us-east-1 and ap-southeast-2.
    • Ensure compliance (PCI‑DSS) with full traffic logging.

Architecture Overview

[Customer VPCs] → (Spoke Attachments) → [Transit Gateway Hub (us-east-1)]
                                 ↘︎
                     [Transit Gateway Peering] ↔︎ [Transit Gateway Hub (ap-southeast-2)]
                                 ↘︎
                         [Egress VPC (Network Firewall + NAT)]
                                 ↘︎
                         Internet / External APIs

Implementation Steps

  1. Create a Central TGW per Regiontgw-data-stream-us-east-1, tgw-data-stream-ap-southeast-2.
  2. Share TGWs via RAM – Each account receives Read‑Write permission to attach its VPCs.
  3. Attach Customer VPCs – Automated via Terraform module that runs in each account’s CI pipeline.
  4. Set Up Inter‑Region Peering – Enables replication traffic between regions without crossing the public internet.
  5. Deploy Central Egress VPC – Contains AWS Network Firewall with PCI‑DSS rule groups, NAT Gateways, and VPC Flow Logs.
  6. Routing:
    • Spoke VPC route tables point all 0.0.0.0/0 traffic to TGW.
    • TGW route tables forward internet‑bound traffic to the Egress VPC attachment.
    • Internal service CIDRs are routed directly between spokes via TGW (no egress).
  7. Security:
    • Security groups allow only required ports; NACLs block all other traffic.
    • Network Firewall enforces TLS inspection for outbound web traffic.
  8. Observability:
    • Flow logs stored in encrypted S3 bucket, processed by Athena for compliance reporting.
    • GuardDuty alerts on anomalous cross‑account traffic.

Outcomes

MetricBefore TGWAfter TGW
Number of VPC Peering Connections66 (full‑mesh)12 (spokes)
Average Latency (inter‑region)180 ms (via internet)95 ms (via TGW peering)
Monthly TGW CostN/A (manual)$2,400 (≈ 5 % of overall spend)
Compliance Reporting Time3 days (manual)< 30 minutes (automated Athena queries)
Security Incidents3 (undetected traffic)0 (full flow‑log visibility)

The case study demonstrates how TGW can simplify network management, lower latency, and enhance security for large, multi‑account SaaS environments.

Conclusion

AWS Transit Gateway has become the linchpin for modern, scalable, and secure cloud networking. By consolidating VPCs, VPNs, and Direct Connect links into a single, highly available hub, TGW eliminates the exponential complexity of traditional peering meshes.

Key takeaways:

  • Scalability: One TGW can handle thousands of attachments, making hub‑and‑spoke designs practical at enterprise scale.
  • Centralized Control: Multiple route tables, propagation, and RAM sharing give you fine‑grained traffic governance across accounts and regions.
  • Security & Observability: Integration with Network Firewall, GuardDuty, and Flow Logs provides deep visibility and compliance readiness.
  • Cost‑Effective Hybrid Connectivity: Combine Direct Connect and VPN on the same TGW for resilient, low‑cost hybrid clouds.

Whether you are building a multi‑account SaaS platform, a global e‑commerce network, or a hybrid data‑center extension, mastering Transit Gateway equips you with the tools to design a future‑proof architecture that balances performance, security, and operational simplicity.

Resources

  • AWS Transit Gateway Documentation – Official guide covering concepts, limits, and API reference.
    AWS Transit Gateway Docs

  • AWS Network Firewall – Learn how to integrate a stateful firewall with TGW for centralized inspection.
    AWS Network Firewall

  • AWS Well‑Architected Framework – Networking Pillar – Best‑practice recommendations for secure and reliable networking.
    Well‑Architected Networking Pillar

  • Terraform AWS Provider – Transit Gateway Resources – Example modules and reference for IaC implementations.
    Terraform AWS TGW

  • AWS Blog: “Simplify Multi‑Region Connectivity with Transit Gateway Peering” – Real‑world patterns and performance results.
    Transit Gateway Peering Blog