What are the top 10 things I need to know about the new AWS Transit Gateway (TGW)?
AWS announced the Transit Gateway service at re:Invent 2018.
AWS Transit Gateway (TGW) allows you to build more complex networks without the need for VPC peering.
At Aviatrix, we have fully embraced this new service. We spent the last several months working with AWS and their beta to add a layer of management, security, and orchestration. Our founder, Sherry Wei, was invited on stage at re:Invent to demonstrate this integration during the Networking Keynote, delivered by Dave Brown, VP of EC2 and Networking.
In the months since, we have worked with many customers to discuss and deploy the AWS Transit Gateway (TGW). Below we take a look at the top 10 things we have learned about this service and how you can get the most out of it.
1. What is the AWS Transit Gateway?
The Transit Gateway is a managed service from AWS that acts as a hub interconnecting VPCs and VPN connections within a single region.
2. Direct Connect Termination – it’s not (yet) Supported
Terminating Direct Connect on the Transit Gateway is not yet supported. You can only attach AWS VPN connections and VPCs to the Transit Gateway. Direct Connect support is planned to be available in the first half of 2019.
You can connect Direct Connect and your on-premises networks to your Transit Gateway with Aviatrix Transit Gateway Orchestrator.
3. AWS Transit Gateway runs on AWS HyperPlane
AWS HyperPlane is an internal service that powers AWS services such as NAT, PrivateLink, Load Balancers, and EFS. It was introduced publicly at AWS re:Invent 2017 and has been in production since 2015. AWS built Transit Gateway on top of this service.
You can learn more about AWS HyperPlane from the NET405 session at AWS re:Invent 2017.
4. Transit Gateway is Highly Scalable
Because of the tight integration with HyperPlane, Transit Gateway is highly scalable. With its launch, the Transit Gateway can support bandwidths up to 50 Gbps between it and each VPC attachment. And, each Transit Gateway supports up to 5,000 VPCs and 10,000 routes.
5. When Should I Use the Transit Gateway?
The common use cases for the Transit Gateway include:
Connecting multiple VPCs together in a mesh topology
Let’s look at a simple example for connecting four VPCs together before Transit Gateway using VPC Peering and after with Transit Gateway:
Connect many VPCs together in an isolated mesh topology
You may not want all VPCs to communicate with each other. But, rather, you may want a subset to communicate. A simple example of this is splitting dev and prod VPCs from each other.
The diagram below shows an example of this design using a Transit Gateway:
Share a single VPN connection
In small environments, you may want to share a single VPN connection among several VPCs. With the Transit Gateway this is easy:
6. Route Propagation Stops at the Transit Gateway
Routes learned from an attached on-premises VPN connection are propagated to the TGW route table but are not shared with the attached VPCs. This means you must manually update the route tables in your attached VPCs with the routes from your VPN connection (and eventually from any Direct Connect attachments).
For a small number of VPCs, this may not be a big issue, but for 100s of VPCs it will become very cumbersome. If you change the routes advertised from on-premises, you’ll need to manually update the route tables of all VPC attachments to match.
Aviatrix cloud network platform handles this all automatically.
7. VPCs with Overlapping CIDR Ranges cannot be Attached to Same Transit Gateway
AWS Transit Gateway does not support attaching two (or more) VPCs with the same CIDR.
Aviatrix can help if you need a way to connect these VPCs to the Transit Gateway.
8. Cross Region VPC Attachments are not Supported
Transit Gateway is a regional service. You can only attach VPCs from a single region to a Transit Gateway.
If this a requirement, check out how Aviatrix solves this with multi-region Transit Connectivity design.
9. AWS Transit Gateway uses the new AWS Resource Access Manager
The AWS Resource Access Manager allows you to access resources (i.e., the Transit Gateway) from multiple AWS accounts. This allows VPCs from any account to be attached to the same Transit Gateway.
10. Where Can I Learn more about Transit Gateway?
- Read about the Transit Gateway service at AWS
- Watch ‘Introducing AWS Transit Gateway‘ (NET331) from AWS re:Invent 2018
- Watch ‘Transit Gateway and Transit VPCs: Reference Architectures for Many VPCs‘ (NET402) from AWS re:Invent 2018
- Watch ‘Introduction to Transit Gateway‘ from AWS Online Tech Talks
- Email [email protected] and we’ll walk you through a complete demo
Become the cloud networking hero of your business.
See how Aviatrix can increase security and resiliency while minimizing cost, skills gap, and deployment time.