AWS Services

AWS Transit Gateway

Understand Transit Gateway as a regional network transit hub, including VPC attachments, route tables, VPN, Direct Connect, peering, segmentation, and exam signals.

Foundation | 6 min read | Updated 2026-06-02 | Tags: Cloud, Certification, Networking, Security, Operations

Key terms: Transit Gateway, Attachment, Transit Gateway Route Table, Route Propagation, Route Association, VPC Attachment, VPN Attachment, Direct Connect Gateway

After this, you will understand

Transit Gateway turns many-to-many VPC and hybrid connectivity from a mesh problem into a hub-and-spoke routing problem.

Plain version

AWS Transit Gateway is a regional network hub that connects VPCs, VPNs, and Direct Connect paths through attachments and route tables.

Decision pressure

Learners keep adding VPC peering links and discover that peering is not transitive and becomes hard to manage at scale.

Exam-ready model

Use Transit Gateway when many VPCs, accounts, or hybrid networks need centralized, scalable routing and segmentation.

Think before reading: Why does Transit Gateway often replace a large VPC peering mesh?
Transit Gateway provides a central transit hub with attachments and route tables, while VPC peering is point-to-point and not transitive.


Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. AWS Direct Connect (aws-services)
  2. AWS Site-to-Site VPN (aws-services)

Concepts Covered

  • AWS Transit Gateway
  • VPC attachments
  • VPN attachments
  • Direct Connect gateway integration
  • Transit Gateway route tables
  • Route association and propagation
  • Network segmentation
  • Central inspection patterns
  • Transit Gateway peering
  • Transit Gateway versus VPC peering and PrivateLink

1. Plain-English Mental Model

AWS Transit Gateway is a regional network transit hub.

The simple model is:

VPCs, VPNs, and Direct Connect paths -> Transit Gateway -> route tables -> destinations

Without Transit Gateway, teams often connect VPCs one pair at a time using VPC peering. That creates a mesh. Every new VPC needs more connections, more route tables, and more security review.

Transit Gateway turns that mesh into hub-and-spoke routing. VPCs and hybrid connections attach to the gateway. Transit Gateway route tables decide which attachments can talk to which other attachments.

It is a networking service for connectivity at scale.

2. Why This Service Exists

AWS environments rarely stay as one VPC.

Production, development, shared services, security tooling, analytics, networking, and partner connectivity may all live in separate VPCs or accounts. On-premises networks may need access too. VPC peering works for a small number of direct connections, but it is point-to-point and not transitive.

Transit Gateway exists to simplify multi-VPC and hybrid routing.

For SAA-C03, Transit Gateway appears in questions about connecting many VPCs, connecting VPCs to on-premises networks, replacing complex VPC peering meshes, central inspection VPCs, hub-and-spoke networking, route table segmentation, and scalable hybrid connectivity.

It does not replace PrivateLink for private service exposure. PrivateLink is better when the requirement is private access to a service without full network routing.

3. The Naive Approach And Where It Breaks

The naive pattern is VPC peering everywhere:

VPC A <-> VPC B
VPC A <-> VPC C
VPC B <-> VPC C
VPC C <-> VPC D

This breaks because every new VPC increases route and connection complexity. Peering is not transitive, so VPC A cannot reach VPC C through VPC B. Overlapping CIDRs are not allowed. Central inspection becomes difficult.

Another naive pattern is one VPN per VPC from on-premises. That creates many tunnels, inconsistent routing, and operational overhead.

Transit Gateway centralizes the routing problem, but it also requires careful route table design. A poorly designed Transit Gateway can accidentally connect networks that should be segmented.

4. Core Primitives

A Transit Gateway is the regional transit hub.

An attachment connects something to the Transit Gateway. The attachment types are VPC, VPN, Direct Connect gateway, peering, and Connect attachments; which ones appear depends on the design.

A Transit Gateway route table controls routing between attachments.

Route table association links an attachment to the route table used for traffic leaving that attachment.

Route propagation automatically adds routes from attachments into selected route tables.

Static routes can be added manually.

Transit Gateway peering can connect Transit Gateways in different Regions.

AWS Resource Access Manager can share Transit Gateways across accounts.

5. Architecture Use Cases

Use Transit Gateway for hub-and-spoke multi-VPC connectivity:

spoke VPCs -> Transit Gateway -> shared services VPC

Use separate route tables for segmentation:

prod route table -> prod shared services only
dev route table -> dev shared services only
security route table -> inspection paths

Use Transit Gateway with Site-to-Site VPN when on-premises networks need access to multiple VPCs.

Use Transit Gateway with Direct Connect gateway for private dedicated connectivity to many VPCs.

Use an inspection VPC pattern with Network Firewall when traffic between VPCs or to the internet must be inspected centrally.

Use PrivateLink instead when consumers only need access to a specific service and not full routed network connectivity.

7. Security Model

Transit Gateway security is route-table security.

If attachments share a route table and routes point to each other, networks can communicate. If they are isolated in separate route tables, they may not.

Use segmentation deliberately. Do not put every attachment into one flat route table unless full connectivity is intended.

VPC security groups, NACLs, route tables, Network Firewall, and IAM still matter. Transit Gateway creates a path, but endpoints and resources still need to allow traffic.

Sharing Transit Gateway across accounts should be controlled through AWS RAM and account governance.

Logs and flow visibility should be planned using VPC Flow Logs, Transit Gateway Flow Logs where available, and centralized observability.

8. Reliability And Resilience

Transit Gateway is managed and highly available within a Region, but attachment and routing design still matter.

VPC attachments should include subnets in multiple Availability Zones where workloads require resilience.

Hybrid connectivity should use redundant VPN tunnels, multiple Direct Connect connections, or resilient combinations depending on requirements.

Route propagation mistakes can cause outages or unexpected connectivity.

Central inspection can become a critical path. If all traffic routes through an inspection VPC, that inspection design must be multi-AZ and operationally mature.
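A check for the multi-AZ attachment point above, added here as an example and not taken from the page or from AWS: given attachment and subnet inventories shaped like the fields of describe_transit_gateway_vpc_attachments and describe_subnets (the sample data is constructed and the IDs are placeholders), it flags attachments whose subnets all sit in one Availability Zone, including the trap of two subnets that happen to share an AZ.

```python
# Added example: flag Transit Gateway VPC attachments that live in a single Availability Zone.
# Constructed inventory; the dict keys mirror describe_transit_gateway_vpc_attachments
# and describe_subnets so a real collector (boto3, assumed) could feed this unchanged.

SUBNETS = [  # constructed subnet -> AZ mapping; IDs are placeholders
    {"SubnetId": "subnet-placeholder-1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-placeholder-2", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-placeholder-3", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-placeholder-4", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-placeholder-5", "AvailabilityZone": "us-east-1a"},
]

ATTACHMENTS = [  # constructed attachment inventory
    {"TransitGatewayAttachmentId": "tgw-attach-prod-a", "VpcId": "vpc-prod-a",
     "SubnetIds": ["subnet-placeholder-1", "subnet-placeholder-2"]},   # two AZs: fine
    {"TransitGatewayAttachmentId": "tgw-attach-dev-a", "VpcId": "vpc-dev-a",
     "SubnetIds": ["subnet-placeholder-3"]},                           # one subnet: single AZ
    {"TransitGatewayAttachmentId": "tgw-attach-legacy", "VpcId": "vpc-legacy",
     "SubnetIds": ["subnet-placeholder-4", "subnet-placeholder-5"]},   # two subnets, same AZ
]


def attachment_azs(attachments, subnets):
    """Map each attachment to the sorted set of AZs its attachment subnets cover."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    return {a["TransitGatewayAttachmentId"]: sorted({az_of[sid] for sid in a["SubnetIds"]})
            for a in attachments}


def single_az_attachments(attachments, subnets, minimum_azs=2):
    """Attachment IDs covering fewer than minimum_azs zones; subnet count alone is not enough."""
    return sorted(att for att, azs in attachment_azs(attachments, subnets).items()
                  if len(azs) < minimum_azs)


if __name__ == "__main__":
    for att, azs in attachment_azs(ATTACHMENTS, SUBNETS).items():
        print(att, azs)
    print("needs a second AZ:", single_az_attachments(ATTACHMENTS, SUBNETS))
```

The legacy attachment is the interesting case: it has two subnets, so a count-based check passes it, yet both subnets are in us-east-1a and the attachment offers no resilience if that zone fails.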

9. Performance And Scaling

Transit Gateway scales better than large peering meshes.

However, central routing can add data processing charges and latency compared with direct paths.

Traffic between VPCs through Transit Gateway is not the same as local VPC traffic. Account for throughput, routing, inspection, and data transfer.

Large environments need route table discipline. Too many propagated routes without segmentation can become difficult to understand.

Use route tables to model intent: shared services, production, non-production, inspection, hybrid, and isolated zones.

10. Cost Model

Transit Gateway costs commonly include attachment hours and data processing charges.

VPN, Direct Connect, cross-AZ, cross-Region, Network Firewall, NAT, and data transfer charges can also apply depending on architecture.

Transit Gateway may cost more than simple peering for a tiny environment, but it can reduce operational cost at scale.

Cost questions often hinge on scale. Two VPCs may use peering. Many VPCs and hybrid networks usually point to Transit Gateway.

12. SAA-C03 Exam Signals

"Connect many VPCs" points to Transit Gateway.

"Hub-and-spoke network architecture" points to Transit Gateway.

"VPC peering mesh is hard to manage" points to Transit Gateway.

"Connect on-premises to multiple VPCs" points to Transit Gateway with VPN or Direct Connect.

"Need transitive routing" points to Transit Gateway, not VPC peering.

"Private access to one service without full routing" points to PrivateLink.

"Overlapping VPC CIDRs" may point away from Transit Gateway and toward PrivateLink if only service access is needed.

13. Common Exam Traps

Do not use VPC peering when transitive routing is required.

Do not assume Transit Gateway route tables are automatically secure.

Do not confuse Transit Gateway with PrivateLink.

Do not forget that both Transit Gateway route tables and VPC subnet route tables need routes: the subnet route table must send traffic to the Transit Gateway attachment, and the Transit Gateway route table must forward it on.

Do not ignore cost for small two-VPC scenarios.

Do not build centralized inspection without resilient inspection paths.

Review VPC Networking Model, VPC Endpoints And PrivateLink, AWS Direct Connect, AWS Site-to-Site VPN, and AWS Network Firewall.
