Transit Gateway vs VPC Peering vs PrivateLink
Compare Transit Gateway, VPC peering, and AWS PrivateLink for multi-VPC connectivity, service exposure, routing scale, overlapping CIDRs, segmentation, cost, and SAA-C03 traps.
After this, you will understand
This comparison prevents one of the biggest AWS networking mistakes: using full network connectivity when the requirement is only private service access, or using point-to-point links when the environment needs a transit hub.
Use VPC peering for simple direct VPC-to-VPC routing, Transit Gateway for scalable hub-and-spoke routing, and PrivateLink for private service access without full network routing.
Learners treat all private connectivity as equivalent and miss transitive routing, overlapping CIDR, route table scale, and service-only exposure requirements.
Ask whether the consumer needs network routing, many-to-many connectivity, hybrid transit, or just access to one private service.
Think before reading: Which option exposes a service privately without giving the consumer full network routing into the provider VPC?
Concepts Covered
- AWS Transit Gateway
- VPC peering
- AWS PrivateLink
- Hub-and-spoke networking
- Point-to-point connectivity
- Service-oriented private access
- Transitive routing
- Overlapping CIDR constraints
- Route table segmentation
- Multi-account networking traps
1. Plain-English Mental Model
Transit Gateway, VPC peering, and PrivateLink all connect private things, but they connect them at different scopes.
VPC peering connects two VPCs directly. It is point-to-point routing.
Transit Gateway connects many VPCs, VPNs, and Direct Connect paths through a central regional hub. It is hub-and-spoke routing.
PrivateLink exposes a specific service privately to consumers. It is service access, not full network access.
The short model is:
VPC peering = direct private routing between two VPCs
Transit Gateway = central routing hub for many networks
PrivateLink = private access to one service without full network routing
The exam wants you to choose the connectivity shape, not just the word that sounds private.
2. Why This Service Exists
AWS environments grow from one VPC into many VPCs across accounts, teams, Regions, and environments. Some networks need to communicate broadly. Some need only shared services. Some should never have full routing access to each other.
VPC peering exists for simple direct VPC connectivity.
Transit Gateway exists because large peering meshes become hard to operate and do not provide transitive routing.
PrivateLink exists because many designs only need consumers to reach a service, not the provider's whole network.
For SAA-C03, the right answer often depends on one phrase:
- "connect two VPCs" can be VPC peering
- "connect many VPCs and on-premises networks" points to Transit Gateway
- "expose a service privately to many consumers" points to PrivateLink
- "overlapping CIDR blocks" points away from peering and full routed transit
3. The Naive Approach And Where It Breaks
The naive approach is to peer every VPC with every other VPC:
VPC A <-> VPC B
VPC A <-> VPC C
VPC B <-> VPC C
VPC C <-> VPC D
This breaks at scale. Every new VPC adds connection requests, route table entries, security review, and operational drift. Peering is not transitive, so routing through an intermediate peered VPC is not supported.
Another naive approach is to use Transit Gateway for every private access problem. If a SaaS-like internal service needs to be exposed to dozens of accounts, Transit Gateway may provide too much network reachability. PrivateLink can expose only the service.
The reverse mistake is using PrivateLink when the requirement is full bidirectional network routing between many subnets. PrivateLink is not a general VPC router.
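An added example, not from the page, that models the peering rules this section and the next describe: a peering connection requires non-overlapping CIDRs, adds one route on each side, and is never transitive, while a full mesh grows as n(n-1)/2 links against n attachments for a hub. The VPC names and CIDRs are constructed.

```python
from ipaddress import ip_network

# Constructed topology (not from the page): four VPCs, with D deliberately
# overlapping A to exercise the non-overlapping-CIDR rule.
VPCS = {
    "A": "10.0.0.0/16",
    "B": "10.1.0.0/16",
    "C": "10.2.0.0/16",
    "D": "10.0.0.0/16",  # overlaps with A, so A<->D cannot be peered
}


def peering_allowed(cidr_a, cidr_b):
    """A VPC peering connection requires non-overlapping CIDR blocks."""
    return not ip_network(cidr_a).overlaps(ip_network(cidr_b))


def build_peering_routes(vpcs, peerings):
    """Return a route table per VPC for a list of (vpc, vpc) peerings.

    Each peering adds exactly one route on each side: the peer's CIDR
    pointing at the peering connection. Nothing else is learned.
    """
    routes = {name: {} for name in vpcs}
    for a, b in peerings:
        if not peering_allowed(vpcs[a], vpcs[b]):
            raise ValueError(f"cannot peer {a} and {b}: CIDRs overlap")
        pcx = f"pcx-{a}-{b}"
        routes[a][vpcs[b]] = pcx
        routes[b][vpcs[a]] = pcx
    return routes


def peering_reachable(routes, vpcs, src, dst):
    """Peering is not transitive: src reaches dst only via a direct route.

    A packet from A bound for C's CIDR is dropped at B even when A<->B and
    B<->C are both peered, because B does not forward peered traffic.
    """
    return routes[src].get(vpcs[dst]) is not None


def full_mesh_links(n):
    """Peering links needed for n VPCs to all reach each other directly."""
    return n * (n - 1) // 2


def hub_spoke_links(n):
    """Attachments needed when the same n VPCs hang off one Transit Gateway."""
    return n
```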
4. Core Primitives
VPC peering uses a peering connection, route table entries in both VPCs, non-overlapping CIDRs, and security controls on each side.
Transit Gateway uses a regional transit gateway, attachments, transit gateway route tables, associations, propagation, static routes, and sharing through AWS Resource Access Manager when used across accounts.
PrivateLink uses endpoint services, service names, interface endpoints, endpoint network interfaces, security groups, endpoint service permissions, acceptance behavior, private DNS, and sometimes Network Load Balancers or other supported provider-side configurations.
The routing implication is the key primitive:
peering = each VPC routes directly to the other VPC CIDR
Transit Gateway = VPCs route to a central attachment
PrivateLink = consumers connect to endpoint ENI IPs for a service
5. Architecture Use Cases
Use VPC peering for a small number of VPCs that need direct private communication and have non-overlapping CIDRs.
Use Transit Gateway for hub-and-spoke multi-VPC connectivity, many account networks, centralized shared services, hybrid connectivity to multiple VPCs, or central inspection patterns.
Use PrivateLink when a provider VPC exposes one application or service to consumers in other VPCs or accounts without giving those consumers routed access to the whole provider VPC.
Use PrivateLink when CIDR overlap prevents peering or Transit Gateway routing, but the requirement is service access rather than broad subnet access.
Use Transit Gateway with VPN or Direct Connect when on-premises networks need scalable access to many VPCs.
Use peering when the environment is small and the simplicity beats the overhead and cost of a transit hub.
7. Security Model
VPC peering creates private routed connectivity between VPC CIDR ranges. Security groups, NACLs, route tables, and resource-level controls still decide what is actually reachable.
Transit Gateway security is heavily route-table driven. Associations and propagations decide which attachments can route to which destinations. A flat route table can accidentally create broad connectivity.
PrivateLink security is service-oriented. Consumers get access to the endpoint service, not automatic access to the provider VPC CIDR. Providers can control allowed principals and acceptance behavior. Consumers control endpoint security groups and endpoint policies where supported.
PrivateLink can reduce blast radius because the consumer does not need routes to every subnet in the provider VPC.
For all three, IAM controls who can create or modify connectivity. Network reachability is not the same as application authorization.
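An added example, not from the page, that models the Transit Gateway primitives from section 4 (attachments, route tables, associations, propagations) to show the segmentation point above: a single flat route table lets every attachment reach every other, while separate route tables with selective propagation confine prod and dev to the shared-services VPC. Attachment names and CIDRs are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed VPC attachments (not from the page): attachment name -> CIDR.
ATTACHMENTS = {"prod": "10.10.0.0/16", "dev": "10.20.0.0/16",
               "shared": "10.30.0.0/16"}


def build_tgw(attachments, associations, propagations):
    """Model a Transit Gateway's routing state.

    associations: attachment -> the one TGW route table used to look up
        traffic arriving from that attachment.
    propagations: route table -> attachments propagating into it; each
        propagation installs that attachment's CIDR as a route.
    """
    tables = {rt: {attachments[att]: att for att in atts}
              for rt, atts in propagations.items()}
    return {"associations": associations, "tables": tables}


def lookup(table, dst_ip):
    """Longest-prefix match over one TGW route table; None if no route."""
    ip = ip_address(dst_ip)
    matches = [(ip_network(cidr), att) for cidr, att in table.items()
               if ip in ip_network(cidr)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def tgw_next_hop(tgw, src_attachment, dst_ip):
    """Attachment that receives traffic sent from src_attachment to dst_ip."""
    rt = tgw["associations"][src_attachment]
    return lookup(tgw["tables"].get(rt, {}), dst_ip)


# Flat design: one route table that everything propagates into, so every
# attachment can reach every other attachment (prod is reachable from dev).
FLAT = build_tgw(
    ATTACHMENTS,
    associations={"prod": "main", "dev": "main", "shared": "main"},
    propagations={"main": ["prod", "dev", "shared"]},
)

# Segmented design: prod and dev each learn only the shared-services CIDR;
# the shared table learns both so return traffic still has a route.
SEGMENTED = build_tgw(
    ATTACHMENTS,
    associations={"prod": "prod-rt", "dev": "dev-rt", "shared": "shared-rt"},
    propagations={"prod-rt": ["shared"], "dev-rt": ["shared"],
                  "shared-rt": ["prod", "dev"]},
)
```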
8. Reliability And Resilience
VPC peering uses AWS private infrastructure and has no separate appliance you manage, but your route tables, DNS, and application dependencies still need resilient design.
Transit Gateway is managed and highly available within a Region, but attachments, route tables, hybrid links, inspection VPCs, and downstream services are still part of the reliability story.
PrivateLink reliability depends on endpoint placement and provider service health. Interface endpoints should be deployed in the AZs where clients need them, and provider services should be multi-AZ when availability matters.
Centralized designs can create centralized failure modes. A Transit Gateway inspection path or shared services VPC must be designed with multi-AZ capacity and clear failover behavior.
Service-oriented designs can fail if DNS, endpoint ENI security groups, provider NLB targets, or the endpoint acceptance state are misconfigured.
9. Performance And Scaling
VPC peering is simple and direct for small topologies. It can become operationally complex as the number of VPCs grows.
Transit Gateway scales the topology by replacing many pairwise links with a hub. It may add data processing charges and route-table design complexity, but it is easier to operate for many networks.
PrivateLink scales service consumption. Many consumers can connect to one provider service without route exchange across all VPCs.
Peering and Transit Gateway are routing technologies. They enable IP reachability. PrivateLink is endpoint-based service reachability.
For performance-sensitive applications, compare directness, cross-AZ paths, regional paths, endpoint placement, and inspection layers. The simplest diagram is not always the lowest-latency path.
10. Cost Model
VPC peering has no charge to create the connection, but data transfer charges can apply across Availability Zones and Regions.
Transit Gateway commonly charges for attachment hours and data processing, with additional costs possible for VPN, Direct Connect, inspection services, and data transfer.
PrivateLink commonly charges for endpoint hours and data processing. Providers and consumers may each have cost considerations depending on the design.
For two VPCs, peering may be cheaper and simpler. For many VPCs, Transit Gateway can reduce operational complexity even if the service bill is higher. For service exposure, PrivateLink can avoid the cost and risk of broad network connectivity.
The exam rarely asks for pure price in isolation. It asks for the most appropriate design under constraints.
12. SAA-C03 Exam Signals
"Connect two VPCs using private IP addresses" can point to VPC peering.
"VPC peering is not transitive" points away from peering when many networks need to route through a hub.
"Connect many VPCs and on-premises networks" points to Transit Gateway.
"Hub-and-spoke network architecture" points to Transit Gateway.
"Expose a service privately to consumers in other VPCs or accounts" points to PrivateLink.
"Overlapping CIDR blocks but only service access is required" points to PrivateLink.
"Need full network routing between many VPCs" points to Transit Gateway, not PrivateLink.
13. Common Exam Traps
Do not use VPC peering for transitive routing.
Do not ignore overlapping CIDR restrictions for peering and routed network designs.
Do not use Transit Gateway when consumers only need access to one service and broad routing would violate least privilege.
Do not use PrivateLink when the requirement is broad bidirectional subnet connectivity.
Do not forget route tables on both sides of VPC peering.
Do not assume Transit Gateway route propagation automatically creates the security segmentation you want.
Do not confuse private connectivity with authorization. Applications still need authentication and resource permissions.
15. Related Topics
Review AWS Transit Gateway, VPC Endpoints And PrivateLink, AWS Direct Connect, and Hybrid Network Connectivity To AWS.