Introduction to AWS Transit Gateway

What is Transit Gateway and why do we need it?

What is AWS Transit Gateway?

AWS Transit Gateway is a network hub that connects your Virtual Private Clouds (VPCs) and on-premises networks through a central point.

Think of it as a cloud router that sits in the middle of your network. Instead of connecting every VPC directly to every other VPC, you connect each VPC to the Transit Gateway once. The Transit Gateway routes traffic between connected networks based on configured route tables.

Imagine an airport hub.

Instead of having direct flights between every pair of cities (which would need thousands of routes), airlines use hub airports. You fly from your city to the hub, then from the hub to your destination.

Transit Gateway works the same way - it's the hub for your AWS network.

What Can You Connect to Transit Gateway?

VPCs - Your AWS Virtual Private Clouds
VPN Connections - Site-to-Site VPN from your office/data center
AWS Direct Connect - Dedicated network connection (via a Direct Connect Gateway)
Other Transit Gateways - In different AWS regions

Transitive Routing is Transit Gateway's superpower.

Connected networks can communicate with each other if routing is explicitly configured to allow it. For example: VPC-A can reach VPC-B, VPC-B can reach your office, which means VPC-A can also reach your office - all through the Transit Gateway.

This is called "transitive routing." Transitive routing is not automatic; it works only when route tables are configured to allow it.

The Problem: VPC Peering Doesn't Scale

Before Transit Gateway, if you wanted to connect VPCs, you used VPC Peering. VPC Peering creates a direct connection between two VPCs.

Sarah's Story:

Sarah is a cloud engineer at a growing company. Three years ago, her company had 3 VPCs:

Production VPC
Development VPC
Testing VPC

She connected them with VPC Peering. It was simple - just 3 peering connections needed.

Today, the company has 50 VPCs.

To connect them all with VPC Peering, Sarah would need to create 1,225 peering connections!

Managing this became impossible. Every time a new VPC was added, she had to update routes in 49 other VPCs. One mistake caused a 2-hour outage.

The Math Problem

The formula for VPC Peering connections is: N × (N-1) / 2

Where N = number of VPCs

VPC Peering: The Connection Explosion

❌ With VPC Peering

• 5 VPCs = 10 connections
• 10 VPCs = 45 connections
• 20 VPCs = 190 connections
• 50 VPCs = 1,225 connections

✅ With Transit Gateway

• 5 VPCs = 5 attachments
• 10 VPCs = 10 attachments
• 20 VPCs = 20 attachments
• 50 VPCs = 50 attachments

Problems with VPC Peering at Scale

1. No Transitive Routing

If VPC-A connects to VPC-B, and VPC-B connects to VPC-C, VPC-A cannot reach VPC-C through VPC-B. You must create a direct connection between A and C.

2. Route Table Chaos

Each VPC needs a separate route for every other VPC. With 50 VPCs, each VPC's route table has 49 entries just for peering!

3. Management Nightmare

Adding or removing a VPC means updating routes in dozens of other VPCs. One mistake = outage.

→ VPC Peering has no hourly cost, only data transfer charges
→ Transit Gateway has hourly cost per attachment + data processing fee
→ VPC Peering is simpler for connecting just a few VPCs
→ Transit Gateway simplifies management when you have many VPCs
→ Transit Gateway is a regional service
→ Transitive routing requires configuring route tables - it's not automatic

How Transit Gateway Solves This

Transit Gateway replaces the mesh of peering connections with a simple hub-and-spoke model.

Transit Gateway: Hub and Spoke Model

Instead of connecting every VPC to every other VPC:

You create ONE Transit Gateway in your region
You connect each VPC to the Transit Gateway (called an "attachment")
You connect your on-premises network to the Transit Gateway
The Transit Gateway routes traffic between all networks

The Big Difference:

With 50 VPCs:

VPC Peering: 1,225 connections to create and manage
Transit Gateway: 50 attachments to create and manage

That's a 96% reduction in complexity!

Quick Summary

Transit Gateway is a network hub that connects VPCs and on-premises networks
It acts like a cloud router in the middle of your network
VPC Peering creates N(N-1)/2 connections - grows very fast as VPCs increase
Transit Gateway creates N attachments - grows linearly
VPC Peering has NO transitive routing
Transit Gateway HAS transitive routing - but requires route table configuration
VPC Peering: No hourly cost, only data transfer charges
Transit Gateway: Hourly cost per attachment + data processing fee
VPC Peering is simpler for a few VPCs, Transit Gateway for many VPCs
Transit Gateway is a regional service

← Back to Topics Next: Core Components →