Updated June 23, 2025

AWS Transit Gateway: A Comprehensive Cheat Sheet

What is AWS Transit Gateway? (And Why Use It?)

AWS Transit Gateway is a networking service that acts as a central cloud router to simplify your network connectivity. It provides a single point—a "hub"—to which you connect your Amazon Virtual Private Clouds (VPCs), on-premises networks (via VPN or Direct Connect), and other Transit Gateways as "spokes" in a hub-and-spoke model.

The primary problem Transit Gateway solves is network complexity at scale. Before Transit Gateway, connecting many VPCs required a full mesh of VPC Peering connections, which grows as n(n-1)/2 for n VPCs. For example, connecting 5 VPCs required 10 separate peering connections. Transit Gateway replaces this mesh with a simple hub-and-spoke design in which each VPC needs only one connection to the central gateway.

Core Concepts: Understanding TGW Routing

Routing within a Transit Gateway is controlled by four key concepts: Attachments, TGW Route Tables, Associations, and Propagations.

Attachments

An attachment is simply the connection from a network to the Transit Gateway. You can create several types of attachments:

  • VPC

  • VPN (for on-premises connectivity)

  • AWS Direct Connect (via a Transit VIF)

  • Peering Connection (to another Transit Gateway)

TGW Route Tables

Similar to a VPC route table, a Transit Gateway route table determines the next hop for traffic based on its destination IP address. However, whereas each subnet in a VPC uses a single route table, a Transit Gateway allows you to create multiple route tables. This lets you build isolated routing domains within a single gateway (e.g., a "production" route table and a "non-production" route table): attachments in one domain cannot reach attachments in the other unless a route is installed that connects them.

Associations

An Association links an attachment to a single Transit Gateway route table. This association determines which route table the attachment uses for its routing decisions. When traffic enters the Transit Gateway from an attachment, the gateway looks up the destination in that attachment's associated route table to decide where to forward it.

Propagations

A Propagation dynamically adds routes from an attachment to a specified Transit Gateway route table. When you create a propagation, you are telling the Transit Gateway: "Take the routes from this VPC (or VPN) and install them into this route table so other attachments can find them." You can also add static routes manually.

Key Relationship: Every attachment must be associated with exactly one route table. An attachment can propagate its routes to one or more route tables.
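To make the association/propagation semantics concrete, here is an added example (not AWS code, and not part of the original cheat sheet) that models a Transit Gateway in plain Python: each attachment is associated with exactly one route table, an attachment may propagate its prefixes into any number of tables, and a packet is routed by a longest-prefix lookup in the ingress attachment's associated table. All attachment IDs, table names and CIDRs are constructed. The segmented gateway it builds shows the isolation point made above: a "dev" VPC that is only associated with a non-production table cannot reach the production VPCs, even though all of them hang off the same gateway.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Attachment:
    """A network attached to the TGW and the prefixes it advertises."""
    attachment_id: str
    kind: str            # "vpc", "vpn", "dx" or "peering"
    cidrs: list


@dataclass
class RouteTable:
    """A TGW route table: prefix -> attachment id used as next hop."""
    name: str
    routes: dict = field(default_factory=dict)


class TransitGateway:
    """Toy model of TGW routing semantics (constructed for illustration)."""

    def __init__(self):
        self.attachments = {}
        self.route_tables = {}
        self.associations = {}   # attachment id -> name of its ONE route table

    def add_attachment(self, attachment):
        self.attachments[attachment.attachment_id] = attachment

    def create_route_table(self, name):
        self.route_tables[name] = RouteTable(name)

    def associate(self, attachment_id, table_name):
        # Exactly one association per attachment: this is the table consulted
        # for traffic ENTERING the gateway from that attachment.
        if attachment_id in self.associations:
            raise ValueError(f"{attachment_id} is already associated")
        self.associations[attachment_id] = table_name

    def propagate(self, attachment_id, table_name):
        # Install the attachment's prefixes into a table so that attachments
        # using that table can reach it. One attachment may propagate to many.
        table = self.route_tables[table_name]
        for cidr in self.attachments[attachment_id].cidrs:
            table.routes[ip_network(cidr)] = attachment_id

    def add_static_route(self, table_name, cidr, attachment_id):
        # Static routes are installed by hand rather than learned by propagation.
        self.route_tables[table_name].routes[ip_network(cidr)] = attachment_id

    def next_hop(self, ingress_attachment_id, dst_ip):
        """Return the attachment traffic is forwarded to, or None if it is dropped."""
        table_name = self.associations.get(ingress_attachment_id)
        if table_name is None:
            return None                     # unassociated attachment: nothing to consult
        addr = ip_address(dst_ip)
        matches = [(net, att) for net, att in self.route_tables[table_name].routes.items()
                   if addr in net]
        if not matches:
            return None                     # no matching route: traffic is dropped
        _, att = max(matches, key=lambda m: m[0].prefixlen)   # longest prefix wins
        return att


def build_segmented_gateway():
    """Two routing domains (prod, non-prod) plus an on-prem VPN; all values constructed."""
    tgw = TransitGateway()
    tgw.add_attachment(Attachment("tgw-attach-prod-a", "vpc", ["10.1.0.0/16"]))
    tgw.add_attachment(Attachment("tgw-attach-prod-b", "vpc", ["10.2.0.0/16"]))
    tgw.add_attachment(Attachment("tgw-attach-dev", "vpc", ["10.3.0.0/16"]))
    tgw.add_attachment(Attachment("tgw-attach-onprem", "vpn", ["192.168.0.0/16"]))
    for name in ("prod-rt", "nonprod-rt", "onprem-rt"):
        tgw.create_route_table(name)

    # Associations: which table each attachment's inbound traffic is looked up in.
    tgw.associate("tgw-attach-prod-a", "prod-rt")
    tgw.associate("tgw-attach-prod-b", "prod-rt")
    tgw.associate("tgw-attach-dev", "nonprod-rt")
    tgw.associate("tgw-attach-onprem", "onprem-rt")

    # Propagations: prod VPCs are visible to each other and to on-prem;
    # the dev VPC is visible only to on-prem; nothing from prod enters nonprod-rt.
    for att in ("tgw-attach-prod-a", "tgw-attach-prod-b"):
        tgw.propagate(att, "prod-rt")
        tgw.propagate(att, "onprem-rt")
    tgw.propagate("tgw-attach-dev", "onprem-rt")
    tgw.propagate("tgw-attach-onprem", "prod-rt")

    # Static route: dev may reach one on-prem subnet only, instead of the whole /16.
    tgw.add_static_route("nonprod-rt", "192.168.10.0/24", "tgw-attach-onprem")
    return tgw


if __name__ == "__main__":
    gw = build_segmented_gateway()
    for src, dst in [("tgw-attach-prod-a", "10.2.5.5"), ("tgw-attach-dev", "10.1.0.10"),
                     ("tgw-attach-dev", "192.168.10.5"), ("tgw-attach-dev", "192.168.20.5")]:
        print(f"{src} -> {dst}: next hop {gw.next_hop(src, dst)}")
```

The useful habit this models is auditing reachability from the route tables rather than from intent: a VPC is reachable from a given attachment only if its prefix has been propagated or statically added into the table that attachment is associated with, so listing each table's routes is the quickest way to confirm that "non-production" really cannot reach "production".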

Transit Gateway vs. VPC Peering

| Feature | AWS Transit Gateway | VPC Peering |
| :--- | :--- | :--- |
| Topology | Hub and Spoke. Centralized and simple. | Full Mesh. Complex and scales poorly. |
| Transitivity | Yes. Resources in Spoke A can talk to Spoke B via the Hub. | No. Peering is a 1:1 relationship and is not transitive. |
| Management | Centralized routing control in one place. | Decentralized; each peering connection is managed individually. |
| On-Premises | A single connection (VPN/DX) can connect to all VPCs. | Requires separate connections for each VPC. |
| Use Case | Best for networks with more than a handful of VPCs. | Simple and cost-effective for a small number of VPCs. |

Connectivity and Integration

Connecting VPCs

You can connect thousands of VPCs to a single Transit Gateway. Using AWS Resource Access Manager (RAM), you can share your Transit Gateway with other AWS accounts, allowing them to attach their VPCs to your central gateway.

Connecting On-Premises Networks (VPN & Direct Connect)

  • VPN: You can create a VPN attachment to connect your on-premises network. For higher bandwidth, you can use Equal-Cost Multi-Path (ECMP) routing over multiple VPN tunnels.

  • AWS Direct Connect: To connect via Direct Connect, you must use a Transit Virtual Interface (Transit VIF) on your connection. A Transit VIF allows you to access one or more Transit Gateways, simplifying connectivity to thousands of VPCs. You can use Transit VIFs with 1/2/5/10 Gbps Direct Connect connections.

Inter-Region Peering

You can create a peering connection between Transit Gateways in different AWS Regions. This allows you to build a global network and route traffic between attachments in different regions, with all traffic staying on the AWS global backbone.

Advanced Features

Equal-Cost Multi-Path (ECMP) Routing

For VPN attachments, you can enable ECMP. This allows the Transit Gateway to distribute traffic over multiple VPN tunnels, effectively aggregating their bandwidth and providing increased redundancy.

Multicast Support

You can enable multicast on a Transit Gateway, which is often required for legacy on-premises applications. This allows a source to send a single packet that is then distributed to multiple subscribed recipients, which is more efficient than sending multiple unicast packets.