Cloud & Engineering

Sumit Gaur

Simplification of AWS networking scenarios using Transit Gateway

Posted by Sumit Gaur on 11 August 2020

Cloud Strategy, Microservices, aws, Infrastructure as Code, Networking, cloud computing, cloud infrastructure, Infrastructure, transit gateway, multicloud, multi-VPC, Hybrid-cloud, multi-Account, AWS VPC, VPC peering, Inter-Account, Inter-Region, On-premises, Multicast

The purpose of this blog is to help readers understand various scenarios where we can use Amazon Web Services (AWS) network component Transit Gateway and optimise the platform architecture by simplification of network components.

AWS Transit Gateway enables efficient network connectivity and routing for AWS's multi-VirtualPrivateCloud (VPC), multi-account and hybrid-cloud scenarios. Transit Gateway provides ways to combine one or many AWS VPCs and AWS VirtualPrivateNetwork (VPNs) in the same or different regions. A Transit Gateway can also be shared between different AWS accounts or organisations.

In short, AWS Transit Gateway is a simplified networking component to resolve challenges around resource sharing, inter-VPC connectivity and on-premise location to AWS VPC connectivity. Transit Gateway controls how traffic is routed among all the connected networks using route tables, which removes complex routing challenges as there are fewer components to manage when compared to other solutions like VPC peering and Transit VPC. 

Let's discuss various network communication scenarios which could be simplified using AWS Transit Gateway.

Various networks

AWS Transit Gateway Usage Scenerios

Inter-Account Communication 

The AWS Resource Access Manager is used to share the Transit Gateway of one account with other accounts in the same organisation. Once shared, the Transit Gateway can be used with other AWS accounts - the account owner can attach/detach their VPCs to the shared Transit Gateway as they see fit.

Inter-Region Communication 

This scenario requires us to create a Transit Gateway in both regions. To start traffic between the AWS VPCs of different regions, we need to create a peering connection attachment between the Transit Gateways (here I should note that peering supports static routing only). With Transit Gateway we only need to maintain a single connection. This allows for easy maintenance when one considers the previous complex solutions at play like VPC peering. The Transit Gateway inter-region connection capability also brings the benefit of a single global network spanning across multiple AWS Regions. This single global network increases the network security and reduces the chance of a single point of failure. 

On-premises Data Centre to AWS Cloud Communication 

A Direct Connection gateway is needed for establishing a dedicated connection to AWS from on-premises or enterprise data centres. A Direct Connect gateway allows AWS Direct Connect users to connect Transit Gateway in the same or a different AWS Region. An attachment to a Direct Connect gateway uses a Transit Gateway association. Please note that you cannot use the Resource Access Manager to associate a AWS Transit Gateway with a Direct Connect Gateway.

Multicast Communication

Multicast on a Transit Gateway can be enabled at the time of creation and then used to create a Transit Gateway multicast domain. This allows multicast traffic to be sent from a multicast source to all multicast group members over VPC attachments that are associated with the domain. Multicast domain membership is defined at the subnet level. Enabling a Transit Gateway for multicast forwarding can only be done at the time a Transit Gateway is created. An existing gateway cannot be modified to enable multicast. Multicast routing is not supported over AWS Direct Connect, AWS Site-to-Site VPN or peering attachments.

Transit Gateway Deployment

The below resources are needed to deploy and configure for Transit Gateway:

  • Transit Gateway
  • Transit Gateway attachment (VPC, VPN and DirectConnect)
  • Transit Gateway route table
  • Attachment association with route table
  • Routes pointing to attachments

 The route table decides the next hop for the traffic coming from the resource attachment. For example, Development VPCs can be associated with one route table and Production VPCs with a different route table. This enables network segmentation for traffic.

Associating an attachment to a route table allows traffic to be sent from the attachment to the target route table. An attachment can only be associated to one route table.

Propagation allows routes to be propagated from an attachment to a target Transit Gateway route table. An attachment can be propagated to multiple route tables.

Transit Gateway Design

Wrap Up

In this blog post, we have outlined the required resources for Transit Gateway deployment and also different scenarios where an AWS Transit Gateway can be of benefit. Within AWS architecture, we should restrict ourselves with just one Transit Gateway in a region, connecting all the VPCs and VPNs using Transit Gateway routing tables to isolate them wherever needed. This is due to the fact that we cannot peer Transit Gateways in a single region coupled with the fact that we can only connect a max of 3 Transit Gateways over a single Direct Connect for hybrid connectivity. Thus, Transit Gateway provides a far less complex network component by remaining easy to use and maintain when one compares it with other solutions.



If you like what you read, join our team as we seek to solve wicked problems within Complex Programs, Process Engineering, Integration, Cloud Platforms, DevOps & more!


Have a look at our opening positions in Deloitte. You can search and see which ones we have in Cloud & Engineering.


Have more enquiries? Reach out to our Talent Team directly and they will be able to support you best.

Leave a comment on this blog: