VPC TGW
Transit Gateways
Amazon Virtual Private Cloud Transit Gateways
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is a Transit Gateway? ................................................................................................................. 1
Transit Gateway Concepts ........................................................................................................... 1
Working with Transit Gateways .................................................................................................... 1
Pricing ...................................................................................................................................... 1
How Transit Gateways Work ................................................................................................................ 2
Resource Attachments ................................................................................................................ 2
Availability Zones ....................................................................................................................... 2
Routing ..................................................................................................................................... 2
Route Tables ..................................................................................................................... 2
Route Table Association ...................................................................................................... 2
Route Propagation ............................................................................................................. 3
Scenarios ................................................................................................................................... 3
Centralized Router ............................................................................................................. 3
Isolated Routers ................................................................................................................. 3
Edge Consolidator .............................................................................................................. 3
Getting Started .................................................................................................................................. 4
Prerequisites .............................................................................................................................. 4
Step 1: Create the Transit Gateway .............................................................................................. 4
Step 2: Attach Your VPCs to Your Transit Gateways ........................................................................ 5
Step 3: Add Routes between the Transit Gateway and your VPCs ...................................................... 5
Step 4: Testing the Transit Gateway ............................................................................................. 6
Step 5: Delete the Transit Gateway .............................................................................................. 6
Working with Transit Gateways ............................................................................................................ 7
Transit Gateways ........................................................................................................................ 7
Create a Transit Gateway .................................................................................................... 7
View Your Transit Gateways ................................................................................................. 8
Add or edit tags for a transit gateway .................................................................................. 8
Sharing a Transit Gateway ................................................................................................... 9
Accepting a Resource Share ................................................................................................. 9
Delete a Transit Gateway .................................................................................................... 9
Transit Gateway Attachments to a VPC ....................................................................................... 10
Create a Transit Gateway Attachment to a VPC .................................................................... 10
View Your VPC Attachments .............................................................................................. 10
Delete a VPC Attachment .................................................................................................. 11
Transit Gateway Attachments to a Direct Connect Gateway ........................................................... 11
Transit Gateway VPN Attachments ............................................................................................. 12
Create a Transit Gateway Attachment to a VPN .................................................................... 12
View Your VPN Attachments .............................................................................................. 12
Transit Gateway Route Tables .................................................................................................... 13
Create a Transit Gateway Route Table ................................................................................. 13
Associate a Transit Gateway Route Table ............................................................................. 13
Delete an Association for a Transit Gateway Route Table ....................................................... 13
View Transit Gateway Route Tables .................................................................................... 14
Propagate a Route to a Transit Gateway Route Table ............................................................ 14
Disable Route Propagation ................................................................................................ 14
View Route Table Propagations .......................................................................................... 15
Export Route Tables to Amazon S3 ..................................................................................... 15
Delete a Transit Gateway Route Table ................................................................................. 15
Monitor Your Transit Gateways .......................................................................................................... 16
CloudWatch Metrics .................................................................................................................. 16
Transit Gateway Metrics .................................................................................................... 16
Metric Dimensions for Transit Gateways .............................................................................. 17
CloudTrail Logs ........................................................................................................................ 17
Transit Gateway Information in CloudTrail ........................................................................... 17
Transit Gateway Concepts
• attachment — You can attach a VPC, an AWS Direct Connect gateway, or a VPN connection to a transit
gateway.
• transit gateway route table — A transit gateway has a default route table and can optionally have
additional route tables. A route table includes dynamic and static routes that decide the next hop
based on the destination IP address of the packet. The target of these routes could be a VPC or a
VPN connection. By default, the VPCs and VPN connections that you attach to a transit gateway are
associated with the default transit gateway route table.
• associations — Each attachment is associated with exactly one route table. Each route table can be
associated with zero to many attachments.
• route propagation — A VPC or VPN connection can dynamically propagate routes to a transit gateway
route table. With a VPC, you must create static routes to send traffic to the transit gateway. With a
VPN connection, routes are propagated from the transit gateway to your on-premises router using
Border Gateway Protocol (BGP).
• AWS Management Console — Provides a web interface that you can use to access your transit
gateways.
• AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services,
including Amazon VPC, and is supported on Windows, Mac, and Linux. For more information, see AWS
Command Line Interface.
• AWS SDKs — Provides language-specific APIs and takes care of many of the connection details, such
as calculating signatures, handling request retries, and error handling. For more information, see AWS
SDKs.
• Query API — Provides low-level API actions that you call using HTTPS requests. Using the Query API
is the most direct way to access Amazon VPC, but it requires that your application handle low-level
details such as generating the hash to sign the request, and error handling. For more information, see
the Amazon EC2 API Reference.
Pricing
You are charged for each hour that your VPC or VPN connection is attached to the transit gateway. For
more information, see AWS Transit Gateway pricing.
Resource Attachments
A transit gateway attachment is both a source and a destination of packets. You can attach the following
resources to your transit gateway, if they are in the same Region as the transit gateway:
• A VPC
• An AWS Direct Connect gateway
• A VPN connection
Availability Zones
When you attach a VPC to a transit gateway, you must enable one or more Availability Zones to be used
by the transit gateway to route traffic to resources in the VPC subnets. To enable each Availability Zone,
you specify exactly one subnet. The transit gateway places a network interface in that subnet using one
IP address from the subnet. After you enable an Availability Zone, traffic can be routed to all subnets in
that Availability Zone, not just the specified subnet.
We recommend that you enable multiple Availability Zones to ensure availability. If one Availability Zone
becomes unavailable or has no healthy attachments, the transit gateway can route traffic to your VPC
using a healthy attachment in a different Availability Zone.
Routing
Your transit gateway routes IPv4 and IPv6 packets between attachments using transit gateway route
tables. You can configure these route tables to propagate routes from the route tables for the attached
VPCs and VPN connections. You can also add static routes to the transit gateway route tables. When
a packet comes from one attachment, it is routed to another attachment using the route table that
matches the destination IP address.
Route Tables
Your transit gateway automatically comes with a default route table. By default, this route table is the
default association route table and the default propagation route table. Alternatively, if you disable
route propagation, we do not create a default route table for the transit gateway.
You can create additional route tables for your transit gateway. This enables you to isolate subnets
of attachments. Each attachment can be related to one or more route tables through route table
association and route table propagation.
Route Propagation
Each attachment comes with routes that can be installed to one or more transit gateway route tables.
For a VPC attachment, these are the CIDR blocks of the VPC. For a VPN connection attachment, these
are the prefixes that are advertised over the BGP session established with the VPN connection. When an
attachment is propagated to a transit gateway route table, these routes are installed in the route table.
Scenarios
The following are common use cases for transit gateways. Your transit gateways are not limited to these
use cases.
Centralized Router
You can configure your transit gateway as a centralized router that connects all of your VPCs and VPN
connections. In this scenario, all attachments are associated with the transit gateway route table and
propagate to the transit gateway route table. Therefore, all attachments can route packets to each other,
with the transit gateway serving as a simple layer 3 IP hub.
Isolated Routers
You can configure your transit gateway as multiple isolated routers. This is similar to using multiple
transit gateways, but provides more flexibility in cases where the routes and attachments might change.
In this scenario, each isolated router has a single route table. All attachments associated with an isolated
router propagate and associate with its route table. Attachments associated with one isolated router can
route packets to each other, but cannot route packets to or receive packets from the attachments for
another isolated router.
Edge Consolidator
You can configure your transit gateway such that your VPCs can route packets to one or more VPN
connections but your VPCs cannot route packets to each other. In this scenario, you create a route table
for the VPCs and a route table for the VPN connections.
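As an added example (not from the AWS documentation), the following Python models the routing behaviour described above: each attachment is associated with exactly one transit gateway route table, propagation installs the attachment's VPC CIDRs or BGP-advertised prefixes in a table, lookup is a longest-prefix match on the destination address, and a miss is counted the way the PacketDropCountNoRoute metric counts it. It builds the three scenarios (centralized router, isolated routers, edge consolidator) from constructed attachment IDs and CIDR blocks.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Attachment:
    """A VPC or VPN attachment and the routes it propagates (VPC CIDRs or BGP prefixes)."""
    attachment_id: str
    cidrs: list


@dataclass
class RouteTable:
    table_id: str
    routes: dict = field(default_factory=dict)  # ip_network -> attachment_id

    def propagate(self, att: Attachment) -> None:
        """Route propagation: install the attachment's routes in this table."""
        for cidr in att.cidrs:
            self.routes[ipaddress.ip_network(cidr)] = att.attachment_id

    def lookup(self, dst: str):
        """Longest-prefix match; None if no route (IPv4 never matches an IPv6 prefix)."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


class TransitGateway:
    def __init__(self):
        self.tables = {}
        self.association = {}  # attachment_id -> table_id: exactly one per attachment
        self.packet_drop_count_no_route = 0  # what the CloudWatch metric counts

    def table(self, table_id: str) -> RouteTable:
        return self.tables.setdefault(table_id, RouteTable(table_id))

    def attach(self, att: Attachment, table_id: str) -> None:
        self.association[att.attachment_id] = table_id

    def forward(self, src_attachment_id: str, dst_ip: str):
        """A packet from src is routed with the table src is associated with."""
        table = self.tables[self.association[src_attachment_id]]
        target = table.lookup(dst_ip)
        if target is None:
            self.packet_drop_count_no_route += 1
        return target


# Constructed sample attachments (IDs and CIDRs are made up for the example).
VPC_A = Attachment("tgw-attach-vpc-a", ["10.0.0.0/16"])
VPC_B = Attachment("tgw-attach-vpc-b", ["10.1.0.0/16"])
VPN_1 = Attachment("tgw-attach-vpn-1", ["192.168.0.0/16"])  # learned over BGP


def centralized_router() -> TransitGateway:
    """All attachments associate with and propagate to one table: a layer 3 hub."""
    tgw = TransitGateway()
    default = tgw.table("tgw-rtb-default")
    for att in (VPC_A, VPC_B, VPN_1):
        tgw.attach(att, default.table_id)
        default.propagate(att)
    return tgw


def isolated_routers() -> TransitGateway:
    """Two routers: VPC A and the VPN share one table, VPC B has its own."""
    tgw = TransitGateway()
    for att, table_id in ((VPC_A, "tgw-rtb-red"), (VPN_1, "tgw-rtb-red"),
                          (VPC_B, "tgw-rtb-blue")):
        tgw.attach(att, table_id)
        tgw.table(table_id).propagate(att)
    return tgw


def edge_consolidator() -> TransitGateway:
    """VPCs reach the VPN but not each other: the VPC table holds only the VPN's
    prefixes and the VPN table holds only the VPC CIDRs."""
    tgw = TransitGateway()
    vpc_table, vpn_table = tgw.table("tgw-rtb-vpcs"), tgw.table("tgw-rtb-vpns")
    for att in (VPC_A, VPC_B):
        tgw.attach(att, vpc_table.table_id)
        vpn_table.propagate(att)
    tgw.attach(VPN_1, vpn_table.table_id)
    vpc_table.propagate(VPN_1)
    return tgw
```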
Tasks
• Prerequisites (p. 4)
• Step 1: Create the Transit Gateway (p. 4)
• Step 2: Attach Your VPCs to Your Transit Gateways (p. 5)
• Step 3: Add Routes between the Transit Gateway and your VPCs (p. 5)
• Step 4: Testing the Transit Gateway (p. 6)
• Step 5: Delete the Transit Gateway (p. 6)
Prerequisites
• To demonstrate a simple example of using a transit gateway, create two VPCs in the same Region. The
VPCs cannot have overlapping CIDRs. Launch one EC2 instance in each VPC. For more information, see
Working with VPCs and Subnets in the Amazon VPC User Guide.
• You must enable resource sharing from the master account for your organization. For information
about enabling resource sharing, see Enable Sharing with AWS Organizations in the .
• You cannot have identical routes pointing to two different VPCs. A transit gateway does not propagate
the CIDRs of a newly attached VPC if an identical route exists in the transit gateway route tables.
• Verify that you have the permissions required to work with transit gateways. For more information, see
Authentication and Access Control for Your Transit Gateways (p. 20).
Step 2: Attach Your VPCs to Your Transit Gateways
Confirm that you have created two VPCs and launched an EC2 instance in each, as described in
Prerequisites (p. 4).
Each attachment is always associated with exactly one route table. Route tables can be associated with
zero to many attachments.
6. In the Destination column, enter an IP address range that includes the transit gateway you used to
create the transit gateway attachment.
7. Choose Close.
Contents
• Transit Gateways (p. 7)
• Transit Gateway Attachments to a VPC (p. 10)
• Transit Gateway Attachments to a Direct Connect Gateway (p. 11)
• Transit Gateway VPN Attachments (p. 12)
• Transit Gateway Route Tables (p. 13)
Transit Gateways
A transit gateway enables you to attach VPCs and VPN connections in the same Region and route traffic
between them. A transit gateway works across AWS accounts, and you can use AWS Resource Access
Manager to share your transit gateway with other accounts. After you share a transit gateway with
another AWS account, the account owner can attach their VPCs to your transit gateway. A user from
either account can delete the attachment at any time.
Each VPC or VPN attachment is associated with a single route table. That route table decides the next
hop for the traffic coming from that resource attachment. A route table inside the transit gateway allows
for both IPv4 and IPv6 CIDRs and targets. The targets are VPCs and VPN connections. When you attach a
VPC or create a VPN connection on a transit gateway, the attachment is associated with the default route
table of the transit gateway.
You can create additional route tables inside the transit gateway, and change the VPC or VPN association
to these route tables. This enables you to segment your network. For example, you can associate
development VPCs with one route table and production VPCs with a different route table. This enables
you to create isolated networks inside a transit gateway similar to virtual routing and forwarding (VRFs)
in traditional networks.
Transit gateways support dynamic and static routing between attached VPCs and VPN connections. You
can enable or disable route propagation for each attachment.
You must enable resource sharing from the master account for your organization. For information about
enabling resource sharing, see Enable Sharing with AWS Organizations in the .
4. For Name tag, optionally enter a name for the transit gateway. A name tag can make it easier to
identify a specific gateway from the list of gateways. When you add a Name tag, a tag is created
with a key of Name and with a value equal to the value you enter.
5. For Description, optionally enter a description for the transit gateway.
6. For Amazon side ASN, either leave the default value to use the default Autonomous System Number
(ASN), or enter the private ASN for your transit gateway. This should be the ASN for the AWS side of
a Border Gateway Protocol (BGP) session.
Sharing a Transit Gateway
For Allow external accounts, choose whether to allow sharing for this resource with AWS accounts
that are external to your organization.
6. (Optional) Under Tags, type a tag key and tag value pair for each tag. These tags are applied to the
resource share but not to the transit gateway.
7. Choose Create resource share.
Transit Gateway Attachments to a VPC
Limits
Resources in a VPC that is attached to a transit gateway, and whose subnet route table has a route to the
transit gateway, can forward traffic to the transit gateway only when the transit gateway has an attachment
in a subnet of that VPC in the same Availability Zone.
The resources in a VPC attached to a transit gateway cannot access the security groups of a different VPC
that is also attached to the same transit gateway.
This VPC must have at least one subnet associated with it.
9. For Subnet IDs, select one subnet for each Availability Zone to be used by the transit gateway to
route traffic. You must select at least one subnet. You can select only one subnet per Availability
Zone.
10. Choose Create attachment.
3. Choose the search bar, select Resource type from the menu, and then select VPC.
4. The VPC attachments are displayed. Choose an attachment to view its details or to add tags.
• Manage a single connection for multiple VPCs or VPNs that are in the same Region.
• Advertise prefixes from on-premises to AWS and from AWS to on-premises.
For information about the Regions that support associations, see Use AWS Transit Gateway & Direct
Connect to Centralize and Streamline Your Network Connectivity at the AWS News Blog website.
The following diagram illustrates how the Direct Connect gateway enables you to create a single
connection to your Direct Connect connection that all of your VPCs can use.
• A transit gateway.
• A Direct Connect gateway.
• An association between the Direct Connect gateway and the transit gateway.
• A transit virtual interface that is attached to the Direct Connect gateway.
For information about configuring Direct Connect gateways with transit gateways, see Transit Gateway
Associations in the AWS Direct Connect User Guide.
For static VPNs, add the static routes to the transit gateway route table.
If your customer gateway is behind a network address translation (NAT) device that's enabled
for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall
rules to unblock UDP port 4500.
• To create a customer gateway, choose New, then for IP Address, type a static public IP address
and BGP ASN.
CloudWatch metrics
You can use Amazon CloudWatch to retrieve statistics about data points for your transit gateways as
an ordered set of time series data, known as metrics. You can use these metrics to verify that your
system is performing as expected. For more information, see CloudWatch Metrics for Your Transit
Gateways (p. 16).
VPC Flow Logs
You can use VPC Flow Logs to capture detailed information about the traffic going to and from your
transit gateways. For more information, see VPC Flow Logs in the Amazon VPC User Guide.
CloudTrail logs
You can use AWS CloudTrail to capture detailed information about the calls made to the transit
gateway API and store them as log files in Amazon S3. You can use these CloudTrail logs to
determine which calls were made, the source IP address where the call came from, who made the
call, when the call was made, and so on. For more information, see Logging API Calls for Your Transit
Gateway Using AWS CloudTrail (p. 17).
You can use metrics to verify that your system is performing as expected. For example, you can create a
CloudWatch alarm to monitor a specified metric and initiate an action (such as sending a notification to
an email address) if the metric goes outside what you consider an acceptable range.
Amazon VPC reports metrics to CloudWatch only when requests are flowing through the transit gateway.
If there are requests flowing through the transit gateway, Amazon VPC measures and sends its metrics in
60-second intervals. If there are no requests flowing through the transit gateway or no data for a metric,
the metric is not reported.
Contents
• Transit Gateway Metrics (p. 16)
• Metric Dimensions for Transit Gateways (p. 17)
Metric                    Description
PacketDropCountNoRoute    The number of packets dropped because they did not match a route.

Dimension                 Description
For more information about CloudTrail, see the AWS CloudTrail User Guide.
For an ongoing record of events in your AWS account, including events for the transit gateway API, create
a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create
a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the
AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can
configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs.
For more information, see the following:
Understanding Transit Gateway Log File Entries
All calls to transit gateway actions are logged by CloudTrail. For example, calls to the
CreateTransitGateway action generate entries in the CloudTrail log files.
Every event or log entry contains information about who generated the request. The identity
information helps you determine the following:
• Whether the request was made with root or AWS Identity and Access Management (IAM) user
credentials.
• Whether the request was made with temporary security credentials for a role or federated user.
• Whether the request was made by another AWS service.
The log files include events for all AWS API calls for your AWS account, not just transit gateway API calls.
You can locate calls to the transit gateway API by checking for eventSource elements with the value
ec2.amazonaws.com. To view a record for a specific action, such as CreateTransitGateway, check
for eventName elements with the action name.
The following are example CloudTrail log records for the transit gateway API for a user who created a
transit gateway using the console. You can identify the console using the userAgent element. You can
identify the requested API call using the eventName elements. Information about the user (Alice) can
be found in the userIdentity element.
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice"
    },
    "eventTime": "2018-11-15T05:25:50Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateTransitGateway",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "198.51.100.1",
    "userAgent": "console.ec2.amazonaws.com",
    "requestParameters": {
        "CreateTransitGatewayRequest": {
            "Options": {
                "DefaultRouteTablePropagation": "enable",
                "AutoAcceptSharedAttachments": "disable",
                "DefaultRouteTableAssociation": "enable",
                "VpnEcmpSupport": "enable",
                "DnsSupport": "enable"
            },
            "TagSpecification": {
                "ResourceType": "transit-gateway",
                "tag": 1,
                "Tag": {
                    "Value": "my-tgw",
                    "tag": 1,
                    "Key": "Name"
                }
            }
        }
    },
    "responseElements": {
        "CreateTransitGatewayResponse": {
            "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/",
            "requestId": "a07c1edf-c201-4e44-bffb-3ce90EXAMPLE",
            "transitGateway": {
                "tagSet": {
                    "item": {
                        "value": "my-tgw",
                        "key": "Name"
                    }
                },
                "creationTime": "2018-11-15T05:25:50.000Z",
                "transitGatewayId": "tgw-0a13743bd6c1f5fcb",
                "options": {
                    "propagationDefaultRouteTableId": "tgw-rtb-0123cd602be10b00a",
                    "amazonSideAsn": 64512,
                    "defaultRouteTablePropagation": "enable",
                    "vpnEcmpSupport": "enable",
                    "autoAcceptSharedAttachments": "disable",
                    "defaultRouteTableAssociation": "enable",
                    "dnsSupport": "enable",
                    "associationDefaultRouteTableId": "tgw-rtb-0123cd602be10b00a"
                },
                "state": "pending",
                "ownerId": 123456789012
            }
        }
    },
    "requestID": "a07c1edf-c201-4e44-bffb-3ce90EXAMPLE",
    "eventID": "e8fa575f-4964-4ab9-8ca4-6b5b4EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
}
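As an added example (not from the AWS documentation), the following Python reads a CloudTrail log file, keeps only transit gateway calls using the eventSource and eventName elements described above, and reports for each call who made it, with what kind of credentials (root, IAM user, temporary role or federated credentials, or another AWS service), from which source IP, and whether it came through the console as identified by userAgent. The log file is constructed: its first record mirrors the one shown on this page, while the assumed-role principal, the CLI user agent, the unrelated RunInstances record and the review flag on AutoAcceptSharedAttachments are my additions.

```python
import json

# Constructed CloudTrail log file (the "Records" envelope CloudTrail delivers
# to S3). The first record mirrors the one shown on this page; the other two
# are made up: a CreateTransitGateway call from an assumed role via the CLI,
# and an unrelated EC2 call that the filter should ignore.
SAMPLE_LOG_FILE = """
{"Records": [
  {"eventVersion": "1.05",
   "userIdentity": {"type": "IAMUser", "principalId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:user/Alice",
                    "accountId": "123456789012", "userName": "Alice"},
   "eventTime": "2018-11-15T05:25:50Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "CreateTransitGateway", "awsRegion": "us-west-2",
   "sourceIPAddress": "198.51.100.1", "userAgent": "console.ec2.amazonaws.com",
   "requestParameters": {"CreateTransitGatewayRequest": {"Options": {
     "DefaultRouteTablePropagation": "enable",
     "AutoAcceptSharedAttachments": "disable"}}}},
  {"eventVersion": "1.05",
   "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:deploy",
                    "arn": "arn:aws:sts::123456789012:assumed-role/NetOps/deploy",
                    "accountId": "123456789012"},
   "eventTime": "2018-11-16T09:01:12Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "CreateTransitGateway", "awsRegion": "us-west-2",
   "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/1.16.0",
   "requestParameters": {"CreateTransitGatewayRequest": {"Options": {
     "DefaultRouteTablePropagation": "enable",
     "AutoAcceptSharedAttachments": "enable"}}}},
  {"eventVersion": "1.05",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob"},
   "eventTime": "2018-11-16T09:05:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "RunInstances", "awsRegion": "us-west-2",
   "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/1.16.0"}
]}
"""

# userIdentity.type values mapped onto the three questions the page lists.
CREDENTIAL_KIND = {
    "Root": "root credentials",
    "IAMUser": "IAM user credentials",
    "AssumedRole": "temporary credentials (role)",
    "FederatedUser": "temporary credentials (federated user)",
    "AWSService": "another AWS service",
}


def is_transit_gateway_event(record: dict) -> bool:
    """Transit gateway calls carry eventSource ec2.amazonaws.com and an
    eventName holding the action name, e.g. CreateTransitGateway."""
    return (record.get("eventSource") == "ec2.amazonaws.com"
            and "TransitGateway" in record.get("eventName", ""))


def summarize(record: dict) -> dict:
    """Who made the call, with which kind of credentials, from where, and how."""
    identity = record.get("userIdentity", {})
    user_agent = record.get("userAgent", "")
    options = (record.get("requestParameters", {})
               .get("CreateTransitGatewayRequest", {}).get("Options", {}))
    findings = []
    # Review flag (my choice, not an AWS rule): a gateway created with
    # AutoAcceptSharedAttachments enabled accepts attachment requests from the
    # accounts it is shared with without anyone approving them.
    if (record.get("eventName") == "CreateTransitGateway"
            and options.get("AutoAcceptSharedAttachments") == "enable"):
        findings.append("auto-accepts shared attachments")
    return {
        "time": record.get("eventTime"),
        "action": record.get("eventName"),
        "actor": identity.get("arn", "<unknown>"),
        "credentials": CREDENTIAL_KIND.get(identity.get("type"), identity.get("type")),
        "source_ip": record.get("sourceIPAddress"),
        # The page identifies console activity by the userAgent element.
        "via": "console" if user_agent.startswith("console.") else user_agent,
        "findings": findings,
    }


def review_log_file(log_text: str) -> list:
    """Parse one CloudTrail log file and summarize its transit gateway calls."""
    records = json.loads(log_text)["Records"]
    return [summarize(r) for r in records if is_transit_gateway_event(r)]


if __name__ == "__main__":
    for row in review_log_file(SAMPLE_LOG_FILE):
        print(row)
```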
By default, IAM users don't have permission to create, view, or modify AWS resources. To allow an IAM
user to access resources, such as a transit gateway, and perform tasks, you must create an IAM policy that
grants the IAM user permission to use the specific resources and API actions they'll need, then attach the
policy to the IAM user or the group to which the IAM user belongs. When you attach a policy to a user or
group of users, it allows or denies the users permission to perform the specified tasks on the specified
resources.
To work with a transit gateway, one of the following AWS managed policies might meet your needs:
• PowerUserAccess
• ReadOnlyAccess
• AmazonEC2FullAccess
• AmazonEC2ReadOnlyAccess
For more information, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide.
• ec2:CreateNetworkInterface
• ec2:DescribeNetworkInterface
• ec2:ModifyNetworkInterfaceAttribute
• ec2:DeleteNetworkInterface
• ec2:CreateNetworkInterfacePermission
For Amazon VPC to create a service-linked role on your behalf, you must have the required permissions.
For more information, see Service-Linked Role Permissions in the IAM User Guide.
You can delete this service-linked role only after you delete all transit gateway VPC attachments in
your AWS account. This ensures that you can't inadvertently remove permission to access your VPC
attachments.
You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more
information, see Deleting a Service-Linked Role in the IAM User Guide.
After you delete AWSServiceRoleForVPCTransitGateway, Amazon VPC creates the role again if you
attach a VPC in your account to a transit gateway.
You can use ECMP to get higher VPN bandwidth by aggregating multiple VPN connections.
• Maximum bandwidth per VPN connection: 1.25 Gbps
Change: AWS Direct Connect Support for AWS Transit Gateway
Date: 2019-03-27
Description: You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection
over a transit virtual interface to the VPCs or VPNs attached to your transit gateway. You associate a
Direct Connect gateway with the transit gateway. Then, create a transit virtual interface for your AWS
Direct Connect connection to the Direct Connect gateway. For information, see the section called
"Transit Gateway Attachments to a Direct Connect Gateway" (p. 11).