AWS: Services & Architecture
by Sergey Okinchuk
Direct ConnectPrivateLink
AWS Transit Gateway
Service 30

AWS Transit Gateway

NetworkingHybridNetwork

Transit Gateway is a managed hub-and-spoke router that interconnects VPCs, on-premises networks (over VPN or Direct Connect), and other Transit Gateways. Instead of a mesh of peering connections, you attach every VPC once and let the gateway route between them.

The scaling math is the point: connecting N VPCs needs N(N-1)/2 peering connections but only N Transit Gateway attachments. Ten VPCs mean 45 peerings versus 10 attachments. Beyond five or six VPCs, Transit Gateway is the standard answer.

VPC Peering — mesh5 VPCs → 10 connections
ABCDE
Every pair wired directly: N(N-1)/2 connections. 5 VPCs = 10 peerings, 10 VPCs = 45. Unmanageable past five or six.
Transit Gateway — hub5 VPCs → 5 attachments
ABCDETGW
Each VPC attaches once: N attachments. Routing handled centrally in the hub; segmentation via TGW route tables.

Attachments and Route Tables

A Transit Gateway connects through attachments: VPC, VPN, Direct Connect (via a DX Gateway), TGW-peering (cross-Region or cross-account), and Connect (GRE to SD-WAN). For VPC attachments it places ENIs in subnets you choose, one per AZ.

A TGW has one or more route tables, each attachment associated with one and propagating into others. This enables segmentation (dev and prod share the gateway but cannot route to each other), inspection (force all traffic through a central firewall VPC), or a flat everything-talks-to-everything topology.

Inter-Region Peering

Two Transit Gateways in different Regions can peer, with traffic flowing encrypted across the AWS backbone at predictable latency. This is the standard way to build a global private network across Regions without running your own backbone, adding per-GB cross-Region transfer cost.

Pricing

Transit Gateway is not free: you pay per attachment-hour plus per-GB processed, plus per-GB for inter-Region peering. A 50-VPC TGW with moderate traffic can cost more than the VPCs it connects, and cross-AZ traffic through it pays both the TGW charge and cross-AZ charges. Plan for it.

Transit Gateway vs VPC Peering vs PrivateLink

Transit Gateway — many VPCs (beyond three or four) and hybrid links needing full-network routing through one managed hub.

VPC Peering — two or three VPCs that only need to reach each other — simpler and cheaper at small scale.

PrivateLink — exposing one specific service to consumers, not connecting whole networks.

Common Mistakes
  • Using a Transit Gateway for two or three VPCs where plain peering is simpler and cheaper.
  • Attaching a single VPC to a Transit Gateway — that is pure cost with no benefit.
  • Deferring route-table segmentation, then retrofitting it later and dropping traffic during the move.
  • Ignoring data-processing charges, where cross-AZ traffic through the TGW pays both TGW and cross-AZ fees.
  • Meshing VPC peering across Regions instead of peering Transit Gateways for a multi-Region network.
  • Using a Transit Gateway when only one service in another VPC needs to be reached — PrivateLink is the targeted tool.
Best Practices
  • Adopt Transit Gateway once you exceed three or four VPCs; below that, peer directly.
  • Plan route-table segmentation up front (dev vs prod, inspection paths).
  • Share a central TGW across accounts with Resource Access Manager from a networking account.
  • Peer Transit Gateways across Regions for multi-Region private networking.
  • Monitor per-GB data-processing charges and cross-AZ traffic.
Comparable services GCP Network Connectivity CenterAzure Virtual WAN

Knowledge Check

Why does Transit Gateway scale better than VPC peering for many VPCs?

  • It needs N attachments for N VPCs, not N(N-1)/2 connections
  • It is free no matter how many attachments you add
  • It eliminates the need for route tables entirely
  • It merges every VPC into one shared, overlapping CIDR block

How do you keep dev and prod VPCs isolated while sharing one Transit Gateway?

  • Use separate TGW route tables so the two routing domains share no routes
  • Attach each one to its own separate Transit Gateway in the same AWS Region
  • Disable cross-zone load balancing on the gateway
  • Use one flat route table and a NACL per subnet

When is plain VPC peering the better choice over a Transit Gateway?

  • For two or three VPCs that only reach each other — simpler and cheaper
  • For ten or more fully interconnected VPCs in a mesh
  • For multi-Region global networking across many VPCs
  • Whenever you need centralized traffic inspection through a firewall VPC

What is true about Transit Gateway pricing?

  • It charges per attachment-hour and per GB processed, sometimes above the VPCs
  • It is free for the first 100 attachments you create in each Region
  • It charges only for cross-Region peering traffic flowing between two distinct hubs
  • It has one flat monthly fee regardless of how much you use

You got correct