AWS Bites – Episode 137: Transit Gateway Explained
Date: December 13, 2024
Host: Eoin Shanaghy; Guest: David Lyneham
Episode Overview
This episode of AWS Bites explores AWS Transit Gateway: what it is, how it simplifies cloud networking, and why it’s a powerful tool for organizations of any size. Eoin Shanaghy is joined by special guest David Lyneham to break down the core concepts, share real-world scenarios, and discuss practical considerations like segmentation, compliance, and costs. The episode is technical but approachable, and highlights both fundamentals and nuanced use cases.
Key Discussion Points and Insights
1. The Complexity of AWS Networking and the Need for Simplification
- Traditional cloud networking can grow unwieldy, especially with multiple VPCs, peering, VPNs, and Direct Connect forming complex meshes ([00:00]).
- Transit Gateway is designed as a centralized hub to reduce that complexity and improve manageability.
2. Refresher on VPCs and Their Limitations
- VPC (Virtual Private Cloud):
- Isolated network with its own IP address range ([01:26]).
- Contains different subnet types: public, private, and isolated.
- Subnets have route tables controlling network traffic.
- By default, VPCs are isolated; routing outside the VPC requires explicit setup ([02:18]).
3. Traditional Cross-VPC Networking: Peering
- VPC Peering:
- Direct peer connections between two VPCs (one requester, one acceptor).
- Limitations:
- No transitive routing: packets can’t traverse multiple VPCs using peering ([02:37]).
- Cannot route through NAT Gateways or VPNs in another VPC.
- Becomes cumbersome at scale due to mesh complexity.
- "A packet coming into a VPC, if the destination...is outside of the VPC, the VPC will drop that packet." – David ([03:23]).
- Sometimes a “transit VPC” with EC2 and VPN software was used as a workaround but involved high management overhead ([04:00]).
4. Enter Transit Gateway: The Managed Solution
- Transit Gateway provides a managed hub-and-spoke architecture ([05:53]).
- Centralizes connections between many VPCs.
- Scales to thousands of VPCs and supports connections to on-premises networks (Direct Connect, VPNs).
- Allows fine-grained, cross-account, and multi-AZ routing.
- Simplifies segmentation and organizational networking.
"It takes the management of the hub and spoke architecture off your hands. So you really only need to worry about routing the traffic where you want it to go." – David ([05:56])
5. Core Components of Transit Gateway
- Attachments: Connect VPCs, Site-to-Site VPNs, Direct Connect gateways, or peered Transit Gateways.
- Route Tables: Transit Gateway’s own routing configuration, independent from VPC route tables.
- Associations and Propagation:
- Attachments are associated with route tables.
- Routes can be propagated, so the Transit Gateway learns the prefixes behind an attachment automatically: a VPC attachment propagates the VPC's CIDR blocks, while VPN and Direct Connect attachments advertise their prefixes over BGP ([07:00]).
- AWS Resource Access Manager (RAM) enables centralized Transit Gateway management across accounts ([09:10]).
6. Multi-Account, Multi-VPC Scenarios
- Centralized Transit Gateway can connect VPCs from multiple accounts by sharing it via AWS RAM, making management easier ([08:42]).
- Example use case: applications in separate accounts connect securely through the Transit Gateway while keeping routing control centralized.
7. Routing and Segmentation Strategies
- Custom Routing for Segmentation:
- Multiple Transit Gateway route tables can allow, restrict, or fine-tune traffic flow between VPCs ([10:15]).
- Example: Ensuring VPN clients can access applications, but applications remain isolated from each other.
- Memorable Insight: “...the concepts, I think, are pretty powerful and replicable. Then you know, it's not as advanced as it might seem.” – Eoin ([12:50]).
8. Compliance and Security-centric Designs
- PCI Compliance: Transit Gateway can reduce audit scope by restricting which networks can access sensitive data ([13:15]).
- Centralized Security Services: Use the Transit Gateway middlebox (centralized inspection) pattern to funnel all ingress/egress through security tooling such as AWS Network Firewall, hosted in a dedicated inspection VPC/account ([14:00]).
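The routing rules in section 5 and the segmentation and inspection designs in sections 7 and 8 come down to one idea: the Transit Gateway looks up the destination in the route table associated with the attachment the packet arrived on, so isolation is expressed purely through which table each attachment is associated with and what that table contains. The toy model below is an added example for this summary, not code from the episode or from any AWS library; the attachment IDs, table names and CIDRs are invented. It implements the documented evaluation rules (one association per attachment, source-attachment table lookup, longest-prefix match, blackhole drops) and builds the design discussed: VPN users reach every application VPC, application VPCs cannot reach each other, and all application egress is steered into an inspection VPC.

```python
"""Toy model of AWS Transit Gateway route evaluation (added example; not AWS code).

Models only the TGW hop: each VPC's own subnet route tables must still point the
relevant CIDRs at the TGW attachment, and the inspection VPC needs its own
firewall/NAT/IGW path for the traffic it receives. All IDs and CIDRs are invented.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BLACKHOLE = "blackhole"


@dataclass
class Attachment:
    att_id: str
    kind: str          # "vpc", "vpn", ...
    cidrs: list[str]   # prefixes reachable through this attachment


@dataclass
class RouteTable:
    name: str
    routes: dict[str, str] = field(default_factory=dict)  # cidr -> attachment id | BLACKHOLE

    def propagate(self, att: Attachment) -> None:
        """Route propagation: install the attachment's prefixes pointing back at it
        (TGW does this from the VPC CIDRs for VPC attachments, via BGP for VPN/DX)."""
        for cidr in att.cidrs:
            self.routes[cidr] = att.att_id

    def add_static(self, cidr: str, target: str) -> None:
        self.routes[cidr] = target

    def lookup(self, dst_ip: str) -> str | None:
        """Longest-prefix match: returns an attachment id, BLACKHOLE, or None (no route)."""
        addr = ip_address(dst_ip)
        best_net, best_target = None, None
        for cidr, target in self.routes.items():
            net = ip_network(cidr)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target


class TransitGateway:
    def __init__(self) -> None:
        self.tables: dict[str, RouteTable] = {}
        self.association: dict[str, str] = {}  # attachment id -> its single route table

    def attach(self, att: Attachment, table: RouteTable) -> None:
        self.tables[table.name] = table
        self.association[att.att_id] = table.name

    def forward(self, src_att: str, dst_ip: str) -> str | None:
        """Attachment the packet leaves through, or None if TGW drops it.
        The lookup uses the table associated with the *source* attachment."""
        target = self.tables[self.association[src_att]].lookup(dst_ip)
        return None if target in (None, BLACKHOLE) else target


def build_segmented_tgw() -> TransitGateway:
    """Hub with three route tables: spoke-rt (apps), vpn-rt, inspection-rt."""
    app_a = Attachment("tgw-attach-app-a", "vpc", ["10.1.0.0/16"])
    app_b = Attachment("tgw-attach-app-b", "vpc", ["10.2.0.0/16"])
    vpn = Attachment("tgw-attach-vpn", "vpn", ["192.168.0.0/16"])
    inspect = Attachment("tgw-attach-inspection", "vpc", ["10.9.0.0/16"])
    spoke_rt, vpn_rt, inspect_rt = RouteTable("spoke-rt"), RouteTable("vpn-rt"), RouteTable("inspection-rt")

    tgw = TransitGateway()
    for att in (app_a, app_b):
        tgw.attach(att, spoke_rt)      # both apps share one table, so they see the same policy
    tgw.attach(vpn, vpn_rt)
    tgw.attach(inspect, inspect_rt)

    # spoke-rt: reach VPN clients, blackhole the rest of the private range so no
    # spoke can reach another spoke, and send everything else to the inspection VPC.
    spoke_rt.propagate(vpn)
    spoke_rt.add_static("10.0.0.0/8", BLACKHOLE)
    spoke_rt.add_static("0.0.0.0/0", inspect.att_id)
    # vpn-rt and inspection-rt learn the app VPCs; inspection-rt also carries the
    # firewall's return traffic back to the right spoke.
    for att in (app_a, app_b):
        vpn_rt.propagate(att)
        inspect_rt.propagate(att)
    return tgw


def evaluate_flows(tgw: TransitGateway) -> dict[tuple[str, str], str | None]:
    """Constructed sample flows; maps (source attachment, destination IP) -> egress attachment."""
    flows = [
        ("tgw-attach-vpn", "10.1.0.5"),         # VPN user -> app A: allowed
        ("tgw-attach-vpn", "10.2.0.7"),         # VPN user -> app B: allowed
        ("tgw-attach-app-a", "10.2.0.7"),       # app A -> app B: blackholed
        ("tgw-attach-app-a", "192.168.1.10"),   # app A -> VPN client: allowed
        ("tgw-attach-app-a", "93.184.216.34"),  # app A -> internet: via inspection VPC
        ("tgw-attach-inspection", "10.1.0.5"),  # firewall return traffic -> app A
    ]
    return {(src, dst): tgw.forward(src, dst) for src, dst in flows}


if __name__ == "__main__":
    for (src, dst), target in evaluate_flows(build_segmented_tgw()).items():
        print(f"{src:>22} -> {dst:<14} => {target or 'DROP'}")
```

The 10.0.0.0/8 blackhole in spoke-rt is what turns "apps remain isolated from each other" into a single route: because it is more specific than the 0.0.0.0/0 default, spoke-to-spoke traffic is dropped at the hub rather than being sent to the firewall, while internet-bound traffic still falls through to the inspection attachment. Swapping that blackhole for a route to the inspection attachment gives the east-west inspection variant of the same design.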
9. Pricing and Throughput Considerations
- Pricing:
- Billed per attachment (hourly) and per GB of data transferred ([15:15]).
- Example: Two VPCs connected costs ~$73/month minimum.
- Inter-region traffic incurs additional cross-region data transfer charges, at higher rates than in-region traffic ([15:55]).
- Limits and Performance:
- Up to 5,000 attachments, 20 route tables per TGW, 10,000 routes per table.
- Bandwidth: up to 100 Gbps per VPC attachment per AZ, far higher than the 1.25 Gbps limit of a single VPN tunnel ([16:10], [17:00]).
“If you’re looking for speed, the Transit Gateway is probably the way to go.” – David ([17:15])
Notable Quotes and Memorable Moments
- On Peering Complexity: “If you're in VPC A and you want to send traffic to VPC C...you can't send traffic from A all the way through B to C.” – David ([03:00])
- On Segmentation Use Cases: “You want to avoid that kind of direct traffic...So you want to prevent the domain accounts from routing to each other.” – Eoin ([11:30])
- On Compliance: “Being able to restrict what networks can get to the PCI data means you’re reducing the scope of what’s inside of an audit.” – David ([13:34])
- On Pricing: “At a very minimum you’re going to be talking about $73 a month to peer 2 VPCs.” – David ([15:40])
Timestamps for Key Segments
- 00:00–01:16: Introduction and setting the scene (VPC fundamentals)
- 02:18–05:06: VPC Peering, limitations, and need for transitive routing
- 05:53–06:55: What is Transit Gateway and its main components
- 07:00–10:15: Attachments, route tables, associations, propagation, and practical setup example
- 10:44–13:12: Real-world use cases, segmentation, and routing best practices
- 13:15–15:07: Security, compliance, and advanced routing (PCI, middlebox pattern)
- 15:15–17:21: Pricing, bandwidth/performance, and soft limits
Recommendations and Resources
- The hosts highlight the clarity of the official AWS Transit Gateway documentation, recommending it for further examples—praised as “one of the best pieces of AWS documentation I’ve come across” ([17:50]).
Conclusion
This episode offers a thorough and clear explanation of AWS Transit Gateway, from the pitfalls of legacy networking approaches to practical, secure, and scalable solutions for the modern cloud. Whether you’re an architect scaling a complex network or someone looking for clever ways to segment and secure workload traffic, the episode highlights core concepts, real-world patterns, and cost/performance implications—leaving listeners better equipped to navigate AWS networking.
Listener Call to Action:
The hosts invite feedback and additional use cases from the audience and recommend checking the show notes for resources ([18:20]).
