Pablo Rodriguez

Scaling your VPC network with AWS Transit Gateway

When your business or architecture expands, you might need to separate logical elements for security, architectural purposes, or management simplicity. Many VPC environments need connectivity to other network environments, with enterprise organizations often deploying hundreds of VPCs requiring interconnectivity.

Full mesh

  • Design: Every node directly connected to every other node
  • Formula: N * (N - 1) / 2 connections required for N nodes
  • Example: 4 VPCs need 6 connections; 100 VPCs need 4,950 connections
  • Benefits: Fast network speeds with little latency
  • Drawbacks: Heavy operational and maintenance effort for network engineers

Hub and spoke

  • Design: Central intermediary hub manages connectivity
  • Connection requirement: Each node requires only one connection to hub
  • Example: 4 VPCs need 4 connections; 100 VPCs need 100 connections
  • Benefits: Significantly simplifies management and reduces operational effort
  • Trade-off: Added latency for hub processing

Managed Service

AWS Transit Gateway is a centralized, Regional router to connect VPCs and on-premises networks based on hub-and-spoke architecture. Key characteristics include:

  • Managed AWS service that automatically scales based on volume of network traffic
  • Connectivity: Can be peered with other transit gateways in other AWS Regions and AWS accounts
  • Cost structure: Charges based on number of connections and amount of traffic throughput
  • Monitoring: Has Transit Gateway Flow Logs feature to publish traffic logs
  • Capacity: Can connect thousands of VPCs and on-premises networks
  • Uses hub-and-spoke architecture where any new VPC connected becomes automatically available to every other connected network
  • Supports both dynamic and static routing between attached VPCs
    • Static routes: Configured before network traffic can be routed
    • Dynamic routing: Routers exchange route information to discover routing paths
  • Supports both IPv4 and IPv6 traffic
  • Traffic always stays on global AWS backbone infrastructure, never traverses public internet
  • Reduces exposure to threats such as common exploits and DDoS attacks, because inter-VPC traffic is never exposed on the public internet

Connecting VPCs to a transit gateway

  1. Create VPC attachment using Transit Gateway
    • Connects transit gateway to VPC through elastic network interface deployed in subnets
    • Must ensure every Availability Zone has network interface by selecting at least one subnet from each AZ
  2. Add transit gateway route to each VPC route table
    • Send traffic destined for other VPCs to transit gateway
    • Use CIDR block like 10.0.0.0/8 to include all VPC networks
    • This is a wildcard (aggregate) routing CIDR block covering every VPC, not the same as any single VPC's CIDR block
  3. Configure transit gateway route table
    • Route traffic to connected VPCs
    • Default transit gateway route table created automatically
    • Each route sends traffic destined for specific VPC to corresponding attachment
    • Transit gateway can have multiple route tables, with each attachment associated to a specific route table

Design a dedicated VPC to handle egress internet traffic for added outbound network security. This centralized outbound routing pattern routes internet traffic from workload VPCs to an egress VPC containing NAT gateway.

  • Provides centralized gate for outbound traffic monitoring and security
  • Cost efficient: Run NAT gateways in one VPC instead of per-VPC
  • Can centralize access to shared services like traffic inspection or interface VPC endpoint access
  • Simplifies complexity of managing resources across multiple VPCs
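As an added illustration (not part of the original notes) of steps 2 and 3 above together with the egress VPC pattern, this Python models longest-prefix routing across a workload VPC route table, the transit gateway route table and the egress VPC route table, and shows how a second, restricted TGW route table limits a VPC's reach. The CIDRs, attachment names and the blackhole entry are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the page): two
# workload VPCs and one egress VPC, all inside the 10.0.0.0/8 aggregate
# that the page routes toward the transit gateway.
VPC_A, VPC_B, EGRESS_VPC = "10.1.0.0/16", "10.2.0.0/16", "10.255.0.0/16"

def lookup(route_table, dst):
    """Longest-prefix match: the rule both VPC and TGW route tables apply."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), target)
               for p, target in route_table.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return "drop"  # no matching route, packet is discarded
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Step 2: a workload VPC keeps its implicit local route and sends the rest of
# 10.0.0.0/8 plus internet-bound traffic to the TGW attachment. The local
# /16 is more specific than the /8, so intra-VPC traffic never leaves.
VPC_A_RT = {VPC_A: "local", "10.0.0.0/8": "tgw", "0.0.0.0/0": "tgw"}

# Step 3: the TGW route table maps each VPC CIDR to its attachment and sends
# the default route to the egress VPC. The blackhole entry (constructed
# hardening) keeps unused 10.0.0.0/8 space from looping via the egress VPC.
TGW_RT_FULL = {VPC_A: "attach-vpc-a", VPC_B: "attach-vpc-b",
               EGRESS_VPC: "attach-egress", "10.0.0.0/8": "blackhole",
               "0.0.0.0/0": "attach-egress"}

# A second TGW route table for an attachment that may only reach VPC B.
TGW_RT_RESTRICTED = {VPC_B: "attach-vpc-b"}

# Egress VPC: internet traffic to the NAT gateway, private ranges back to TGW.
EGRESS_RT = {EGRESS_VPC: "local", "10.0.0.0/8": "tgw", "0.0.0.0/0": "nat-gw"}

def forward(vpc_rt, tgw_rt, dst):
    """Targets a packet from a VPC hits, following each lookup to the next table."""
    hops = [lookup(vpc_rt, dst)]
    if hops[-1] == "tgw":
        hops.append(lookup(tgw_rt, dst))
        if hops[-1] == "attach-egress":
            hops.append(lookup(EGRESS_RT, dst))
    return hops

if __name__ == "__main__":
    for dst in ("10.1.5.5", "10.2.0.10", "10.9.0.1", "198.51.100.7"):
        print(dst, forward(VPC_A_RT, TGW_RT_FULL, dst),
              forward(VPC_A_RT, TGW_RT_RESTRICTED, dst))
```

The restricted table shows the segmentation the notes describe: with only VPC B's CIDR present, internet-bound and other inter-VPC traffic from that attachment is dropped at the transit gateway.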

For network traffic flow between AWS Regions or different AWS accounts, create transit gateway peering connection between transit gateways.

  • Create transit gateway peering attachment on your transit gateway
  • Specify target transit gateway (can be in your account or different AWS account)
  • Target transit gateway owner must accept the request
  • Add static route to transit gateway route table pointing to peering attachment
  • Seamless communication between VPCs in different AWS accounts or Regions
  • Secure traffic: Does not traverse public internet between Regions
  • Efficient data transfers: Uses AWS backbone infrastructure

Scenario: Company with multiple IT departments, each with own VPC. Some VPCs in same AWS account, others in different accounts. All VPCs should be peered for full resource access, considering future business group additions.

Solution: Connect each department’s VPC to a transit gateway. This requires the least maintenance and effort while providing adequate capacity for future growth.

Alternative: If one VPC needs access to only one other VPC, update route tables to limit traffic to specified IP address range of target VPC.

Transit Gateway provides a scalable, manageable solution for connecting multiple VPCs across accounts and regions while maintaining centralized control and reducing operational complexity compared to full mesh architectures.