
AWS Transit Gateway: Concepts, Configuration Steps, and Best Practices

The guide explains AWS Transit Gateway as a cloud router linking VPCs, VPNs, Direct Connect and on‑premises networks, details attachment types, route tables, MTU limits, step‑by‑step creation, custom routing, verification, and best‑practice design recommendations for scalable, highly available deployments.

37 Interactive Technology Team

The document introduces AWS Transit Gateway (TGW) as a cloud router that interconnects Amazon VPCs, VPN connections, and on‑premises networks, enabling seamless communication among them.

It explains key TGW concepts, including the attachment types (VPC, VPN, Direct Connect gateway, and peering), the default and optional custom route tables, MTU limits (8500 bytes for VPC, Direct Connect and Transit Gateway Connect attachments, 1500 bytes for VPN), and how routes are propagated into and associated with those route tables.

Step‑by‑step instructions are provided for creating a Transit Gateway: setting its Name tag and ASN, and disabling default route‑table association and propagation. The guide then details how to create TGW attachments for four VPCs (vpc‑a, vpc‑b, vpc‑c, vpc‑d), associate each attachment with a custom route table, and enable route propagation for each attachment.

Next, the document shows how to create a custom TGW route table, add routes that point to the TGW ID, and associate the route table with the VPC attachments. It also covers updating each VPC’s private route tables to direct traffic for the 10.0.0.0/8 CIDR to the TGW.
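The configuration the two preceding paragraphs describe, written as Terraform; this is an added example, not code from the guide itself. The `vpcs` input map, the private ASN 64512, one dedicated TGW subnet set and one private route table per VPC are assumptions.

```hcl
variable "vpcs" {
  type = map(object({
    vpc_id         = string
    tgw_subnet_ids = list(string) # small dedicated TGW subnets, one per AZ
    private_rt_id  = string       # the VPC's private route table
  }))
}

resource "aws_ec2_transit_gateway" "hub" {
  amazon_side_asn                 = 64512 # private ASN, assumed value
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  tags                            = { Name = "tgw-hub" }
}

resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  for_each           = var.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.tgw_subnet_ids
  # keep attachments off the default table; association is explicit below
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = "tgw-att-${each.key}" }
}

resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.vpc
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# propagation installs each VPC CIDR in the shared table automatically
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.vpc
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

resource "aws_route" "to_tgw" {
  for_each               = var.vpcs
  route_table_id         = each.value.private_rt_id
  destination_cidr_block = "10.0.0.0/8"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.vpc]
}
```

The `depends_on` on `aws_route` is deliberate: the VPC-side 10.0.0.0/8 route is not accepted until the VPC is attached to the TGW, and the shared TGW table only learns each VPC CIDR once that attachment is associated and propagating.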

After configuration, the guide suggests verifying connectivity by pinging between the four test hosts (A, B, C, D) located in different VPCs. It then presents a set of best‑practice recommendations for TGW design, such as using separate small CIDR subnets for each attachment, keeping network ACLs open on TGW subnets, using a single VPC route table for all TGW‑associated subnets, enabling BGP‑based Site‑to‑Site VPN with ECMP, enabling route propagation for Direct Connect and VPN attachments, limiting the number of TGW route tables, and deploying a single TGW per region for high availability.

Finally, reference links to the official AWS documentation are listed for further reading.

Tags: network architecture, cloud computing, AWS, Transit Gateway, VPC