Aviatrix Answers

How are the VPC route tables updated when connecting VPC’s via AWS Transit Gateway?


Key Concepts


The AWS transit gateway (TGW) allows you to connect VPCs to each other and also allows you to connect VPCs to on-premise environments. The TGW is designed to replace the older Transit VPC architecture where you deployed third-party instances that performed transitive routing functions.

While both the TGW and the older Transit VPC constructs allow for connectivity, the routing updates and related challenges are completely different. Let’s take a look at the legacy approach of implementing transit using the Transit VPC architecture:

The connectivity to on-premises relies on Direct Connect or IPsec VPN and terminates in a VGW attached to the Transit VPC. A third-party appliance, like a CSR 1000v, then connects the VGW to all the “spoke VPCs”.

In this construct, the on-premises (or datacenter) environment routes are learned by the VGW through Border Gateway Protocol (BGP). The third-party appliance/instance also learns these on-premises routes through BGP from the VGW and propagates them to the spoke VPCs’ route tables. So, if we add or remove a subnet in the datacenter or connect a new branch location, these route changes are propagated all the way to the spoke VPCs using multiple BGP hops.

Now, let’s look at the newer Transit Gateway.

The TGW can connect to on-prem environments using VPN (or Direct Connect) and learn routes using BGP. The TGW has internal route tables that get populated with the on-premises routes. But the TGW does not propagate these routes into the spoke VPC route tables. The VPC route updates need to be done via static route updates.

Similarly, route changes on-premise or VPC changes in the cloud have to be statically maintained when using the TGW. In this regard, the native TGW solution alone may not meet all your requirements.
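To make the gap concrete, here is an added example (not Aviatrix or AWS code) that reconciles a spoke VPC route table against the prefixes a TGW has learned and reports the static-route changes the TGW will not make on its own. The resource IDs are hypothetical and the route data is constructed to mimic the shapes returned by the EC2 API calls `search_transit_gateway_routes` and `describe_route_tables`; it shows the two failure modes a static-only setup produces (a new on-premises prefix that is unreachable from the spoke, and a withdrawn prefix whose stale static route blackholes traffic) plus a guard that never overwrites a route already pointing somewhere else, such as the VPC's local route.

```python
"""Reconcile a spoke VPC route table against the prefixes a Transit Gateway
has learned, producing the static-route changes the TGW will not make itself.

Added example (not Aviatrix or AWS code). Resource IDs are hypothetical and the
route data is constructed to mimic the shapes returned by
ec2.search_transit_gateway_routes() and ec2.describe_route_tables().
"""
from ipaddress import ip_network

TGW_ID = "tgw-0123456789abcdef0"          # hypothetical
SPOKE_RTB_ID = "rtb-0a1b2c3d4e5f60718"    # hypothetical

# Constructed: what the TGW route table holds after BGP from the VPN/DX attachment.
TGW_ROUTES = [
    {"DestinationCidrBlock": "10.100.0.0/16", "Type": "propagated", "State": "active"},
    {"DestinationCidrBlock": "10.200.8.0/24", "Type": "propagated", "State": "active"},
    # Prefix withdrawn on-prem; the TGW marks it blackhole, the VPC table does not notice.
    {"DestinationCidrBlock": "10.200.9.0/24", "Type": "propagated", "State": "blackhole"},
    # Prefix that collides with the spoke VPC's own CIDR; must never become a static route.
    {"DestinationCidrBlock": "10.1.0.0/16", "Type": "propagated", "State": "active"},
]

# Constructed: the spoke VPC's route table as it stands today.
SPOKE_ROUTE_TABLE = {
    "RouteTableId": SPOKE_RTB_ID,
    "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fedcba9876543210", "State": "active"},
        {"DestinationCidrBlock": "10.100.0.0/16", "TransitGatewayId": TGW_ID, "State": "active"},
        # Stale static route: still points at the TGW although the prefix was withdrawn.
        {"DestinationCidrBlock": "10.200.9.0/24", "TransitGatewayId": TGW_ID, "State": "active"},
    ],
}


def desired_tgw_prefixes(tgw_routes):
    """Prefixes the spoke should reach via the TGW: only routes in the active state."""
    return {ip_network(r["DestinationCidrBlock"]) for r in tgw_routes if r["State"] == "active"}


def plan_static_routes(tgw_routes, route_table, tgw_id):
    """Return (add, delete, conflict) as sorted lists of CIDR strings.

    add:      prefixes the TGW knows but the spoke has no static route for
    delete:   spoke static routes to the TGW whose prefix is no longer active in the TGW
    conflict: prefixes already routed elsewhere (local, IGW, ...); reported, never overwritten
    """
    desired = desired_tgw_prefixes(tgw_routes)
    via_tgw, via_other = set(), set()
    for r in route_table["Routes"]:
        cidr = ip_network(r["DestinationCidrBlock"])
        (via_tgw if r.get("TransitGatewayId") == tgw_id else via_other).add(cidr)
    missing = desired - via_tgw
    add = sorted(str(c) for c in missing - via_other)
    conflict = sorted(str(c) for c in missing & via_other)
    delete = sorted(str(c) for c in via_tgw - desired)
    return add, delete, conflict


def planned_api_calls(tgw_routes, route_table, tgw_id):
    """Translate the plan into the EC2 API calls an operator or automation would issue.

    The parameter names match ec2.create_route()/ec2.delete_route(); the calls are only
    described here, not executed.
    """
    add, delete, _ = plan_static_routes(tgw_routes, route_table, tgw_id)
    rtb = route_table["RouteTableId"]
    calls = [{"api": "create_route", "RouteTableId": rtb, "DestinationCidrBlock": c,
              "TransitGatewayId": tgw_id} for c in add]
    calls += [{"api": "delete_route", "RouteTableId": rtb, "DestinationCidrBlock": c}
              for c in delete]
    return calls


if __name__ == "__main__":
    add, delete, conflict = plan_static_routes(TGW_ROUTES, SPOKE_ROUTE_TABLE, TGW_ID)
    print("add:     ", add)       # ['10.200.8.0/24']
    print("delete:  ", delete)    # ['10.200.9.0/24']
    print("conflict:", conflict)  # ['10.1.0.0/16']
    for call in planned_api_calls(TGW_ROUTES, SPOKE_ROUTE_TABLE, TGW_ID):
        print(call)
```

Running this once per spoke after every on-premises change is exactly the manual work the article refers to; the conflict list is the check worth keeping even if the rest is automated, since a BGP-learned prefix that overlaps a VPC's own CIDR or an existing IGW/NAT route should be investigated rather than silently overwritten.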

To overcome this problem, AWS recommends using Aviatrix’s TGW Orchestrator feature that completes route propagation into the VPC spokes and enforces security domains.

For more information please visit: https://docs.aviatrix.com/HowTos/tgw_faq.html

Or, watch the related videos here: https://www.aviatrix.com/resources/videos/