Aviatrix Answers

What is the AWS Transit Gateway (TGW) and why do I need orchestration?

AWS Transit Gateway (TGW) is a new service announced at re:Invent 2018 that allows customers to interconnect thousands of Virtual Private Clouds (VPCs) and on-premises networks. AWS Transit Gateway (TGW) is highly flexible, enabling new cloud network architectures and replacing many point-to-point peering connections. This is an overview of what the AWS Transit Gateway (TGW) service can and cannot do. Developed closely with AWS, Aviatrix orchestration helps further simplify your transit network. Also feel free to download and print this 2-page PDF Transit Gateway quick reference guide.

The basics:

AWS Transit Gateway (TGW) is a cross account, per-region service available to VPCs and VPNs in those regions.

AWS Transit Gateway (TGW) Route Tables - the dynamic and static routes that decide the next hop for VPCs/VPNs based on the destination IP address. AWS Transit Gateway (TGW) comes with one default table. You can add many route tables.

AWS Transit Gateway (TGW) Attachment - AWS Transit Gateways (TGW) can have VPCs or VPNs as attachments. A VPC or VPN can be attached to only one AWS Transit Gateway (TGW) route table. A VPC or VPN can be attached to one or more AWS Transit Gateways (TGW).

AWS Transit Gateway (TGW) Route domain - Similar to virtual routing and forwarding (VRF) instances in traditional networks, a route domain is a conceptual group of VPCs and/or VPNs attached to a single route table.

Those are the AWS Transit Gateway (TGW) components. Now let’s talk about the routing:

Route Tables: Dynamic Propagation or Static Routes?

There are 4 types of propagation of routes (see diagram):

  1. Propagation of Spokes to AWS Transit Gateway (TGW): When enabled, an attached VPC or VPN dynamically propagates its routes into its AWS Transit Gateway (TGW) route table.
  2. Propagation to on-prem networks: when a VPN is attached, routes in the AWS Transit Gateway (TGW) are advertised via BGP to your on-prem router.
  3. No propagation between Spoke VPCs: as VPCs or VPNs are attached to AWS Transit Gateway (TGW), routes in the AWS Transit Gateway (TGW) are not propagated to the Spoke VPC route tables. Static routes need to be created in the Spoke VPCs to send traffic to the AWS Transit Gateway (TGW). APN partner Aviatrix provides dynamic propagation to spokes.
  4. No propagation between AWS Transit Gateway (TGW) Route Tables: For connectivity across route domains, static routes may be added to AWS Transit Gateway (TGW) route tables. For example, a ‘Shared Services’ domain can reach other domains, but the ‘Prod’ and ‘Dev’ domains cannot reach each other. Aviatrix automatically updates route tables per connection policies set by the user.
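To make the route-domain segmentation in points 1 and 4 concrete, here is an added example (not code from Aviatrix or AWS) that models a TGW with three route tables, one per domain, each attachment associated with exactly one table, and static routes that let Shared Services reach Prod and Dev while leaving Prod and Dev with no route to each other. The attachment IDs and CIDRs are constructed for the example; the lookup is a longest-prefix match, so you can check a proposed policy before applying it to a real gateway.

```python
import ipaddress

# Constructed sample topology (not from the article): three VPC attachments.
ATTACHMENTS = {
    "tgw-attach-shared": "10.0.0.0/16",   # Shared Services VPC
    "tgw-attach-prod": "10.1.0.0/16",     # Prod VPC
    "tgw-attach-dev": "10.2.0.0/16",      # Dev VPC
}

# Each attachment is associated with exactly one TGW route table (route domain).
ASSOCIATION = {
    "tgw-attach-shared": "rt-shared",
    "tgw-attach-prod": "rt-prod",
    "tgw-attach-dev": "rt-dev",
}

def build_route_tables():
    """Return {route_table: {prefix: next_hop_attachment}}.

    Propagation (point 1) puts each attachment's CIDR only into the table it
    is associated with; static routes (point 4) supply cross-domain paths."""
    tables = {rt: {} for rt in set(ASSOCIATION.values())}
    for att, cidr in ATTACHMENTS.items():
        tables[ASSOCIATION[att]][cidr] = att
    # Static routes: Shared Services <-> Prod and Shared Services <-> Dev.
    # Deliberately no route between Prod and Dev in either table.
    tables["rt-shared"][ATTACHMENTS["tgw-attach-prod"]] = "tgw-attach-prod"
    tables["rt-shared"][ATTACHMENTS["tgw-attach-dev"]] = "tgw-attach-dev"
    tables["rt-prod"][ATTACHMENTS["tgw-attach-shared"]] = "tgw-attach-shared"
    tables["rt-dev"][ATTACHMENTS["tgw-attach-shared"]] = "tgw-attach-shared"
    return tables

def next_hop(tables, src_attachment, dst_ip):
    """Longest-prefix-match lookup in the table associated with the source
    attachment. Returns the egress attachment, or None when the packet is
    dropped because the route domain has no route to the destination."""
    table = tables[ASSOCIATION[src_attachment]]
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(p).prefixlen, att)
               for p, att in table.items() if ip in ipaddress.ip_network(p)]
    return max(matches)[1] if matches else None

def reachability_matrix(tables):
    """For every ordered pair of distinct attachments, record whether traffic
    to the destination VPC's first host address would be forwarded."""
    out = {}
    for src in ATTACHMENTS:
        for dst, cidr in ATTACHMENTS.items():
            if src != dst:
                host = str(ipaddress.ip_network(cidr)[1])
                out[(src, dst)] = next_hop(tables, src, host) == dst
    return out
```

Running `reachability_matrix(build_route_tables())` shows both Prod->Dev and Dev->Prod as unreachable while every path to or from Shared Services is forwarded, which is the policy point 4 describes.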

Tell me more about the AWS Transit Gateway (TGW) Edge connectivity use cases:

VPN: IPsec to on-prem is supported by AWS Transit Gateway (TGW). An Aviatrix Edge VPC can be utilized with an existing VGW, avoiding reconfiguration of the customer gateway (on-premises router/firewall).

Direct Connect: DX or DXGW is not yet supported with AWS Transit Gateway (TGW). Aviatrix supports VPN and Direct Connect via a VGW.

Cross-region AWS Transit Gateway (TGW): Not supported natively at this time. Aviatrix 4.1 supports this use case.

Multicloud: AWS Transit Gateway (TGW) does not natively support connectivity to other cloud service providers. Aviatrix supports this use case.

Summary of Aviatrix Orchestration of AWS Transit Gateway (TGW):

  • Dynamic route propagation of spokes
  • Advanced troubleshooting
  • Auditable policies
  • Compliance reporting
  • Expandable to include VPC egress security, user VPN, and Cloud DMZ

Fig. Aviatrix Controller visualization of Transit Network