Aviatrix Answers

What is the AWS Transit Gateway and why do I need orchestration?

Key Concepts


AWS Transit Gateway (TGW) is a new service announced at re:Invent 2018 that allows customers to interconnect thousands of Virtual Private Clouds (VPCs) and on-premises networks. TGW is highly flexible: it enables new cloud network architectures and replaces many point-to-point peering connections. This is an overview of what the TGW service can and cannot do. Developed closely with AWS, Aviatrix orchestration helps further simplify your transit network. Also feel free to download and print this 2-page PDF Transit Gateway quick reference guide.

The basics:

TGW is a cross-account, per-region service available to VPCs and VPNs in that region.

TGW Route Tables - the dynamic and static routes that decide the next hop for VPCs/VPNs based on the destination IP address. TGW comes with one default table. You can add many route tables.

TGW Attachment - TGWs can have VPCs or VPNs as attachments. A VPC or VPN can be attached to only one TGW route table. A VPC or VPN can be attached to one or more TGWs.

TGW Route Domain - Similar to virtual routing and forwarding (VRF) instances in traditional networks, a route domain is a conceptual group of VPCs and/or VPNs attached to a single route table.

Those are the TGW components. Now let’s talk about the routing:

Route Tables: Dynamic Propagation or Static Routes?

There are 4 types of propagation of routes (see diagram):

  1. Propagation of Spokes to TGW: When enabled, an attached VPC or VPN dynamically propagates its routes into its TGW route table.
  2. Propagation to On-prem networks: When a VPN is attached, routes in the TGW are advertised via BGP to your on-prem router.
  3. No propagation between Spoke VPCs: As VPCs or VPNs are attached to the TGW, routes in the TGW are not propagated to the Spoke VPC route tables. Static routes need to be created in the Spoke VPCs to send traffic to the TGW. APN partner Aviatrix provides dynamic propagation to spokes.
  4. No propagation between TGW Route Tables: For connectivity across route domains, static routes may be added to TGW route tables. For example, a ‘Shared Services’ domain can reach other domains, but ‘Prod’ and ‘Dev’ domains cannot reach each other. Aviatrix automatically updates route tables per connection policies set by the user.
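The following is an added example, not code from the original page or from Aviatrix: a small Python model of the route-domain behaviour described in points 1 and 4, with constructed attachment names and CIDRs. Each TGW route table is one domain, every attachment is associated with exactly one table, propagation only copies an attachment's prefixes into a table, and the only way across domains is a static route. The `reachable_pairs` audit shows that Shared Services reaches Prod and Dev while Prod and Dev stay isolated.

```python
from ipaddress import ip_address, ip_network

class TransitGateway:
    def __init__(self):
        self.attachments = {}  # attachment name -> list of VPC/VPN networks
        self.tables = {}       # route-table (domain) name -> {network: next-hop attachment}
        self.association = {}  # attachment name -> the single table it is associated with

    def attach(self, name, cidrs, table):
        # A VPC or VPN attachment is associated with exactly one TGW route table.
        self.attachments[name] = [ip_network(c) for c in cidrs]
        self.tables.setdefault(table, {})
        self.association[name] = table

    def propagate(self, attachment, table):
        # Point 1: propagation copies the attachment's CIDRs into a route table.
        for net in self.attachments[attachment]:
            self.tables[table][net] = attachment

    def add_static_route(self, table, cidr, attachment):
        # Point 4: tables never learn from each other, so crossing domains needs a static route.
        self.tables[table][ip_network(cidr)] = attachment

    def next_hop(self, src_attachment, dst_ip):
        # Lookup uses the table the *source* attachment is associated with; longest prefix wins.
        table = self.tables[self.association[src_attachment]]
        matches = [net for net in table if ip_address(dst_ip) in net]
        return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def build_segmented_tgw():
    # Shared Services reaches Prod and Dev; Prod and Dev cannot reach each other.
    # Attachment names and CIDRs are constructed for this example (not from the page).
    tgw = TransitGateway()
    tgw.attach("shared-vpc", ["10.0.0.0/16"], "shared-services")
    tgw.attach("prod-vpc", ["10.1.0.0/16"], "prod")
    tgw.attach("dev-vpc", ["10.2.0.0/16"], "dev")
    for spoke in tgw.attachments:
        tgw.propagate(spoke, tgw.association[spoke])   # each spoke into its own domain
    tgw.add_static_route("shared-services", "10.1.0.0/16", "prod-vpc")
    tgw.add_static_route("shared-services", "10.2.0.0/16", "dev-vpc")
    tgw.add_static_route("prod", "10.0.0.0/16", "shared-vpc")  # return path to Shared only
    tgw.add_static_route("dev", "10.0.0.0/16", "shared-vpc")
    return tgw

def reachable_pairs(tgw):
    # Audit helper: every (src, dst) pair with a forward route; use it to prove Prod/Dev isolation.
    return {(s, d) for s in tgw.attachments for d, nets in tgw.attachments.items()
            if s != d and tgw.next_hop(s, str(nets[0][1])) == d}
```

Re-running `reachable_pairs` after every route-table change is the kind of auditable policy check that catches a stray static route which would silently join two domains.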

Tell me more about the TGW Edge connectivity use cases:

VPN: IPsec to on-prem is supported by TGW. An Aviatrix Edge VPC can be utilized with an existing VGW, avoiding reconfiguration of the customer gateway (on-premises router/firewall).

Direct Connect: DX or DXGW is not yet supported with TGW at this time. Aviatrix supports VPN and Direct Connect via a VGW.

Cross-region TGW: Not supported natively at this time. Aviatrix 4.1 supports this use case.

Multicloud: TGW does not natively support connectivity to other cloud service providers. Aviatrix supports this use case.

Summary of Aviatrix Orchestration of AWS Transit Gateway:

  • Dynamic route propagation of spokes
  • Advanced troubleshooting
  • Auditable policies
  • Compliance reporting
  • Expandable to include VPC egress security, user VPN, and Cloud DMZ

Fig. Aviatrix Controller visualization of Transit Network