AWS Transit Gateway: Building Blocks
This article explores segmentation with AWS Transit Gateway (TGW). I’ve grouped together answers to the questions I most frequently receive from customers and partners to provide a quick reference guide. It covers key topics such as TGW and VPC route tables, TGW attachments, and the differences between association and propagation.
Cristian
Amazon Employee
Published Oct 23, 2024
I’m writing this post because I frequently get questions about AWS Transit Gateway (TGW) segmentation, particularly around association, propagation, and routing tables. This article aims to provide a quick reference to demystify these topics. It covers essential elements like TGW route tables, attachments, associations and propagations.
AWS Transit Gateway acts as a regional virtual router, allowing you to interconnect your Virtual Private Clouds (VPCs) and on-premises networks through a single gateway. It simplifies your network architecture, scales routing across VPCs, VPNs, and on-premises networks, and offers a centralised model for routing and security. Transit Gateway's route tables and routing domains enable segmentation, where each domain adheres to a set of routing policies, facilitating efficient traffic management, enhanced security, and simplified multi-account, multi-VPC connectivity. Through route propagation and BGP (Border Gateway Protocol) routing, Transit Gateway dynamically learns and adapts to network changes, reducing operational overhead while maintaining a robust, scalable network infrastructure.
Continuing from the centralised routing model of AWS Transit Gateway, its route tables play a pivotal role in orchestrating traffic flow across your network. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each Transit Gateway can have multiple route tables, allowing for the segmentation of networks akin to Virtual Routing and Forwarding (VRF) technology, which enables a router to maintain multiple routing tables simultaneously for network segmentation. As traffic exits a VPC, the Transit Gateway references the associated route table to determine the destination, ensuring traffic is directed to the correct segment, be it another VPC, a VPN connection, or a Direct Connect gateway, emulating the structured, segmented routing framework provided by VRF within AWS environments.
Finally, we can't avoid talking about the Default Route Table (yes, there is one!). When you deploy a Transit Gateway, a default route table is created automatically. When you attach a VPC, VPN, or Direct Connect gateway to the Transit Gateway, entries are auto-populated in this default route table, so the attached resources can reach each other without additional configuration. However, while convenient, this setup permits communication between all attached resources without segmentation. For controlled, segmented traffic flow, additional route tables and configuration are necessary; otherwise the default behaviour allows broad connectivity across all attachments, potentially conflicting with the network segmentation and security policies you intend.
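As an added illustration (not code from the original post), the following check audits a Transit Gateway description for the "everything can talk to everything" posture that the default route table gives you out of the box. The input dictionaries are constructed to mirror the shape of `aws ec2 describe-transit-gateways` and `aws ec2 get-transit-gateway-route-table-associations` output; the IDs are placeholders and no AWS API calls are made.

```python
# Added example (not from the original post): flag a Transit Gateway whose
# default route table association/propagation settings put every attachment
# into one routing domain. Input is constructed to resemble the EC2 API output
# shape; IDs are placeholders and nothing here calls AWS.
from typing import Dict, List


def audit_default_route_table(tgw: Dict, associations: Dict[str, List[Dict]]) -> List[str]:
    """Return a list of findings; an empty list means the TGW looks segmented."""
    findings: List[str] = []
    opts = tgw.get("Options", {})
    tgw_id = tgw.get("TransitGatewayId", "<unknown>")

    # New attachments are silently associated with the default table.
    if opts.get("DefaultRouteTableAssociation") == "enable":
        findings.append(
            f"{tgw_id}: DefaultRouteTableAssociation is enabled; every new "
            "attachment lands in the default route table unless overridden"
        )

    # New attachments' routes are silently propagated into the default table,
    # so it learns a path to every attached CIDR.
    if opts.get("DefaultRouteTablePropagation") == "enable":
        findings.append(
            f"{tgw_id}: DefaultRouteTablePropagation is enabled; routes from "
            "every new attachment are learned by the default route table"
        )

    # Combined effect: several attachments associated with the same table that
    # also receives all propagated routes form one unsegmented routing domain.
    assoc_rtb = opts.get("AssociationDefaultRouteTableId")
    members = [a["TransitGatewayAttachmentId"] for a in associations.get(assoc_rtb, [])]
    if assoc_rtb and len(members) > 1 and assoc_rtb == opts.get("PropagationDefaultRouteTableId"):
        findings.append(
            f"{assoc_rtb}: {len(members)} attachments share the default route "
            f"table ({', '.join(members)}); they sit in one routing domain"
        )
    return findings


# Constructed sample: a freshly created TGW with three attachments left on defaults.
UNSEGMENTED_TGW = {
    "TransitGatewayId": "tgw-EXAMPLE0000000001",
    "Options": {
        "DefaultRouteTableAssociation": "enable",
        "DefaultRouteTablePropagation": "enable",
        "AssociationDefaultRouteTableId": "tgw-rtb-EXAMPLEDEFAULT",
        "PropagationDefaultRouteTableId": "tgw-rtb-EXAMPLEDEFAULT",
    },
}
UNSEGMENTED_ASSOCIATIONS = {
    "tgw-rtb-EXAMPLEDEFAULT": [
        {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLEPROD", "ResourceType": "vpc"},
        {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLEDEV", "ResourceType": "vpc"},
        {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLEVPN", "ResourceType": "vpn"},
    ]
}

# Constructed sample: defaults disabled and each attachment in its own table.
SEGMENTED_TGW = {
    "TransitGatewayId": "tgw-EXAMPLE0000000002",
    "Options": {
        "DefaultRouteTableAssociation": "disable",
        "DefaultRouteTablePropagation": "disable",
    },
}
SEGMENTED_ASSOCIATIONS = {
    "tgw-rtb-EXAMPLEPROD": [
        {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLEPROD", "ResourceType": "vpc"}
    ],
    "tgw-rtb-EXAMPLEDEV": [
        {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLEDEV", "ResourceType": "vpc"}
    ],
}

if __name__ == "__main__":
    for label, tgw, assoc in (
        ("unsegmented", UNSEGMENTED_TGW, UNSEGMENTED_ASSOCIATIONS),
        ("segmented", SEGMENTED_TGW, SEGMENTED_ASSOCIATIONS),
    ):
        print(label, audit_default_route_table(tgw, assoc) or ["no findings"])
```

Feeding the real JSON from the two CLI commands into `audit_default_route_table` is a quick way to confirm, before you start building segment-specific route tables, that the default behaviour has actually been switched off.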
For precise traffic routing, the VPC route table must be configured alongside the Transit Gateway route tables. Within the VPC route table, entries must direct traffic for the specified destinations to the Transit Gateway attachment. This ensures that traffic destined for particular network segments is forwarded to the Transit Gateway, which then consults its own route tables to route the traffic accordingly. In a VPC, a route table contains a set of rules that dictate how traffic is forwarded to various destinations; it acts as a roadmap for traffic through the network infrastructure, getting it accurately and efficiently to the Transit Gateway and beyond. To leverage the segmentation capabilities of AWS Transit Gateway (TGW), both the Transit Gateway route tables and the VPC route tables must be correctly configured. This dual-level routing setup forms a structured pathway that guides traffic securely and efficiently across the various segments of your network infrastructure.
In order to fully understand how TGW works, we need to start from the concept of "Attachment". An attachment in AWS Transit Gateway serves as the bridge for traffic flow between the gateway and other network entities such as VPCs, VPN connections, Direct Connect gateways, and more. Here's a list of the types of attachments you can have with AWS Transit Gateway:
VPC Attachments:
- Attaching a VPC to a Transit Gateway entails specifying a subnet from each Availability Zone for the gateway to route traffic through.
- Within the chosen VPC subnets, AWS Transit Gateway deploys an elastic network interface to handle traffic routing to and from the Transit Gateway.
VPN Attachments:
A VPN attachment enables the association of a VPN connection with the Transit Gateway, making it possible to route traffic between your on-premises network and the AWS cloud securely via a VPN tunnel.
Direct Connect Gateway Attachments:
When a Direct Connect gateway is attached, a private linkage between your on-premises network and AWS is established, allowing traffic routing over a dedicated network connection (Direct Connect).
Peering Connections:
Peering comes into play when two Transit Gateways are interconnected, facilitating the routing of traffic between them, which is especially useful for inter-region traffic routing within AWS.
Transit Gateway Connect Attachments:
This is a logical attachment type that allows your TGW to establish a connection with a third-party SD-WAN appliance. It supports standard protocols like Generic Routing Encapsulation (GRE) and Border Gateway Protocol (BGP) over the Connect attachment, providing a streamlined way to manage routing protocols.
Each attachment type is instrumental in defining how traffic is navigated and managed through the AWS Transit Gateway, contributing to a robust, scalable, and secure network architecture adaptable to various network setups and configurations.
Now that we have covered attachments, let's talk about association. Association in the context of AWS Transit Gateway refers to the linking of a route table to a particular attachment, be it a VPC, VPN, Direct Connect gateway, or peering connection. This association directs how traffic is routed from the attachment through the Transit Gateway.
Route Table Association:
- By default, the attachment is associated with the default route table of the Transit Gateway unless specified otherwise.
- You can also create Custom Route Tables and associate them to the attachments.
Traffic Routing:
- Once an attachment is associated with a route table, the routing rules defined in that route table govern the traffic flow from the attachment.
- The route table contains entries that tell the Transit Gateway how to route traffic from the associated attachment to other attachments or network segments.
Customisation and Segmentation:
- You can create multiple route tables within a Transit Gateway to achieve network segmentation and more granular control over traffic routing.
- By associating different attachments with different route tables, you can control which network segments can communicate with each other.
Route Propagation:
- Besides manual entry, route tables can automatically learn routes from the attachments through a feature called route propagation.
- When an attachment is associated with a route table and route propagation is enabled, the routes from the attachment are automatically propagated to the route table, simplifying route management.
Overriding Defaults:
- You can override the default association by explicitly associating an attachment with a different route table.
- This allows for more sophisticated routing configurations and network architectures.
Association is a fundamental aspect of managing traffic flow through AWS Transit Gateway. By associating route tables with attachments, you dictate the paths that traffic can take through the Transit Gateway, enabling organised, efficient, and secure network communication.
Propagation, on the other hand, refers to the automatic "dissemination" of routes from an attachment to the Transit Gateway's route table. This feature removes the need for manual route entry, making route management more efficient. Here’s an in-depth look at propagation:
Route Propagation Mechanism:
When an attachment is associated with a route table and route propagation is enabled, the Transit Gateway automatically populates the route table with routes from the attachment, facilitating seamless connectivity without manual intervention.
Propagation Source:
The source of propagation can be a VPC, VPN, or Direct Connect gateway attachment, each having its own set of routes that can be propagated to the Transit Gateway's route table.
Route Learning:
AWS Transit Gateway learns the routes from the attachment and populates them in the specified route table, ensuring that the routing information is up-to-date and accurate.
Traffic Routing:
Post propagation, the Transit Gateway uses the learned routes to make informed routing decisions, directing traffic to the appropriate destinations based on the most current routing information.
Network Scalability and Management:
Propagation fosters network scalability and simplifies routing management, especially in dynamic or large-scale network environments where manual route entry and updates would be impractical.
Route Overlap Handling:
In instances where there's a route overlap, the Transit Gateway adheres to specific route precedence rules to determine which route to use for traffic routing. In the case of multiple routes for the same destination, the route selection follows the "longest prefix match" rule. This means that the route with the most specific (i.e., longest) prefix is chosen to route the traffic. The longest prefix match rule ensures that the most precise routing path is selected when there are multiple potential routes.
Propagation Control:
You have the control to enable or disable route propagation for each attachment and route table association, allowing for fine-grained control over which routes are propagated and used for routing decisions.
Multi-Route Table Propagation:
It's possible to propagate routes from an attachment to multiple route tables, further extending the flexibility and control over traffic routing within your network infrastructure.
Propagation is a critical feature that augments the routing capabilities of AWS Transit Gateway, providing a mechanism for automatic route dissemination from attachments to the Transit Gateway's route tables.
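The association, propagation and longest-prefix-match behaviour described in the sections above, as an added model (not code from the original post or from AWS): each attachment is associated with exactly one route table, which is the table consulted for traffic coming from that attachment; an attachment may propagate its routes into several tables; and when routes overlap, the most specific prefix wins. The attachment names, route table names and CIDRs are constructed for the illustration, and the blackhole route shows a static, more specific route overriding a propagated one.

```python
# Added example (not from the original post): a small model of how a Transit
# Gateway applies association, propagation and longest-prefix match when it
# forwards a packet. Names and CIDRs are constructed; nothing here calls AWS.
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

BLACKHOLE = "blackhole"  # static route target that drops matching traffic


class TransitGateway:
    def __init__(self) -> None:
        self.attachments: Dict[str, List[str]] = {}        # attachment -> CIDRs it advertises
        self.route_tables: Dict[str, List[Tuple[IPv4Network, str]]] = {}  # table -> (prefix, target)
        self.associations: Dict[str, str] = {}             # attachment -> its ONE associated table

    def attach(self, name: str, cidrs: List[str]) -> None:
        self.attachments[name] = list(cidrs)

    def create_route_table(self, name: str) -> None:
        self.route_tables[name] = []

    def associate(self, attachment: str, table: str) -> None:
        # Association selects the table consulted for traffic *from* this attachment.
        self.associations[attachment] = table

    def propagate(self, attachment: str, table: str) -> None:
        # Propagation copies the attachment's routes *into* a table. One attachment
        # can propagate into many tables, which is how shared services become
        # reachable from several segments without a route between the segments.
        for cidr in self.attachments[attachment]:
            self.route_tables[table].append((ip_network(cidr), attachment))

    def add_static_route(self, table: str, cidr: str, target: str) -> None:
        self.route_tables[table].append((ip_network(cidr), target))

    def lookup(self, table: str, dst: str) -> Optional[str]:
        # Longest-prefix match: among routes that contain dst, the most specific wins.
        addr = ip_address(dst)
        best: Optional[Tuple[IPv4Network, str]] = None
        for prefix, target in self.route_tables[table]:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, target)
        return best[1] if best else None

    def forward(self, src_attachment: str, dst: str) -> Optional[str]:
        """Target attachment for a packet entering from src_attachment, BLACKHOLE, or None (no route)."""
        table = self.associations.get(src_attachment)
        return self.lookup(table, dst) if table else None


def build_segmented_tgw() -> TransitGateway:
    """Prod and dev are isolated from each other; both can reach shared services."""
    tgw = TransitGateway()
    tgw.attach("prod-vpc", ["10.1.0.0/16"])
    tgw.attach("dev-vpc", ["10.2.0.0/16"])
    tgw.attach("shared-vpc", ["10.0.0.0/16"])
    for table in ("prod-rtb", "dev-rtb", "shared-rtb"):
        tgw.create_route_table(table)
    tgw.associate("prod-vpc", "prod-rtb")
    tgw.associate("dev-vpc", "dev-rtb")
    tgw.associate("shared-vpc", "shared-rtb")
    # Shared services propagate into both segment tables; the segments never
    # propagate into each other's tables, so there is no prod<->dev route.
    tgw.propagate("shared-vpc", "prod-rtb")
    tgw.propagate("shared-vpc", "dev-rtb")
    # Return path: the shared table learns both segments.
    tgw.propagate("prod-vpc", "shared-rtb")
    tgw.propagate("dev-vpc", "shared-rtb")
    # Overlap handling: a more specific static blackhole beats the propagated
    # /16, so dev cannot reach one sensitive subnet inside shared services.
    tgw.add_static_route("dev-rtb", "10.0.9.0/24", BLACKHOLE)
    return tgw


if __name__ == "__main__":
    tgw = build_segmented_tgw()
    for src, dst in (("prod-vpc", "10.0.1.10"), ("dev-vpc", "10.0.9.7"), ("prod-vpc", "10.2.3.4")):
        print(f"{src} -> {dst}: {tgw.forward(src, dst)}")
```

Note the asymmetry the model makes explicit: propagating `shared-vpc` into `prod-rtb` gives prod a path to shared services, but the reply only gets back because `prod-vpc` is also propagated into `shared-rtb`. A missing return-path propagation is the most common cause of "the route is there but nothing connects" when a segmented design is first built.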
In this cheat sheet, I’ve grouped together some of the most frequently asked questions about AWS Transit Gateway (TGW) segmentation, covering key aspects like association, propagation, route tables, and the different attachment types. These concepts play a crucial role in creating an efficient and secure network infrastructure within AWS. By understanding and leveraging TGW route tables and segmentation models, such as hub-and-spoke, inspection, and centralised egress, you can better manage traffic, reduce complexity, and enhance security across your AWS environments. This guide serves as a quick reference to help you implement and optimise TGW segmentation, providing actionable insights for common customer scenarios.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.