Networking

Building a Hub-and-Spoke Network with AWS Transit Gateway - Multi-VPC Connectivity Design

Consolidate multiple VPCs and on-premises networks in a hub-and-spoke topology, establish security boundaries with route table isolation, and enable multi-region connectivity through peering.

約 3 分で読めます

Transit Gateway Overview

Transit Gateway is a service that connects multiple VPCs and on-premises networks in a hub-and-spoke topology. VPC peering provides one-to-one connections, and managing a full mesh becomes increasingly difficult as the number of VPCs grows. Transit Gateway acts as a single hub, consolidating all VPC and VPN connections.

Route Table Isolation and Multi-Account Support

By isolating Transit Gateway route tables, you can implement segmentation such as allowing production VPCs to communicate with each other while blocking communication with development VPCs, and making shared services VPCs accessible from all VPCs. Use RAM to share the Transit Gateway with other accounts, allowing each account's VPCs to attach. With Direct Connect Gateway integration, on-premises networks can access all VPCs through the Transit Gateway, eliminating the need to build separate VPN connections for each VPC.

Peering and Multi-Region Connectivity

Transit Gateway peering connects Transit Gateways in different regions, enabling you to build a multi-region hub-and-spoke network. Peering connections traverse the AWS global backbone, providing low-latency communication without going through the internet. Peering routes are configured as static routes, with each region's CIDR blocks advertised to the other. Transit Gateway Connect attachments let you establish GRE tunnels and BGP peering with SD-WAN appliances, integrating on-premises networks through dynamic routing. You can also create multicast domains on Transit Gateway to distribute multicast traffic across VPCs. For a systematic understanding of network design from fundamentals to advanced topics, books on Amazon are a great resource.

Transit Gateway Pricing Structure

Transit Gateway pricing consists of attachment charges (hourly billing per VPC, VPN, or Direct Connect Gateway) and data processing charges. Each attachment costs approximately $0.05/hour (about $36/month), and in environments with many VPCs, attachment fees become the primary cost driver. Data processing is charged at approximately $0.02 per GB. Peering attachments incur additional inter-region data transfer charges. By analyzing traffic patterns between VPCs and using VPC peering (no data processing charges) for high-traffic VPC pairs alongside Transit Gateway, you can reduce data processing costs. Use Flow Logs to visualize traffic passing through Transit Gateway for cost optimization decisions.

Summary

Transit Gateway is a service that consolidates multi-VPC networks in a hub-and-spoke topology. It establishes security boundaries between production, development, and shared services through route table isolation, and builds multi-region networks through peering. Connect attachments enable GRE/BGP integration with SD-WAN, and Flow Logs visualize traffic patterns to support cost optimization decisions.

Related Services

AWS Transit GatewayA network hub that connects multiple VPCs and on-premises networks in a hub-and-spoke topologyAmazon VPCBuild a logically isolated virtual network on AWSAWS Direct ConnectA service that provides a dedicated network connection between on-premises and AWS for stable, low-latency connectivity

Related Articles

Building Dedicated Connections with AWS Direct Connect - Redundancy Design and Traffic ControlDesign redundant dedicated connections and connect to VPCs across multiple regions with Direct Connect Gateway. This article also covers bandwidth aggregation with LAG and MACsec encryption.Cross-Account Resource Sharing with AWS RAM - Sharing VPC Subnets and Transit GatewaysLearn how to share VPC subnets and Transit Gateways across accounts to centralize IP address space management and reduce VPC peering connections.Visualizing Your Global Network with AWS Network Manager - Centralized Topology and Health ManagementLearn how to visualize the topology of your global network including Transit Gateways and VPNs, and verify connectivity with route analysis.

More on This Topic

Building a Service Mesh with AWS App Mesh - Controlling and Observing Microservice CommunicationLearn how to declaratively configure canary deployments, retry policies, and mTLS encryption using Envoy sidecars, and visualize service dependencies with X-Ray integration.Service Discovery with AWS Cloud Map - Dynamic Name Resolution for MicroservicesDynamically discover microservice endpoints using DNS-based and API-based approaches. Learn how to automate service registration and deregistration through integration with ECS and EKS.How CloudFront's 600+ PoPs Work - Anycast Routing and the Cache HierarchyLearn how CloudFront routes user requests to the nearest PoP using Anycast, the two-tier structure of edge locations and regional edge caches, and the design factors that determine cache hit rates.Dedicated Connection Design - Achieving Stable Private Network Connectivity with Direct ConnectLearn about dedicated connection design with AWS Direct Connect, including choosing between dedicated and hosted connections, redundancy configurations, and achieving stable private network connectivity through VPC integration.Building Dedicated Connections with AWS Direct Connect - Redundancy Design and Traffic ControlDesign redundant dedicated connections and connect to VPCs across multiple regions with Direct Connect Gateway. This article also covers bandwidth aggregation with LAG and MACsec encryption.Elastic IP Address Management and Design - Static IP Usage and Cost OptimizationLearn about Elastic IP allocation, EC2 association, cost implications of unused EIPs, and alternative approaches to consider.Why ELB Has Three Types - The Design Rationale Behind ALB, NLB, and CLBExplore why ALB, NLB, and CLB (Classic) coexist rather than being unified into a single service, examining OSI model layers, performance characteristics, and historical context.Global Network Optimization with AWS Global Accelerator - Low-Latency Delivery and FailoverLearn how to route traffic onto the AWS global network using Anycast IPs, design endpoint groups, and achieve failover through health checks.

Similar Articles and Services

AWS Transit GatewayA service that interconnects multiple VPCs and on-premises networks in a hub-and-spoke topology, dramatically simplifying network architectureThe Depth of AWS Networking Services - Enterprise Network Design with VPC, Transit Gateway, and PrivateLinkThis article examines AWS networking services centered on VPC, Transit Gateway, PrivateLink, Direct Connect, and Network Firewall, comparing them with Azure VNet/ExpressRoute and GCP VPC/Cloud Interconnect to explain the flexibility advantages in enterprise network design.AWS Network ManagerA service for centralized visualization and management of global networksVisualizing Your Global Network with AWS Network Manager - Centralized Topology and Health ManagementLearn how to visualize the topology of your global network including Transit Gateways and VPNs, and verify connectivity with route analysis.