Transit Gateway Connect – Inter-VPC and Multi-account Networking – ANS-C01 Study Guide

Identity and Access Management (IAM) controls access to the Transit Gateway service; users and groups can be granted permissions that define what they may do. Automated provisioning is included with the service: it automatically discovers site-to-site VPN connections and other remote networks connecting into your account. SD-WAN offerings from major vendors are also supported; these vendors offer preconfigured site-to-site VPNs that connect your remote networks into the gateway. The Transit Gateway Network Manager utility gives you a complete view of your WAN, including both AWS and on-premises networks, and its monitoring capabilities include comprehensive metrics.

The service uses BGP as its routing protocol, providing dynamic updates as networks are added or removed. Tunnels can be established using the Generic Routing Encapsulation (GRE) protocol. Multicast support is included, and different multicast groups can be used to deliver streaming audio, video, and software update content in one-to-many simultaneous data flows. Multicast is supported between VPCs but is not supported over Direct Connect; AWS site-to-site VPN endpoints, static multicast members, and IGMPv2 are all supported. The service works with both IPv4 and IPv6 using MP-BGP. Even if you route only IPv6, the BGP peering session itself must be established over IPv4, and the IPv6 prefixes are exchanged over that IPv4 peering session using MP-BGP.

Network segmentation and isolation are provided by using multiple Virtual Routing and Forwarding (VRF) tables. Each VRF is a separate routing instance that supports multiple VPCs, together with the VPN connections associated with them, to create isolated networks. You can have multiple VRFs in each Transit Gateway. A default route table remains for VPC, VPN, Direct Connect gateway, Transit Gateway Connect, and Transit Gateway peering attachments that have not been assigned to a VRF. Route prefixes are learned through BGP propagation, static routes, or, for internal VPC networks, the AWS APIs. Transit Gateway routes do not populate the VPC route table; static routes must be created in your VPCs to send traffic to the Transit Gateway. When you peer Transit Gateways, route propagation is not supported, so static routes must be used across the peering interconnections. For more information, see https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html.
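The association, propagation and isolation rules described above, modelled as a small Python example added here (not AWS code). Attachment names such as vpc-prod, cx-sdwan and tgw-peer and all prefixes are constructed sample values; the model shows that a lookup uses the route table of the source attachment's VRF, that an unassociated attachment falls back to the default table, and that a peering attachment is reachable only through a static route.

```python
# Added example (not AWS code): a model of Transit Gateway route tables acting
# as VRFs. Attachment names and prefixes below are constructed sample values.
from ipaddress import ip_address, ip_network


class TransitGateway:
    def __init__(self):
        # route table name -> {ip_network: attachment id}; "default" always exists
        self.tables = {"default": {}}
        self.assoc = {}  # attachment id -> the one route table it is associated with

    def associate(self, attachment, table):
        self.tables.setdefault(table, {})
        self.assoc[attachment] = table

    def propagate(self, attachment, table, prefixes):
        # Prefixes learned via BGP (Connect, VPN, DX) or the AWS API (VPC CIDRs).
        # Peering attachments cannot propagate; use add_static for them.
        for p in prefixes:
            self.tables.setdefault(table, {})[ip_network(p)] = attachment

    def add_static(self, table, prefix, attachment):
        self.tables.setdefault(table, {})[ip_network(prefix)] = attachment

    def next_hop(self, src_attachment, dst):
        # Lookup happens in the table the *source* attachment is associated with;
        # an unassociated attachment falls back to the default table. Longest
        # prefix wins; None means no route, so the VRF isolates the traffic.
        table = self.tables[self.assoc.get(src_attachment, "default")]
        hits = [p for p in table if ip_address(dst) in p]
        return table[max(hits, key=lambda p: p.prefixlen)] if hits else None


def build_sample():
    tgw = TransitGateway()
    for att, vrf, prefixes in [
        ("vpc-prod", "prod", ["10.1.0.0/16"]),     # VPC CIDR via AWS API
        ("cx-sdwan", "prod", ["192.168.0.0/16"]),  # Connect attachment via BGP
        ("vpc-dev", "dev", ["10.2.0.0/16"]),
        ("vpn-dev", "dev", ["172.16.0.0/12"]),
    ]:
        tgw.associate(att, vrf)
        tgw.propagate(att, vrf, prefixes)
    tgw.add_static("prod", "10.50.0.0/16", "tgw-peer")  # peered TGW: static only
    tgw.add_static("default", "10.1.0.0/16", "vpc-prod")  # reachable from unassociated
    return tgw
```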

Transit Gateway Connect

Transit Gateway Connect is a feature of the Transit Gateway service that integrates SD-WAN services to interconnect branch offices into the AWS cloud. AWS native SD-WAN support reduces the complexity and ongoing management of your wide-area network. The Transit Gateway Connect attachment creates an interconnection from the Transit Gateway service to services offered by AWS SD-WAN partners. Transit Gateway Connect uses two BGP peering sessions when connecting to AWS. The dual peer connections enable routing plane redundancy in case one peer is down due to maintenance or a network impairment. However, a single peer is allowed if desired.

Transit Gateway Connect integrates with the Transit Gateway Network Manager, which lets you view your network's performance by displaying network telemetry and metrics.

AWS partners with leading SD-WAN networking vendors for integration support and services. Vendors include Arista, Aruba, Alkira, Aryaka, Aviatrix, Cisco Systems, Citrix, Fortinet, Juniper, Palo Alto, Peplink, Silver Peak, Sophos, and Versa Networks. For details on each partner, reference the AWS Transit Gateway partner page at https://aws.amazon.com/transit-gateway/partners.