CloudWiki

Amazon Web Services (AWS): Transit Gateway (Network)
A transit gateway (TGW) is a fully managed service that acts as a network transit hub used to connect virtual private clouds (VPCs) and on-premises networks through a single place, simplifying management and control over your organization's connected networks while reducing operational costs.

Terraform resource: aws_ec2_transit_gateway

Transit Gateway attributes:
  • amazon_side_asn - (Optional) Private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs. Default value: 64512.
  • auto_accept_shared_attachments - (Optional) Whether resource attachment requests are automatically accepted. Valid values: disable, enable. Default value: disable.
  • default_route_table_association - (Optional) Whether resource attachments are automatically associated with the default association route table. Valid values: disable, enable. Default value: enable.
  • default_route_table_propagation - (Optional) Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: disable, enable. Default value: enable.
  • description - (Optional) Description of the EC2 Transit Gateway.
  • dns_support - (Optional) Whether DNS support is enabled. Valid values: disable, enable. Default value: enable.
  • multicast_support - (Optional) Whether Multicast support is enabled. Required to use ec2_transit_gateway_multicast_domain. Valid values: disable, enable. Default value: disable.
  • tags - (Optional) Key-value tags for the EC2 Transit Gateway. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • transit_gateway_cidr_blocks - (Optional) One or more IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size /24 CIDR block or larger for IPv4, or a size /64 CIDR block or larger for IPv6.
  • vpn_ecmp_support - (Optional) Whether VPN Equal Cost Multipath Protocol support is enabled. Valid values: disable, enable. Default value: enable.

Associating resources with a Transit Gateway

Resources do not "belong" to a Transit Gateway. Rather, one or more Security Groups are associated with a resource.
Create Transit Gateway via Terraform:

The following HCL creates a transit gateway.

Syntax:

resource "aws_ec2_transit_gateway" "example" {
 description = "example"
}

Create Transit Gateway via CLI:

Parameters:

create-transit-gateway
[--description <value>]
[--options <value>]
[--tag-specifications <value>]
[--dry-run | --no-dry-run]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-transit-gateway \
   --description MyTGW \
   --options AmazonSideAsn=64516,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable,VpnEcmpSupport=enable,DnsSupport=enable

Best Practices for Transit Gateway

Categorized by Availability, Security & Compliance and Cost

Info: Cross transit connectivity is allowed by EC2
Info: Cross transit connectivity is allowed by ECS
Info: Cross transit connectivity is allowed by Lambda
Info: Cross transit connectivity is allowed by Pod
Warning: Ensure Transit Gateway 'Auto Accept Shared Attachments' is disabled
Warning: Ensure Transit Gateway VPC associations and propagations are disabled
Info: Network ACL (NACL) changes alarm
Info: Transit Gateway (TGW) changes alarm
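The two "Warning" rules above can be checked from the output of `aws ec2 describe-transit-gateways`, whose Options keys match the --options names used in the CLI example. The following audit function is an added example, not code from the page or from CloudWiki; the gateway IDs and the response shape are constructed to mirror that output, and each finding names the Terraform attribute that should be set to "disable".

```python
# Added example: audit describe-transit-gateways output for the risky defaults
# flagged above. Maps each Options key to the aws_ec2_transit_gateway attribute
# that remediates it (value "disable").
CHECKS = {
    "AutoAcceptSharedAttachments": "auto_accept_shared_attachments",
    "DefaultRouteTableAssociation": "default_route_table_association",
    "DefaultRouteTablePropagation": "default_route_table_propagation",
}


def audit_transit_gateways(response):
    """Return {TransitGatewayId: [terraform_attribute, ...]} for every gateway
    whose Options enable auto-accept of shared attachments or automatic
    association/propagation with the default route table."""
    findings = {}
    for tgw in response.get("TransitGateways", []):
        options = tgw.get("Options", {})
        hits = [attr for key, attr in CHECKS.items()
                if options.get(key, "disable") == "enable"]
        if hits:
            findings[tgw["TransitGatewayId"]] = hits
    return findings


# Constructed sample (placeholder IDs) in the shape of the
# describe-transit-gateways response: the first gateway matches the CLI
# example above, the second is configured to satisfy both Warning rules.
SAMPLE_RESPONSE = {
    "TransitGateways": [
        {"TransitGatewayId": "tgw-0example0000000001",
         "Options": {"AmazonSideAsn": 64516,
                     "AutoAcceptSharedAttachments": "enable",
                     "DefaultRouteTableAssociation": "enable",
                     "DefaultRouteTablePropagation": "enable",
                     "VpnEcmpSupport": "enable", "DnsSupport": "enable"}},
        {"TransitGatewayId": "tgw-0example0000000002",
         "Options": {"AmazonSideAsn": 64512,
                     "AutoAcceptSharedAttachments": "disable",
                     "DefaultRouteTableAssociation": "disable",
                     "DefaultRouteTablePropagation": "disable",
                     "VpnEcmpSupport": "enable", "DnsSupport": "enable"}},
    ]
}

if __name__ == "__main__":
    for tgw_id, attrs in audit_transit_gateways(SAMPLE_RESPONSE).items():
        print(f"{tgw_id}: set {', '.join(attrs)} = \"disable\"")
```

Against real output, pipe `aws ec2 describe-transit-gateways --output json` into `json.load` and pass the result to `audit_transit_gateways`.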