General
Q: How do I control which Amazon VPCs can communicate with each other?
A: You can segment your network by creating multiple route tables in an Amazon Transit Gateway and associating Amazon VPCs with them. This lets you create isolated networks inside an Amazon Transit Gateway, similar to virtual routing and forwarding (VRF) in traditional networks: an attachment can only reach destinations that have a route in the table it is associated with. The Amazon Transit Gateway will have a default route table. The use of multiple route tables is optional.
Q: How does routing work in Amazon Transit Gateway?
A: Amazon Transit Gateway supports dynamic and static routing between attached Amazon VPCs. By default, Amazon VPCs and Transit Gateway Connect attachments are associated with the default route table. You can create additional route tables and associate Amazon VPCs and Transit Gateway Connect attachments with them.
The routes decide the next hop depending on the destination IP address of the packet. Routes can point to an Amazon VPC or a Transit Gateway Connect.
Q: How do routes get propagated into the Amazon Transit Gateway?
A: There are two ways routes get propagated into the Amazon Transit Gateway:
- Routes propagated to/from virtual router appliance: When you set up Transit Gateway Connect, routes will propagate between the Amazon Transit Gateway and the virtual router appliance in VPC using Border Gateway Protocol (BGP).
- Routes propagated to/from Amazon VPCs: When you attach an Amazon VPC to an Amazon Transit Gateway or resize an attached Amazon VPC, the Amazon VPC Classless Inter-Domain Routing (CIDR) block will propagate into the Amazon Transit Gateway route table using internal APIs (not BGP). CIDR is a method for allocating IP addresses and IP routing that slows the growth of routing tables on routers across the Internet and helps slow the exhaustion of IPv4 addresses. Routes in the Amazon Transit Gateway route table will not be propagated to the Amazon VPC's route table. The Amazon VPC owner needs to create a static route in the VPC route table to send traffic to the Amazon Transit Gateway.
Peering attachments between Transit Gateways do not support route propagation.
Q: Can I connect Amazon VPCs with overlapping CIDRs?
A: Amazon Transit Gateway doesn't support routing between Amazon VPCs with overlapping CIDRs. If you attach a new Amazon VPC that has a CIDR which overlaps with an already attached Amazon VPC, Amazon Transit Gateway will not propagate the new Amazon VPC's route into the Amazon Transit Gateway route table, so check for overlaps before attaching rather than relying on the missing route to surface later.
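The route-table behaviour described in the answers above (VRF-like isolation per table, VPC CIDR propagation, the overlapping-CIDR rule, and next-hop selection by destination IP), as an added Python model. This is illustrative code written for this page, not AWS's implementation or API; the attachment IDs, table names and CIDRs are constructed, and the model assumes a propagated route is installed only in the table you name.

```python
import ipaddress

class TransitGateway:
    # Model of the FAQ's route-table rules (not the AWS API).
    def __init__(self):
        self.tables = {"default": {}}   # table name -> {network: attachment id}
        self.association = {}           # attachment id -> table it is associated with
        self.cidrs = {}                 # attachment id -> VPC CIDR (constructed values)
    def create_route_table(self, name):
        self.tables[name] = {}
    def attach_vpc(self, attachment, cidr, table="default"):
        """Associate the VPC attachment with a table and propagate its CIDR there."""
        self.cidrs[attachment] = ipaddress.ip_network(cidr)
        self.association[attachment] = table
        return self.propagate(attachment, table)
    def propagate(self, attachment, table):
        """Install the VPC CIDR as a route; a CIDR overlapping a route already in
        the table is not propagated (returns False), as the FAQ states."""
        net = self.cidrs[attachment]
        if any(net.overlaps(existing) for existing in self.tables[table]):
            return False
        self.tables[table][net] = attachment
        return True
    def next_hop(self, src_attachment, dst_ip):
        """Next hop is chosen by destination IP (longest prefix first) using only
        the table the source attachment is associated with, so tables isolate."""
        table = self.tables[self.association[src_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        matches = [net for net in table if ip in net]
        return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def demo():
    """Constructed scenario: prod and dev are isolated; a shared VPC is reachable from both."""
    tgw = TransitGateway()
    tgw.create_route_table("prod")
    tgw.create_route_table("dev")
    tgw.attach_vpc("tgw-attach-prod", "10.1.0.0/16", "prod")
    tgw.attach_vpc("tgw-attach-dev", "10.2.0.0/16", "dev")
    tgw.attach_vpc("tgw-attach-shared", "10.3.0.0/16", "prod")
    tgw.propagate("tgw-attach-shared", "dev")      # also advertise the shared VPC to dev
    dup_ok = tgw.attach_vpc("tgw-attach-dup", "10.1.128.0/17", "prod")  # overlaps prod VPC
    return {
        "prod->shared": tgw.next_hop("tgw-attach-prod", "10.3.0.10"),
        "dev->shared": tgw.next_hop("tgw-attach-dev", "10.3.0.10"),
        "dev->prod": tgw.next_hop("tgw-attach-dev", "10.1.0.10"),   # None: no route, isolated
        "overlap_propagated": dup_ok,                               # False: dropped
    }
```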
Q: What is Amazon Transit Gateway Connect?
A: Amazon Transit Gateway Connect is a feature of Amazon Transit Gateway. It simplifies the branch connectivity through native integration of SD-WAN (Software-Defined Wide Area Network) network virtual appliances into Amazon Transit Gateway. Amazon Transit Gateway Connect provides a new logical attachment type called Connect attachment that utilizes the Amazon VPC attachments as the underlay network transport. It supports standard protocols such as Generic Routing Encapsulation (GRE) and Border Gateway Protocol (BGP) over the Connect attachment.
Q: What types of appliances work with Amazon Transit Gateway Connect?
A: Any third-party network appliance that supports standard protocols such as GRE and BGP will work with Amazon Transit Gateway Connect.
Q: Can I create Connect attachments with an existing Amazon Transit Gateway?
A: Yes, you can create Connect attachments on an existing Amazon Transit Gateway.
Q: Does Amazon Transit Gateway Connect support static routes?
A: No, Amazon Transit Gateway Connect does not support static routes. BGP is a minimum requirement.
Q: Are the BGP sessions established over the GRE tunnel?
A: Yes, the BGP sessions are established over the GRE tunnel.
Q: Can I associate a route table to the Connect attachment?
A: Yes, as with any other Transit Gateway attachment, you can associate a route table with the Connect attachment. This route table can be the same as or different from the route table associated with the VPC attachment that serves as the underlying transport.
Performance and limits
Q: What are the service limits that I need to keep in mind while using Amazon Transit Gateways?
A: The table below lists the different service limits:
Limit | Default
---|---
Number of Amazon Transit Gateway attachments | 5,000
Maximum bandwidth (burst) per VPC connection | 50 Gbps
Number of Amazon Transit Gateways per account | 5
Number of Amazon Transit Gateway attachments per VPC | 5
Number of routes | 10,000
Number of Transit Gateway Connect peers (GRE tunnels) per Transit Gateway Connect attachment | 4
Maximum (burst) bandwidth per Transit Gateway Connect peer (GRE tunnel)* | 5 Gbps (up to 20 Gbps in total per Connect attachment)
Dynamic routes advertised from a virtual router appliance to a Transit Gateway Connect peer | 1,000
Routes advertised from a Transit Gateway Connect peer to a virtual router appliance | 5,000
*Each Transit Gateway Connect peer (GRE tunnel) supports a maximum throughput of up to 5 Gbps. You can create up to 4 Connect peers per Connect attachment (up to 20 Gbps in total bandwidth per Connect attachment), as long as the underlying transport (VPC) attachment supports the required bandwidth. You can use equal-cost multi-path routing (ECMP) to get higher bandwidth by scaling horizontally across multiple Connect peers of the same Connect attachment or across multiple Connect attachments on the same transit gateway. The transit gateway cannot use ECMP between the BGP peerings of the same Connect peer.
Feature interoperability
Q: Does Amazon Transit Gateway support IPv6?
A: Yes, Amazon Transit Gateway supports attaching Amazon VPCs with IPv6 CIDRs.
Q: Which Amazon VPC features are not supported in the first release?
A: Security Group Referencing on Amazon VPC is not supported at launch. Spoke Amazon VPCs cannot reference security groups in other spokes connected to the same Amazon Transit Gateway.
Q: Does Amazon Transit Gateway Connect support IPv6?
A: Yes, Amazon Transit Gateway Connect supports IPv6. You can configure both the GRE tunnel and the Border Gateway Protocol (BGP) addresses with IPv6 addresses.
Q: Can I use different address families for the GRE tunnel and BGP addresses?
A: Yes, you can configure the GRE tunnel and the BGP addresses in the same or different address families. For example, you can configure the GRE tunnel with an IPv4 address range and the BGP addresses with an IPv6 address range, or vice versa.
Q: Does Amazon Transit Gateway support IGMP for multicast?
A: Yes, Amazon Transit Gateway supports IGMPv2 (Internet Group Management Protocol version 2) for multicast traffic.
Q: Can I have both IGMP and static members in the same multicast domain?
A: Yes, you can have both IGMP and static members in the same multicast domain. IGMP-capable members can dynamically join or leave a multicast group by sending IGMPv2 messages. You can add or remove static members of a multicast group using the console, CLI, or SDK.
Q: Can I share a Transit Gateway for multicast?
A: Yes, you can use Amazon Resource Access Manager (RAM) to share a transit gateway multicast domain for VPC subnet associations across accounts or across your organization in Amazon Organizations.