AWS Transit Gateway FAQs
General
In which AWS Regions is AWS Transit Gateway available?
AWS Transit Gateway is available in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US-East), AWS GovCloud (US-West), Canada (Central), South America (São Paulo), Africa (Cape Town), EU (Ireland), EU (Stockholm), EU (London), EU (Frankfurt), EU (Paris), EU (Milan), Middle East (Bahrain), Asia Pacific (Hong Kong), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Seoul), Asia Pacific (Sydney), Asia Pacific (Beijing), Asia Pacific (Ningxia), Asia Pacific (Jakarta), Middle East (UAE), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), and Canada West (Calgary) AWS Regions.
Transit Gateway Peering support is available in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), AWS GovCloud (US-East), AWS GovCloud (US-West), Canada (Central), EU (Ireland), EU (Frankfurt), EU (Paris), EU (London), EU (Stockholm), EU (Milan), Middle East (Bahrain), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Osaka), Asia Pacific (Beijing), Asia Pacific (Ningxia), South America (São Paulo), Asia Pacific (Jakarta), Middle East (UAE), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), and Israel (Tel Aviv) AWS Regions.
Transit Gateway Multicast support is available in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), AWS GovCloud (US-East), AWS GovCloud (US-West), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), EU (Stockholm), EU (Paris), EU (Milan), South America (São Paulo), Africa (Cape Town), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Mumbai), Asia Pacific (Hong Kong), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Middle East (Bahrain), Asia Pacific (Beijing), Asia Pacific (Ningxia), Asia Pacific (Jakarta), Middle East (UAE), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), and Israel (Tel Aviv) AWS Regions.
IGMP support for Transit Gateway Multicast is available in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), Europe (Ireland), Europe (London), Europe (Paris), Europe (Frankfurt), Europe (Stockholm), Europe (Milan), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Mumbai), Asia Pacific (Hong Kong), Asia Pacific (Beijing), Asia Pacific (Ningxia), Asia Pacific (Osaka), Asia Pacific (Jakarta), Canada (Central), South America (São Paulo), Africa (Cape Town), Middle East (Bahrain), Middle East (UAE), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), GovCloud (US-East), and GovCloud (US-West) AWS Regions.
Transit Gateway Connect is available in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), Europe (Ireland), Europe (London), Europe (Paris), Europe (Frankfurt), Europe (Stockholm), Europe (Milan), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Mumbai), Asia Pacific (Hong Kong), Asia Pacific (Beijing), Asia Pacific (Ningxia), Asia Pacific (Osaka), Asia Pacific (Jakarta), Canada (Central), South America (São Paulo), Africa (Cape Town), Middle East (Bahrain), Middle East (UAE), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), GovCloud (US-East), and GovCloud (US-West) AWS Regions.
How do I control which Amazon Virtual Private Clouds (VPCs) can communicate with each other?
You can segment your network by creating multiple route tables in an AWS Transit Gateway and associating Amazon VPCs and VPNs with them. This lets you create isolated networks inside an AWS Transit Gateway, similar to virtual routing and forwarding (VRF) instances in traditional networks. The AWS Transit Gateway always has a default route table; the use of additional route tables is optional.
How does routing work in AWS Transit Gateway?
AWS Transit Gateway supports dynamic and static routing between attached Amazon VPCs and VPNs. By default, Amazon VPCs, VPNs, Direct Connect gateways, Transit Gateway Connect attachments, and peered Transit Gateways are associated with the default route table. You can create additional route tables and associate Amazon VPCs, Direct Connect gateways, VPNs, Transit Gateway Connect attachments, and peered Transit Gateways with them.
Routes decide the next hop based on the destination IP address of the packet. A route can point to an Amazon VPC, a VPN connection, a Direct Connect gateway, a Transit Gateway Connect attachment, or a peered Transit Gateway.
How are routes propagated into the AWS Transit Gateway?
There are two ways that routes get propagated into the AWS Transit Gateway:
- Routes propagated to/from on-premises networks: When you connect a VPN or Direct Connect gateway, routes propagate between the AWS Transit Gateway and your on-premises router using Border Gateway Protocol (BGP).
- Routes propagated to/from Amazon VPCs: When you attach an Amazon VPC to an AWS Transit Gateway or resize an attached Amazon VPC, the Amazon VPC Classless Inter-Domain Routing (CIDR) block propagates into the AWS Transit Gateway route table using internal APIs (not BGP). CIDR is a method for allocating IP addresses and IP routing that slows the growth of routing tables on routers across the Internet and helps slow the exhaustion of IPv4 addresses. Routes in the AWS Transit Gateway route table are not propagated to the Amazon VPC's route table; the VPC owner needs to create a static route to send traffic to the AWS Transit Gateway.
Peering attachments between Transit Gateways do not support route propagation. You need to create static routes in the Transit Gateway route tables to send traffic over peering attachments.
Can I connect Amazon VPCs with identical CIDRs?
AWS Transit Gateway doesn’t support routing between Amazon VPCs with identical CIDRs. If you attach a new Amazon VPC that has a CIDR which is identical to an already attached Amazon VPC, AWS Transit Gateway will not propagate the new Amazon VPC route into the AWS Transit Gateway route table.
What is AWS Transit Gateway Connect?
AWS Transit Gateway Connect is a feature of AWS Transit Gateway. It simplifies the branch connectivity through native integration of SD-WAN (Software-Defined Wide Area Network) network virtual appliances into AWS Transit Gateway. AWS Transit Gateway Connect provides a new logical attachment type called Connect attachment that utilizes the Amazon VPC or AWS Direct Connect attachments as the underlying network transport. It supports standard protocols such as Generic Routing Encapsulation (GRE) and Border Gateway Protocol (BGP) over the Connect attachment.
Which AWS partners support AWS Transit Gateway Connect?
AWS Transit Gateway Connect is supported by a number of leading SD-WAN and Networking partners. Please visit the Partners page for more information.
What types of appliances work with AWS Transit Gateway Connect?
Any third-party network appliances that support standard protocols such as GRE and BGP will work with AWS Transit Gateway Connect.
Can I create Connect attachments with an existing AWS Transit Gateway?
Yes, you can create Connect attachments on an existing AWS Transit Gateway.
Does AWS Transit Gateway Connect support static routes?
No, AWS Transit Gateway Connect does not support static routes. BGP is a minimum requirement.
Are the BGP sessions established over the GRE tunnel?
Yes, the BGP sessions are established over the GRE tunnel.
Can I associate a route table to the Connect attachment?
Yes, as with any other Transit Gateway attachment, you can associate a route table with the Connect attachment. This route table can be the same as, or different from, the route table associated with the VPC or AWS Direct Connect attachment that serves as the underlying transport.
Performance and limits
What are the default limits or quotas for AWS Transit Gateway?
Details on limits and quotas can be found in our documentation.
Should you need to exceed these limits, please create a support case.
Security and compliance
With which compliance programs does AWS Transit Gateway conform?
AWS Transit Gateway inherits compliance from Amazon VPC and meets the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP Moderate, FedRAMP High and HIPAA eligibility.
Feature interoperability
Can I associate my AWS Transit Gateway with a Direct Connect gateway in a different account?
Yes, you can associate your AWS Transit Gateway with an AWS Direct Connect gateway from a different AWS account. Only the owner of the AWS Transit Gateway can create the association with a Direct Connect gateway. You cannot use Resource Access Manager to associate your AWS Transit Gateway with a Direct Connect gateway. For more information, please review the AWS Transit Gateway Support section in the Direct Connect FAQs.
I want to associate my Transit Gateway to a Direct Connect gateway. Can I use the same Autonomous System Number (ASN) for the Direct Connect gateway and the Transit Gateway?
No, you cannot use the same ASN for the Transit Gateway and the Direct Connect gateway.
Which attachment types can I use to route multicast traffic?
You can route multicast traffic within and between VPC attachments to a Transit Gateway. Multicast routing is not supported over AWS Direct Connect, AWS Site-to-Site VPN, and peering attachments.
Does AWS Transit Gateway Connect support IPv6?
Yes, AWS Transit Gateway Connect supports IPv6. You can configure both the GRE tunnel and the Border Gateway Protocol (BGP) addresses with IPv6 addresses.
Can I use different address families for the GRE tunnel and BGP addresses?
Yes, you can configure the GRE tunnel and the BGP addresses to use the same or different address families. For example, you can configure the GRE tunnel with an IPv4 address range and the BGP addresses with an IPv6 address range, or vice versa.
Does AWS Transit Gateway support IGMP for multicast?
Yes, AWS Transit Gateway supports IGMPv2 (Internet Group Management Protocol version 2) for multicast traffic.
Can I have both IGMP and static members in the same multicast domain?
Yes, you can have both IGMP and static members in the same multicast domain. IGMP-capable members can dynamically join or leave a multicast group by sending IGMPv2 messages. You can add or remove static members of a multicast group using the console, CLI, or SDK.
Can I share a Transit Gateway for multicast?
Yes, you can use AWS Resource Access Manager (RAM) to share a transit gateway multicast domain for VPC subnet associations across accounts or across your organization in AWS Organizations.
Network Manager
What is AWS Transit Gateway Network Manager?
AWS Transit Gateway Network Manager is a feature of AWS Transit Gateway. It centralizes management and monitoring of networking resources and connections to remote branch locations.
How do I set up AWS Transit Gateway Network Manager?
Use the following steps to set up and manage Transit Gateway Network Manager:
- Create a new 'global network', which is initially an empty object.
- Register your AWS Transit Gateways from any AWS Region.
- Add on-premises and cloud resources: enter information about your on-premises and cloud devices, sites, links, connections, Connect peers, and the Site-to-Site VPN connections with which they are associated.
- Monitor your global network through Network Manager's visualizations, events, and metrics.
Which AWS partners are supporting AWS Transit Gateway Network Manager?
AWS Transit Gateway Network Manager is supported by a number of leading SD-WAN partners. Please visit the Partners page for more information. Their integration of Network Manager into their SD-WAN solutions enables you to automate the branch-cloud connectivity and provides end-to-end monitoring of the global network from a single dashboard.
What is a global network?
A ‘Global Network’ is an object in the AWS Transit Gateway Network Manager service that represents your private global network in AWS. It includes your AWS Transit Gateway hubs, their attachments, AWS partner SD-WAN network virtual appliances, and on-premises devices, sites, links and connections.
What resources are automatically included in the global network when I register an AWS Transit Gateway?
For registered AWS Transit Gateways, all attachments are automatically included. Attachments include VPCs, VPNs, Direct Connect gateways, AWS Transit Gateway Connect, and AWS Transit Gateway peering.
How can I visualize the resources and connections in my global network?
The AWS Transit Gateway Network Manager dashboard shows your AWS Transit Gateways across all AWS Regions and on-premises. It offers a logical view and a geographic view of your network resources and connections, along with connection status.
How does AWS Transit Gateway Network Manager help me monitor my global network?
The dashboard of AWS Transit Gateway Network Manager shows network events and metrics such as bytes in/out, packets in/out, and packets dropped. Connection status is embedded in the topology and geographic views of your global network. AWS Transit Gateway Network Manager also offers real-time network events and metrics for your global network through Amazon CloudWatch. These events, metrics, and visualizations help you monitor your network and take action as needed.
What metrics are available in AWS Transit Gateway Network Manager?
From the dashboard of Network Manager, you can view Transit Gateway availability and performance metrics, such as bytes in/out, packets in/out, and packets dropped. AWS Site-to-Site VPN up/down metrics are also available to view for your on-premises devices and links.
What network events are available in AWS Transit Gateway Network Manager?
AWS Transit Gateway Network Manager offers built-in event notifications for network topology changes, routing updates, and connection status updates. These events are delivered through CloudWatch Events.
How do AWS partners support AWS Transit Gateway Network Manager?
SD-WAN providers offer integration with AWS Transit Gateway Network Manager. Their integration of Network Manager into their SD-WAN solutions enables them to automate the branch-cloud connectivity and provides end-to-end monitoring of the global network from a single pane of glass, the dashboard of the Network Manager.
How do I automatically connect using a partner SD-WAN device?
Your partner's SD-WAN solution uses AWS application programming interfaces (APIs) on your behalf to automatically register the branch device, create a VPN connection, and then apply the VPN configuration to the branch device to establish the connection.
What is Route Analyzer?
Route Analyzer is a feature of AWS Transit Gateway Network Manager. It helps you to verify routing configurations of Transit Gateways across your global network.
Does Route Analyzer send data packets to analyze the route?
No, Route Analyzer does not send any data packets but verifies the associated Transit Gateway route table configuration between the given source and the destination.
Can I use the Route Analyzer on my existing Transit Gateways?
Yes, you can, provided your Transit Gateway is registered to your global network. If there are multiple Transit Gateways on the path to the destination, all of them need to be registered to the global network.
Can I use the Route Analyzer to analyze routes in VPC route tables?
No, Route Analyzer only verifies Transit Gateway route tables. VPC route tables and customer gateway devices are not a part of the analysis.
Can I use the Route Analyzer to analyze security group rules and network ACL rules in VPC?
No, Route Analyzer only verifies Transit Gateway route tables. Security Group rules and Network ACL rules are not a part of the analysis.
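The segmentation, propagation, and identical-CIDR rules described under "General", together with the static route-table check that Route Analyzer performs (no packets sent, VPC route tables and security groups out of scope), as an added example that is not AWS's code: a small Python model of a Transit Gateway with VRF-style route tables. All attachment ids, CIDRs, and route table names are constructed sample values.

```python
import ipaddress

class RouteTable:
    """One TGW route table; attachments associated with it forward using its routes."""
    def __init__(self, name):
        self.name, self.routes = name, {}   # ip_network -> (target attachment, origin)

    def propagate(self, cidr, att_id):
        """Propagated route (VPC CIDR via internal APIs, or on-prem prefix learned over BGP)."""
        net = ipaddress.ip_network(cidr)
        if net in self.routes:               # identical CIDR already present: not installed
            return False
        self.routes[net] = (att_id, "propagated")
        return True

    def add_static(self, cidr, att_id):
        """Static route; the only option towards a peering attachment (no propagation)."""
        self.routes[ipaddress.ip_network(cidr)] = (att_id, "static")

class TransitGateway:
    def __init__(self):
        self.tables, self.assoc = {}, {}     # name -> RouteTable; attachment -> table name

    def associate(self, att_id, table):
        """Each attachment is associated with exactly one route table (VRF-like isolation)."""
        self.assoc[att_id] = table
        return self.tables.setdefault(table, RouteTable(table))

    def next_hop(self, src_att, dst_ip):
        """Static check over TGW route tables only: longest-prefix match in the table
        associated with the source attachment; None means the destination is unreachable."""
        table = self.tables[self.assoc[src_att]]
        ip = ipaddress.ip_address(dst_ip)
        hits = [n for n in table.routes if ip in n]
        return table.routes[max(hits, key=lambda n: n.prefixlen)][0] if hits else None

def build_segmented_tgw():
    """Constructed scenario: prod and dev VPCs isolated from each other, both reach one
    VPN, and only prod reaches a peered TGW through a static route."""
    tgw = TransitGateway()
    rt_prod = tgw.associate("tgw-attach-prod", "rt-prod")
    rt_dev = tgw.associate("tgw-attach-dev", "rt-dev")
    rt_shared = tgw.associate("tgw-attach-vpn", "rt-shared")
    rt_prod.propagate("10.1.0.0/16", "tgw-attach-prod")
    rt_dev.propagate("10.2.0.0/16", "tgw-attach-dev")
    for rt in (rt_prod, rt_dev):                      # on-prem prefix learned via BGP
        rt.propagate("192.168.0.0/16", "tgw-attach-vpn")
    for cidr, att in (("10.1.0.0/16", "tgw-attach-prod"), ("10.2.0.0/16", "tgw-attach-dev")):
        rt_shared.propagate(cidr, att)                # the VPN's table sees both VPCs
    rt_prod.add_static("10.50.0.0/16", "tgw-attach-peer")
    return tgw
```

Calling next_hop for a dev source and a prod destination returns None, which is the isolation the separate route tables are meant to enforce; a second VPC with the dev CIDR is rejected by propagate, matching the identical-CIDR rule above.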
I have a middlebox appliance attached to my transit gateway; will this feature work with this type of network architecture?
Yes, you can use this feature with a middlebox appliance architecture set up on your Transit Gateway. When you run the analysis, Route Analyzer will ask you to confirm if there is a middlebox appliance between the source and destination.