This chapter covers AWS Transit Gateway, a core networking service that simplifies connecting multiple Amazon Virtual Private Clouds (VPCs) and on-premises networks. For the CLF-C02 exam, this falls under Domain 3: Cloud Technology Services, Objective 3.4: Identify the services that enable connectivity. Transit Gateway is a key service for network architecture questions, which appear in about 10-15% of the exam. Mastering this topic will help you answer questions about hybrid connectivity, VPC peering, and network scaling.
Jump to a section
Imagine a large corporation with multiple office buildings scattered across a city. Each building has its own local network, but they all need to communicate with each other and with the central headquarters. Without a hub, each building would need a dedicated direct cable to every other building, which is expensive, complex, and doesn't scale. This is the problem AWS Transit Gateway solves. Think of Transit Gateway as a central airport hub. Each building (VPC or on-premises network) is like a city with its own airport. Instead of flying direct flights between every pair of cities (which would require countless routes and planes), all flights go through the central hub. The hub handles routing, security, and scaling. In AWS, Transit Gateway is a regional service that acts as this hub. You attach your VPCs and VPN connections to it, and it automatically routes traffic between them. It can also centrally manage routing policies, like a hub that decides which cities can fly to which others. Just as an airport hub reduces the number of required runways and gates, Transit Gateway reduces the number of VPC peering connections and simplifies network management. It also supports multicast, like a hub broadcasting an announcement to all gates. The mechanism is exactly this: a managed, scalable, and highly available hub-and-spoke network topology.
What is AWS Transit Gateway and the Problem It Solves
AWS Transit Gateway is a regional network transit hub that you use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure grows, you may have dozens or hundreds of VPCs. Traditionally, to connect VPCs together, you would use VPC peering. However, VPC peering has several limitations: it's a one-to-one connection, does not support transitive routing (if VPC A is peered with VPC B and VPC B is peered with VPC C, traffic cannot flow from A to C through B), and managing hundreds of peering connections becomes operationally complex. Transit Gateway solves this by providing a central hub that all VPCs and on-premises networks attach to. It uses a hub-and-spoke model, where the Transit Gateway acts as the hub, and each VPC or VPN connection is a spoke. This allows transitive routing between all attached networks without the need for individual peering connections.
How It Works — Walk Through the Mechanism
Transit Gateway is a fully managed service. When you create a Transit Gateway, AWS provisions a highly available, scalable router in the region. You then create attachments to connect your VPCs, VPN connections (from on-premises or other clouds), AWS Direct Connect gateways, and even other Transit Gateways (via peering). Each attachment is associated with a route table. Transit Gateway uses route tables to determine where to send traffic. You can create multiple route tables to isolate networks (e.g., production vs. development) or to control routing policies. For example, you can have a route table that only allows traffic between specific VPCs, while another route table allows all traffic.
Behind the scenes, Transit Gateway uses the AWS global network infrastructure to route traffic efficiently. It supports multicast and can handle up to 50 Gbps per attachment (default limit, can be increased). Transit Gateway also integrates with AWS Network Manager to provide a centralized view of your global network.
Key Tiers, Configurations, and Pricing Models
Transit Gateway has two main pricing components: an hourly charge for each Transit Gateway you create (currently $0.05 per hour in most regions) and a per-GB data transfer charge for data processed by the Transit Gateway (e.g., $0.02 per GB for intra-region transfers). There is also a charge for each attachment (e.g., VPC attachment costs $0.05 per hour). Note that data transfer between VPCs via Transit Gateway is charged at the standard inter-AZ or inter-region data transfer rates, which can add up.
There is no tiered pricing for Transit Gateway itself—it's a flat hourly rate plus usage charges. However, you can use Transit Gateway with AWS Organizations to manage multiple accounts centrally.
Comparison to On-Premises or Competing Approaches
Before Transit Gateway, the primary AWS solution for connecting multiple VPCs was VPC peering. VPC peering is a one-to-one connection that does not support transitive routing. So if you have 10 VPCs, you would need up to 45 peering connections (n*(n-1)/2) to fully mesh them. Transit Gateway reduces this to 10 attachments (one per VPC). Additionally, VPC peering does not support overlapping CIDR blocks, while Transit Gateway can handle overlapping CIDRs with careful route table design (though it's not recommended). For hybrid connectivity, you can use AWS VPN or Direct Connect to connect your on-premises network to Transit Gateway, enabling connectivity to all attached VPCs. Without Transit Gateway, you would need a separate VPN connection for each VPC.
Another alternative is the Third-party virtual firewall or router in a VPC (e.g., Cisco CSR), but that requires manual management and scaling. Transit Gateway is fully managed and scales automatically.
When to Use It vs Alternatives
Use Transit Gateway when you need to connect multiple VPCs (more than three or four) and need transitive routing. Also use it when you need to connect on-premises networks to multiple VPCs via VPN or Direct Connect. For a simple connection between two VPCs, VPC peering is simpler and cheaper. For connecting a single VPC to an on-premises network, a direct VPN or Direct Connect connection may be sufficient. Use Transit Gateway when you anticipate growth or need centralized network management. On the CLF-C02 exam, look for scenarios with "many VPCs" or "hybrid connectivity" that require "transitive routing"—Transit Gateway is the answer.
Configuration Example
To create a Transit Gateway and attach a VPC using the AWS CLI:
# Create a Transit Gateway
aws ec2 create-transit-gateway --description "MyTGW" --region us-east-1
# Create a VPC attachment
aws ec2 create-transit-gateway-vpc-attachment \
--transit-gateway-id tgw-0abcdef1234567890 \
--vpc-id vpc-1a2b3c4d \
--subnet-ids subnet-11111111 subnet-22222222Note that you must specify at least one subnet per Availability Zone to ensure high availability.
Route Tables
Transit Gateway route tables are similar to VPC route tables. Each attachment is associated with a route table. You can propagate routes from attachments to route tables. For example, you can create a route table that has a static route to an inspection VPC for traffic filtering.
Limits
Default maximum attachments per Transit Gateway: 500 (can be increased)
Default maximum route tables per Transit Gateway: 20
Default maximum number of Transit Gateways per region: 5
Maximum transmission unit (MTU): 1500 bytes (does not support jumbo frames)
Transit Gateway supports multicast, but it requires a separate configuration.
Security and Monitoring
Transit Gateway integrates with AWS CloudWatch for metrics (e.g., BytesIn, BytesOut) and AWS CloudTrail for API logging. You can also use VPC Flow Logs on the attachments to monitor traffic. Security groups and network ACLs are applied at the VPC/subnet level, not at the Transit Gateway level. For centralized security, you can route traffic through a security appliance VPC (inspection VPC) using Transit Gateway route tables.
Create a Transit Gateway
Navigate to the VPC console in AWS Management Console, select Transit Gateways, and click Create Transit Gateway. You can provide a name, description, and choose the Amazon side ASN (default is 64512). You can also enable multicast support if needed. AWS will provision the Transit Gateway in the region. Behind the scenes, AWS creates a highly available router infrastructure that spans multiple Availability Zones. The Transit Gateway is assigned a unique ID (e.g., tgw-0a1b2c3d4e5f67890). There is an hourly charge for the Transit Gateway itself, currently $0.05 per hour. This step is the foundation for all future attachments.
Attach a VPC to the Transit Gateway
In the Transit Gateway console, select Create Transit Gateway Attachment. Choose VPC as the attachment type. Select the VPC you want to attach. You must specify at least one subnet in each Availability Zone where the Transit Gateway will be available. AWS creates an elastic network interface (ENI) in each specified subnet. These ENIs act as the entry/exit points for traffic between the VPC and the Transit Gateway. The attachment is assigned an ID (e.g., tgw-attach-1234567890abcdef0). There is an hourly charge for each attachment (currently $0.05 per hour). Ensure that the VPC's route tables are updated to direct traffic destined for other networks to the Transit Gateway attachment.
Update VPC route tables
For each subnet that needs to communicate through the Transit Gateway, you must add a route to the VPC's route table. The destination is the CIDR block of the other VPC or on-premises network, and the target is the Transit Gateway attachment ID. For example, if VPC A (10.0.0.0/16) needs to reach VPC B (10.1.0.0/16), add a route in VPC A's route table: destination 10.1.0.0/16, target tgw-attach-xxx. Repeat for all subnets that need connectivity. Without this step, traffic will not be forwarded to the Transit Gateway. You can also automate this using AWS Resource Access Manager (RAM) to share the Transit Gateway with other accounts.
Connect on-premises network via VPN
To connect your on-premises data center, create a VPN attachment. In the Transit Gateway console, select Create Transit Gateway Attachment, choose VPN, and select an existing Site-to-Site VPN connection or create a new one. You must configure the customer gateway (CGW) with the public IP of your on-premises VPN device. AWS will create two VPN tunnels for high availability. The VPN attachment is then associated with a Transit Gateway route table. Traffic from on-premises can now reach all attached VPCs, provided route tables are correctly configured. This eliminates the need for multiple VPN connections to each VPC. The VPN connection charges apply separately.
Configure route tables for isolation
By default, all attachments are associated with the default route table, which allows all traffic to flow between all attachments. For network isolation, create additional route tables. For example, create a 'Prod' route table and associate only production VPC attachments with it. Create a 'Dev' route table for development VPCs. Then, in the route tables, specify which attachments can send traffic to which. You can also use static routes to force traffic through an inspection VPC. This step is critical for security and compliance. On the exam, know that Transit Gateway supports multiple route tables for traffic isolation.
Scenario 1: Large Enterprise with Multiple VPCs and On-Premises
A financial services company has 50 VPCs across multiple AWS accounts, each serving different business units (e.g., trading, risk, compliance). They also have an on-premises data center with legacy systems. Without Transit Gateway, they would need 1,225 VPC peering connections (50*49/2) and separate VPN connections to each VPC from the data center. By using Transit Gateway, they attach all VPCs and a VPN connection to a single Transit Gateway. They use separate route tables to isolate trading VPCs from other VPCs for security. The cost includes the Transit Gateway hourly fee, attachment fees, and data transfer charges. They save significantly on operational overhead and reduce complexity. A common mistake is forgetting to update route tables in each VPC, causing connectivity failures.
Scenario 2: Multi-Region Hub-and-Spoke
A global e-commerce company operates in three AWS regions: us-east-1, eu-west-1, and ap-southeast-1. They need to connect VPCs in each region to a central shared services VPC in us-east-1. They create a Transit Gateway in each region and peer them together using Transit Gateway peering (inter-region peering). This allows VPCs in different regions to communicate through the hub. They use AWS Network Manager to visualize the entire network. Cost considerations include inter-region data transfer fees, which are higher than intra-region. A pitfall is not planning for bandwidth limits; each Transit Gateway attachment supports up to 50 Gbps, but peering across regions may have lower limits.
Scenario 3: Mergers and Acquisitions
A company acquires another company that already has an AWS environment with its own VPCs. To integrate networks quickly, they use Transit Gateway to connect the two sets of VPCs without requiring IP address renumbering. They create a Transit Gateway and attach both companies' VPCs. They use route tables to control which VPCs can communicate. This allows a phased integration. A common misconfiguration is overlapping CIDR blocks; Transit Gateway does not natively handle overlapping IPs, so they must use network address translation (NAT) or careful route design. AWS recommends using non-overlapping CIDRs.
What CLF-C02 Tests on This Objective
Objective 3.4: "Identify the services that enable connectivity." The exam expects you to know that AWS Transit Gateway is used to connect multiple VPCs and on-premises networks in a hub-and-spoke topology. You should understand that it supports transitive routing, which VPC peering does not. You should also know that Transit Gateway is a regional service, but can be peered across regions. The exam may present a scenario where a company has many VPCs and needs a scalable, managed solution—Transit Gateway is the correct answer.
Common Wrong Answers and Why Candidates Choose Them
VPC Peering: Candidates choose this because they know it connects VPCs. However, VPC peering does not support transitive routing. If the scenario requires connecting more than two VPCs or mentions "transitive routing," VPC peering is wrong. The exam often uses the phrase "hub-and-spoke" to signal Transit Gateway.
AWS Direct Connect: Candidates may choose Direct Connect because it connects on-premises to AWS. However, Direct Connect is just a physical connection; you still need a VPN or Transit Gateway to connect to multiple VPCs. Transit Gateway can use Direct Connect as an attachment.
AWS VPN CloudHub: This is an older solution using multiple VPN connections from on-premises to multiple VPCs. Transit Gateway is the modern, managed alternative. The exam may test that Transit Gateway replaces CloudHub.
Internet Gateway: Candidates confuse Internet Gateway (for public internet access) with Transit Gateway (for private network interconnect). The exam will specify "private connectivity" or "between VPCs."
Specific Terms That Appear on the Exam
Transitive routing: The ability for traffic to pass through an intermediate network (the Transit Gateway) to reach another network.
Hub-and-spoke topology: The design pattern where a central hub (Transit Gateway) connects multiple spokes (VPCs, VPNs).
Attachment: A connection between a Transit Gateway and a VPC, VPN, or Direct Connect gateway.
Route table: Used to control traffic flow between attachments.
Multicast: Supported by Transit Gateway (optional).
Tricky Distinctions
Transit Gateway vs. VPC Peering: Transit Gateway supports transitive routing; VPC peering does not. Transit Gateway can handle overlapping CIDRs with route tables; VPC peering requires non-overlapping.
Transit Gateway vs. AWS PrivateLink: PrivateLink exposes services privately within VPCs; Transit Gateway connects entire networks.
Transit Gateway vs. AWS Direct Connect Gateway: Direct Connect Gateway connects Direct Connect to multiple VPCs in the same region; Transit Gateway can connect across regions and supports VPN attachments.
Decision Rule for Multi-Choice Questions
When you see a question about connecting multiple VPCs (more than 2) or connecting on-premises to multiple VPCs, ask: "Does the scenario require transitive routing?" If yes, choose Transit Gateway. If it's just two VPCs, consider VPC peering. If it's about exposing a service privately, choose PrivateLink. If it's about a dedicated physical connection, choose Direct Connect. Eliminate Internet Gateway if the traffic is private.
AWS Transit Gateway is a regional hub-and-spoke service for connecting multiple VPCs and on-premises networks.
It supports transitive routing, which VPC peering does not.
You attach VPCs, VPNs, and Direct Connect gateways to Transit Gateway.
Transit Gateway uses route tables to control traffic flow; you can isolate networks using separate route tables.
Pricing includes an hourly fee for the Transit Gateway ($0.05/hr) plus per-attachment fees ($0.05/hr) and data transfer charges.
Transit Gateway can be peered across regions for inter-region connectivity.
Common exam trap: choosing VPC peering when transitive routing is needed; Transit Gateway is the correct answer for hub-and-spoke topologies.
Transit Gateway does not resolve overlapping CIDRs automatically; use non-overlapping IPs or NAT.
Maximum attachments per Transit Gateway is 500 (default), can be increased.
AWS Network Manager can monitor and visualize Transit Gateway networks.
These come up on the exam all the time. Here's how to tell them apart.
AWS Transit Gateway
Supports transitive routing (hub-and-spoke)
Can connect many VPCs with fewer connections (n attachments vs n*(n-1)/2 peering)
Allows overlapping CIDRs with careful route design
Supports VPN and Direct Connect attachments for hybrid connectivity
Managed service with hourly and per-GB charges
VPC Peering
One-to-one connection, no transitive routing
Requires full mesh for many VPCs (scales poorly)
Requires non-overlapping CIDR blocks
Only connects VPCs (no direct VPN/Direct Connect)
No additional cost beyond data transfer
AWS Transit Gateway
Connects entire networks (VPCs, on-premises)
Used for network interconnectivity
Supports routing between many networks
Operates at Layer 3 (IP routing)
Can be used with VPN and Direct Connect
AWS PrivateLink
Connects specific services (e.g., a web server) to VPCs
Used for exposing services privately
One-to-many service access
Operates at Layer 4 (using NLB/ENI)
Does not provide full network connectivity
Mistake
Transit Gateway is a global service that can connect VPCs across regions automatically.
Correct
Transit Gateway is regional. To connect VPCs across regions, you must peer Transit Gateways in different regions. It does not automatically span regions.
Mistake
Transit Gateway supports transitive routing by default for all attachments.
Correct
Transitive routing requires proper route table configuration. By default, all attachments are associated with the default route table, which allows full transitive routing. However, you can isolate attachments using separate route tables.
Mistake
Transit Gateway can replace all VPC peering connections, including for inter-region peering.
Correct
Transit Gateway can replace VPC peering for many-to-many connections, but for a simple two-VPC connection, VPC peering is simpler and cheaper. Transit Gateway also has additional costs (hourly charge).
Mistake
Transit Gateway is required to connect a VPC to an on-premises network via VPN.
Correct
You can connect a VPC to on-premises directly using a VPN connection attached to a virtual private gateway. Transit Gateway is needed only when you want to connect multiple VPCs or networks.
Mistake
Transit Gateway automatically handles overlapping CIDR blocks.
Correct
Transit Gateway does not automatically resolve overlapping IP addresses. You must use route tables and possibly network address translation (NAT) to handle overlaps. It is best practice to use non-overlapping CIDRs.
Transit Gateway is a hub-and-spoke service that supports transitive routing, meaning traffic can flow from one VPC to another through the Transit Gateway. VPC peering is a one-to-one connection that does not support transitive routing. For example, if you have three VPCs (A, B, C) and peer A with B and B with C, traffic cannot flow from A to C through B. With Transit Gateway, you attach all three VPCs to the same Transit Gateway, and traffic can flow between any of them. Transit Gateway also supports VPN and Direct Connect attachments, while VPC peering only connects VPCs. For a simple two-VPC connection, VPC peering is simpler and cheaper. For multiple VPCs, Transit Gateway is more scalable. On the exam, if the question mentions 'transitive routing' or 'hub-and-spoke', choose Transit Gateway.
Yes, but you need to create a Transit Gateway in each region and then peer them together using Transit Gateway peering. This allows VPCs in different regions to communicate through the peered Transit Gateways. Each Transit Gateway is regional, so you must set up peering connections between them. Note that inter-region data transfer charges apply. On the exam, remember that Transit Gateway itself is regional, but can be extended across regions via peering.
No, AWS Transit Gateway is not free. There is an hourly charge for each Transit Gateway you create (currently $0.05 per hour in most regions). Additionally, there is a per-attachment hourly charge (e.g., $0.05 per hour for a VPC attachment). Data processed by the Transit Gateway is also charged per GB (e.g., $0.02 per GB for intra-region data transfer). These charges are separate from standard data transfer costs. For a small setup with a few VPCs, VPC peering might be more cost-effective. However, for large-scale deployments, the operational savings often outweigh the costs.
By default, you can attach up to 500 VPCs (or other attachments) to a single Transit Gateway. This limit can be increased by requesting a service limit increase from AWS. Additionally, there are limits on the number of Transit Gateways per region (default 5) and the number of route tables per Transit Gateway (default 20). On the exam, you may be asked about these limits—remember 500 attachments per Transit Gateway.
Yes, AWS Transit Gateway supports multicast, but it is not enabled by default. You must enable multicast support when creating the Transit Gateway. Then you can create multicast domains and associate attachments with them. Multicast allows you to send a single stream of data to multiple receivers, which is useful for applications like video streaming or financial data distribution. On the exam, know that Transit Gateway can support multicast, but it's an optional feature.
Transit Gateway does not automatically resolve overlapping IP addresses. If two VPCs have overlapping CIDR blocks, you must carefully configure route tables to avoid routing conflicts. You can use static routes to prioritize one network over another, or you can use network address translation (NAT) to change IP addresses. However, AWS recommends using non-overlapping CIDR blocks to simplify management. On the exam, remember that Transit Gateway does not natively handle overlapping CIDRs.
Yes, you can attach a Direct Connect Gateway to a Transit Gateway. This allows your on-premises network, connected via Direct Connect, to communicate with all VPCs attached to the Transit Gateway. You need to create a Transit Gateway attachment for the Direct Connect Gateway. This simplifies hybrid connectivity because you only need one Direct Connect connection to reach multiple VPCs. On the exam, this is a common scenario for Transit Gateway.
You've just covered AWS Transit Gateway — now see how well it sticks with free CLF-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?