Transit gateway configuration

In the AWS Region where the most AWS resources will be provisioned or applications deployed, create a transit gateway in the network account. When you create the transit gateway, clear the default route table propagation and association. Instead, you will attach and propagate routes in specific transit gateway route tables based on the type of VPC.

For this transit gateway, create three different transit gateway route tables:

Inbound VPC transit gateway route table:
- Association – All VPC attachments whose traffic must be inspected, except for the outbound and firewall VPCs.
- Propagation – Static route with destination 0.0.0.0/0 pointing out to the firewall VPC attachment.
Firewall inspection transit gateway route table:
- Association – Firewall VPC gateway attachment.
- Propagation – In the firewall VPC transit gateway route table, configure propagation to route traffic from the firewall VPC to respective VPC attachments. To route traffic to internet after inspection, add a static route with destination 0.0.0.0/0 pointing to the outbound VPC.
Outbound transit gateway route table:
- Association – Associate outbound VPC attachment in this route table.
- Propagation – Create a static route with destination 0.0.0.0/0 pointing out to the firewall VPC gateway attachment.

Note

The network account is dedicated to configuring network-related services and components. Don't deploy any additional applications or services in the network account.

The following diagram shows how the traffic from child account VPCs will be routed to and from the centralized network account and the internet or other VPCs.

Centralized transit gateway connects to spoke accounts through transit gateway attachments.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Centralized firewall

Configure endpoints