Transit gateways - Amazon VPC

Transit gateways

A transit gateway enables you to attach VPCs and VPN connections and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS RAM to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.

You can enable multicast on a transit gateway, and then create a transit gateway multicast domain that allows multicast traffic to be sent from your multicast source to multicast group members over VPC attachments that you associate with the domain.

Each VPC or VPN attachment is associated with a single route table. That route table decides the next hop for traffic coming from that attachment. A route table inside the transit gateway holds both IPv4 and IPv6 CIDRs, each with a target. The targets are VPCs and VPN connections. When you attach a VPC or create a VPN connection on a transit gateway, the attachment is associated with the default route table of the transit gateway.

You can create additional route tables inside the transit gateway, and change the VPC or VPN association to these route tables. This enables you to segment your network. For example, you can associate development VPCs with one route table and production VPCs with a different route table. This enables you to create isolated networks inside a transit gateway, similar to virtual routing and forwarding instances (VRFs) in traditional networks.

Transit gateways support dynamic and static routing between attached VPCs and VPN connections. You can enable or disable route propagation for each attachment. Transit gateway peering attachments support static routing only, and you can't add a static route that points to a peering attachment between two transit gateways in the same Region.
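The following is an added example, not code from AWS or this guide: a small Python model of the routing behaviour described above. Each attachment is associated with exactly one route table, propagation turns an attachment's CIDRs into routes pointing back at it, static routes are added by hand, and the next hop is chosen by longest-prefix match. All attachment and route table names and all CIDRs are constructed. It shows why a development VPC associated with its own route table cannot reach a production VPC while both can still reach a shared-services VPC.

```python
"""Added example (not AWS code): model of transit gateway route table
segmentation. Attachment ids, route table ids and CIDRs are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class TransitGatewayModel:
    """One route table per attachment association; longest-prefix lookup."""

    def __init__(self):
        self.association = {}            # attachment id -> route table id
        self.routes = defaultdict(dict)  # route table id -> {network: target attachment}
        self.attachment_cidrs = {}       # attachment id -> [networks]

    def attach(self, attachment_id, cidrs, route_table_id):
        """Attach a VPC or VPN and associate it with exactly one route table."""
        self.attachment_cidrs[attachment_id] = [ip_network(c) for c in cidrs]
        self.association[attachment_id] = route_table_id

    def propagate(self, attachment_id, route_table_id):
        """Dynamic routing: the attachment's CIDRs become routes targeting it."""
        for net in self.attachment_cidrs[attachment_id]:
            self.routes[route_table_id][net] = attachment_id

    def add_static_route(self, route_table_id, cidr, target_attachment_id):
        """Static routing: an operator-entered route with an explicit target."""
        self.routes[route_table_id][ip_network(cidr)] = target_attachment_id

    def next_hop(self, source_attachment_id, destination):
        """Attachment that receives traffic from source to destination, or None if dropped."""
        table = self.routes.get(self.association[source_attachment_id], {})
        addr = ip_address(destination)
        matches = [net for net in table if net.version == addr.version and addr in net]
        if not matches:
            return None  # no matching route: the transit gateway drops the packet
        return table[max(matches, key=lambda n: n.prefixlen)]  # longest prefix wins


def build_segmented_gateway():
    """Dev and prod in separate route tables; a shared-services VPC reachable from both."""
    tgw = TransitGatewayModel()
    tgw.attach("dev-a", ["10.1.0.0/16"], "rt-dev")
    tgw.attach("dev-b", ["10.2.0.0/16"], "rt-dev")
    tgw.attach("prod-a", ["10.10.0.0/16"], "rt-prod")
    tgw.attach("prod-b", ["10.11.0.0/16"], "rt-prod")
    tgw.attach("vpn-onprem", ["192.168.0.0/16"], "rt-prod")
    tgw.attach("shared", ["10.100.0.0/16"], "rt-shared")
    for dev in ("dev-a", "dev-b"):
        tgw.propagate(dev, "rt-dev")
        tgw.propagate(dev, "rt-shared")  # shared services needs a return path to dev
    for prod in ("prod-a", "prod-b", "vpn-onprem"):
        tgw.propagate(prod, "rt-prod")
        tgw.propagate(prod, "rt-shared")
    tgw.propagate("shared", "rt-dev")
    tgw.propagate("shared", "rt-prod")
    # Static default route: production egress leaves through the on-premises VPN.
    tgw.add_static_route("rt-prod", "0.0.0.0/0", "vpn-onprem")
    return tgw


if __name__ == "__main__":
    model = build_segmented_gateway()
    for src, dst in [("dev-a", "10.2.0.5"), ("dev-a", "10.10.0.5"),
                     ("dev-a", "10.100.0.5"), ("prod-a", "8.8.8.8")]:
        print(f"{src} -> {dst}: {model.next_hop(src, dst)}")
```

Because rt-dev carries no production routes, traffic from dev-a towards 10.10.0.0/16 has no match and is dropped, while the more specific 10.100.0.0/16 route still beats the static 0.0.0.0/0 route in rt-prod.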

You can optionally associate one or more IPv4 or IPv6 CIDR blocks with your transit gateway. You specify an IP address from the CIDR block when you establish a Transit Gateway Connect peer for a Transit Gateway Connect attachment. You can associate any public or private IP address range, except for addresses in the 169.254.0.0/16 range, and ranges that overlap with addresses for your VPC attachments and on-premises networks. For more information about IPv4 and IPv6 CIDR blocks, see VPCs and subnets in the Amazon VPC User Guide.

Create a transit gateway

When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table. If you choose not to create the default transit gateway route table, you can create one later on. For more information about routes and route tables, see Routing.

To create a transit gateway using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateways.

  3. Choose Create transit gateway.

  4. For Name tag, optionally enter a name for the transit gateway. A name tag can make it easier to identify a specific gateway from the list of gateways. When you add a Name tag, a tag is created with a key of Name and with a value equal to the value you enter.

  5. For Description, optionally enter a description for the transit gateway.

  6. For Amazon side Autonomous System Number (ASN), either leave the default value to use the default ASN or enter the private ASN for your transit gateway. This should be the ASN for the AWS side of a Border Gateway Protocol (BGP) session.

    The range is 64512 to 65534 for 16-bit ASNs.

    The range is 4200000000 to 4294967294 for 32-bit ASNs.

    If you have a multi-Region deployment, we recommend that you use a unique ASN for each of your transit gateways.

  7. For DNS support, select this option if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway.

  8. For VPN ECMP support, select this option if you need Equal Cost Multipath (ECMP) routing support between VPN tunnels. If connections advertise the same CIDRs, the traffic is distributed equally between them.

    When you select this option, the advertised BGP ASN, the BGP attributes such as the AS-path, and the communities for preference must be the same.

    Note

    To use ECMP, you must create a VPN connection that uses dynamic routing. VPN connections that use static routing do not support ECMP.

  9. For Default route table association, select this option to automatically associate transit gateway attachments with the default route table for the transit gateway.

  10. For Default route table propagation, select this option to automatically propagate transit gateway attachments to the default route table for the transit gateway.

  11. (Optional) To use the transit gateway as a router for multicast traffic, select Multicast support.

  12. For Auto accept shared attachments, select this option to automatically accept cross-account attachments.

  13. (Optional) For Transit gateway CIDR blocks, specify one or more IPv4 or IPv6 CIDR blocks for your transit gateway.

    You can specify a size /24 CIDR block or larger (for example, /23 or /22) for IPv4, or a size /64 CIDR block or larger (for example, /63 or /62) for IPv6. You can associate any public or private IP address range, except for addresses in the 169.254.0.0/16 range, and ranges that overlap with the addresses for your VPC attachments and on-premises networks.

  14. Choose Create transit gateway.

To create a transit gateway using the AWS CLI

Use the create-transit-gateway command.
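The following is an added example, not AWS code or a wrapper the service provides: a Python pre-flight check for the values the create procedure asks for (the Amazon side ASN ranges, the minimum transit gateway CIDR sizes, the excluded 169.254.0.0/16 range, and overlap with your VPC attachment and on-premises ranges), which then assembles the create-transit-gateway argument list rather than running it. The name, CIDRs and reserved ranges are constructed placeholders; the option keys are those the CLI's --options parameter accepts.

```python
"""Added example (not AWS code): validate create-transit-gateway inputs
against the documented ASN and CIDR rules, then build the CLI command.
Names, CIDRs and reserved ranges below are constructed placeholders."""
import json
import shlex
from ipaddress import ip_network

# Amazon side ASN ranges stated in the create procedure.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
LINK_LOCAL = ip_network("169.254.0.0/16")
MAX_PREFIX = {4: 24, 6: 64}  # /24 or larger for IPv4, /64 or larger for IPv6


def asn_error(asn):
    """Return None if asn is in a private 16- or 32-bit range, else a message."""
    if any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
        return None
    return f"ASN {asn} is outside 64512-65534 and 4200000000-4294967294"


def cidr_error(cidr, reserved):
    """Return None if cidr is a valid transit gateway CIDR block, else a message.

    reserved: CIDRs of VPC attachments and on-premises networks that the
    transit gateway CIDR block must not overlap.
    """
    try:
        net = ip_network(cidr)  # strict: rejects host bits set in the prefix
    except ValueError as exc:
        return f"{cidr}: {exc}"
    if net.prefixlen > MAX_PREFIX[net.version]:
        return f"{cidr}: prefix must be /{MAX_PREFIX[net.version]} or larger"
    if net.version == 4 and net.overlaps(LINK_LOCAL):
        return f"{cidr}: overlaps the excluded 169.254.0.0/16 range"
    for other in map(ip_network, reserved):
        if other.version == net.version and net.overlaps(other):
            return f"{cidr}: overlaps attached or on-premises range {other}"
    return None


def create_options(asn, tgw_cidrs, reserved, auto_accept=False,
                   vpn_ecmp=True, multicast=False):
    """Validated dict for --options; raises ValueError listing every problem."""
    problems = [e for e in [asn_error(asn)] + [cidr_error(c, reserved) for c in tgw_cidrs] if e]
    if problems:
        raise ValueError("; ".join(problems))
    options = {
        "AmazonSideAsn": asn,
        "DnsSupport": "enable",
        "VpnEcmpSupport": "enable" if vpn_ecmp else "disable",
        "DefaultRouteTableAssociation": "enable",
        "DefaultRouteTablePropagation": "enable",
        "MulticastSupport": "enable" if multicast else "disable",
        # Default to manual acceptance of cross-account attachments.
        "AutoAcceptSharedAttachments": "enable" if auto_accept else "disable",
    }
    if tgw_cidrs:
        options["TransitGatewayCidrBlocks"] = [str(ip_network(c)) for c in tgw_cidrs]
    return options


def build_create_command(name, asn, tgw_cidrs, reserved, **kwargs):
    """argv for `aws ec2 create-transit-gateway`; returned, not executed."""
    tags = [{"ResourceType": "transit-gateway",
             "Tags": [{"Key": "Name", "Value": name}]}]
    return ["aws", "ec2", "create-transit-gateway",
            "--description", f"Transit gateway {name}",
            "--options", json.dumps(create_options(asn, tgw_cidrs, reserved, **kwargs)),
            "--tag-specifications", json.dumps(tags)]


if __name__ == "__main__":
    # Constructed inputs: attached VPC and on-premises ranges that must not overlap.
    argv = build_create_command("tgw-example", 64512, ["100.64.0.0/24"],
                                ["10.0.0.0/16", "192.168.0.0/16"])
    print(shlex.join(argv))
```

Running the block prints a shell-quoted command you can review before pasting it into a terminal; a bad ASN or CIDR raises with every violation listed instead of producing a command.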

View your transit gateways

To view your transit gateways using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateways. The details for the transit gateway are displayed below the list of gateways on the page.

To view your transit gateways using the AWS CLI

Use the describe-transit-gateways command.

Add or edit tags for a transit gateway

Add tags to your resources to help organize and identify them, such as by purpose, owner, or environment. You can add multiple tags to each transit gateway. Tag keys must be unique for each transit gateway. If you add a tag with a key that is already associated with the transit gateway, it updates the value of that tag. For more information, see Tagging your Amazon EC2 Resources.

Add tags to a transit gateway using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateways.

  3. Choose the transit gateway for which to add or edit tags.

  4. Choose the Tags tab in the lower part of the page.

  5. Choose Manage tags.

  6. Choose Add new tag.

  7. Enter a Key and Value for the tag.

  8. Choose Save.

Modify a transit gateway

You can modify the configuration options for your transit gateway. When you modify a transit gateway, the modified options are applied to new transit gateway attachments only. Your existing transit gateway attachments are not modified and do not see any service interruption.

You cannot modify a transit gateway that has been shared with you.

You cannot remove a CIDR block for the transit gateway if any of the IP addresses are currently used for a Connect peer.

To modify a transit gateway
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateways.

  3. Choose the transit gateway to modify.

  4. Choose Actions, Modify transit gateway.

  5. Modify the options as needed, and choose Modify transit gateway.

To modify your transit gateway using the AWS CLI

Use the modify-transit-gateway command.

Share a transit gateway

You can use AWS RAM to share a transit gateway across accounts or across your organization in AWS Organizations. Use the following procedure to share a transit gateway that you own.

You must enable resource sharing from the management account for your organization. For information about enabling resource sharing, see Enable Sharing with AWS Organizations in the AWS RAM User Guide.

To share a transit gateway
  1. Open the AWS RAM console at https://console.aws.amazon.com/ram/.

  2. Choose Create a resource share.

  3. Under Name, type a descriptive name for the resource share.

  4. For Select resource type, choose Transit Gateways. Select the transit gateway.

  5. (Optional) For Principals, add principals to the resource share. For each AWS account, OU, or organization, specify its ID and choose Add.

    For Allow external accounts, choose whether to allow sharing for this resource with AWS accounts that are external to your organization.

  6. (Optional) Under Tags, type a tag key and tag value pair for each tag. These tags are applied to the resource share but not to the transit gateway.

  7. Choose Create resource share.

Accept a resource share

If you were added to a resource share, you receive an invitation to join the resource share. You must accept the resource share before you can access the shared resources.

To accept a resource share
  1. Open the AWS RAM console at https://console.aws.amazon.com/ram/.

  2. On the navigation pane, choose Shared with me, Resource shares.

  3. Select the resource share.

  4. Choose Accept resource share.

  5. To view the shared transit gateway, open the Transit Gateways page in the Amazon VPC console.

Accept a shared attachment

If you didn't enable the Auto accept shared attachments functionality when you created your transit gateway, you must manually accept cross-account (shared) attachments.

To manually accept a shared attachment
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway attachment that's pending acceptance.

  4. Choose Actions, Accept transit gateway attachment.

To accept a shared attachment using the AWS CLI

Use the accept-transit-gateway-vpc-attachment command.
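The following is an added example, not AWS code: a Python audit over the JSON that describe-transit-gateways and describe-transit-gateway-attachments return. It flags gateways that auto-accept shared attachments, cross-account attachments whose owning account is not on an allow list, and pending attachments from allowed accounts, and builds the accept-transit-gateway-vpc-attachment command for the latter. The two JSON documents, the account numbers and all resource IDs are constructed samples; the field names follow the shape of the two describe commands' output.

```python
"""Added example (not AWS code): audit transit gateway sharing posture from
the describe-transit-gateways / describe-transit-gateway-attachments output.
Account numbers and resource IDs are constructed placeholders."""
import json

# Constructed sample in the shape of describe-transit-gateways output.
SAMPLE_TGWS = json.dumps({"TransitGateways": [
    {"TransitGatewayId": "tgw-0example0000000001", "OwnerId": "111111111111",
     "State": "available",
     "Options": {"AmazonSideAsn": 64512, "AutoAcceptSharedAttachments": "enable",
                 "DefaultRouteTableAssociation": "enable",
                 "DefaultRouteTablePropagation": "enable"}},
    {"TransitGatewayId": "tgw-0example0000000002", "OwnerId": "111111111111",
     "State": "available",
     "Options": {"AmazonSideAsn": 64513, "AutoAcceptSharedAttachments": "disable",
                 "DefaultRouteTableAssociation": "enable",
                 "DefaultRouteTablePropagation": "disable"}},
]})

# Constructed sample in the shape of describe-transit-gateway-attachments output.
SAMPLE_ATTACHMENTS = json.dumps({"TransitGatewayAttachments": [
    {"TransitGatewayAttachmentId": "tgw-attach-0example00000001",
     "TransitGatewayId": "tgw-0example0000000001",
     "TransitGatewayOwnerId": "111111111111", "ResourceOwnerId": "222222222222",
     "ResourceType": "vpc", "ResourceId": "vpc-0example00000000aa",
     "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-0example00000002",
     "TransitGatewayId": "tgw-0example0000000002",
     "TransitGatewayOwnerId": "111111111111", "ResourceOwnerId": "333333333333",
     "ResourceType": "vpc", "ResourceId": "vpc-0example00000000bb",
     "State": "pendingAcceptance"},
    {"TransitGatewayAttachmentId": "tgw-attach-0example00000003",
     "TransitGatewayId": "tgw-0example0000000002",
     "TransitGatewayOwnerId": "111111111111", "ResourceOwnerId": "111111111111",
     "ResourceType": "vpn", "ResourceId": "vpn-0example00000000cc",
     "State": "available"},
]})


def audit(tgw_json, attachment_json, trusted_accounts):
    """Return (resource id, finding code) pairs for a human or ticketing system."""
    findings = []
    for tgw in json.loads(tgw_json)["TransitGateways"]:
        # Auto-accept lets any account the gateway is shared with attach without review.
        if tgw["Options"].get("AutoAcceptSharedAttachments") == "enable":
            findings.append((tgw["TransitGatewayId"], "auto-accept-enabled"))
    for att in json.loads(attachment_json)["TransitGatewayAttachments"]:
        owner = att["ResourceOwnerId"]
        if owner == att["TransitGatewayOwnerId"]:
            continue  # same-account attachment; not a sharing question
        if owner not in trusted_accounts:
            findings.append((att["TransitGatewayAttachmentId"],
                             "untrusted-cross-account-attachment"))
        elif att["State"] == "pendingAcceptance":
            findings.append((att["TransitGatewayAttachmentId"],
                             "pending-acceptance-trusted"))
    return findings


def accept_command(attachment_id):
    """argv for the CLI accept step; returned for review, not executed."""
    return ["aws", "ec2", "accept-transit-gateway-vpc-attachment",
            "--transit-gateway-attachment-id", attachment_id]


if __name__ == "__main__":
    for resource, code in audit(SAMPLE_TGWS, SAMPLE_ATTACHMENTS, {"222222222222"}):
        print(f"{resource}: {code}")
```

In the sample, account 333333333333 is not on the allow list, so its pending attachment is reported as untrusted rather than queued for acceptance; put it on the list and the same attachment is reported as pending-acceptance-trusted instead, ready for accept_command.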

Delete a transit gateway

You can't delete a transit gateway with existing attachments. You need to delete all attachments before you can delete a transit gateway.

To delete a transit gateway using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Choose the transit gateway to delete.

  3. Choose Actions, Delete transit gateway. Enter delete and choose Delete to confirm the deletion.

To delete a transit gateway using the AWS CLI

Use the delete-transit-gateway command.