Transit gateway peering attachments - Amazon Virtual Private Cloud

Transit gateway peering attachments

You can peer two transit gateways and route traffic between them, which includes IPv4 and IPv6 traffic. To do this, create a peering attachment on your transit gateway, and specify a transit gateway in another AWS Region. The peer transit gateway can be in your account or a different AWS account.

After you create a peering attachment request, the owner of the peer transit gateway (also referred to as the accepter transit gateway) must accept the request. To route traffic between the transit gateways, add a static route to the transit gateway route table that points to the transit gateway peering attachment.

We recommend using unique ASNs for the peered transit gateways to take advantage of future route propagation capabilities.

Transit gateway cross-region peering does not support resolving public IPv4 DNS host names to private IPv4 addresses across VPCs on either side of the transit gateway peering attachment.

Transit gateway peering uses the same network infrastructure as VPC peering and is therefore encrypted. For more information about VPC encryption, see Encryption in transit in the Amazon VPC User Guide.

For information about which Regions support transit gateway peering attachments, see AWS Transit Gateways FAQs.

Create a peering attachment

Before you begin, ensure that you have the ID of the transit gateway that you want to attach. If the transit gateway is in another AWS account, ensure that you have the AWS account ID of the owner of the transit gateway.

After you create the peering attachment, the owner of the accepter transit gateway must accept the attachment request.

To create a peering attachment using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Choose Create Transit Gateway Attachment.

  4. For Transit Gateway ID, choose the transit gateway for the attachment. You can choose a transit gateway that you own or a transit gateway that was shared with you.

  5. For Attachment type, choose Peering Connection.

  6. Optionally enter a name tag for the attachment.

  7. For Account, do one of the following:

    • If the transit gateway is in your account, choose My account.

    • If the transit gateway is in a different AWS account, choose Other account. For Account ID, enter the AWS account ID.

  8. For Region, choose the Region that the transit gateway is located in.

  9. For Transit gateway ID (accepter), enter the ID of the transit gateway that you want to attach.

  10. Choose Create attachment.

To create a peering attachment using the AWS CLI

Use the create-transit-gateway-peering-attachment command.

Accept or reject a peering attachment request

To activate the peering attachment, the owner of the accepter transit gateway must accept the peering attachment request. This is required even if both transit gateways are in the same account. The peering attachment must be in the pendingAcceptance state. Accept the peering attachment request from the Region that the accepter transit gateway is located in.

Alternatively, you can reject any peering connection request that you've received that's in the pendingAcceptance state. You must reject the request from the Region that the accepter transit gateway is located in.

To accept a peering attachment request using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway peering attachment that's pending acceptance.

  4. Choose Actions, Accept.

  5. Add the static route to the transit gateway route table. For more information, see Create a static route.

To reject a peering attachment request using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway peering attachment that's pending acceptance.

  4. Choose Actions, Reject.

To accept or reject a peering attachment using the AWS CLI

Use the accept-transit-gateway-peering-attachment and reject-transit-gateway-peering-attachment commands.

Add a route to the transit gateway route table

To route traffic between the peered transit gateways, you must add a static route to the transit gateway route table that points to the transit gateway peering attachment. The owner of the accepter transit gateway must also add a static route to their transit gateway's route table.

To create a static route using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Route Tables.

  3. Select the route table for which to create a route.

  4. Choose Actions, Create route.

  5. On the Create route page, enter the CIDR block for which to create the route. For example, specify the CIDR block of a VPC that's attached to the peer transit gateway.

  6. Choose the peering attachment for the route.

  7. Choose Create route.

To create a static route using the AWS CLI

Use the create-transit-gateway-route command.

After you create the route, associate the transit gateway route table with the transit gateway peering attachment. For more information, see Associate a transit gateway route table.
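The three CLI procedures above (create the request, accept it from the accepter's Region, add the static routes and associate the route tables) as one script. This is an added example, not code from the AWS documentation; it assumes AWS CLI v2 with a named profile per account, and every ID, CIDR, Region and profile name read from the environment is a placeholder you supply. It also checks that the request is still pendingAcceptance before accepting and waits for the attachment to become available before adding routes, since create-transit-gateway-route fails on an attachment that is not yet available.

```shell
#!/bin/sh
# Added example (not from the AWS docs): peer two transit gateways with the AWS CLI.
# Requester side: TGW_A, RTB_A, CIDR_A, REGION_A, PROFILE_A. Accepter side: TGW_B, RTB_B,
# CIDR_B, REGION_B, PROFILE_B, ACCOUNT_B. All are placeholders supplied by the caller.
set -eu
AWS="${AWS:-aws}"      # command used for every call; may point at a wrapper or a stub
peering_state() {      # $1 attachment id, $2 region, $3 profile -> prints the State field
    "$AWS" ec2 describe-transit-gateway-peering-attachments \
        --transit-gateway-attachment-ids "$1" --region "$2" --profile "$3" \
        --query 'TransitGatewayPeeringAttachments[0].State' --output text
}
accept_if_pending() {  # $1 attachment id, $2 accepter region, $3 accepter profile
    state=$(peering_state "$1" "$2" "$3")
    case "$state" in    # accept only while pendingAcceptance, never a stale or unknown request
        pendingAcceptance)
            "$AWS" ec2 accept-transit-gateway-peering-attachment \
                --transit-gateway-attachment-id "$1" --region "$2" --profile "$3" >/dev/null
            echo accepted ;;
        available) echo already-available ;;
        *) echo "refusing to act on '$1' in state '$state'" >&2; return 1 ;;
    esac
}
wait_available() {     # $1 attachment id, $2 region, $3 profile, $4 max polls (10 s apart)
    n=0
    while [ "$(peering_state "$1" "$2" "$3")" != available ]; do
        n=$((n + 1)); [ "$n" -lt "$4" ] || { echo "timed out waiting for $1" >&2; return 1; }
        sleep 10
    done
}
add_peer_route() {     # $1 route table id, $2 attachment id, $3 peer CIDR, $4 region, $5 profile
    "$AWS" ec2 create-transit-gateway-route --destination-cidr-block "$3" \
        --transit-gateway-route-table-id "$1" --transit-gateway-attachment-id "$2" \
        --region "$4" --profile "$5" >/dev/null
    "$AWS" ec2 associate-transit-gateway-route-table \
        --transit-gateway-route-table-id "$1" --transit-gateway-attachment-id "$2" \
        --region "$4" --profile "$5" >/dev/null
}
if [ -n "${TGW_A:-}" ]; then   # run the workflow only when the requester TGW is configured
    ATTACH=$("$AWS" ec2 create-transit-gateway-peering-attachment --transit-gateway-id "$TGW_A" \
        --peer-transit-gateway-id "$TGW_B" --peer-account-id "$ACCOUNT_B" --peer-region "$REGION_B" \
        --region "$REGION_A" --profile "$PROFILE_A" \
        --query 'TransitGatewayPeeringAttachment.TransitGatewayAttachmentId' --output text)
    accept_if_pending "$ATTACH" "$REGION_B" "$PROFILE_B"   # must run from the accepter's Region
    wait_available "$ATTACH" "$REGION_A" "$PROFILE_A" 30
    add_peer_route "$RTB_A" "$ATTACH" "$CIDR_B" "$REGION_A" "$PROFILE_A"   # requester -> peer VPC CIDR
    add_peer_route "$RTB_B" "$ATTACH" "$CIDR_A" "$REGION_B" "$PROFILE_B"   # accepter -> requester CIDR
fi
```

The association call fails if the route table is already associated with the attachment (for example through default route table association), so drop that line when your transit gateway is configured that way.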

View your transit gateway peering connection attachments

You can view your transit gateway peering attachments and information about them.

To view your peering attachments using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Choose the search bar, select Resource type from the menu, and then select peering.

  4. The peering attachments are displayed. Choose an attachment to view its details.

To view your transit gateway peering attachments using the AWS CLI

Use the describe-transit-gateway-peering-attachments command.

Delete a peering attachment

You can delete a transit gateway peering attachment. The owner of either of the transit gateways can delete the attachment.

To delete a peering attachment using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway peering attachment.

  4. Choose Actions, Delete.

  5. When prompted for confirmation, choose Delete.

To delete a peering attachment using the AWS CLI

Use the delete-transit-gateway-peering-attachment command.