Transit gateways - Amazon Virtual Private Cloud

Transit gateways

A transit gateway enables you to attach VPCs and VPN connections in the same Region and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS Resource Access Manager to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.

You can enable multicast on a transit gateway, and then create a transit gateway multicast domain that allows multicast traffic to be sent from your multicast source to multicast group members over VPC attachments that you associate with the domain.

You can also create a peering connection attachment between transit gateways in different AWS Regions. This enables you to route traffic between the transit gateways' attachments across different Regions.

Each VPC or VPN attachment is associated with a single route table. That route table decides the next hop for the traffic coming from that resource attachment. A route table inside the transit gateway allows for both IPv4 or IPv6 CIDRs and targets. The targets are VPCs and VPN connections. When you attach a VPC or create a VPN connection on a transit gateway, the attachment is associated with the default route table of the transit gateway.

You can create additional route tables inside the transit gateway, and change the VPC or VPN association to these route tables. This enables you to segment your network. For example, you can associate development VPCs with one route table and production VPCs with a different route table. This enables you to create isolated networks inside a transit gateway similar to virtual routing and forwarding (VRFs) in traditional networks.

Transit gateways support dynamic and static routing between attached VPCs and VPN connections. You can enable or disable route propagation for each attachment. Transit gateway peering attachments support static routing only.

Create a transit gateway

When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table.

To create a transit gateway using the console

  1. Open the Amazon VPC console at

  2. On the navigation pane, choose Transit Gateways.

  3. Choose Create Transit Gateway.

  4. For Name tag, optionally enter a name for the transit gateway. A name tag can make it easier to identify a specific gateway from the list of gateways. When you add a Name tag, a tag is created with a key of Name and with a value equal to the value you enter.

  5. For Description, optionally enter a description for the transit gateway.

  6. For Amazon side ASN, either leave the default value to use the default Autonomous System Number (ASN), or enter the private ASN for your transit gateway. This should be the ASN for the AWS side of a Border Gateway Protocol (BGP) session.

    The range is 64512 to 65534 for 16-bit ASNs.

    The range is 4200000000 to 4294967294 for 32-bit ASNs.

    If you have a multi-region deployment, we recommend that you use a unique ASN for each of your transit gateways.

  7. For DNS support, choose enable if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway.

  8. For VPN ECMP support, choose enable if you need Equal Cost Multipath (ECMP) routing support between VPN tunnels. If connections advertise the same CIDRs, the traffic is distributed equally between them.

    When you select this option, the advertised BGP ASN, the BGP attributes such as the AS-path and the communities for preference must be the same.

  9. For Default route table association, choose enable to automatically associate transit gateway attachments with the default route table for the transit gateway.

  10. For Default route table propagation, choose enable to automatically propagate transit gateway attachments to the default route table for the transit gateway.

  11. (Optional) To use the transit gateway as a router for multicast traffic, select Multicast support.

  12. For Auto accept shared attachments, choose enable to automatically accept cross-account attachments.

  13. Choose Create Transit Gateway.

  14. After you see the message Create Transit Gateway request succeeded, choose Close.

To create a transit gateway using the AWS CLI

Use the create-transit-gateway command.

View your transit gateways

To view your transit gateways using the console

  1. Open the Amazon VPC console at

  2. On the navigation pane, choose Transit Gateways. The details for the transit gateway are displayed below the list of gateways on the page.

To view your transit gateways using the AWS CLI

Use the describe-transit-gateways command.

Add or edit tags for a transit gateway

Add tags to your resources to help organize and identify them, such as by purpose, owner, or environment. You can add multiple tags to each transit gateway. Tag keys must be unique for each transit gateway. If you add a tag with a key that is already associated with the transit gateway, it updates the value of that tag. For more information, see Tagging your Amazon EC2 Resources.

Add tags to a transit gateway using the console

  1. Open the Amazon VPC console at

  2. On the navigation pane, choose Transit Gateways.

  3. Choose the transit gateway for which to add or edit tags.

  4. Choose the Tags tab in the lower part of the page.

  5. Choose Add/Edit Tags.

  6. Choose Create Tag.

  7. Enter a Key and Value for the tag.

  8. Choose Save.

Share a transit gateway

You can use AWS Resource Access Manager (RAM) to share a transit gateway across accounts or across your organization in AWS Organizations. Use the following procedure to share a transit gateway that you own.

You must enable resource sharing from the master account for your organization. For information about enabling resource sharing, see Enable Sharing with AWS Organizations in the AWS RAM User Guide.

To share a transit gateway

  1. Open the AWS Resource Access Manager console at

  2. Choose Create a resource share.

  3. Under Description, for Name, type a descriptive name for the resource share.

  4. For Select resource type, choose Transit Gateways. Select the transit gateway.

  5. (Optional) For Principals, add principals to the resource share. For each AWS account, OU, or organization, specify its ID and choose Add.

    For Allow external accounts, choose whether to allow sharing for this resource with AWS accounts that are external to your organization.

  6. (Optional) Under Tags, type a tag key and tag value pair for each tag. These tags are applied to the resource share but not to the transit gateway.

  7. Choose Create resource share.

Accept a resource share

If you were added to a resource share, you receive an invitation to join the resource share. You must accept the resource share before you can access the shared resources.

To accept a resource share

  1. Open the AWS Resource Access Manager console at

  2. On the navigation pane, choose Shared with me, Resource shares.

  3. Select the resource share.

  4. Choose Accept resource share.

  5. To view the shared transit gateway, open the Transit Gateways page in the Amazon VPC console.

Accept a shared attachment

If you didn't enable the Auto accept shared attachments functionality when you created your transit gateway, you must manually accept cross-account (shared) attachments.

To manually accept a shared attachment

  1. Open the Amazon VPC console at

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway attachment that's pending acceptance.

  4. Choose Actions, Accept.

To accept a shared attachment using the AWS CLI

Use the accept-transit-gateway-vpc-attachment command.

Delete a transit gateway

You can't delete a transit gateway with existing attachments. You need to delete all attachments before you can delete a transit gateway.

To delete a transit gateway using the console

  1. Open the Amazon VPC console at

  2. Choose the transit gateway to delete.

  3. Choose Actions, Delete, then choose Delete to confirm the deltion.

To delete a transit gateway using the AWS CLI

Use the delete-transit-gateway command.