Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.2.1. TGW Attachments & Routing

Transit Gateway (TGW) attachments establish connections to various networks, while TGW routing directs traffic between them, defining the network's logical flow and enabling transitive communication.

Scenario: You have a central shared services VPC and multiple application VPCs connected to an AWS Transit Gateway (TGW). You need to ensure all application VPCs can reach the shared services VPC, but the application VPCs should not be able to communicate directly with each other.

Understanding how networks connect to a Transit Gateway (TGW) and how traffic is routed within it is crucial for building scalable and efficient hub-and-spoke architectures.

Key Concepts:
Practical Implementation: Configuring TGW Route Tables for Shared Services
# Assumes TGW_ID, SHARED_SERVICES_VPC_ATTACHMENT_ID, APP_VPC_ATTACHMENT_ID_1, APP_VPC_CIDR_1
# and SHARED_SERVICES_CIDR are already defined. Step 7 additionally assumes the VPC-level
# route table IDs APP_VPC_RT_ID_1 and SHARED_SERVICES_VPC_RT_ID are set.
set -euo pipefail

# 1. Create the TGW route table that the application VPC attachments will use (the "spoke" table).
#    Isolation comes from what this table does NOT contain: it only ever learns the shared
#    services CIDR, so an app VPC has no route to any other app VPC.
SHARED_RT_ID=$(aws ec2 create-transit-gateway-route-table \
  --transit-gateway-id "$TGW_ID" \
  --query TransitGatewayRouteTable.TransitGatewayRouteTableId --output text)
echo "Shared Services TGW Route Table ID: $SHARED_RT_ID"

# 2. Associate each application VPC attachment with this route table.
#    An attachment has exactly one association: if the TGW auto-associated it with the
#    default route table, run disassociate-transit-gateway-route-table on that table first.
aws ec2 associate-transit-gateway-route-table \
  --transit-gateway-route-table-id "$SHARED_RT_ID" \
  --transit-gateway-attachment-id "$APP_VPC_ATTACHMENT_ID_1"

# Repeat for all application VPC attachments

# 3. Propagate only the Shared Services VPC attachment into the spoke route table.
#    Do NOT enable propagation from the app VPC attachments here, or they regain routes to each other.
aws ec2 enable-transit-gateway-route-table-propagation \
  --transit-gateway-route-table-id "$SHARED_RT_ID" \
  --transit-gateway-attachment-id "$SHARED_SERVICES_VPC_ATTACHMENT_ID"

# 4. Create a second TGW route table for the Shared Services VPC attachment (the "hub" table).
#    It holds routes only to the app VPCs the shared services need to reach.
SHARED_SERVICES_OUTBOUND_RT_ID=$(aws ec2 create-transit-gateway-route-table \
  --transit-gateway-id "$TGW_ID" \
  --query TransitGatewayRouteTable.TransitGatewayRouteTableId --output text)
echo "Shared Services Outbound TGW Route Table ID: $SHARED_SERVICES_OUTBOUND_RT_ID"

# 5. Associate the Shared Services VPC attachment with its outbound (hub) TGW route table
aws ec2 associate-transit-gateway-route-table \
  --transit-gateway-route-table-id "$SHARED_SERVICES_OUTBOUND_RT_ID" \
  --transit-gateway-attachment-id "$SHARED_SERVICES_VPC_ATTACHMENT_ID"

# 6. Add a static route in the hub TGW route table for each App VPC CIDR, pointing at that
#    VPC's attachment. Without this return route, app-to-shared traffic is black-holed.
aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id "$SHARED_SERVICES_OUTBOUND_RT_ID" \
  --destination-cidr-block "$APP_VPC_CIDR_1" \
  --transit-gateway-attachment-id "$APP_VPC_ATTACHMENT_ID_1"

# Repeat for all application VPC CIDRs

# 7. Update the VPC route tables themselves: the TGW only forwards traffic the VPC first sends to it.
# App VPC: route the Shared Services CIDR to the TGW (APP_VPC_RT_ID_1 is the app VPC's route table)
aws ec2 create-route \
  --route-table-id "$APP_VPC_RT_ID_1" \
  --destination-cidr-block "$SHARED_SERVICES_CIDR" \
  --transit-gateway-id "$TGW_ID"

# Shared Services VPC: route each App VPC CIDR to the TGW (repeat per app VPC CIDR)
aws ec2 create-route \
  --route-table-id "$SHARED_SERVICES_VPC_RT_ID" \
  --destination-cidr-block "$APP_VPC_CIDR_1" \
  --transit-gateway-id "$TGW_ID"

# 8. Verify the spoke route table: it should list only the shared services CIDR.
#    Any app VPC CIDR appearing here means an association or propagation is wrong.
aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id "$SHARED_RT_ID" \
  --filters "Name=type,Values=static,propagated" \
  --query 'Routes[].[DestinationCidrBlock,Type,State]' --output table

⚠️ Common Pitfall: Incorrectly associating attachments with TGW route tables or misconfiguring route propagations. This can lead to traffic black-holes or unintended communication paths.
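The following Python model is added here as an illustration and is not part of the course material; it does not call AWS. It simulates how a TGW forwards traffic, by looking up the destination in the route table associated with the attachment the packet arrived on, and uses that to check the procedure above (app VPCs reach shared services but not each other), the single-table pitfall, and why a missing return route black-holes traffic. Attachment ids and CIDRs are constructed; the VPC-level route tables of step 7 are not modelled.

```python
import ipaddress

# Constructed attachment ids and VPC CIDRs (not from any real account).
ATTACHMENTS = {"tgw-attach-shared": "10.0.0.0/16",
               "tgw-attach-app1": "10.1.0.0/16",
               "tgw-attach-app2": "10.2.0.0/16"}

class Tgw:
    """Toy model of TGW forwarding: a packet is looked up in the route table
    associated with the attachment it arrived on; longest prefix wins."""
    def __init__(self):
        self.tables = {}       # table name -> {ip_network: next-hop attachment}
        self.association = {}  # attachment -> table name (exactly one per attachment)
    def associate(self, table, attachment):
        self.tables.setdefault(table, {})
        self.association[attachment] = table
    def propagate(self, table, attachment):
        # Propagation installs the attachment's own VPC CIDR into the table.
        self.static_route(table, ATTACHMENTS[attachment], attachment)
    def static_route(self, table, cidr, attachment):
        self.tables.setdefault(table, {})[ipaddress.ip_network(cidr)] = attachment
    def next_hop(self, src_attachment, dst_ip):
        table = self.tables.get(self.association.get(src_attachment), {})
        ip = ipaddress.ip_address(dst_ip)
        hits = [n for n in table if ip in n]
        return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def can_talk(tgw, src, dst):
    """Forward AND return lookups must resolve; a one-way route is a black hole."""
    src_ip = str(ipaddress.ip_network(ATTACHMENTS[src])[10])
    dst_ip = str(ipaddress.ip_network(ATTACHMENTS[dst])[10])
    return tgw.next_hop(src, dst_ip) == dst and tgw.next_hop(dst, src_ip) == src

def shared_services_design():
    """Steps 1-6 above: spoke table for app VPCs, hub table for shared services."""
    tgw = Tgw()
    for app in ("tgw-attach-app1", "tgw-attach-app2"):
        tgw.associate("spoke-rt", app)                     # step 2
        tgw.static_route("hub-rt", ATTACHMENTS[app], app)  # step 6
    tgw.propagate("spoke-rt", "tgw-attach-shared")         # step 3
    tgw.associate("hub-rt", "tgw-attach-shared")           # step 5
    return tgw

def single_table_pitfall():
    """The pitfall: every attachment associated with, and propagating into, one table."""
    tgw = Tgw()
    for att in ATTACHMENTS:
        tgw.associate("default-rt", att)
        tgw.propagate("default-rt", att)
    return tgw
```

With the intended design, `can_talk` is true between each app VPC and shared services and false between the two app VPCs; with the single shared table it becomes true between the app VPCs as well.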

Key Trade-Offs:
  • Centralized Control vs. Granular Isolation: Using multiple TGW route tables provides granular control over traffic flow between attachments but adds complexity to the TGW configuration.

Reflection Question: How do TGW attachments establish connections and how does defining custom TGW route tables (with appropriate associations and propagations) fundamentally control routing and enable transitive communication between your networks while isolating application VPCs from each other?