AWS-ANS-C01 & AWS CERTIFICATION | TGW Scenarios (Hub-and-Spoke, Shared Services) - AWS Certified Advanced Networking

2.2.2.3. TGW Scenarios (Hub-and-Spoke, Shared Services)

Transit Gateway (TGW) simplifies complex network architectures by enabling scalable patterns like Hub-and-Spoke and Shared Services, enhancing network isolation and centralized management.

Scenario: You need to design a network for a large enterprise that has 70 application VPCs across multiple accounts. All these VPCs need to access a central VPC hosting shared IT services (e.g., Active Directory), and application VPCs should not be able to communicate directly with each other.

AWS Transit Gateway (TGW) is designed to solve complex networking challenges in AWS. Its ability to enable transitive routing and act as a central hub makes it ideal for several common enterprise scenarios.

Key TGW Scenarios:

Hub-and-Spoke Network:
- Concept: A centralized hub (the Transit Gateway) connects to multiple spoke networks (VPCs, on-premises networks). All traffic between spoke networks must pass through the hub.
- Benefits: Simplifies routing (no complex VPC peering mesh), centralizes network management, and enhances security by allowing a central point for inspection.
- Use Cases: Connecting many application VPCs in different accounts or business units, enabling communication between them.
Shared Services VPC:
- Concept: A dedicated VPC hosts common, shared services (e.g., Active Directory, DNS servers, centralized logging, bastion hosts) that need to be accessed by multiple application VPCs.
- Benefits: Promotes resource sharing and efficiency, reduces duplication of services, centralizes management of common infrastructure.
- Implementation: Application VPCs connect to the Transit Gateway, and the shared services VPC also connects to the TGW. Routing is configured on the TGW to allow traffic from application VPCs to the shared services VPC.
VPC Connectivity to On-premises: Connecting Direct Connect or VPN connections to the TGW to allow all connected VPCs to access on-premises resources.

Practical Implementation: Hub-and-Spoke with TGW (Conceptual Routing)

Loading diagram...

⚠️ Common Pitfall: Misconfiguring TGW route tables, leading to unintended transitive routing between spoke VPCs that should be isolated, or preventing necessary communication with shared services.

Key Trade-Offs:

Centralized Management vs. Granular Control: TGW centralizes network management but requires careful design of route tables to achieve specific granular control over traffic flow between different segments.

Reflection Question: How does AWS Transit Gateway (TGW) fundamentally simplify complex network architectures by enabling scalable patterns like Hub-and-Spoke (for inter-VPC communication) and Shared Services (for accessing common resources), enhancing network isolation and centralized management for enterprises?