
Amazon Transit Gateway FAQs

General


A: You can segment your network by creating multiple route tables in an Amazon Transit Gateway and associating Amazon VPCs with them. This lets you create isolated networks inside an Amazon Transit Gateway, similar to virtual routing and forwarding (VRFs) in traditional networks. The Amazon Transit Gateway has a default route table; the use of multiple route tables is optional.

A: Amazon Transit Gateway supports dynamic and static routing between attached Amazon VPCs. By default, Amazon VPCs and Transit Gateway Connect attachments are associated with the default route table. You can create additional route tables and associate Amazon VPCs and Transit Gateway Connect attachments with them.

The routes decide the next hop depending on the destination IP address of the packet. Routes can point to an Amazon VPC or a Transit Gateway Connect.

A: There are two ways routes get propagated in the Amazon Transit Gateway:

  1. Routes propagated to/from a virtual router appliance: When you set up Transit Gateway Connect, routes propagate between the Amazon Transit Gateway and the virtual router appliance in the VPC using Border Gateway Protocol (BGP).
  2. Routes propagated in the Amazon Transit Gateway to/from Amazon VPCs: When you attach an Amazon VPC to an Amazon Transit Gateway or resize an attached Amazon VPC, the Amazon VPC Classless Inter-Domain Routing (CIDR) block propagates into the Amazon Transit Gateway route table using internal APIs (not BGP). CIDR is a method for allocating IP addresses and IP routing that slows the growth of routing tables on routers across the Internet and helps slow the exhaustion of IPv4 addresses. Routes in the Amazon Transit Gateway route table are not propagated to the Amazon VPC's route table; the Amazon VPC owner needs to create a static route to send traffic to the Amazon Transit Gateway.

Peering attachments between Transit Gateways do not support route propagation.

A: Amazon Transit Gateway doesn’t support routing between Amazon VPCs with overlapping CIDRs. If you attach a new Amazon VPC that has a CIDR which overlaps with an already attached Amazon VPC, Amazon Transit Gateway will not propagate the new Amazon VPC route into the Amazon Transit Gateway route table.
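The segmentation, propagation and overlap rules in the answers above, modelled as an added Python example. This is not code from the page or Amazon's implementation; the `TransitGateway`, `TgwRouteTable` and `VpcRouteTable` classes, the attachment IDs and the CIDR blocks are constructed for illustration. It shows why association and propagation are separate decisions, why a VPC in the "dev" table cannot reach "prod" even though both hang off the same gateway, why an overlapping CIDR is silently not propagated, and why traffic still goes nowhere until the VPC owner adds the static route on the VPC side.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def longest_prefix_match(routes: dict, dst_ip: str):
    """Pick the most specific matching prefix in routes (prefix -> target).
    Returns the target, or None when nothing matches (the packet is dropped)."""
    addr = ip_address(dst_ip)
    best_net, best_target = None, None
    for prefix, target in routes.items():
        net = ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_target = net, target
    return best_target


@dataclass
class TgwRouteTable:
    """One transit gateway route table: destination prefix -> next-hop attachment."""
    name: str
    routes: dict = field(default_factory=dict)

    def propagate(self, cidr: str, attachment_id: str) -> bool:
        """Propagate a VPC CIDR into this table. Returns False and adds nothing when
        the CIDR overlaps a prefix already present, as the FAQ says happens."""
        new = ip_network(cidr)
        if any(ip_network(p).overlaps(new) for p in self.routes):
            return False
        self.routes[cidr] = attachment_id
        return True


class TransitGateway:
    """Hypothetical in-memory model of the FAQ's routing behaviour (constructed)."""

    def __init__(self):
        self.route_tables = {"default": TgwRouteTable("default")}
        self.associations = {}  # attachment id -> name of the table its packets consult

    def create_route_table(self, name: str) -> TgwRouteTable:
        self.route_tables[name] = TgwRouteTable(name)
        return self.route_tables[name]

    def attach_vpc(self, attachment_id, cidr, associate="default", propagate_to=("default",)):
        """associate: which table this attachment's traffic is looked up in.
        propagate_to: which tables learn the VPC CIDR, i.e. who may reach it."""
        self.associations[attachment_id] = associate
        return {t: self.route_tables[t].propagate(cidr, attachment_id) for t in propagate_to}

    def next_hop(self, src_attachment: str, dst_ip: str):
        table = self.route_tables[self.associations[src_attachment]]
        return longest_prefix_match(table.routes, dst_ip)


class VpcRouteTable:
    """The VPC's own route table. Transit gateway routes are not propagated here;
    the VPC owner must add a static route toward the transit gateway."""

    def __init__(self, local_cidr: str):
        self.routes = {local_cidr: "local"}

    def add_static_route(self, cidr: str, target: str):
        self.routes[cidr] = target


def deliver(vpc_rt: VpcRouteTable, tgw: TransitGateway, src_attachment: str, dst_ip: str):
    """End-to-end path: VPC route table first, then the transit gateway table."""
    hop = longest_prefix_match(vpc_rt.routes, dst_ip)
    if hop != "tgw":
        return hop  # "local", or None when the VPC has no route at all
    return tgw.next_hop(src_attachment, dst_ip)


def build_segmented_tgw() -> TransitGateway:
    """Constructed topology: prod and dev segments isolated by separate route tables."""
    tgw = TransitGateway()
    tgw.create_route_table("prod")
    tgw.create_route_table("dev")
    tgw.attach_vpc("tgw-attach-prod-a", "10.1.0.0/16", associate="prod", propagate_to=("prod",))
    tgw.attach_vpc("tgw-attach-prod-b", "10.2.0.0/16", associate="prod", propagate_to=("prod",))
    tgw.attach_vpc("tgw-attach-dev", "10.3.0.0/16", associate="dev", propagate_to=("dev",))
    return tgw


if __name__ == "__main__":
    tgw = build_segmented_tgw()
    print(tgw.next_hop("tgw-attach-prod-a", "10.2.5.5"))  # tgw-attach-prod-b
    print(tgw.next_hop("tgw-attach-prod-a", "10.3.0.9"))  # None: dev is unreachable from prod
    # A second VPC with the same CIDR: the dev table refuses the propagation
    print(tgw.attach_vpc("tgw-attach-dev-2", "10.3.0.0/16", associate="dev", propagate_to=("dev",)))
    # VPC side: without a static route nothing reaches the gateway at all
    prod_a = VpcRouteTable("10.1.0.0/16")
    print(deliver(prod_a, tgw, "tgw-attach-prod-a", "10.2.5.5"))  # None
    prod_a.add_static_route("10.0.0.0/8", "tgw")
    print(deliver(prod_a, tgw, "tgw-attach-prod-a", "10.2.5.5"))  # tgw-attach-prod-b
```

The point a reviewer of a real design should carry away is the two-sided nature of reachability: a prefix is reachable only if the sender's associated table has learned it, and the sender's VPC route table also points that prefix at the gateway. Checking both tables (for example with `describe-transit-gateway-route-tables` and the VPC route tables) is how you verify that "dev" really cannot reach "prod".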

A: Amazon Transit Gateway Connect is a feature of Amazon Transit Gateway. It simplifies the branch connectivity through native integration of SD-WAN (Software-Defined Wide Area Network) network virtual appliances into Amazon Transit Gateway. Amazon Transit Gateway Connect provides a new logical attachment type called Connect attachment that utilizes the Amazon VPC attachments as the underlay network transport. It supports standard protocols such as Generic Routing Encapsulation (GRE) and Border Gateway Protocol (BGP) over the Connect attachment.

A: Any third-party network appliance that supports standard protocols such as GRE and BGP will work with Amazon Transit Gateway Connect.

A: Yes, you can create a Connect attachment on an existing Amazon Transit Gateway.

A: No, Amazon Transit Gateway Connect does not support static routes. BGP is a minimum requirement.

A: Yes, the BGP sessions are established over the GRE tunnel.

A: Yes, as with any other Transit Gateway attachment, you can associate a route table with the Connect attachment. This route table can be the same as or different from the route table associated with the VPC attachment that serves as the underlying transport.

Performance and limits


A: The table below lists the different service limits:

| Limit | Default |
| --- | --- |
| Number of Amazon Transit Gateway attachments | 5,000 |
| Maximum bandwidth (burst) per VPC connection | 50 Gbps |
| Number of Amazon Transit Gateways per account | 5 |
| Number of Amazon Transit Gateway attachments per VPC | 5 |
| Number of routes | 10,000 |
| Number of Transit Gateway Connect peers (GRE tunnels) per Transit Gateway Connect attachment | 4 |
| Maximum (burst) bandwidth per Transit Gateway Connect peer (GRE tunnel)* | 5 Gbps (up to 20 Gbps in total per Connect attachment) |
| Dynamic routes advertised from a virtual router appliance to a Transit Gateway Connect peer | 1,000 |
| Routes advertised from a Transit Gateway Connect peer to a virtual router appliance | 5,000 |

*Each Transit Gateway Connect peer (GRE tunnel) supports a maximum throughput of up to 5 Gbps. You can create up to 4 Connect peers per Connect attachment (up to 20 Gbps in total bandwidth per Connect attachment), as long as the underlying transport (VPC) attachment supports the required bandwidth. You can use equal-cost multi-path routing (ECMP) to get higher bandwidth by scaling horizontally across multiple Connect peers of the same Connect attachment or across multiple Connect attachments on the same transit gateway. The transit gateway cannot ECMP between the BGP peerings of the same Connect peer.

Feature interoperability


A: Yes, Amazon Transit Gateway supports attaching Amazon VPCs with IPv6 CIDRs.

A: Security Group Referencing on Amazon VPC is not supported at launch. Spoke Amazon VPCs cannot reference security groups in other spokes connected to the same Amazon Transit Gateway.

A: Yes, Amazon Transit Gateway Connect supports IPv6. You can configure both the GRE tunnel and the Border Gateway Protocol (BGP) addresses with IPv6 addresses.

A: Yes, you can configure the GRE tunnel and the BGP addresses in the same or different address families. For example, you can configure the GRE tunnel with an IPv4 address range and the BGP addresses with an IPv6 address range, or vice versa.

A: Yes, Amazon Transit Gateway supports IGMPv2 (Internet Group Management Protocol version 2) for multicast traffic.

A: Yes, you can have both IGMP and static members in the same multicast domain. IGMP-capable members can dynamically join or leave a multicast group by sending IGMPv2 messages. You can add or remove static members of a multicast group using the console, CLI or SDK.

A: Yes, you can use Amazon Resource Access Manager (RAM) to share a transit gateway multicast domain for VPC subnet associations across accounts or across your organization in Amazon Organizations.
