SYSTEM Cited by 2 sources

AWS Transit Gateway

What it is

AWS Transit Gateway is AWS's regional network transit hub — a hub-and-spoke router that interconnects multiple VPCs, VPN connections, and Direct Connect gateways within an AWS Region.

Partition scope

A central cross-partition architectural fact: "AWS Transit Gateway inter-region peering cannot function across partitions" (Source: sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty). Each partition's Transit Gateway is independent.

Consequence: cross-partition networking has to use one of the three named mechanisms (internet-TLS, IPsec VPN, Direct Connect) — not TGW peering.

Role in sovereign-failover topology

"Networking requires isolated Transit Gateways, separate Amazon Route 53 DNS zones, and secure cross-partition communication using AWS PrivateLink."

Hub for centralised Network-Firewall inspection

The second major TGW shape on the wiki — beyond cross-region / cross-partition hub — is centralised network inspection for many VPCs + on-prem behind a single AWS Network Firewall. Canonical wiki reference: the 2025-11-26 Amazon EVS post.

Mechanism: native TGW ↔ Network Firewall integration (GA July 2025) creates a firewall TGW attachment of resource-type Network Function with Appliance Mode automatically enabled. Traffic is forced through the firewall by the pre-inspection / post-inspection two-RT split:

  • Pre-inspection RT — all VPC + DXGW attachments associated; 0.0.0.0/0 → firewall attachment.
  • Post-inspection RT — only the firewall attachment associated; per-destination static routes back to each spoke.

With Default route-table association and Default route-table propagation explicitly deselected on the TGW, new attachments can't accidentally bypass the inspection path.

This shape inspects east-west (VPC↔VPC, VM↔VPC), north-south (VPC↔on-prem via DXGW, VPC↔internet via dedicated egress VPC), and on-prem↔internet through a single firewall with one policy.
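
A drift check for the two-RT split described above, as an added example that is not from the cited AWS posts. It audits a constructed, simplified snapshot of one TGW; the dict keys, attachment IDs, route-table IDs and CIDRs are assumptions for illustration, not the exact AWS API response shape.

```python
import copy

def audit_inspection(tgw):
    """Return a list of findings; an empty list means no bypass path was found."""
    findings = []
    fw, pre, post = tgw["firewall_attachment"], tgw["pre_rt"], tgw["post_rt"]
    # With default association/propagation on, a new attachment lands in a
    # default route table that may not send traffic to the firewall.
    for opt in ("default_association", "default_propagation"):
        if tgw["options"][opt] != "disable":
            findings.append(f"{opt} is enabled on the TGW")
    spokes = [a for a in tgw["attachments"] if a != fw]
    # Every VPC / DXGW attachment must be associated with the pre-inspection RT.
    for att in spokes:
        rt = tgw["attachments"][att]
        if rt != pre:
            findings.append(f"{att} is associated with {rt}, not the pre-inspection RT")
    if tgw["attachments"][fw] != post:
        findings.append("firewall attachment is not associated with the post-inspection RT")
    # The pre-inspection RT may only point at the firewall: a more-specific
    # route to a spoke wins over 0.0.0.0/0 and skips inspection.
    if tgw["routes"][pre].get("0.0.0.0/0") != fw:
        findings.append("pre-inspection RT has no 0.0.0.0/0 route to the firewall")
    for cidr, target in tgw["routes"][pre].items():
        if target != fw:
            findings.append(f"pre-inspection RT route {cidr} -> {target} bypasses the firewall")
    # The post-inspection RT needs a static return route to each spoke.
    returned = set(tgw["routes"][post].values())
    for att in spokes:
        if att not in returned:
            findings.append(f"post-inspection RT has no return route to {att}")
    return findings

# Constructed sample: a compliant topology (attachment ID -> associated RT).
GOOD = {
    "options": {"default_association": "disable", "default_propagation": "disable"},
    "firewall_attachment": "tgw-attach-fw", "pre_rt": "tgw-rtb-pre", "post_rt": "tgw-rtb-post",
    "attachments": {"tgw-attach-fw": "tgw-rtb-post", "tgw-attach-vpc1": "tgw-rtb-pre",
                    "tgw-attach-dxgw": "tgw-rtb-pre"},
    "routes": {
        "tgw-rtb-pre": {"0.0.0.0/0": "tgw-attach-fw"},
        "tgw-rtb-post": {"10.1.0.0/16": "tgw-attach-vpc1", "192.168.0.0/16": "tgw-attach-dxgw"},
    },
}
# Constructed drift: default association re-enabled, a new VPC attached to a
# default RT, and a direct spoke route added to the pre-inspection RT.
BAD = copy.deepcopy(GOOD)
BAD["options"]["default_association"] = "enable"
BAD["attachments"]["tgw-attach-vpc2"] = "tgw-rtb-default"
BAD["routes"]["tgw-rtb-pre"]["10.1.0.0/16"] = "tgw-attach-vpc1"
```

Calling audit_inspection(BAD) reports four findings; in practice the snapshot would be filled from the TGW's real options, associations and routes.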

Stub page
