SYSTEM Cited by 2 sources
AWS Transit Gateway¶
What it is¶
AWS Transit Gateway is AWS's regional network transit hub — a hub-and-spoke router that interconnects multiple VPCs, VPN connections, and Direct Connect gateways within an AWS Region.
Partition scope¶
A central cross-partition architectural fact: "AWS Transit Gateway inter-region peering cannot function across partitions" (Source: sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty). Each partition's Transit Gateway is independent.
Consequence: cross-partition networking has to use one of the three named mechanisms (internet-TLS, IPsec VPN, Direct Connect) — not TGW peering.
Role in sovereign-failover topology¶
"Networking requires isolated Transit Gateways, separate Amazon Route 53 DNS zones, and secure cross-partition communication using AWS PrivateLink."
Hub for centralised Network-Firewall inspection¶
The second major TGW shape on the wiki — beyond cross-region / cross-partition hub — is centralised network inspection for many VPCs + on-prem behind a single AWS Network Firewall. Canonical wiki reference: the 2025-11-26 Amazon EVS post.
Mechanism: native TGW ↔ Network Firewall integration (GA July 2025) creates a firewall TGW attachment of resource-type Network Function with Appliance Mode automatically enabled. Traffic is forced through the firewall by the [[patterns/pre-inspection-post-inspection-route-tables|pre-inspection / post-inspection two-RT split]]:
- Pre-inspection RT — all VPC + DXGW attachments associated; 0.0.0.0/0 → firewall attachment.
- Post-inspection RT — only the firewall attachment associated; per-destination static routes back to each spoke.
With Default route-table association and Default route-table propagation explicitly deselected on the TGW, new attachments can't accidentally bypass the inspection path.
This shape inspects east-west (VPC↔VPC, VM↔VPC), north-south (VPC↔on-prem via DXGW, VPC↔internet via dedicated egress VPC), and on-prem↔internet through a single firewall with one policy.
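An added offline audit of the two-RT split (example code, not from the EVS post or any AWS tooling): it checks, against a constructed snapshot, the invariants that force every flow through the firewall attachment, namely default association/propagation off, appliance mode on the firewall attachment, a single 0.0.0.0/0 route in the pre-inspection RT, and only the firewall associated with the post-inspection RT with static return routes to each spoke. Field names loosely follow the EC2 Transit Gateway API, but every ID, CIDR and the "network-function" resource-type label is a made-up assumption; it also flags propagated routes in the pre-inspection table as a bypass, which generalises the page's "propagation deselected" rule into a check.

```python
"""Offline audit of the Transit Gateway pre-/post-inspection route-table split.

Added example, not from the page's sources. The snapshot below is constructed:
IDs, CIDRs and the resource-type label are assumptions, not real account data.
"""
import copy

FIREWALL = "tgw-attach-fw00000"  # constructed ID of the Network Function attachment

# Constructed TGW options (real option names, made-up state).
TGW_OPTIONS = {"DefaultRouteTableAssociation": "disable",
               "DefaultRouteTablePropagation": "disable"}

# Constructed attachments: one firewall, four spokes (EVS/Workload/Egress VPCs + DXGW).
ATTACHMENTS = {
    FIREWALL:              {"ResourceType": "network-function", "ApplianceModeSupport": "enable"},
    "tgw-attach-evs":      {"ResourceType": "vpc", "Cidr": "10.10.0.0/16"},
    "tgw-attach-workload": {"ResourceType": "vpc", "Cidr": "10.20.0.0/16"},
    "tgw-attach-egress":   {"ResourceType": "vpc", "Cidr": "10.30.0.0/16"},
    "tgw-attach-dxgw":     {"ResourceType": "direct-connect-gateway", "Cidr": "192.168.0.0/16"},
}

# Constructed route tables implementing the two-RT split.
ROUTE_TABLES = {
    "pre":  {"Associations": [a for a in ATTACHMENTS if a != FIREWALL],
             "Routes": [{"Cidr": "0.0.0.0/0", "Attachment": FIREWALL, "Type": "static"}]},
    "post": {"Associations": [FIREWALL],
             "Routes": [{"Cidr": v["Cidr"], "Attachment": a, "Type": "static"}
                        for a, v in ATTACHMENTS.items() if a != FIREWALL]},
}


def audit(tgw_options, attachments, route_tables, firewall, pre="pre", post="post"):
    """Return a list of findings; an empty list means the split is intact."""
    findings = []
    pre_rt, post_rt = route_tables[pre], route_tables[post]
    spokes = {a for a in attachments if a != firewall}

    # 1. No implicit association/propagation: a new attachment must land nowhere by default.
    for opt in ("DefaultRouteTableAssociation", "DefaultRouteTablePropagation"):
        if tgw_options.get(opt) != "disable":
            findings.append(f"tgw: {opt} is not disabled; new attachments may bypass inspection")

    # 2. Appliance mode keeps both directions of a flow on the same firewall endpoint.
    if attachments[firewall].get("ApplianceModeSupport") != "enable":
        findings.append(f"{firewall}: appliance mode not enabled on firewall attachment")

    # 3. Pre-inspection RT: every spoke associated, firewall not; the only routes lead to the firewall.
    pre_assoc = set(pre_rt["Associations"])
    for missing in sorted(spokes - pre_assoc):
        findings.append(f"{pre}: spoke {missing} not associated; its traffic is unrouted")
    if firewall in pre_assoc:
        findings.append(f"{pre}: firewall attachment associated with pre-inspection table")
    default = [r for r in pre_rt["Routes"] if r["Cidr"] == "0.0.0.0/0"]
    if not default or default[0]["Attachment"] != firewall:
        findings.append(f"{pre}: 0.0.0.0/0 does not point at {firewall}")
    for r in pre_rt["Routes"]:
        if r["Attachment"] != firewall:
            findings.append(f"{pre}: route {r['Cidr']} -> {r['Attachment']} bypasses the firewall")
        if r["Type"] != "static":
            findings.append(f"{pre}: propagated route {r['Cidr']} present; disable propagation")

    # 4. Post-inspection RT: only the firewall associated; a static route back to each spoke.
    post_assoc = set(post_rt["Associations"])
    if post_assoc != {firewall}:
        findings.append(f"{post}: associations {sorted(post_assoc)} must be exactly [{firewall}]")
    routed = {r["Attachment"] for r in post_rt["Routes"] if r["Type"] == "static"}
    for missing in sorted(spokes - routed):
        findings.append(f"{post}: no static return route to spoke {missing}")
    if any(r["Attachment"] == firewall for r in post_rt["Routes"]):
        findings.append(f"{post}: route back to the firewall would loop inspected traffic")
    return findings


def broken_snapshot():
    """Constructed misconfiguration: default association re-enabled and a propagated
    spoke route leaked into the pre-inspection table (a more-specific bypass of 0/0)."""
    opts = dict(TGW_OPTIONS, DefaultRouteTableAssociation="enable")
    rts = copy.deepcopy(ROUTE_TABLES)
    rts["pre"]["Routes"].append({"Cidr": "10.20.0.0/16", "Attachment": "tgw-attach-workload",
                                 "Type": "propagated"})
    return opts, rts


if __name__ == "__main__":
    print("intact topology findings:", audit(TGW_OPTIONS, ATTACHMENTS, ROUTE_TABLES, FIREWALL))
    opts, rts = broken_snapshot()
    for finding in audit(opts, ATTACHMENTS, rts, FIREWALL):
        print("finding:", finding)
```

The bypass check matters more than the 0.0.0.0/0 check: a more-specific spoke route (or any propagated route) in the pre-inspection table wins longest-prefix match and silently routes around the firewall, which is exactly what leaving propagation enabled produces. Feeding the audit real data would mean populating the same dicts from the EC2 API's route-table, association and attachment responses.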
Stub page¶
Seen in¶
- sources/2025-11-26-aws-secure-amazon-evs-with-aws-network-firewall — canonical wiki reference for the centralised Network-Firewall inspection shape: native TGW attachment of resource-type Network Function with auto-enabled Appliance Mode, two-RT split (pre/post-inspection), inspecting EVS + Workload + Ingress + Egress VPCs + Direct Connect Gateway through one firewall.
- sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty — Transit Gateway inter-region peering named as a primitive that does not function across partitions; isolated TGWs per partition prescribed in the sovereign-failover topology.
Related¶
- systems/aws-direct-connect, systems/aws-privatelink
- systems/aws-network-firewall — canonical inspection engine behind a TGW attachment.
- concepts/aws-partition
- concepts/centralized-network-inspection — the hub-and-spoke inspection architectural class.
- concepts/tgw-appliance-mode — attachment property auto-enabled by the native Network-Firewall integration.
- concepts/bump-in-the-wire-middlebox — the insertion mechanism behind the TGW inspection path.
- patterns/cross-partition-failover
- patterns/pre-inspection-post-inspection-route-tables — the TGW routing pattern for centralised inspection.