Q: In which AWS Regions is AWS Transit Gateway available?
A: AWS Transit Gateway is available in US East (Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US-East), AWS GovCloud (US-West), Canada (Central), South America (São Paulo), EU (Ireland), EU (London), EU (Frankfurt), EU (Paris), Asia Pacific (Hong Kong), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Seoul), and Asia Pacific (Sydney) AWS Regions with support for other regions coming soon.
Q: How do I control which Amazon VPCs can communicate with each other?
A: You can segment your network by creating multiple route tables in an AWS Transit Gateway and associate Amazon VPCs and VPNs to them. This will allow you to create isolated networks inside an AWS Transit Gateway similar to virtual routing and forwarding (VRFs) in traditional networks. The AWS Transit Gateway will have a default route table. The use of multiple route tables is optional.
Q: How does routing work in AWS Transit Gateway?
A: AWS Transit Gateway supports dynamic and static routing between attached Amazon VPCs and VPNs. By default, Amazon VPCs, VPNs, and Direct Connect gateways are associated with the default route table. You can create additional route tables and associate Amazon VPCs, Direct Connect gateways, and VPNs with them.
The routes decide the next hop depending on the destination IP address of the packet. Routes can point to an Amazon VPC or a VPN connection or a Direct Connect gateway.
Q: How do routes get propagated into the AWS Transit Gateway?
A: There are two ways in which routes get propagated into the AWS Transit Gateway:
- Routes propagated to/from on-premises networks: When you connect a VPN, routes will propagate between the AWS Transit Gateway and your on-premises router using Border Gateway Protocol (BGP).
- Routes propagated to/from Amazon VPCs: When you attach an Amazon VPC to an AWS Transit Gateway or resize an attached Amazon VPC, the Amazon VPC Classless Inter-Domain Routing (CIDR) block will propagate into the AWS Transit Gateway route table using internal APIs (not BGP). CIDR is a method for allocating IP addresses and IP routing that slows the growth of routing tables on routers across the Internet and helps slow the rapid exhaustion of IPv4 addresses. Routes in the AWS Transit Gateway route table will not be propagated to the Amazon VPC's route table. The Amazon VPC owner needs to create a static route to send traffic to the AWS Transit Gateway.
Q: Can I connect Amazon VPCs with overlapping CIDRs?
A: AWS Transit Gateway doesn’t support routing between Amazon VPCs with overlapping CIDRs. If you attach a new Amazon VPC that has a CIDR which overlaps with an already attached Amazon VPC, AWS Transit Gateway will not propagate the new Amazon VPC route into the AWS Transit Gateway route table.
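The segmentation, propagation and overlapping-CIDR behaviour described in the questions above, modelled as an added example. This is illustrative code, not AWS code: the class and method names, the attachment ids and the CIDR blocks are constructed assumptions. Each attachment is associated with exactly one route table (ingress traffic from that attachment is looked up in that table), VPC CIDRs are propagated into tables and rejected when they overlap an already propagated VPC CIDR, the owner adds static routes for the return path, and the next hop is chosen by the most specific matching prefix for the destination IP.

```python
"""Model of AWS Transit Gateway route-table semantics (added example, not AWS code).

Attachment ids ("tgw-attach-*") and CIDRs are constructed sample values; the
longest-prefix-match rule in next_hop() is an assumption, since the FAQ only
says the next hop depends on the destination IP address.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    attachment: str   # next hop: a VPC, VPN or Direct Connect gateway attachment
    origin: str       # "propagated" or "static"


class RouteTable:
    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: list[Route] = []

    def propagate(self, attachment: str, cidr: str) -> bool:
        """Learn a VPC CIDR from an attachment.  As the FAQ states, a CIDR that
        overlaps an already propagated VPC CIDR is not installed; returning
        False lets the caller alert instead of silently losing reachability."""
        net = ipaddress.ip_network(cidr)
        for r in self.routes:
            if (r.origin == "propagated" and r.prefix.version == net.version
                    and r.prefix.overlaps(net)):
                return False
        self.routes.append(Route(net, attachment, "propagated"))
        return True

    def add_static(self, cidr: str, attachment: str) -> None:
        """Static route added by the gateway owner (no overlap check is modelled
        for static routes; that is a simplifying assumption)."""
        self.routes.append(Route(ipaddress.ip_network(cidr), attachment, "static"))

    def next_hop(self, dst_ip: str) -> str | None:
        """Most specific matching prefix wins.  None means the destination is
        unreachable from this table, i.e. the segments are isolated."""
        ip = ipaddress.ip_address(dst_ip)
        best: Route | None = None
        for r in self.routes:
            if r.prefix.version == ip.version and ip in r.prefix:
                if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                    best = r
        return best.attachment if best else None


class TransitGateway:
    def __init__(self) -> None:
        self.tables: dict[str, RouteTable] = {"default": RouteTable("default")}
        self.association: dict[str, str] = {}   # attachment -> its single associated table

    def create_route_table(self, name: str) -> RouteTable:
        self.tables[name] = RouteTable(name)
        return self.tables[name]

    def associate(self, attachment: str, table: str) -> None:
        self.association[attachment] = table

    def forward(self, src_attachment: str, dst_ip: str) -> str | None:
        """Traffic entering from src_attachment is routed with that attachment's
        associated table, so two attachments only reach each other if their
        tables carry each other's routes."""
        table = self.association.get(src_attachment, "default")
        return self.tables[table].next_hop(dst_ip)


def build_segmented_gateway() -> TransitGateway:
    """Two isolated segments (prod, dev) that both reach an on-premises VPN:
    the VRF-style layout the FAQ describes.  All ids and CIDRs are constructed."""
    tgw = TransitGateway()
    prod = tgw.create_route_table("prod")
    dev = tgw.create_route_table("dev")
    # Prod VPCs: associated with, and propagated into, the prod table only.
    for att, cidr in (("tgw-attach-prod-a", "10.1.0.0/16"),
                      ("tgw-attach-prod-b", "10.2.0.0/16")):
        tgw.associate(att, "prod")
        prod.propagate(att, cidr)
    # Dev VPC: its own table, so prod cannot reach it and vice versa.
    tgw.associate("tgw-attach-dev", "dev")
    dev.propagate("tgw-attach-dev", "10.3.0.0/16")
    # VPN to on-premises: the BGP-learned prefix is propagated into both segments.
    for table in (prod, dev):
        table.propagate("tgw-attach-vpn", "192.168.0.0/16")
    # Return path: the VPN's own table gets static routes back to each segment.
    shared = tgw.create_route_table("shared")
    tgw.associate("tgw-attach-vpn", "shared")
    shared.add_static("10.1.0.0/16", "tgw-attach-prod-a")
    shared.add_static("10.2.0.0/16", "tgw-attach-prod-b")
    shared.add_static("10.3.0.0/16", "tgw-attach-dev")
    return tgw


def overlapping_vpc_is_rejected(tgw: TransitGateway) -> bool:
    """A new VPC whose CIDR overlaps the already attached 10.1.0.0/16 must not
    get a route installed in the prod table (FAQ: overlaps are not propagated)."""
    return not tgw.tables["prod"].propagate("tgw-attach-prod-dup", "10.1.128.0/17")


if __name__ == "__main__":
    gw = build_segmented_gateway()
    for src, dst in (("tgw-attach-prod-a", "10.2.5.5"), ("tgw-attach-prod-a", "10.3.1.1"),
                     ("tgw-attach-dev", "192.168.1.1"), ("tgw-attach-vpn", "10.3.9.9")):
        print(f"{src} -> {dst}: {gw.forward(src, dst)}")
    print("overlapping VPC rejected:", overlapping_vpc_is_rejected(gw))
```

Running the module prints the forwarding decision for each constructed flow: prod-to-prod and segment-to-VPN traffic resolve to an attachment, prod-to-dev traffic resolves to None because neither table carries the other's routes, and the overlapping VPC is reported as rejected. The return-path static routes in the shared table are the part most often forgotten in practice: without them the VPN can receive traffic from a segment but cannot send replies back.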
Performance and limits
Q: What are the service limits that I need to keep in mind while using AWS Transit Gateways?
A: The table below lists the different service limits:

| Limit | Value |
|---|---|
| Number of AWS Transit Gateway attachments | |
| Maximum bandwidth per VPN connection* | 1.25 Gbps |
| Maximum bandwidth (burst) per VPC connection | 50 Gbps |
| Number of AWS Transit Gateways per account | |
| Number of AWS Transit Gateway attachments per VPC | |
| Number of routes | 10,000 |
| Number of Direct Connect gateways per AWS Transit Gateway | 20 |
*You can use equal-cost multi-path routing (ECMP) to get higher VPN bandwidth by aggregating multiple VPN connections.
Security and compliance
Q: With which compliance programs does AWS Transit Gateway conform?
A: AWS Transit Gateway inherits compliance from Amazon Virtual Private Cloud (Amazon VPC) and meets the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP Moderate, FedRAMP High and HIPAA eligibility.
For more information, visit our compliance page.
Q: Does AWS Transit Gateway support IPv6?
A: Yes, AWS Transit Gateway supports attaching Amazon VPCs with IPv6 CIDRs.
Q: Which Amazon VPC features are not supported in the first release?
A: Security Group Referencing on Amazon VPC is not supported at launch. Spoke Amazon VPCs cannot reference security groups in other spokes connected to the same AWS Transit Gateway.
Q: Can I associate my AWS Transit Gateway with a Direct Connect gateway in a different account?
A: Yes, you can associate your AWS Transit Gateway with an AWS Direct Connect gateway from a different AWS account, if both AWS accounts have the same AWS payer account ID. Only the owner of the AWS Transit Gateway can create an association with a Direct Connect gateway. You cannot use Resource Access Manager to associate your AWS Transit Gateway with a Direct Connect gateway. For more information, please review the AWS Transit Gateway Support section in the Direct Connect FAQs.
Q: I want to associate my Transit Gateway with a Direct Connect gateway. Can I use the same Autonomous System Number (ASN) for the Direct Connect gateway and the Transit Gateway?
A: No, you cannot use the same ASN for the Transit Gateway and the Direct Connect gateway.