11.28.19

AWS Transit Gateway Examined

By Juan Ignacio Giro

Multi-cloud environments may be the latest trend in cloud infrastructure, but that doesn’t mean on-premise servers are no longer used. Though many have adopted cloud technology, there are a lot of companies still relying on on-premise hardware for their apps and/or databases as well. This means there is a big need for cloud and on-premise infrastructure integration.

AWS Transit Gateway is designed to bridge the gap between the two types of infrastructure. In fact, it is designed to act as a router that connects Virtual Private Clouds (AWS VPCs) and on-premise networks. The use of AWS Transit Gateway enables applications to leverage the power of cloud computing. Transit Gateway enables the connection between one or more VPCs, VPN connections, and AWS Direct Connect gateways (as long as they are in the same region as the Transit Gateway).

Why AWS Transit Gateway?

AWS Transit Gateway is a service that connects VPCs and on-premise solutions. It basically eliminates the time-consuming task of connecting individual VPCs to each other via the VPC peering feature as well as establishing VPN tunnels between on-prem and each VPC to enable on-premise connectivity.

These tasks aren’t difficult to handle when you only have a couple of VPCs and on-premise networks, but they can be a substantial challenge when there are hundreds of VPCs and networks that need to be integrated. AWS Transit Gateway, as the name suggests, acts as the universal gateway for all of them.

Of course, AWS Transit Gateway does more than create a gateway for different networks and infrastructures. It offers a number of features that matter for certain workloads.

Complex routing is also made simpler. Whether you are connecting multiple VPCs or enabling routing to groups of them, you can configure Transit Gateway instead of individual networks. AWS even adds support for interoperability by integrating DNS translation.

That brings us to the biggest advantage offered by AWS Transit Gateway: seamless integration with critical AWS services. You have access to everything from AWS PrivateLink to Elastic File System and NAT gateway with a single Transit Gateway instance.

Security is a big part of AWS Transit Gateway. Similar to other Amazon services, Transit Gateway works out of the box with IAM, allowing you to control access to the gateway specifically. 

To top it all off, AWS Transit Gateway can be integrated with monitoring tools provided by Amazon, including CloudWatch. As an added bonus, there is built-in Amazon VPC Flow Logs support for in-depth IP and routing monitoring.

If you are managing multiple networks and infrastructures, AWS Transit Gateway is a handy service to use. It eliminates the hassle of integrating cloud infrastructure with on-premise solutions, including edge devices and local (office) networks.

Automating Transit Gateway with Terraform

Just because you are integrating multiple VPCs and on-premise networks, it doesn’t mean you cannot enjoy the benefits of true cloud mesh. It is still possible to create a robust and scalable ecosystem for your applications with Transit Gateway handling the necessary routing.

A way to do this is by utilizing Terraform, which turns building, updating, and versioning infrastructure-related elements into lines of code. Terraform, when used alongside Transit Gateway, completely automates the creation of routing rules—and the entire Transit Gateway hub—without making the whole process too complicated.

First, you need to define how you want the Route Tables to be configured. Depending on how your infrastructure is configured, there are several ways to configure a routing hub for your VPCs. You can, for instance, separate development Route Tables from deployment Route Tables. With this approach, you also have the ability to separate VPCs depending on their functions.

To complete the set, configure a Shared Route Table that handles all requests. The VPC that handles external requests should direct those requests to a Shared Route Table within Transit Gateway. Shared components such as common tools, logging services, proxies, and others can also be placed in the same shared environment.

Sounds complex? Not really. Terraform actually makes defining VPC sections and Route Table associations easy. 

Each VPC has its own name, CIDR range, subnets, and other details. Routing Tables and their associations are just as simple to set up. Keep in mind that AWS automatically creates and assigns Route Tables based on the default configuration, but you can customize how routes are established within Terraform.

The last piece of the puzzle is Transit Gateway itself. This is where you configure how VPCs and other network components interact with each other. You can have development VPCs connect to a closed network of dev VPCs by setting the route_table_propagation and route_table_association to false.

Everything else, from ingress and egress to security groups and access control, can be configured within Terraform too. AWS will use the configuration defined in your main.tf instead of the default values, giving you complete control over your infrastructure.
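As an added example (not the article's own code), the Terraform layout the section describes: a hub with its default route table disabled, one Transit Gateway route table per environment, VPC attachments that opt out of default association and propagation, and propagations that let dev and prod each reach the shared VPC but not each other. The var.vpcs map with its env, id, cidr and subnet_ids fields is an assumed input.

```terraform
variable "vpcs" {
  type = map(object({ env = string, id = string, cidr = string, subnet_ids = list(string) }))
}

resource "aws_ec2_transit_gateway" "hub" {
  # No default table: nothing can reach anything until associated explicitly.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}
locals {
  envs = ["dev", "prod", "shared"]
  # attachment -> table pairs: a VPC propagates into its own environment's table and into shared; shared goes everywhere.
  propagations = merge([
    for name, v in var.vpcs : {
      for env in local.envs : "${name}-${env}" => { attachment = name, table = env }
      if env == v.env || env == "shared" || v.env == "shared"
    }
  ]...)
}

resource "aws_ec2_transit_gateway_route_table" "rt" {
  for_each           = toset(local.envs)
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_vpc_attachment" "att" {
  for_each           = var.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
# Traffic leaving a VPC is evaluated against its own environment's table only.
resource "aws_ec2_transit_gateway_route_table_association" "assoc" {
  for_each                       = var.vpcs
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.att[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.value.env].id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "prop" {
  for_each                       = local.propagations
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.att[each.value.attachment].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.value.table].id
}
# Defence in depth: a static blackhole outranks a propagated route for the same prefix.
resource "aws_ec2_transit_gateway_route" "prod_drops_dev" {
  for_each                       = { for n, v in var.vpcs : n => v.cidr if v.env == "dev" }
  destination_cidr_block         = each.value
  blackhole                      = true
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["prod"].id
}
```

The Transit Gateway tables only decide what the hub forwards; each VPC's own route table still needs an aws_route entry with transit_gateway_id pointing the peer CIDRs at the hub.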

Problem-Free Implementation

There are still issues with using Transit Gateway, particularly issues related to integrating Transit Gateway with Terraform. In many cases, you will run into problems trying to debug your infrastructure due to the lack of clarity in error messages. Terraform also relies on AWS APIs to fully function, and we all know that those APIs don’t always play well with complex routines.

Other common limitations can cause further issues. AWS Transit Gateway gets frequent updates and Terraform may take a while to keep up. Routine chores such as declaring variables and managing secrets can also slow down the rapid deployment of cloud infrastructure.

The good news is, you don’t have to make sacrifices to automate AWS Transit Gateway and use it alongside Terraform. In their present form, Transit Gateway and Terraform are easy to integrate. As long as you define the variables correctly, you can rapidly deploy and maintain your cloud infrastructure with a simple terraform apply command.
