AWS Transit Gateway: What it is, benefits, and limitations

November 29, 2018

Among the announcements AWS re:Invent 2018 attendees are buzzing about is the AWS Transit Gateway, designed to simplify network management. The IT fraternity seems to love the number one (one click, one view), and this new tool continues that theme, merging cloud resources and on-prem datacenters into one network topology.

Why is this important? According to Amazon, the Virtual Private Cloud (VPC) is one of the most popular and essential features of Amazon Web Services. Because VPCs are highly configurable and controllable, customers tend to create many of them, even hundreds, and this can lead to connectivity chaos.

Enter the Transit Gateway, which creates connections between VPCs beyond the abilities of the peering solutions previously used. With a single set of controls, you can connect the VPCs you already have in play, worldwide offices, and datacenters, even across multiple AWS accounts.

Essentially, Transit Gateways give you a way to simplify network architecture, reduce operational overhead, and centrally manage external connectivity.

Benefits
  1. Simplified connectivity – AWS resources in geographically dispersed VPCs need access to a wide variety of on-prem or remote infrastructure. Now, you can connect all of your VPCs across thousands of AWS accounts and merge everything into a centrally managed gateway.
  2. Simplified visibility and network control – For large enterprises, VPCs are located in different AWS regions based on their business use cases. Complex network routing is required to implement a hybrid network architecture. With centralized monitoring and controls you can easily manage all of your Amazon VPCs and edge connections in a single console. Developers and SREs can quickly identify issues and react to events on your network. AWS Transit Gateway provides statistics and logs that are then used by services such as Amazon CloudWatch and Amazon VPC Flow Logs to capture information on the IP traffic routed through the AWS Transit Gateway. You can use Amazon CloudWatch to get bandwidth usage between Amazon VPCs and a VPN connection, packet flow count, and packet drop count.
  3. On-demand bandwidth – You can expand your network quickly to meet the bandwidth requirements of transferring large amounts of data for your applications, scaling edge devices, or migrating to the cloud.

Limitations
  1. CIDRs – AWS Transit Gateway doesn’t support routing between Amazon VPCs with overlapping CIDRs. If you attach a new Amazon VPC that has a CIDR which overlaps with an already attached Amazon VPC, AWS Transit Gateway will not propagate the new Amazon VPC route into the AWS Transit Gateway route table.
  2. Security group referencing across Amazon VPCs is not supported at launch. Spoke Amazon VPCs cannot reference security groups in other spokes connected to the same AWS Transit Gateway. Also, right now, maximum bandwidth per connection in the transit mesh is limited to 1.25 Gbps.
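A pre-flight check for the first limitation, as an added example that is not part of the original post: because an overlapping CIDR is silently left out of the Transit Gateway route table rather than rejected, it is worth detecting collisions before attaching. The VPC inventory below is constructed; in practice the CIDR lists would be pulled from the EC2 DescribeVpcs and DescribeTransitGatewayVpcAttachments API calls, which this script does not make.

```python
from ipaddress import ip_network

# Constructed inventory of VPCs already attached to the transit gateway
# (VPC name -> list of CIDR blocks; a VPC may carry secondary CIDRs).
ATTACHED_VPCS = {
    "vpc-prod-a": ["10.0.0.0/16"],
    "vpc-prod-b": ["10.1.0.0/16", "100.64.0.0/22"],
    "vpc-shared": ["172.16.0.0/20"],
}


def find_overlaps(vpcs):
    """Return (vpc_x, cidr_x, vpc_y, cidr_y) for every pair of CIDR blocks
    that overlap across *different* VPCs. Blocks inside one VPC are skipped,
    since AWS already refuses overlapping secondary CIDRs on a single VPC."""
    blocks = [(name, ip_network(c)) for name, cidrs in vpcs.items() for c in cidrs]
    hits = []
    for i, (vx, nx) in enumerate(blocks):
        for vy, ny in blocks[i + 1:]:
            if vx != vy and nx.overlaps(ny):
                hits.append((vx, str(nx), vy, str(ny)))
    return hits


def check_new_attachment(attached, vpc_name, cidrs):
    """Pre-flight for attaching vpc_name: list (new_cidr, attached_vpc,
    attached_cidr) for every collision. An empty list means every block of the
    new VPC will propagate into the transit gateway route table."""
    conflicts = []
    for cidr in cidrs:
        new = ip_network(cidr)
        for name, existing in attached.items():
            for e in existing:
                if new.overlaps(ip_network(e)):
                    conflicts.append((cidr, name, e))
    return conflicts


if __name__ == "__main__":
    # Sanity check: the current mesh has no cross-VPC overlaps.
    print("existing overlaps:", find_overlaps(ATTACHED_VPCS))
    # A constructed candidate VPC that reuses part of 10.0.0.0/16 is flagged
    # before the attachment is created, instead of losing its route silently.
    print("conflicts for vpc-dev:",
          check_new_attachment(ATTACHED_VPCS, "vpc-dev",
                               ["10.0.8.0/21", "192.168.0.0/24"]))
```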

You can use the command-line interface (CLI), AWS Management Console, or AWS CloudFormation to create and manage your AWS Transit Gateway. AWS Transit Gateway is integrated with Identity and Access Management (IAM), enabling you to manage access to AWS Transit Gateway securely.

AWS Transit Gateway is available in the US East (Virginia), US East (Ohio), US West (Oregon), US West (Northern California), EU (Ireland), and Asia Pacific (Mumbai) AWS Regions. Support for other AWS Regions should be coming soon. Pricing details are published on the AWS Transit Gateway pricing page.

You can also use Nutanix Beam to centralize cloud governance controls across multiple teams to track entire cloud spend and map consumption to business units. Beam visualizes resources by groups and departments, empowering cloud operators to manage their usage.