Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

💪 25% OFF on ALL Reviewers to Start Your 2026 Strong with our New Year, New Skills Sale!

AWS Transit Gateway

Home » AWS Cheat Sheets » AWS Networking & Content Delivery » AWS Transit Gateway

AWS Transit Gateway

Last updated on December 26, 2025

AWS Transit Gateway Cheat Sheet

  • A networking service that uses a hub and spoke model to enable customers to connect their on-premises data centers and their Amazon Virtual Private Clouds (VPCs) to a single gateway.
  • With this service, customers only have to create and manage a single connection from the central gateway into each on-premises data center, remote office, or VPC across your network.
  • If a new VPC is created, you simply attach it to the Transit Gateway, making it available to every other connected network (subject to route table rules).

Features

Inter-region Peering

  • Transit Gateway leverages the AWS global network to allow customers to route traffic across AWS Regions.

  • Inter-region peering provides an easy and cost-effective way to replicate data for geographic redundancy or to share resources between AWS Regions.

  • Transit Gateway also supports peering attachments within the same AWS Region, enabling scalable connectivity between multiple transit gateways.

Multicast

  • Enables customers to have fine-grained control over who can consume and produce multicast traffic.

  • Allows customers to create and manage multicast groups in the cloud without deploying or maintaining legacy multicast hardware on premises.

  • This solution is scalable and supports simultaneous distribution of content streams to multiple subscribers.

Tutorials dojo strip

Transit Gateway Connect (SD-WAN Integration)

  • Provides a native way to connect SD-WAN (Software-Defined Wide Area Network) appliances and third-party virtual appliances running in a VPC to AWS.

  • Uses GRE (Generic Routing Encapsulation) tunnels instead of IPsec VPNs, enabling higher bandwidth and improved performance.

  • Removes the need to configure public IP addresses or manually manage IPsec VPN tunnels for SD-WAN appliances.

AWS Transit Gateway Network Manager

  • Provides a unified dashboard to visualize and monitor global networks across AWS and on-premises environments.

  • Includes Route Analyzer to analyze and debug routing paths between resources, helping identify connectivity issues such as unreachable VPCs or VPN connections.

  • Automatically identifies Site-to-Site VPN connections and their associated on-premises resources.

Routing and Policy Control

  • Supports transit gateway policy tables that enable dynamic routing and automatic exchange of routing and reachability information between connected and peered transit gateways.

  • Allows prefix list references to be used in transit gateway route tables, simplifying route management at scale.

Enhanced Metrics and Flow Logs

  • Supports CloudWatch metrics for individual transit gateway attachments, including availability zone–level visibility, enabling detailed monitoring and troubleshooting.

  • Supports Transit Gateway Flow Logs, allowing network traffic between transit gateways and attached resources to be logged and analyzed.

Appliance Mode Enhancements

  • Supports appliance mode on VPC attachments to ensure bidirectional traffic flows through the same Availability Zone.

  • Improves routing predictability and performance for firewall, intrusion detection, and traffic inspection appliances.

Security and Encryption

  • Supports encryption in transit, allowing organizations to enforce encrypted traffic across transit gateway attachments.

  • Supports security group referencing across VPCs attached to a transit gateway, enabling simplified and centralized security policy management.

  • Supports traffic mirroring on transit gateway attachments to send copies of network traffic to security appliances for inspection and threat monitoring.

Network Function Attachments

  • Supports network function attachments that allow a transit gateway to connect directly to AWS Network Firewall.

  • Enables simplified deployment of centralized traffic inspection architectures without complex routing configurations.

Cost Management and Quotas

  • Supports flexible cost allocation policies to control how data processing and data transfer costs are allocated across an organization.

  • Supports cost allocation tagging to help track and allocate transit gateway networking costs across teams and environments.

  • Enforces bandwidth quotas to control and manage transit gateway throughput limits.

AWS Transit Gateway Pricing

  • Attachment: You are charged an hourly rate for each attachment (VPC, VPN, or Connect attachment) associated with your Transit Gateway.

  • Data Processing: You are charged per GB for data processed by the Transit Gateway.

  • Data Transfer: Standard AWS data transfer charges apply for traffic leaving AWS.

Note: If you are studying for the AWS Certified Advanced Networking Specialty exam, we highly recommend that you take our AWS Certified Advanced Networking – Specialty Practice Exams and read our Advanced Networking Specialty exam study guide.

AWS Certified Advanced Networking Specialty Practice Exams

Validate Your Knowledge

Question 1

A multinational bank has two data centers that are 60 miles (96.56 kilometers) from each other. The bank also has a single transit gateway that has multiple VPC and VPN attachments.

The Network team recently established two AWS Direct Connect connections from the company’s on-premises data centers to a Direct Connect location with the help of a local Direct Connect Partner. Afterward, they provisioned an AWS Direct Connect Gateway that connects to the AWS Direct Connect location via a transit virtual interface.

With this setup, what other network connections can be implemented? (Select TWO.)

  1. Connect multiple VPCs in the same or different AWS account using the Direct Connect connection.
  2. Associate multiple transit gateways in different AWS Regions to the Direct Connect Gateway and use the same ASNs for each transit gateway. Enable the Appliance mode for all transit gateways.
  3. Allow on-premises servers to connect to AWS resources that are reachable via public IP addresses such as AWS public endpoints and S3 buckets. Configure the Appliance mode on the existing transit gateway.
    4. Free AWS Courses
  4. Use equal-cost multi-path routing (ECMP) to get higher VPN bandwidth by aggregating multiple VPN connections in different AWS Regions.
  5. Associate multiple transit gateways in the same AWS Region.

 

 

Correct Answers: 1,5

A transit gateway enables you to attach VPCs and VPN connections in the same Region and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS Resource Access Manager to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.

You can enable multicast on a transit gateway, and then create a transit gateway multicast domain that allows multicast traffic to be sent from your multicast source to multicast group members over VPC attachments that you associate with the domain.

A transit virtual interface should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with 1/2/5/10 Gbps AWS Direct Connect connections.

To connect to your resources hosted in an Amazon VPC (using their private IP addresses) through a transit gateway, use a transit virtual interface. With a transit virtual interface, you can:

– Connect multiple VPCs in the same or different AWS account using DX.

– Associate up to three transit gateways in the same AWS Region when you use a transit virtual interface to connect to a DX gateway.

– Attach VPCs in the same AWS Region to the transit gateway. Then, access multiple VPCs in different AWS accounts in the same AWS Region using a transit virtual interface.

You can also create a peering connection attachment between transit gateways in different AWS Regions. This enables you to route traffic between the transit gateways’ attachments across different Regions.

You can use equal-cost multi-path routing (ECMP) to get higher VPN bandwidth by aggregating multiple VPN connections. However, you can only aggregate connections in the same AWS Region only. Alternatively, you can create a peering connection attachment between transit gateways in different AWS Regions to enable you to route traffic between the transit gateways’ attachments across different Regions.

Hence, the correct answers are:

– Connect multiple VPCs in the same or different AWS account using the Direct Connect connection.

– Associate multiple transit gateways in the same AWS Region.

The option that says: Associate multiple transit gateways in different AWS Regions to the Direct Connect Gateway and use the same ASNs for each transit gateway. Enable the Appliance mode for all transit gateways is incorrect. Although this is possible, you have to use unique ASNs for each transit gateway. Enabling the Application mode for the transit gateways serves no purpose as well. The Application mode simply ensures that the bidirectional traffic is routed symmetrically, whereby a request is routed through the same Availability Zone in the VPC attachment for the life of the flow.

The option that says: Allow on-premises servers to connect to AWS resources that are reachable via public IP addresses such as AWS public endpoints and S3 buckets. Configure the Appliance mode on the existing transit gateway is incorrect because this is only possible with a public virtual interface and not with a transit virtual interface. Just as explained in the previous option, the use of the Application mode for the Transit Gateway is not warranted in this scenario.

The option that says: Use equal-cost multi-path routing (ECMP) to get higher VPN bandwidth by aggregating multiple VPN connections in different AWS Regions is incorrect. Although you can use ECMP and aggregate multiple VPNs with Transit Gateway, these resources should be in the same AWS Region. An alternative solution is to establish a peering connection between two transit gateways in different AWS Regions, however, the scenario clearly mentioned that there is only a single transit gateway.

References:
https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html
https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

Note: This question was extracted from our AWS Certified Advanced Networking Specialty Practice Exams.

 

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

Tutorials Dojo AWS Practice Tests

AWS Transit Gateway Cheat Sheet Reference:
https://aws.amazon.com/transit-gateway/

Learn AWS with our PlayCloud Hands-On Labs

$2.99 AWS and Azure Exam Study Guide eBooks

tutorials dojo study guide eBook

New AWS Generative AI Developer Professional Course AIP-C01

AIP-C01 Exam Guide AIP-C01 examtopics AWS Certified Generative AI Developer Professional Exam Domains AIP-C01

Learn GCP By Doing! Try Our GCP PlayCloud

Learn Azure with our Azure PlayCloud

FREE AI and AWS Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?

All products - Video Courses,
Practice Exams and eBooks
NON-PROMO
PERIOD
25% OFF Sale
eBooks as low as $6.99 $2.99
AWS Associate-Level Video Courses $12.99 $9.74
AZ-900, AI-900, KCNA Practice Exams $12.99 $9.74
AWS Foundational, Associate & Pro-Level Mock Exams $14.99 $11.24
AZ-104, AZ-305, AZ-400 & AZ-500 Mock Exams  $14.99 $11.24
AWS Specialty Practice Exams  $17.99 $13.49
AWS CCP Triple Bundle $29.97 $21.72
AWS Associate-Level Triple Bundle  $34.97 $24.97