AWS Transit Gateway

Correct Answers: 1,5

A transit gateway enables you to attach VPCs and VPN connections in the same Region and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS Resource Access Manager to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.

You can enable multicast on a transit gateway, and then create a transit gateway multicast domain that allows multicast traffic to be sent from your multicast source to multicast group members over VPC attachments that you associate with the domain.

A transit virtual interface should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with 1/2/5/10 Gbps AWS Direct Connect connections.

To connect to your resources hosted in an Amazon VPC (using their private IP addresses) through a transit gateway, use a transit virtual interface. With a transit virtual interface, you can:

• Connect multiple VPCs in the same or different AWS account using DX.
• Associate up to three transit gateways in the same AWS Region when you use a transit virtual interface to connect to a DX gateway.
• Attach VPCs in the same AWS Region to the transit gateway. Then, access multiple VPCs in different AWS accounts in the same AWS Region using a transit virtual interface.

You can also create a peering connection attachment between transit gateways in different AWS Regions. This enables you to route traffic between the transit gateways’ attachments across different Regions.

You can use equal-cost multi-path routing (ECMP) to get higher VPN bandwidth by aggregating multiple VPN connections. However, you can only aggregate connections in the same AWS Region only. Alternatively, you can create a peering connection attachment between transit gateways in different AWS Regions to enable you to route traffic between the transit gateways’ attachments across different Regions.

Hence, the correct answers are:

• Connect multiple VPCs in the same or different AWS account using the Direct Connect connection.
• Associate multiple transit gateways in the same AWS Region.

The option that says: Associate multiple transit gateways in different AWS Regions to the Direct Connect Gateway and use the same ASNs for each transit gateway is incorrect. Although this is possible, you have to use unique ASNs for each transit gateway.

The option that says: Allow on-premises servers to connect to AWS resources that are reachable via public IP addresses such as AWS public endpoints and S3 buckets is incorrect because this is only possible with a public virtual interface and not with a transit virtual interface.

The option that says: Use equal-cost multi-path routing (ECMP) to get higher VPN bandwidth by aggregating multiple VPN connections in different AWS Regions is incorrect. Although you can use ECMP and aggregate multiple VPNs with Transit Gateway, these resources should be in the same AWS Region. An alternative solution is to establish a peering connection between two transit gateways in different AWS Regions, however, the scenario clearly mentioned that there is only a single transit gateway.

References:
https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html
https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

Note: This question was extracted from our AWS Certified Advanced Networking Specialty Practice Exams.