Scale Securely with Transit Gateway

AWS Transit Gateway is an under-appreciated service providing secure, scalable, and maintainable connectivity between distributed services and on-premise networks.

Thomas Barrasso
Dec 2, 2019 · 5 min read

Supporting Scale

As software company offerings expand, so do their teams. When startups get acquired or go public, the engineering team grows into a full engineering organization. That engineering organization then needs to scale to support more customers, and in the process monolithic architectures give way to service-oriented designs.

Connectivity Options

Each option has a set of trade-offs associated with it, but the main ones used for service-to-service communication are Internet Gateways, VPC Peering, PrivateLink, and Transit Gateway. Here is a vastly oversimplified use case for each of these resources:

  • PrivateLink: use for secure, single service-to-service integration with one of the supported services. Not ideal for shared services as each consumer network requires a VPC Endpoint.
  • VPC Peering: use for single, VPC-to-VPC service sharing. Not ideal for mesh networks because peering connections are not transitive and Edge-to-Edge Gateway/VPN Connections cannot be shared.
  • Transit Gateway: use for general purpose, secure, centrally-managed shared services and internal, on-premise applications. Combine with private Hosted Zones and a Route53 Resolver to support private DNS.

Transit Gateway vs. VPC Peering — Limitations

As a network-level utility that enables the sharing of multiple resources, VPC Peering is the closest analog to Transit Gateway. As such, the two also share similar limitations including the inability to have overlapping IP address ranges (CIDR blocks).

VPC Peering does not support transitive peering

This restriction is so important, it is actually the reason behind the name Transit Gateway. Transitive networks greatly simplify full, multi-VPC mesh networks where every node is connected to every other node in the network.
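As an added example (not code from the original post), here is a Python pre-flight check for the overlapping-CIDR limitation described above, run against a constructed VPC and on-premise inventory; it also emits the static routes a single shared Transit Gateway route table would need so every attachment can reach every other, the transitive full mesh that peering cannot provide. The inventory names and the helper functions are assumptions for illustration.

```python
"""Pre-flight check before attaching VPCs to a Transit Gateway.

Transit Gateway, like VPC Peering, cannot route between networks whose
CIDR blocks overlap. Given an inventory of attachment names and the
CIDRs each advertises, report every overlapping pair, and if the
inventory is clean, build the static routes for one shared TGW route
table. The inventory below is constructed sample data, not real addresses.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed inventory (assumption): attachment name -> CIDR blocks.
INVENTORY = {
    "vpc-shared-services": ["10.0.0.0/16"],
    "vpc-team-a": ["10.1.0.0/16"],
    "vpc-team-b": ["10.1.128.0/17"],                   # overlaps vpc-team-a
    "onprem-datacenter": ["192.168.0.0/16", "10.2.0.0/24"],
    "vpc-team-c": ["10.2.0.0/16"],                     # overlaps onprem-datacenter
}


def find_overlaps(inventory):
    """Return sorted (name1, cidr1, name2, cidr2) tuples for every pair of
    CIDRs belonging to different attachments that overlap."""
    nets = [(name, ip_network(cidr, strict=True))
            for name, cidrs in inventory.items() for cidr in cidrs]
    hits = []
    for (n1, c1), (n2, c2) in combinations(nets, 2):
        if n1 != n2 and c1.overlaps(c2):
            hits.append((n1, str(c1), n2, str(c2)))
    return sorted(hits)


def tgw_routes(inventory):
    """Static routes for a single TGW route table shared by all attachments:
    destination CIDR -> owning attachment. Refuses to build routes while
    any overlap exists, because forwarding would be ambiguous."""
    overlaps = find_overlaps(inventory)
    if overlaps:
        raise ValueError(f"overlapping CIDRs, fix before attaching: {overlaps}")
    return {cidr: name for name, cidrs in inventory.items() for cidr in cidrs}


if __name__ == "__main__":
    for n1, c1, n2, c2 in find_overlaps(INVENTORY):
        print(f"OVERLAP: {n1} {c1} <-> {n2} {c2}")
```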

VPC Peering (left) vs. Transit Gateway (right)
VPC Peering does not support Edge-to-Edge VPN Connections

Internal & Shared Services

Although Transit Gateway enables many advanced network topologies, at a high level it is especially useful for provisioning internal and shared services.

Internal Services

Cloud-hosted internal services are valuable because they combine the scalability and cost-effectiveness of cloud infrastructure with the privacy, security, and control of on-premise systems.

Without Transit Gateway (multiple S2S VPN connections) vs. with Transit Gateway (single connection)

Shared Services

Monolithic architecture is by its nature centralized. This means that communication between components and sharing dependencies is trivial. Yet, monoliths are an example of tightly-coupled software that has well-known issues related to scalability, security, and stability.

Accessing shared services using Transit Gateway
