Transit Gateway Patterns
Hub-and-spoke.
What Transit Gateway solves
Hub-and-spoke connectivity for many VPCs. Replaces N×N VPC peering with a single hub.
Cross-region connectivity via TGW peering, which simplifies multi-region architectures.
On-prem connectivity through Direct Connect or VPN attached to TGW. One hub for all the spokes.
When to adopt
Five or more VPCs. N×N peering becomes unmanageable at around five VPCs; beyond that, TGW pays for itself.
Multi-account organisation. Share the TGW across accounts with RAM; spoke accounts attach to it.
Complex routing requirements: per-route-table policies and transitive routing patterns.
Cost model
Billed per attachment per hour: about $36/month per attachment.
Per-GB processed: $0.02 per GB. At meaningful scale, this is the dominant cost.
Compare to NAT: TGW is often cheaper at high cross-VPC volume and more expensive at low volume.
Design patterns
Per-environment route tables (prod, non-prod, shared). Limits blast radius of routing mistakes.
Inspection VPC pattern: traffic between VPCs flows through a firewall VPC for inspection.
Spoke isolation: spokes can reach hub services but not each other directly. Reduces lateral-movement risk.
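The three patterns above are all route-table arrangements, and the failure mode is a single "shortcut" route that lets two spokes bypass isolation or inspection. The toy model below is an added example, not AWS's or this page's code: it simulates TGW routing as the text describes it (one associated route table per attachment, longest-prefix match, routes that target an attachment or blackhole), builds a per-environment design with an inspection VPC and a fully isolated non-prod table, and then audits every spoke pair for a path that skips the firewall. Attachment ids, table names and CIDRs are constructed.

```python
"""Toy model of Transit Gateway routing, used to check that a design actually
enforces spoke isolation and the inspection VPC pattern before it is deployed.

Added example, not AWS's or the page's code. It models only what the text
describes: each attachment is associated with one route table, the table is
consulted with longest-prefix match, and a route can target an attachment or
be a blackhole. Attachment ids, table names and CIDRs are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TransitGateway:
    attachments: dict[str, str]                      # attachment id -> VPC CIDR behind it
    route_tables: dict[str, dict[str, str | None]]   # table -> {CIDR: attachment id, None = blackhole}
    associations: dict[str, str]                     # attachment id -> the one table it uses
    hairpin: set[str] = field(default_factory=set)   # attachments that send traffic back (inspection VPC)

    def next_hop(self, src: str, dst_ip: str) -> str | None:
        """Longest-prefix match in the table associated with the source attachment."""
        table = self.route_tables[self.associations[src]]
        ip = ipaddress.ip_address(dst_ip)
        best_len, best_target = -1, None
        for cidr, target in table.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best_len, best_target = net.prefixlen, target
        return best_target  # None: no route or blackhole; either way the packet is dropped

    def path(self, src: str, dst_ip: str, max_hops: int = 4) -> list[str]:
        """Hops a packet takes; ends in the delivering attachment, "DROP" or "LOOP"."""
        hops, cur = [src], src
        for _ in range(max_hops):
            nxt = self.next_hop(cur, dst_ip)
            if nxt is None:
                return hops + ["DROP"]
            hops.append(nxt)
            if nxt not in self.hairpin:
                return hops          # delivered into that VPC
            cur = nxt                # the firewall forwards it back into the TGW
        return hops + ["LOOP"]


def build_tgw() -> TransitGateway:
    """Per-environment tables, an inspection VPC, and fully isolated non-prod (constructed)."""
    return TransitGateway(
        attachments={
            "tgw-attach-shared":  "10.0.0.0/16",    # hub services every spoke may use
            "tgw-attach-prod-a":  "10.1.0.0/16",
            "tgw-attach-prod-b":  "10.2.0.0/16",
            "tgw-attach-nonprod": "10.100.0.0/16",
            "tgw-attach-inspect": "10.255.0.0/16",  # firewall VPC
        },
        route_tables={
            # prod spokes: hub directly, everything else in 10/8 via the firewall
            "spoke-prod":    {"10.0.0.0/16": "tgw-attach-shared", "10.0.0.0/8": "tgw-attach-inspect"},
            # non-prod: hub only; the /8 blackhole makes the isolation explicit
            "spoke-nonprod": {"10.0.0.0/16": "tgw-attach-shared", "10.0.0.0/8": None},
            # hub and firewall tables know every spoke
            "hub":        {"10.1.0.0/16": "tgw-attach-prod-a", "10.2.0.0/16": "tgw-attach-prod-b",
                           "10.100.0.0/16": "tgw-attach-nonprod"},
            "inspection": {"10.0.0.0/16": "tgw-attach-shared", "10.1.0.0/16": "tgw-attach-prod-a",
                           "10.2.0.0/16": "tgw-attach-prod-b", "10.100.0.0/16": "tgw-attach-nonprod"},
        },
        associations={
            "tgw-attach-prod-a": "spoke-prod", "tgw-attach-prod-b": "spoke-prod",
            "tgw-attach-nonprod": "spoke-nonprod", "tgw-attach-shared": "hub",
            "tgw-attach-inspect": "inspection",
        },
        hairpin={"tgw-attach-inspect"},
    )


def uninspected_spoke_pairs(tgw: TransitGateway, spokes: list[str]) -> list[tuple[str, str]]:
    """Spoke pairs that can reach each other without passing through a hairpin
    (inspection) attachment: exactly the routes a review should reject."""
    bad = []
    for a in spokes:
        for b in spokes:
            if a == b:
                continue
            probe = str(next(ipaddress.ip_network(tgw.attachments[b]).hosts()))
            p = tgw.path(a, probe)
            if p[-1] == b and not any(h in tgw.hairpin for h in p[1:-1]):
                bad.append((a, b))
    return bad


SPOKES = ["tgw-attach-prod-a", "tgw-attach-prod-b", "tgw-attach-nonprod"]

if __name__ == "__main__":
    tgw = build_tgw()
    print(tgw.path("tgw-attach-prod-a", "10.2.0.5"))   # prod-a -> inspect -> prod-b
    print(tgw.path("tgw-attach-nonprod", "10.1.0.5"))  # nonprod -> DROP
    print(uninspected_spoke_pairs(tgw, SPOKES))        # [] for the intended design
```

Adding a single more-specific route such as 10.2.0.0/16 -> tgw-attach-prod-b to the spoke-prod table wins longest-prefix match over the /8 route to the firewall, and the audit immediately reports the prod-a/prod-b pair; that is the blast-radius argument for per-environment tables in executable form.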
Operating Transit Gateway
Per-attachment owner: each attachment has a team responsible for it. Orphaned attachments are debt.
Quarterly review: attachments with no traffic, route tables with stale entries, drift from intent.
Monitoring: per-attachment bytes, packet drops, attachment health. Anomalies are flagged for investigation.
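The three operating rules above reduce to checks that can run on a schedule. The script below is an added example, not AWS's or this page's code: it performs the quarterly review over records shaped like the EC2 describe_transit_gateway_attachments and search_transit_gateway_routes responses plus 90-day CloudWatch sums of the AWS/TransitGateway BytesIn and PacketDropCountNoRoute metrics, so it runs offline; pointing the same functions at live API output is the only change needed. The tagging convention (an `owner` tag on every attachment), the drop threshold, and all ids, tags and numbers are constructed assumptions.

```python
"""Quarterly Transit Gateway hygiene review.

Added example, not AWS's or the page's code. It runs over constructed,
boto3-shaped records (describe_transit_gateway_attachments and
search_transit_gateway_routes responses, plus CloudWatch sums) so it works
offline. All ids, tags, thresholds and numbers below are constructed."""
from __future__ import annotations

OWNER_TAG = "owner"  # assumed tagging convention: every attachment names a team

# Shape of describe_transit_gateway_attachments()["TransitGatewayAttachments"] (constructed)
ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-prod-a", "ResourceType": "vpc",
     "State": "available", "Tags": [{"Key": "owner", "Value": "payments-platform"}]},
    {"TransitGatewayAttachmentId": "tgw-attach-shared", "ResourceType": "vpc",
     "State": "available", "Tags": [{"Key": "owner", "Value": "platform-core"}]},
    {"TransitGatewayAttachmentId": "tgw-attach-legacy", "ResourceType": "vpc",
     "State": "available", "Tags": []},                        # nobody owns this one
    {"TransitGatewayAttachmentId": "tgw-attach-dc1", "ResourceType": "direct-connect-gateway",
     "State": "available", "Tags": [{"Key": "owner", "Value": "network-eng"}]},
]

# 90-day CloudWatch sums per attachment (AWS/TransitGateway BytesIn and
# PacketDropCountNoRoute); constructed values.
METRICS_90D = {
    "tgw-attach-prod-a": {"BytesIn": 8.2e12, "PacketDropCountNoRoute": 120},
    "tgw-attach-shared": {"BytesIn": 9.9e12, "PacketDropCountNoRoute": 40},
    "tgw-attach-legacy": {"BytesIn": 0.0, "PacketDropCountNoRoute": 0},
    "tgw-attach-dc1": {"BytesIn": 3.1e12, "PacketDropCountNoRoute": 2_400_000},
}

# Shape of search_transit_gateway_routes()["Routes"], keyed by route table name (constructed).
ROUTES = {
    "spoke-prod": [
        {"DestinationCidrBlock": "10.0.0.0/16", "Type": "static", "State": "active",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-shared"}]},
        {"DestinationCidrBlock": "10.50.0.0/16", "Type": "static", "State": "active",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-retired"}]},
        {"DestinationCidrBlock": "10.0.0.0/8", "Type": "static", "State": "blackhole",
         "TransitGatewayAttachments": []},
    ],
}

# Declared intent per route table: CIDR -> attachment id, None = deliberate blackhole.
INTENT = {"spoke-prod": {"10.0.0.0/16": "tgw-attach-shared", "10.0.0.0/8": None}}


def owner_of(att: dict) -> str | None:
    return next((t["Value"] for t in att.get("Tags", []) if t["Key"] == OWNER_TAG), None)


def orphaned_attachments(attachments: list[dict]) -> list[str]:
    """Attachments with no responsible team: debt, per the operating rule above."""
    return [a["TransitGatewayAttachmentId"] for a in attachments if owner_of(a) is None]


def idle_attachments(attachments: list[dict], metrics: dict, min_bytes: float = 1.0) -> list[str]:
    """Attachments that moved no traffic in the window but are still billed hourly."""
    return [a["TransitGatewayAttachmentId"] for a in attachments
            if metrics.get(a["TransitGatewayAttachmentId"], {}).get("BytesIn", 0.0) < min_bytes]


def noisy_drop_attachments(metrics: dict, max_no_route_drops: int = 1_000_000) -> list[str]:
    """No-route drops far above baseline usually mean a route was removed while
    something still sends to it, or traffic nobody planned for; worth a look."""
    return [att for att, m in metrics.items()
            if m.get("PacketDropCountNoRoute", 0) > max_no_route_drops]


def route_target(r: dict) -> str | None:
    if r["State"] == "blackhole" or not r["TransitGatewayAttachments"]:
        return None
    return r["TransitGatewayAttachments"][0]["TransitGatewayAttachmentId"]


def stale_routes(routes: dict, attachments: list[dict]) -> list[tuple[str, str, str]]:
    """Static routes whose target attachment no longer exists."""
    live = {a["TransitGatewayAttachmentId"] for a in attachments}
    return [(table, r["DestinationCidrBlock"], tgt["TransitGatewayAttachmentId"])
            for table, entries in routes.items() for r in entries
            for tgt in r["TransitGatewayAttachments"]
            if tgt["TransitGatewayAttachmentId"] not in live]


def drift(routes: dict, intent: dict) -> dict[str, list[tuple[str, str]]]:
    """Routes present but not declared (unexpected) and declared but absent (missing)."""
    unexpected, missing = [], []
    for table, entries in routes.items():
        actual = {r["DestinationCidrBlock"]: route_target(r) for r in entries}
        wanted = intent.get(table, {})
        unexpected += [(table, c) for c, t in actual.items() if wanted.get(c, "absent") != t]
        missing += [(table, c) for c in wanted if c not in actual]
    return {"unexpected": unexpected, "missing": missing}


def quarterly_review(attachments=ATTACHMENTS, metrics=METRICS_90D, routes=ROUTES, intent=INTENT) -> dict:
    return {
        "orphaned": orphaned_attachments(attachments),
        "idle": idle_attachments(attachments, metrics),
        "noisy_drops": noisy_drop_attachments(metrics),
        "stale_routes": stale_routes(routes, attachments),
        "drift": drift(routes, intent),
    }


if __name__ == "__main__":
    for finding, items in quarterly_review().items():
        print(f"{finding}: {items}")
```

The blackhole route is deliberately not treated as stale: in the spoke-isolation pattern it is the control, so the check compares routes against declared intent rather than flagging every blackhole.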