# Lab: Implementing Multi-VPC Hub-and-Spoke Connectivity with AWS Transit Gateway
Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns
This hands-on lab guides you through implementing a scalable hub-and-spoke network architecture using AWS Transit Gateway (TGW). You will connect two VPCs and ensure they can communicate via the TGW hub, simulating a common enterprise multi-VPC pattern.
> [!IMPORTANT]
> This lab assumes you have basic familiarity with Amazon VPCs, Subnets, and EC2 instances.
## Prerequisites
- AWS Account: An active AWS account with administrative permissions.
- AWS CLI: Installed and configured with a profile (e.g., `aws configure`).
- Resources: Two VPCs in the same region with non-overlapping CIDR blocks:
  - VPC-A (Spoke 1): `10.0.0.0/16`
  - VPC-B (Spoke 2): `10.1.0.0/16`
- IAM Permissions: Ensure your user has `ec2:*TransitGateway*` and `ec2:*VpcAttachment*` permissions.
## Learning Objectives
- Create and configure an AWS Transit Gateway.
- Implement Transit Gateway Attachments for multiple VPCs.
- Configure VPC Route Tables to direct traffic through the TGW hub.
- Validate connectivity between private subnets using the AWS CLI or Console.
## Architecture Overview
## Step-by-Step Instructions
### Step 1: Create the Transit Gateway
The Transit Gateway acts as the central router for your VPCs.

```bash
aws ec2 create-transit-gateway \
  --description "Hub-Gateway-Lab" \
  --options AmazonSideAsn=64512,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable
```

`AutoAcceptSharedAttachments=enable` means that if the TGW is later shared with other accounts through AWS RAM, their attachment requests are accepted without review. That is convenient for a single-account lab, but a production hub normally leaves it disabled so that every cross-account attachment is approved explicitly.

<details>
<summary>Console Alternative</summary>

- Navigate to VPC Console > Transit Gateways.
- Click Create Transit Gateway.
- Name Tag: `brainybee-tgw`.
- Amazon Side ASN: `64512`.
- Keep Default route table association/propagation checked.
- Click Create Transit Gateway.

</details>
### Step 2: Attach VPC-A to the Transit Gateway
You must create an attachment for each VPC. Replace `<TGW_ID>`, `<VPC_A_ID>`, and the `<SUBNET_ID_n>` placeholders with your actual values.

```bash
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id <TGW_ID> \
  --vpc-id <VPC_A_ID> \
  --subnet-ids <SUBNET_ID_1> <SUBNET_ID_2>
```

> [!TIP]
> In a production environment, you should select subnets in at least two Availability Zones for high availability.
### Step 3: Attach VPC-B to the Transit Gateway
Repeat the process for the second spoke VPC.
```bash
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id <TGW_ID> \
  --vpc-id <VPC_B_ID> \
  --subnet-ids <SUBNET_ID_3> <SUBNET_ID_4>
```

<details>
<summary>Console Alternative (Steps 2-3)</summary>

- Go to Transit Gateway Attachments > Create Transit Gateway Attachment.
- Transit Gateway ID: Select your TGW.
- Attachment Type: VPC.
- VPC ID: Select `VPC-A`.
- Subnets: Select your private subnets.
- Repeat for `VPC-B`.

</details>
### Step 4: Update VPC Route Tables
The TGW route table handles forwarding between attachments, but each VPC's own route table must still send traffic destined for the other VPC to the TGW; without both halves, packets never leave the source VPC.
For VPC-A (Route to `10.1.0.0/16`):

```bash
aws ec2 create-route \
  --route-table-id <VPC_A_RTB_ID> \
  --destination-cidr-block 10.1.0.0/16 \
  --transit-gateway-id <TGW_ID>
```

For VPC-B (Route to `10.0.0.0/16`):

```bash
aws ec2 create-route \
  --route-table-id <VPC_B_RTB_ID> \
  --destination-cidr-block 10.0.0.0/16 \
  --transit-gateway-id <TGW_ID>
```

## Checkpoints
- Attachment State: Run `aws ec2 describe-transit-gateway-vpc-attachments`. Verify both attachments are in the `available` state.
- TGW Route Table: View the default TGW route table in the console. You should see both VPC CIDRs (`10.0.0.0/16` and `10.1.0.0/16`) as propagated routes.
- Connectivity Test: Launch a micro EC2 instance in VPC-A and another in VPC-B. Use VPC Reachability Analyzer to test a path between their private IPs over port 22 (SSH).
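The three checkpoints above (and the Step 4 route requirement) can be checked mechanically instead of by eye. The script below is an added example, not part of the lab material: it runs over constructed JSON in the shape returned by `describe-transit-gateway-vpc-attachments`, `search-transit-gateway-routes` and `describe-route-tables`, and reports every attachment that is not `available`, every spoke CIDR not propagated into the TGW route table, and every spoke route table lacking a route to the other spoke via the TGW. All resource IDs (`tgw-0hub`, `vpc-0aaa`, `rtb-0bbb`, ...) are placeholders, and the sample data is deliberately seeded with one failure of each kind.

```python
"""Offline validator for the lab checkpoints (added example; sample data is constructed)."""
import json

# Constructed CLI output; IDs are placeholders, not real resources. VPC-B's attachment
# is still pending, its CIDR is not yet propagated, and its route table lacks the TGW route.
ATTACHMENTS = json.loads("""{"TransitGatewayVpcAttachments": [
 {"TransitGatewayAttachmentId": "tgw-attach-0aaa", "VpcId": "vpc-0aaa", "State": "available"},
 {"TransitGatewayAttachmentId": "tgw-attach-0bbb", "VpcId": "vpc-0bbb", "State": "pendingAcceptance"}]}""")
TGW_ROUTES = json.loads("""{"Routes": [
 {"DestinationCidrBlock": "10.0.0.0/16", "Type": "propagated", "State": "active"}]}""")
VPC_RTBS = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-0aaa", "VpcId": "vpc-0aaa", "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
   {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": "tgw-0hub"}]},
 {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0bbb", "Routes": [
   {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]}]}""")

SPOKES = {"vpc-0aaa": "10.0.0.0/16", "vpc-0bbb": "10.1.0.0/16"}  # lab's spoke VPCs and CIDRs
TGW_ID = "tgw-0hub"

def check_attachments(attachments, spokes):
    """Checkpoint 1: one finding per spoke whose attachment is missing or not 'available'."""
    state = {a["VpcId"]: a["State"] for a in attachments["TransitGatewayVpcAttachments"]}
    return [f"{vpc}: attachment state is {state.get(vpc, 'missing')}"
            for vpc in spokes if state.get(vpc) != "available"]

def check_propagation(tgw_routes, spokes):
    """Checkpoint 2: every spoke CIDR must be an active propagated route on the TGW table."""
    active = {r["DestinationCidrBlock"] for r in tgw_routes["Routes"]
              if r["Type"] == "propagated" and r["State"] == "active"}
    return [f"{cidr}: not propagated to TGW route table"
            for cidr in spokes.values() if cidr not in active]

def check_vpc_routes(route_tables, spokes, tgw_id):
    """Step 4: each spoke's route table needs a route to every other spoke CIDR via the TGW."""
    findings = []
    for rtb in route_tables["RouteTables"]:
        via_tgw = {r["DestinationCidrBlock"] for r in rtb["Routes"]
                   if r.get("TransitGatewayId") == tgw_id}
        for vpc, cidr in spokes.items():
            if vpc != rtb["VpcId"] and cidr not in via_tgw:
                findings.append(f"{rtb['RouteTableId']}: missing route {cidr} -> {tgw_id}")
    return findings

def run_checkpoints(attachments, tgw_routes, route_tables, spokes, tgw_id):
    """Return all findings; an empty list means the lab's checkpoints pass."""
    return (check_attachments(attachments, spokes) + check_propagation(tgw_routes, spokes)
            + check_vpc_routes(route_tables, spokes, tgw_id))

if __name__ == "__main__":
    for finding in run_checkpoints(ATTACHMENTS, TGW_ROUTES, VPC_RTBS, SPOKES, TGW_ID):
        print("FAIL", finding)
```

To run it against a live account, replace the three constants with the output of the corresponding `aws ec2 ... --output json` commands (for the TGW routes, use `search-transit-gateway-routes` with `--filters Name=type,Values=propagated`).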
## Clean-Up / Teardown
> [!WARNING]
> Transit Gateways incur an hourly charge per attachment. Delete these resources immediately after finishing the lab.
- Delete Attachments:

  ```bash
  aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACH_A_ID>
  aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id <ATTACH_B_ID>
  ```

- Wait until attachments are fully deleted (status: `deleted`).
- Delete Transit Gateway:

  ```bash
  aws ec2 delete-transit-gateway --transit-gateway-id <TGW_ID>
  ```
## Troubleshooting
| Problem | Common Cause | Fix |
|---|---|---|
| Traffic not flowing | Missing VPC routes | Check that both VPC route tables have a route to the remote CIDR via TGW. |
| Pings failing | Security Group (SG) rules | Ensure SGs on target instances allow ICMP or TCP/UDP from the source VPC CIDR. |
| Attachment stuck | Pending acceptance | If using multi-account, ensure the resource share is accepted via AWS RAM. |
## Stretch Challenge
Inter-Region Peering:
- Create a second Transit Gateway in a different AWS Region (e.g., `us-west-2`).
- Establish a Transit Gateway Peering Attachment between the two TGWs.
- Add a static route in your TGW route tables to point to the peered TGW for the remote region's CIDR ranges.
## Cost Estimate
| Service component | Price (Estimated) | Note |
|---|---|---|
| Transit Gateway | $0.05 / hour | Per TGW in us-east-1 |
| TGW Attachments | $0.05 / hour / attachment | For 2 VPCs = $0.10/hr |
| Data Processing | $0.02 / GB | Only charged for traffic sent through TGW |
| Total for 1 Hour | ~$0.15 | Plus standard EC2 costs if applicable |
## Concept Review
| Feature | VPC Peering | Transit Gateway | PrivateLink |
|---|---|---|---|
| Topology | Mesh (Point-to-Point) | Hub-and-Spoke | One-to-Many (Service) |
| Transitive | No | Yes | No |
| Management | Hard at scale | Easy to scale | Managed Service |
| Overlapping IPs | Not supported | Managed via NAT/TGW routes | Supported (Interface Endpoints) |
> [!NOTE]
> Transit Gateway is the preferred choice for connecting hundreds of VPCs or integrating SD-WAN/VPN connections into a central hub.