Transit Gateway data encryption

Question

Hi, can anybody tell me if and how data is protected while it passes through a Transit Gateway? Consider following setup:

A <-----> TGW <-----> B
   IPSec  ???  IPSec

Traffic is encrypted between A and TGW and between TGW and B, but what about "within" TGW? Pointers to any documentation about what happens there highly appreciated...

Thanks,

Marc

Accepted Answer

There's some detail missing here - how are the IPSEC tunnels being created? Are A and B instances or sites?

If I assume that you're using the AWS VPN service and that A and B are sites: The traffic within Transit Gateway is **not** encrypted. Think of Transit Gateway as a cloud-scale router. If you had a router that terminated two IPSEC tunnels and routed between them the traffic on the router is not encrypted as it passes through that device. That's because the router must decrypt the packet from (say) A, determine the appropriate destination (B in this case) and then encrypt it again before sending it onto B.

In general, there are many places in every network where (at least) the IP (and perhaps TCP) headers of a packet need to be visible in order to route the packet(s) correctly. For the payload to remain encrypted at that point requires application-layer security such as TLS. It's the only way to achieve end-to-end encryption between two hosts.

Transit Gateway data encryption

Relevant questions

AWS Transit Gateway monitoring with Cloudwatch

Transit Gateway data encryption

AWS Transit Gateway attachment pricing

Data Transfer OUT Charges Through TGW in Another Account

Transit Gateway to AWS Instance Encryption

Modify Transit Gateway Properties After Creation

Transit Gateway to Direct Connect Gateway to Transit Gateway

AWS Transit Gateway peering encryption

AWS Transit Gateway through BGP propagation and routing behavior

Migration from Transit VPC to AWS Transit Gateway