- Newest
- Most votes
- Most comments
After insisting in the searches, I think I found the answer to my own question: No. According to https://www.aviatrix.com/answers/does-aws-transit-gateway-allow-only-a-single-subnet-to-be-connected/ AWS explicitly states "you can only select one subnet per Availability Zone"..
Sad.. Seems to make it difficult to have a transit VPC with scalable inline appliances...
Not clear on what it is, exactly, that you are trying to do. Are you trying to route all your outbound traffic from multiple VPCs through single VPC? If not, please provide some more detail about the problem you are trying to solve.
Yes. Implement a transit VPC for a large company that requires 3rd party inline appliances for egress (instead of "the open" NAT Gateway). As per proposal of https://aws.amazon.com/answers/networking/controlling-vpc-egress-traffic/ the solution to scale is having multiple subnets so that default route can point to multiple appliances.
So far my conclusions is that with Transit Gateway one has to scale attachments to multiple "transit vpcs"...
For reference found a better solution on NET402 re:invent session. Deploy the inline appliances on separate VPC, but connect those VPCs to TGW with IPSec attachments, so that with ECMP the different "default routes" of each are aggregated and fault tolerant... Not simple, not cheap, but does the job I guess.
Relevant content
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 6 months ago
