Yes, you can only select one subnet per AZ, but all subnets in that Availability Zone can send traffic to the transit gateway.
Thanks Matt! Please correct me if I understand this right. Since I have 6 subnets, I should create two separate attachments for both Private and Public to send traffic to the transit gateway?
No, you only need one attachment, and in that attachment you're selecting one subnet per AZ (either private or public); the connectivity to that single subnet will establish connectivity to both the private and the public subnet in the same AZ.
For instance, if you had all 6 subnets in the same AZ (say 1a), then you would only be able to select one subnet out of the 6, and you would be establishing connectivity to all 6 subnets.
In the given instance, there are 3 private subnets located in different Availability Zones (AZs) - specifically AZ 1a, AZ 1b, and AZ 1c. Additionally, there are 3 public subnets also spread across different AZs - AZ 1a, AZ 1b, and AZ 1c.
The question is whether connectivity can be established by creating only one attachment.
Yes, all you're going to need is one attachment. The three subnets you're choosing in the three different AZs are what's going to establish the connectivity.
Best practice is to create a dedicated subnet in each AZ with a /28 CIDR range.
Attach the TGW in each of those subnets. You then configure the routes in your subnets/VPC to route traffic for other CIDRs to the TGW attachment.
As the TGW is attached to 3 private subnets, the traffic arriving via the TGW will then route accordingly via the subnets' route table.
See below from the TGW best practices guidance. It is recommended to create /28 dedicated subnets (1 per AZ) for the TGW attachment. In your case, if you are using a 3 AZ VPC, then you would create 3 x /28 subnets for TGW attachments; this will then allow connectivity to all the rest of the subnets within that VPC.
- Use a separate subnet for each transit gateway VPC attachment. For each subnet, use a small CIDR, for example /28, so that you have more addresses for EC2 resources. When you use a separate subnet, you can configure the following:
  - Keep the inbound and outbound network ACLs associated with the transit gateway subnets open.
  - Depending on your traffic flow, you can apply network ACLs to your workload subnets.
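The layout described in this answer (one dedicated /28 per AZ, a single attachment spanning all three, open NACLs on the TGW subnets, and routes from the workload route tables to the TGW), written out as an added Terraform example that is not part of the re:Post thread. The VPC `aws_vpc.main` (10.0.0.0/16), the transit gateway `aws_ec2_transit_gateway.hub`, the route tables `aws_route_table.private`/`public`, the AZ names and the remote CIDR 10.1.0.0/16 are constructed assumptions.

```hcl
# Added example, not from the thread. Assumed (constructed): aws_vpc.main 10.0.0.0/16, aws_ec2_transit_gateway.hub, aws_route_table.private/public, remote CIDR 10.1.0.0/16.
locals {
  tgw_subnets = { "us-east-1a" = "10.0.255.0/28", "us-east-1b" = "10.0.255.16/28", "us-east-1c" = "10.0.255.32/28" }
}
# One dedicated /28 per AZ, used only for the attachment's network interfaces.
resource "aws_subnet" "tgw" {
  for_each          = local.tgw_subnets
  vpc_id            = aws_vpc.main.id
  availability_zone = each.key
  cidr_block        = each.value
}

# A single attachment with exactly one subnet per AZ; every other subnet in those AZs reaches the TGW through it.
resource "aws_ec2_transit_gateway_vpc_attachment" "main" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = aws_vpc.main.id
  subnet_ids         = [for s in aws_subnet.tgw : s.id]
}

# Open NACL on the TGW subnets, per the best-practice quote; filter on the workload subnets instead.
resource "aws_network_acl" "tgw" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [for s in aws_subnet.tgw : s.id]
  ingress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
  egress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}

# Workload route tables (private and public) send the remote CIDR to the TGW.
resource "aws_route" "to_tgw" {
  for_each               = { private = aws_route_table.private.id, public = aws_route_table.public.id }
  route_table_id         = each.value
  destination_cidr_block = "10.1.0.0/16"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.main]
}
```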
Should I assign a specific route table to the subnet for the transit gateway attachment, or is the route table irrelevant for the transit gateway attachment?