
Questions tagged with AWS Transit Gateway



AWS Transit Gateway isolated routing with Shared Services

Hello,

We are working with a client that has the following setup: 1 TGW that has 5 VPC attachments:

- non-prod-a attachment
- non-prod-b attachment
- prod-a attachment
- prod-b attachment
- shared-services attachment

**Requirements:** The client would like to allow only for inter-communication of both the non-prod VPCs, as well as the prod VPCs. Additionally, the client would like for shared-services to be able to reach any of the VPCs.

**My initial approach and the problem:** Initially, my thought was to create 3 isolated routing domains, which were represented by 3 separate TGW route tables. I was unable to achieve this because there is a limitation of only being able to associate 1 attachment with 1 TGW route table. If we were able to make more than one attachment for the same VPC, we could get around this issue, but unfortunately that is not possible.

**Looking for recommendations on the best way to address the above requirements.**

The only other option I can think of to accomplish these requirements is to use 1 TGW route table, associate all of the attachments with it, and then ultimately use NACLs in the individual VPCs to restrict traffic. To me, this seems like a pain to maintain, so I wanted to see if there are any other ways to address this problem.

----------

**More information on what I've already tried**

My initial idea was to have 3 TGW route tables (one for each "routing domain"):

- non-prod (associated with the non-prod-* attachments)
- prod (associated with the prod-* attachments)
- shared (associated with all attachments)

The problem with this approach is the **shared** TGW route table because, as I mentioned above, you can't associate an attachment with more than one route table. In essence this is a "flat" routing architecture rather than an isolated one, and it directly contradicts what I'm trying to do, causing this problem.

Thanks in advance!
1 answer | 0 votes | 1 view
Chris_S, asked 2 years ago
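The following is an added illustration, not part of the question above or of any answer on this page. It models the two Transit Gateway route-table mechanisms that matter for the design discussed in the question: an attachment is *associated* with exactly one TGW route table (the table used to look up traffic arriving from that attachment), while an attachment's routes can be *propagated* into any number of route tables. The model enforces the one-association rule the poster ran into, then checks pairwise reachability, counting a pair as connected only when both the forward and the return route exist. The attachment names match the question; the `TransitGateway`, `RouteTable` and `build_*` names are this example's own, and the table layouts are constructed for it.

```python
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    """One TGW route table: the attachments it serves and the routes it holds."""
    name: str
    associations: set = field(default_factory=set)  # attachments whose inbound traffic is looked up here
    propagations: set = field(default_factory=set)  # attachments whose CIDRs are propagated into this table


class TransitGateway:
    """Minimal model of TGW route-table semantics (example, not an AWS API)."""

    def __init__(self):
        self.tables = {}

    def add_table(self, name, associations, propagations):
        # Enforce the constraint the post describes: an attachment can be
        # associated with exactly one TGW route table. Propagation has no such limit.
        for att in associations:
            owner = self.associated_table(att)
            if owner is not None:
                raise ValueError(f"{att} is already associated with route table {owner.name}")
        self.tables[name] = RouteTable(name, set(associations), set(propagations))

    def associated_table(self, attachment):
        for table in self.tables.values():
            if attachment in table.associations:
                return table
        return None

    def can_reach(self, src, dst):
        """True only if src's table has a route to dst AND dst's table has a
        route back to src; a one-way route black-holes the replies."""
        if src == dst:
            return True
        src_table = self.associated_table(src)
        dst_table = self.associated_table(dst)
        if src_table is None or dst_table is None:
            return False
        return dst in src_table.propagations and src in dst_table.propagations

    def reachability(self, attachments):
        return {a: sorted(b for b in attachments if b != a and self.can_reach(a, b))
                for a in attachments}


ATTACHMENTS = ["non-prod-a", "non-prod-b", "prod-a", "prod-b", "shared-services"]


def build_posters_attempt():
    """The three-table layout from the post, with every attachment also
    associated with 'shared': it violates the one-association rule."""
    tgw = TransitGateway()
    tgw.add_table("non-prod", {"non-prod-a", "non-prod-b"}, {"non-prod-a", "non-prod-b"})
    tgw.add_table("prod", {"prod-a", "prod-b"}, {"prod-a", "prod-b"})
    tgw.add_table("shared", set(ATTACHMENTS), set(ATTACHMENTS))  # raises ValueError
    return tgw


def build_isolated_with_shared_services():
    """Same three routing domains, but shared-services is *associated* only
    with its own table and *propagated* into the prod and non-prod tables."""
    tgw = TransitGateway()
    tgw.add_table("non-prod", {"non-prod-a", "non-prod-b"},
                  {"non-prod-a", "non-prod-b", "shared-services"})
    tgw.add_table("prod", {"prod-a", "prod-b"},
                  {"prod-a", "prod-b", "shared-services"})
    tgw.add_table("shared", {"shared-services"}, set(ATTACHMENTS))
    return tgw


if __name__ == "__main__":
    try:
        build_posters_attempt()
    except ValueError as exc:
        print("posted layout rejected:", exc)
    for src, dsts in build_isolated_with_shared_services().reachability(ATTACHMENTS).items():
        print(f"{src:16} -> {', '.join(dsts)}")
```

The point the model makes is that the isolation boundary is set by which routes each table holds, not by how many tables an attachment is associated with: the prod and non-prod tables never learn each other's prefixes, so those domains stay separated at the TGW without per-VPC NACLs, while the shared table learns everything. In a real deployment the propagated routes could equally be static routes; the reachability check is the same.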

Data Transfer OUT Charges Through TGW in Another Account

Who is responsible for data transfer OUT charges when the transfer is originated by a VPC in one account, and that data passes through a Transit Gateway in another account on its way out through a Direct Connect (DX and TGW owned by the same account)?

***Details***

With the recent announcement on Direct Connect granular cost allocation (https://aws.amazon.com/about-aws/whats-new/2019/10/aws-direct-connect-aws-direct-connect-announces-the-support-for-granular-cost-allocation-and-removal-of-payer-id-restriction-for-direct-connect-gateway-association/), it is stated that we now "allocate Data Transfer Out charges to the AWS account responsible for the Data Transfer."

I have a customer who acts as a transport service provider, and they own multiple DX connections that they plan to connect to Transit Gateways via a Transit VIF and DX-GW. The customers of my customer have VPCs in separate accounts that will be connected to my customer's TGW. With my customer owning the TGW, I am unclear on whether the cost allocation per the above announcement will consider the owner of the TGW responsible for the data transfer OUT, or whether that responsibility will be attributed to the owner of the VPC that originated the transfer.

Also, if traffic routes through a firewall or IPS in a Transit VPC owned by the DX and TGW owner on the way out of AWS, will that change the consideration of cost allocation?
1 answer | 0 votes | 5 views
AWS-User-5964206, asked 2 years ago