
A central hub that connects all your VPCs, VPN connections, and Direct Connect links in one place — instead of managing dozens of individual connections.
Think of it like a traffic roundabout: everything connects to the center, and the hub handles routing.
Without Transit Gateway, connecting many VPCs and offices gets messy fast:
```text
Without TGW:                          With TGW:

VPC-A ──── VPC-B                      VPC-A ──┐
  |  ╲    ╱  |                        VPC-B ──┤
  |   ╲  ╱   |                        VPC-C ──┼──→ Transit Gateway
  |   ╱  ╲   |                        Office ─┤
  |  ╱    ╲  |                        DX ─────┘
VPC-C ──── Office

(separate peering/VPN per pair)       (one central hub)
```
| Feature | Description |
|---|---|
| Hub-and-Spoke Model | TGW is the hub; VPCs, VPN, and Direct Connect are the spokes |
| Regional Resource | Operates within one AWS region; can peer with TGWs in other regions |
| Cross-Account Sharing | Share one TGW across multiple AWS accounts using Resource Access Manager (RAM) |
| Route Tables | Control which VPCs can communicate with each other |
| IP Multicast | The only AWS service that supports IP Multicast |
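To make the "Route Tables" row concrete, here is a small Python model of how TGW route tables enforce segmentation. It is an added example, not code from the original notes or from AWS; the attachment ids and CIDRs are constructed. It follows the real service's rules: each attachment is associated with exactly one route table, propagation copies an attachment's CIDR into a table, lookups use longest-prefix match, and a blackhole route drops traffic. The result is a hub where spoke VPCs can reach a shared-services VPC but cannot reach each other.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

BLACKHOLE = None  # route target meaning "drop matching traffic" (a TGW static blackhole route)


@dataclass
class RouteTable:
    # entries: (IPv4Network, attachment id or BLACKHOLE); lookups use longest-prefix match
    routes: list = field(default_factory=list)

    def add_route(self, cidr, target):
        self.routes.append((IPv4Network(cidr), target))

    def lookup(self, dst_ip):
        matches = [(net, tgt) for net, tgt in self.routes if IPv4Address(dst_ip) in net]
        if not matches:
            return None  # no matching route: traffic is dropped
        return max(matches, key=lambda m: m[0].prefixlen)[1]


@dataclass
class TransitGateway:
    tables: dict = field(default_factory=dict)       # table name -> RouteTable
    attachments: dict = field(default_factory=dict)  # attachment id -> VPC CIDR
    association: dict = field(default_factory=dict)  # attachment id -> the ONE table it uses

    def attach(self, att_id, cidr, table):
        self.attachments[att_id] = cidr
        self.association[att_id] = table

    def propagate(self, att_id, table):
        # route propagation: the attachment's CIDR shows up in `table` pointing back at it
        self.tables[table].add_route(self.attachments[att_id], att_id)

    def forward(self, src_att, dst_ip):
        # traffic arriving from src_att is evaluated only against src_att's associated table
        return self.tables[self.association[src_att]].lookup(dst_ip)


def build_segmented_hub():
    """Spokes reach the shared-services VPC but never each other (constructed ids and CIDRs)."""
    tgw = TransitGateway(tables={"spokes": RouteTable(), "shared": RouteTable()})
    tgw.attach("vpc-a", "10.1.0.0/16", "spokes")
    tgw.attach("vpc-b", "10.2.0.0/16", "spokes")
    tgw.attach("vpc-shared", "10.0.0.0/16", "shared")
    tgw.propagate("vpc-shared", "spokes")  # spokes learn only the shared VPC
    tgw.propagate("vpc-a", "shared")       # the shared VPC learns every spoke
    tgw.propagate("vpc-b", "shared")
    tgw.tables["spokes"].add_route("10.0.0.0/8", BLACKHOLE)  # explicit spoke-to-spoke deny
    return tgw
```

`build_segmented_hub().forward("vpc-a", "10.2.0.5")` returns `None` (dropped by the blackhole), while `forward("vpc-a", "10.0.0.10")` returns `"vpc-shared"` because the /16 learned by propagation is more specific than the /8 blackhole.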

ECMP (Equal-Cost Multi-Path) lets you run multiple VPN connections in parallel and combine their bandwidth automatically.
Each VPN connection has 2 tunnels. With ECMP, traffic is load-balanced across all tunnels.
Problem: Multiple AWS accounts each need access to your corporate network via Direct Connect — buying a separate connection per account is expensive.
Solution: One Direct Connect connection shared through a Transit Gateway.
```text
Account A VPCs ──┐
Account B VPCs ──┼──→ Transit Gateway ──→ DX Gateway ──→ Direct Connect ──→ Corporate Office
Account C VPCs ──┘
                 (shared via RAM)
```