
Week 4 - Day 2: Transit Gateway Deep Dive


Learning objectives

  • Understand the architecture and components of Transit Gateway
  • Master routing concepts and route tables
  • Know how to implement network segmentation

1. Transit Gateway Overview

Definition

AWS Transit Gateway is a regional network transit hub that connects:

  • VPCs (same or different accounts)
  • VPN connections
  • AWS Direct Connect gateways
  • Transit Gateway peering (cross-region)

Architecture

Transit Gateway (regional hub)
  • Route tables: Default RT, Prod RT
  • Attachments: VPC1, VPC2, VPC3, VPN, DX

2. Attachments

Types of Attachments

1. VPC Attachment
   - Connect VPC to Transit Gateway
   - Creates ENI in specified subnets
   - One attachment per VPC

2. VPN Attachment
   - Site-to-Site VPN connection
   - Up to 1.25 Gbps per tunnel
   - ECMP for higher bandwidth

3. Direct Connect Gateway Attachment
   - Connect to Direct Connect
   - Transit VIF required

4. Transit Gateway Peering Attachment
   - Connect Transit Gateways cross-region
   - Static routing only

5. Connect Attachment (GRE/SD-WAN)
   - Third-party appliances
   - Up to 5 Gbps per Connect peer

VPC Attachment Details

VPC
  • Subnet AZ-a: TGW ENI 10.0.1.10
  • Subnet AZ-b: TGW ENI 10.0.2.10
  • VPC Route Table: 0.0.0.0/0 -> tgw-xxxxx (Transit Gateway)

Best Practice: Create a TGW attachment subnet in each AZ

3. Route Tables

Default vs Custom Route Tables

Transit Gateway Route Tables:

Default Route Table (Auto-created)
   - All attachments associated by default
   - All attachments propagate routes by default
   - Full mesh connectivity

   Routes:
     CIDR             Attachment
     10.0.0.0/16      vpc-prod (propagated)
     10.1.0.0/16      vpc-dev (propagated)
     192.168.0.0/16   vpn-onprem (propagated)

Custom Route Table (Segmentation)
   - Manually create and configure
   - Choose which attachments associate
   - Choose which routes propagate
   - Enable network isolation

Route Types

Type         Description
Static       Manually added, highest priority
Propagated   Automatically learned from attachments
Blackhole    Drop traffic matching this route

4. Network Segmentation

Isolation Pattern

Requirement: Production cannot talk to Development

Transit Gateway
   Prod Route Table
     Associated:   VPC-Prod, VPC-Shared
     Propagations: VPC-Prod, VPC-Shared (NOT VPC-Dev)
   Dev Route Table
     Associated:   VPC-Dev, VPC-Shared
     Propagations: VPC-Dev, VPC-Shared (NOT VPC-Prod)

Attachments:
   VPC-Prod   -> associate to Prod route table
   VPC-Dev    -> associate to Dev route table
   VPC-Shared -> associate to BOTH route tables

Result:
   - Prod <-> Shared: reachable
   - Dev <-> Shared: reachable
   - Prod <-> Dev: blocked (isolated)
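The route precedence rules from section 3 (longest prefix first, static over propagated, blackhole drops) and the isolation pattern above, as an added Python model that is not part of the lesson and does not call the AWS API. AWS allows exactly one route-table association per attachment, so rather than associating VPC-Shared with both tables the model gives it its own table fed by propagations from Prod and Dev, which produces the same reachability result; the attachment names and the 10.2.0.0/16 shared CIDR are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    cidr: str
    attachment: "str | None"  # None models a blackhole route: matching traffic is dropped
    kind: str                 # "static" or "propagated"

class TgwRouteTable:
    def __init__(self):
        self.routes = []

    def add_static(self, cidr, attachment=None):
        self.routes.append(Route(cidr, attachment, "static"))

    def propagate(self, attachment, cidr):
        self.routes.append(Route(cidr, attachment, "propagated"))

    def lookup(self, dst):
        """Longest-prefix match; on equal prefix length a static route wins over a propagated one."""
        ip, best = ip_address(dst), None
        for r in self.routes:
            net = ip_network(r.cidr)
            if ip in net and (best is None or net.prefixlen > best[0]
                              or (net.prefixlen == best[0] and r.kind == "static")):
                best = (net.prefixlen, r)
        return best[1] if best else None

class TransitGateway:
    def __init__(self, association):
        self.association = association  # attachment -> the ONE route table its ingress traffic uses

    def forward(self, src_attachment, dst):
        """Egress attachment for a packet arriving from src_attachment, or BLACKHOLE / NO_ROUTE."""
        route = self.association[src_attachment].lookup(dst)
        return "NO_ROUTE" if route is None else (route.attachment or "BLACKHOLE")

def build_segmented_tgw():
    # Prod/Dev CIDRs are from the lesson; the shared CIDR and attachment names are constructed.
    cidrs = {"vpc-prod": "10.0.0.0/16", "vpc-dev": "10.1.0.0/16", "vpc-shared": "10.2.0.0/16"}
    tables = {name: TgwRouteTable() for name in ("prod", "dev", "shared")}
    tgw = TransitGateway({"vpc-prod": tables["prod"], "vpc-dev": tables["dev"], "vpc-shared": tables["shared"]})
    for table, members in (("prod", ("vpc-prod", "vpc-shared")), ("dev", ("vpc-dev", "vpc-shared")),
                           ("shared", tuple(cidrs))):
        for att in members:
            tables[table].propagate(att, cidrs[att])
    # Static blackhole for the Dev CIDR in Prod: wins over any later accidental propagation of vpc-dev.
    tables["prod"].add_static(cidrs["vpc-dev"])
    return tgw
```

The static blackhole is the defensive detail worth copying: if someone later propagates vpc-dev into the Prod table by mistake, the explicit static route of the same length still drops the traffic.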

Shared Services Pattern

Shared Services VPC
   - Active Directory
   - CI/CD tools
   - Monitoring
   - DNS (Route 53 Resolver)

Shared Services VPC -> TGW Attachment -> Transit Gateway -> Prod VPCs / Dev VPCs / Test VPCs

5. Hybrid Connectivity

VPN with Transit Gateway

On-Premises Data Center
   -> Customer Gateway (192.168.1.1)
   -> IPsec VPN Tunnels (2 tunnels for HA)
   -> Transit Gateway VPN Attachment (Site-to-Site VPN)
   -> Routing to all connected VPCs

ECMP for Higher VPN Bandwidth

Without ECMP: 1.25 Gbps (single tunnel)

With ECMP (Equal-Cost Multi-Path):
   On-Premises Router -> VPN1 (1.25 Gbps) -> Transit Gateway
   On-Premises Router -> VPN2 (1.25 Gbps) -> Transit Gateway
   ECMP: 2.5 Gbps
   Can scale up to 50 Gbps with multiple VPNs

6. Transit Gateway Peering

Cross-Region Peering

Region ap-southeast-1: Transit Gateway A (VPC1, VPC2, VPC3)
        <-- Transit Gateway Peering (Cross-Region) -->
Region us-east-1: Transit Gateway B (VPC4, VPC5, VPC6)

Note: Static routes only (no BGP propagation across peering)

7. Costs

Pricing Model

Component         Cost (varies by region)
Attachment        ~$0.05/hour
Data processed    ~$0.02/GB
VPN Attachment    Standard VPN pricing
Peering data      Standard data transfer

Cost Optimization

1. Consolidate VPCs where possible
   - Fewer attachments = lower cost

2. Use VPC Peering for high-bandwidth pairs
   - No per-GB charge

3. Monitor data transfer
   - CloudWatch metrics for TGW

8. Review questions

  1. What are the Transit Gateway attachment types?

     Answer: VPC attachment, VPN attachment (Site-to-Site VPN), Direct Connect Gateway attachment, Transit Gateway Peering (cross-region), Connect attachment (SD-WAN via GRE tunnel), Peering attachment (cross-account TGW peering). Each attachment can be associated with its own route table in the TGW to control routing. All connections are routed through the TGW; no direct connections between them are needed.

  2. How do you isolate Prod and Dev traffic?

     Answer: Multiple route tables in the TGW: create a "Prod route table" and a "Dev route table". Prod VPC attachments associate with the Prod route table; Dev VPC attachments associate with the Dev route table. The Prod route table has no routes to Dev VPCs, so Prod cannot reach Dev. The Dev route table can include Shared Services routes (logging, CI/CD) but no Prod routes. Elegant network segmentation without a separate TGW.

  3. How does ECMP help VPN bandwidth?

     Answer: Equal-Cost Multi-Path routing with TGW allows traffic to be load-balanced across multiple VPN tunnels or connections at the same time. Each Site-to-Site VPN has 2 tunnels, each ~1.25 Gbps. With ECMP on the TGW, multiple VPN connections along the same path give aggregate bandwidth. Example: 4 VPN connections × 2 tunnels × 1.25 Gbps = ~10 Gbps effective bandwidth. BGP with route propagation is required for ECMP to work.

  4. Does Transit Gateway Peering support BGP?

     Answer: No. TGW Peering (cross-region TGW to TGW) uses static routes, not BGP. Static routes for cross-region prefixes must be added manually in the TGW route tables. This differs from VPN attachments and DX attachments (which support BGP). TGW Peering is a Layer 3 connection, with the bandwidth limits and latency of cross-region connectivity. Suited to global architectures that need inter-region connectivity.

  5. How is Transit Gateway cost calculated?

     Answer: Two components: (1) Attachment fee ($0.05/hour per attachment): each VPC, VPN, or DX connection attached to the TGW is charged per hour; (2) Data processing fee ($0.02/GB): charged for each GB passing through the TGW. Compared with VPC Peering: no attachment fee, no processing fee, only cross-AZ data transfer. TGW is more expensive but scalable. Cost planning: with 20 VPCs: 20 × $0.05 × 730h ≈ $730/month in attachment fees alone.

9. Practice exercises

  • Create Transit Gateway
  • Attach 2 VPCs
  • Configure route tables for segmentation
  • Setup VPN attachment (optional)

Next day: Direct Connect