

# Transit gateways in AWS Transit Gateway

A transit gateway enables you to attach VPCs and VPN connections and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS RAM to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.

You can enable multicast on a transit gateway, and then create a transit gateway multicast domain that allows multicast traffic to be sent from your multicast source to multicast group members over VPC attachments that you associate with the domain.

Each VPC or VPN attachment is associated with a single route table. That route table decides the next hop for traffic coming from that resource attachment. A route table inside the transit gateway allows both IPv4 and IPv6 CIDRs and targets. The targets are VPCs and VPN connections. When you attach a VPC or create a VPN connection on a transit gateway, the attachment is associated with the default route table of the transit gateway.

You can create additional route tables inside the transit gateway, and change the VPC or VPN association to these route tables. This enables you to segment your network. For example, you can associate development VPCs with one route table and production VPCs with a different route table. This lets you create isolated networks inside a transit gateway, similar to virtual routing and forwarding (VRF) in traditional networks.

Transit gateways support dynamic and static routing between attached VPCs and VPN connections. You can enable or disable route propagation for each attachment. VPN Concentrator attachments support BGP (dynamic) routing only. Transit gateway peering attachments support static routing only. You can point routes in transit gateway route tables to the peering attachment for routing traffic between the peered transit gateways.

You can optionally associate one or more IPv4 or IPv6 CIDR blocks with your transit gateway. You specify an IP address from the CIDR block when you establish a Transit Gateway Connect peer for a [Transit Gateway Connect attachment](tgw-connect.md). You can associate any public or private IP address range, except for addresses in the `169.254.0.0/16` range, and ranges that overlap with addresses for your VPC attachments and on-premises networks. For more information about IPv4 and IPv6 CIDR blocks, see [IP addressing](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html) in the *Amazon VPC User Guide*.

**Topics**
+ [Create a transit gateway](create-tgw.md)
+ [View a transit gateway](view-tgws.md)
+ [Manage transit gateway tags](tgw-tagging.md)
+ [Modify a transit gateway](tgw-modifying.md)
+ [Accept a resource share](share-accept-tgw.md)
+ [Accept a shared attachment](acccept-tgw-attach.md)
+ [Delete a transit gateway](delete-tgw.md)
+ [Encryption Support](tgw-encryption-support.md)

# Create a transit gateway in AWS Transit Gateway

When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table. If you choose not to create the default transit gateway route table, you can create one later on. For more information about routes and route tables, see [Routing](how-transit-gateways-work.md#tgw-routing-overview).

**Note**  
You can't enable Encryption Support while you are creating a transit gateway. After you create the transit gateway and it is in the available state, you can modify it to enable Encryption Support. For more information, see [Encryption Support for AWS Transit Gateway](tgw-encryption-support.md).

**To create a transit gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateways**.

1. Choose **Create transit gateway**.

1. For **Name tag**, optionally enter a name for the transit gateway. A name tag can make it easier to identify a specific gateway from the list of gateways. When you add a **Name tag**, a tag is created with a key of **Name** and with a value equal to the value you enter.

1. For **Description**, optionally enter a description for the transit gateway.

1. For **Amazon side Autonomous System Number (ASN)**, either leave the default value to use the default ASN or enter the private ASN for your transit gateway. This should be the ASN for the AWS side of a Border Gateway Protocol (BGP) session.

   The range is 64512 to 65534 for 16-bit ASNs.

   The range is 4200000000 to 4294967294 for 32-bit ASNs.

   If you have a multi-Region deployment, we recommend that you use a unique ASN for each of your transit gateways.

1. For **DNS support**, select this option if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway.

1. For **Security Group Referencing support**, enable this feature to reference a security group across VPCs attached to a transit gateway. For more information about security group referencing see [Security group referencing](tgw-vpc-attachments.md#vpc-attachment-security).

1. For **VPN ECMP support**, select this option if you need Equal Cost Multipath (ECMP) routing support between VPN tunnels. If connections advertise the same CIDRs, the traffic is distributed equally between them.

   When you select this option, the advertised BGP ASN and the BGP attributes such as the AS-path must be the same for each connection.

   **Note**  
   To use ECMP, you must create a VPN connection that uses dynamic routing. VPN connections that use static routing do not support ECMP.

1. For **Default route table association**, select this option to automatically associate transit gateway attachments with the default route table for the transit gateway.

1. For **Default route table propagation**, select this option to automatically propagate transit gateway attachments to the default route table for the transit gateway.

1. (Optional) To use the transit gateway as a router for multicast traffic, select **Multicast support**.

1. (Optional) In the **Configure cross-account sharing options** section, choose whether to **Auto accept shared attachments**. If you select this option, cross-account attachments are accepted automatically. Otherwise, you must accept or reject each attachment request.

1. (Optional) For **Transit gateway CIDR blocks**, specify one or more IPv4 or IPv6 CIDR blocks for your transit gateway.

   You can specify a size /24 CIDR block or larger (for example, /23 or /22) for IPv4, or a size /64 CIDR block or larger (for example, /63 or /62) for IPv6. You can associate any public or private IP address range, except for addresses in the `169.254.0.0/16` range, and ranges that overlap with the addresses for your VPC attachments and on-premises networks.

   **Note**  
   Transit gateway CIDR blocks are used when you configure Connect (GRE) attachments or Private IP VPNs. Transit Gateway assigns the IP addresses for the tunnel endpoints (GRE or Private IP VPN) from this range.

1. Choose **Create transit gateway**.

**To create a transit gateway using the AWS CLI**  
Use the [create-transit-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-transit-gateway.html) command.
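
An added example, not code from the AWS documentation: a POSIX shell script that checks the ASN range and CIDR-block rules from the steps above and then prints (never runs) the equivalent `create-transit-gateway` call, using the option names the CLI documents. The name `prod-tgw` and the CIDR `10.100.0.0/24` are constructed values.

```shell
# Added example, not code from the AWS documentation: checks the ASN and CIDR
# rules given in the console steps above, then prints (never runs) the matching
# create-transit-gateway call. Assumes POSIX sh and the documented --options keys.

# 0 if $1 is a private ASN in the 16-bit (64512-65534) or 32-bit (4200000000-4294967294) range.
valid_tgw_asn() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  { [ "$1" -ge 64512 ] && [ "$1" -le 65534 ]; } ||
  { [ "$1" -ge 4200000000 ] && [ "$1" -le 4294967294 ]; }
}

# Dotted-quad IPv4 address to a 32-bit integer; the subshell keeps the IFS change local.
ip4_to_int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 0 if $1 is usable as a transit gateway CIDR block: IPv4 /24 or larger that
# does not overlap link-local 169.254.0.0/16, or IPv6 /64 or larger. Overlap
# with VPC attachments and on-premises ranges cannot be checked offline.
valid_tgw_cidr() {
  addr=${1%/*}; plen=${1##*/}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  case "$addr" in
    *:*) [ "$plen" -le 64 ] ;;
    *)   [ "$plen" -le 24 ] || return 1
         net=$(ip4_to_int "$addr"); ll=$(ip4_to_int 169.254.0.0)
         m=$plen; [ "$m" -gt 16 ] && m=16   # compare under the shorter prefix
         mask=$(( (0xFFFFFFFF << (32 - m)) & 0xFFFFFFFF ))
         [ $(( net & mask )) -ne $(( ll & mask )) ] ;;
  esac
}

# Prints the create call. Auto-accept stays disabled so cross-account attachment
# requests are reviewed before another account's VPC joins your network.
build_create_tgw_cmd() {   # args: name asn cidr
  valid_tgw_asn "$2"  || { echo "ASN out of range: $2" >&2; return 1; }
  valid_tgw_cidr "$3" || { echo "unusable CIDR block: $3" >&2; return 1; }
  cat <<EOF
aws ec2 create-transit-gateway --description "$1" \\
  --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=$1}]' \\
  --options '{"AmazonSideAsn": $2, "AutoAcceptSharedAttachments": "disable",
              "DefaultRouteTableAssociation": "enable", "DefaultRouteTablePropagation": "enable",
              "VpnEcmpSupport": "enable", "DnsSupport": "enable", "MulticastSupport": "disable",
              "TransitGatewayCidrBlocks": ["$3"]}'
EOF
}

build_create_tgw_cmd prod-tgw 64512 10.100.0.0/24
```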

# View transit gateway information in AWS Transit Gateway

View any of your transit gateways.

**To view a transit gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateways**. Details for the transit gateway are displayed below the list of gateways on the page.

**To view a transit gateway using the AWS CLI**  
Use the [describe-transit-gateways](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-transit-gateways.html) command.

# Manage transit gateway tags in AWS Transit Gateway

Add tags to your resources to help organize and identify them, such as by purpose, owner, or environment. You can add multiple tags to each transit gateway. Tag keys must be unique for each transit gateway. If you add a tag with a key that is already associated with the transit gateway, it updates the value of that tag. For more information, see [Tagging your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

**Add tags to a transit gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateways**.

1. Choose the transit gateway that you want to add or edit tags for.

1. Choose the **Tags** tab in the lower part of the page.

1. Choose **Manage tags**.

1. Choose **Add new tag**.

1. Enter a **Key** and **Value** for the tag.

1. Choose **Save**.

# Modify a transit gateway in AWS Transit Gateway

You can modify the configuration options for a transit gateway. When you modify a transit gateway, any existing transit gateway attachments don't experience any service interruptions.

You cannot modify a transit gateway that has been shared with you.

You cannot remove a CIDR block for the transit gateway if any of the IP addresses are currently used for a [Connect peer](tgw-connect.md).

**Note**  
Transit gateways that have Encryption Support enabled can be attached to VPCs with Encryption Controls in Monitor or Enforce mode, or to VPCs that don't have Encryption Controls enabled. VPCs that have Encryption Controls in Enforce mode can only be attached to transit gateways that have Encryption Support enabled.  
For more detailed information, see [Encryption Support for AWS Transit Gateway](tgw-encryption-support.md).

**To modify a transit gateway**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateways**.

1. Choose the transit gateway to modify.

1. Choose **Actions**, **Modify transit gateway**.

1. Modify the options as needed, and choose **Modify transit gateway**. 

**To modify your transit gateway using the AWS CLI**  
Use the [modify-transit-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-transit-gateway.html) command.

# Accept an AWS Transit Gateway resource share using the AWS Resource Access Manager console

If you were added to a resource share, you receive an invitation to join the resource share. You must accept the resource share through the AWS Resource Access Manager (AWS RAM) console before you can access the shared resources.

**To accept a resource share**

1. Open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the navigation pane, choose **Shared with me**, **Resource shares**.

1. Select the resource share.

1. Choose **Accept resource share**.

1. To view the shared transit gateway, open the **Transit Gateways** page in the Amazon VPC console.

# Accept a shared attachment in AWS Transit Gateway

If you didn't enable the **Auto accept shared attachments** option when you created your transit gateway, you must manually accept cross-account (shared) attachments using either the Amazon VPC console or the AWS CLI.

**To manually accept a shared attachment**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Attachments**.

1. Select the transit gateway attachment that's pending acceptance.

1. Choose **Actions**, **Accept transit gateway attachment**.

**To accept a shared attachment using the AWS CLI**  
Use the [accept-transit-gateway-vpc-attachment](https://docs.aws.amazon.com/cli/latest/reference/ec2/accept-transit-gateway-vpc-attachment.html) command.

# Delete a transit gateway in AWS Transit Gateway

You can't delete a transit gateway with existing attachments. You need to delete all attachments before you can delete a transit gateway.

**To delete a transit gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Choose the transit gateway to delete.

1. Choose **Actions**, **Delete transit gateway**. Enter **delete** and choose **Delete** to confirm the deletion.

**To delete a transit gateway using the AWS CLI**  
Use the [delete-transit-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-transit-gateway.html) command.

# Encryption Support for AWS Transit Gateway

Encryption Controls allow you to audit the encryption status of the traffic flows in your VPC and then enforce encryption in transit for all traffic within the VPC. When VPC Encryption Control is in enforce mode, every elastic network interface (ENI) in that VPC is restricted to attaching only to AWS Nitro instances that are capable of encryption, and only AWS services that encrypt data in transit are allowed to attach to a VPC with Encryption Controls enforced. For more information about VPC Encryption Controls, see the [VPC Encryption Controls documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-encryption-controls.html).

## Transit Gateway Encryption Support and VPC Encryption Control

Encryption Support on Transit Gateway allows you to enforce encryption in transit for traffic between VPCs attached to a transit gateway. You must manually activate Encryption Support on the transit gateway, using the [modify-transit-gateway](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-transit-gateway.html) command, to encrypt traffic between the VPCs. Once enabled, all traffic between VPCs that are in Enforce mode (without exclusions) traverses 100% encrypted links through the transit gateway. You can also connect VPCs that don't have Encryption Controls turned on, or that are in Monitor mode, through a transit gateway that has Encryption Support enabled. In that case, Transit Gateway guarantees that traffic is encrypted up to the transit gateway attachment in the VPC that is not in enforce mode; beyond that point, encryption depends on the instance that the traffic is sent to in that VPC.

You can only add Encryption Support to an existing transit gateway, not while you're creating one. As the transit gateway transitions to the Encryption Support enabled state, there is no downtime on the transit gateway or its attachments; the migration is seamless and transparent, and no traffic is dropped. For the steps to modify a transit gateway to add Encryption Support, see [Modify a transit gateway](tgw-modifying.md#tgw-modifying.title).

### Requirements

Before enabling encryption support on a transit gateway, ensure that:
+ The transit gateway doesn't have Connect attachments
+ The transit gateway doesn't have Peering attachments
+ The transit gateway doesn't have Network Firewall attachments
+ The transit gateway doesn't have VPN Concentrator attachments
+ The transit gateway doesn't have security group references enabled
+ The transit gateway doesn't have Multicast features enabled
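
An added example, not from the AWS documentation: a POSIX shell preflight that checks the requirements listed above against the output of `describe-transit-gateway-attachments` and `describe-transit-gateways` before you run `modify-transit-gateway`. The `--query` invocations in the comments are assumed, and the attachment ids in the sample data are constructed.

```shell
# Added example, not code from the AWS documentation: checks the Requirements
# above against CLI output before you run modify-transit-gateway. Assumed invocations
# (with your own transit gateway id in $TGW) that produce the two inputs:
#   aws ec2 describe-transit-gateway-attachments --filters Name=transit-gateway-id,Values=$TGW \
#     --query 'TransitGatewayAttachments[].[TransitGatewayAttachmentId,ResourceType]' --output text
#   aws ec2 describe-transit-gateways --transit-gateway-ids $TGW \
#     --query 'TransitGateways[0].Options.[MulticastSupport,SecurityGroupReferencingSupport]' --output text
# $1 = attachment listing (id and type per line); $2 = "multicast-value sgref-value".
# Returns 0 when nothing blocks enabling Encryption Support, else 1 and lists the blockers.
tgw_encryption_preflight() {
  attachments=$1
  mcast=$(printf '%s\n' "$2" | awk '{ print $1 }')
  sgref=$(printf '%s\n' "$2" | awk '{ print $2 }')
  blockers=""
  # ResourceType values of the attachment kinds this page lists as unsupported.
  # Network Firewall and VPN Concentrator attachments also block enablement, but
  # their ResourceType strings are not given on this page, so they are not matched.
  for t in connect peering tgw-peering; do
    ids=$(printf '%s\n' "$attachments" | awk -v t="$t" '$2 == t { print $1 }' | tr '\n' ' ')
    [ -n "$ids" ] && blockers="$blockers
  - $t attachment(s): $ids"
  done
  [ "$mcast" = enable ] && blockers="$blockers
  - multicast support is enabled"
  [ "$sgref" = enable ] && blockers="$blockers
  - security group referencing support is enabled"
  if [ -n "$blockers" ]; then
    printf 'Encryption Support cannot be enabled yet; remove or disable:%s\n' "$blockers"
    return 1
  fi
  echo "preflight passed: no blocking attachments or features on this transit gateway"
}

# Constructed sample inputs (not real resource ids). Real --output text is
# tab-separated; awk splits tabs and spaces alike.
SAMPLE_ATTACHMENTS='tgw-attach-0aaa000000000001 vpc
tgw-attach-0aaa000000000002 vpn
tgw-attach-0aaa000000000003 connect
tgw-attach-0aaa000000000004 direct-connect-gateway'
SAMPLE_OPTIONS='disable disable'

# Demo: reports the connect attachment and returns 1.
tgw_encryption_preflight "$SAMPLE_ATTACHMENTS" "$SAMPLE_OPTIONS" || echo "exit status: $?"
```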

### Encryption Support states

A transit gateway can have one of the following encryption states:
+ **enabling** - The transit gateway is in the process of enabling encryption support. This process can take up to 14 days to complete.
+ **enabled** - Encryption support is enabled on the transit gateway. You can create VPC attachments with Encryption Control enforced.
+ **disabling** - The transit gateway is in the process of disabling Encryption support.
+ **disabled** - Encryption support is disabled on the transit gateway.

### Transit Gateway attachment rules

When a transit gateway has Encryption support enabled, the following attachment rules apply:
+ When the transit gateway encryption state is **enabling** or **disabling**, you can create Direct Connect attachments, VPN attachments, and VPC attachments whose Encryption Control mode is not enforced or enforcing.
+ When the transit gateway encryption state is **enabled**, you can create Direct Connect attachments, VPN attachments, and VPC attachments in any Encryption Control mode.
+ When the transit gateway encryption state is **disabling**, you cannot create new VPC attachments with Encryption control enforced.
+ Connect attachments, peering attachments, security group references, and multicast features are not supported with Encryption Support.

Attempting to create incompatible attachments will fail with an API error.