One of the key properties of this implementation is the simplification of the network connectivity: instead of a separate VPN connection for each account or VPC, we use a single VPN connected to the Transit Gateway and manage all the traffic through the Transit Gateway.
Isolation is key to ensuring security, especially when connecting the company’s network infrastructure with external or third-party datacenters. With AWS Transit Gateway it is easy to control the network routing in a centralized routing table, which gives a better overview and makes the security policies easier to enforce and manage.
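As an added example (not code from the original post) of how the centralized routing table can be audited for the isolation described above: a small Python check that walks the routes of one Transit Gateway route table and flags any route that hands traffic to an attachment outside the prefixes allowed for it, or a default route pointing at an attachment. The route dictionaries follow the shape of the EC2 SearchTransitGatewayRoutes response; the attachment IDs, CIDRs and the per-attachment allowlist are constructed for this example.

```python
import ipaddress

# Constructed sample in the shape of the `Routes` list returned by
# ec2.search_transit_gateway_routes(TransitGatewayRouteTableId=...); all IDs
# and CIDRs are made up. In practice you would load this from the API call.
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.10.0.0/16", "State": "active", "Type": "propagated",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0a",
                                    "ResourceId": "vpc-0a", "ResourceType": "vpc"}]},
    {"DestinationCidrBlock": "10.20.0.0/16", "State": "active", "Type": "propagated",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0b",
                                    "ResourceId": "vpc-0b", "ResourceType": "vpc"}]},
    {"DestinationCidrBlock": "192.168.0.0/16", "State": "active", "Type": "static",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0c",
                                    "ResourceId": "vpn-0c", "ResourceType": "vpn"}]},
    {"DestinationCidrBlock": "0.0.0.0/0", "State": "active", "Type": "static",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0c",
                                    "ResourceId": "vpn-0c", "ResourceType": "vpn"}]},
    {"DestinationCidrBlock": "10.30.0.0/16", "State": "blackhole", "Type": "static",
     "TransitGatewayAttachments": []},
]

# Constructed policy: the prefixes each attachment is allowed to be the next hop for.
# The single VPN attachment (tgw-attach-0c) must only carry the third-party ranges.
ALLOWED_NEXT_HOPS = {
    "tgw-attach-0a": ["10.10.0.0/16"],
    "tgw-attach-0b": ["10.20.0.0/16"],
    "tgw-attach-0c": ["192.168.0.0/16"],
}


def audit_routes(routes, allowed):
    """Return (destination, attachment_id, reason) tuples for routes violating the policy."""
    findings = []
    for route in routes:
        if route["State"] != "active":
            continue  # blackhole routes drop traffic, so they do not widen reachability
        dest = ipaddress.ip_network(route["DestinationCidrBlock"])
        for att in route["TransitGatewayAttachments"]:
            att_id = att["TransitGatewayAttachmentId"]
            if dest.prefixlen == 0:
                findings.append((str(dest), att_id, "default route sends all unknown traffic here"))
                continue
            permitted = [ipaddress.ip_network(p) for p in allowed.get(att_id, [])]
            if not any(dest.subnet_of(p) for p in permitted):
                findings.append((str(dest), att_id, "destination outside allowed prefixes"))
    return findings


if __name__ == "__main__":
    for dest, att_id, reason in audit_routes(SAMPLE_ROUTES, ALLOWED_NEXT_HOPS):
        print(f"{dest} via {att_id}: {reason}")
```

In the sample only the default route toward the VPN attachment is reported; a route that propagates one VPC’s range toward another attachment would be reported the same way.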
As Transit Gateway is an AWS managed service, it integrates seamlessly with other AWS tools such as CloudTrail, CloudWatch and IAM, making it easier for operations and security teams to monitor and automate deployments. Using IAM, you can create and manage AWS users and groups, and use permissions to allow or deny their access to the AWS Transit Gateway. AWS Transit Gateway provides statistics and logs that are then used by services such as Amazon CloudWatch and Amazon VPC Flow Logs. You can use Amazon CloudWatch to get bandwidth usage between Amazon VPCs and a VPN connection, packet flow count, and packet drop count. You can also enable Amazon VPC Flow Logs on AWS Transit Gateway to capture information on the IP traffic routed through it. AWS Transit Gateway Network Manager includes events and metrics to monitor the quality of your global network, both in AWS and on premises. Event alerts report changes in topology, routing, and connection status. Usage metrics provide information on connection up/down state, bytes in/out, packets in/out, and packets dropped.
Transit Gateway is the key to multi-account, multi-VPC connectivity scenarios: it simplifies connectivity in complex networks and offers better manageability, scalability and security than other solutions. In modern IT environments, where automation is key, once you have registered existing AWS Transit Gateways, Network Manager automatically identifies the Site-to-Site VPN connections and the on-premises resources associated with them. The SD-WAN consoles from vendors that have integrated AWS Transit Gateway, such as Cisco, Aruba, Silver Peak, or Aviatrix, automatically provision new AWS Site-to-Site VPN connections in Transit Gateway Network Manager and automate the definition of your on-premises network there. You can also define your on-premises network in Transit Gateway Network Manager manually.