VPC Peering and Transit Gateway

As organisations grow on AWS, they typically run multiple VPCs — for different applications, environments (dev/staging/prod), teams, or even separate AWS accounts. Connecting these VPCs securely and efficiently is critical. AWS provides two primary mechanisms: VPC Peering for simple point-to-point connections and Transit Gateway for hub-and-spoke architectures at scale.

---

VPC Peering

A VPC peering connection is a networking link between two VPCs that enables traffic to flow between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate as if they were in the same network.

Key Properties

Property	Detail
Scope	Same Region or cross-Region (inter-Region peering)
Accounts	Same account or different accounts
Transitivity	Non-transitive — traffic does not pass through a peered VPC to reach a third
CIDR overlap	VPCs with overlapping CIDR blocks cannot be peered
Cost	No hourly charge; standard data transfer rates apply (cross-AZ / cross-Region)
Bandwidth	No aggregate bandwidth limit
Encryption	Traffic is encrypted when crossing Regions; within a Region it stays on the AWS backbone

How VPC Peering Works

1. VPC-A (requester) sends a peering request to VPC-B (accepter).
2. The owner of VPC-B accepts the request.
3. Both VPCs update their route tables to point traffic destined for the other VPC's CIDR to the peering connection.
4. Both VPCs update security groups / NACLs to allow the desired traffic.

VPC-A (10.0.0.0/16)                   VPC-B (172.16.0.0/16)
┌───────────────────┐   pcx-xxxx    ┌───────────────────┐
│ Route table:      │◄────────────►│ Route table:      │
│ 172.16.0.0/16     │               │ 10.0.0.0/16       │
│   → pcx-xxxx      │               │   → pcx-xxxx      │
└───────────────────┘               └───────────────────┘

Non-Transitive Nature

VPC peering is strictly point-to-point. Consider three VPCs:

VPC-A ←→ VPC-B ←→ VPC-C

VPC-A CANNOT reach VPC-C through VPC-B

To connect A to C, you need a separate peering connection between A and C. This creates a full mesh, which works for a few VPCs but becomes unmanageable at scale.

Number of Peering Connections

With n VPCs, a full mesh requires n × (n − 1) / 2 peering connections:

VPCs	Peering Connections
3	3
5	10
10	45
20	190

This is where Transit Gateway becomes essential.

---

AWS Transit Gateway

AWS Transit Gateway is a regional network hub that connects VPCs, VPN connections, Direct Connect gateways, and even other Transit Gateways (via peering) through a single, centrally managed gateway.

Key Properties

Property	Detail
Architecture	Hub-and-spoke
Scale	Up to 5,000 VPC attachments per Transit Gateway
Routing	Supports multiple route tables for segmentation
Transitivity	Transitive — any attached network can reach any other (unless you restrict it)
Cross-Region	Transit Gateway peering connects TGWs in different Regions
Cross-Account	Share via AWS RAM (Resource Access Manager)
Cost	Hourly charge per attachment + per-GB data processing fee

How Transit Gateway Works

1. Create a Transit Gateway in a Region.
2. Attach each VPC (and/or VPN / Direct Connect) to the Transit Gateway.
3. Configure route tables on the Transit Gateway to control which attachments can communicate.

            ┌───────────────────┐
            │  Transit Gateway  │
            │   (hub)           │
            └──┬────┬────┬─────┘
               │    │    │
       ┌───────┘    │    └───────┐
       ▼            ▼            ▼
   VPC-A         VPC-B        VPC-C
  (10.0.0.0)   (10.1.0.0)  (10.2.0.0)

All three VPCs can communicate through the Transit Gateway without any peering connections between them.

Transit Gateway Route Tables

Transit Gateway supports multiple route tables, enabling network segmentation: