Migrating from VPC Peering to AWS Transit Gateway
Naveen Teja
2/27/2026

As an organization scales its AWS footprint, managing point-to-point VPC peering connections becomes an operational burden. Peering is not transitive, so connecting every VPC to every other requires a full mesh: n VPCs need n(n-1)/2 peering connections, and every VPC route table has to carry a route for every peer. The count grows quadratically, the route tables become hard to audit, and the chance of a misconfiguration (a stale route, a missing return route, a peer that can now reach more than it should) rises with it. AWS Transit Gateway solves this by acting as a regional, highly scalable cloud router.
Instead of establishing individual peering links between every pair of VPCs, you connect each VPC to a central Transit Gateway once. This hub-and-spoke architecture radically simplifies the topology: adding a VPC means one attachment and one set of routes, not a new peering link to every existing VPC. It also enables centralized security inspection, because Transit Gateway route tables let you decide which attachments can reach which: all internet-bound traffic from the spoke VPCs can be routed through an egress VPC containing network firewalls before it reaches the internet, and spokes that should not talk to each other can be kept apart. One caveat a practitioner should know before migrating: a newly created Transit Gateway has a default route table to which every attachment is automatically associated and into which every attachment propagates its CIDR, so out of the box the hub will forward traffic between any two attached VPCs as soon as their VPC route tables point at it. Segmentation requires disabling that default behaviour and using explicit route tables, otherwise the migration can silently grant more connectivity than the peering links it replaces.
From a Terraform perspective, implementing Transit Gateway means defining the gateway itself, attaching each VPC (an attachment is created in one subnet per Availability Zone you want served, and places an ENI in each), and then updating the route tables in each VPC so that routes for the other VPCs' CIDRs, or a summary route covering them, target the Transit Gateway. Note that a VPC route targets the Transit Gateway itself, not the attachment; the attachment is what binds the VPC to a Transit Gateway route table. Below is the infrastructure-as-code required to provision the central gateway and attach a production VPC.
resource "aws_ec2_transit_gateway" "main" {
  description = "Central Hub for Multi-VPC Routing"
  # Accept attachments shared from other accounts via AWS RAM without
  # manual approval. The default is "disable"; only enable this when the
  # sharing accounts are trusted, since an accepted attachment joins the hub.
  auto_accept_shared_attachments = "enable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "prod" {
  # One subnet per AZ; the attachment places an ENI in each.
  subnet_ids         = aws_subnet.private[*].id
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = aws_vpc.prod.id
}
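The snippet above creates the hub and one attachment but leaves the default route table in place, which gives every attachment reachability to every other. As an added example that is not part of the original post, the configuration below shows the segmented layout described earlier: default association and propagation are disabled, prod and dev are attached to a spoke route table whose only route is a default route to an egress VPC, and the egress route table learns the spoke CIDRs so return traffic can get back. The VPC, subnet and VPC route table resources it references (`aws_vpc.prod`, `aws_vpc.dev`, `aws_vpc.egress`, `aws_subnet.prod_private`, `aws_subnet.dev_private`, `aws_subnet.egress_tgw`, `aws_route_table.prod_private`, `aws_route_table.dev_private`, `aws_route_table.egress_public`) are assumed to exist elsewhere in the configuration, and the spoke VPCs are assumed to use addresses inside 10.0.0.0/8; the routes from the egress VPC's TGW subnets to the firewall endpoints and from the firewall subnets to NAT are omitted.

```hcl
# Hub with the default route table switched off: nothing is reachable
# until a route table association and a route say so explicitly.
resource "aws_ec2_transit_gateway" "main" {
  description                     = "Central Hub for Multi-VPC Routing"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  auto_accept_shared_attachments  = "disable"
}

# Spoke VPCs (assumed to exist elsewhere in the configuration).
locals {
  spokes = {
    prod = { vpc_id = aws_vpc.prod.id, subnet_ids = aws_subnet.prod_private[*].id }
    dev  = { vpc_id = aws_vpc.dev.id, subnet_ids = aws_subnet.dev_private[*].id }
  }
}

# Attachments also opt out of the default table at the attachment level.
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each                                        = local.spokes
  transit_gateway_id                              = aws_ec2_transit_gateway.main.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = "tgw-${each.key}" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "egress" {
  transit_gateway_id                              = aws_ec2_transit_gateway.main.id
  vpc_id                                          = aws_vpc.egress.id
  subnet_ids                                      = aws_subnet.egress_tgw[*].id
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = "tgw-egress" }
}

# Two hub route tables: one the spokes are associated with, one for egress.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
}

resource "aws_ec2_transit_gateway_route_table" "egress" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

resource "aws_ec2_transit_gateway_route_table_association" "egress" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.egress.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.egress.id
}

# Spokes table: the only route is a default route to the egress VPC.
# No spoke propagates into this table, so prod cannot reach dev through
# the hub even if someone later adds a VPC route pointing at the TGW.
resource "aws_ec2_transit_gateway_route" "spokes_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.egress.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# Egress table: learn each spoke's CIDR so inspected return traffic can
# find its way back to the right attachment.
resource "aws_ec2_transit_gateway_route_table_propagation" "egress_learns_spokes" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.egress.id
}

# VPC side: each spoke's private route table sends internet-bound traffic
# to the TGW. The target is the gateway, not the attachment.
resource "aws_route" "spoke_to_tgw" {
  for_each = {
    prod = aws_route_table.prod_private.id
    dev  = aws_route_table.dev_private.id
  }
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
}

# Egress VPC return path: traffic for the spoke address space (assumed to
# be inside 10.0.0.0/8) leaving the NAT/public subnets goes back to the TGW.
resource "aws_route" "egress_return_to_tgw" {
  route_table_id         = aws_route_table.egress_public.id
  destination_cidr_block = "10.0.0.0/8"
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
}
```

After `terraform apply`, a useful check is `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <spokes table id> --filters Name=type,Values=static,propagated`: the spokes table should show exactly one route (0.0.0.0/0 to the egress attachment) and no propagated spoke CIDRs. If the default table had been left enabled, the same query against it would list every spoke's CIDR, which is the any-to-any reachability the migration should avoid. Adding a new spoke later is one entry in `local.spokes`; it inherits the same isolation and egress path without touching any other VPC.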