Setting Up Inter-Region VPC Communication Using AWS Transit Gateway

May 7, 2025 - 14:27
As cloud environments grow across multiple AWS regions and accounts, managing a scalable and secure network architecture becomes essential. AWS Transit Gateway (TGW) offers a hub-and-spoke model that consolidates routing between VPCs and on-prem networks. Unlike traditional VPC peering (point-to-point), TGW enables centralized routing, dynamic scalability, and BGP-based routing for efficient inter-region communication.

In this article, we’ll build a Transit Gateway-based inter-region VPC architecture and walk through the step-by-step GUI and CLI setup.

Architecture for this Setup

  • A Transit Gateway in each region (us-east-1, us-west-2)
  • Two VPCs (VPC-East, VPC-West) with non-overlapping CIDRs
  • Attach VPCs to their local TGWs
  • Peer both TGWs across regions
  • Create TGW Route Tables to enable traffic flow
  • Simulate a blackhole scenario

Step 1: Create VPCs and Subnets

GUI:

  • Go to the AWS Console for both regions (us-east-1 and us-west-2)
  • Navigate to VPC → Create VPC
  • Select “VPC only”

For Region A: CIDR block: 10.10.0.0/16, name: VPC-East

For Region B: CIDR block: 10.20.0.0/16, name: VPC-West

  • On the left-hand menu, click “Subnets”.
  • Click “Create subnet”.
  • Select the VPC you want to attach the subnet to.
  • Add the following:

For Region A:

  • Name tag: Subnet-East
  • Availability Zone: us-east-1a
  • IPv4 CIDR block: 10.10.1.0/24

For Region B:

  • Name tag: Subnet-West
  • Availability Zone: us-west-2a
  • IPv4 CIDR block: 10.20.1.0/24

CLI:

# VPC-East
aws ec2 create-vpc --cidr-block 10.10.0.0/16 --region us-east-1 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=VPC-East}]'

# Subnet-East (in VPC-East)
# replace vpc-xxxxx with the VpcId returned by the create-vpc call above
aws ec2 create-subnet \
--vpc-id vpc-xxxxx \
--cidr-block 10.10.1.0/24 \
--availability-zone us-east-1a \
--region us-east-1 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Subnet-East}]'


# VPC-West
aws ec2 create-vpc --cidr-block 10.20.0.0/16 --region us-west-2 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=VPC-West}]'

# Subnet-West (in VPC-West)
# replace vpc-yyyyy with the VpcId returned by the create-vpc call above
aws ec2 create-subnet \
--vpc-id vpc-yyyyy \
--cidr-block 10.20.1.0/24 \
--availability-zone us-west-2a \
--region us-west-2 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Subnet-West}]'

Step 2: Create Transit Gateways

GUI:

  • Navigate to VPC Console in Region A (us-east-1)
  • Select “Transit Gateways” from the left menu
  • Click “Create Transit Gateway”
  • Configure settings:

Note: Repeat the same process in region B (us-west-2)

CLI:

# Create Transit Gateway in Region A
# To give each TGW its own ASN (see Best Practices), add --options AmazonSideAsn=<asn>
aws ec2 create-transit-gateway \
 --description "Transit Gateway for Region A" \
 --region us-east-1 \
 --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=TGW-Region-A}]'

# Create Transit Gateway in Region B
aws ec2 create-transit-gateway \
 --description "Transit Gateway for Region B" \
 --region us-west-2 \
 --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=TGW-Region-B}]'

Step 3: Attach VPCs to Transit Gateways

GUI:

  • In VPC Console, select “Transit Gateway Attachments”
  • Click “Create Transit Gateway Attachment”
  • Configure settings:

CLI:

# Attach VPC to Transit Gateway in Region A
# Pass one subnet per Availability Zone the TGW should place an interface in
aws ec2 create-transit-gateway-vpc-attachment \
 --transit-gateway-id tgw-xxxxx \
 --vpc-id vpc-xxxxx \
 --subnet-ids subnet-xxxxx subnet-yyyyy \
 --region us-east-1

# Attach VPC to Transit Gateway in Region B
aws ec2 create-transit-gateway-vpc-attachment \
 --transit-gateway-id tgw-yyyyy \
 --vpc-id vpc-yyyyy \
 --subnet-ids subnet-aaaaa subnet-bbbbb \
 --region us-west-2

Step 4: Create Transit Gateway Peering Attachment

GUI:

  • In Region A’s VPC Console
  • Select “Transit Gateway Attachments”
  • Click “Create Transit Gateway Attachment”
  • Configure settings:
  1. Attachment type: Peering Connection
  2. Transit Gateway (Accepter): Select Region B’s TGW ID
  3. Region: Select Region B

CLI:

# Create peering attachment
# --peer-account-id is required; use your own account ID for a same-account peering
aws ec2 create-transit-gateway-peering-attachment \
 --transit-gateway-id tgw-xxxxx \
 --peer-transit-gateway-id tgw-yyyyy \
 --peer-account-id <your-account-id> \
 --peer-region us-west-2 \
 --region us-east-1

Step 5: Accept Peering Attachment

GUI:

  • Switch to Region B’s VPC Console
  • Select “Transit Gateway Attachments”
  • Select the pending peering attachment
  • Click “Accept”

CLI:

# Accept peering attachment
aws ec2 accept-transit-gateway-peering-attachment \
 --transit-gateway-attachment-id tgw-attach-xxxxx \
 --region us-west-2

Step 6: Configure Route Tables

GUI:

In each region’s VPC Console:

  • Go to “Transit Gateway Route Tables”
  • Add routes pointing to the peered TGW
  • Update VPC route tables to route inter-region traffic through TGW

CLI:

# Add route to Transit Gateway route table in Region A
# tgw-attach-xxxxx here is the *peering* attachment; the VPC-West CIDR is reached through it
aws ec2 create-transit-gateway-route \
 --destination-cidr-block 10.20.0.0/16 \
 --transit-gateway-route-table-id tgw-rtb-xxxxx \
 --transit-gateway-attachment-id tgw-attach-xxxxx \
 --region us-east-1

# Add route to VPC route table in Region A
aws ec2 create-route \
 --route-table-id rtb-xxxxx \
 --destination-cidr-block 10.20.0.0/16 \
 --transit-gateway-id tgw-xxxxx \
 --region us-east-1

# Repeat both commands in Region B with the mirrored destination 10.10.0.0/16

Step 7: Implementing Blackhole Routes

What Are Blackhole Routes?

A blackhole route drops traffic that matches a destination CIDR. It’s useful for:

  • Blocking specific IP ranges
  • Preventing unauthorized access
  • Implementing security controls
  • Avoiding routing loops
  • Isolating problematic traffic

GUI:

  • Navigate to VPC Console
  • Select “Transit Gateway Route Tables”
  • Select the appropriate route table
  • Choose “Actions” → “Create static route”
  • Configure the blackhole route:
  1. CIDR block: (specify the IP range to block)
  2. Choose “Blackhole”

CLI:

# Create a blackhole route in Region A
aws ec2 create-transit-gateway-route \
    --destination-cidr-block 10.0.0.0/16 \
    --blackhole \
    --transit-gateway-route-table-id tgw-rtb-xxxxx \
    --region us-east-1

# Create a blackhole route in Region B
aws ec2 create-transit-gateway-route \
    --destination-cidr-block 172.16.0.0/16 \
    --blackhole \
    --transit-gateway-route-table-id tgw-rtb-yyyyy \
    --region us-west-2

Common Blackhole Route Use Cases:

  • Blocking Non-Routable Address Spaces:

# Blackhole RFC 1918 ranges that have no attachment behind them.
# The TGW uses longest-prefix match, so the /16 routes for VPC-East (10.10.0.0/16)
# and VPC-West (10.20.0.0/16) still win over the 10.0.0.0/8 blackhole; only
# private space with no more specific route is dropped.
aws ec2 create-transit-gateway-route \
 --destination-cidr-block 192.168.0.0/16 \
 --blackhole \
 --transit-gateway-route-table-id tgw-rtb-xxxxx \
 --region us-east-1

aws ec2 create-transit-gateway-route \
 --destination-cidr-block 172.16.0.0/12 \
 --blackhole \
 --transit-gateway-route-table-id tgw-rtb-xxxxx \
 --region us-east-1

aws ec2 create-transit-gateway-route \
 --destination-cidr-block 10.0.0.0/8 \
 --blackhole \
 --transit-gateway-route-table-id tgw-rtb-xxxxx \
 --region us-east-1

  • Implementing Network Segmentation:

# Block access to a specific environment
aws ec2 create-transit-gateway-route \
 --destination-cidr-block 10.100.0.0/16 \
 --blackhole \
 --transit-gateway-route-table-id tgw-rtb-xxxxx \
 --region us-east-1
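As an added example that is not part of the original article, the POSIX shell script below simulates the longest-prefix-match lookup a Transit Gateway route table performs, using a constructed Region A table with placeholder attachment names. It lets you preview which destinations the blackhole routes from Steps 6 and 7 actually drop, and whether a proposed blackhole would shadow a live VPC route, before touching the account.

```shell
# Constructed Region A TGW route table (placeholder attachment names), one route per line.
TGW_RTB_A='
10.10.0.0/16 tgw-attach-vpc-east
10.20.0.0/16 tgw-attach-peering
10.100.0.0/16 blackhole
10.0.0.0/8 blackhole
172.16.0.0/12 blackhole
192.168.0.0/16 blackhole
'
# ip_to_int 10.20.1.5 -> 169083141 (dotted quad to 32-bit integer)
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# prefix_mask 16 -> 4294901760 (0xFFFF0000)
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}
# tgw_lookup DEST_IP: prints the target of the most specific matching route
# (longest-prefix match, as the TGW does) or "no-route"; leaves the winner in $best/$best_len.
tgw_lookup() {
  ip=$(ip_to_int "$1"); best_len=-1; best=no-route
  while read -r cidr target; do
    [ -n "$cidr" ] || continue
    net=$(ip_to_int "${cidr%/*}"); len=${cidr#*/}; mask=$(prefix_mask "$len")
    if [ $(( ip & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len; best=$target
    fi
  done <<EOF
$TGW_RTB_A
EOF
  echo "$best"
}
# blackhole_shadows CIDR: "yes" when a new blackhole for CIDR would be more specific
# than the attachment route currently serving it, i.e. it would silently drop VPC traffic.
blackhole_shadows() {
  tgw_lookup "${1%/*}" >/dev/null
  case "$best" in
    tgw-attach-*) [ "${1#*/}" -gt "$best_len" ] && echo yes || echo no ;;
    *) echo no ;;
  esac
}
for dest in 10.10.1.5 10.20.1.5 10.5.0.1 10.100.7.7 172.31.0.1 8.8.8.8; do
  printf '%-12s -> %s\n' "$dest" "$(tgw_lookup "$dest")"
done
printf '10.20.1.0/24 blackhole shadows a VPC route: %s\n' "$(blackhole_shadows 10.20.1.0/24)"
```

The 10.0.0.0/8 blackhole does not affect 10.20.1.5 because the peering route's /16 prefix is longer, whereas a 10.20.1.0/24 blackhole would override it for Subnet-West.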

Best Practices for Blackhole Routes:

Documentation

  • Maintain a list of all blackhole routes
  • Document the purpose of each blackhole route
  • Include expiration dates if temporary

Implementation Strategy

  • Start with more specific routes (/32, /24) before broader ones
  • Test in non-production environment first
  • Implement gradually to minimize impact

Monitoring

  • Monitor dropped packet metrics
  • Set up CloudWatch alarms for blocked traffic
  • Regular review of blackhole routes

Step 8: Verify Connectivity

  • Launch EC2 instances in both VPCs
  • Test connectivity using ping or other network tools
  • Check Transit Gateway route tables for proper route propagation

Best Practices

  • Monitor dropped packet metrics
  • Use unique ASNs for each Transit Gateway
  • Implement proper security groups and NACLs
  • Monitor TGW CloudWatch metrics
  • Use resource tagging for better management
  • Document CIDR ranges and routing configurations

Troubleshooting Tips

  • Verify route table configurations
  • Check security group rules
  • Ensure CIDR ranges don’t overlap
  • Validate TGW attachment states
  • Review VPC route tables

Cost Considerations

  • Data transfer charges apply for inter-region traffic
  • TGW attachment hours are billed
  • Consider using AWS Cost Explorer for monitoring

Conclusion

With AWS Transit Gateway, you unlock a scalable and resilient inter-region communication framework. Integrating blackhole routes enhances your network control and stability. Whether you’re working in a multi-account, global setup, or building DR strategies, this architecture sets you up for long-term success.