
Transit gateway peering attachments

You can peer both intra-Region and inter-Region transit gateways, and route traffic between them, which includes IPv4 and IPv6 traffic. To do this, create a peering attachment on your transit gateway, and specify a transit gateway. The peer transit gateway can be in your account or a different Amazon Web Services account.

After you create a peering attachment request, the owner of the peer transit gateway (also referred to as the accepter transit gateway) must accept the request. To route traffic between the transit gateways, add a static route to the transit gateway route table that points to the transit gateway peering attachment.

We recommend using unique ASNs for each peered transit gateway to take advantage of future route propagation capabilities.

Transit gateway peering does not support resolving public or private IPv4 DNS host names to private IPv4 addresses across VPCs on either side of the transit gateway peering attachment using the Amazon Route 53 Resolver in another Region. For more information about the Route 53 Resolver, see What is Route 53 Resolver? in the Amazon Route 53 Developer Guide.

Inter-Region transit gateway peering uses the same network infrastructure as VPC peering. Therefore, traffic is encrypted using AES-256 encryption at the virtual network layer as it travels between Regions. Traffic is also encrypted using AES-256 encryption at the physical layer when it traverses network links that are outside of the physical control of Amazon. As a result, traffic is double encrypted on network links outside the physical control of Amazon. Within the same Region, traffic is encrypted at the physical layer only when it traverses network links that are outside of the physical control of Amazon.

For information about which Regions support transit gateway peering attachments, see Amazon Transit Gateways FAQs.

Create a peering attachment

Before you begin, ensure that you have the ID of the transit gateway that you want to attach. If the transit gateway is in another Amazon Web Services account, ensure that you have the Amazon Web Services account ID of the owner of the transit gateway.

After you create the peering attachment, the owner of the accepter transit gateway must accept the attachment request.

To create a peering attachment using the console
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Choose Create transit gateway attachment.

  4. For Transit gateway ID, choose the transit gateway for the attachment. You can choose a transit gateway that you own or a transit gateway that was shared with you.

  5. For Attachment type, choose Peering Connection.

  6. Optionally enter a name tag for the attachment.

  7. For Account, do one of the following:

    • If the transit gateway is in your account, choose My account.

    • If the transit gateway is in a different Amazon Web Services account, choose Other account. For Account ID, enter the Amazon Web Services account ID.

  8. For Region, choose the Region that the transit gateway is located in.

  9. For Transit gateway (accepter), enter the ID of the transit gateway that you want to attach.

  10. Choose Create transit gateway attachment.

To create a peering attachment using the Amazon CLI

Use the create-transit-gateway-peering-attachment command.

Accept or reject a peering attachment request

To activate the peering attachment, the owner of the accepter transit gateway must accept the peering attachment request. This is required even if both transit gateways are in the same account. The peering attachment must be in the pendingAcceptance state. Accept the peering attachment request from the Region that the accepter transit gateway is located in.

Alternatively, you can reject any peering connection request that you've received that's in the pendingAcceptance state. You must reject the request from the Region that the accepter transit gateway is located in.

To accept a peering attachment request using the console
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway peering attachment that's pending acceptance.

  4. Choose Actions, Accept transit gateway attachment.

  5. Add the static route to the transit gateway route table. For more information, see Create a static route.

To reject a peering attachment request using the console
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway peering attachment that's pending acceptance.

  4. Choose Actions, Reject transit gateway attachment.

To accept or reject a peering attachment using the Amazon CLI

Use the accept-transit-gateway-peering-attachment and reject-transit-gateway-peering-attachment commands.

Add a route to the transit gateway route table

To route traffic between the peered transit gateways, you must add a static route to the transit gateway route table that points to the transit gateway peering attachment. The owner of the accepter transit gateway must also add a static route to their transit gateway's route table.

To create a static route using the console
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the navigation pane, choose Transit Gateway Route Tables.

  3. Select the route table for which to create a route.

  4. Choose Actions, Create static route.

  5. On the Create static route page, enter the CIDR block for which to create the route. For example, specify the CIDR block of a VPC that's attached to the peer transit gateway.

  6. Choose the peering attachment for the route.

  7. Choose Create static route.

To create a static route using the Amazon CLI

Use the create-transit-gateway-route command.

Important

After you create the route, associate the transit gateway route table with the transit gateway peering attachment. For more information, see Associate a transit gateway route table.
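The whole procedure above (create the attachment, accept it from the accepter's Region, add the static routes on both sides, associate the route table), as an added example built on the CLI commands this page names; it is not AWS's own sample code, and the Region codes, account IDs, transit gateway IDs and route table IDs in it are placeholders. It also adds the check a practitioner wants before accepting: confirming that the requester's account ID is the one you expect, since accepting shares your account data with the requester.

```sh
#!/bin/sh
# Added walkthrough of the procedure above with the AWS CLI commands the page names
# (not AWS's own sample). IDs, account numbers and Region codes are constructed
# placeholders; override them through the environment. DRY_RUN=1 prints commands only.
REQ_REGION="${REQ_REGION:-cn-north-1}"              # requester transit gateway Region
ACC_REGION="${ACC_REGION:-cn-northwest-1}"          # accepter transit gateway Region
REQ_TGW="${REQ_TGW:-tgw-0123456789abcdef0}"         # requester transit gateway ID
ACC_TGW="${ACC_TGW:-tgw-0fedcba9876543210}"         # accepter transit gateway ID
ACC_ACCOUNT="${ACC_ACCOUNT:-444455556666}"          # account owning the accepter
EXPECTED_REQUESTER="${EXPECTED_REQUESTER:-111122223333}"  # account the request must come from

aws_cmd() {  # run an aws command, or only print it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "aws $*"; else aws "$@"; fi
}

create_peering() {  # requester side: create the attachment, print its attachment ID
  aws_cmd ec2 create-transit-gateway-peering-attachment --region "$REQ_REGION" \
    --transit-gateway-id "$REQ_TGW" --peer-transit-gateway-id "$ACC_TGW" \
    --peer-account-id "$ACC_ACCOUNT" --peer-region "$ACC_REGION" \
    --query 'TransitGatewayPeeringAttachment.TransitGatewayAttachmentId' --output text
}

check_requester() {  # accepting shares your account data, so refuse unexpected requesters
  [ "$1" = "$EXPECTED_REQUESTER" ] || { echo "unexpected requester account: $1" >&2; return 1; }
}

accept_peering() {  # accepter side, run in ACC_REGION; $1 = attachment ID in pendingAcceptance
  owner=$(aws_cmd ec2 describe-transit-gateway-peering-attachments --region "$ACC_REGION" \
    --transit-gateway-attachment-ids "$1" \
    --query 'TransitGatewayPeeringAttachments[0].RequesterTgwInfo.OwnerId' --output text)
  check_requester "$owner" || return 1
  aws_cmd ec2 accept-transit-gateway-peering-attachment --region "$ACC_REGION" \
    --transit-gateway-attachment-id "$1"
}

# Both sides: static route for the peer's CIDR, then associate the route table with the
# attachment. $1 = Region, $2 = route table ID, $3 = peer CIDR, $4 = attachment ID.
add_peer_route() {
  aws_cmd ec2 create-transit-gateway-route --region "$1" --transit-gateway-route-table-id "$2" \
    --destination-cidr-block "$3" --transit-gateway-attachment-id "$4"
  aws_cmd ec2 associate-transit-gateway-route-table --region "$1" \
    --transit-gateway-route-table-id "$2" --transit-gateway-attachment-id "$4"
}

if [ "${RUN_PEERING:-0}" = 1 ]; then  # end-to-end run, only with a configured CLI
  att=$(create_peering) && accept_peering "$att" &&
  add_peer_route "$REQ_REGION" tgw-rtb-0123456789abcdef0 10.2.0.0/16 "$att" &&
  add_peer_route "$ACC_REGION" tgw-rtb-0fedcba9876543210 10.1.0.0/16 "$att"
fi
```

Run it with `DRY_RUN=1 RUN_PEERING=1` first to review the exact commands before they touch either account.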

View your transit gateway peering connection attachments

You can view your transit gateway peering attachments and information about them.

To view your peering attachments using the console
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. In the Resource type column, look for Peering. These are the peering attachments.

  4. Choose an attachment to view its details.

To view your transit gateway peering attachments using the Amazon CLI

Use the describe-transit-gateway-peering-attachments command.

Delete a peering attachment

You can delete a transit gateway peering attachment. The owner of either of the transit gateways can delete the attachment.

To delete a peering attachment using the console
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the navigation pane, choose Transit Gateway Attachments.

  3. Select the transit gateway peering attachment.

  4. Choose Actions, Delete transit gateway attachment.

  5. Enter delete and choose Delete.

To delete a peering attachment using the Amazon CLI

Use the delete-transit-gateway-peering-attachment command.

Opt-in Amazon Region considerations

You can peer transit gateways across opt-in Region boundaries. For information about these Regions, and how to opt in, see Managing Amazon Regions in the Amazon Web Services General Reference. Take the following into consideration when you use transit gateway peering in these Regions:

  • You can peer into an opt-in Region as long as the account that accepts the peering attachment has opted into that Region.

  • Regardless of the Region opt-in status, Amazon shares the following account data with the account that accepts the peering attachment:

    • Amazon Web Services account ID

    • Transit gateway ID

    • Region code

  • When you delete the transit gateway attachment, the above account data is deleted.

  • We recommend that you delete the transit gateway peering attachment before you opt out of the Region. If you do not delete the peering attachment, traffic might continue to go over the attachment and you continue to incur charges. If you do not delete the attachment, you can opt back in, and then delete the attachment.

  • In general, the transit gateway has a sender-pays model. By using a transit gateway peering attachment across an opt-in boundary, you might incur charges in the Region accepting the attachment, including Regions you have not opted into. For more information, see Amazon Transit Gateway Pricing.