Transit gateway peering attachments in Amazon VPC Transit Gateways - Amazon VPC
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Transit gateway peering attachments in Amazon VPC Transit Gateways

You can peer both intra-Region and inter-Region transit gateways and route traffic between them, including both IPv4 and IPv6 traffic. To do this, create a peering attachment on your transit gateway and specify the peer transit gateway. The peer transit gateway must be in your account. Peering attachments are not available in transit gateways that might be shared with you.

After you create a peering attachment request, the owner of the peer transit gateway (also referred to as the accepter transit gateway) must accept the request. To route traffic between the transit gateways, add a static route to the transit gateway route table that points to the transit gateway peering attachment.

We recommend using unique ASNs for each peered transit gateway to take advantage of future route propagation capabilities.
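As an added example (not part of the Amazon documentation), the following Python audits constructed transit gateway data for the two points above: each side of an available peering attachment needs a static route that targets the attachment, and the peered gateways should use distinct ASNs. The gateway IDs, attachment ID, ASNs and Region codes are constructed sample values, with field names modelled on the EC2 describe-transit-gateways, describe-transit-gateway-peering-attachments and search-transit-gateway-routes responses.

```python
"""Audit constructed Transit Gateway peering data: peered gateways should use
distinct ASNs, and each available peering attachment needs a static route on
both sides, because routes are not propagated over a peering attachment.
All IDs and values below are constructed sample data, not real resources."""

# Constructed sample: two gateways that (incorrectly) share an ASN.
TGWS = {
    "tgw-0aaa": {"AmazonSideAsn": 64512, "Region": "cn-north-1"},
    "tgw-0bbb": {"AmazonSideAsn": 64512, "Region": "cn-northwest-1"},
}
# Constructed sample: one accepted peering attachment between them.
PEERINGS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0p01", "State": "available",
     "RequesterTgwInfo": {"TransitGatewayId": "tgw-0aaa"},
     "AccepterTgwInfo": {"TransitGatewayId": "tgw-0bbb"}},
]
# Constructed sample: routes per gateway, shaped like search-transit-gateway-routes.
ROUTES = {
    "tgw-0aaa": [{"DestinationCidrBlock": "10.2.0.0/16", "Type": "static",
                  "State": "active",
                  "TransitGatewayAttachments": [
                      {"TransitGatewayAttachmentId": "tgw-attach-0p01",
                       "ResourceType": "peering"}]}],
    "tgw-0bbb": [],  # accepter side has no route back yet
}


def audit_peering(tgws, peerings, routes):
    """Return a list of findings; an empty list means the peering is complete."""
    findings = []
    for p in peerings:
        if p["State"] != "available":
            continue  # pending or deleted attachments carry no traffic
        att = p["TransitGatewayAttachmentId"]
        a = p["RequesterTgwInfo"]["TransitGatewayId"]
        b = p["AccepterTgwInfo"]["TransitGatewayId"]
        # Recommendation from the page: distinct ASNs on each peered gateway.
        if tgws[a]["AmazonSideAsn"] == tgws[b]["AmazonSideAsn"]:
            findings.append(f"{att}: {a} and {b} share ASN {tgws[a]['AmazonSideAsn']}")
        # Traffic only flows over the peering when a static route targets it.
        for tgw in (a, b):
            has_route = any(
                r["Type"] == "static" and r["State"] == "active"
                and any(x["TransitGatewayAttachmentId"] == att
                        for x in r["TransitGatewayAttachments"])
                for r in routes.get(tgw, []))
            if not has_route:
                findings.append(f"{att}: {tgw} has no static route to the peering")
    return findings


if __name__ == "__main__":
    for finding in audit_peering(TGWS, PEERINGS, ROUTES):
        print(finding)
```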

Transit gateway peering does not support resolving public or private IPv4 DNS host names to private IPv4 addresses across VPCs on either side of the transit gateway peering attachment using the Amazon Route 53 Resolver in another Region. For more information about the Route 53 Resolver, see What is Route 53 Resolver? in the Amazon Route 53 Developer Guide.

Inter-Region gateway peering uses the same network infrastructure as VPC peering. Therefore, traffic is encrypted using AES-256 encryption at the virtual network layer as it travels between Regions. Traffic is also encrypted using AES-256 encryption at the physical layer when it traverses network links that are outside of the physical control of Amazon. As a result, traffic is double encrypted on network links outside the physical control of Amazon. Within the same Region, traffic is encrypted at the physical layer only when it traverses network links that are outside of the physical control of Amazon.

For information about which Regions support transit gateway peering attachments, see Amazon Transit Gateways FAQs.

Opt-in Amazon Region considerations

You can peer transit gateways across opt-in Region boundaries. For information about these Regions, and how to opt in, see Managing Amazon Regions in the Amazon Web Services General Reference. Take the following into consideration when you use transit gateway peering in these Regions:

  • You can peer into an opt-in Region as long as the account that accepts the peering attachment has opted into that Region.

  • Regardless of the Region opt-in status, Amazon shares the following account data with the account that accepts the peering attachment:

    • Amazon Web Services account ID

    • Transit gateway ID

    • Region code

  • When you delete the transit gateway attachment, the above account data is deleted.

  • We recommend that you delete the transit gateway peering attachment before you opt out of the Region. If you do not delete the peering attachment, traffic might continue to go over the attachment and you continue to incur charges. If you have already opted out without deleting the attachment, you can opt back in and then delete the attachment.

  • In general, the transit gateway has a sender-pays model. By using a transit gateway peering attachment across an opt-in boundary, you might incur charges in the Region accepting the attachment, including Regions you have not opted into. For more information, see Amazon Transit Gateway Pricing.