AWS VGW vs DGW vs TGW
Exploring the evolution of the AWS network gateway and choosing the best option for your business.
AWS launched the newest version of their native network routing service, Transit Gateway (TGW), in November 2018. The cloud-based network gateway, which allows customers to connect Virtual Private Clouds (VPCs) across different accounts in a hub-and-spoke topology, is the third evolution in this feature set. The release was preceded by Direct Connect Gateway (DGW), announced in 2017, and before that by Virtual Private Gateway (VGW).
Navigating these options and figuring out which fits your use case can be tricky. We’re demystifying each service so you can more easily determine which solution is right for your business. First, consider the requirements of your workloads, since each service offers certain features and not others. Take a look at the table below for a quick overview.
Now, let’s break down the specific benefits of each service and explore how the AWS network gateway has changed over time.
Virtual Private Gateway – VGW
The VGW introduced the ability to let multiple VPCs in the same region, on the same account, share a Direct Connect. Prior to this, you needed a Direct Connect Private Virtual Interface (VIF) for each VPC, a 1:1 correlation that didn’t scale well in terms of either cost or administrative overhead. VGW reduced the expense of provisioning new Direct Connect circuits for each VPC, as long as the VPCs were in the same region and on the same account. This construct can be used with either Direct Connect or Site-to-Site VPN.
Multiple VPCs in the same region sharing the same Direct Connect.
Direct Connect Gateway – DGW
DGW builds upon VGW capabilities, adding the ability to connect VPCs in one region to a Direct Connect in another region. CIDR ranges cannot overlap. In addition, traffic will not route from VPC-A through the Direct Connect Gateway to VPC-B. Traffic has to take the path VPC-A → Direct Connect → Data Centre Router → Direct Connect → VPC-B.
Multiple VPCs spread across multiple regions sharing the same Direct Connect.
Transit Gateway – TGW
Transit Gateway provides enhanced routing services over the previous offerings from AWS. The initial launch of Transit Gateway doesn’t support Direct Connect and requires Site-to-Site VPN. Each VPN session is limited to 1.25 Gbps of throughput. If you want to scale beyond this, you’ll need to add multiple VPN connections to reach your desired aggregate bandwidth and then leverage ECMP to multipath traffic across all of them. Even with ECMP, a single flow is still limited to 1.25 Gbps.
TGW, coupled with AWS Resource Access Manager, allows you to use a single Transit Gateway across multiple AWS accounts; however, it is still limited to a single region. In addition, CIDR overlap is permitted through the use of multiple route tables. Multiple route tables on a TGW deliver a VRF-type capability that lets you isolate routing domains and enforce traffic segmentation. A significant advantage of TGW is that you can route between VPCs without your data having to hairpin over the VPN to your on-premises router and back into AWS, as happens with VGW and DGW. A list of supported regions is available in the AWS FAQs.
Multiple VPCs in the same region, spread across different AWS accounts using the same Direct Connect.
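To make the route-table isolation concrete, here is an added example (not from the original post or from AWS) that models TGW association and propagation in Python; the attachment names, table names and CIDRs are constructed. It shows a prod and a dev VPC reusing the same CIDR while each reaches a shared-services VPC directly through the TGW, with no route between them.

```python
"""Toy model of Transit Gateway routing with several route tables (VRF-style).
Each attachment is associated with one table (consulted for traffic entering
from it) and its CIDRs are propagated into the tables that should reach it."""
from ipaddress import ip_address, ip_network


class TransitGateway:
    def __init__(self):
        self.tables = {}       # route table name -> list of (network, attachment)
        self.association = {}  # attachment -> route table it is associated with
        self.cidrs = {}        # attachment -> list of ip_network

    def add_attachment(self, name, cidrs, associate_with):
        self.cidrs[name] = [ip_network(c) for c in cidrs]
        self.association[name] = associate_with
        self.tables.setdefault(associate_with, [])

    def propagate(self, attachment, into_table):
        """Advertise an attachment's CIDRs into a table. Identical prefixes from
        two attachments in ONE table are ambiguous, so the model refuses them;
        the same prefix in DIFFERENT tables (isolated domains) is fine."""
        routes = self.tables.setdefault(into_table, [])
        for net in self.cidrs[attachment]:
            for existing, owner in routes:
                if existing == net and owner != attachment:
                    raise ValueError(f"{net} already reachable via {owner} in {into_table}")
            routes.append((net, attachment))

    def next_hop(self, src_attachment, dst_ip):
        """Longest-prefix match in the table associated with the ingress attachment.
        Returns the egress attachment, or None if the destination is unreachable
        from this routing domain (the TGW drops the traffic)."""
        table = self.tables[self.association[src_attachment]]
        dst = ip_address(dst_ip)
        hits = [(net, att) for net, att in table if dst in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def build_segmented_tgw():
    """Constructed topology: prod and dev reuse 10.0.0.0/16, both reach shared, never each other."""
    tgw = TransitGateway()
    tgw.add_attachment("vpc-prod", ["10.0.0.0/16"], associate_with="rt-prod")
    tgw.add_attachment("vpc-dev", ["10.0.0.0/16"], associate_with="rt-dev")
    tgw.add_attachment("vpc-shared", ["10.100.0.0/16"], associate_with="rt-shared")
    tgw.propagate("vpc-shared", into_table="rt-prod")
    tgw.propagate("vpc-shared", into_table="rt-dev")
    tgw.propagate("vpc-prod", into_table="rt-shared")  # return path exists for prod only
    return tgw
```

Propagating vpc-dev into rt-shared as well raises, because the overlapping prefix would then sit in a single table; overlap is only tolerable while the two domains stay separate.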