...
Hop | Resource | Filtering | Notes
---|---|---|---
Source | EC2 Instance Elastic Network Interface | — | 
↓ | EC2 Instance Security Group | outbound rules of SG | 
↓ | NACL of Subnet containing EC2 instance | outbound rules of NACL for source subnet | 
↓ | Route Table of Subnet containing EC2 instance | — | 
↓ | NACL of Subnet attached to TGW | inbound rules of NACL attached to utility subnet | The NACL bound to the utility subnets allows all traffic in and out.
↓ | TGW Attachment Elastic Network Interface | — | 
↓ | TGW Attachment | — | 
Destination | TGW | — | 
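To make the filtering hops in the table concrete, here is an added example (not part of the original page or of Cornell's tooling) that walks a constructed packet through the three points that actually filter on the way to the TGW: the instance security group's outbound rules (allow-only, any match wins), the source subnet NACL's outbound rules (evaluated in ascending rule number, first match wins, implicit deny), and the utility subnet NACL's inbound rules. The rule sets and addresses are constructed sample data, not Cornell's real configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    number: int      # NACL rule number; ignored for SG rules (SGs have no ordering)
    action: str      # "allow" or "deny" (SG rules are always "allow")
    proto: str       # "tcp", "udp", or "-1" for all protocols
    cidr: str        # destination CIDR for outbound rules, source CIDR for inbound
    port_from: int = 0
    port_to: int = 65535

def rule_matches(rule, proto, ip, port):
    if rule.proto != "-1" and rule.proto != proto:
        return False
    if ip_address(ip) not in ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to

def sg_allows(outbound_rules, proto, dst_ip, dst_port):
    # Security groups are allow-only: any matching rule permits the flow.
    return any(rule_matches(r, proto, dst_ip, dst_port) for r in outbound_rules)

def nacl_verdict(rules, proto, ip, port):
    # NACLs are evaluated lowest rule number first; the first match decides.
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, proto, ip, port):
            return r.action == "allow"
    return False  # the implicit "*" deny rule at the end of every NACL

def trace_to_tgw(sg_out, src_nacl_out, tgw_nacl_in, proto, src_ip, dst_ip, dst_port):
    """Apply the hops in table order; return (reached_tgw, name_of_blocking_hop)."""
    hops = [
        ("EC2 security group (outbound)", lambda: sg_allows(sg_out, proto, dst_ip, dst_port)),
        ("source subnet NACL (outbound)", lambda: nacl_verdict(src_nacl_out, proto, dst_ip, dst_port)),
        # Inbound NACL rules match on the *source* address of the packet.
        ("TGW utility subnet NACL (inbound)", lambda: nacl_verdict(tgw_nacl_in, proto, src_ip, dst_port)),
    ]
    for name, check in hops:
        if not check():
            return False, name
    return True, None

# Constructed sample configuration (hypothetical, not Cornell's real rules).
SG_OUT = [Rule(0, "allow", "tcp", "10.0.0.0/8", 22, 22),
          Rule(0, "allow", "tcp", "10.0.0.0/8", 443, 443)]
SRC_NACL_OUT = [Rule(100, "deny", "tcp", "10.20.0.0/16", 22, 22),
                Rule(200, "allow", "-1", "0.0.0.0/0")]
TGW_NACL_IN = [Rule(100, "allow", "-1", "0.0.0.0/0")]  # utility subnet NACL: allow all

if __name__ == "__main__":
    print(trace_to_tgw(SG_OUT, SRC_NACL_OUT, TGW_NACL_IN, "tcp", "10.10.1.5", "10.20.3.7", 443))
```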
Multi-Region Transit Gateway Architecture
The 2023 Direct Connect architecture supports DC connectivity in multiple, but a limited set of, AWS regions. Transit Gateways are regional, but TGWs in different regions can be peered. We use the TGW in us-east-1 as a "hub" and consider the TGWs in other regions as "spokes". This allows any VPC connected to any TGW to reach any other connected VPC. The TGWs in each region receive Direct Connect connectivity by connecting to a single Direct Connect Gateway (DCGW), which has a global footprint and can support TGW connections in any region.
The cost to Cornell of supporting TGWs in each region is about $864 per region per year.
As of January 2023, this multi-region capability exists primarily because of Cornell Apps on Demand requirements. No other Cornell AWS accounts have expressed the need to utilize Direct Connect in regions other than us-east-1.
draw.io source: tgw-peering.v2.drawio