
Does it matter if I had created my transit gateway attachment for VPC or Peering or even VPN in either public or private subnets? Are there any differences or scenarios that I need to take note of when creating them in either public or private subnets?

It seems like they still work in any of the subnets.

As a best practice, should the transit gateway attachments be created in public or private subnets?

Carven

1 Answer

"Does it matter to have created a transit gateway attachment in public or private subnets?"

Yes, it matters a lot where you create your VPC attachment ENIs (see below).

"As a best practice, should the transit gateway attachments be created in public or private subnets?"

The answer is: neither. For Transit Gateway the best practice is to put the resulting ENIs in dedicated connectivity subnets, for anything but very trivial routing requirements.

To learn why, you can watch NET331 from re:Invent 2018.
The short version is: it opens up a lot of possibilities to do neat routing tricks.

There is plenty of material on the subject (i.e., every re:Invent has several sessions on networking and TGW).

st.huber
  • By dedicated connectivity subnets, are these subnets going to be private or public then? My understanding is subnets are ultimately going to be either public or private, aren’t they? – Carven Jan 20 '22 at 06:58
  • "My understanding is subnets are ultimately going to be either public or private, aren’t they?" My short answer would be: **No**. But that depends on your definition of the terms "public" and "private". If by public/private you mean "Do I have a default route to/from the Internet via an IGW", then it is binary: you either have the route or not. But if you discuss subnet types in terms of "Can it talk to the (public) Internet, my internal (private) resources, or a variation of both", then it is no longer binary. I'd recommend the NET3xx/4xx and ARCxxx talks from re:Invent on the topic. – Martin J Jan 25 '22 at 18:12
  • [SubnetType](https://github.com/aws/aws-cdk/blob/v2.82.0/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts#L165) in the CDK explicitly enumerates the types of Subnet, and each of them (except one deprecated one) is exactly-one of Private or Public, but the Subnet Types section [here](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html) lists two alternative types - "Isolated" and "VPN-only" (though, in the CDK code, "Isolated" is explicitly called `PRIVATE_ISOLATED`) – scubbo Jun 06 '23 at 00:29
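To make the answer's "dedicated connectivity subnets" concrete, here is an added Terraform sketch (not from any poster in this thread): one small subnet per AZ for the attachment ENIs, with its own route table that carries no Internet route, and workload subnets that only route specific remote ranges at the TGW. The variable names, CIDRs and AZ names are placeholders for an existing VPC and Transit Gateway.

```hcl
variable "vpc_id"                  {}
variable "tgw_id"                  {}
variable "workload_route_table_id" {}

locals {
  # One tiny subnet per AZ; /28 is the smallest size AWS allows and is plenty for the attachment ENI.
  tgw_subnets = {
    "eu-west-1a" = "10.20.255.0/28"  # placeholder CIDRs inside the VPC range
    "eu-west-1b" = "10.20.255.16/28"
  }
}

resource "aws_subnet" "tgw" {
  for_each          = local.tgw_subnets
  vpc_id            = var.vpc_id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Name = "tgw-attach-${each.key}" }
}

# Route table used only by the attachment subnets: no IGW or NAT route, so the
# attachment ENIs cannot become an unintended Internet path. Traffic arriving
# from the TGW reaches the rest of the VPC via the implicit local route.
resource "aws_route_table" "tgw" {
  vpc_id = var.vpc_id
}

resource "aws_route_table_association" "tgw" {
  for_each       = aws_subnet.tgw
  subnet_id      = each.value.id
  route_table_id = aws_route_table.tgw.id
}

resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
  transit_gateway_id = var.tgw_id
  vpc_id             = var.vpc_id
  subnet_ids         = [for s in aws_subnet.tgw : s.id]
}

# Workload subnets keep their own route table; only the remote ranges reached
# through the TGW point at it, never 0.0.0.0/0. The route can only be created
# once the attachment exists, hence depends_on.
resource "aws_route" "workload_to_tgw" {
  route_table_id         = var.workload_route_table_id
  destination_cidr_block = "10.0.0.0/8" # placeholder: on-prem / other VPC ranges
  transit_gateway_id     = var.tgw_id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.this]
}
```

Because the attachment subnets have their own route table and NACLs, you can later add inspection or per-environment routing there without touching the workload subnets, which is the flexibility the answer refers to.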