Transit gateways#

General information#

Transit gateways enable interaction between the resources in different VPCs. Since other projects can be granted access to a transit gateway, transit gateways can interconnect VPCs in different projects, including those belonging to other companies.

A transit gateway operates as a virtual router between VPCs. It receives IP packets from one VPC via its gateway attachment and forwards them to another VPC’s attachment depending on the recipient’s IP address.

In order to define the attachment to which the traffic should be forwarded, the transit gateway uses its own route tables, which specify VPC attachments as gateways.

Key concepts#

Attachments — Used to attach VPCs to a transit gateway. Every attachment of a transit gateway is both a packet source and a packet destination.

Transit gateway route table — Route tables relate to a specific transit gateway and can be associated only with attachments of that gateway. A transit gateway attachment is specified as a gateway in the route table. Optionally, a blackhole route can be specified.

Default transit gateway route table — If a default route table is specified for a transit gateway, it is associated with its attachments by default when they are created.

Association — Every transit gateway attachment can be associated with one transit gateway route table only. However, a route table can be associated with an arbitrary number of attachments.
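The forwarding decision these concepts describe, modelled as an added example (not code from the platform or its documentation). All IDs and CIDRs are constructed; longest-prefix matching and dropping traffic that has no association or no matching route are assumptions, not statements from this page.

```python
import ipaddress

# Constructed sample data; every ID and CIDR here is hypothetical.
ROUTE_TABLES = {
    "tgw-rtb-prod": [
        ("10.20.0.0/16", "tgw-attach-shared"),
        ("10.30.0.0/16", None),               # None marks a blackhole route
    ],
    "tgw-rtb-shared": [
        ("10.10.0.0/16", "tgw-attach-prod"),
        ("10.30.0.0/16", "tgw-attach-dev"),
    ],
}
# Each attachment is associated with at most one route table.
ASSOCIATIONS = {
    "tgw-attach-prod": "tgw-rtb-prod",
    "tgw-attach-shared": "tgw-rtb-shared",
    # tgw-attach-dev has no association in this sample
}

def forward(ingress_attachment, dst_ip):
    """Return ('forward', attachment_id) or ('drop', reason) for one packet."""
    table_id = ASSOCIATIONS.get(ingress_attachment)
    if table_id is None:
        return ("drop", "no associated route table")    # assumption
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table_id]:
        net = ipaddress.ip_network(cidr)
        # Assumption: the most specific matching route wins.
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        return ("drop", "no matching route")            # assumption
    if best[1] is None:
        return ("drop", "blackhole")
    return ("forward", best[1])

if __name__ == "__main__":
    # The same destination is reachable from one attachment and discarded
    # for another, because each uses its own associated route table.
    for src in ("tgw-attach-prod", "tgw-attach-shared", "tgw-attach-dev"):
        print(src, "->", forward(src, "10.30.1.5"))
```

Because the route table is chosen by the ingress attachment, associating attachments with different tables is what separates their reachability.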

Transit gateway quotas#

The following transit gateway quotas are established:

  • up to 5 transit gateways per project;

  • up to 5 attachments of different gateways per VPC;

  • up to 50 routes per transit gateway route table;

  • up to 20 route tables per transit gateway;

  • up to 20 attachments of all transit gateways per project.

If necessary, you can increase quotas. To do this, contact the support service.

The use of transit gateways#

To enable interaction among VPCs, create a transit gateway attachment in each of the VPCs you want to connect. An attachment is associated with specific subnets of its VPC when it is created.

To use a transit gateway, first create all of its resources: the transit gateway itself, a transit gateway route table, and transit gateway attachments in the VPCs you connect. Then specify routes in the transit gateway route tables that are associated with the attachments.

In addition, to send traffic from a subnet to another VPC via a transit gateway, add a route that specifies this transit gateway as the gateway to the route table associated with the subnet.

For details on how to interconnect VPCs using a transit gateway, see the instruction.

Operations with transit gateways#

Create a transit gateway#

To create a transit gateway:

  1. Go to the Transit gateways section and open the corresponding subsection.

  2. Click Create.

  3. In the dialog window, you can set the Name tag and gateway description.

    The Set route table as default option is enabled by default. If it is selected, a blank route table will be created and set as default for the transit gateway. You can disable the option and set the default route table later.

    In addition, you can grant access to the transit gateway from other projects. To do so, specify the projects in the Access to transit gateway field as follows: project@customer. If necessary, you can grant access later.

  4. If additional tags are required, click Add tags to go to the next step and assign the tags.

  5. Click Create to create the gateway.

Set a default route table#

If you want to set a default table for a transit gateway or disassociate the existing one, do the following:

Note

If a transit gateway was earlier associated with a default route table, associating a new default table as well as disassociating the existing one will not impact associations you created earlier.

The new default table will be automatically associated only with new attachments. If you want to associate the new default table with the existing attachments, do it manually.

  1. Go to the Transit gateways section and open the corresponding subsection.

  2. Select the transit gateway in the resource table.

  3. Click Set default route table.

  4. In the dialog window, select the transit gateway route table from the list. To disassociate the default route table, click beside the table ID.

  5. Click Set to confirm the selection.

Alternatively, to set another default route table, you can go to the transit gateway page and edit the Default route table field in the Information tab.

Grant access to a transit gateway#

If you need to attach VPCs from other projects, including those of other companies, you can grant access from these projects to a transit gateway. Granted such access, users of other projects can add and delete attachments to your transit gateway in their projects. All other operations with the transit gateway and its resources can be performed only by the transit gateway owner.

  1. Go to the Transit gateways section and open the corresponding subsection.

  2. Select the transit gateway in the resource table.

  3. Click Set access.

  4. In the dialog window, specify the projects in the Grant access for projects field as follows: project@customer.

  5. Click Apply.

Set tags for a transit gateway#

To add, edit or delete transit gateway tags:

  1. Go to the Transit gateways section and open the corresponding subsection.

  2. In the resource table, select the transit gateway for which the tags should be set and click on the gateway ID to go to its page.

  3. Open the Tags tab.

  4. To add a tag, click Add tag and specify the Key and Value fields.

    To modify a tag, edit the required fields (Value and/or Key) of the respective tag.

    To delete a tag, click the icon next to the tag you no longer need.

    Note

    If no tags have been set earlier, you can add the Name tag by clicking Add Name tag.

  5. Click Apply to save the changes.

Delete a transit gateway#

Note

If you are granted access to a gateway from another project, you cannot delete this gateway if you are not its owner.

If you want to delete a transit gateway, delete all its attachments first.

  1. Go to the Transit gateways section and open the corresponding subsection.

  2. Select the transit gateway in the resource table. You can select multiple gateways at once for deletion.

  3. Click Delete.

  4. In the dialog window, confirm the action.

Operations with transit gateway route tables#

A transit gateway route table is always associated with a specific gateway and cannot be created separately.

Create a transit gateway route table#

If you have no transit gateways, create one first.

If necessary, you can create both a default route table and additional ones. To create a transit gateway route table:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. Click Create.

  3. In the dialog window, select the transit gateway for which you want to create a route table. Specify the Name tag to make the table easy to identify.

  4. If additional tags are required, click Add tags to go to the next step and assign the tags.

  5. Click Create to create a transit gateway route table.

Add a route#

Routes in a transit gateway route table are specified the same way as for common route tables. The only difference is that a transit gateway attachment is specified as the gateway for traffic. In addition, you can select a blackhole route, in which case all the traffic targeted for the specified network is discarded.

To set a route:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. In the resource table, select the route table for which the route should be created and click on the table ID to go to its page.

  3. Open the Routes tab and click Add.

  4. In the dialog window, specify:

    Note

    The Blackhole and Attachment options are mutually exclusive.

    • Network specifies the destination subnet in CIDR notation.

    • Blackhole, if the traffic targeted for this network should be discarded.

    • Attachment to which the VPC with the destination network is attached.

  5. Click Create.

Associate a route table with an attachment#

In the Route tables section, you can associate an attachment with a route table only if the attachment has no association. Otherwise, to use this instruction, delete the existing association first. If the attachment is already associated with a transit gateway route table, it is better to change the association on the attachment page.

To associate a route table with an attachment:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. Select the transit gateway route table in the resource table.

  3. Click Create associations.

  4. In the dialog window, select from the list one or more attachments with which you want to associate this table.

  5. Click Create.

You can also associate a transit gateway route table with an attachment in the Associations tab, on the page of this route table.

Specify tags for a route table#

To add, modify or delete tags for a route table:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. In the resource table, select the route table for which tags should be specified and click on the table ID to go to its page.

  3. Open the Tags tab.

  4. To add a tag, click Add tag and specify the Key and Value fields.

    To modify a tag, edit the required fields (Value and/or Key) of the respective tag.

    To delete a tag, click the icon next to the tag you no longer need.

    Note

    If no tags have been set earlier, you can add the Name tag by clicking Add Name tag.

  5. Click Apply to save the changes.

Delete a route#

To delete one or more routes:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. In the resource table, select the route table from which the route should be deleted and click on the table ID to go to its page.

  3. Open the Routes tab.

  4. Select routes to be deleted and click Delete.

  5. Confirm deletion.

Delete associations#

If you want to delete associations for a transit gateway route table, do the following:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. In the resource table, select the transit gateway route table for which an association should be deleted.

  3. Click Delete the associations.

  4. In the dialog window, select from the list one or more attachments with which this table is associated.

  5. Click Delete to cancel the associations.

You can cancel associations in the Associations tab, on the page of the transit gateway route table.

Delete a transit gateway route table#

You can delete a transit gateway route table only if it is not the default table and is not associated with any attachment.

To delete a transit gateway route table:

  1. Go to the Transit gateways section and open the Route tables subsection.

  2. In the resource table, select one or more transit gateway route tables you want to delete. You can delete route tables of different transit gateways at once.

  3. Click Delete.

  4. In the dialog window, confirm the action.

You can also delete a specific route table on its page in the Information tab.

Operations with attachments of transit gateways#

Attachments are always associated with a specific gateway and cannot be created separately.

Create a transit gateway attachment#

If you have no transit gateways, create one first.

When you create an attachment, it is sufficient to attach one subnet in any availability zone: traffic to and from all other subnets and availability zones can then be routed via the transit gateway to and from other VPCs. However, if you need to send traffic via a transit gateway to or from subnets in other availability zones, it is better to attach a subnet in each availability zone. This reduces traffic delivery latency by eliminating intermediate hops and improves the availability of the transit gateway in general. If the attachment has problems in one availability zone, connectivity is maintained via the attached subnets in other availability zones.

Attachment subnets are subject to the following constraints:

  • CIDR blocks of subnets attached to a transit gateway should not overlap.

  • If an attachment is already created for the selected gateway, subnets of any new attachment of this gateway to other VPCs should be in the same availability zones.

  • In each availability zone, no more than one subnet can be attached.

After an attachment is created, the attached subnets cannot be changed. To change them, you have to delete the attachment and create it again.
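Because attached subnets cannot be changed afterwards, it pays to check a planned attachment against the three constraints above before creating it. The following is an added example, not the platform's own validation; the data layout and zone names are constructed, and "same availability zones" is interpreted as the sets of zones being equal.

```python
import ipaddress
from collections import Counter

def check_new_attachment(existing, new_subnets):
    """Check a planned attachment against the three subnet constraints.

    existing    -- attachments already on the gateway, each a list of (cidr, az)
    new_subnets -- (cidr, az) pairs chosen for the new attachment
    Returns a list of violations; an empty list means all checks pass.
    """
    problems = []

    # No more than one subnet per availability zone.
    for az, count in sorted(Counter(az for _, az in new_subnets).items()):
        if count > 1:
            problems.append(f"{count} subnets selected in {az}")

    # Same availability zones as the attachments that already exist
    # (assumption: interpreted as equal sets of zones).
    if existing:
        used = {az for _, az in existing[0]}
        chosen = {az for _, az in new_subnets}
        if chosen != used:
            problems.append(f"zones {sorted(chosen)} differ from {sorted(used)}")

    # CIDR blocks of all subnets attached to the gateway must not overlap.
    attached = [ipaddress.ip_network(c) for att in existing for c, _ in att]
    planned = [ipaddress.ip_network(c) for c, _ in new_subnets]
    for i, net in enumerate(planned):
        for other in attached + planned[:i]:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
    return problems

# Constructed sample: one existing attachment spanning two zones.
EXISTING = [[("10.10.1.0/24", "az-a"), ("10.10.2.0/24", "az-b")]]
GOOD = [("10.20.1.0/24", "az-a"), ("10.20.2.0/24", "az-b")]
BAD = [("10.10.1.128/25", "az-a"), ("10.20.3.0/24", "az-a")]

if __name__ == "__main__":
    print(check_new_attachment(EXISTING, GOOD))
    for problem in check_new_attachment(EXISTING, BAD):
        print("violation:", problem)
```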

If a transit gateway has a default route table, it will be associated with the attachment when it is created. If necessary, you can later associate the attachment with another route table.

  1. Go to the Transit gateways section and open the Attachments subsection.

  2. Click Create.

  3. In the dialog window, set the following parameters:

    • Name tag to identify the attachment (optional).

    • Transit gateway for which the attachment is to be created.

    • Resource type. You cannot modify it yet: a transit gateway can be attached only to a VPC.

    • VPC to which the transit gateway will be attached.

    • VPC’s subnets to which the transit gateway will be attached.

  4. If additional tags are required, click Add tags to go to the next step and assign the tags.

  5. Click Create to create the attachment.

Modify the associated route table#

To associate the attachment with another transit gateway route table:

  1. Go to the Transit gateways section and open the Attachments subsection.

  2. In the resource table, select the attachment with which another route table should be associated and click on the attachment ID to go to its page.

  3. Edit the Route table field in the Information tab.

    Note

    Editing is unavailable if the gateway is created in a different project. If you have the necessary privileges in it, go to the attachment page in the project where the gateway was created, and edit it there. Click Edit in owner project.

Set tags for an attachment#

To add, modify or delete tags for an attachment:

  1. Go to the Transit gateways section and open the Attachments subsection.

  2. In the resource table, select the attachment for which the tags should be set and click on the attachment ID to go to its page.

  3. Open the Tags tab.

  4. To add a tag, click Add tag and specify the Key and Value fields.

    To modify a tag, edit the required fields (Value and/or Key) of the respective tag.

    To delete a tag, click the icon next to the tag you no longer need.

    Note

    If no tags have been set earlier, you can add the Name tag by clicking Add Name tag.

  5. Click Apply to save the changes.

Delete a transit gateway attachment#

If you are the transit gateway owner, you can delete any of its attachments from the project where this gateway was created. If you are not the transit gateway owner, you can delete only attachments of your projects.

Note

If transit gateway route tables associated with other attachments have routes via the attachment you want to delete, these routes become “blackhole” after the attachment is deleted. If a VPC route table contains the attachment you want to delete, its routes via this attachment to other VPCs will become “blackhole” as well.
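A pre-deletion check for the effect described in this note, as an added example that is not part of the platform or its documentation. It works on an exported inventory whose layout, IDs and CIDRs are all constructed here; recording the attachment a VPC route uses as a plain ID is an assumption about how you export the data.

```python
def deletion_impact(attachment_id, tgw_tables, associations, vpc_tables):
    """List every route that would become a blackhole if the attachment is deleted.

    tgw_tables   -- {tgw_route_table_id: [(cidr, target_attachment or None)]}
    associations -- {attachment_id: tgw_route_table_id}
    vpc_tables   -- {vpc_route_table_id: [(cidr, attachment_used)]}
    """
    # Transit gateway routes that point at the attachment.
    tgw_hits = [(table_id, cidr)
                for table_id, routes in sorted(tgw_tables.items())
                for cidr, target in routes if target == attachment_id]
    hit_tables = {table_id for table_id, _ in tgw_hits}
    # Other attachments whose associated table contains such a route:
    # their traffic to those networks is what gets discarded.
    sources = sorted(att for att, table_id in associations.items()
                     if table_id in hit_tables and att != attachment_id)
    # VPC routes that leave through the attachment.
    vpc_hits = [(table_id, cidr)
                for table_id, routes in sorted(vpc_tables.items())
                for cidr, via in routes if via == attachment_id]
    return {"tgw_routes": tgw_hits,
            "affected_sources": sources,
            "vpc_routes": vpc_hits}

# Constructed inventory; every ID and CIDR is hypothetical.
TGW_TABLES = {
    "tgw-rtb-1": [("10.20.0.0/16", "tgw-attach-b"),
                  ("10.30.0.0/16", "tgw-attach-c")],
    "tgw-rtb-2": [("10.10.0.0/16", "tgw-attach-a"),
                  ("10.99.0.0/16", None)],        # already a blackhole route
}
ASSOC = {"tgw-attach-a": "tgw-rtb-1",
         "tgw-attach-b": "tgw-rtb-2",
         "tgw-attach-c": "tgw-rtb-2"}
VPC_TABLES = {"rtb-vpc-a": [("10.20.0.0/16", "tgw-attach-a")],
              "rtb-vpc-b": [("10.10.0.0/16", "tgw-attach-b")]}

if __name__ == "__main__":
    report = deletion_impact("tgw-attach-b", TGW_TABLES, ASSOC, VPC_TABLES)
    for kind, items in report.items():
        print(kind, items)
```

An empty report for all three keys means no existing route depends on the attachment.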

To delete one or more attachments:

  1. Go to the Transit gateways section and open the Attachments subsection.

  2. Select the attachment(s) in the resource table.

  3. Click Delete.

  4. Confirm deletion.

An individual attachment can also be deleted in the Information tab on its page.