Mar 8

AWS VPC Peering vs Transit Gateway Comparison for Exams

MT
Mindli Team

AI-Generated Content

Navigating AWS's networking services is a critical skill for architects and engineers, and choosing the correct connectivity solution is a frequent exam topic. Your decision between VPC Peering and Transit Gateway directly impacts cost, complexity, and scalability. On exams, you must quickly identify scenario-specific requirements—like the number of VPCs, routing needs, and geographical spread—to select the most appropriate and cost-effective service.

Defining the Core Services: Point-to-Point vs. Hub-and-Spoke

VPC Peering is a networking connection between two Virtual Private Clouds (VPCs) that allows you to route traffic between them using private IPv4 or IPv6 addresses. Think of it as a dedicated, point-to-point cable directly linking two private networks. Once peered, instances in either VPC can communicate as if they are on the same network, provided route tables are correctly configured. This service is designed for simple, static connections.

Transit Gateway acts as a regional hub or a central router that can connect thousands of VPCs, VPN connections, and AWS Direct Connect gateways. It operates on a hub-and-spoke model. Instead of creating a mesh of direct connections, each VPC (the "spoke") attaches once to the central Transit Gateway (the "hub"). This architecture simplifies management and scaling dramatically.

Architectural and Routing Differences

The architectural difference dictates their routing behavior, a key exam distinction. With VPC Peering, routing is non-transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C through VPC B. You would need a separate, direct VPC peering connection between VPC A and VPC C, leading to a complex mesh as the number of VPCs grows.

Transit Gateway introduces transitive routing. When VPC A, B, and C are all attached to the same Transit Gateway, the hub can route traffic between any of them, provided the route tables permit it. This eliminates the need for a full mesh of connections. The Transit Gateway uses route tables to control the flow of traffic. You can create multiple route tables to segment network traffic, enabling sophisticated designs like network isolation for shared services.

Cross-Region and Scalability Considerations

For multi-region architectures, both services offer solutions but with different operational models. VPC Peering connections are always intra-region; you cannot peer two VPCs in different AWS regions. To connect VPCs across regions, you must use Inter-Region VPC Peering, which is a distinct, globally routable service.

Transit Gateway can be interconnected globally using Transit Gateway Inter-Region Peering. This allows a Transit Gateway in one region to peer with a Transit Gateway in another, enabling a global hub-and-spoke network. For exam scenarios involving a company with VPCs in North America and Europe needing centralized management, Transit Gateway with inter-region peering is often the correct choice over managing multiple inter-region VPC peering connections.

Decision Framework for Exam Scenarios

When faced with an exam question, apply this logical framework to choose between VPC Peering and Transit Gateway.

  1. Count the VPCs and Assess Future Growth: The "many VPCs" keyword is a strong indicator. For 2-3 VPCs with a simple connection, VPC peering is suitable. For 4 or more VPCs, or any mention of scaling, future growth, or a hub-and-spoke design, Transit Gateway is almost always correct. Exam questions often present a scenario where a company starts with 3 VPCs but plans to add 10 more—Transit Gateway is the scalable answer.
  2. Analyze Routing Complexity: If the scenario describes a need for a central VPC (e.g., hosting shared services or a firewall) that many other VPCs must access, this requires transitive routing. VPC peering cannot solve this elegantly; you would need a full mesh or complex routing workarounds. Transit Gateway is built for this pattern.
  3. Evaluate Cross-Region Needs: For multi-region connectivity, compare the management overhead. A few cross-region VPC pairs might use Inter-Region VPC Peering. However, a need for centralized routing control or connecting multiple VPCs across two regions tips the scale toward Transit Gateway with Inter-Region Peering.
  4. Consider Cost Implications (Indirectly): While detailed cost calculations won't be on the exam, the principle of cost-effectiveness is tested. A full mesh of VPC peering connections (n*(n-1)/2 connections) becomes expensive and operationally heavy. Transit Gateway has per-attachment and data processing charges, but it consolidates connections, often becoming more cost-effective at scale.

Common Pitfalls

  1. Assuming Transitive Routing with VPC Peering: This is the most common exam trap. You see VPCs A, B, and C, and see that A is peered to B, and B is peered to C. The incorrect answer choice will suggest that A can talk to C. Always remember: VPC Peering is strictly non-transitive.
  2. Overlooking Route Table Configuration: Both services require proper route table updates. For VPC Peering, you must add a route in each VPC's route table pointing to the peering connection for the peer VPC's CIDR block. For Transit Gateway, you must ensure the VPC's route table points to the Transit Gateway attachment and that the Transit Gateway route table has routes to the attached VPCs. Exam questions often test on connectivity failures due to missing routes.
  3. Choosing Peering for Clearly Complex Hub-and-Spoke Scenarios: When a question describes a "central inspection VPC," "shared services," or a "hub," your mind should immediately go to Transit Gateway. Choosing VPC peering here, even if it seems possible with a complex mesh, is incorrect because it ignores the operational and scaling benefits of the purpose-built service.
  4. Misunderstanding Cross-Region Capabilities: Remember that standard VPC Peering is intra-region only. If a question asks about connecting VPCs in us-east-1 and eu-west-1, you cannot use a regular VPC peering connection. The viable options are Inter-Region VPC Peering or Transit Gateway Inter-Region Peering.
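The non-transitive behaviour of peering, the transitive hub-and-spoke behaviour of Transit Gateway with segmented route tables, and the missing-return-route pitfall from the list above can all be exercised in a small route-lookup model. The following Python is an added example written for this page, not code from Mindli or AWS: the VPC names, CIDRs, connection identifiers (pcx-ab, tgw-hub, tgw-rtb-spokes and so on) and the simplified forwarding rules are assumptions chosen to mirror how the page describes the two services, and the model approximates route-table behaviour rather than reproducing the full service.

```python
import ipaddress

# Constructed three-VPC topology. Every name and CIDR here is an assumed example value,
# not a real AWS resource; the model approximates route-table behaviour, not the full service.
VPC_CIDRS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}


def lookup(route_table, dst_ip):
    """Longest-prefix match over {cidr: target}; returns the target or None if no route."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def in_vpc(vpc, dst_ip):
    """True if dst_ip falls inside the VPC's own CIDR block."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPC_CIDRS[vpc])


def deliver(net, src_vpc, dst_ip):
    """Trace one packet from src_vpc toward dst_ip. Returns (delivered, hops)."""
    hops = [src_vpc]
    target = lookup(net["vpc_routes"][src_vpc], dst_ip)
    if target is None:
        return False, hops + ["no route in %s route table" % src_vpc]
    if target == "local":
        return in_vpc(src_vpc, dst_ip), hops
    if target.startswith("pcx-"):
        # A peering connection hands the packet to the far VPC and nowhere else. The far
        # VPC never forwards it onward through its own peerings: that is non-transitivity.
        end_a, end_b = net["peerings"][target]
        peer = end_b if src_vpc == end_a else end_a
        hops += [target, peer]
        return in_vpc(peer, dst_ip), hops
    if target.startswith("tgw-"):
        # The TGW consults the route table associated with the *source* attachment and
        # forwards to whichever attachment that table names for the destination.
        tgw_rt = net["tgw_association"][src_vpc]
        hops += [target, tgw_rt]
        dst_vpc = lookup(net["tgw_route_tables"][tgw_rt], dst_ip)
        if dst_vpc is None:
            return False, hops + ["no route in %s" % tgw_rt]
        hops.append(dst_vpc)
        return in_vpc(dst_vpc, dst_ip), hops
    return False, hops + ["unsupported target %s" % target]


def round_trip(net, src_vpc, src_ip, dst_vpc, dst_ip):
    """Connectivity needs a route in both directions; a missing return route breaks it."""
    return deliver(net, src_vpc, dst_ip)[0] and deliver(net, dst_vpc, src_ip)[0]


# Chained peerings A<->B and B<->C. vpc-a even carries the tempting "10.2.0.0/16 via pcx-ab"
# route; in this model it still cannot reach vpc-c, because pcx-ab only ever lands in vpc-b.
PEERED = {
    "peerings": {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-bc": ("vpc-b", "vpc-c")},
    "vpc_routes": {
        "vpc-a": {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-ab"},
        "vpc-b": {"10.1.0.0/16": "local", "10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
        "vpc-c": {"10.2.0.0/16": "local", "10.1.0.0/16": "pcx-bc"},
    },
}

# Hub-and-spoke through one TGW with two TGW route tables: spokes (vpc-a, vpc-b) only get a
# route to the shared-services VPC (vpc-c), while the shared-services table reaches every spoke.
# vpc-c's own route table deliberately lacks the route back to the TGW (the missing-route pitfall).
TGW = {
    "vpc_routes": {
        "vpc-a": {"10.0.0.0/16": "local", "10.0.0.0/8": "tgw-hub"},
        "vpc-b": {"10.1.0.0/16": "local", "10.0.0.0/8": "tgw-hub"},
        "vpc-c": {"10.2.0.0/16": "local"},
    },
    "tgw_association": {"vpc-a": "tgw-rtb-spokes", "vpc-b": "tgw-rtb-spokes", "vpc-c": "tgw-rtb-shared"},
    "tgw_route_tables": {
        "tgw-rtb-spokes": {"10.2.0.0/16": "vpc-c"},
        "tgw-rtb-shared": {"10.0.0.0/16": "vpc-a", "10.1.0.0/16": "vpc-b"},
    },
}


def with_return_route(net):
    """Copy of the TGW topology with vpc-c's missing route to the TGW added."""
    fixed = {k: dict(v) for k, v in net.items()}
    fixed["vpc_routes"] = {vpc: dict(rt) for vpc, rt in net["vpc_routes"].items()}
    fixed["vpc_routes"]["vpc-c"]["10.0.0.0/8"] = "tgw-hub"
    return fixed


if __name__ == "__main__":
    print("peering A->B:", deliver(PEERED, "vpc-a", "10.1.0.10"))
    print("peering A->C via B:", deliver(PEERED, "vpc-a", "10.2.0.10"))
    print("tgw A->C one way:", deliver(TGW, "vpc-a", "10.2.0.10"))
    print("tgw A<->C:", round_trip(TGW, "vpc-a", "10.0.0.10", "vpc-c", "10.2.0.10"))
    print("tgw A<->C after fix:", round_trip(with_return_route(TGW), "vpc-a", "10.0.0.10", "vpc-c", "10.2.0.10"))
    print("tgw A->B (spokes isolated):", deliver(TGW, "vpc-a", "10.1.0.10"))
```

Running the model shows the three exam points side by side: the peered topology delivers A to B but drops A to C at vpc-b even when vpc-a has a route pointing at the peering connection; the TGW topology delivers A to C in one direction yet round_trip fails until vpc-c's route table gets its route back to the TGW; and because the spokes are associated with a TGW route table that only knows the shared-services CIDR, A to B is blocked without any extra firewalling, which is the segmentation the route-table design buys you.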

Summary

  • VPC Peering is a point-to-point connection between two VPCs. It is simple and cost-effective for a small, fixed number of connections but suffers from non-transitive routing and becomes an unmanageable mesh as you scale.
  • Transit Gateway is a regional hub that enables transitive routing in a hub-and-spoke model. It scales to thousands of attachments (VPCs, VPNs) and simplifies routing management through dedicated route tables.
  • For cross-region connectivity, use Inter-Region VPC Peering for specific point-to-point links, or Transit Gateway Inter-Region Peering to connect global hub networks.
  • On exams, let scenario keywords guide you: "many VPCs," "future growth," "central hub," or "shared services" point to Transit Gateway. "Simple connection between two VPCs" points to VPC Peering.
  • Always verify that route tables are configured correctly for either service to establish connectivity, as this is a frequent source of exam questions.
