---
title: "Transit Gateway"
type: concept
tags: [AWS, Networking, Multi-Account]
sources: [ctp-topic-7-saas-landing-zone-design]
last_updated: 2026-05-06
---

## Transit Gateway

AWS Transit Gateway is a regional network hub that simplifies connectivity between multiple VPCs and accounts.

## Definition

Transit Gateway plays the central connectivity role in the AWS Landing Zone architecture:

- **Scope**: Regional; connects the VPCs of all accounts within the same Region
- **Function**: central node of a hub-and-spoke architecture; all cross-account traffic is routed through the Transit Gateway
- **Integration with Checkpoint**: Transit Gateway traffic is passed through the Checkpoint Appliance for security monitoring

## Role in SAS Landing Zone

In the Network account defined in [[ctp-topic-7-saas-landing-zone-design]]:

- **Deployment location**: Network Account
- **Connectivity scope**: connects the VPCs of all Core/Baseline/Shared Services/Product accounts
- **Security monitoring**: the Checkpoint Appliance is deployed at the Transit Gateway layer and monitors cross-account traffic by tag (Tagging Approach)
- **Access control**: a resource must carry a specific tag (e.g. `internet-access=true`) before it may reach the Internet or the on-prem network
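To make the hub-and-spoke routing and the tag-gated egress concrete, the following Python model combines a Transit Gateway style route table (longest-prefix match to an attachment) with the `internet-access=true` policy from this note. It is an added example, not code from the note or from AWS; the attachment ids, CIDRs, the set of attachments treated as "external" and the sample flows are all assumptions constructed for illustration.

```python
"""Model of a Transit Gateway hub with tag-gated external egress.

Added example for the landing-zone pattern in the note; all attachment ids,
CIDRs and the set of 'external' attachments are assumptions, not note values.
"""
import ipaddress

# Constructed TGW route table: destination prefix -> attachment id (assumed ids).
TGW_ROUTES = {
    "10.10.0.0/16": "tgw-attach-core",       # Core account VPC (assumed CIDR)
    "10.20.0.0/16": "tgw-attach-product",    # Product account VPC (assumed CIDR)
    "192.168.0.0/16": "tgw-attach-onprem",   # on-prem via DX/VPN (assumed)
    "0.0.0.0/0": "tgw-attach-internet",      # default route to internet egress (assumed)
}

# Attachments that leave the landing zone; traffic is only forwarded here when
# the source carries the tag from the note.  The set itself is an assumption.
EXTERNAL_ATTACHMENTS = {"tgw-attach-onprem", "tgw-attach-internet"}
REQUIRED_TAG = ("internet-access", "true")   # tag key/value from the note


def lookup_route(dst_ip, routes=TGW_ROUTES):
    """Longest-prefix match over the route table, as a TGW route table does.

    Returns the attachment id, or None when no prefix covers dst_ip.
    """
    addr = ipaddress.ip_address(dst_ip)
    best_attachment, best_len = None, -1
    for prefix, attachment in routes.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best_attachment, best_len = attachment, net.prefixlen
    return best_attachment


def decide(src_tags, dst_ip, routes=TGW_ROUTES):
    """Combine routing with the tag policy.

    Returns (action, detail): ("forward", attachment); ("deny", reason) when the
    route is external but the source lacks internet-access=true; ("drop", reason)
    when no route matches.
    """
    attachment = lookup_route(dst_ip, routes)
    if attachment is None:
        return ("drop", "no route for %s" % dst_ip)
    if attachment in EXTERNAL_ATTACHMENTS:
        key, value = REQUIRED_TAG
        if src_tags.get(key) != value:
            return ("deny", "missing tag %s=%s for external route via %s" % (key, value, attachment))
    return ("forward", attachment)


def evaluate_flows(flows, routes=TGW_ROUTES):
    """Apply decide() to (name, src_tags, dst_ip) flows; returns {name: decision}."""
    return {name: decide(tags, dst, routes) for name, tags, dst in flows}


# Constructed sample flows (not from the note).
SAMPLE_FLOWS = [
    ("product-to-core", {"Name": "app-a"}, "10.10.4.20"),              # spoke-to-spoke, no tag needed
    ("tagged-egress", {"internet-access": "true"}, "93.184.216.34"),  # allowed internet egress
    ("untagged-egress", {"Name": "batch"}, "93.184.216.34"),          # denied internet egress
    ("untagged-onprem", {}, "192.168.7.1"),                           # denied on-prem access
]

if __name__ == "__main__":
    for name, (action, detail) in evaluate_flows(SAMPLE_FLOWS).items():
        print(f"{name:18s} -> {action:7s} {detail}")
```

Spoke-to-spoke traffic is forwarded purely on the route lookup, while anything resolving to an on-prem or internet attachment is additionally gated on the tag; the longest-prefix rule is what keeps a spoke VPC prefix from being swallowed by the `0.0.0.0/0` default route.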

## Key Properties

- **Type**: Network Hub
- **Scope**: Regional
- **Architecture**: Hub-and-Spoke
- **In SAS LZ**: core component of the Network Account
- **Inter-Regional**: the per-Region hubs are interconnected in a full mesh via [[TGW-Peering]]

## Relationship to Checkpoint

- Transit Gateway is responsible for routing
- The Checkpoint Appliance is responsible for traffic security inspection (tag-based policy)
- The two work together: routing + security monitoring

## Connections

- [[ctp-topic-7-saas-landing-zone-design]] — core component of the SAS LZ Network account
- [[ctp-topic-18-wide-area-networking-in-aws-cloud]] — wide-area network (WAN) connectivity design
- [[ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones]] — network segmentation and secure access