Amazon Web Services (AWS) Transit Gateway acts as a Regional virtual router for traffic flowing between your virtual private clouds (VPCs) and on-premises networks. You can attach the following resources to your Transit Gateway:

  • One or more VPCs
  • One or more virtual private network (VPN) connections
  • One or more AWS Direct Connect gateways
  • One or more Transit Gateway Connect attachments
  • One or more transit gateway peering connections

You can connect your Redis flexible subscription to a Transit Gateway which is attached to the VPC of your application. This lets your application connect securely to your Redis Cloud database while optimizing performance.

Note:
Transit Gateway is available only with Flexible or Annual subscriptions. It is not supported for Fixed or Free subscriptions.

Considerations

You can use Transit Gateway as an alternative to VPC peering, or you can enable both for your subscription.

Compared to VPC peering, Transit Gateway:

  • Supports complex network topologies, such as multiple VPCs or site-to-site VPNs.

  • Uses security groups and network ACLs to control traffic between VPCs.

  • Has higher network latency than VPC peering, and a higher cost because of Transit Gateway infrastructure charges.

Consider using VPC peering and Transit Gateway in parallel for the following situations:

  • When migrating from one connectivity solution to the other.

  • If different applications need to connect to the same database but have different latency or security requirements.

Prerequisites

Before you can set up Transit Gateway:

  1. Create a Flexible subscription from the Redis Cloud admin console.

  2. Create a transit gateway from the AWS VPC console.

  3. Share the transit gateway from AWS Resource Access Manager (RAM).

Note:
If you have a self-managed AWS account, you will need to set its IAM Instance Policy to include Transit Gateway. See Create IAM resources using the AWS console (deprecated) for more information.

AWS Transit Gateway

To set up Transit Gateway:

  1. Associate your resource share with the Redis AWS account.

  2. Accept the resource share and create an attachment.

  3. Add consumer CIDRs to the attachment.

  4. Update AWS route tables with the Redis Cloud producer CIDRs.

Associate resource share with Redis Cloud

In this step, you will associate your resource share with the Redis AWS account that serves your subscription. You can do this either in the AWS console or with the AWS CLI.

AWS Console

To use the AWS console to set up the resource share:

  1. From the Redis Cloud admin console, select the Subscriptions menu and then select your subscription from the list.

  2. Select Connectivity > Transit Gateway to view the transit gateway settings.

  3. In the Share Transit Gateway section, select Copy under AWS console to copy the Redis AWS Account number.

    The Share Transit Gateway section.

  4. Follow the guide to Update a resource share in AWS Resource Access Manager.

    During the Grant access to principals step, select AWS Account in the Select principal type field. Enter the copied AWS account number in the Enter an AWS Account ID field.

    The AWS Add principal field.

    After the principal is added, it may take some time before it is associated. You can see the status of the principals under Shared Principals in the resource share page.

AWS CLI

To use the AWS CLI to set up the resource share:

  1. From the Redis Cloud admin console, select the Subscriptions menu and then select your subscription from the list.

  2. Select Connectivity > Transit Gateway to view the transit gateway settings.

  3. In the Share Transit Gateway section, select Copy under AWS CLI Command to copy the Redis AWS Account number.

    The Share Transit Gateway section.

  4. Enter the copied CLI command into a terminal shell. Replace <TGW ARN> with the Amazon Resource Name (ARN) of your transit gateway.
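The copied command is only as good as the two values pasted into it: the transit gateway ARN and the 12-digit Redis AWS account number. The script below is an added example, not the command the Redis Cloud console generates and not Redis or AWS tooling. It checks both values for the expected shape before anything reaches the AWS CLI, and it prints the command instead of running it unless `DRY_RUN=0` is set. The `aws ram create-resource-share` invocation, its `--name` value, and all ARNs and account numbers are assumptions and constructed placeholders.

```shell
#!/bin/sh
# Added example (not the console-generated command): validate a transit gateway
# ARN and an AWS account ID before sharing the gateway with that account.
# `aws ram create-resource-share` is a real AWS CLI command; using it here as the
# equivalent of the copied command is an assumption. Nothing calls the AWS CLI
# unless DRY_RUN=0 is exported.
set -eu

# A transit gateway ARN has the form
#   arn:<partition>:ec2:<region>:<12-digit account>:transit-gateway/tgw-<17 hex chars>
validate_tgw_arn() {
    printf '%s\n' "$1" | grep -Eq \
        '^arn:aws(-[a-z]+)*:ec2:[a-z]{2}(-[a-z]+)+-[0-9]:[0-9]{12}:transit-gateway/tgw-[0-9a-f]{17}$'
}

# AWS account IDs are exactly 12 digits; a leading zero is easy to lose when copying.
validate_account_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$'
}

# share_tgw_with_account TGW_ARN ACCOUNT_ID
# Prints (or, with DRY_RUN=0, runs) the share command. Returns 1 without touching
# AWS if either value is malformed, so a mangled paste never creates a share.
share_tgw_with_account() {
    validate_tgw_arn "$1"   || { echo "malformed transit gateway ARN: $1" >&2; return 1; }
    validate_account_id "$2" || { echo "malformed AWS account ID: $2" >&2; return 1; }
    cmd="aws ram create-resource-share --name redis-cloud-tgw-share --resource-arns $1 --principals $2"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        $cmd
    else
        echo "$cmd"
    fi
}

# Constructed placeholder values: replace with the ARN of your transit gateway
# and the account number copied from the Redis Cloud console.
share_tgw_with_account \
    "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-0123456789abcdef0" \
    "222222222222"
```

Run it once without `DRY_RUN` to see the exact command it would issue, compare that against the command copied from the console, and only then re-run with `DRY_RUN=0`.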

Accept resource share and create attachment

After you’ve associated the Redis AWS account with your resource share, you must accept the resource share in the admin console.

  1. In your Redis Cloud subscription’s Transit Gateway settings, you should now see that a Resource Share is available. Select Resource Shares to view the resource share you initiated.

    The Share Transit Gateway section.

  2. Select Accept to associate the Resource Share with your admin console account.

    The Accept resource shares section.
  3. Select Close to close the Accept resource shares section.

  4. You will now see your transit gateway in the Transit Gateways section. After the TGW status is Available, select Create Attachment under Attachment status.

    The Create attachment button.

    This sends a peering attachment request, representing the Redis AWS account, to your transit gateway.

  5. If your transit gateway does not automatically accept peering attachment requests, the attachment will be in Pending acceptance status. Follow the guide to Accept a peering attachment request from the AWS VPC console.

Add consumer CIDRs

  1. In your Redis Cloud subscription’s Transit Gateway settings, in the Transit Gateways section, select Add CIDRs under Consumer CIDRs.

    The Add CIDRs button.

  2. Enter the IPv4 CIDR of the VPC that you want to connect to and that is also attached to your transit gateway. To find this, go to the AWS VPC console and select Your VPCs.

    Select Add to add another CIDR if needed.

    The Add button for adding additional CIDRs.

    Select Save to save your changes.

Update AWS route tables

To finish Transit gateway setup, update your route tables for the peering connection with the following details:

  1. In the Destination field, enter the producer deployment CIDRs.

    You can find the producer deployment CIDRs on the Redis Cloud console in the Transit Gateway settings by selecting More actions > View Attachment in the Transit Gateway section.

    The More actions menu.

    The Producer deployment CIDRs in the Attachment settings.

  2. In the Target field, select Transit Gateway and select the relevant Transit gateway ID.
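The consumer CIDR step and the route table step both depend on the address ranges being right: a consumer VPC range that overlaps a producer deployment range cannot be routed correctly through the gateway, and each route table that must reach the database needs one route per producer CIDR. The script below is an added example, not Redis Cloud or AWS tooling. It parses IPv4 CIDRs, rejects malformed or overlapping ranges, and emits one `aws ec2 create-route` line per route table and producer CIDR; it prints the commands rather than running them. `--route-table-id`, `--destination-cidr-block` and `--transit-gateway-id` are real AWS CLI options; every CIDR, route table ID and transit gateway ID in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Redis Cloud or AWS tooling): check consumer and producer
# CIDRs for validity and overlap, then print the route-table updates as
# `aws ec2 create-route` commands. Nothing here calls the AWS CLI.
set -eu

# cidr_to_range A.B.C.D/N -> prints "<first> <last>" as 32-bit integers,
# or returns 1 if the CIDR is malformed.
cidr_to_range() {
    ip=${1%/*}
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$(( (n << 8) | octet ))
    done
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    first=$(( n & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$first $last"
}

# cidrs_overlap A B -> exit 0 if the two ranges share any address, 1 if they
# are disjoint, 2 if either CIDR is malformed.
cidrs_overlap() {
    a=$(cidr_to_range "$1") || return 2
    b=$(cidr_to_range "$2") || return 2
    a_first=${a% *}; a_last=${a#* }
    b_first=${b% *}; b_last=${b#* }
    [ "$a_first" -le "$b_last" ] && [ "$b_first" -le "$a_last" ]
}

# check_consumer_cidrs "<consumer CIDRs>" "<producer CIDRs>" -> exit 0 when every
# CIDR parses and no consumer range overlaps a producer range; otherwise reports
# the first problem on stderr and returns 1.
check_consumer_cidrs() {
    for c in $1; do
        cidr_to_range "$c" >/dev/null || { echo "invalid consumer CIDR: $c" >&2; return 1; }
        for p in $2; do
            cidr_to_range "$p" >/dev/null || { echo "invalid producer CIDR: $p" >&2; return 1; }
            if cidrs_overlap "$c" "$p"; then
                echo "consumer $c overlaps producer $p" >&2
                return 1
            fi
        done
    done
    return 0
}

# route_commands "<route table IDs>" "<producer CIDRs>" <tgw id> -> one
# create-route line per (route table, producer CIDR) pair, so no table that
# needs to reach the database is left with a partial set of routes.
route_commands() {
    for rtb in $1; do
        for p in $2; do
            echo "aws ec2 create-route --route-table-id $rtb --destination-cidr-block $p --transit-gateway-id $3"
        done
    done
}

# Constructed sample values (placeholders, not a real deployment). Take the
# producer CIDRs from More actions > View Attachment in the Redis Cloud console.
CONSUMER_CIDRS="10.20.0.0/16 10.30.0.0/16"
PRODUCER_CIDRS="10.100.0.0/24 10.100.1.0/24"
ROUTE_TABLES="rtb-EXAMPLE1 rtb-EXAMPLE2"
TGW_ID="tgw-EXAMPLE"

check_consumer_cidrs "$CONSUMER_CIDRS" "$PRODUCER_CIDRS"
route_commands "$ROUTE_TABLES" "$PRODUCER_CIDRS" "$TGW_ID"
```

Because `set -e` is in effect, an overlapping or malformed CIDR stops the script before any route command is printed. Review the printed lines, then run them one at a time against the route tables associated with the subnets your application uses.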

After the Transit Gateway connection is established, we recommend switching your application's connection string to the private endpoint.