    Networking | Published 2025-09-01 | Updated 2025-11-15

    Transit Gateway vs VPC Peering vs PrivateLink

    How to connect VPCs without exposing your network

    Three ways to connect VPCs on AWS - each with different tradeoffs for cost, complexity, and security. VPC Peering is simple and cheap, Transit Gateway scales to thousands of VPCs, and PrivateLink exposes specific services without network-level access.

    Service Overview

    AWS Transit Gateway

    Hub-and-spoke network

    Centralized routing for up to 5,000 VPCs with 50 Gbps per attachment

    Type: Centralized VPC router
    Pricing: $0.05/hr per attachment + $0.02/GB processed

    VPC Peering

    Point-to-point connection

    Simplest option - no additional infrastructure, no transitive routing

    Type: Direct VPC-to-VPC link
    Pricing: Free (same region) / standard data transfer (cross-region)

    AWS PrivateLink

    Service-level access

    Exposes one service, not the entire network - zero trust by design

    Type: Private service endpoint
    Pricing: $0.01/hr per AZ + $0.01/GB processed

    Side-by-Side Comparison

    $ diff --side-by-side

    | Criteria               | Transit Gateway                 | VPC Peering                                           | PrivateLink                          |
    |------------------------|---------------------------------|-------------------------------------------------------|--------------------------------------|
    | Connectivity Model     | Hub-and-spoke (any-to-any)      | 1-to-1 (non-transitive)                               | Service endpoint (unidirectional)    |
    | Max Connections        | 5,000 attachments               | 125 peerings per VPC                                  | Unlimited endpoints                  |
    | Transitive Routing     | Yes                             | No                                                    | N/A                                  |
    | Cross-Region           | Yes (inter-region peering)      | Yes                                                   | Yes (since late 2024)                |
    | Cross-Account          | Yes                             | Yes                                                   | Yes                                  |
    | Network Exposure       | Full VPC routing (configurable) | Full VPC routing                                      | Single service only                  |
    | Bandwidth              | 50 Gbps per VPC attachment      | No aggregate limit (per-flow limited by instance type) | Scales with the NLB behind the endpoint |
    | Centralized Inspection | Yes (with GWLB)                 | No                                                    | No                                   |

    When to Use What

    $ cat DECISION_GUIDE.md

    IF:   You have 3+ VPCs that all need to talk to each other
    THEN: Transit Gateway
    WHY:  Without TGW, you need N*(N-1)/2 peering connections. With TGW, each VPC connects once to the hub.

    IF:   You have exactly 2 VPCs that need full network access
    THEN: VPC Peering
    WHY:  Simpler, free (same region), and sufficient for simple topologies. No additional infrastructure to manage.

    IF:   You want to expose an internal API to another VPC without network access
    THEN: PrivateLink
    WHY:  PrivateLink is zero-trust by design - the consumer can only access the specific service behind the endpoint. No VPC routing, no security group sprawl.

    IF:   You need centralized traffic inspection (IDS/IPS) for all inter-VPC traffic
    THEN: Transit Gateway + Gateway Load Balancer
    WHY:  Route all traffic through a centralized inspection VPC with Network Firewall or third-party appliances via GWLB.

    IF:   You are building a SaaS product accessed by customer VPCs
    THEN: PrivateLink
    WHY:  PrivateLink lets customers access your service privately without exposing either network. Standard pattern for SaaS on AWS.

    Security Insights

    PrivateLink is the most secure option

    PrivateLink never exposes your VPC CIDR, routing tables, or security groups to the consumer. Traffic flows through the AWS backbone, never the public internet. It is zero-trust networking by default.

    VPC Peering is NOT transitive - and that is a feature

    If VPC A peers with B, and B peers with C, A cannot reach C through B. This limits blast radius. But it also means you need Transit Gateway if you want any-to-any connectivity.
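    The blast-radius point above (non-transitive peering, segmented Transit Gateway route tables, PrivateLink exposing a service rather than a network) can be checked with a small reachability model. This is an added example, not code from the original page; the topology (VPCs A-H, the route tables and the "payments-api" endpoint) is constructed, and the TGW semantics are simplified to "each attachment is associated with one route table, and a route table holds the VPCs propagated into it".

```python
"""Reachability / blast-radius model for VPC Peering, Transit Gateway and PrivateLink.

Constructed topology (assumption, not from the page):
  A, B, C       : VPCs joined by VPC peering (A-B, B-C)
  D, E, F, G, H : VPCs attached to one Transit Gateway, segmented into a "prod"
                  and a "dev" route table; H is a shared-services VPC whose
                  routes are propagated into both segments
  C             : also consumes a PrivateLink endpoint for "payments-api" hosted in H
"""

PEERINGS = {frozenset(p) for p in [("A", "B"), ("B", "C")]}

# TGW: each attachment is associated with exactly one route table (its outbound
# lookup table); a table contains routes to the VPCs propagated into it.
TGW_ASSOCIATION = {"D": "prod", "E": "prod", "F": "dev", "G": "dev", "H": "shared"}
TGW_ROUTES = {
    "prod": {"D", "E", "H"},
    "dev": {"F", "G", "H"},
    "shared": {"D", "E", "F", "G", "H"},
}

# PrivateLink: consumer VPC -> service names it has interface endpoints for.
ENDPOINTS = {"C": {"payments-api"}}


def peer_reachable(vpc):
    """Peering is non-transitive: only directly peered VPCs are reachable."""
    return {next(iter(p - {vpc})) for p in PEERINGS if vpc in p}


def tgw_reachable(vpc):
    """X reaches Y over the TGW only if X's route table has a route to Y AND
    Y's route table has a route back to X (otherwise the return path blackholes)."""
    if vpc not in TGW_ASSOCIATION:
        return set()
    outbound = TGW_ROUTES[TGW_ASSOCIATION[vpc]] - {vpc}
    return {y for y in outbound if vpc in TGW_ROUTES[TGW_ASSOCIATION[y]]}


def network_blast_radius(vpc):
    """VPCs whose whole address space is routable from `vpc`. PrivateLink
    endpoints are deliberately excluded: they expose a service, not a network."""
    return peer_reachable(vpc) | tgw_reachable(vpc)


def service_reach(vpc):
    """Services reachable via PrivateLink, with no network-level access granted."""
    return set(ENDPOINTS.get(vpc, ()))


def peering_connections_for_full_mesh(n):
    """Decision guide's formula: N*(N-1)/2 peerings versus N TGW attachments."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    for v in sorted(set(TGW_ASSOCIATION) | {"A", "B", "C"}):
        print(v, "network:", sorted(network_blast_radius(v)), "services:", sorted(service_reach(v)))
```

    Running it shows A reaching only B (never C through B), prod VPCs reaching each other and H but not dev, and C gaining the "payments-api" service without any new routable VPC.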

    Transit Gateway enables centralized traffic inspection

    Route all inter-VPC traffic through a centralized inspection VPC running Network Firewall or a third-party IDS. This is the recommended architecture for regulated environments.

    Transit Gateway costs add up fast

    At $0.05/hr per attachment, 20 VPCs cost ~$730/month in attachment fees alone, before data processing. Budget carefully for large multi-account deployments.

    Key Takeaways

    $ cat SUMMARY.md

    1. PrivateLink = most secure (single service, no network exposure). Use for SaaS and service-to-service.
    2. VPC Peering = simplest and cheapest (free same-region). Use for 2-VPC topologies.
    3. Transit Gateway = scalable hub-and-spoke. Use for 3+ VPCs or centralized inspection.
    4. VPC Peering is not transitive - that limits blast radius but requires more connections.
    5. For centralized IDS/IPS, pair Transit Gateway with Gateway Load Balancer + Network Firewall.
