When creating a VPC attachment in TGW, one step is:

For Subnet IDs, select one subnet for each Availability Zone to be used by the transit gateway to route traffic. You must select at least one subnet. You can select only one subnet per Availability Zone.

AWS autoselects 3 random subnets (like DMZ-A + APP-B + DATA-C).

I always change to select: APP-A + APP-B + APP-C

Is there any recommendation? Best practice?

Using different subnet types (DMZ and/or APP and/or DATA) seems the worst choice.

1 Answer

AWS best practice is to create a separate subnet in each AZ for the transit gateway attachments.

Use a separate subnet for each transit gateway VPC attachment. For each subnet, use a small CIDR, for example /28, so that you have more addresses for EC2 resources. When you use a separate subnet, you can configure the following:

  • Keep the inbound and outbound NACL associated with the transit gateway subnets open.

  • Depending on your traffic flow, you can apply NACLs to your workload subnets.

I can tell you from experience that if you don't do this, routing and NACLs can get fiddly and work in ways you don't expect. For example, from here:

NACL rules are applied in the following way for traffic from individual EC2 instances to the transit gateway:

  • Outbound rules use the destination IP address for evaluation.
  • Inbound rules use the source IP address for evaluation.
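
As an added example (not from the question, the answer, or AWS), a small Python check that picks the dedicated attachment subnet per AZ from describe-subnets-shaped data, flags any broader than /28, and verifies the associated NACL really is open in both directions; the subnet ids, AZs, CIDRs and the `Role=tgw` tag convention are constructed assumptions.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-subnets`; ids and CIDRs are not real.
SUBNETS = [
    {"SubnetId": "subnet-dmz-a", "AvailabilityZone": "eu-west-1a", "CidrBlock": "10.0.0.0/24", "Tags": [{"Key": "Role", "Value": "dmz"}]},
    {"SubnetId": "subnet-tgw-a", "AvailabilityZone": "eu-west-1a", "CidrBlock": "10.0.255.0/28", "Tags": [{"Key": "Role", "Value": "tgw"}]},
    {"SubnetId": "subnet-tgw-b", "AvailabilityZone": "eu-west-1b", "CidrBlock": "10.0.255.16/28", "Tags": [{"Key": "Role", "Value": "tgw"}]},
    {"SubnetId": "subnet-tgw-c", "AvailabilityZone": "eu-west-1c", "CidrBlock": "10.0.255.64/26", "Tags": [{"Key": "Role", "Value": "tgw"}]},
    {"SubnetId": "subnet-app-b", "AvailabilityZone": "eu-west-1b", "CidrBlock": "10.0.1.0/24", "Tags": [{"Key": "Role", "Value": "app"}]},
]
# Constructed NACL entries (shape of NetworkAcl.Entries), keyed by the associated subnet.
NACL_ENTRIES = {
    "subnet-tgw-a": [
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
    ],
    "subnet-tgw-b": [  # a deny with a lower rule number shadows the inbound allow-all
        {"RuleNumber": 50, "Egress": False, "RuleAction": "deny", "Protocol": "6", "CidrBlock": "10.1.0.0/16"},
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
    ],
}

def select_attachment_subnets(subnets, role="tgw", max_prefix=28):
    """Return ({az: subnet_id}, findings) for the subnets tagged Role=<role>."""
    chosen, findings = {}, []
    for s in subnets:
        if not any(t == {"Key": "Role", "Value": role} for t in s.get("Tags", [])):
            continue
        az = s["AvailabilityZone"]
        if az in chosen:  # the attachment accepts only one subnet per AZ
            raise ValueError(f"more than one {role} subnet in {az}")
        chosen[az] = s["SubnetId"]
        prefix = ipaddress.ip_network(s["CidrBlock"]).prefixlen
        if prefix < max_prefix:  # broader than /28 takes addresses the workloads could use
            findings.append(f"{s['SubnetId']} is /{prefix}, larger than the recommended /{max_prefix}")
    return chosen, findings

def nacl_is_open(entries):
    """True if the lowest-numbered rule in each direction allows all traffic."""
    for egress in (False, True):
        # Rules apply in ascending RuleNumber order, so a deny ahead of the allow-all wins.
        rules = sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])
        if not rules or rules[0]["RuleAction"] != "allow":
            return False
        if rules[0]["Protocol"] != "-1" or rules[0]["CidrBlock"] != "0.0.0.0/0":
            return False
    return True
```

The values `chosen` returns are what you pass as the attachment's subnet IDs; a non-empty `findings` list or a `False` from `nacl_is_open` is worth fixing before creating the attachment.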
