In a multi-account network design, what is the primary role of Transit Gateway?

Transit Gateway acts as a central hub that connects many VPCs and on‑prem networks across AWS accounts, enabling scalable routing between them. In a multi‑account design, each VPC or on‑prem site attaches to the Transit Gateway, and routing is managed through centralized route tables. This hub‑and‑spoke model simplifies connectivity, avoids the complexity of many VPC peering connections, and supports a large number of attachments with scalable routing decisions, including VPN and Direct Connect connections to on‑prem environments. It doesn’t encrypt data in transit by default—the actual encryption is provided by VPN/IPsec, TLS, or other security mechanisms at the endpoints. It also doesn’t manage IAM credentials, nor is it a firewall service (though firewall appliances can be used in conjunction with it or managed centrally via Firewall Manager).