Simplifying AWS Global Connectivity with Transit Gateways

 

Amazon Virtual Private Clouds (VPCs) are isolated private network spaces within the AWS cloud that let you launch resources in a virtual network resembling an on-premises network, with the benefits of AWS' scalable infrastructure. Each VPC is logically separated from all other AWS virtual networks. VPC offers connectivity options such as VPC peering connections, Security Groups and Network Access Control Lists (which function similarly to firewalls), and connectivity from non-AWS infrastructure to AWS VPCs.

Core elements of a VPC include:

  • The VPC itself, the logically isolated virtual network in the AWS cloud whose IP address space is defined from ranges you select.
  • Subnets that segment the VPC's IP address range for groups of isolated resources.
  • Internet Gateways for public Internet access.
  • Virtual private gateways, the AWS side of a VPN connection into the VPC.
  • Highly available managed Network Address Translation (NAT) services that give resources in a private subnet outbound access to the Internet.
  • Peering Connections that route traffic between two peered VPCs over private IP addresses.
  • VPC Endpoints that enable private connectivity to services hosted in AWS.
  • Egress-only Internet Gateways that provide egress-only access for IPv6 traffic from the VPC to the Internet.

 

AWS Transit Gateways

A common method for efficiently connecting multiple VPCs with cloud and public networks is to create a "hub-and-spoke" network topology, separated by region, that routes all traffic through a virtual network transit center. This is the role of AWS Transit Gateway, a managed service that makes connectivity easier, provides better visibility and control over cloud resources, and enables network and bandwidth expansion on demand. You can also create a meshed network with separate connections between all virtual networks, thereby creating a transit network.

This is a good option for companies that require resources at a global level because of a very large or cross-continental infrastructure. One example would be a company that runs its software in one region and needs the same capabilities and performance of the application delivered to the other side of the world. AWS gives companies that require global support the ability to take advantage of AWS Regions on a global scale.

When managing multiple VPCs combined with public internet access, AWS Transit Gateways can help simplify your networking model as well. When building applications across multiple VPCs, Transit Gateways enable network service sharing across VPCs to reduce network complexity. AWS evangelist Jeff Barr has a very detailed blog post on how to implement Transit Gateways in the AWS cloud to reduce network complexity here.

Barr shares the following diagrams showing the state of a VPC deployment before and after adopting Transit Gateways. The first diagram shows VPCs connected without a Transit Gateway:

[Diagram from Barr's post: VPCs interconnected without a Transit Gateway]

Using a Transit Gateway, a more efficient model looks like this:

[Diagram from Barr's post: the same VPCs connected through a Transit Gateway]

Traffic stays on the global AWS backbone and never touches the public internet, which reduces exposure to threats such as malicious actors and malware. With Transit Gateways you can attach up to 5000 VPCs to each gateway, and every attachment can handle up to 50 Gbits/second of traffic.
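As an added example (not code from the original post or from Barr's), the hub-and-spoke topology above expressed in Terraform with the AWS provider: spoke VPCs attach to one regional Transit Gateway and are routed only to a shared-services VPC, not to each other, because the default any-to-any route table is disabled and separate route tables grant reachability explicitly. The VPC and subnet IDs are placeholders, not real resources.

```hcl
resource "aws_ec2_transit_gateway" "hub" {
  # No implicit any-to-any table: reachability exists only where granted below.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Placeholder IDs (not real resources); the shared VPC hosts common services.
locals {
  vpcs = {
    shared  = { vpc_id = "vpc-PLACEHOLDER-SHARED", subnets = ["subnet-PLACEHOLDER-SHARED"] }
    spoke_a = { vpc_id = "vpc-PLACEHOLDER-A", subnets = ["subnet-PLACEHOLDER-A"] }
    spoke_b = { vpc_id = "vpc-PLACEHOLDER-B", subnets = ["subnet-PLACEHOLDER-B"] }
  }
  spokes = { for k, v in local.vpcs : k => v if k != "shared" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "att" {
  for_each           = local.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnets
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# The spoke table learns only the shared VPC's CIDRs, so spoke-to-spoke traffic has no route.
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.att[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_to_spokes" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.att["shared"].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# The shared VPC has its own table and learns every spoke's CIDRs.
resource "aws_ec2_transit_gateway_route_table_association" "shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.att["shared"].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spokes_to_shared" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.att[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}
```

Each VPC's own subnet route tables still need routes for the remote CIDRs pointing at the Transit Gateway, which this fragment does not show.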

AWS Direct Connect and Transit Gateways

Amazon also recently announced AWS Direct Connect support for AWS Transit Gateway as can be seen in the diagram above. AWS Direct Connect creates a secure, dedicated connection from on-premises infrastructure to AWS.

According to AWS, Direct Connect lets customers connect thousands of Amazon Virtual Private Clouds (Amazon VPCs) across multiple AWS Regions to on-premises networks using 1/2/5/10 Gbps AWS Direct Connect connections. In the past, AWS Transit Gateway only supported AWS Site-to-Site VPN and Amazon VPC attachments, but it now supports Direct Connect as well.

AWS Direct Connect gateways let you reach any AWS Region over your AWS Direct Connect connections, and you can associate up to three Transit Gateways, from any AWS Region, with each Direct Connect gateway.

AWS Direct Connect’s virtual interface, called a transit virtual interface, supports connectivity to AWS Transit Gateway. For increased network and connectivity resiliency, Amazon recommends attaching at least two transit virtual interfaces from different AWS Direct Connect locations to the Direct Connect gateway. 

 
