REPEAT 1 AWS Transit Gateway Reference Architectures For Many VPCs NET406-R1 PDF

NET406
AWS Transit Gateway

reference architectures for many VPCs
Nick Matthews
Principal Solutions Architect
Amazon Web Services
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
What to expect
How Transit Gateway works
Let’s build an architecture:
Account Segmentation Connectivity Network Multi-Region Cost

Strategy services
VPC management differences
Ease of creation Access models Diverse ownership

Dev Prod
Dev Prod
Dev Prod
VPC Peering
Dev Prod
Dev Prod
Shared
services
VPC Peering
Dev Prod
Dev Prod
Shared
services
Dev Prod
Disaster Recovery Region
Dev? Dev? Dev? Dev? Dev? Dev?
API
Also
Dev
Prod Prod New Dev Dev Prod
Dev Prod
Shared Shared Dev Prod

services services
Dev Prod
Disaster Recovery Region
Dev? Dev? Dev? Dev? Dev? Dev?
API
Also Prod Prod New Dev Dev Prod
Dev Prod Transit

Gateway
Shared Shared Dev Prod
services services
Transit
Gateway
Dev Prod
Wh a t is A WS
Tr a n sit Ga te w a y?
AWS Transit Gateway
Regional service
AWS Region
Scalable
ENIs
Routing domain
Routing domain
Flexible routing AWS Transit Gateway
VPN AWS Direct

Connect (DX)
AWS HyperPlane and AWS Transit Gateway
AWS Region Attachments
VPC A VPC B VPC A VPC B VPC A VPC B
Transit Gateway
AWS HyperPlane
Transit Gateway example time!
Flat: Every VPC should talk to every VPC!
Isolated: Don’t let anything talk! Send everything back over VPN!
Flat: Transit Gateway route domains (route tables)
Per VPC
Route Destination
10.1.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
Default
Transit Gateway routing domain 10.3.0.0/16 vpc-att-3xxxxxxx
Flat: Transit Gateway route domains (route tables)
Per VPC
Route Destination
10.1.0.0/16 Local
Route Destination
Default
Isolated: Transit Gateway route domains
Per VPC
Route Destination
10.1.0.0/16 Local
Route Destination
Routing domain for VPCs
0.0.0.0/0 VPN
Route Destination Route Destination

Transit Gateway Routing domain 10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
for VPN 10.2.0.0/16 vpc-att-2xxxx 10.4.0.0/16 vpc-att-4xxxx
VPN
Per VPC
Route Destination
10.1.0.0/16 Local
Route Destination
0.0.0.0/0 VPN

Transit Gateway Routing domain 10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
VPN
Per VPC
Route Destination
10.1.0.0/16 Local
Attach
go
Route Destination
0.0.0.0/0 VPN
You need mutual
routes for connectivity Routing domain
Transit Gateway 10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
Propagate routes
can reach
VPN
Reference
Network Account Account Account Account IAM, cross-account roles
Architecture
Account Account Account Account Account Account
Route Route
tables tables
Transit Gateway
DX
VPN
Account
Strategy
A cco u n t a n d VP C se gm e n ta tio n
Larger VPCs or accounts Smaller VPCs or accounts
AWS Identity and Access Management Automation of infrastructure

Strict security groups and routing DX and VPN standards
Identifying resources with tags Subnet and routing standards
Infrastructure and
Policy and IAM
Networking
both?
Provide granular account control

with centralized infrastructure
VPC Sharing and Resource Access Manager
Share subnets between accounts in an AWS Organization
Infrastructure
account
Account
Resource Share External
application
Account
accounts
Account
Internal
Resource Share application
Account
accounts
Account owners only see subnets and their resources
Account External
accounts
Internal
Account
accounts
Account owners only see subnets and their resources
Account External
accounts
Internal
Account
accounts
Why not use VPC sharing?
Advantages of separate VPCs
Separate VPCs reduce blast radius and VPC limits
Compliance for applications in individual VPCs
De-merges and spinoffs are easy
If distributed teams manage their own environments
Caveats
New: Participants can now use NLB
Participants can’t create Amazon FSx or AWS CloudHSM Classic endpoints
VPC owner cannot eject running participant’s resources
Session on shared VPCs
NET322-R
Shared VPC: Simplify your AWS Cloud scale network with VPC sharing
Wednesday, Dec 4, 3:15 PM - 4:15 PM
Thursday, Dec 5, 1:00 PM - 2:00 PM
Segmentation
Segmentation: Decision inputs
Relationship between accounts, VPCs, and tenants?

• Do accounts and tenants trust each other?
• Is the current network segmentation intentional or a side effect?
Who owns security and networking?

• Each team or a centralized team?
Compliance and governance requirements?

• Scope can be reduced at an account or a VPC level
Segmentation options: Layers
Inside the account
Account Account
Account Account
At the VPC
Account Account
Account Account
ACLs
Baseline security
Tenant
configuration IAM
Security groups
Tenant and infrastructure
shared security line
Network security
Infrastructure Route tables
configuration
Network ACLs
Separate VPCs
Segmentation options: Layers
Inside the account
Account Account
Account Account
At the VPC
Account Account
Account Account
Transit Gateway
Route Route
tables tables
Security services Transit Gateway
DX
VPN
Let’s do some examples
Flat: Transit Gateway route domains
All routes and attachments

are in a single route table
Route Destination
Default 10.2.0.0/16 vpc-att-2xxxxxxx
10.0.0.0/8 VPN
Building a routing policy: Isolated VPCs and shared services
Route table setup
VPN and Shared services
propagation
VPC propagation
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared
services
VPN
Route table setup
propagation
VPC propagation
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
shared
services
VPN
Routing policy: Flat shared services with on-premises
Route table setup
propagation
VPC and Shared

services propagation
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
shared 10.4.0.0/16 vpc-att-4xxxx
services 10.0.0.0/8 VPN
VPN
Segmentation considerations: Where to start
Security groups and IAM are effective and proven
• Encourage IAM and security group use and monitor security configuration
Shared VPCs
• Enforce controls between tenants (security groups, NACLs) and the internet
• Peered VPCs are likely to benefit from Shared VPCs
Separate VPCs
• Often the best security decision is the simplest
• Strong network segmentation and resource isolation
• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)
Use Transit Gateway route tables to define policy for groups of VPCs
How to handle exceptions?
API
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
services
VPN
How to handle exceptions? Shared services
API
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
services
VPN
How to handle exceptions? PrivateLink
API API
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
services
VPN
PrivateLink versus Transit Gateway
AWS PrivateLink AWS Transit Gateway
• One-to-many connectivity Development Testing Production
• Many-to-Many or one-to-many
with route tables
Shared services
• Supports overlapping CIDRs

• Uses Network Load Balancer Route Route

Tables Tables
Transit Gateway
Scope: Scope
Trust model: Trust model
Dependencies: Dependencies
Scale: Scale
Cost: Cost
How to handle exceptions?
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
services
VPN
How to handle exceptions? VPC peering
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
services
VPN
How to handle exceptions? VPC peering
Route Destination
VPC 10.0.0.0/8 VPN
Transit Gateway
Route Destination
services
VPN
Exceptions: Route tables for DB and consumer VPCs
Exceptions: Route tables for DB and consumer VPCs
How to handle connectivity exceptions
• Ask them to move it to Shared services
• Use PrivateLink when possible
• Use VPC peering or shared VPCs for clusters of

connected VPCs
• Build new policies for groups of VPCs

Serverless Transit Network Orchestrator (STNO)
Centralized and automated Transit Gateway management
• Spoke VPC route tables (default, RFC1918, custom)
• TGW attachments within the AWS Organization or pre-approved accounts
Includes a Transit Network Management console

• Approval and audit workflow for additional security
Spoke accounts only need to tag their VPC and subnets
No servers to manage using AWS Lambda and AWS Step Functions

STNO route tables
Subnet tags: Spoke account
VPC
Attach-to-tgw <blank> Subnet Subnet
tag
VPC tags: Amazon
tag tag
CloudWatch
Associate-with Isolated Rule
Propagate-to Hybrid, Infrastructure

Network account
Network Admin
Role AWS Transit Gateway
Amazon
EventBridge (4 pre-built route tables)
AWS
Lambda
AWS Resource Manager
Amazon STNO State

DynamoDB Machine
Spoke account
VPC
VPC Route Destination Subnet Subnet
10.0.0.0/16 Local tag

Amazon
10.0.0.0/8 tgw-xxxxxxxx tag tag
CloudWatch
Rule
Network account
Network Admin
Role AWS Transit Gateway
Amazon
EventBridge (4 pre-built route tables)
Transit Network
Management console
AWS
Lambda
Amazon STNO State

DynamoDB Machine
Spoke account
VPC
Transit Gateway route table tags: Subnet Subnet
tag
ApprovalRequired Yes Amazon
tag tag
CloudWatch
Rule
Network account
tag
Network Admin
Amazon Simple Role AWS Transit Gateway
Amazon
Notification Service EventBridge (4 pre-built route tables)
Transit Network
Management console
AWS
Approval
Lambda required
Amazon STNO State

DynamoDB Machine
Try STNO
https://amzn.to/37KQMzD
Connectivity
Connecting to on-premises
Virtual Private Gateway VPN DX
• Per VPC • Per VPC (50-500 per port)
• 1.25 gbps per tunnel • Multiple VPCs with DX gateway
• Encrypted in transit • No bandwidth restraint
VPN WAN
Amazon EC2 customer VPN AWS Transit Gateway VPN / DX

• Per VPC or multiple (Transit VPC) • Multiple VPCs
• Bandwidths vary by instance type • Add VPNs as needed
• AWS Marketplace options • 1.25 gbps per tunnel
• Scalability is generally limited by • Native DX support
VPN management complexity
VPN or DX
Connecting to On-premises at Scale
Virtual Private Gateway VPN DX
• Per VPC • Per VPC (50-500 per port)
• 1.25 gbps per tunnel • Multiple VPCs with DX gateway
• Encrypted in transit • No bandwidth restraint
VPN WAN
Amazon EC2 Customer VPN AWS Transit Gateway VPN / DX

• Per VPC or multiple (Transit VPC) • Multiple VPCs
• Bandwidths vary by instance type • Add VPNs as needed
• AWS Marketplace options • 1.25 gbps per tunnel
• Scalability is generally limited by • Native DX support
VPN management complexity
VPN or DX
DX direct to VPCs
Private virtual interface (VIF) AWS Region
AWS DX
location 10.1.0.0/16
Customer AWS
router router
WAN
10.2.0.0/16
On-premises
AWS DX
location 2
Customer AWS
router router
Up to 50 VIFs per port

DX gateway: Multiple Regions and accounts AWS Region
Account
10.1.0.0/16
VIFs x50 DX gateway

500 VPCs across x10 VPCs Account
10.2.0.0/16
AWS Region
Account
accounts and Regions

10.1.0.0/16
Private virtual
interface (VIF) Account
10.2.0.0/16
x10 VPCs
AWS Region
Account
10.1.0.0/16
AWS Region
Account
10.2.0.0/16 Account
10.1.0.0/16
WAN
Account
10.2.0.0/16
Customer AWS x10 VPCs AWS Region
router router
Account
On-premises
10.1.0.0/16
AWS Region
Account
10.1.0.0/16
AWS DX location
Account
10.2.0.0/16
Account
10.2.0.0/16
x10 VPCs
Transit virtual interface
Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account
Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account
Route Route Route Route Route Route

Tables Tables Tables Tables Tables Tables
Transit Gateway Transit Gateway Transit Gateway
20 routes 20 routes 20 routes

Peering
DX-GW 100 routes Route

Tables
Route
Tables
Route
Tables
Route
Tables
Transit Gateway Transit Gateway
Transit VIF 1 per port

(except hosted VIFs)
3 Transit Gateways AWS
router
per port Customer

router
DX location
Other DX and Transit Gateway options
Use DX in parallel VPN over a public virtual interface
AWS Cloud
Route Route
Tables Tables
Transit Gateway
Receive AWS
public IP addresses
Route
Tables
Route
Tables Private virtual VPN Public virtual
Transit Gateway
interfaces interface
DX
VPN
DX
Use cases: Use cases:

VPN with Transit Gateway: Add more bandwidth
Support for spreading traffic across up to 50 gbps

• Equal Cost Multi-Path (ECMP) support with BGP multi- Route Route
path tables tables
• 1.25 gbps flow limits, so split traffic into smaller flows Transit Gateway
and use multi-part uploads
VPN
Check your on-premises support
• Multi-path BGP required
• ECMP support, amount of equal paths, reverse-path Customer Gateway
forwarding/spoofing checks
Accelerated VPN
Leverage Amazon’s Global

Network
• Combine Amazon Global
Route Route Accelerator with VPN
tables tables • Lower latency
Transit Gateway • Ideal for branch
connectivity
Network
services
Reference
Optional network services
Network
Architecture Development Testing Production Shared services

Authentication, Monitoring
Route Route
tables tables
Transit Gateway
DX
VPN
Method one: Interface attachment
Spoke route table
Route Destination
Outbound VPC route table
Route Destination
Create return route to VPCs 10.0.0.0/8 tgw-xxxxxxxxx
0.0.0.0/0 igw-xxxxxxxxx
Control egress behavior with a ‘public’ subnet
Create dedicated attachment subnets and route tables to control traffic Apply SNAT
outbound to the
internet
SNAT
0.0.0.0/0 vpc-att-outbound 10.1.0.0/16 vpc-att-a Service VPC
SNAT
VPC route domain Service route domain

SNAT
Transit Gateway Route Destination

0.0.0.0/0 eni-xxxxxxx
Method one: NAT gateway
Spoke route table
Route Destination
Route Destination
Create return route to VPCs 10.0.0.0/8 tgw-xxxxxxxxx
Control egress behavior with a ‘public’ subnet
Create dedicated attachment subnets and route tables to control traffic Apply SNAT
outbound to the
internet
NGW
0.0.0.0/0 vpc-att-outbound 10.1.0.0/16 vpc-att-a Service VPC

NGW
VPC route domain Service route domain NGW

0.0.0.0/0 ngw-xxxxxxx
Interface insertion design notes
Simpler pattern, DIY health
Instance must SNAT or use NAT gateway checks
Performance Potentially limited to performance of a single
instance (worst-case scenario). Configure your
• No overhead (8500 MTU) own high availability checks.
• Limited to one Transit Gateway attachment per Availability Zone, so one route table
• Traffic is forwarded within the same Availability Zone if possible
• Likely that traffic isn’t evenly distributed across instances
High availability
• There are no built-in health checks for the VPC routes, requires monitoring and management
• Optionally place instances in Amazon EC2 automatic recovery
Stateful services
• Use Source NAT or active-standby to guarantee the return flow to the same instance
Method two: VPN attachment
Spoke route table
Route Destination
Route Destination
Load balance traffic across many VPN tunnels
VPC routes will be advertised over BGP

ECMP Apply SNAT
VPN outbound to the
internet
SNAT
0.0.0.0/0 Outbound VPC VPN 10.1.0.0/16 vpc-att-a Service VPC
SNAT
VPC route domain Service route domain

SNAT
Transit Gateway BGP prefix Next hop

0.0.0.0/0 Local IP
BGP advertisement
VPN insertion design notes
Instance must be able to support: Horizontally scalable service pattern,
more overhead
• VPN to the Transit Gateway
Preferred method if the service supports BGP, VPN,
• BGP to the Transit Gateway (ECMP requirement) and NAT.
• Source NAT
Performance
• IPsec overhead
• Compatible with auto-scaling architectures
• No cumulative bandwidth limit, each tunnel ~1.25 gbps
High availability
• BGP and VPN Dead Peer Detection handle failover
• No API calls required for fault tolerance
Stateful services
• Use Source NAT or active-standby to guarantee the return flow to the same instance
Outbound services: Interface Use cases:
VPC A VPC B
10.1.0.0/16 10.2.0.0/16 Spoke route table Outbound VPC route table
10.2.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx
0.0.0.0/0 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx
NGW
0.0.0.0/0 vpc-att-outbound 10.1.0.0/16 vpc-att-a Outbound VPC

NGW
10.0.0.0/8 Blackhole 10.2.0.0/16 vpc-att-b 100.64.0.0/16
VPC route domain Outbound route domain NGW

VPC Attachment route table, per AZ

Outbound services: VPN Use cases:
VPC A VPC B
10.1.0.0/16 10.2.0.0/16 Spoke route table Outbound VPC route table
10.2.0.0/16 Local 100.64.0.0/16 Local
ECMP
VPN
SNAT
0.0.0.0/0 Outbound VPC VPN 10.1.0.0/16 vpc-att-a Outbound VPC

10.0.0.0/8 Blackhole 10.2.0.0/16 vpc-att-b 100.64.0.0/16
SNAT
VPC route domain Outbound route domain

SNAT

0.0.0.0/0 Local IP
BGP advertisement
Ingress services Use cases:
VPC A
10.1.0.0/16
Edge VPC route table
Spoke route table
Route Destination
Route Destination
100.64.0.0/16 Local
10.1.0.0/16 Local
ECMP
VPN
Edge VPC
100.64.0.0/16 Edge VPC VPN 10.1.0.0/16 vpc-att-a SNAT
100.64.0.0/16
100.64.1.9/32 Edge VPC VPN
Optional ELB
100.64.2.7/32 Edge VPC VPN
100.64.3.8/32 Edge VPC VPN SNAT
Edge route domain
VPC route domain
Transit Gateway SNAT
BGP prefix Next hop

100.64.0.0/16 Local IP
BGP advertisement 100.64.1.9/32 Local IP
Edge services: SDWAN, VPN, Firewalls
VPC A VPC B
10.1.0.0/16 10.2.0.0/16
Use an edge services VPC in front of Edge VPC

Transit Gateway
AWS Transit
Gateway
• Encryption over DX or the internet
• Scalable VPN access for third-party VPN, SDWAN VPN
• Also how used to migrate or extend existing
Transit VPCs
• Helpful for hosted VIF (<1 Gbps) DX
Private virtual Tunnels
• Ingress firewall inspection use case interface
DX
Reminder:
Existing network services or DMZs

may be convenient, but they may
also be the problem.
Remember to evaluate operational processes, alternatives, and automation
Inline service: VPN Use cases:
VPC A VPC B
10.1.0.0/16 10.2.0.0/16 Spoke route table Inline VPC route table
10.2.0.0/16 Local 100.64.0.0/16 Local
VPCs will traffic as originated
from the inline VPC CIDR Apply SNAT
between VPCs for
ECMP flow affinity
VPN
SNAT
10.0.0.0/8 Inline VPC VPN 10.1.0.0/16 vpc-att-a Inline VPC

100.64.1.9/32 Inline VPC VPN 10.2.0.0/16 vpc-att-b 100.64.0.0/16
100.64.2.7/32 Inline VPC VPN SNAT
100.64.3.8/32 Inline VPC VPN
Inline route domain
VPC route domain SNAT

10.0.0.0/8 Local IP
100.64.3.9/32 Local IP
BGP advertisement
Transit Gateway partners
Centralizing PrivateLink with Transit Gateway
Region
Private Hosted Zones Association
VPC 1 VPC 2 VPC 3

Shared
Services
VPC Private Hosted Zones
VPC Interface Endpoints
For more: Wednesday, Dec 4, 1:00 PM - 2:00 PM

Let’s go to NAT school
VPC
0.0.0.0/8 ngw-xxxxxxx 0.0.0.0/0 igw-xxxxxxx
10.1.13.100
54.1.1.100
Dest: 3.3.3.3 Dest: 3.3.3.3 Dest: 3.3.3.3

Source: 10.1.13.13 Source: 10.1.13.100 Source: 54.1.1.100
Let’s go to NAT school
VPC
0.0.0.0/8 ngw-xxxxxxx 0.0.0.0/0 vgw-xxxxxxx
10.1.13.100
54.1.1.100
Dest: 3.3.3.3 Dest: 3.3.3.3 Dest: 3.3.3.3

Source: 10.1.13. 13 Source: 10.1.13.100 Source: 10.1.13.100
Centralized IP address preservation
Routable route table
Route Destination Outbound VPC route table
10.1.0.0/16 100.64.0.0/16 0.0.0.0/0 tgw-normal Route Destination
10.100.0.0/16 Local
Non-routable route table 0.0.0.0/0 tgw-xxxxxxxxx
Route Destination
0.0.0.0/0 tgw-nat
Unused IGW
NGW
0.0.0.0/0 VPN
0.0.0.0/0 VPN 0.0.0.0/0 NAT
100.64.0.0/16 VPC
VPC route domain VPC route domain NGW
NAT VPC
NAT route domain
10.100.0.0/16
Transit Gateway Transit Gateway (routable)
NGW
Filter 100.64/12 Route Destination

VPC Attachment route table, per AZ

Multicast on AWS Transit Gateway
VPC A VPC B
10.1.0.0/16 10.2.0.0/16
Use cases:
10.1.0.0/16 vpc-att-a
10.2.0.0/16 vpc-att-b Group Group Group
Multicast Multicast
VPC route domain domain domain
Transit Gateway
Multi-Region
AWS Region
AWS Region
On-premises to multiple Regions
AWS Region
DX
location
DX
gateway
Customer AWS
router router
WAN AWS Region
On-premises
Private virtual
DX interface (VIF)
location 2
Customer AWS
router router
Cross-region Transit Gateway peering
Peering attachment
AWS Transit Gateway Cross-Region Peering
Full mesh network across multiple

regions with static peering
Private and performant connectivity

across the AWS Global Network
All traffic across Transit Gateway Cross-

Region peering is encrypted
Horizontally scalable
Global network connectivity
Leverage the AWS Global Network
Combine AWS Global Accelerator with

VPN
Lower latency, less jitter, consistent

connectivity
Ideal for branch connectivity

My global network
Cost
Costs in AWS Transit Gateway architectures
AWS Transit Gateway costs (N. Virginia):
• $0.05/hour per attachment ~
$36.50/month https://aws.amazon.com/transit-
gateway/pricing/
• $0.02 per GB data processed (sender) https://aws.amazon.com/ec2/pricing/
https://aws.amazon.com/directconnect/pricing/
Notes:
• VPC peering is $0.01/GB in and out, $0.02 total. Similar to TGW.
• Ingress data has no additional cost. VPN and DX-GW attachments to
TGW incur $0.02/GB data processing.
• VPN to TGW integration method is considered intra-Region public
transfer, $0.01/GB each direction, same as cross-AZ transfer.
• To reduce VPC peering costs, look at using VPC sharing
Takeaways
We have tools and architectures that horizontally scale to many VPCs
There’s wiggle room for your specific use cases
Use services in combination to meet scale and security requirements

A dvice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test

Learn networking with AWS Training and Certification
Resources created by the experts at AWS to help you build and validate networking skills
Free digital courses cover topics related to networking and

content delivery, including Introduction to Amazon CloudFront
and Introduction to Amazon VPC
Validate expertise with the

AWS Certified Advanced Networking - Specialty exam
Visit aws.amazon.com/training/paths-specialty
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
Nick Matthews

REPEAT 1 AWS Transit Gateway Reference Architectures For Many VPCs NET406-R1 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

REPEAT 1 AWS Transit Gateway Reference Architectures For Many VPCs NET406-R1 PDF

Uploaded by

Copyright:

Available Formats

NET406

AWS Transit Gateway

How Transit Gateway works

Let’s build an architecture:

Account Segmentation Connectivity Network Multi-Region Cost

Ease of creation Access models Diverse ownership

Dev? Dev? Dev? Dev? Dev? Dev?

Shared Shared Dev Prod

Dev? Dev? Dev? Dev? Dev? Dev?

Also Prod Prod New Dev Dev Prod

Dev Prod Transit

VPN AWS Direct

VPC A VPC B VPC A VPC B VPC A VPC B

Flat: Every VPC should talk to every VPC!

Route Destination Route Destination

Route Destination Route Destination

Account Account Account Account Account Account

Larger VPCs or accounts Smaller VPCs or accounts

AWS Identity and Access Management Automation of infrastructure

Provide granular account control

If distributed teams manage their own environments

Relationship between accounts, VPCs, and tenants?

Who owns security and networking?

Compliance and governance requirements?

All routes and attachments

VPC and Shared

• Supports overlapping CIDRs

Account Account Account Account Account Account

• Uses Network Load Balancer Route Route

• Use PrivateLink when possible

• Use VPC peering or shared VPCs for clusters of

• Build new policies for groups of VPCs

Includes a Transit Network Management console

Spoke accounts only need to tag their VPC and subnets

No servers to manage using AWS Lambda and AWS Step Functions

Propagate-to Hybrid, Infrastructure

AWS Resource Manager

Amazon STNO State

10.0.0.0/16 Local tag

AWS Resource Manager

Amazon STNO State

AWS Resource Manager

Amazon STNO State

Amazon EC2 customer VPN AWS Transit Gateway VPN / DX

Amazon EC2 Customer VPN AWS Transit Gateway VPN / DX

Up to 50 VIFs per port

VIFs x50 DX gateway

accounts and Regions

Customer AWS x10 VPCs AWS Region

Route Route Route Route Route Route

Transit Gateway Transit Gateway Transit Gateway

20 routes 20 routes 20 routes

DX-GW 100 routes Route

Transit Gateway Transit Gateway

Transit VIF 1 per port

per port Customer

Account Account Account Account Account Account

Use cases: Use cases:

Support for spreading traffic across up to 50 gbps

Leverage Amazon’s Global

Account Account Account Account Account Account

Account Account Account Account Account Account

0.0.0.0/0 vpc-att-outbound 10.1.0.0/16 vpc-att-a Service VPC