Professional Documents
Culture Documents
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
What to expect
Dev Prod
VPC Peering
Dev Prod
Dev Prod
Shared
services
VPC Peering
Dev Prod
Dev Prod
Shared
services
Dev Prod
Disaster Recovery Region
API
Also
Dev
Prod Prod New Dev Dev Prod
Dev Prod
Dev Prod
Disaster Recovery Region
API
Transit
Gateway
Dev Prod
Wh a t is A WS
Tr a n sit Ga te w a y?
AWS Transit Gateway
Regional service
AWS Region
Scalable
ENIs
Routing domain
Routing domain
Flexible routing AWS Transit Gateway
Transit Gateway
AWS HyperPlane
Transit Gateway example time!
Isolated: Don’t let anything talk! Send everything back over VPN!
Flat: Transit Gateway route domains (route tables)
Per VPC
Route Destination
10.1.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
Default
10.2.0.0/16 vpc-att-2xxxxxxx
Transit Gateway routing domain 10.3.0.0/16 vpc-att-3xxxxxxx
10.4.0.0/16 vpc-att-4xxxxxxx
Flat: Transit Gateway route domains (route tables)
Per VPC
Route Destination
10.1.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
Default
10.2.0.0/16 vpc-att-2xxxxxxx
Transit Gateway routing domain 10.3.0.0/16 vpc-att-3xxxxxxx
10.4.0.0/16 vpc-att-4xxxxxxx
Isolated: Transit Gateway route domains
Per VPC
Route Destination
10.1.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Route Destination
Routing domain for VPCs
0.0.0.0/0 VPN
VPN
Isolated: Transit Gateway route domains
Per VPC
Route Destination
10.1.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Route Destination
Routing domain for VPCs
0.0.0.0/0 VPN
VPN
Isolated: Transit Gateway route domains
Per VPC
Route Destination
10.1.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Attach
go
Route Destination
Routing domain for VPCs
0.0.0.0/0 VPN
You need mutual
routes for connectivity Routing domain
Route Destination Route Destination
Transit Gateway 10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
for VPN 10.2.0.0/16 vpc-att-2xxxx 10.4.0.0/16 vpc-att-4xxxx
Propagate routes
can reach
VPN
Reference
Network Account Account Account Account IAM, cross-account roles
Architecture
Account Account Account Account Account Account
Route Route
tables tables
Transit Gateway
DX
VPN
Account
Strategy
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
A cco u n t a n d VP C se gm e n ta tio n
Infrastructure and
Policy and IAM
Networking
both?
Infrastructure
account
Account
Resource Share External
application
Account
accounts
Account
Internal
Resource Share application
Account
accounts
VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
Account External
accounts
Internal
Account
accounts
VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
Account External
accounts
Internal
Account
accounts
Why not use VPC sharing?
Advantages of separate VPCs
Separate VPCs reduce blast radius and VPC limits
Compliance for applications in individual VPCs
De-merges and spinoffs are easy
Caveats
New: Participants can now use NLB
Participants can’t create Amazon FSx or AWS CloudHSM Classic endpoints
VPC owner cannot eject running participant’s resources
Session on shared VPCs
NET322-R
Shared VPC: Simplify your AWS Cloud scale network with VPC sharing
Wednesday, Dec 4, 3:15 PM - 4:15 PM
Thursday, Dec 5, 1:00 PM - 2:00 PM
Segmentation
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
Segmentation: Decision inputs
Account Account
Account Account
At the VPC
Account Account
Account Account
ACLs
Baseline security
Tenant
configuration IAM
Security groups
Tenant and infrastructure
shared security line
Network security
Infrastructure Route tables
configuration
Network ACLs
Separate VPCs
Segmentation options: Layers
Inside the account
Account Account
Account Account
At the VPC
Account Account
Account Account
Transit Gateway
Route Route
tables tables
Security services Transit Gateway
DX
VPN
Let’s do some examples
Flat: Transit Gateway route domains
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
Default 10.2.0.0/16 vpc-att-2xxxxxxx
Transit Gateway routing domain 10.3.0.0/16 vpc-att-3xxxxxxx
10.0.0.0/8 VPN
Building a routing policy: Isolated VPCs and shared services
Route table setup
VPN and Shared services
propagation
VPC propagation
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared
10.2.0.0/16 vpc-att-2xxxx
services
VPN
Route table setup
VPN and Shared services
propagation
VPC propagation
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared
10.2.0.0/16 vpc-att-2xxxx
services
VPN
Routing policy: Flat shared services with on-premises
Route table setup
VPN and Shared services
propagation
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared 10.4.0.0/16 vpc-att-4xxxx
10.2.0.0/16 vpc-att-2xxxx
services 10.0.0.0/8 VPN
VPN
Segmentation considerations: Where to start
Security groups and IAM are effective and proven
• Encourage IAM and security group use and monitor security configuration
Shared VPCs
• Enforce controls between tenants (security groups, NACLs) and the internet
• Peered VPCs are likely to benefit from Shared VPCs
Separate VPCs
• Often the best security decision is the simplest
• Strong network segmentation and resource isolation
• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)
Use Transit Gateway route tables to define policy for groups of VPCs
How to handle exceptions?
API
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared 10.4.0.0/16 vpc-att-4xxxx
10.2.0.0/16 vpc-att-2xxxx
services
VPN
How to handle exceptions? Shared services
API
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared 10.4.0.0/16 vpc-att-4xxxx
10.2.0.0/16 vpc-att-2xxxx
services
VPN
How to handle exceptions? PrivateLink
API API
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared 10.4.0.0/16 vpc-att-4xxxx
10.2.0.0/16 vpc-att-2xxxx
services
VPN
PrivateLink versus Transit Gateway
AWS PrivateLink AWS Transit Gateway
• One-to-many connectivity Development Testing Production
• Many-to-Many or one-to-many
with route tables
Shared services
Transit Gateway
Scope: Scope
Trust model: Trust model
Dependencies: Dependencies
Scale: Scale
Cost: Cost
How to handle exceptions?
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared 10.4.0.0/16 vpc-att-4xxxx
10.2.0.0/16 vpc-att-2xxxx
services
VPN
How to handle exceptions? VPC peering
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared 10.4.0.0/16 vpc-att-4xxxx
10.2.0.0/16 vpc-att-2xxxx
services
VPN
How to handle exceptions? VPC peering
Route Destination
VPC 10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
Transit Gateway
Route Destination
VPN + Route Destination
10.1.0.0/16 vpc-att-1xxxx 10.3.0.0/16 vpc-att-3xxxx
shared 10.4.0.0/16 vpc-att-4xxxx
10.2.0.0/16 vpc-att-2xxxx
services
VPN
Exceptions: Route tables for DB and consumer VPCs
Exceptions: Route tables for DB and consumer VPCs
How to handle connectivity exceptions
• Ask them to move it to Shared services
tag
VPC tags: Amazon
tag tag
CloudWatch
Associate-with Isolated Rule
Network Admin
Role AWS Transit Gateway
Amazon
EventBridge (4 pre-built route tables)
AWS
Lambda
Network account
Network Admin
Role AWS Transit Gateway
Amazon
EventBridge (4 pre-built route tables)
Transit Network
Management console
AWS
Lambda
tag
ApprovalRequired Yes Amazon
tag tag
CloudWatch
Rule
Network account
tag
Network Admin
Amazon Simple Role AWS Transit Gateway
Amazon
Notification Service EventBridge (4 pre-built route tables)
Transit Network
Management console
AWS
Approval
Lambda required
https://amzn.to/37KQMzD
Connectivity
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
Connecting to on-premises
Virtual Private Gateway VPN DX
• Per VPC • Per VPC (50-500 per port)
• 1.25 gbps per tunnel • Multiple VPCs with DX gateway
• Encrypted in transit • No bandwidth restraint
VPN WAN
VPN WAN
AWS DX
location 10.1.0.0/16
Customer AWS
router router
WAN
10.2.0.0/16
On-premises
AWS DX
location 2
Customer AWS
router router
Account
10.1.0.0/16
Account
Private virtual
interface (VIF) Account
10.2.0.0/16
x10 VPCs
AWS Region
Account
10.1.0.0/16
AWS Region
Account
10.2.0.0/16 Account
10.1.0.0/16
WAN
Account
10.2.0.0/16
router router
Account
On-premises
10.1.0.0/16
AWS Region
Account
10.1.0.0/16
AWS DX location
Account
10.2.0.0/16
Account
10.2.0.0/16
x10 VPCs
Transit virtual interface
Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account
Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account
DX location
Other DX and Transit Gateway options
Use DX in parallel VPN over a public virtual interface
AWS Cloud
Route Route
Tables Tables
Account Account Account Account Account Account
Transit Gateway
Receive AWS
public IP addresses
Route
Tables
Route
Tables Private virtual VPN Public virtual
Transit Gateway
interfaces interface
DX
VPN
DX
VPN
Check your on-premises support
• Multi-path BGP required
• ECMP support, amount of equal paths, reverse-path Customer Gateway
forwarding/spoofing checks
Accelerated VPN
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
Reference
Optional network services
Network
Architecture Development Testing Production Shared services
Route Route
tables tables
Transit Gateway
DX
VPN
Method one: Interface attachment
Spoke route table
Route Destination
Outbound VPC route table
0.0.0.0/0 tgw-xxxxxxxxx
Route Destination
Create return route to VPCs 10.0.0.0/8 tgw-xxxxxxxxx
0.0.0.0/0 igw-xxxxxxxxx
Control egress behavior with a ‘public’ subnet
Create dedicated attachment subnets and route tables to control traffic Apply SNAT
outbound to the
internet
SNAT
SNAT
Create dedicated attachment subnets and route tables to control traffic Apply SNAT
outbound to the
internet
NGW
• Limited to one Transit Gateway attachment per Availability Zone, so one route table
• Traffic is forwarded within the same Availability Zone if possible
• Likely that traffic isn’t evenly distributed across instances
High availability
• There are no built-in health checks for the VPC routes, requires monitoring and management
• Optionally place instances in Amazon EC2 automatic recovery
Stateful services
• Use Source NAT or active-standby to guarantee the return flow to the same instance
Method two: VPN attachment
Spoke route table
Route Destination
Outbound VPC route table
0.0.0.0/0 tgw-xxxxxxxxx
Route Destination
0.0.0.0/0 igw-xxxxxxxxx
Load balance traffic across many VPN tunnels
SNAT
BGP advertisement
VPN insertion design notes
Instance must be able to support: Horizontally scalable service pattern,
more overhead
• VPN to the Transit Gateway
Preferred method if the service supports BGP, VPN,
• BGP to the Transit Gateway (ECMP requirement) and NAT.
• Source NAT
Performance
• IPsec overhead
• Compatible with auto-scaling architectures
• No cumulative bandwidth limit, each tunnel ~1.25 gbps
High availability
• BGP and VPN Dead Peer Detection handle failover
• No API calls required for fault tolerance
Stateful services
• Use Source NAT or active-standby to guarantee the return flow to the same instance
Outbound services: Interface Use cases:
VPC A VPC B
10.1.0.0/16 10.2.0.0/16 Spoke route table Outbound VPC route table
Route Destination Route Destination
10.2.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx
0.0.0.0/0 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx
NGW
VPC A VPC B
10.1.0.0/16 10.2.0.0/16 Spoke route table Outbound VPC route table
Route Destination Route Destination
10.2.0.0/16 Local 100.64.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx
ECMP
VPN
SNAT
BGP advertisement
Ingress services Use cases:
VPC A
10.1.0.0/16
Edge VPC route table
Spoke route table
Route Destination
Route Destination
100.64.0.0/16 Local
10.1.0.0/16 Local
0.0.0.0/0 igw-xxxxxxxxx
100.64.0.0/16 tgw-xxxxxxxxx
ECMP
VPN
Edge VPC
100.64.0.0/16 Edge VPC VPN 10.1.0.0/16 vpc-att-a SNAT
100.64.0.0/16
100.64.1.9/32 Edge VPC VPN
Optional ELB
100.64.2.7/32 Edge VPC VPN
100.64.3.8/32 Edge VPC VPN SNAT
Edge route domain
VPC route domain
Transit Gateway SNAT
DX
Reminder:
VPC A VPC B
10.1.0.0/16 10.2.0.0/16 Spoke route table Inline VPC route table
Route Destination Route Destination
10.2.0.0/16 Local 100.64.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx
100.64.0.0/16 tgw-xxxxxxxxx
VPCs will traffic as originated
from the inline VPC CIDR Apply SNAT
between VPCs for
ECMP flow affinity
VPN
SNAT
10.1.13.100
54.1.1.100
10.1.13.100
54.1.1.100
Unused IGW
NGW
0.0.0.0/0 VPN
0.0.0.0/0 VPN 0.0.0.0/0 NAT
100.64.0.0/16 VPC
VPC route domain VPC route domain NGW
NAT VPC
NAT route domain
10.100.0.0/16
Transit Gateway Transit Gateway (routable)
NGW
10.1.0.0/16 vpc-att-a
10.2.0.0/16 vpc-att-b Group Group Group
Multicast Multicast
VPC route domain domain domain
Transit Gateway
Multi-Region
AWS Region
AWS Region
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
On-premises to multiple Regions
AWS Region
DX
location
DX
gateway
Customer AWS
router router
On-premises
Private virtual
DX interface (VIF)
location 2
Customer AWS
router router
Cross-region Transit Gateway peering
Peering attachment
AWS Transit Gateway Cross-Region Peering
Horizontally scalable
Global network connectivity
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
Costs in AWS Transit Gateway architectures
AWS Transit Gateway costs (N. Virginia):
• $0.05/hour per attachment ~
$36.50/month https://aws.amazon.com/transit-
gateway/pricing/
• $0.02 per GB data processed (sender) https://aws.amazon.com/ec2/pricing/
https://aws.amazon.com/directconnect/pricing/
Notes:
• VPC peering is $0.01/GB in and out, $0.02 total. Similar to TGW.
• Ingress data has no additional cost. VPN and DX-GW attachments to
TGW incur $0.02/GB data processing.
• VPN to TGW integration method is considered intra-Region public
transfer, $0.01/GB each direction, same as cross-AZ transfer.
• To reduce VPC peering costs, look at using VPC sharing
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
Takeaways
Visit aws.amazon.com/training/paths-specialty
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
Nick Matthews
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web services, Inc. or its affiliates. All rights reserved.