Hybrid cloud is the preferred approach for most organizations that follow a 'cloud first' policy. Many large enterprises need to establish a secured hybrid cloud connectivity topology across
- Cloud accounts & its VPCs(Virtual Private Cloud)
- On-premise offices across geographic locations.
It is also essential that the network connectivity design addresses the isolation of north-south and east-west traffic according to business and compliance needs. In this post, we'll look at the design choices available and how AWS Transit Gateway can help simplify and enable a well-architected network design on the cloud.
Network connectivity design is one of the most significant aspects that one needs to get right from the beginning of any design strategy, before provisioning any resources in the cloud. From an infrastructure network setup point of view, creating and managing multiple IPSec tunnels, peerings and Direct Connect (DX) links among accounts and VPCs becomes more complicated over time and with every added component.
A Customer Scenario
Let us take the case of a customer whose needs warranted distinct AWS accounts for Prod and Dev deployments. To start with, the connectivity requirement was to link up three corporate sites (offices and DC co-locations) and the existing cloud workloads. There was also a need for VPC peering connections between the Prod and Dev accounts, and also to their partner's VPC in another AWS account in the same region.
The customer insisted on a centralized approach to connectivity that could be maintained and extended to future locations and accounts with ease and simplicity.
Solutions Considered
Option A: The obvious solution was to create individual VPNs for each combination of account VPC and on-premise location, along with peering. This would require multiple VPN tunnels and routing rules on both sides; even this starting configuration was complex enough, and in no way centralized.
Option B: Transit VPC. This was the favored centralized approach that existed before Transit Gateway. For most practical purposes it is scalable and centralized, but it is not a native solution and always looked like a workaround, as you need to maintain a VPC solely for the purpose of connectivity. It is still visibly complex and rigid on routing.
Option C: Transit Gateway. The solution using AWS Transit Gateway to simplify the network infrastructure setup and manage multiple connections in one place is the least complex, centralized and easy to maintain. Leveraging AWS Transit Gateway, which acts as a central hub connecting multiple VPCs and VPN connections, simplified the solution.
Transit Gateway attachments
Transit Gateway attachments can be multiple VPN connections from on-premise to AWS, VPC peerings and VPN connections from other cloud accounts.
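As an added example that is not from the post or from AWS, the following Python model shows how Transit Gateway route tables (which the post does not go into) carry the isolation described above: each attachment is associated with one route table, routes are propagated or blackholed per table, and the longest prefix wins. The attachment names, CIDRs, trust zones and the restricted Prod subnet are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed attachments and the CIDR behind each (names and ranges are assumptions).
ATTACHMENTS = {
    "prod-vpc": "10.10.0.0/16", "dev-vpc": "10.20.0.0/16",
    "partner-vpc": "10.30.0.0/16",                   # partner's account, shared via RAM
    "vpn-site-1": "192.168.1.0/24", "vpn-site-2": "192.168.2.0/24",
    "vpn-site-3": "192.168.3.0/24",                  # the three corporate / co-lo sites
}

class TransitGateway:
    def __init__(self):
        self.tables = {}        # table name -> {network: attachment, or None for blackhole}
        self.association = {}   # attachment -> the one route table its traffic is looked up in

    def associate(self, attachment, table):
        self.tables.setdefault(table, {})
        self.association[attachment] = table

    def propagate(self, table, *attachments):
        # Route propagation: the table learns each attachment's CIDR as a route to it.
        for att in attachments:
            self.tables.setdefault(table, {})[ip_network(ATTACHMENTS[att])] = att

    def blackhole(self, table, cidr):
        # Static blackhole route: matching traffic is dropped even if a wider route exists.
        self.tables.setdefault(table, {})[ip_network(cidr)] = None

    def next_hop(self, src, dst_ip):
        """Attachment that receives traffic from `src` to `dst_ip`, or None if dropped."""
        table = self.tables[self.association[src]]
        matches = [net for net in table if ip_address(dst_ip) in net]
        if not matches:
            return None                               # no route at all: dropped
        return table[max(matches, key=lambda net: net.prefixlen)]   # longest prefix wins

def build_customer_tgw():
    """One routing domain per trust zone: prod, dev, partner and on-premise sites."""
    tgw = TransitGateway()
    sites = ["vpn-site-1", "vpn-site-2", "vpn-site-3"]
    zones = {"prod-vpc": "prod", "dev-vpc": "dev", "partner-vpc": "partner"}
    zones.update({site: "onprem" for site in sites})
    for attachment, table in zones.items():
        tgw.associate(attachment, table)
    tgw.propagate("prod", "dev-vpc", "partner-vpc", *sites)   # prod may reach everything
    tgw.propagate("dev", "prod-vpc", *sites)                  # dev: prod and on-prem, never partner
    tgw.propagate("partner", "prod-vpc")                      # partner: prod only
    tgw.propagate("onprem", "prod-vpc", "dev-vpc")            # sites: both VPCs, not the partner
    tgw.blackhole("dev", "10.10.100.0/24")   # assumed restricted prod subnet, hidden from dev
    return tgw
```

Because each attachment is looked up in exactly one table, the partner and on-premise sites never see each other's routes even though all of them hang off the same hub.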
Additional Features
Being an AWS managed service, Transit Gateway provides up to 50 Gbps of bandwidth between each VPN attachment and the transit gateway. Using AWS Transit Gateway, creating an IPSec VPN connection from an AWS VPC to any cloud account via VPN is simpler. To configure VPN connections across accounts, one can share the AWS Transit Gateway with other accounts via RAM (Resource Access Manager). To view data about IP traffic routed through the Transit Gateway, one can enable and use VPC Flow Logs. Transit Gateway provides Amazon CloudWatch metrics to monitor packet drop counts and bytes sent and received between VPNs and VPCs.
There is a cost per attachment to the Transit Gateway, as well as a data transfer cost. With the new support for Direct Connect with Transit Gateway, it makes a compelling case to get going with Transit Gateway, considering future scaling options.
Right now, Transit Gateway is regional, and it should hopefully be only a matter of time before it supports cross-region VPC connectivity.
For more information on AWS VPC connectivity and security, you can schedule time with our experts at 1CloudHub and request this topic specifically.
Written by:
Geetha Pandiyan & Umashankar Nedunchezhian
1CloudHub
Cloud Solution Architect
1CloudHub