© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SUMMIT
Easily scale your network with AWS Transit Gateway
Bhavin Desai, Senior Solutions Architect, Amazon Web Services
SVC305
Diagram: a VPC (CIDR 10.1.0.0/16) in an AWS Region, spanning Availability Zone 1 and Availability Zone 2, each with a public subnet and a private subnet. Instance A (10.1.0.11/24) and Instance B (10.1.1.11/24) sit in the public subnets with elastic IPs 54.23.12.43 and 54.19.12.23; Instance C (10.1.2.11/24) and Instance D (10.1.3.11/24) sit in the private subnets behind a NAT gateway (or NAT instance). Attached to the VPC: an internet gateway (IGW), a VPC endpoint (VPCE) to Amazon S3, a virtual private gateway (VGW) with VPN and an AWS Direct Connect gateway (DXGW) to on premises, VPC peering (intra- or inter-region) to VPC-B, an AWS PrivateLink service provider VPC fronted by an NLB, and VPC Flow Logs. Annotations: + Expand, + IPv6.

Public subnet route table
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       IGW
S3 prefix list  VPCE-123
On premises     VGW
VPC-B           PCX-123

Private subnet route table
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       NAT-GW
S3 prefix list  VPCE-123
On premises     VGW
VPC-B           PCX-123

Let's take a closer look
Diagram: the same VPC with AWS Transit Gateway added; both route tables gain an entry "Other routes  TGW". Services shown around the VPC: Amazon S3, Amazon DynamoDB, AWS Lambda, AWS Direct Connect, Amazon SQS, Amazon SNS, AWS IoT, Amazon CloudWatch, AWS PrivateLink-enabled services, and on premises.
What is the AWS Transit Gateway?
AWS Transit Gateway
“AWS Transit Gateway radically evolved and simplified cloud networking. Using AWS Transit Gateway, we reduced the time to interconnect new VPCs and on-premises networks from weeks to minutes while attaining consistent and more reliable network performance!”
Khoder Shamy, Director, Cloud Platform and Infrastructure, Fuze
Before AWS Transit Gateway
Interconnecting VPCs at scale: Peering
Connecting a large number of VPCs in a mesh is challenging to manage
Connecting on-premises networks to each new VPC can take weeks to months to implement because of customers' internal change processes
Interconnecting VPCs at scale: AWS Transit Gateway
Single VPN with AWS Transit Gateway
Introducing AWS Transit Gateway
Diagram: an AWS Transit Gateway in an AWS Region, with VPCs attached through ENIs in their subnets, a VPN attachment and an AWS Direct Connect Gateway attachment, grouped into routing domains.
Regional service. Scalable. Flexible routing.
Flat: AWS Transit Gateway route domains (route tables)

Default routing domain (AWS Transit Gateway route table)
Destination   Route
10.1.0.0/16   vpc-att-1xxxxxxx
10.2.0.0/16   vpc-att-2xxxxxxx
10.3.0.0/16   vpc-att-3xxxxxxx
10.4.0.0/16   vpc-att-4xxxxxxx

Per VPC (subnet route table of VPC 1)
Destination   Route
10.1.0.0/16   Local
10.0.0.0/8    tgw-xxxxxxxxx
Isolated: AWS Transit Gateway route domains

Per VPC (subnet route table of VPC 1)
Destination   Route
10.1.0.0/16   Local
0.0.0.0/0     tgw-xxxxxxxxx

Routing domain for VPCs (the VPC attachments are associated with this table; it only knows the VPN, so VPCs cannot reach each other through the transit gateway)
Destination   Route
0.0.0.0/0     VPN

Routing domain for VPN (the VPN attachment is associated with these tables; the VPC attachments propagate their CIDRs into them)
Destination   Route
10.1.0.0/16   vpc-att-1xxxx
10.2.0.0/16   vpc-att-2xxxx

Destination   Route
10.3.0.0/16   vpc-att-3xxxx
10.4.0.0/16   vpc-att-4xxxx

Associate: the route table an attachment's traffic is looked up in. Propagate: the attachment's routes are written into a route table, which is what it can be reached from.
Quick comparison: AWS Transit Gateway and Transit VPC
Diagram: side by side, a Transit VPC and an AWS Transit Gateway, each connected to the on-premises WAN over VPN and AWS Direct Connect.
Reference network architecture
Diagram: many accounts, each with its own VPC, attached to a single AWS Transit Gateway alongside a VPN and a Direct Connect Gateway; the attachments are grouped into transit gateway route tables, and IAM with cross-account roles controls access across the accounts.
Use case 1: Shared services with AWS Transit Gateway (shared services + VPN)
VPCs attach to a route table with routes to shared resources; shared resources attach to a route table with routes to all resources.

Spoke route table (the spoke VPC attachments, vpc-att-1 to vpc-att-3, are associated with it)
Destination   Route
10.0.0.0/8    VPN
10.4.0.0/16   vpc-att-4xxxx

Shared services route table (the shared services VPC, vpc-att-4, is associated with it; the VPN needs the same routes to return traffic to every VPC)
Destination   Route
10.1.0.0/16   vpc-att-1xxxx
10.2.0.0/16   vpc-att-2xxxx
10.3.0.0/16   vpc-att-3xxxx
10.4.0.0/16   vpc-att-4xxxx
Use case 2: Outbound internet with NAT gateway
Spoke VPCs (VPC A 10.1.0.0/16, VPC B 10.2.0.0/16) send internet-bound traffic through the transit gateway to an Outbound VPC (100.64.0.0/16), where a NAT gateway per AZ applies SNAT before the traffic leaves through the internet gateway.

Spoke VPC route table (VPC B)
Destination    Route
10.2.0.0/16    Local
0.0.0.0/0      tgw-xxxxxxxxx

VPC route domain (spoke route table on the transit gateway)
Destination    Route
0.0.0.0/0      vpc-att-outbound

Outbound route domain (Outbound VPC route table on the transit gateway)
Destination    Route
10.1.0.0/16    vpc-att-a
10.2.0.0/16    vpc-att-b

Outbound VPC, transit gateway attachment subnet route table (per AZ)
Destination    Route
0.0.0.0/0      ngw-xxxxxxx

Outbound VPC, NAT gateway subnet route table
Destination    Route
100.64.0.0/16  Local
10.0.0.0/8     tgw-xxxxxxxxx
0.0.0.0/0      igw-xxxxxxxxx

Apply SNAT outbound to the internet.
Use case 3: Outbound services VPC
As in use case 2, but the Outbound VPC (100.64.0.0/16) is reached over a VPN attachment with ECMP rather than a VPC attachment: the Outbound VPC advertises a default route to the transit gateway over BGP and applies SNAT before traffic leaves through the internet gateway.

Spoke VPC route table (VPC B)
Destination    Route
10.2.0.0/16    Local
0.0.0.0/0      tgw-xxxxxxxxx

VPC route domain (spoke route table on the transit gateway)
Destination    Route
0.0.0.0/0      Outbound VPC VPN

Outbound route domain (Outbound VPC route table on the transit gateway)
Destination    Route
10.1.0.0/16    vpc-att-a
10.2.0.0/16    vpc-att-b

Outbound VPC route table
Destination    Route
100.64.0.0/16  Local
10.0.0.0/8     tgw-xxxxxxxxx
0.0.0.0/0      igw-xxxxxxxxx

BGP advertisement from the Outbound VPC over the VPN (ECMP)
BGP prefix   Next hop
0.0.0.0/0    Local IP

Apply SNAT outbound to the internet.
VPC to VPC service insertion
The same pattern with an in-line VPC (100.64.0.0/16) reached over an ECMP VPN attachment: spoke VPCs also route 100.64.0.0/16 to the transit gateway, and the in-line VPC applies SNAT between VPCs for flow affinity.

Spoke VPC route table (VPC B)
Destination     Route
10.2.0.0/16     Local
0.0.0.0/0       tgw-xxxxxxxxx
100.64.0.0/16   tgw-xxxxxxxxx

VPC route domain (spoke route table on the transit gateway)
Destination    Route
0.0.0.0/0      Outbound VPC VPN

Outbound route domain (Outbound VPC route table on the transit gateway)
Destination    Route
10.1.0.0/16    vpc-att-a
10.2.0.0/16    vpc-att-b

In-line VPC route table
Destination    Route
100.64.0.0/16  Local
10.0.0.0/8     tgw-xxxxxxxxx
0.0.0.0/0      igw-xxxxxxxxx

BGP advertisement from the in-line VPC over the VPN (ECMP)
BGP prefix   Next hop
0.0.0.0/0    Local IP

Use cases: VPCs see traffic as originating from the in-line VPC CIDR (SNAT between VPCs for flow affinity).
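The route-domain behaviour on the isolated, shared services, outbound NAT and service insertion slides above comes down to two rules: every table is consulted with longest-prefix matching, and the transit gateway looks up the table associated with the attachment a packet entered on. The simulator below is an added example, not code from the deck or from AWS: it models those tables and traces where a packet from a spoke ends up under each design. Attachment names (vpc-att-a, vpc-att-b, vpc-att-shared, vpc-att-outbound, vpn) and the hop names tgw, ngw and igw are constructed, spoke subnet tables use the isolated slide's default route to the transit gateway throughout, and the service insertion variant, which depends on SNAT inside the in-line VPC, is not modelled.

```python
"""Added example: a toy model of AWS Transit Gateway route domains.  Route
tables are lists of (network, target); lookups are longest-prefix match; the
TGW lookup always uses the table associated with the ingress attachment."""
import ipaddress

# Next hops at which a trace stops.
TERMINAL = {"local", "igw", "vpn", "blackhole"}


def table(rows):
    """Build a route table from (cidr, target) pairs."""
    return [(ipaddress.ip_network(cidr), target) for cidr, target in rows]


def lookup(route_table, dst):
    """Longest-prefix match for dst; None means no matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, target in route_table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def trace(src_attachment, dst, vpc_tables, tgw_tables, association, max_hops=10):
    """Follow dst hop by hop from the subnet route table behind src_attachment.

    vpc_tables maps a VPC attachment (or an in-VPC hop such as "ngw") to the
    subnet route table consulted there; tgw_tables maps a transit gateway route
    table name to its routes; association maps an attachment to the table it is
    associated with.  The ingress attachment decides which TGW table is used,
    which is what makes the routing domains isolate.
    """
    path = [src_attachment]
    hop = ingress = src_attachment
    for _ in range(max_hops):
        if hop == "tgw":
            nxt = lookup(tgw_tables[association[ingress]], dst)
        else:
            nxt = lookup(vpc_tables[hop], dst)
        if nxt is None:                 # no route at all: the packet is dropped
            path.append("blackhole")
            return path
        path.append(nxt)
        if nxt in TERMINAL:
            return path
        if hop in association:          # the attachment carrying us into the TGW
            ingress = hop
        hop = nxt
    path.append("loop")
    return path


# Subnet route tables, constructed from the per-VPC tables on the slides.
VPC_TABLES = {
    "vpc-att-a": table([("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw")]),
    "vpc-att-b": table([("10.2.0.0/16", "local"), ("0.0.0.0/0", "tgw")]),
    "vpc-att-shared": table([("10.4.0.0/16", "local"), ("0.0.0.0/0", "tgw")]),
    # Outbound VPC 100.64.0.0/16: the attachment subnet defaults to the NAT
    # gateway; the NAT gateway's subnet returns 10/8 to the TGW, rest to the IGW.
    "vpc-att-outbound": table([("100.64.0.0/16", "local"), ("0.0.0.0/0", "ngw")]),
    "ngw": table([("100.64.0.0/16", "local"), ("10.0.0.0/8", "tgw"),
                  ("0.0.0.0/0", "igw")]),
}

# Per design: (transit gateway route tables, attachment -> associated table).
DESIGNS = {
    "flat": (
        {"default": table([("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")])},
        {"vpc-att-a": "default", "vpc-att-b": "default"}),
    "isolated": (
        {"vpcs": table([("0.0.0.0/0", "vpn")]),
         "vpn": table([("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")])},
        {"vpc-att-a": "vpcs", "vpc-att-b": "vpcs", "vpn": "vpn"}),
    "shared-services": (
        {"spoke": table([("10.0.0.0/8", "vpn"), ("10.4.0.0/16", "vpc-att-shared")]),
         "shared": table([("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b"),
                          ("10.4.0.0/16", "vpc-att-shared")])},
        {"vpc-att-a": "spoke", "vpc-att-b": "spoke",
         "vpc-att-shared": "shared", "vpn": "shared"}),
    "outbound-nat": (
        {"spoke": table([("0.0.0.0/0", "vpc-att-outbound")]),
         "outbound": table([("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")])},
        {"vpc-att-a": "spoke", "vpc-att-b": "spoke", "vpc-att-outbound": "outbound"}),
}


def where_does_it_go(design, src, dst):
    """Path of a packet from the VPC behind src to dst under the named design."""
    tgw_tables, association = DESIGNS[design]
    return trace(src, dst, VPC_TABLES, tgw_tables, association)


def spoke_pairs_reachable(design, spokes=("vpc-att-a", "vpc-att-b")):
    """(src, dst) spoke pairs whose traffic actually lands inside the other spoke."""
    pairs = []
    for src in spokes:
        for dst in spokes:
            if src == dst:
                continue
            local = next(net for net, tgt in VPC_TABLES[dst] if tgt == "local")
            if dst in where_does_it_go(design, src, str(local[1])):
                pairs.append((src, dst))
    return pairs


if __name__ == "__main__":
    for design in DESIGNS:
        print(design, spoke_pairs_reachable(design),
              where_does_it_go(design, "vpc-att-a", "8.8.8.8"))
```

Two things the trace makes visible that the tables alone do not: in the isolated and shared services designs, spoke-to-spoke traffic is not dropped at the transit gateway but forwarded to the VPN, so either on-premises filtering or a more specific blackhole route in the spoke table has to stop it; and in the outbound NAT design, with the slides' tables, a spoke can reach another spoke by way of the Outbound VPC's NAT subnet, because that subnet's 10.0.0.0/8 route hands the packet back to the transit gateway. Both are decisions to make deliberately rather than discover in VPC Flow Logs.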
VPN with AWS Transit Gateway
Diagram: a customer gateway with a VPN connection terminating on the AWS Transit Gateway, whose route tables distribute the traffic to the attached VPCs.
Consolidate VPN at the transit gateway (TGW)
• VPN acts similar to the virtual private gateway (VGW): bandwidth, configuration, APIs, cost, and experience
• VPN is attached to a TGW instead of a VGW
• Same 1.25 Gbps bandwidth per tunnel applies
Encryption to the edge of many VPCs
• Traffic is encrypted until it's inside the VPC
• Does not natively encrypt traffic between VPCs (inter-region VPC peering does)
VPN with AWS Transit Gateway: Add more bandwidth
Diagram: a customer gateway with several VPN tunnels into the AWS Transit Gateway and its route tables.
Support for spreading traffic across many tunnels
• Equal-cost multi-path (ECMP) support with BGP multi-path
• Tested up to 50 Gbps of traffic
• Split traffic into smaller flows, multi-part uploads, etc.
Check your on-premises configuration
• Multi-path BGP
• ECMP support, number of equal paths, reverse-path forwarding/spoofing checks
• Only supported with BGP, not static routing
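Why the slide says to split traffic into smaller flows: ECMP pins each flow to one tunnel by hashing its 5-tuple, so a single flow is capped at the 1.25 Gbps of one tunnel no matter how many tunnels exist, while many flows spread across them. The model below is an added example, not code from the deck or from AWS: the flow records, the crc32 stand-in for the hash, and the function names are constructed, and real ECMP hashing is vendor-specific. It also counts flows whose reply direction would hash to a different tunnel, which is the situation behind the slide's advice to check reverse-path forwarding and spoofing settings on premises.

```python
"""Added example: a toy model of ECMP across Site-to-Site VPN tunnels."""
import zlib
from collections import defaultdict

TUNNEL_GBPS = 1.25   # per-tunnel limit quoted on the slide


def pick_tunnel(five_tuple, n_tunnels):
    """Hash a (src, dst, proto, sport, dport) tuple to a tunnel index.
    crc32 stands in for the vendor-specific ECMP hash."""
    key = "|".join(str(x) for x in five_tuple).encode()
    return zlib.crc32(key) % n_tunnels


def achieved_throughput(flows, n_tunnels, tunnel_gbps=TUNNEL_GBPS):
    """Return (total Gbps delivered, per-tunnel load) for flows with a 'gbps' demand.

    Flows pinned to the same tunnel share it and are capped at the tunnel limit,
    so one flow can never exceed a single tunnel however many tunnels exist.
    """
    if n_tunnels < 1:
        raise ValueError("at least one tunnel is required")
    demand = defaultdict(float)
    for flow in flows:
        demand[pick_tunnel(flow["tuple"], n_tunnels)] += flow["gbps"]
    per_tunnel = {t: min(d, tunnel_gbps) for t, d in demand.items()}
    return round(sum(per_tunnel.values()), 3), per_tunnel


def asymmetric_flows(flows, n_tunnels):
    """Flows whose reply direction hashes to a different tunnel than the request.

    A customer gateway that expects every flow to return on the tunnel it left
    by (for example a strict reverse-path check per tunnel interface) drops
    these replies, which is the on-premises check the slide asks for.
    """
    out = []
    for flow in flows:
        src, dst, proto, sport, dport = flow["tuple"]
        reply = (dst, src, proto, dport, sport)
        if pick_tunnel(flow["tuple"], n_tunnels) != pick_tunnel(reply, n_tunnels):
            out.append(flow)
    return out


def make_flows(count, gbps_each, src="192.168.10.5", dst="10.1.0.11", base_port=40000):
    """Constructed flows from one on-premises host to one VPC host over TCP/443."""
    return [{"tuple": (src, dst, 6, base_port + i, 443), "gbps": gbps_each}
            for i in range(count)]


if __name__ == "__main__":
    print("one 5 Gbps flow, 4 tunnels:", achieved_throughput(make_flows(1, 5.0), 4)[0])
    print("40 x 0.125 Gbps flows, 4 tunnels:",
          achieved_throughput(make_flows(40, 0.125), 4)[0])
    print("flows replying on another tunnel:",
          len(asymmetric_flows(make_flows(40, 0.125), 4)))
```

The single 5 Gbps flow delivers 1.25 Gbps with four or eight tunnels alike; the forty small flows deliver somewhere between that and the 5 Gbps aggregate, depending on how evenly the hash spreads them. With one tunnel there is no asymmetry at all, which is why the reverse-path question only appears once ECMP is turned on.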
AWS Direct Connect with AWS Transit Gateway
Diagram: the on-premises WAN connects over AWS Direct Connect to a Direct Connect gateway, which is associated with the AWS Transit Gateway and its route tables.
AWS Direct Connect gateway attachment
• Direct Connect gateway (DXGW)
• Attach a transit virtual interface (VIF) to the DXGW
• Associate the AWS Transit Gateway with the Direct Connect gateway
• List the network prefixes that you want to advertise to on premises
Benefits
• Use the dedicated high bandwidth of 1G and 10G AWS Direct Connect connections
• Failover between AWS Direct Connect and AWS site-to-site VPN
• Connectivity from AWS Direct Connect co-locations
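The prefix list on the Direct Connect gateway association is what on premises learns, so it deserves the same review as a firewall rule: too broad and you advertise address space you do not own (or a default route), too narrow and a VPC is unreachable from the WAN. The checks below are an added example, not code from the deck or any AWS tool; the function names are mine, and the sample CIDRs are the VPC CIDRs used on the route-table slides.

```python
"""Added example: review the allowed prefixes of a Direct Connect gateway
association against the VPC CIDRs actually attached to the transit gateway."""
import ipaddress


def check_allowed_prefixes(allowed_prefixes, attached_cidrs):
    """Return (prefix, finding) pairs for prefixes that should not be advertised.

    A prefix is fine when it equals an attached CIDR, summarises some of them,
    or is a subnet of one; a default route, a prefix with no attached VPC
    behind it, and a duplicate are flagged.
    """
    attached = [ipaddress.ip_network(c) for c in attached_cidrs]
    findings, seen = [], set()
    for raw in allowed_prefixes:
        prefix = ipaddress.ip_network(raw, strict=False)
        if prefix.prefixlen == 0:
            findings.append((raw, "default route advertised to on premises"))
        elif not any(n.subnet_of(prefix) or prefix.subnet_of(n) for n in attached):
            findings.append((raw, "no attached VPC CIDR behind this prefix"))
        if prefix in seen:
            findings.append((raw, "duplicate prefix"))
        seen.add(prefix)
    return findings


def uncovered_cidrs(allowed_prefixes, attached_cidrs):
    """Attached VPC CIDRs that on premises would not learn a route for."""
    allowed = [ipaddress.ip_network(p, strict=False) for p in allowed_prefixes]
    return [c for c in attached_cidrs
            if not any(ipaddress.ip_network(c).subnet_of(a) for a in allowed)]


def minimal_advertisement(attached_cidrs):
    """The shortest prefix list that covers exactly the attached CIDRs, no more."""
    nets = [ipaddress.ip_network(c) for c in attached_cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    attached = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"]
    print(check_allowed_prefixes(["0.0.0.0/0", "172.16.0.0/12"], attached))
    print(uncovered_cidrs(["10.1.0.0/16"], attached))
    print(minimal_advertisement(attached))
```

Advertising the summary 10.0.0.0/8 passes the first check and covers every VPC, but it also claims the rest of 10/8 on the WAN; the collapsed list (10.1.0.0/16, 10.2.0.0/15, 10.4.0.0/16 for the slides' four VPCs) is the least-exposure alternative when on-premises routing can take a few more prefixes.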
Direct Connect gateway and AWS Transit Gateway
Diagram: one Direct Connect gateway with transit VIFs from two co-locations, Equinix DC2/DC11, Ashburn, VA and Equinix SE2, Seattle, WA, associated with an AWS Transit Gateway (and its route tables) in US-EAST-1 and another in US-WEST-2.
Takeaways
We have tools and architectures that horizontally scale to many VPCs
There’s wiggle room for your specific use cases
Use services in combination to meet scale and security requirements
Advice
• Networking changes fast; no more crystal balls.
• Start simple! Stay simple. Reduce complexity to smaller scopes.
• Segment and modify as needed.
• Experiment and test.
Thank you!
Bhavin [email protected]