Transitive Peering between networks using AWS Transit Gateway

Crishantha Nanayakkara
3 min read · Aug 22, 2021


AWS Advanced Networking Series — Part 02

In my last article, I explained how Site-to-Site VPN works between AWS and an on-premise network. In this article, we will discuss one more networking topic that is heavily used in AWS networking: the Transit Gateway.

In a nutshell, Transit Gateway is a network gateway, which can be used to significantly simplify networking between AWS Virtual Private Clouds (VPCs), Virtual Private Networks (VPNs) and Direct Connect connections.

It can be used primarily to peer VPCs in the same account, in different accounts in the same region, or in different regions, and in general to provide “transitive peering” between networks.

Why Transit Gateway?

When multiple VPCs on the AWS side try to communicate with an on-premise network through a Customer Gateway (CGW), the setup can eventually become very complex in terms of the number of connections it needs (see Figure 1).

Figure 1 — VPC Connectivity to on-premise network with a single CGW

You can clearly see that each VPC reaches the on-premise Customer Gateway (CGW) over a dedicated connection. It means that if there are “n” VPCs, there can be “n” peering connections to the CGW. The diagram only shows three (03) connections for brevity, but there could be tens or hundreds of them, which leads to a lot of complexity in routing and elsewhere. This gets even worse if you have multiple Customer Gateways (CGWs) on the on-premise side (see Figure 2).

Figure 2 — VPC Connectivity to on-premise network with multiple CGWs

This is exactly the problem that the “Transit Gateway” solves (see Figure 3).

Figure 3 — Transitive Peering with Transit Gateway

In Figure 3, you can see that the Transit Gateway routes all the AWS VPC traffic through itself to talk to the Customer Gateways (CGWs) on the on-premise network. This removes the complexity of having multiple routing connections to the Customer Gateways and multiple connections from the Virtual Private Gateways (VGWs) in each VPC. The Transit Gateway acts as a middle layer that mediates between the networks and reduces the mesh-based complexity.
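As an added example (not configuration from the article), here is the Figure 3 layout in Terraform: every VPC attaches to one Transit Gateway, a single VPN attachment to the on-premise CGW replaces the n per-VPC connections, and two Transit Gateway route tables limit the transitive reachability to VPC-to-on-premise traffic, because a single shared route table would otherwise let every VPC reach every other VPC. It assumes existing VPCs supplied through a hypothetical `var.spoke_vpcs` map and uses a placeholder CGW address.

```hcl
resource "aws_ec2_transit_gateway" "hub" {
  default_route_table_association = "disable" # nothing reachable until a table says so
  default_route_table_propagation = "disable"
}
# One attachment per VPC (var.spoke_vpcs: name => { vpc_id, subnet_ids }, assumed to exist).
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = var.spoke_vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
# A single VPN attachment to the on-prem CGW replaces the n per-VPC connections of Figure 1.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10" # placeholder public IP of the on-prem CGW
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
}
# Spoke route table: only on-prem prefixes propagate in, so spokes cannot reach each other.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "spokes" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "onprem_to_spokes" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
# On-prem route table: every spoke VPC CIDR propagates in, so the CGW reaches all of them.
resource "aws_ec2_transit_gateway_route_table" "onprem" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "onprem" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spokes_to_onprem" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}
```

Each spoke VPC's own route table still needs a route for the on-premise CIDR pointing at the Transit Gateway (an `aws_route` with `transit_gateway_id`); the Transit Gateway route tables above only decide what an attachment can reach once traffic arrives at the gateway.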

Furthermore, the Transit Gateway can be used to connect to other AWS accounts or to other connection types such as Direct Connect or the AWS Global Accelerator. However, both of these options involve an additional cost compared to the default VPN-over-public-Internet option. Of the two, Direct Connect is, as we know, better suited to larger organizations, mainly because of its cost. The Global Accelerator option is considerably cheaper than Direct Connect.

With the Global Accelerator

With the Global Accelerator option, you get multiple anycast IPs that are mapped to your nearest Edge locations. The connection travels over the public Internet only as far as the Edge location; from there, the Global Accelerator network takes control of the communication to the Transit Gateway and into the VPC. This drastically reduces the network latency between the CGW and the Transit Gateway. However, this option is only available if you use the Transit Gateway as the mediation point within AWS (see Figure 4 for the Global Accelerator illustration with the Transit Gateway).

Figure 4 — Using the Global Accelerator with the Transit Gateway

References

  1. AWS Site-to-Site VPN: https://crishantha.medium.com/?p=c4baf45703fd

Crishantha Nanayakkara

Enterprise Architect, Consultant @ FAO (UN), Former CTO, ICTA Sri Lanka