AWS Transit Gateways – Learning made simple


A transit gateway is a network transit hub. It allows us to interconnect our virtual private clouds (VPCs) and on-premises networks. The AWS transit gateway saves us the effort of creating multiple VPC peering connections between all the existing VPCs, and of establishing VPN tunnels between the on-premises network and each individual VPC, in order to establish connectivity.

Imagine a scenario with four VPCs:

[Figure: VPC mesh without a transit gateway]

As depicted above, this is what a VPC mesh would look like. Now, consider the same situation with hundreds and thousands of VPCs in a network. Without transit gateways, maintaining such a complex infrastructure is a tedious task. The transit gateway, as the name suggests, acts as a universal gateway for all of the resources.

We can think of TGW as a big cloud provider. It is responsible for sending traffic across multiple regions over a secure, available, and high-performance AWS global network.

Why do we need Transit gateways?

Interconnecting VPCs at scale.

As suggested above, connecting thousands of VPCs together in a mesh-like structure will be a painful task. Now, assume that in such a network we want to add an additional VPC to the existing structure. To do that, one has to create a VPC peering connection from each of the existing VPCs to the foreign VPC being added. In general, ‘n’ number of VPCs would require ‘n’ VPC peering connections.

[Figure: Without Transit Gateways]

[Figure: With Transit Gateways]

Similarly, deleting a VPC from a mesh structure would follow the same procedure. One will have to remove the VPC peering connections from all the other VPCs to the one being deleted. As a result, this manual management of connections to the VPCs requires a feasible solution, which is the Transit Gateway.

Edge Consolidation

Consider the above situation when we also have an on-premises network. In that case, too, we can use a single transit gateway rather than creating multiple VPN gateway connections from multiple VPCs to the on-premises network. It eases establishing and maintaining communication over such a network.

Using Transit Gateways provides:

  1. Easy edge connectivity
  2. Simplified connectivity
  3. High bandwidth
  4. Connectivity Isolation

Benefits of using Transit Gateways

  • Better visibility and control

Firstly, the AWS Transit Gateway Network Manager provides easy monitoring of the Amazon VPCs and the edge connections from a central console. AWS Transit Gateway Network Manager is integrated with popular SD-WAN devices. It helps in quickly identifying issues and reacting to events on our global network.

  • Easier connectivity

Secondly, one can understand AWS Transit Gateway as a cloud router that helps simplify our network architecture. The complexity of managing incremental connections is not a problem, even when there is a rapid increase in the demand for resources in the network. When building global applications, we can connect AWS Transit Gateways using inter-Region peering.

  • Improved security

Thirdly, all the traffic flowing between a VPC and the AWS Transit Gateway remains on the AWS global private network. Thus, none of the communication over this network is exposed to the public internet. AWS Transit Gateway inter-Region peering encrypts all traffic, with no single point of failure or bandwidth bottleneck. This helps protect against distributed denial of service (DDoS) attacks and other common exploits.

  • Flexible multicast

And lastly, AWS Transit Gateway multicast helps distribute the same content to multiple, specific destinations. This eliminates the need for expensive on-premises multicast networks and thus reduces the bandwidth needed for high-throughput applications such as video conferencing, media, or teleconferencing.

Use cases:

Inter-region Peering: Rapidly expand to global scale.
In other words, with inter-region peering, everything attached to an AWS Transit Gateway is shared across AWS Regions. The shared resources can include VPCs, DNS, Microsoft Active Directory, and IPS/IDS.

High Availability: Deliver applications around the world.
AWS Transit Gateway helps you build applications spanning hundreds and thousands of Amazon VPCs. This means deploying new applications without updating massive route tables to create peering relationships. Adding a new Amazon VPC or deleting one from an existing network is made easy. Everything is easier to deploy, manage, and troubleshoot.

Highly Scalable: Smoothly responds to spikes in demand.
In addition to being highly available, AWS Transit Gateways let one quickly add resources to meet unexpected demands. These resources can be Amazon VPCs, AWS accounts, VPN capacity, or AWS Direct Connect gateways. This avoids wrestling with complex connections or massive routing tables. Similarly, resources can be deleted easily.

Host multicast applications in the cloud.
We can host multicast applications on the cloud without redesigning the application or making changes to the on-premises network. Using transit gateways, the multicast applications can scale as per the demands, thus eliminating the need to buy and maintain custom hardware to support peak application loads.

Features:

Monitoring
AWS Transit Gateway provides statistics and logs that are then used by services such as Amazon CloudWatch and Amazon VPC Flow Logs. 

Single management portal across cloud and on-premises networks
It allows managing the private network that spans the cloud and the on-premises sites from a single pane of glass on the AWS management console.

Security
AWS Transit Gateway is integrated with Identity and Access Management (IAM), enabling us to manage access to AWS TGW securely. Moreover, using IAM, we can create and manage AWS users and groups, and use permissions to allow and deny their access to the AWS Transit Gateway. 

Metrics
We can monitor the global network through performance and traffic metrics, such as bytes in/out, packets in/out, and packets dropped.

Limitations of TGW

  • Currently, the AWS Transit Gateway is not available for all AWS regions. The regions where transit gateways are supported are:
    1. US East
    2. US West
    3. EU
    4. AsiaPacific
    5. South America
    6. Africa
    7. Middle East

The work on support for other regions is still in progress.

  • CIDRs – AWS Transit Gateway doesn’t support routing between Amazon VPCs with overlapping CIDRs. If one attaches a new Amazon VPC whose CIDR overlaps with that of an already attached VPC, the AWS Transit Gateway will not allow the new Amazon VPC route into the AWS Transit Gateway route table.
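Because of this limitation, it is worth checking a new VPC's address space against the already attached VPCs before creating the attachment. The following is an added example, not code from the original post; the VPC names and CIDR blocks are constructed sample data.

```python
import ipaddress

# Constructed inventory: attachment name -> all CIDR blocks of that VPC
# (a VPC can carry secondary CIDRs, so each entry is a list).
ATTACHED = {
    "vpc-prod":   ["10.0.0.0/16"],
    "vpc-dev":    ["10.1.0.0/16", "100.64.0.0/20"],
    "vpc-shared": ["10.2.0.0/16"],
}

def find_overlaps(attached, candidate_cidrs):
    """Return (candidate, attached_vpc, attached_cidr) for every overlapping pair."""
    conflicts = []
    for cand in candidate_cidrs:
        # strict=True rejects typos such as 10.1.128.0/16 (host bits set)
        cand_net = ipaddress.ip_network(cand, strict=True)
        for vpc, cidrs in attached.items():
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=True)
                # overlaps() also catches supernets and subnets, not just equal blocks
                if cand_net.version == net.version and cand_net.overlaps(net):
                    conflicts.append((cand, vpc, cidr))
    return conflicts

def safe_to_attach(attached, candidate_cidrs):
    """True only when no candidate block collides with an attached VPC."""
    return not find_overlaps(attached, candidate_cidrs)

if __name__ == "__main__":
    for cidrs in (["10.3.0.0/16"], ["10.1.128.0/17", "10.3.0.0/16"], ["10.0.0.0/8"]):
        print(cidrs, "->", find_overlaps(ATTACHED, cidrs) or "no overlap")
```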

Talking about the money – Pricing of TGWs

Users are charged for the number of connections that they make to the Transit Gateway. Moreover, they are charged per hour and for the amount of traffic that flows through AWS Transit Gateway. As a result, the more transit gateway attachments there are, the higher the bill will be. The pricing is as follows:

Price per AWS Transit Gateway attachment ($) : $0.05

Price per GB of data processed ($) : $0.02

Transit gateway Concepts

Transit Gateway Attachments:

A transit gateway attachment can be created to any of the following resources.

  • One or more VPCs.
  • An AWS Direct Connect gateway.
  • A peering connection from another transit gateway.
  • A VPN connection to a transit gateway.

Transit gateway Maximum Transmission Unit (MTU)

The MTU of a connection is the size, in bytes, of the largest permissible packet that can be passed over it. The higher the MTU of a connection, the more data can be passed via a single packet.

Transit Gateway supports an MTU of:
– 8500 bytes for traffic between VPCs, AWS Direct Connect, Transit Gateway Connect, and peering attachments.
– 1500 bytes for traffic over VPN connections.

Transit gateway route table

A route table contains dynamic and static records of routes that decide the next hop based on the destination IP address of the packet. By default, a transit gateway has a default route table attached to it, but it can optionally have any number of additional route tables.

Associations

Each transit gateway attachment is associated with exactly one route table. But each route table can be associated with zero to many attachments.

Route propagation

The routes from different types of resources define the type of propagation. A VPC, VPN connection, or Direct Connect gateway can dynamically propagate routes to a transit gateway route table. With a VPC, one must create static routes to send traffic to the transit gateway. Thus, route propagation may vary, with different types of resources attached to a TGW.
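Associations and propagations together decide which attachments can exchange traffic, which is what connectivity isolation rests on. The following added example (not from the original post) models both and checks an assumed policy that prod and dev must not reach each other; all route table and attachment names are constructed.

```python
from itertools import permutations

# Constructed model. associations: attachments whose outbound traffic the table
# routes; propagations: attachments whose routes are installed in the table.
SEGMENTED = {
    "rt-workloads": {"associations": {"prod", "dev"},
                     "propagations": {"shared", "onprem-vpn"}},
    "rt-shared": {"associations": {"shared", "onprem-vpn"},
                  "propagations": {"prod", "dev", "shared", "onprem-vpn"}},
}
# Constructed contrast case: one flat table that every attachment uses.
ALL = {"prod", "dev", "shared", "onprem-vpn"}
FLAT = {"rt-flat": {"associations": set(ALL), "propagations": set(ALL)}}

def association_of(tables):
    """Map attachment -> route table, enforcing exactly one table per attachment."""
    owner = {}
    for name, rt in tables.items():
        for att in rt["associations"]:
            if att in owner:
                raise ValueError(f"{att} associated with {owner[att]} and {name}")
            owner[att] = name
    return owner

def reachable_pairs(tables):
    """Pairs (a, b) with a route in both directions, so a flow can complete."""
    owner = association_of(tables)

    def has_route(src, dst):
        # src can send to dst only if dst propagates into src's associated table
        return dst in tables[owner[src]]["propagations"]

    return {(a, b) for a, b in permutations(owner, 2)
            if has_route(a, b) and has_route(b, a)}

def policy_violations(tables, forbidden):
    """Forbidden pairs that the route tables nevertheless allow."""
    pairs = reachable_pairs(tables)
    return sorted(p for p in forbidden if p in pairs)

if __name__ == "__main__":
    policy = [("prod", "dev")]  # assumed isolation requirement
    print("segmented:", policy_violations(SEGMENTED, policy))
    print("flat:     ", policy_violations(FLAT, policy))
```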

How do Transit Gateways work?

In the above situation, we assumed a network connection of four VPCs. Upon implementing transit gateways, we get:

[Figure: the four VPCs with a transit gateway]

Now, consider enabling communication with an on-premises network:

[Figure: Without Transit Gateway]

[Figure: With Transit Gateway]

A real-world scenario of using Transit Gateways

Consider different environments like “production”, “dev”, etc. They share a common set of services set up in a different environment called a “shared-services” environment. A transit gateway is set up to enable communication between the services within these environments and the on-premises data center.

Conclusion

In conclusion, implementing transit gateways will ease creating and maintaining a complex architecture setup. AWS Transit Gateway acts as a central hub that helps to connect VPCs and on-premises networks. This simplifies the network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.
