Amazon Virtual Private Cloud (Amazon VPC) provides customers with the ability to create as many virtual networks as they need, as well as different options for connecting those networks to each other and to non-AWS infrastructure. There are two common strategies for connecting multiple, geographically dispersed VPCs and remote networks: one is to implement a hub-and-spoke network topology that routes all traffic through a network transit center (a transit VPC); the other is to create a meshed network that uses individual connections between all networks. Both approaches can create an efficient and available transit network, each offering specific benefits and tradeoffs for different business needs.

This webpage addresses key considerations for implementing a global transit network on AWS, and provides general best practices and an overview of common transit network patterns. The following sections assume basic knowledge of highly available remote-network connectivity, IPsec VPNs, network addressing, subnetting, and routing.

  • Solution Brief

    When creating transit networks, there are some universal network-design principles to consider. For example, the transit network will become a critical component of your network backbone, so choose network vendor products you are familiar with and comfortable supporting. With this in mind, consider the following AWS remote-connectivity best practices:

    • To reduce the amount of traffic in the transit network, leverage VPC peering between resources that do not require transitive routing. This will reduce transit network contention and latency, which can improve application performance.
    • Implement non-overlapping network ranges for your private networks to simplify the ability to route between remote networks. While it is possible to implement NAT rules in the transit network to compensate for overlapping networks, doing so adds additional complexity to the network design.
    • Implement measures to ensure your network is highly available, resilient, and scalable. For example, leverage multiple dynamically routed, rather than statically routed, connections between networks to enable automatic failover between available connections, or use systems to monitor and manage network connectivity and availability in real time.
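    The non-overlapping-addressing practice above is easy to check before a network joins the transit hub. The following is an added example (not code from this page or from AWS); the spoke and data-center ranges are constructed, and the on-premises range deliberately overlaps one spoke to show what the check reports.

```python
"""Pre-flight addressing check for a transit network: report every pair of
networks whose CIDRs overlap, since those pairs cannot be routed transitively
without NAT rules in the hub."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed inventory (name -> CIDR). "corp-datacenter" sits inside
# "spoke-eu-west-1" on purpose, to exercise the overlap report.
NETWORKS: Dict[str, str] = {
    "spoke-us-east-1": "10.1.0.0/16",
    "spoke-eu-west-1": "10.2.0.0/16",
    "spoke-ap-southeast-1": "10.3.0.0/16",
    "corp-datacenter": "10.2.128.0/20",
}


def overlapping_pairs(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted (name_a, name_b) pairs whose ranges overlap.

    strict=True makes ip_network() raise ValueError for a CIDR with host
    bits set (e.g. 10.2.1.0/16), which usually means a mistyped range.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in networks.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


def addressing_is_clean(networks: Dict[str, str]) -> bool:
    """True when no two ranges overlap and the design needs no hub NAT."""
    return not overlapping_pairs(networks)


if __name__ == "__main__":
    for a, b in overlapping_pairs(NETWORKS):
        print(f"OVERLAP: {a} ({NETWORKS[a]}) and {b} ({NETWORKS[b]})")
    print("clean" if addressing_is_clean(NETWORKS) else "needs NAT or re-addressing")
```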

    The following sections provide high-level design overviews, including associated benefits and considerations, for creating either a hub-and-spoke network or a meshed network to directly route network traffic between global networks both on-premises and in the cloud. Implementing a global transit network virtually can reduce costs associated with colocation transit hubs or physical network gear. A global transit network is applicable to customers with the following use cases or requirements:

    • AWS resources in geographically dispersed VPCs need access to a wide variety of on-premises or remote infrastructure.
    • Customer VPCs are located in different AWS Regions.
    • Complex network routing is required to implement a hybrid network architecture.
    • Security or compliance programs require additional network-based monitoring or filtering between resources in different networks (e.g., Network Intrusion Detection Systems or next-generation firewalls).

    This approach uses host-based VPN appliances in a dedicated VPC to perform transitive routing between spoke networks through a central hub. The transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks.

    This design deploys VPN appliances on Amazon Elastic Compute Cloud (Amazon EC2) instances in separate Availability Zones of a transit VPC. We highly recommend leveraging virtual network appliances from the AWS Marketplace to significantly reduce the level of effort to establish and maintain these VPN connections.

    Spoke VPCs are connected to the transit network through dynamically routed VPN connections between their virtual private gateways (VGWs) and the network appliances. This design uses VPN connections from spoke VPCs rather than VPC peering to enable routing between any connected network, including external networks or VPCs in other AWS Regions. This also allows spoke VPC resources to leverage VGW capabilities for routing and failover in order to maintain highly available network connections to the transit VPC network appliances. Remote networks also connect to the transit VPN appliances using redundant, dynamically routed VPN connections. Once connected, leverage dynamic routing protocols to automatically route traffic around potential network failures as well as to propagate network routes to remote networks.

    Note that in the diagram to the right, all communication with the VPN appliances (including the VPN connection between the corporate data center and other provider networks and the transit VPC) uses the transit VPC Internet gateway and Elastic IP addresses. In addition to using dynamically routed connections, we highly recommend the use of Auto Recovery for EC2 to protect instances in the transit VPC.

    Along with providing direct network routing between VPCs and on-premises networks, this design also enables the transit VPC to implement more complex routing rules, such as network address translation between overlapping network ranges, or to add additional network-level packet filtering or inspection.

    [Figure: transit VPC detail]

    This design supports any IP-based connectivity requirements between Amazon VPCs and remote resources with minimal on-premises network changes. It also provides an opportunity to select products available on the AWS Marketplace that integrate seamlessly with AWS-provided VPN connections, without the need to deploy these products into existing data centers. However, this design does require the customer to configure and manage the EC2-based VPN instances deployed in the transit VPC. This will result in additional Amazon EC2 and, potentially, third-party license charges. Also, be aware that this design will generate additional data-transfer charges for traffic traversing the transit VPC: data is charged when it is sent from a spoke VPC to the transit VPC, and again from the transit VPC to the on-premises network.

    See the AWS Solution tab for information on how to deploy a fully automated, Cisco-based transit VPC in minutes. This solution actively monitors a customer’s environment for specifically tagged VGWs to automatically join to the transit network. It also supports VPCs located in multiple AWS Regions and in different AWS accounts. Aviatrix, an AWS Partner Network (APN) Partner, also provides an automated solution that allows customers to quickly and easily deploy a secure and managed transit VPC network. See the Partner Offerings tab for more information.

    A fully or partially meshed design uses individual VPN connections between networks without a central hub. This approach reduces the number of hops in the network, which can reduce latency and simplify troubleshooting. The implementation and ongoing management of a meshed network can be more complex than the hub-and-spoke approach, but it might be more suitable for companies with large inter-regional data transfer needs, or who have extensive compliance requirements for network logging and monitoring.

    This design deploys VPN appliances on EC2 instances in each VPC, which use fully (or partially) meshed point-to-point VPN connections to route network traffic. On-premises VPN devices can also join the transit network by creating individual VPN connections to VPN instances as needed. VPC route tables are configured to route transit network traffic through the VPN appliances to the intended destination network.

    We highly recommend leveraging an APN Partner or AWS Marketplace offering that automatically provisions, manages, and monitors the availability of these networking instances and associated VPN connections.

    This design does not rely on a central hub for routing all transit traffic, which allows it to scale more effectively by sending traffic directly to another VPC. However, it relies on EC2 instances to provide transit network connectivity, which will result in additional EC2 instance costs and introduces a single point of failure between a VPC and remote networks. It also requires more involved instance and VPN provisioning, monitoring, management, and recovery, which is why we recommend using a comprehensive partner offering, such as those offered by Aviatrix (Aviatrix Mesh Network) or Riverbed (SteelConnect), to automate and simplify these processes.

    [Figure: meshed global network]
  • AWS Solution

    AWS offers a fully automated solution that deploys a Cisco-based transit VPC in minutes. The diagram below presents the transit VPC architecture you can build using the solution's implementation guide and accompanying AWS CloudFormation template.

    [Figure: transit VPC architecture]
    1. This highly available design deploys two Cisco CSR 1000v instances into separate Availability Zones of a dedicated transit VPC, which will act as the hub of your global transit network. The CSR instances allow for VPN termination and routing.
    2. This solution uses AWS Lambda to automatically search for appropriately tagged virtual private gateways (VGWs) and then configure VPN connections between those spoke VPCs and the CSR instances in the transit VPC. Configuration data is stored in Amazon S3.
    3. This solution includes an optional template that allows you to automatically add spoke VPCs from a second AWS account.
    4. Once you have established your transit VPC, you can extend beyond the AWS Cloud and manually configure VPN connections to on-premises infrastructure or other network providers.

    What you'll accomplish:

    Deploy a transit VPC using AWS CloudFormation. The CloudFormation template offers four deployment sizes, and will automatically launch and configure your transit VPC using best practices for high availability and dynamic routing.

    Automatically add spoke VPCs in all AWS Regions to your transit network using simple resource tags. Within one minute of tagging an applicable VGW, a preconfigured AWS Lambda function will automatically create a VPN connection between that VPC and the transit VPC hub.
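    The tag-driven spoke onboarding described in step 2 of the architecture and in the paragraph above works roughly as follows. This is an added illustration, not the solution's own Lambda code: the spoke tag key and value, the gateway IDs and the customer-gateway IDs for the two CSR appliances are assumed placeholders, and only the final function needs boto3 and AWS credentials.

```python
"""Select tagged spoke VGWs and work out which dynamically routed (BGP) VPN
connections to the hub's two VPN appliances are still missing."""
from typing import Dict, List, Tuple

SPOKE_TAG_KEY = "transitvpc:spoke"   # assumed tag key; match your deployment
SPOKE_TAG_VALUE = "true"

# Constructed sample in the shape of describe_vpn_gateways()['VpnGateways'].
SAMPLE_VGWS: List[dict] = [
    {"VpnGatewayId": "vgw-0aaa", "State": "available",
     "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
    {"VpnGatewayId": "vgw-0bbb", "State": "available",
     "Tags": [{"Key": "Name", "Value": "not-a-spoke"}]},
    {"VpnGatewayId": "vgw-0ccc", "State": "available",
     "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "false"}]},
    {"VpnGatewayId": "vgw-0ddd", "State": "pending",
     "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
]
# One customer gateway per CSR instance (two Availability Zones); assumed IDs.
HUB_CGWS = ["cgw-0csr1", "cgw-0csr2"]
# Constructed sample of describe_vpn_connections()['VpnConnections']:
# vgw-0aaa already reaches the first CSR, but not the second.
SAMPLE_VPNS: List[dict] = [
    {"VpnGatewayId": "vgw-0aaa", "CustomerGatewayId": "cgw-0csr1", "State": "available"},
]


def tagged_spoke_vgws(vgws: List[dict]) -> List[str]:
    """IDs of available VGWs whose spoke tag is set to 'true'."""
    out = []
    for g in vgws:
        tags: Dict[str, str] = {t["Key"]: t["Value"] for t in g.get("Tags", [])}
        if tags.get(SPOKE_TAG_KEY, "").lower() == SPOKE_TAG_VALUE and g.get("State") == "available":
            out.append(g["VpnGatewayId"])
    return out


def vpns_to_create(vgw_ids: List[str], cgw_ids: List[str], vpns: List[dict]) -> List[Tuple[str, str]]:
    """(vgw, cgw) pairs with no live VPN yet; deleted/deleting ones do not count."""
    live = {(c.get("VpnGatewayId"), c.get("CustomerGatewayId"))
            for c in vpns if c.get("State") not in ("deleted", "deleting")}
    return [(v, c) for v in vgw_ids for c in cgw_ids if (v, c) not in live]


def create_missing_spoke_vpns(region: str, cgw_ids: List[str]) -> List[str]:
    """Live path: create each missing connection with BGP (never static routes)."""
    import boto3  # imported here so the pure functions above run without it
    ec2 = boto3.client("ec2", region_name=region)
    spokes = tagged_spoke_vgws(ec2.describe_vpn_gateways()["VpnGateways"])
    existing = ec2.describe_vpn_connections()["VpnConnections"]
    created = []
    for vgw, cgw in vpns_to_create(spokes, cgw_ids, existing):
        resp = ec2.create_vpn_connection(Type="ipsec.1", CustomerGatewayId=cgw,
                                         VpnGatewayId=vgw, Options={"StaticRoutesOnly": False})
        created.append(resp["VpnConnection"]["VpnConnectionId"])
    return created
```

Run against the samples, the selection yields only vgw-0aaa and a single missing connection to the second CSR, which is exactly the idempotent behaviour a scheduled Lambda needs when it re-scans every minute.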

    Connect a second AWS account to your transit network using AWS CloudFormation. This solution includes an optional template to help you expand your transit network into a second AWS account.

    What you'll need before starting:

    An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.

    Skill level: This solution is intended for IT infrastructure and networking professionals who have practical experience architecting on the AWS cloud.

    Cisco licensing: You must decide on a licensing model for the Cisco Cloud Services Router (CSR) used in this design. See the implementation guide for detailed information.

    Q: What is a transit VPC?

    A transit VPC is a common strategy for connecting multiple, geographically dispersed VPCs and remote networks in order to create a global network transit center. A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks. For more information on global networks and shared VPN connections, see AWS Answers.

    Q: Why would I implement a transit VPC instead of using multiple connections from my remote networks?

    A transit VPC can save time and effort, simplify routing, and also reduce costs. There are fewer connections to manage, and because it is implemented virtually on the AWS Cloud, you can forego the traditional expense of establishing a physical presence in a colocation transit hub or deploying physical network gear.

    Q: Can I use a different VPN appliance than the Cisco CSR Amazon Machine Image (AMI) for my transit VPC?

    This automated transit VPC solution provides a reference implementation with Cisco Cloud Services Router (CSR) 1000V. You can achieve similar architectural patterns using additional AWS Marketplace products.

    Q: How much will it cost to run a transit VPC?

    You are responsible for the cost of the AWS services used while running this reference deployment, as well as for the Cisco CSR licenses, which you can either purchase beforehand or request from the AWS Marketplace. See the implementation guide for detailed information.

  • Partner Offerings

    The AWS Partner Network (APN) offers a variety of comprehensive networking products for organizations of any size or stage of development. Explore the AWS Marketplace for a comprehensive list of partner offerings, including popular options from the following partners.

    Aviatrix

    Aviatrix offers cloud networking software that enables you to build encrypted connectivity for site-to-VPC connections, VPC-to-VPC connections across regions, and remote user VPN access. Aviatrix software solutions include a central controller that simplifies network management and automates the complexity of deploying and operating a global transit network. Learn more about Aviatrix transit VPC network and meshed network solutions.

    Cisco

    The Cisco Cloud Services Router (CSR) 1000V series delivers the maximum performance available in the AWS Cloud for virtual networking services. With the CSR 1000V, AWS customers can rapidly deploy enterprise-class VPN and manage both sides of the VPN tunnel for higher security. Learn more »

    Riverbed

    Riverbed SteelConnect Gateway lets you effortlessly realize the latest trend in highly-compartmentalized, multi-VPC architectures. Automated VPC selection and gateway deployment creates a full-mesh, secure fabric between your VPCs in all AWS Regions. Learn more »
