Amazon Virtual Private Cloud (Amazon VPC) provides customers with the ability to create as many virtual networks as they need, as well as different options for connecting those networks to each other and to non-AWS infrastructure. There are two common strategies for connecting multiple, geographically dispersed VPCs and remote networks: one is to implement a hub-and-spoke network topology that routes all traffic through a network transit center (a transit VPC); the other is to create a meshed network that uses individual connections between all networks. Both approaches can create an efficient and available transit network, each offering specific benefits and tradeoffs for different business needs.

This webpage addresses key considerations for implementing a global transit network on AWS, and provides general best practices and an overview of common transit network patterns. The following sections assume basic knowledge of highly available remote-network connectivity, IPsec VPNs, network addressing, subnetting, and routing.

  • Solution Brief

    When creating transit networks, there are some universal network-design principles to consider. For example, the transit network will become a critical component of your network backbone, so choose network vendor products you are familiar with and comfortable supporting. With this in mind, consider the following AWS remote-connectivity best practices:

    • To reduce the amount of traffic in the transit network, leverage VPC peering between resources that do not require transitive routing. This will reduce transit network contention and latency, which can improve application performance.
    • Implement non-overlapping network ranges for your private networks to simplify the ability to route between remote networks. While it is possible to implement NAT rules in the transit network to compensate for overlapping networks, doing so adds additional complexity to the network design.
    • Implement measures to ensure your network is highly available, resilient, and scalable. For example, use multiple dynamically routed (rather than statically routed) connections between networks so that traffic fails over automatically between the connections that remain available, and use systems that monitor and manage network connectivity and availability in real time.
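    The non-overlapping-ranges rule above is easy to verify before any VPN is provisioned, and catching a collision early avoids having to bolt NAT onto the transit VPC later. The Python below is an added example, not code from the AWS page or from any of the partner solutions it describes; the network names and CIDR blocks in `NETWORKS` are constructed sample data. It checks every range each network advertises against every range of every other network and reports the pairs that overlap (ranges within the same network, such as a summary plus a more specific, are allowed to overlap).

```python
"""Overlap check for the private ranges joined to a transit network.

Added example (not from the AWS page). NETWORKS is constructed sample data in
the form you would assemble from your own VPC and on-premises inventory.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: each network that will be routed through the transit
# VPC, with the CIDR block(s) it advertises. Two deliberate collisions are
# included so the check has something to find.
NETWORKS = {
    "spoke-vpc-us-east-1": ["10.10.0.0/16"],
    "spoke-vpc-eu-west-1": ["10.20.0.0/16"],
    "spoke-vpc-ap-southeast-1": ["10.20.128.0/17"],   # inside eu-west-1's /16
    "corp-datacenter": ["192.168.0.0/16", "10.30.0.0/16"],
    "partner-network": ["192.168.50.0/24"],            # inside corp DC's /16
}


def parse_networks(networks):
    """Return (name, ip_network) pairs.

    strict=True makes ipaddress reject a CIDR with host bits set
    (e.g. 10.20.1.0/16), which is almost always a typo in an inventory.
    """
    parsed = []
    for name, cidrs in networks.items():
        for cidr in cidrs:
            parsed.append((name, ipaddress.ip_network(cidr, strict=True)))
    return parsed


def find_overlaps(networks):
    """List (name_a, cidr_a, name_b, cidr_b) for each overlapping pair of
    ranges that belong to *different* networks, sorted for stable output."""
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(parse_networks(networks), 2):
        if name_a == name_b:
            continue  # a network may legitimately advertise nested ranges
        if net_a.overlaps(net_b):
            overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return sorted(overlaps)


def routable_without_nat(networks):
    """True when every network pair can be routed as-is through the transit VPC."""
    return not find_overlaps(networks)


if __name__ == "__main__":
    for name_a, cidr_a, name_b, cidr_b in find_overlaps(NETWORKS):
        print(f"OVERLAP: {name_a} {cidr_a} <-> {name_b} {cidr_b}")
    print("routable without NAT:", routable_without_nat(NETWORKS))
```

    Run it as part of the change process for adding a spoke or a remote site: a non-empty result means either one side must renumber or the transit VPC appliances will need NAT rules, with the extra complexity the text above warns about.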

    The following sections provide high-level design overviews, including associated benefits and considerations, for creating either a hub-and-spoke network or a meshed network to directly route network traffic between global networks both on-premises and in the cloud. Implementing a global transit network virtually can reduce the costs associated with colocation transit hubs or physical network gear. A global transit network is applicable to customers with the following use cases or requirements:

    • AWS resources in geographically dispersed VPCs need access to a wide variety of on-premises or remote infrastructure.
    • Customer VPCs are located in different AWS Regions.
    • Complex network routing is required to implement a hybrid network architecture.
    • Security or compliance programs require additional network-based monitoring or filtering between resources in different networks (e.g., Network Intrusion Detection Systems or next-generation firewalls).

    This approach uses host-based VPN appliances in a dedicated VPC to perform transitive routing between spoke networks through a central hub. The transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks.

    This design deploys VPN appliances on Amazon Elastic Compute Cloud (Amazon EC2) instances in separate Availability Zones of a transit VPC. We highly recommend leveraging virtual network appliances from the AWS Marketplace to significantly reduce the level of effort to establish and maintain these VPN connections.

    Spoke VPCs are connected to the transit network through dynamically routed VPN connections between their virtual private gateways (VGWs) and the network appliances. This design uses VPN connections from spoke VPCs rather than VPC peering to enable routing between any connected network, including external networks or VPCs in other AWS Regions. This also allows spoke VPC resources to leverage VGW capabilities for routing and failover in order to maintain highly available network connections to the transit VPC network appliances. Remote networks also connect to the transit VPN appliances using redundant, dynamically routed VPN connections. Once connected, leverage dynamic routing protocols to automatically route traffic around potential network failures as well as to propagate network routes to remote networks.

    Note that in the diagram to the right, all communication with the VPN appliances (including the VPN connection between the corporate data center and other provider networks and the transit VPC) uses the transit VPC Internet gateway and Elastic IP addresses. In addition to using dynamically routed connections, we highly recommend the use of Auto Recovery for EC2 to protect instances in the transit VPC.

    Along with providing direct network routing between VPCs and on-premises networks, this design also enables the transit VPC to implement more complex routing rules, such as network address translation between overlapping network ranges, or to add additional network-level packet filtering or inspection.

    [Diagram: transit VPC detail]

    This design supports any IP-based connectivity requirements between Amazon VPCs and remote resources with minimal on-premises network changes. It also provides an opportunity to select products available on the AWS Marketplace that integrate seamlessly with AWS-provided VPN connections, without the need to deploy these products into existing data centers. However, this design does require the customer to configure and manage the EC2-based VPN instances deployed in the transit VPC. This will result in additional Amazon EC2 and, potentially, third-party license charges. Also, be aware that this design will generate additional data-transfer charges for traffic traversing the transit VPC: data is charged when it is sent from a spoke VPC to the transit VPC, and again from the transit VPC to the on-premises network.

    See the Aviatrix and Cisco tabs for information on how to deploy fully automated transit VPCs in minutes. The Cisco-based solution actively monitors a customer’s environment for specifically tagged VGWs and automatically joins them to the transit network. It also supports VPCs located in multiple AWS Regions and in different AWS accounts. AWS Partner Network (APN) Partners Aviatrix and Juniper also provide automated solutions that allow customers to quickly and easily deploy a secure and managed transit VPC network. See the Partner Offerings tab for more information.

    A fully or partially meshed design uses individual VPN connections between networks without a central hub. This approach reduces the number of hops in the network, which can reduce latency and simplify troubleshooting. The implementation and ongoing management of a meshed network can be more complex than the hub-and-spoke approach, but it might be more suitable for companies with large inter-regional data transfer needs, or that have extensive compliance requirements for network logging and monitoring.

    This design deploys VPN appliances on EC2 instances in each VPC which use fully (or partially) meshed point-to-point VPN connections to route network traffic. On-premises VPN devices can also join the transit network by creating individual VPN connections to VPN instances as needed. VPC route tables are configured to route transit network traffic through the VPN appliances to the intended destination network.

    We highly recommend leveraging an APN Partner or AWS Marketplace offering that automatically provisions, manages, and monitors the availability of these networking instances and associated VPN connections.

    This design does not rely on a central hub for routing all transit traffic, which allows it to scale more effectively by sending traffic directly to another VPC. However, it relies on EC2 instances to provide transit network connectivity, which will result in additional EC2 instance costs and introduces a single point of failure between a VPC and remote networks. It also requires more involved instance and VPN provisioning, monitoring, management, and recovery, which is why we recommend using a comprehensive partner offering, such as those offered by Aviatrix (Aviatrix Mesh Network) or Riverbed (SteelConnect), to automate and simplify these processes.

    [Diagram: meshed global network]
    Download PDF Version of this Solution Brief
  • Aviatrix Offering

    Aviatrix has collaborated with AWS to offer a fully automated AWS Quick Start that deploys a global transit VPC in minutes. The diagram below presents the transit VPC architecture you can build using the Quick Start deployment guide and accompanying AWS CloudFormation template.

    Aviatrix Next-Gen Global Transit Hub is part of a second generation of networking technology, combining a traditional global transit hub with additional security, greater scale, and simpler operations.

    [Diagram: Aviatrix Global Transit Hub architecture on AWS]
    1. This Quick Start sets up a secure Aviatrix Next-Gen Global Transit Hub architecture that includes the Aviatrix Controller and Aviatrix Gateways in a highly available configuration. You can create a new VPC or use an existing VPC for the transit hub.
    2. After you deploy the Aviatrix Controller using this Quick Start, you can use the Aviatrix Global Transit Network Wizard in the Aviatrix Controller to deploy the Hub Gateway instances into a VPC that will be designated as the Next-Gen Global Transit Hub. The wizard allows you to launch and configure two Aviatrix Gateways in the transit hub VPC and the designated spoke VPCs. The gateway instances allow for IPsec VPN termination, routing, and security policies, and provide ongoing monitoring.
    3. Once you have established your transit VPC, you can extend beyond the AWS Cloud and automatically configure VPN connections to on-premises infrastructure or other network providers with the Aviatrix Controller.
    4. Aviatrix also enables you to expand your global transit architecture to include a Shared Services layer AWS Direct Peering for better support of teams that require a shared or management VPC for common services in the cloud.
    Deploy Quick Start in a new VPC
    Deploy Quick Start in an existing VPC

    Download: Deployment Guide | Source Code


    What you'll accomplish:

    Build a network infrastructure for your Aviatrix Next-Gen Global Transit Hub using AWS CloudFormation and the Aviatrix Global Transit Network Wizard. The CloudFormation template will automatically launch and configure your transit VPC using best practices for high availability and dynamic routing.

    Automatically add spoke VPCs in all AWS Regions to your transit network by attaching those VPCs to the Next-Gen Global Transit Hub. VPN connections are automatically established between the spoke VPCs and the Next-Gen Global Transit Hub VPC.

    Simplify gateway management with a point-and-click, centralized management console that allows you to implement changes or customizations quickly and easily.


    What you'll need before starting:

    An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.

    Skill level: This solution is intended for IT infrastructure and networking professionals who have practical experience architecting on the AWS cloud.

    Aviatrix licensing: You must decide on a licensing option for the Aviatrix software used in this design and subscribe to the AMI that provides that option. See the deployment guide for detailed information.

    Q: What is a transit VPC?

    A transit VPC is a common strategy for connecting multiple, geographically dispersed VPCs and remote networks in order to create a global network transit center. A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks.

    Q: How is Aviatrix Next-Gen Transit Hub different from a traditional transit VPC?

    Aviatrix Next-Gen Global Transit Hub provides enhanced security by maintaining VPC segmentation, allowing the user to control policy-based connectivity and to use encrypted links.

    From an operations perspective, this Aviatrix solution includes higher levels of automation via REST APIs, configuration wizards to simplify and streamline orchestration of networking services, troubleshooting with Aviatrix EC2 FlightPath and other integrated tests, and visibility with global dashboards.

    Future-oriented teams can grow easily, since this Aviatrix solution removes route table limitations and extends the Next-Gen Global Transit Hub with additional cloud networking use cases. These use cases include:

    • Remote user VPN
    • Egress security
    • Site to cloud and multicloud peering

    See Aviatrix Answers for more information.

    Q: Why would I implement a transit VPC instead of using multiple connections from my remote networks?

    A transit VPC can save time and effort, simplify routing, and also reduce costs. There are fewer connections to manage, and because it is implemented virtually on the AWS Cloud, you can forgo the traditional expense of establishing a physical presence in a colocation transit hub or deploying physical network gear.

    Q: Can I use a different VPN appliance than the Aviatrix Amazon Machine Image (AMI) for my transit VPC?

    This automated transit VPC Quick Start provides a reference implementation that includes Aviatrix software. The Quick Start doesn’t support transit networking products from other software providers. However, you can achieve similar architectural patterns by using other AWS Marketplace products or your own AWS CloudFormation templates.

    Q: How much will it cost to run a transit VPC?

    You are responsible for the cost of the AWS services used while running this reference deployment, as well as for the Aviatrix licenses, which you can either purchase beforehand or request from the AWS Marketplace. Aviatrix has a metered AMI on the AWS Marketplace, featuring pay-as-you-go pricing, which starts at a few cents per hour per connection. See the Aviatrix pricing page for detailed information.

  • Cisco Offering

    AWS offers a fully automated solution that deploys a Cisco-based transit VPC in minutes. The diagram below presents the transit VPC architecture you can build using the solution's implementation guide and accompanying AWS CloudFormation template.

    [Diagram: transit VPC detail]
    1. This highly available design deploys two Cisco CSR 1000v instances into separate Availability Zones of a dedicated transit VPC, which will act as the hub of your global transit network. The CSR instances allow for VPN termination and routing.
    2. This solution uses AWS Lambda to automatically search for appropriately tagged virtual private gateways (VGWs) and then configure VPN connections between those spoke VPCs and the CSR instances in the transit VPC. Configuration data is stored in Amazon S3.
    3. This solution includes an optional template that allows you to automatically add spoke VPCs from a second AWS account.
    4. Once you have established your transit VPC, you can extend beyond the AWS Cloud and manually configure VPN connections to on-premises infrastructure or other network providers.
    Deploy Solution
    Implementation Guide

    What you'll accomplish:

    Deploy a transit VPC using AWS CloudFormation. The CloudFormation template offers four deployment sizes, and will automatically launch and configure your transit VPC using best practices for high availability and dynamic routing.

    Automatically add spoke VPCs in all AWS Regions to your transit network using simple resource tags. Within one minute of tagging an applicable VGW, a preconfigured AWS Lambda function will automatically create a VPN connection between that VPC and the transit VPC hub.
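    The tag-driven join described above (step 2 of the architecture and this paragraph) comes down to a small reconciliation loop: enumerate VGWs, keep the ones carrying the spoke tag that are actually able to terminate a VPN, and create the VPN connections to each CSR that do not already exist, so that the poller can run every minute without creating duplicates. The Python below is an added example and not the solution's own Lambda code. The `describe_*` responses are constructed sample data in the shape the boto3 EC2 client returns them; the tag key and value (the solution exposes the spoke tag as a deployment parameter, `transitvpc:spoke` = `true` is assumed here as its default) and the customer gateway IDs are assumed configuration values.

```python
"""Select tagged VGWs to join to the transit VPC, as the Lambda poller does.

Added example, not the AWS solution's code. Responses below are constructed in
the shape of boto3's ec2.describe_vpn_gateways / describe_vpn_connections
output; configuration values are assumptions for the sake of the example.
"""

# Assumed configuration: the spoke tag (solution parameter; default assumed)
# and one customer gateway per CSR instance in the transit VPC.
SPOKE_TAG_KEY = "transitvpc:spoke"
SPOKE_TAG_VALUE = "true"
CSR_CUSTOMER_GATEWAYS = ["cgw-0aaa1111", "cgw-0bbb2222"]   # assumed IDs

# Constructed: ec2.describe_vpn_gateways()["VpnGateways"], covering the cases
# the poller must handle (tag case, untagged, detached, being deleted).
VPN_GATEWAYS = [
    {"VpnGatewayId": "vgw-spoke1", "State": "available", "Type": "ipsec.1",
     "VpcAttachments": [{"State": "attached", "VpcId": "vpc-spoke1"}],
     "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
    {"VpnGatewayId": "vgw-spoke2", "State": "available", "Type": "ipsec.1",
     "VpcAttachments": [{"State": "attached", "VpcId": "vpc-spoke2"}],
     "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "TRUE"}]},        # value case differs
    {"VpnGatewayId": "vgw-untagged", "State": "available", "Type": "ipsec.1",
     "VpcAttachments": [{"State": "attached", "VpcId": "vpc-other"}],
     "Tags": [{"Key": "Name", "Value": "legacy"}]},
    {"VpnGatewayId": "vgw-detached", "State": "available", "Type": "ipsec.1",
     "VpcAttachments": [],                                      # tagged, no VPC
     "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
    {"VpnGatewayId": "vgw-deleting", "State": "deleting", "Type": "ipsec.1",
     "VpcAttachments": [{"State": "attached", "VpcId": "vpc-gone"}],
     "Tags": [{"Key": SPOKE_TAG_KEY, "Value": "true"}]},
]

# Constructed: ec2.describe_vpn_connections()["VpnConnections"]. spoke1 already
# reaches the first CSR; spoke2's old connection has been deleted.
VPN_CONNECTIONS = [
    {"VpnConnectionId": "vpn-existing", "State": "available",
     "VpnGatewayId": "vgw-spoke1", "CustomerGatewayId": "cgw-0aaa1111"},
    {"VpnConnectionId": "vpn-old", "State": "deleted",
     "VpnGatewayId": "vgw-spoke2", "CustomerGatewayId": "cgw-0aaa1111"},
]


def has_spoke_tag(vgw):
    """Tag key must match exactly; the value is compared case-insensitively."""
    return any(t["Key"] == SPOKE_TAG_KEY and t["Value"].lower() == SPOKE_TAG_VALUE
               for t in vgw.get("Tags", []))


def is_joinable(vgw):
    """Only an available IPsec VGW that is attached to a VPC can terminate a VPN."""
    attached = any(a["State"] == "attached" for a in vgw.get("VpcAttachments", []))
    return vgw["State"] == "available" and vgw["Type"] == "ipsec.1" and attached


def live_connections(connections):
    """(vgw_id, cgw_id) pairs that exist and are not being torn down."""
    return {(c["VpnGatewayId"], c["CustomerGatewayId"])
            for c in connections if c["State"] in ("pending", "available")}


def plan_joins(vpn_gateways, connections, customer_gateways):
    """Return the (vgw_id, cgw_id) pairs that still need a VPN connection.

    One connection per CSR gives each spoke two redundant paths; pairs that
    already exist are skipped so repeated polling is idempotent.
    """
    existing = live_connections(connections)
    plan = []
    for vgw in vpn_gateways:
        if not (has_spoke_tag(vgw) and is_joinable(vgw)):
            continue
        for cgw in customer_gateways:
            if (vgw["VpnGatewayId"], cgw) not in existing:
                plan.append((vgw["VpnGatewayId"], cgw))
    return plan


if __name__ == "__main__":
    for vgw_id, cgw_id in plan_joins(VPN_GATEWAYS, VPN_CONNECTIONS, CSR_CUSTOMER_GATEWAYS):
        # With boto3 this is where ec2.create_vpn_connection(Type="ipsec.1",
        # CustomerGatewayId=cgw_id, VpnGatewayId=vgw_id) would be called.
        print(f"create VPN connection: {vgw_id} -> {cgw_id}")
```

    Because a tag is all it takes to pull a VPC into the transit network, the IAM permission to tag VGWs in spoke accounts is effectively a permission to change the organisation's routing; scope it accordingly and alert on the creation of the spoke tag by unexpected principals.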

    Connect a second AWS account to your transit network using AWS CloudFormation. This solution includes an optional template to help you expand your transit network into a second AWS account.

    What you'll need before starting:

    An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.

    Skill level: This solution is intended for IT infrastructure and networking professionals who have practical experience architecting on the AWS cloud.

    Cisco licensing: You must decide on a licensing model for the Cisco Cloud Services Router (CSR) used in this design. See the implementation guide for detailed information.

    Q: What is a transit VPC?

    A transit VPC is a common strategy for connecting multiple, geographically dispersed VPCs and remote networks in order to create a global network transit center. A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks.

    Q: Why would I implement a transit VPC instead of using multiple connections from my remote networks?

    A transit VPC can save time and effort, simplify routing, and also reduce costs. There are fewer connections to manage, and because it is implemented virtually on the AWS Cloud, you can forgo the traditional expense of establishing a physical presence in a colocation transit hub or deploying physical network gear.

    Q: Can I use a different VPN appliance than the Cisco CSR Amazon Machine Image (AMI) for my transit VPC?

    This automated transit VPC solution provides a reference implementation with Cisco Cloud Services Router (CSR) 1000V. You can achieve similar architectural patterns using additional AWS Marketplace products.

    Q: How much will it cost to run a transit VPC?

    You are responsible for the cost of the AWS services used while running this reference deployment, as well as for the Cisco CSR licenses, which you can either purchase beforehand or request from the AWS Marketplace. See the implementation guide for detailed information.

  • Partner Offerings

    The AWS Partner Network (APN) offers a variety of comprehensive networking products for organizations of any size or stage of development. Explore the AWS Marketplace for a comprehensive list of partner offerings, including popular options from the following partners.


    Aviatrix offers cloud networking software that enables you to build encrypted connectivity for site-to-VPC connections, VPC-to-VPC connections across regions, and remote user VPN access. Aviatrix software solutions include a central controller that simplifies network management and automates the complexity of deploying and operating a global transit network. Learn more about Aviatrix transit VPC network and meshed network solutions.


    The Cisco Cloud Services Router (CSR) 1000V series delivers the maximum performance available in the AWS cloud for virtual networking services. With the CSR 1000V, AWS customers can rapidly deploy enterprise-class VPN and manage both sides of the VPN tunnel for higher security. Learn more »


    Juniper Networks offers virtual network and routing products that enable customers to rule their networks with the security, speed, agility, control and flexibility they need to rapidly scale their workloads and their businesses. Juniper offers a transit networking solution that uses vSRX firewall instances on AWS to manage global network traffic. Learn more about Juniper's vSRX virtual Firewall-Based AWS Transit VPC and their other offerings in AWS Marketplace.


    Riverbed SteelConnect Gateway lets you effortlessly realize the latest trend in highly-compartmentalized, multi-VPC architectures. Automated VPC selection and gateway deployment creates a full-mesh, secure fabric between your VPCs in all AWS Regions. Learn more »
