Amazon Virtual Private Cloud (Amazon VPC) provides customers with the ability to create as many virtual networks as they need, as well as different options for connecting those networks to each other and to non-AWS infrastructure. One common strategy for connecting multiple, geographically disperse VPCs and remote networks is to create a transit VPC that serves as a global network transit center. A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks. This design can save time and effort and also reduce costs, as it is implemented virtually without the traditional expense of establishing a physical presence in a colocation transit hub or deploying physical network gear.

This webpage provides an overview of a transit VPC design that assumes a typical hub-and-spoke network topology where remote VPCs access each other and remote networks through the transit VPC, as depicted in the diagram to the right. It also introduces an AWS solution that creates a Cisco-based transit VPC on the AWS Cloud.

The following sections describe key considerations and recommendations for building a transit VPC and assume basic knowledge of highly available remote-network connectivity, IPsec VPNs, network addressing, subnetting, and routing.

transit-vpc-overview
  • Solution Brief

    When creating transit networks, there are some universal network-design principles to consider. For example, the transit network will become a critical component of your network backbone, so choose network vendor products you are familiar with and comfortable supporting. With this in mind, consider the following AWS remote-connectivity best practices:

    • Create a dedicated VPC solely for containing your transit network infrastructure. This greatly simplifies routing and failover configurations compared to a single shared services VPC that combines transit network instances with other shared service infrastructure.
    • Leverage VPC peering when possible for network connectivity between VPCs to reduce the amount of traffic that must traverse the transit network. This will reduce transit network contention and latency, which can improve application performance.
    • Implement non-overlapping network ranges for your private networks to simplify the ability to route between remote networks. Although a transit network can be an excellent place to implement NAT rules to compensate for overlapping networks, this adds additional complexity to the network design.
    • Leverage multiple dynamically routed, rather than statically routed, connections to the transit VPC. This allows the transit network infrastructure to automatically fail over between available connections as necessary, creating a highly available, resilient, and more scalable network.

    The following sections provide a high-level overview for creating a dedicated transit VPC to directly route network traffic regardless of where each network is physically located. This approach creates a transitive network using host-based VPN appliances on Amazon Elastic Compute Cloud (Amazon EC2) instances in a dedicated VPC. AWS highly recommends leveraging virtual network appliances from the AWS Marketplace to significantly reduce the level of effort to establish and maintain these VPN connections.

    A transit VPC is applicable to customers with the following use case/requirements:

    • AWS resources in spoke VPCs need access to a wide variety of on-premises or remote infrastructure
    • Spoke VPCs are located in different AWS regions
    • Complex network-routing is required to implement a hybrid network architecture
    • Security or compliance programs require additional network-based monitoring or filtering between resources in different networks (e.g., Network Intrusion Detection Systems or next-generation firewalls)
    • The use of AWS network providers and partner products would reduce high colocation or other physical transit network costs

     

    This design deploys VPN appliances into a dedicated transit VPC. VPN appliances should be deployed into separate Availability Zones for maximum availability. Spoke VPCs are connected to the transit network through dynamically routed VPN connections between their virtual private gateways (VGWs) and the network appliances. This design uses VPN connections from spoke VPCs, rather than VPC peering to enable routing between any connected network, including external networks or VPCs in other AWS regions. This also allows spoke VPC resources to leverage VGW capabilites for routing and failover in order to maintain highly available network connections to the transit VPC network appliances. Remote networks also connect to the transit VPN appliances using redundant, dynamically routed VPN connections. Once connected, leverage dynamic routing protocols to automatically route traffic around potential network failures as well as to propogate network routes to remote networks.

    Note that in the diagram to the right, all communication with the VPN appliances (including the VPN connection between the corporate data center and other provider networks and the transit VPC) uses the transit VPC Internet gateway and Elastic IP addresses. In addition to using dynamically routed connections, AWS highly recommends the use of Auto Recovery for EC2 to protect instances in the transit VPC.

    Along with providing direct network routing between VPCs and on-premises networks, this design also enables the transit VPC to implement more complex routing rules, such as network address translation between overlapping network ranges, or to add additional network-level packet filtering or inspection.

    transit-vpc-detail

    This design supports any IP-based connectivity requirements between Amazon VPCs and remote resources with minimal on-premises network changes. It also provides an opportunity to select products available on the AWS Marketplace that integrate seamlessly with AWS-provided VPN connections, without the need to deploy these products into existing data centers. However, it does require the customer to configure and manage the EC2-based VPN instances deployed in the transit VPC. This will result in additional EC2 and, potentially, third-party license charges. Also, be aware that this design will generate additional data-transfer charges for traffic traversing the transit VPC: data is charged when it is sent from a spoke VPC to the transit VPC, and again from the transit VPC to the on-premises network.

    See the AWS Solution tab for information on how to deploy fully automated Cisco-based transit VPC in minutes. This solution actively monitors a customer’s environment for specifically tagged VGWs to automatically join to the transit network. Also, it supports VPCs located in multiple AWS regions and in different AWS accounts.

    Download PDF Version of this Solution Brief
  • AWS Solution

    AWS offers a fully automated solution that deploys a Cisco-based transit VPC in minutes. The diagram below presents the transit VPC architecture you can build using the solution's implementation guide and accompanying AWS CloudFormation template.

    transit-vpc-detail-medium
    1. This highly available design deploys two Cisco CSR 1000v instances into separate Availability Zones of a dedicated transit VPC, which will act as the hub of your global transit network. The CSR instances allow for VPN termination and routing.
    2. This solution uses AWS Lambda to automatically search for appropriately tagged virtual private gateways (VGWs) and then configure VPN connections between those spoke VPCs and the CSR instances in the transit VPC. Configuration data is stored in Amazon S3.
    3. This solution includes an optional template that allows you to automatically add spoke VPCs from a second AWS account.
    4. Once you have established your transit VPC, you can extend beyond the AWS Cloud and manually configure VPN connections to on-premises infrastructure or other network providers.
    Deploy Solution
    Implementation Guide

    What you'll accomplish:

    Deploy a transit VPC using AWS CloudFormation. The CloudFormation template offers four deployment sizes, and will automatically launch and configure your transit VPC using best practices for high availability and dynamic routing.

    Automatically add spoke VPCs in all AWS Regions to your transit network using simple resource tags. Within one minute of tagging an applicable VGW, a preconfigured AWS Lambda function will automatically create a VPN connection between that VPC and the transit VPC hub.

    Connect a second AWS account to your transit network using AWS CloudFormation. This solution includes an optional template to help you expand your transit network into a second AWS account.

    What you'll need before starting:

    An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.

    Skill level: This solution is intended for IT infrastructure and networking professionals who have practical experience architecting on the AWS cloud.

    Cisco licensing: You must decide on a licensing model for the Cisco Cloud Services Router (CSR) used in this design. See the implementation guide for detailed information.

    Q: What is a transit VPC?

    A transit VPC is a common strategy for connecting multiple, geographically disperse VPCs and remote networks in order to create a global network transit center. A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks. For more information on global networks and shared VPN connections, see AWS Answers.

    Q: Why would I implement a transit VPC instead of using multiple connections from my remote networks?

    A transit VPC can save time and effort, simplify routing, and also reduce costs. There are fewer connections to manage, and because it is implemented virtually on the AWS Cloud, you can forego the traditional expense of establishing a physical presence in a colocation transit hub or deploying physical network gear.

    Q: Can I use a different VPN appliance than the Cisco CSR Amazon Machine Image (AMI) for my transit VPC?

    This automated transit VPC solution provides a reference implementation with Cisco Cloud Services Router (CSR) 1000V. You can achieve similar architectural patterns using additional AWS Marketplace products.

    Q: How much will it cost to run a transit VPC?

    You are responsible for the cost of the AWS services used while running this reference deployment, as well as for the Cisco CSR licenses, which you can either purchase beforehand or request from the AWS Marketplace. See the implementation guide for detailed information.

Need more resources to get started with AWS? Visit the Getting Started Resource Center to find tutorials, projects and videos to get started with AWS.

Tell us what you think