How to provision transit VPC VPN connectivity on AWS


Transit VPC is a connectivity topology on AWS in which geographically distributed virtual and on-premises networks are connected to a central hub.

Transit VPC

AWS allows its customers to create as many virtual networks as they need. These networks tend to span multiple regions and are generally isolated from each other. Most organizations also prefer to keep a foothold in their legacy on-premises networks. Globally distributed office locations and a remote workforce add another level of complexity.

Connecting all these disparate networks and bringing them under the umbrella of one overlying network and management regime is not easy.

AWS’s transit VPC is one way in which all these components can be connected. In networking terms, a transit VPC is a hub-and-spoke topology: the transit VPC serves as the hub for all communication between the different components of the network, which are referred to as spokes.

Communication between any two edge nodes or spokes has to go through the transit VPC.

Why do I need to set up a transit VPC?

Enterprise applications built for a global audience tend to be distributed across multiple cloud locations, providers and enterprise networks. These components usually do not function on their own and are constantly communicating with each other. Integrating them into a transit VPC or full-mesh architecture serves to bring them under one homogeneous network management regime.

Securing inter-region communication is also an important aspect of setting up a transit VPC. Most organizations transmit sensitive data between regions that they do not want to expose to the public internet. Deploying VPN appliances in spoke VPCs to encrypt data in transit addresses this concern.

How transit VPC works on AWS

The transit VPC solution on AWS is deployed through a CloudFormation stack. The stack creates all the AWS artifacts that are required for the transit VPC. Transit VPC leverages a Cisco CSR 1000v instance to provide routing, security, and network management. It also supports a high availability option which, when enabled, creates two instances instead of one, in separate availability zones.

Users can choose from several throughput levels, up to a maximum of 2 Gbps.

AWS transit VPC pricing

There are several components to transit VPC pricing. The first is the throughput level selected; different throughput levels have different costs associated with them. Cisco also provides two licensing models for the CSR 1000v instance, with differing prices. Pricing also includes all costs related to AWS resources and network transit costs.

AWS transit VPC vs full-mesh

Transit VPC architecture serves to minimize the number of connections required to interconnect geographically distributed AWS VPCs. Other network topologies, such as full mesh, lead to a higher number of connections.

This complicates management and troubleshooting for full-mesh architectures compared to transit VPC topologies. However, full-mesh architectures create direct connections between VPCs or edge nodes, which minimizes the number of network hops and tends to provide better performance. Managed VPN solutions also offset the higher management overhead by providing full-mesh VPNs as a service, with a single pane of glass for management and troubleshooting.
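To make the connection-count versus hop-count trade-off concrete, here is an added example (not code from the original post or from Datapath.io) that models both topologies for a constructed set of four spoke VPCs. It assumes each VPN connection carries two IPsec tunnels, and that the HA option places a second CSR in another availability zone, so it can also show what happens to spoke-to-spoke reachability when one CSR is down.

```python
from collections import deque
from itertools import combinations

# Assumption for this example: each AWS VPN connection carries two IPsec tunnels.
TUNNELS_PER_VPN_CONNECTION = 2
# Constructed sample spokes, one VPC per region.
SPOKES = ["vpc-us-east", "vpc-eu-west", "vpc-ap-south", "vpc-us-west"]

def transit_vpc_edges(spokes, ha=True):
    """Hub-and-spoke: every spoke has a VPN connection to each hub CSR (two CSRs with HA)."""
    hubs = ["csr-az-a", "csr-az-b"] if ha else ["csr-az-a"]
    return {(spoke, hub) for spoke in spokes for hub in hubs}

def full_mesh_edges(spokes):
    """Full mesh: one VPN connection between every pair of spokes."""
    return set(combinations(spokes, 2))

def hop_count(edges, src, dst, failed=()):
    """Fewest hops src -> dst (BFS), skipping nodes in `failed`; None if unreachable."""
    adj = {}
    for a, b in edges:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def compare(spokes):
    """Per topology: VPN connections, IPsec tunnels, and hops between the first two
    spokes, both normally and with the CSR in availability zone a down."""
    src, dst = spokes[0], spokes[1]
    topologies = {"transit_vpc_ha": transit_vpc_edges(spokes, True),
                  "transit_vpc_single": transit_vpc_edges(spokes, False),
                  "full_mesh": full_mesh_edges(spokes)}
    return {name: {"connections": len(e),
                   "tunnels": len(e) * TUNNELS_PER_VPN_CONNECTION,
                   "hops": hop_count(e, src, dst),
                   "hops_csr_az_a_down": hop_count(e, src, dst, ("csr-az-a",))}
            for name, e in topologies.items()}
```

With four spokes the hub-and-spoke hub needs 4 connections (8 with HA) against 6 for the mesh, but every spoke-to-spoke path costs two hops and, without HA, a single CSR outage isolates all spokes.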

Datapath.io Managed full-mesh VPN

Datapath.io’s managed VPN allows AWS users to connect VPCs in a full-mesh topology over encrypted IPsec-based VPN tunnels. It is fully managed, completely automated, easily scalable and highly available, with no new hardware or software requirements. It incorporates both VPN connectivity scenarios, transit VPC and full mesh, into the overall network architecture. It also natively supports cross-account VPN connectivity.

At the core of the network is a full mesh architecture with a transit VPC structure for VPCs at the edge inside a region.

Setting up a transit VPC or full-mesh VPN connectivity is as easy as choosing the required regions and clicking a button. The console automatically creates all AWS and VPN artifacts including AWS VPN Gateways, AWS instances and IPsec VPN tunnels.

The managed VPN solution can also be extended to peer VPCs across AWS regions over a private network with reserved bandwidth. This is part of Datapath.io’s VPC peering solution.

To learn more about Transit VPC and full-mesh topology on AWS, download the Whitepaper.
