AWS re:Invent 2018 had a lot of new services worth calling cool: if you have a satellite ( :) ), you no longer need a ground datacenter to process its data (Ground Station), and the combination of RoboMaker and Alexa could be groundbreaking if used properly. There is a whole lot to talk about. Today, I am writing about a rather less fancy service they launched (Cisco, where are you?): AWS Transit Gateway.
Amazon VPC has been the networking backbone that lets EC2 perform the way it does, but VPC capabilities don't always cater to the networking requirements enterprises have. They usually need a central gateway where a firewall knows and controls which packets flow through the environment and how. Until now, enterprises used third-party solutions such as the Cisco CSR router to achieve this. Read about the earlier AWS solution, Transit VPC.
Let's discuss AWS Transit Gateway and how it works. The image below explains pretty much what it is.
Now let's walk through setting up AWS Transit Gateway.
We had a customer in the past for whom we deployed a Cisco CSR to get a transitive network. They had four external apps hosted in four different VPCs that needed to communicate privately with another app on-prem over VPN. Their compliance requirement was that there would be just one VPN endpoint, and that all traffic between the apps had to flow through a firewall sitting in a central VPC on AWS. Let's see how we would deploy this today using Transit Gateway.
1. We have two custom VPCs, each with one subnet, and I have created one instance in each VPC (subnet). One instance is part of the 10.0.0.0/16 network (IP: 10.0.1.188) and the other is part of the 184.108.40.206/16 network (IP: 220.127.116.11).
2. Transit Gateway is available in the VPC dashboard. We start by creating the gateway. Enabling DNS support is useful so that instances in the attached VPCs can find each other's applications by hostname/FQDN. For this walkthrough, leave "Default route table association" and "Default route table propagation" enabled. Click Create at the bottom right.
3. Next, create the Transit Gateway attachments. An attachment is the connection between the gateway and one VPC (you pick the subnet, per Availability Zone, where the gateway places its network interface), so each VPC needs its own attachment.
4. Once the attachments for both VPCs are created, they show up in this window.
5. If you left "Default route table association" and "Default route table propagation" enabled in step 2, the gateway's default route table already has both attachments associated with it and both VPC CIDRs propagated into it, so nothing needs to change on the transit gateway side. What does need changing is each VPC's own route table: add a route for the other VPC's CIDR with the transit gateway as the target. Remember to do this in both VPCs; the return path must go through the gateway too.
6. The final step: test the connection by pinging the 18.104.22.168/16 network from the 10.0.0.0/16 network. The security group on the target instance must allow ICMP from the source VPC's CIDR (a security group ID from the other VPC cannot be referenced across the gateway).
BOOM! No VPC peering: the two VPCs communicate through the transit gateway.
One caveat before applying this to the customer scenario above: with default association and propagation, every attached VPC reaches every other VPC directly, so nothing forces traffic through a firewall. To make the spokes' traffic pass through a central firewall VPC, create the gateway with default association and propagation disabled, associate the spoke attachments with a route table whose only route is 0.0.0.0/0 towards the firewall VPC attachment, and give the firewall attachment its own route table that holds the spoke CIDRs. The firewall VPC's route table then sends the spoke CIDRs back to the transit gateway after inspection.
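The following is an added example, not code from the original post or from AWS: it models the two route-table layouts in question (the default full mesh produced by the walkthrough, and the inspection layout where spokes only know a firewall attachment) and checks which attachments traffic is handed to. The attachment IDs, the firewall VPC CIDR (192.168.0.0/16) and the second spoke's CIDR (10.1.0.0/16) are assumptions made for the example; the lookup semantics (longest-prefix match, one associated route table per attachment) are those of the real Transit Gateway.

```python
"""Model Transit Gateway route tables and check which path spoke traffic takes.

Layout A ("mesh"): one route table holding every VPC CIDR, which is what
default association + default propagation produce.
Layout B ("inspection"): spokes are associated with a table whose only route
is 0.0.0.0/0 -> firewall attachment; only the firewall's table knows the spokes.
Attachment IDs and the 10.1.0.0/16 and 192.168.0.0/16 CIDRs are assumed here.
"""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = "blackhole"


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)  # cidr -> attachment id or BLACKHOLE

    def next_hop(self, dst_ip):
        """Longest-prefix match, as the TGW does; None when no route matches."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else best[1]


@dataclass
class TransitGateway:
    attachments: dict   # attachment id -> VPC cidr
    tables: dict        # table name -> RouteTable
    association: dict   # attachment id -> name of its associated table

    def path(self, src_att, dst_ip, max_hops=4):
        """Attachments the traffic is handed to, in order, until it reaches the
        VPC owning dst_ip. A VPC that receives traffic not addressed to it (the
        firewall VPC) is assumed to route it back to the TGW, where the lookup
        continues in that attachment's associated table."""
        hops, att = [], src_att
        for _ in range(max_hops):
            nh = self.tables[self.association[att]].next_hop(dst_ip)
            if nh is None or nh == BLACKHOLE:
                return hops + ["drop"]
            hops.append(nh)
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.attachments[nh]):
                return hops
            att = nh
        return hops + ["loop"]


# Assumed attachment IDs; 10.0.0.0/16 is the first VPC from the walkthrough.
ATTACHMENTS = {"att-a": "10.0.0.0/16", "att-b": "10.1.0.0/16", "att-fw": "192.168.0.0/16"}


def build_mesh():
    """Layout A: the single default table, every CIDR propagated into it."""
    default = RouteTable("default", {cidr: att for att, cidr in ATTACHMENTS.items()})
    return TransitGateway(ATTACHMENTS, {"default": default},
                          {att: "default" for att in ATTACHMENTS})


def build_inspection():
    """Layout B: spokes only see the firewall; the firewall table sees the spokes."""
    spokes = RouteTable("spokes", {"0.0.0.0/0": "att-fw"})
    fw = RouteTable("firewall",
                    {cidr: att for att, cidr in ATTACHMENTS.items() if att != "att-fw"})
    return TransitGateway(ATTACHMENTS, {"spokes": spokes, "firewall": fw},
                          {"att-a": "spokes", "att-b": "spokes", "att-fw": "firewall"})


def inspected(tgw, src_att, dst_ip, fw_att="att-fw"):
    """True when traffic from src_att to dst_ip is handed to the firewall attachment."""
    return fw_att in tgw.path(src_att, dst_ip)


def to_cli(tgw, tgw_id="tgw-EXAMPLE"):
    """AWS CLI equivalent of a layout. Route-table IDs are left as shell variables
    to be filled from the create-transit-gateway-route-table output."""
    lines = ["aws ec2 create-transit-gateway --options "
             "DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable"]
    for name, table in tgw.tables.items():
        lines.append(f"aws ec2 create-transit-gateway-route-table "
                     f"--transit-gateway-id {tgw_id}  # -> $RTB_{name}")
        for cidr, target in table.routes.items():
            hop = "--blackhole" if target == BLACKHOLE else f"--transit-gateway-attachment-id {target}"
            lines.append(f"aws ec2 create-transit-gateway-route --transit-gateway-route-table-id "
                         f"$RTB_{name} --destination-cidr-block {cidr} {hop}")
    for att, name in tgw.association.items():
        lines.append(f"aws ec2 associate-transit-gateway-route-table "
                     f"--transit-gateway-route-table-id $RTB_{name} --transit-gateway-attachment-id {att}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, tgw in (("mesh", build_mesh()), ("inspection", build_inspection())):
        print(label, "10.0.1.188 -> 10.1.0.10:", tgw.path("att-a", "10.1.0.10"),
              "inspected:", inspected(tgw, "att-a", "10.1.0.10"))
    print(to_cli(build_inspection()))
```

Running it shows the difference that matters for the compliance requirement: in the mesh layout the path from 10.0.1.188 to 10.1.0.10 is just the other spoke's attachment, while in the inspection layout it is the firewall attachment first and the spoke second. The VPC-side part of step 5 still applies in both layouts (an `aws ec2 create-route --transit-gateway-id ...` entry in each VPC route table for the remote CIDRs, and in the firewall VPC a route for the spoke CIDRs back to the gateway).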
Interestingly, you can also share a transit gateway with other AWS accounts or with your AWS Organization using AWS Resource Access Manager (RAM), so one central gateway can serve VPCs owned by several accounts.
What else about Transit Gateway?
- Simplified connectivity
- Better visibility and network control
- On-demand network bandwidth
- Routing between Amazon VPCs with overlapping CIDRs is not supported.
- A spoke VPC can't reference the security groups of other spokes connected to the gateway, so cross-VPC rules must use CIDRs.
- Maximum bandwidth per VPN connection attached to the gateway is 1.25 Gbps; use ECMP across multiple VPN connections to get higher VPN bandwidth. The bandwidth limit per VPC attachment is 50 Gbps (burst).
Check this AWSome slide from AWS to understand where Transit Gateway can be used.