It is common requirement to be able to route traffic between different VPCs, either in the same region or cross-regions.
In corporate environment is also common to connect multiple VPCs to your on premise datacenter via VPN or Direct Connect. Things can get even more complicated when you have multiple AWS accounts where your VPCs are. Let’s get through this scenarios step by step.
Requirements:
- Connect multiple VPCs from different accounts.
- Connect all VPCs to on premise environment via VPN.
Solution 1: VPC Peering
You can use VPC peering to create a full mesh network that uses individual connections between all networks. Peering must be established between each VPC as transitive routing is not supported.
Advantages:
- Bandwidth between instances in peered VPCs is no different than bandwidth between instances in the same VPC.
- Inter-Region VPC Peering is supported.
- Peering can be established between VPC in different AWS accounts.
Disadvantages:
- This can be very complex to manage as the number of your VPCs grows.
- For every VPC that needs on-premises connectivity you have to configure an AWS Site-to-Site VPN connection.
- VPC peering does not support transitive peering. For example: you have a VPC peering connection between VPC A and VPC B, and between VPC A and VPC C. There is no VPC peering connection between VPC B and VPC C. You cannot route packets directly from VPC B to VPC C through VPC A. To achieve that, you have to establish peering between VPC B and VPC C.
- CIDRs can’t overlap.
Solution 2: Transit VPC
In this solution you can build a hub-and-spoke topology on VPCs and centralise edge connectivity. This approach creates a transitive network using host-based VPN appliances on EC2 instances in a dedicated VPC to route traffic between multiple VPCs and on-premises resources. You have to create VPN connections between spoke VPC VGWs and VPN appliances in transit VPC. You can use ready-made CloudFormation stacks from AWS Marketplace with solutions like: Cisco CSR 1000V, Fortinet FortiGate, Palo Alto Networks, Sophos UTM, Vyatta.
Advantages:
- Enables customers to control cross-region network traffic using AWS and third-party network security products and implement more complex routing rules.
- You can add additional network-level packet filtering or inspection.
- CIDRs in VPC can overlap as you can configure NAT on the instances.
- It works across accounts and regions.
Disadvantages:
- Leverages instance-based routing that increases costs while limiting the bandwidth.
- You have to take care of high availability of EC2 instances used for VPN.
Solution 3: Transit Gateway
In 2018, AWS released Transit Gateway which offers almost the same advantages of transit VPC, but it is a managed service that scales elastically.
Advantages:
- AWS managed service designed to be highly scalable and resilient.
- By default, you can attach up to 5000 VPCs to each gateway and each attachment can handle up to 50 Gbits per second of traffic burst.
- Support for multi account connections.
Disadvantages:
- As for now, no multi region connectivity possible.
I presented here just a couple of possible solutions that I was considering during my design work. You can, of course, build other architectures, like routing all traffic through you corporate datacenter, all depends on your requirements.
Like!! I blog frequently and I really thank you for your content. The article has truly peaked my interest.
I am really grateful to the owner of this website who has shared this
great piece of writing at at this place.
Good day! I know this is somewhat off topic but I was wondering if
you knew where I could locate a captcha plugin for my comment form?
I’m using the same blog platform as yours and I’m having trouble finding one?
Thanks a lot!
I like reading through an article that can make people think.
Also, thank you for permitting me to comment!
Peculiar article, exactly what I needed.
A big thank you for your article.
I am regular visitor, how are you everybody? This article posted at this web site is in fact pleasant.