AWS Advanced Networking: Inter-VPC Connectivity & Architecture
Connecting multiple VPCs by using the most appropriate services based on requirements (for example, using VPC peering, Transit Gateway, PrivateLink)
This guide explores the mechanisms for interconnecting AWS Virtual Private Clouds (VPCs). Choosing the right connectivity pattern is critical for optimizing performance, managing costs, and ensuring security across complex multi-account and multi-region environments.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between VPC Peering, Transit Gateway, and PrivateLink based on technical constraints.
- Identify use cases for transitive vs. non-transitive routing.
- Evaluate solutions for overlapping CIDR blocks.
- Implement hub-and-spoke architectures for scalable networking.
Key Terms & Glossary
- Transitive Routing: The ability for traffic to pass through one network component (like a VPC) to reach another. VPC Peering is not transitive.
- Hub-and-Spoke: A topology where multiple "spoke" VPCs connect to a central "hub" (Transit Gateway) for simplified management.
- Interface VPC Endpoint: A PrivateLink-powered ENI with a private IP address that acts as an entry point for traffic destined to a supported service.
- AWS RAM (Resource Access Manager): A service that allows you to share AWS resources (like subnets or Transit Gateways) across accounts within an organization.
- CIDR Overlap: A situation where two VPCs use the same IP address range, preventing standard layer-3 routing (peering).
The "Big Idea"
In the AWS ecosystem, connectivity is no longer just about "plugging things in." It is about architectural intent. If you need high-performance, low-latency links between two specific workloads, you use Peering. If you need to manage a massive web of hundreds of VPCs and on-premises sites, you use Transit Gateway. If you need to expose a specific application to a customer without exposing your whole network, you use PrivateLink. The choice depends on the balance between granularity and scalability.
Formula / Concept Box
| Feature | VPC Peering | Transit Gateway (TGW) | AWS PrivateLink |
|---|---|---|---|
| Topology | Mesh (1-to-1) | Hub-and-Spoke | Client-Server |
| Routing | Layer 3 (IP-to-IP) | Layer 3 (Transitive) | Layer 4 (TCP/UDP) |
| Overlapping IPs | Not Supported | Not Supported | Supported |
| Bandwidth | No aggregate limit | 50 Gbps per VPC attachment | High (Scales with NLB) |
| Complexity | High at scale (full mesh needs n(n-1)/2 connections) | Low at scale | Low (Specific services) |
Hierarchical Outline
- VPC Peering (The Point-to-Point Solution)
- Direct Connection: Uses AWS backbone; no single point of failure.
- Constraints: No transitive routing; cannot use a peer's IGW/VGW for internet/VPN.
- Cost: No hourly charge; only data transfer fees.
- AWS Transit Gateway (The Network Hub)
- Scalability: Connects thousands of VPCs and on-premises environments.
- Centralized Control: Simplifies routing tables and security inspection (East-West traffic).
- Inter-region: TGWs can be peered across regions.
- AWS PrivateLink (The Service Exporter)
- Security: Traffic never leaves the AWS backbone; no IGW needed.
- Overlapping CIDRs: Solves the IP exhaustion/overlap issue using ENIs in the consumer VPC.
- Directionality: One-way (Consumer initiates to Provider).
Visual Anchors
Multi-VPC Topology Comparison
PrivateLink Architecture
Definition-Example Pairs
- Nontransitive Peering: If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot talk to VPC C through B.
- Example: A shared "Services" VPC connects to multiple clients; clients cannot see each other through the Services VPC.
- Interface Endpoint: An Elastic Network Interface (ENI) with a private IP address, placed in a subnet, that represents an external service.
- Example: Placing an Interface Endpoint for Amazon S3 in your VPC so your EC2 instances can upload logs without using an Internet Gateway.
- VPC Sharing: Allowing multiple AWS accounts in the same Organization to create resources (EC2, RDS) in the same VPC subnets.
- Example: A central Networking team creates a large VPC and shares subnets with the Development team, reducing the need for peering or TGWs.
Worked Examples
Scenario: The Scaling Dilemma
Problem: A company has 5 VPCs that all need to communicate. They currently use VPC Peering. They plan to add 15 more VPCs next month.
Step 1: Calculate current peering connections. Formula: a full mesh of $n$ VPCs needs $n(n-1)/2$ peerings. For 5 VPCs: $5(4)/2 = 10$ peering connections.
Step 2: Calculate future peering connections. For 20 VPCs: $20(19)/2 = 190$ peering connections.
Step 3: Analyze the overhead. Managing 190 routing table entries manually is error-prone.
Solution: Implement AWS Transit Gateway. Instead of 190 connections, the company creates 1 TGW and 20 attachments. Routing is consolidated into the TGW route table, allowing for centralized security inspection and simpler management.
Checkpoint Questions
- Why would an architect choose PrivateLink over VPC Peering when connecting to a 3rd party vendor's application?
- True or False: You can use a VPC Peer connection to access the Internet via a peered VPC's Internet Gateway.
- Which service is required if you need to support Multicast traffic between VPCs?
- How does AWS RAM facilitate VPC Sharing?
Answers
- PrivateLink handles overlapping CIDR blocks and provides better security by only exposing a specific service rather than the entire network layer.
- False. VPC Peering does not support edge-to-edge routing or transitive IGW access.
- AWS Transit Gateway.
- AWS RAM allows a resource owner (e.g., a Network Admin) to share subnets with other accounts (Participants) so they can launch resources into a centrally managed network.
Muddy Points & Cross-Refs
- The "Transitive" Trap: Students often assume that because they can route from VPC A to TGW and TGW to VPC B, that "Transitive" means any connection is possible. Remember: TGW supports transitive routing, but VPC Peering does not.
- PrivateLink vs. Peering for Overlaps: If two VPCs both use 10.0.0.0/16, Peering is physically impossible. You must use PrivateLink or a NAT solution.
- Cross-Ref: For more on on-premises connectivity, see the Direct Connect & Site-to-Site VPN Study Guide.
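The following Python helper is an added example, not part of the study guide. It applies the Scaling Dilemma formula, counts the routes each VPC must carry under a full mesh of peerings versus a TGW hub, flags overlapping CIDRs that rule out layer-3 peering (the PrivateLink vs. Peering muddy point), and models the "Transitive Trap": peering reachability requires a direct peer, while TGW reachability only requires attachment. The VPC inventory is constructed, and the TGW model assumes a single route table with all attachments propagated into it.

```python
from itertools import combinations
from ipaddress import ip_network

# Constructed sample inventory (not from the guide): VPC name -> CIDR.
# "D" deliberately reuses A's range to trigger the overlap check.
VPCS = {
    "A": "10.0.0.0/16",
    "B": "10.1.0.0/16",
    "C": "10.2.0.0/16",
    "D": "10.0.0.0/16",
}

def full_mesh_peerings(n):
    """Peering connections needed for a full mesh of n VPCs: n(n-1)/2."""
    return n * (n - 1) // 2

def routes_per_vpc(n, mode):
    """Route-table entries each VPC carries for inter-VPC traffic.
    Mesh peering: one route per peer (n-1). TGW hub: one summary route
    pointing at the TGW attachment (assumed single TGW route table)."""
    if mode == "peering":
        return n - 1
    if mode == "tgw":
        return 1
    raise ValueError(f"unknown mode: {mode}")

def overlapping_pairs(vpcs):
    """Pairs whose CIDRs overlap; neither peering nor TGW can route them."""
    return sorted(
        (a, b) for a, b in combinations(sorted(vpcs), 2)
        if ip_network(vpcs[a]).overlaps(ip_network(vpcs[b]))
    )

def peering_reachable(peerings, src, dst):
    """VPC peering is non-transitive: only a direct peering counts,
    so A<->B plus B<->C never lets A reach C."""
    return frozenset((src, dst)) in {frozenset(p) for p in peerings}

def tgw_reachable(attachments, src, dst):
    """TGW routing is transitive: any two attached VPCs can route
    (assuming one route table with all attachments propagated)."""
    return src in attachments and dst in attachments and src != dst

def plan(vpcs):
    """Summarise the mesh-vs-hub trade-off for an inventory of VPCs."""
    n = len(vpcs)
    return {
        "mesh_peerings": full_mesh_peerings(n),
        "tgw_attachments": n,
        "routes_per_vpc_mesh": routes_per_vpc(n, "peering"),
        "routes_per_vpc_tgw": routes_per_vpc(n, "tgw"),
        "overlaps": overlapping_pairs(vpcs),
    }
```

Running `plan(VPCS)` on the constructed inventory reports 6 mesh peerings versus 4 TGW attachments and flags the A/D overlap that would block either layer-3 option.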
Comparison Tables: Routing Limits
| Limit | VPC Peering | Transit Gateway |
|---|---|---|
| Max Active Connections | 125 per VPC | 5,000 per TGW |
| Route Propagation | Manual Table Updates | Dynamic (BGP/Propagations) |
| Security Groups | Can reference Peer SG (Same Region) | Cannot reference SG across TGW |
| Latency | Lowest (Direct) | Slightly higher (one extra hop) |