AWS Advanced Networking: Inter-VPC & Multi-Account Connectivity

This study guide covers the strategies and services used to interconnect AWS VPCs, on-premises networks, and multi-account environments, focusing on scalability, security, and performance.

Learning Objectives

• Evaluate the trade-offs between VPC Peering, Transit Gateway, and PrivateLink.
• Design a hub-and-spoke network architecture using AWS Transit Gateway.
• Implement hybrid connectivity with SD-WAN and MPLS using Transit Gateway Connect.
• Understand routing protocols (BGP) and encapsulation (GRE) in complex AWS environments.
• Manage IP address overlaps and resource sharing via AWS RAM and VPC Sharing.

Key Terms & Glossary

• Transitive Routing: The ability for traffic to pass through a middle network to reach a destination. (VPC Peering does not support this; Transit Gateway does).
• VPC Peering: A networking connection between two VPCs that enables routing of traffic between them using private IPv4/IPv6 addresses.
• Transit Gateway (TGW): A network transit hub used to interconnect VPCs and on-premises networks.
• TGW Connect: A feature that simplifies SD-WAN integration by using GRE tunnels and BGP for dynamic routing.
• BGP (Border Gateway Protocol): The standardized exterior gateway protocol used to exchange routing and reachability information.
• VPC Sharing: Allows multiple AWS accounts to create their application resources (EC2, RDS) into shared, centrally managed Amazon VPCs.

The "Big Idea"

As organizations grow from single-account/single-VPC setups to massive multi-account architectures, the networking complexity scales exponentially. The "Big Idea" is the transition from a decentralized mesh (where every VPC must be manually peered with every other VPC) to a centralized hub-and-spoke model. AWS Transit Gateway acts as the "Cloud Router," simplifying management, enabling transitive routing, and allowing for massive scalability that point-to-point peering cannot match.

Formula / Concept Box

Hierarchical Outline

• I. Inter-VPC Connectivity Patterns
  • VPC Peering: Direct connection; no single point of failure; no bandwidth bottlenecks; no transitive routing.
  • VPC Sharing: Centralized network management; subnets shared via AWS RAM; accounts own resources but not the VPC.
• II. AWS Transit Gateway (TGW)
  • Centralized Hub: Simplifies connectivity across thousands of VPCs and accounts.
  • Routing: Uses BGP for dynamic updates; supports Multicast.
  • Attachments: VPCs, VPNs, Direct Connect Gateways, and Peered TGWs.
• III. Hybrid & Third-Party Integration
  • SD-WAN: Integrated via TGW Connect using GRE tunnels.
  • MPLS: Often terminated at a Direct Connect location and integrated via TGW.
• IV. Routing Strategy
  • Static Routing: Required for VPCs to send traffic to TGW.
  • Dynamic Routing: BGP used between TGW and on-premises/SD-WAN.

Visual Anchors

Transit Gateway Hub-and-Spoke Architecture

BGP Routing over TGW Connect

\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, rounded corners, align=center}] \node (tgw) {AWS Transit Gateway}; \node (connect) [right=of tgw, fill=gray!20] {TGW Connect Attachment}; \node (sdwan) [right=of connect] {SD-WAN Virtual Appliance$Partner Node)};

\end{tikzpicture}

Definition-Example Pairs

• VPC Peering: A networking connection that routes traffic between VPCs using private IP addresses as if they are in the same network.
  • Example: A small startup has two VPCs (App and Database) and needs a simple, high-bandwidth connection between them without adding management overhead.
• Transit Gateway Connect: A sub-feature of TGW that enables native integration of SD-WAN appliances into AWS.
  • Example: A global corporation uses Cisco SD-WAN to connect branch offices; they use TGW Connect to automatically propagate routes from those branches into their AWS VPCs.
• Generic Routing Encapsulation (GRE): A tunneling protocol used to encapsulate a wide variety of network layer protocols inside virtual point-to-point links.
  • Example: TGW Connect uses GRE to wrap BGP traffic between the Transit Gateway and a third-party firewall appliance.

Worked Examples

Problem: Resolving a Mesh Network Complexity

Scenario: A company has 10 VPCs that all need to talk to each other. They currently use VPC Peering.

1. Calculate Peerings: Using the formula $n(n-1)/2, for 10 VPCs, they need 10(9)/2 = 45$ peering connections.
2. The Issue: Adding the 11th VPC requires 10 new peerings and 10 route table updates across all VPCs.
3. The Solution: Replace mesh peering with a Transit Gateway.
   • Step 1: Create a Transit Gateway in the central account.
   • Step 2: Create a TGW Attachment for each of the 10 VPCs.
   • Step 3: In each VPC route table, add a single entry: 0.0.0.0/0 (or the internal CIDR block) pointing to the tgw-id.
   • Result: Management reduces from 45 connections to 10 attachments.

Checkpoint Questions

1. Does VPC Peering support transitive routing? (e.g., if VPC A is peered with B, and B with C, can A talk to C?)
2. Which protocol does Transit Gateway use to automatically update routing tables between regions or on-premises?
3. What is the main advantage of VPC Sharing over VPC Peering for a dev/test team?
4. Which feature of Transit Gateway specifically supports SD-WAN and uses GRE tunnels?

[!NOTE] Answers:

1. No. VPC Peering is non-transitive.
2. BGP (Border Gateway Protocol).
3. Reduced IP duplication and simplified management while maintaining account-level resource ownership.
4. Transit Gateway Connect.

Muddy Points & Cross-Refs

• TGW vs. PrivateLink: Learners often confuse these. Remember: TGW provides full network-to-network IP connectivity (Layer 3). PrivateLink provides access to a specific application via an IP in your subnet (Layer 4), usually for service providers.
• IPv6 on TGW: Even if you only route IPv6, the BGP peering for TGW actually occurs over IPv4 using MP-BGP (Multi-Protocol BGP).
• Further Study: See Unit 3 for details on Direct Connect Gateway and Unit 4 for Network Firewall integration with TGW.

Comparison Tables

Routing Methods Comparison