
AWS Network Connectivity Architectures: Single and Multi-VPC Design

Configuring network connectivity architectures by using AWS services in a single-VPC or multi-VPC design (for example, DHCP, routing, security groups)

This guide covers the fundamental and advanced architectural patterns for connecting AWS environments, focusing on routing, security, and scalability within single and multi-VPC designs.

Learning Objectives

After studying this guide, you should be able to:

  • Design and implement VPC connectivity using Peering, Transit Gateway, and PrivateLink.
  • Configure advanced routing behaviors including static and dynamic (BGP) propagation.
  • Apply security controls at the instance (Security Groups) and subnet (NACL) levels.
  • Manage multi-account networking using AWS Resource Access Manager (RAM) and AWS Organizations.
  • Resolve IP address overlapping issues using NAT and PrivateLink patterns.

Key Terms & Glossary

  • VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IP addresses.
  • Transit Gateway (TGW): A network transit hub used to interconnect VPCs and on-premises networks through a central point.
  • AWS RAM (Resource Access Manager): A service that allows you to share resources (like TGWs or Subnets) across AWS accounts.
  • Security Group (SG): A stateful virtual firewall for EC2 instances to control incoming and outgoing traffic.
  • Network ACL (NACL): A stateless optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
  • PrivateLink: Provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.

The "Big Idea"

The evolution of AWS networking moves from Isolation (Single VPC) to Interconnection (Peering) to Centralization (Transit Gateway). As organizations grow, the "Big Idea" is to treat the network as a modular utility where connectivity is governed by a central hub-and-spoke model, allowing for consistent security inspection and simplified routing management across hundreds of accounts.

Formula / Concept Box

| Feature | Security Group (SG) | Network ACL (NACL) |
| --- | --- | --- |
| Scope | Instance / ENI level | Subnet level |
| State | Stateful (return traffic allowed) | Stateless (return traffic must be explicitly allowed) |
| Rules | Allow rules only | Allow and Deny rules |
| Processing | All rules evaluated before decision | Rules evaluated in numbered order |

[!IMPORTANT] When designing for high availability, always ensure your Transit Gateway attachments and VPC Peering connections span multiple Availability Zones (AZs).

Hierarchical Outline

  • VPC Fundamentals
    • IP Addressing: Designing CIDR blocks and handling secondary CIDRs.
    • DHCP Option Sets: Customizing DNS servers and domain names for internal resolution.
  • Inter-VPC Connectivity
    • VPC Peering: Point-to-point, non-transitive connectivity.
    • Transit Gateway: Hub-and-spoke architecture for scale and multi-account sharing via AWS RAM.
    • Software-Defined WAN (SD-WAN): Integrating third-party appliances via TGW Connect.
  • Hybrid & Private Connectivity
    • PrivateLink: Service-provider model using Interface VPC Endpoints.
    • Site-to-Site VPN: Encrypted tunnels over the internet.
    • Direct Connect: Physical dedicated fiber for low latency.
  • Network Verification
    • Reachability Analyzer: Testing if a path exists between source and destination.
    • VPC Flow Logs: Capturing IP traffic information for auditing.

Visual Anchors

[Diagram: Transit Gateway Hub-and-Spoke Architecture]

[Diagram: Security Layers in a VPC]

Definition-Example Pairs

  • Transitive Routing: The ability for traffic to pass through one component to reach another.
    • Example: In a Transit Gateway setup, VPC A can talk to VPC C by passing through the TGW. This is NOT possible in a standard VPC Peering chain (A-B-C).
  • Overlapping CIDR: When two networks use the same IP address range.
    • Example: Two companies merge; both use 10.0.0.0/16. They cannot peer. They must use PrivateLink or NAT to communicate without re-addressing.
  • Stateful Filtering: The firewall remembers the state of active connections.
    • Example: If you allow inbound traffic on Port 80 in a Security Group, the return traffic from the instance to the client is automatically allowed, regardless of outbound rules.
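To make the SG/NACL differences in the concept box and the stateful-filtering example concrete, here is an added Python model (not from the guide) of how the two evaluate a client's TCP request and its return traffic: the NACL walks rules in numbered order, first match wins, and must carry an explicit outbound allow for the client's ephemeral reply port, while the allow-only Security Group matches any rule and tracks connection state. The rule sets and client addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number (evaluation order); unused for SG rules
    action: str       # "allow" or "deny"; Security Groups only carry "allow"
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str

def _matches(rule, proto, port, ip):
    return (rule.protocol in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))

def nacl_decides(rules, proto, port, ip):
    """Stateless NACL: rules are checked in ascending number order, the first
    match wins, and the implicit '*' rule denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, ip):
            return rule.action == "allow"
    return False

def sg_allows(rules, proto, port, ip):
    """Stateful, allow-only SG: every rule is evaluated; any match permits."""
    return any(_matches(r, proto, port, ip) for r in rules)

def inbound_connection_succeeds(nacl_in, nacl_out, sg_in, client_ip, dst_port, client_port):
    """Request must pass both inbound NACL and SG; the reply must pass the outbound
    NACL. The SG tracks state, so no SG outbound rule is consulted for the reply."""
    request_ok = (nacl_decides(nacl_in, "tcp", dst_port, client_ip)
                  and sg_allows(sg_in, "tcp", dst_port, client_ip))
    reply_ok = nacl_decides(nacl_out, "tcp", client_port, client_ip)
    return request_ok and reply_ok

# Constructed sample rule sets (not from the guide); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for client networks.
SG_IN = [Rule(0, "allow", "tcp", 80, 80, "0.0.0.0/0")]
NACL_IN = [Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0")]
NACL_IN_BLOCKLIST = [Rule(50, "deny", "tcp", 80, 80, "203.0.113.0/24")] + NACL_IN
NACL_OUT_EPHEMERAL = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
NACL_OUT_EMPTY = []   # the ephemeral-port return rule was forgotten

if __name__ == "__main__":
    print(inbound_connection_succeeds(NACL_IN, NACL_OUT_EPHEMERAL, SG_IN, "198.51.100.7", 80, 51234))  # True
    print(inbound_connection_succeeds(NACL_IN, NACL_OUT_EMPTY, SG_IN, "198.51.100.7", 80, 51234))      # False
    print(inbound_connection_succeeds(NACL_IN_BLOCKLIST, NACL_OUT_EPHEMERAL, SG_IN, "203.0.113.9", 80, 51234))  # False
```

The third call is checkpoint question 3 in code: the SG allows port 80, but the NACL's lower-numbered deny wins, so the connection fails.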

Worked Examples

Scenario: Establishing Cross-Account Connectivity for a Shared Service

Goal: VPC A (Account 1) needs access to a Database in VPC B (Account 2).

  1. Requirement: Ensure CIDR blocks do not overlap (e.g., VPC A is 10.1.0.0/16, VPC B is 10.2.0.0/16).
  2. Request: Initiate a Peering Request from Account 1 to Account 2 using the VPC ID and Account ID.
  3. Acceptance: Log into Account 2 and accept the pending peering invitation.
  4. Routing Update:
    • In VPC A Route Table: Add route 10.2.0.0/16 -> pcx-12345 (Peering ID).
    • In VPC B Route Table: Add route 10.1.0.0/16 -> pcx-12345.
  5. Security Update: Update Security Groups in VPC B to allow inbound traffic from the CIDR of VPC A or the specific SG ID (if using SG referencing, only possible within the same region).
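The five steps above, carried through as an added Python planner (example code, not from the guide or from AWS): it checks every CIDR pair for overlap, including secondary CIDRs, emits the route-table entries for both VPCs against the pcx-12345 peering id from the scenario, and chooses SG referencing or a CIDR source for the database Security Group depending on whether the two VPCs share a region. VPC ids, account ids and the SG id are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Vpc:
    vpc_id: str
    account_id: str
    region: str
    cidrs: list        # primary CIDR plus any secondary CIDR blocks
    sg_id: str = ""    # SG on the requesting side, used for SG referencing

def check_no_overlap(a, b):
    """Step 1: every CIDR of one VPC must be disjoint from every CIDR of the other."""
    for x in a.cidrs:
        for y in b.cidrs:
            if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y)):
                raise ValueError(f"{x} overlaps {y}: cannot peer, use PrivateLink or NAT")

def route_entries(remote, pcx_id):
    """Step 4: one static route per remote CIDR, targeting the peering connection."""
    return [(cidr, pcx_id) for cidr in remote.cidrs]

def db_sg_ingress(requester, accepter, port):
    """Step 5: reference the requester's SG only when both VPCs are in the same
    region; otherwise fall back to the requester's CIDR blocks as the source."""
    if requester.region == accepter.region and requester.sg_id:
        return [{"protocol": "tcp", "port": port, "source": requester.sg_id}]
    return [{"protocol": "tcp", "port": port, "source": c} for c in requester.cidrs]

def peering_plan(a, b, pcx_id, db_port):
    check_no_overlap(a, b)
    return {
        # Steps 2 and 3: what Account 1 sends in the request; Account 2 accepts it
        "request": {"requester": a.vpc_id, "peer_vpc": b.vpc_id,
                    "peer_owner": b.account_id, "peer_region": b.region},
        "routes": {a.vpc_id: route_entries(b, pcx_id), b.vpc_id: route_entries(a, pcx_id)},
        "sg_ingress_on_db": db_sg_ingress(a, b, db_port),
    }

# Constructed VPCs (placeholder ids); VPC B also carries a secondary CIDR.
VPC_A = Vpc("vpc-0aaaaaaa", "111111111111", "us-east-1", ["10.1.0.0/16"], sg_id="sg-0appservers")
VPC_B = Vpc("vpc-0bbbbbbb", "222222222222", "us-east-1", ["10.2.0.0/16", "10.3.0.0/16"])

if __name__ == "__main__":
    import json
    print(json.dumps(peering_plan(VPC_A, VPC_B, "pcx-12345", 5432), indent=2))
```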

Checkpoint Questions

  1. What is the primary limitation of VPC Peering that Transit Gateway resolves?
  2. Why would an architect choose PrivateLink over VPC Peering for a service-oriented architecture?
  3. If a packet is dropped by a NACL but allowed by a Security Group, will the connection succeed?
  4. How does AWS RAM facilitate multi-account networking?

Answers

  1. VPC Peering is non-transitive and becomes difficult to manage at scale (mesh topology). TGW provides a central hub.
  2. PrivateLink handles overlapping CIDRs and provides one-way connectivity (provider-to-consumer), reducing the blast radius.
  3. No. Traffic must be allowed by both the NACL and the Security Group.
  4. RAM allows the central networking account to share Transit Gateways, Subnets, and Route 53 Resolver Rules with other accounts in the Organization.

Muddy Points & Cross-Refs

  • SG Referencing: You can reference a Security Group ID in another rule instead of a CIDR. Crucial Note: This works across Peered VPCs only if they are in the same region. It does NOT work over Transit Gateway.
  • MTU Size: Inter-VPC traffic supports Jumbo Frames (9001 MTU) within a region, but traffic over a VPN or Inter-Region Peering is limited to 1500 MTU.
  • Route Propagation: Don't forget that for VPN/Direct Connect, you must enable "Route Propagation" on the VPC Route Table for BGP-learned routes to appear automatically.

Comparison Tables

| Criteria | VPC Peering | Transit Gateway | PrivateLink |
| --- | --- | --- | --- |
| Topology | Mesh (point-to-point) | Hub-and-spoke | Star (provider/consumer) |
| Transitive? | No | Yes | No |
| Overlapping IPs | Not supported | Supported (via NAT/routing) | Fully supported |
| Management | Difficult at scale | Simplified/centralized | Best for SaaS delivery |
| Cost | Data transfer only | Hourly charge + data processing | Hourly charge + data processing |
