AWS Network Connectivity Selection: VPC Peering, Transit Gateway, and Proxy Patterns
Choosing between VPC peering, proxy patterns, or a transit gateway connection based on analysis of the network requirements provided
This study guide explores the decision-making process for selecting the optimal AWS networking architecture. For the ANS-C01 exam, you must be able to analyze requirements for scale, cost, management overhead, and performance to choose between 1-to-1 peering, hub-and-spoke models, or service-specific patterns.
Learning Objectives
- Analyze Scale Requirements: Determine when the number of VPCs necessitates a transition from peering to Transit Gateway.
- Identify Transitive Routing Constraints: Understand why VPC peering cannot be used for multi-hop communication.
- Cost Optimization: Compare data transfer costs of peering vs. the data processing charges of Transit Gateway.
- Architectural Selection: Select between VPC Peering, Transit Gateway, and PrivateLink/Proxy patterns based on specific security and compliance needs.
Key Terms & Glossary
- VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
- Transit Gateway (TGW): A network transit hub used to interconnect Virtual Private Clouds (VPCs) and on-premises networks.
- Transitive Routing: The ability to route traffic from one network through a second network to a third. (Note: VPC Peering does not support this).
- Hub-and-Spoke: A network topology where all secondary networks (spokes) connect to a single central point (hub).
- AWS PrivateLink: Technology that provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
The "Big Idea"
In AWS networking, there is a fundamental shift from point-to-point connectivity to centralized management. Small environments with two or three VPCs benefit from the simplicity and low cost of VPC Peering. However, as an organization scales to dozens or hundreds of VPCs, the "mesh" of peering connections becomes an unmanageable "spaghetti" of routes. The Transit Gateway acts as a regional router, simplifying the architecture by providing a single point of control for routing, security, and inspection.
Formula / Concept Box
| Feature | VPC Peering | Transit Gateway | PrivateLink / Proxy |
|---|---|---|---|
| Topology | 1-to-1 (becomes a full mesh at scale) | Hub-and-Spoke | Client-to-Service |
| Transitive | No | Yes | No (only the exposed service is reachable, not the provider's network) |
| Overlapping CIDRs | Not allowed | VPCs can be attached, but a TGW route table holds one route per prefix, so overlapping VPCs cannot both be routed | Allowed (the consumer only sees an endpoint ENI in its own VPC) |
| Bandwidth | No peering-specific limit (bounded by instance and ENI limits) | Up to 50 Gbps per VPC attachment (documented quota; check current limits) | Up to 10 Gbps per AZ per interface endpoint, bursting higher |
| Cost | Data transfer only (same-AZ traffic free; cross-AZ and inter-region charged per GB) | Hourly per attachment + per-GB data processing | Hourly per endpoint per AZ + per-GB data processing |
| Inter-Region | Supported (MTU limited to 1500 bytes) | Supported via TGW peering | Supported (cross-region endpoint support is a newer feature; older designs reached a remote-region service through an inter-region peering) |
Hierarchical Outline
- VPC Peering: The Direct Approach
- Characteristics: Low latency, stays on the AWS backbone, no shared hub that can fail or be misconfigured for every VPC at once.
- Ideal Use Case: Database replication between two VPCs in the same region.
- Limitation: No transitive routing (A cannot talk to C through B).
- AWS Transit Gateway: The Scalable Hub
- Characteristics: Centralized routing, supports thousands of VPCs, simplified VPN/Direct Connect management.
- TGW Connect: Supports GRE tunnels for SD-WAN integration.
- Security: Facilitates "Inspection VPC" patterns for centralized firewalls.
- Proxy & PrivateLink Patterns: The Service-Specific Approach
- PrivateLink: Exposes a specific service (fronted by an NLB or Gateway Load Balancer) to consumer VPCs as an endpoint ENI; the consumer never gets a route into the provider's network, and overlapping CIDRs are not a problem.
- Proxies: Used for protocol translation, data scrubbing, or filtering (e.g., Squid for HTTP egress).
Visual Anchors
Architectural Comparison
Decision Tree for Connectivity
Definition-Example Pairs
- Transitive Routing:
- Definition: A network property where traffic can pass through an intermediate gateway to reach a destination.
- Example: VPC A is connected to a Transit Gateway, which is connected to VPC B. VPC A can reach VPC B without a direct peering connection between them.
- Proxy Pattern:
- Definition: Using an intermediary server to handle requests from clients seeking resources from other servers.
- Example: A fleet of EC2 instances running Squid proxy in a "Shared Services VPC" to filter all outbound internet traffic from 50 different application VPCs.
Worked Examples
Problem 1: The Multi-Account Startup
Scenario: A startup has 3 VPCs in the same region. They need low-latency communication between a web tier and a shared database tier. Cost is a primary concern.
- Analysis: With only 3 VPCs, the number of peering connections is $N(N-1)/2 = 3$, which is manageable. VPC Peering has no hourly attachment charge and no data processing fee (same-AZ traffic is free; cross-AZ traffic is billed per GB), so it is cheaper than TGW at this scale.
- Solution: Use VPC Peering between Web VPCs and the Database VPC.
Problem 2: The Enterprise Global Backbone
Scenario: A multinational corporation has 200 VPCs across 5 regions. They need to inspect all cross-VPC traffic using a third-party appliance.
- Analysis: A full mesh of 200 VPCs would need $200 \times 199 / 2 = 19{,}900$ peering connections, which is unmanageable and also offers no central point at which traffic can be inspected. A hub-and-spoke model is required, and the hub must be able to steer every cross-VPC flow through an inspection point.
- Solution: Deploy a Transit Gateway in each region and peer the Transit Gateways for inter-region traffic. Split TGW routing into a spoke route table (associated with every application VPC attachment and holding only a default route to the Inspection VPC attachment) and an inspection route table (associated with the Inspection VPC attachment, with the spoke CIDRs propagated into it). Enable appliance mode on the Inspection VPC attachment so that both directions of a flow are sent to the same AZ and the firewall sees symmetric traffic.
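The Python model below is an added illustration, not part of the original guide or of any AWS tooling. It simulates the three forwarding rules the guide relies on: a VPC route table is consulted by longest-prefix match, a peering connection only delivers into the peer VPC's own CIDR (so the peer never forwards for a third network), and a Transit Gateway looks up the route table that the ingress attachment is associated with. It reproduces the transitive-routing definition-example pair above and the spoke/inspection route-table design of Problem 2. All VPC names, CIDRs, peering IDs and route-table names are invented for the demo; appliance mode and AZ symmetry are outside what this toy models.

```python
import ipaddress

Net = ipaddress.IPv4Network


def lookup(table, dst):
    """Longest-prefix match over [(prefix, target)] routes; None when nothing matches."""
    best = None
    for prefix, target in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return best[1] if best else None


class Fabric:
    """Toy model of AWS forwarding: VPC route tables, peering connections, one TGW."""

    def __init__(self):
        self.vpcs = {}       # vpc name -> CIDR
        self.vpc_rt = {}     # vpc name -> [(prefix, target)]; target is 'local', a pcx id or 'tgw'
        self.peerings = {}   # pcx id -> (vpc, vpc)
        self.tgw_rt = {}     # TGW route table name -> [(prefix, attachment vpc name)]
        self.tgw_assoc = {}  # attachment vpc name -> TGW route table it is associated with

    def add_vpc(self, name, cidr):
        self.vpcs[name] = Net(cidr)
        self.vpc_rt[name] = [(self.vpcs[name], "local")]

    def add_route(self, vpc, prefix, target):
        self.vpc_rt[vpc].append((Net(prefix), target))

    def peer(self, pcx, a, b):
        """Peering: each side learns a route to the peer's own CIDR and nothing else."""
        self.peerings[pcx] = (a, b)
        self.add_route(a, str(self.vpcs[b]), pcx)
        self.add_route(b, str(self.vpcs[a]), pcx)

    def attach_tgw(self, vpc, assoc_rt, propagate_to=()):
        """Associate the attachment with one TGW route table; propagate its CIDR into others."""
        self.tgw_assoc[vpc] = assoc_rt
        self.tgw_rt.setdefault(assoc_rt, [])
        for rt in propagate_to:
            self.tgw_rt.setdefault(rt, []).append((self.vpcs[vpc], vpc))

    def add_tgw_route(self, rt, prefix, attachment):
        self.tgw_rt.setdefault(rt, []).append((Net(prefix), attachment))

    def trace(self, src, dst_ip, max_hops=8):
        """Return the hop list, ending in 'DELIVERED' or a 'DROPPED: ...' reason."""
        dst = ipaddress.ip_address(dst_ip)
        path, cur = [src], src
        for _ in range(max_hops):
            if dst in self.vpcs[cur]:
                return path + ["DELIVERED"]
            target = lookup(self.vpc_rt[cur], dst)
            if target is None:
                return path + ["DROPPED: no route in VPC route table"]
            if target in self.peerings:
                a, b = self.peerings[target]
                if cur not in (a, b):
                    return path + [f"DROPPED: {target} is not attached to {cur}"]
                peer = b if cur == a else a
                # A peering delivers only to addresses inside the peer VPC's own CIDR.
                if dst not in self.vpcs[peer]:
                    return path + [target, "DROPPED: peering is not transitive"]
                path += [target, peer]
                cur = peer
            elif target == "tgw":
                # Ingress lookup uses the route table the sending attachment is associated with.
                rt = self.tgw_assoc[cur]
                nxt = lookup(self.tgw_rt[rt], dst)
                if nxt is None:
                    return path + [f"tgw:{rt}", "DROPPED: no route in TGW route table"]
                path += [f"tgw:{rt}", nxt]
                cur = nxt
            else:
                return path + [f"DROPPED: unknown target {target}"]
        return path + ["DROPPED: hop limit"]


def demo_peering_chain():
    """A<->B and B<->C are peered; A tries to reach C 'through' B."""
    f = Fabric()
    for n, c in [("A", "10.1.0.0/16"), ("B", "10.2.0.0/16"), ("C", "10.3.0.0/16")]:
        f.add_vpc(n, c)
    f.peer("pcx-ab", "A", "B")
    f.peer("pcx-bc", "B", "C")
    f.add_route("A", "10.3.0.0/16", "pcx-ab")   # the tempting but useless 'transit' route
    return f.trace("A", "10.2.0.10"), f.trace("A", "10.3.0.10")


def demo_tgw_hub():
    """The same three VPCs on one TGW route table: any spoke reaches any other spoke."""
    f = Fabric()
    for n, c in [("A", "10.1.0.0/16"), ("B", "10.2.0.0/16"), ("C", "10.3.0.0/16")]:
        f.add_vpc(n, c)
        f.attach_tgw(n, "flat", propagate_to=["flat"])
        f.add_route(n, "10.0.0.0/8", "tgw")
    return f.trace("A", "10.3.0.10")


def demo_tgw_inspection():
    """Problem 2 pattern: spokes only hold a default route to the inspection VPC."""
    f = Fabric()
    for n, c in [("A", "10.1.0.0/16"), ("B", "10.2.0.0/16")]:
        f.add_vpc(n, c)
        f.attach_tgw(n, "spoke", propagate_to=["inspection"])  # spokes appear only in inspection rt
        f.add_route(n, "10.0.0.0/8", "tgw")
    f.add_vpc("inspection", "10.255.0.0/16")
    f.attach_tgw("inspection", "inspection")
    f.add_route("inspection", "10.0.0.0/8", "tgw")        # firewall subnet hands traffic back to the TGW
    f.add_tgw_route("spoke", "0.0.0.0/0", "inspection")   # every spoke flow hits the firewall first
    return f.trace("A", "10.2.0.10"), f.trace("A", "10.9.0.10")


if __name__ == "__main__":
    for result in (demo_peering_chain(), demo_tgw_hub(), demo_tgw_inspection()):
        print(result)
```

Running it shows the three behaviours side by side: the A-to-C attempt over the chained peerings is dropped at `pcx-ab` even though A has a route for C's CIDR, the flat TGW table delivers A-to-C in one hop through the hub, and in the inspection layout every spoke-to-spoke flow is forced through the inspection VPC, while a destination that no spoke propagated into the inspection table is dropped there rather than leaking anywhere.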
Checkpoint Questions
- Does VPC Peering support overlapping CIDR blocks? (Answer: No, the two VPCs' IP ranges must not overlap; if they do, expose the needed service with PrivateLink or a proxy instead of routing between the networks).
- Which service should you choose to connect an on-premises SD-WAN to AWS while supporting BGP? (Answer: Transit Gateway with a TGW Connect attachment, which carries GRE tunnels and BGP over an underlying VPC or Direct Connect attachment).
- You have two VPCs in different regions. Which two methods can provide private connectivity? (Answer: Inter-region VPC Peering or Transit Gateway Inter-region Peering).
Muddy Points & Cross-Refs
- TGW Data Processing: Students often forget that TGW charges per GB processed on top of the hourly attachment fee. For high-volume transfers (like TBs of logs) between VPCs in the same region, VPC Peering is significantly more cost-effective: same-AZ peering traffic is free and cross-AZ traffic is only billed at the per-GB cross-AZ rate.
- MTU Limitations: Intra-region VPC Peering supports jumbo frames (9001 bytes), but inter-region peering is limited to 1500 bytes. Transit Gateway supports 8500 bytes for VPC, Direct Connect, Connect and peering attachments, and 1500 bytes for Site-to-Site VPN attachments.
- Cross-Ref: For more on PrivateLink, see the Network Security & Compliance chapter regarding Service Providers.
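As an added example (not from the original guide or from AWS), the helper below turns the selection criteria used in Problem 1, the TGW data-processing muddy point and the overlapping-CIDR checkpoint question into a reproducible pre-flight check: it flags overlapping CIDRs, counts full-mesh peering connections, and compares a rough monthly cost of peering versus Transit Gateway for the same traffic volume. The prices are assumed illustrative figures for a single region, not current AWS pricing, the `mesh_limit` threshold is an arbitrary assumption, and inter-region data transfer is deliberately not modelled.

```python
import ipaddress
from itertools import combinations

# Assumed illustrative list prices (USD, one region). Verify against current AWS pricing.
TGW_ATTACHMENT_HOUR = 0.05      # per VPC attachment per hour
TGW_PER_GB = 0.02               # per GB processed by the TGW
PEERING_CROSS_AZ_PER_GB = 0.01  # per GB, billed in each direction; same-AZ peering traffic is free
HOURS_PER_MONTH = 730


def overlapping_cidrs(vpcs):
    """Return the VPC name pairs whose CIDRs overlap.

    Any overlap rules out peering between that pair and means a single TGW route table
    cannot route to both VPCs, so the service-level (PrivateLink/proxy) pattern is left.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def peering_connections(n):
    """Full-mesh peering count: every VPC pair needs its own connection."""
    return n * (n - 1) // 2


def monthly_cost(n_vpcs, gb_per_month, cross_az_fraction):
    """Rough monthly cost of peering vs TGW for the same intra-region inter-VPC traffic.

    Peering: only the cross-AZ share is billed, and it is billed in both directions.
    TGW: every attachment accrues hourly charges and every GB is processed once.
    """
    peering = gb_per_month * cross_az_fraction * PEERING_CROSS_AZ_PER_GB * 2
    tgw = n_vpcs * TGW_ATTACHMENT_HOUR * HOURS_PER_MONTH + gb_per_month * TGW_PER_GB
    return {"peering": round(peering, 2), "tgw": round(tgw, 2)}


def recommend(vpcs, gb_per_month, needs_inspection=False, cross_az_fraction=0.5, mesh_limit=10):
    """Pick a pattern from the criteria the worked examples use. Returns (pattern, reason)."""
    clashes = overlapping_cidrs(vpcs)
    if clashes:
        return "privatelink/proxy", f"overlapping CIDRs {clashes}: expose services, do not route networks"
    n = len(vpcs)
    cost = monthly_cost(n, gb_per_month, cross_az_fraction)
    if needs_inspection:
        return "transit-gateway", f"central inspection requires a hub; est. monthly cost {cost}"
    links = peering_connections(n)
    if links <= mesh_limit and cost["peering"] <= cost["tgw"]:
        return "vpc-peering", f"{links} peering connections are manageable; est. monthly cost {cost}"
    return "transit-gateway", f"{links} peering connections exceed the mesh limit of {mesh_limit}; est. monthly cost {cost}"


if __name__ == "__main__":
    # Constructed inputs mirroring the two worked problems plus an overlapping-CIDR case.
    startup = {"web-1": "10.1.0.0/16", "web-2": "10.2.0.0/16", "db": "10.3.0.0/16"}
    print(recommend(startup, gb_per_month=2000))
    enterprise = {f"vpc{i}": f"10.{i}.0.0/16" for i in range(200)}
    print(recommend(enterprise, gb_per_month=50000, needs_inspection=True))
    clash = {"partner": "10.0.0.0/16", "ours": "10.0.1.0/24"}
    print(recommend(clash, gb_per_month=100))
```

The overlap check is the one to run first in practice: it is cheap, it is the constraint that no amount of routing can work around, and it is the case where the answer is a service boundary (PrivateLink or a proxy) rather than a network one.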
Comparison Tables
Scalability vs. Complexity
| Topology | Complexity (N VPCs) | Management | Failure Impact |
|---|---|---|---|
| Full Mesh Peering | O(N^2) connections and route entries | High (every connection and its route pair maintained by hand) | Isolated (one connection affects one VPC pair) |
| Transit Gateway | O(N) attachments | Low (centralized route tables) | Central blast radius (the TGW itself is AWS-managed and multi-AZ, but one bad route-table change affects every attachment) |
| PrivateLink | O(N) endpoints per exposed service | Moderate (per-service endpoints and endpoint policies) | Limited to the one service behind the endpoint |