Networking Services of VPCs: AWS Advanced Networking Study Guide
This study guide covers the architectural patterns and AWS services used to interconnect Virtual Private Clouds (VPCs) and external networks, specifically focused on the requirements for the AWS Certified Advanced Networking - Specialty (ANS-C01) exam.
Learning Objectives
After studying this document, you should be able to:
- Differentiate between VPC Peering, Transit Gateway, and VPC Sharing.
- Explain the concept of non-transitive routing in VPC Peering.
- Configure multi-account networking using AWS Resource Access Manager (RAM).
- Identify use cases for AWS PrivateLink versus standard VPC interconnects.
- Understand the differences between a Transit Gateway service and a Transit VPC architecture.
Key Terms & Glossary
- VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
- VPC Sharing: A feature allowing multiple AWS accounts to create their application resources (EC2, RDS) into shared, centrally managed subnets.
- AWS RAM (Resource Access Manager): A service that shares AWS resources (such as subnets or transit gateways) with other accounts, organizational units, or an entire AWS Organization; the receiving accounts see and use the shared resource without owning it.
- Transitive Routing: The ability for traffic to pass through an intermediate network component to reach a destination (e.g., A → B → C). VPC Peering does not support this.
- SD-WAN: Software-Defined Wide Area Network; a virtual WAN architecture that allows enterprises to leverage any combination of transport services to connect users to applications.
The "Big Idea"
The "Big Idea" of VPC networking is the shift from isolated silos to a centrally managed, scalable fabric. In a modern AWS environment, you rarely manage a single VPC. You manage hundreds. The challenge is balancing connectivity (allowing services to talk) with segregation (security boundaries). Services like Transit Gateway act as the "cloud router" to simplify this complexity, while VPC Sharing optimizes IP space and cost.
Formula / Concept Box
| Feature | VPC Peering | Transit Gateway | VPC Sharing |
|---|---|---|---|
| Topology | Mesh / Point-to-Point | Hub-and-Spoke | Shared Subnet |
| Transitive? | No | Yes | N/A (Local Routing) |
| Bandwidth | No aggregate limit (bounded by the instance/ENI) | Per-attachment quota (50 Gbps in older exam material; the current published quota is 100 Gbps per VPC attachment) | Local VPC speed |
| Management | Decentralized | Centralized | Centralized IP/Subnet |
Hierarchical Outline
- VPC Interconnectivity Models
  - VPC Peering
    - Point-to-point connections
    - No bandwidth bottleneck or single point of failure
    - Non-transitive: traffic cannot hop through a peer to a third VPC
  - Transit Gateway (TGW)
    - Regional hub for VPCs and on-premises networks
    - Supports transitive routing
    - Scale-out architecture using attachments
- Multi-Account Strategies
  - VPC Sharing
    - Uses AWS Resource Access Manager (RAM)
    - Participants manage their own resources; owners manage infrastructure (subnets, IGWs, VGWs)
    - Shared security group limitation: a participant cannot launch resources into a security group owned by another account
  - AWS Organizations
    - Required for VPC Sharing (participants must belong to the same Organization) and for consolidated billing
- Hybrid & Wide Area Networking
  - SD-WAN & MPLS
    - MPLS forwards on short path labels rather than IP destination lookups
    - Transit Gateway Connect for SD-WAN integration
Visual Anchors
VPC Peering vs. Transit Gateway Routing
Architectural Layering of VPC Sharing
Definition-Example Pairs
- Non-Transitive Peering: A connection where VPC A can talk to VPC B, and VPC B can talk to VPC C, but A cannot talk to C through B.
  Example: If you peer your Prod VPC to a Shared Services VPC, and your Dev VPC to the same Shared Services VPC, Dev and Prod remain isolated from each other.
- VPC Sharing: The act of making one VPC's subnets available to other accounts in the same AWS Organization.
  Example: A central Network Team creates a large VPC with specific IP ranges and shares subnets with the DevOps team so they don't have to manage their own gateways or VPNs.
- MPLS (Multiprotocol Label Switching): A routing technique that directs data from one node to the next based on short path labels rather than long network addresses.
  Example: A carrier-provided corporate backbone (for example from AT&T or Verizon) connecting branch offices to an AWS Direct Connect location.
Worked Examples
Scenario 1: Scaling Connections
Problem: A company has 50 VPCs that all need to communicate with each other. Should they use VPC Peering or Transit Gateway?
Step-by-Step Breakdown:
- Calculate peerings: For a full mesh of $N$ VPCs, the number of peering connections is $\frac{N(N-1)}{2}$. For 50 VPCs that is $\frac{50 \times 49}{2} = 1{,}225$ connections.
- Assess management: Each VPC's route table needs a route to every one of its 49 peers (roughly 2,450 route entries across the fleet), and adding one more VPC means 50 new peering requests and acceptances plus a route update in every existing VPC. Operating 1,225 peering handshakes this way is impractical.
- Evaluate TGW: With Transit Gateway you need 50 attachments (one per VPC), and each VPC route table needs a single route pointing at the TGW. Routing between VPCs is held centrally in the TGW route table(s).
- Conclusion: Use Transit Gateway. It reduces complexity from $O(N^2)$ to $O(N)$.
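The non-transitive peering example above (Prod and Dev both peered to a Shared Services VPC) and Scenario 1, carried into a small forward-path simulator. This is an added Python example written for this guide; it is not AWS code and not part of the original page. The VPC names, CIDRs and the identifiers pcx-prod-shared, pcx-dev-shared, tgw-hub and rtb-* are constructed for illustration, and only the forward direction of a packet is modelled (return routes are assumed to mirror it). It goes slightly beyond the text by also showing how separate TGW route tables keep Dev and Prod apart even though a TGW is transitive.

```python
"""Route-reachability model for VPC Peering versus Transit Gateway.

Added example for this study guide, not AWS code. It reproduces, in a small
simulator, the forwarding rules that make VPC Peering non-transitive and a
Transit Gateway (TGW) transitive, on a constructed topology of three VPCs:
Shared Services (10.0.0.0/16), Prod (10.1.0.0/16) and Dev (10.2.0.0/16).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    name: str
    cidr: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target


@dataclass
class Tgw:
    associations: dict  # VPC name -> TGW route table its attachment is associated with
    route_tables: dict  # TGW route table id -> {destination CIDR: VPC name of the attachment}


def longest_match(routes, dst):
    """Longest-prefix match, as a VPC or TGW route table does."""
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def reachable(src, dst_ip, vpcs, peerings=None, tgw=None):
    """True if a packet from VPC `src` to `dst_ip` is delivered to a VPC that owns that address."""
    dst = ipaddress.ip_address(dst_ip)
    target = longest_match(vpcs[src].routes, dst)
    if target is None:
        return False
    if target == "local":
        return dst in ipaddress.ip_network(vpcs[src].cidr)
    if target.startswith("pcx-"):
        # A peering connection is a point-to-point link between exactly two VPCs.
        a, b = peerings[target]
        peer = b if a == src else a
        # The peer delivers only to its own CIDR. It never forwards a packet that
        # arrived over a peering to another pcx or a tgw: that is non-transitivity.
        return dst in ipaddress.ip_network(vpcs[peer].cidr)
    if target.startswith("tgw-"):
        # The TGW looks up the route table associated with the *source* attachment,
        # which is what lets separate route tables segment Dev from Prod.
        rtb = tgw.associations[src]
        next_vpc = longest_match(tgw.route_tables[rtb], dst)
        if next_vpc is None:
            return False
        return dst in ipaddress.ip_network(vpcs[next_vpc].cidr)
    return False


# Constructed topology (hypothetical names and ids).
CIDRS = {"Shared": "10.0.0.0/16", "Prod": "10.1.0.0/16", "Dev": "10.2.0.0/16"}


def peering_topology():
    """Prod and Dev each peered to Shared, as in the definition example."""
    vpcs = {n: Vpc(n, c, {c: "local"}) for n, c in CIDRS.items()}
    peerings = {"pcx-prod-shared": ("Prod", "Shared"), "pcx-dev-shared": ("Dev", "Shared")}
    vpcs["Prod"].routes["10.0.0.0/16"] = "pcx-prod-shared"
    vpcs["Dev"].routes["10.0.0.0/16"] = "pcx-dev-shared"
    vpcs["Shared"].routes["10.1.0.0/16"] = "pcx-prod-shared"
    vpcs["Shared"].routes["10.2.0.0/16"] = "pcx-dev-shared"
    # A tempting but useless route: send Dev traffic "via" Shared. Peering does not relay it.
    vpcs["Prod"].routes["10.2.0.0/16"] = "pcx-prod-shared"
    return vpcs, peerings


def tgw_topology(segmented):
    """All three VPCs attached to one TGW; every VPC sends 10.0.0.0/8 to the hub."""
    vpcs = {n: Vpc(n, c, {c: "local", "10.0.0.0/8": "tgw-hub"}) for n, c in CIDRS.items()}
    if segmented:
        # One TGW route table per environment: spokes see only Shared; Shared sees both.
        tgw = Tgw(
            associations={"Prod": "rtb-prod", "Dev": "rtb-dev", "Shared": "rtb-shared"},
            route_tables={
                "rtb-prod": {"10.0.0.0/16": "Shared"},
                "rtb-dev": {"10.0.0.0/16": "Shared"},
                "rtb-shared": {"10.1.0.0/16": "Prod", "10.2.0.0/16": "Dev"},
            },
        )
    else:
        # A single flat route table: every attachment reaches every other (transitive).
        flat = {c: n for n, c in CIDRS.items()}
        tgw = Tgw(associations={n: "rtb-flat" for n in CIDRS}, route_tables={"rtb-flat": flat})
    return vpcs, tgw


def full_mesh_peerings(n):
    """Peering connections needed for a full mesh of n VPCs: n(n-1)/2."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    vpcs, pcx = peering_topology()
    print("peering  Prod->Shared        :", reachable("Prod", "10.0.1.10", vpcs, peerings=pcx))
    print("peering  Prod->Dev via Shared:", reachable("Prod", "10.2.1.10", vpcs, peerings=pcx))
    vpcs, hub = tgw_topology(segmented=False)
    print("flat TGW Prod->Dev           :", reachable("Prod", "10.2.1.10", vpcs, tgw=hub))
    vpcs, hub = tgw_topology(segmented=True)
    print("seg. TGW Prod->Dev           :", reachable("Prod", "10.2.1.10", vpcs, tgw=hub))
    print("full mesh of 50 VPCs needs   :", full_mesh_peerings(50), "peerings")
```

The peering run shows the route `10.2.0.0/16 -> pcx-prod-shared` in Prod is a blackhole, not a path: Shared receives the packet and has nowhere to deliver it. The two TGW runs show the other half of the exam point: a TGW is transitive, so isolation between Dev and Prod is a deliberate choice made with separate TGW route tables, not a property you get for free.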
Checkpoint Questions
- Does VPC Peering have a bandwidth limitation compared to Transit Gateway?
- Can a participant in a Shared VPC delete the Subnet they are using?
- What service is required to enable VPC Sharing across AWS Accounts?
- Why might you choose a "Transit VPC" (EC2-based) over an AWS native Transit Gateway?
▶Click to see answers
- No, VPC Peering has no aggregate bandwidth limit; throughput is bounded only by the instance and ENI. TGW has a per-attachment quota (50 Gbps in older exam material; the current published quota is 100 Gbps per VPC attachment).
- No, only the VPC Owner can manage/delete infrastructure like subnets.
- AWS Resource Access Manager (RAM) and AWS Organizations.
- To run third-party firewall or routing software in the transit path (features the native service does not offer), or, before TGW inter-Region peering existed, to stitch Regions together.
Muddy Points & Cross-Refs
- Peering vs. TGW Cost: Peering has no connection charge (you pay only for data transfer). TGW charges an hourly fee per attachment plus a per-GB data processing fee. For a small number of VPCs, or for a pair of VPCs that move a lot of traffic between them, peering is cheaper; TGW pays for itself in operational simplicity once the VPC count grows.
- Security Groups in VPC Sharing: Remember that participants cannot reference security groups from other accounts in their own security group rules. This is a common exam "gotcha."
- PrivateLink: Unlike Peering/TGW, PrivateLink is for service-specific connectivity (one-way exposure) and is the best solution for overlapping CIDRs.
Comparison Tables
Interconnectivity Comparison
| Attribute | VPC Peering | Transit Gateway | AWS PrivateLink |
|---|---|---|---|
| Connectivity | Full Network (L3) | Full Network (L3) | Service-specific (L4) |
| IP Overlap | Not Allowed | Possible (with NAT) | Allowed (NAT-less) |
| Ease of Use | High (for 2 VPCs) | High (for many VPCs) | Moderate (Interface EP) |
| Data Charges | Standard Inter-AZ | Per GB Processed | Per GB Processed |
| Security | Security Group Refs | Network ACLs/TGW Tables | IAM & Endpoint Policies |
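Two of the table's rows translate directly into checks a network team can run from inventory data: "IP Overlap: Not Allowed" for peering, and the non-transitivity gotcha from the Muddy Points. The following Python is an added example written for this guide, not AWS code and not from the original page. It runs over constructed data shaped like the `Routes` entries of `aws ec2 describe-route-tables` (the `VpcPeeringConnectionId` field is real) and a simplified VPC-to-CIDR inventory; the VPC and peering ids are hypothetical.

```python
"""Static pre-flight and audit checks for VPC peering.

Added example for this study guide, not AWS code. It runs over constructed data
shaped like `aws ec2 describe-route-tables` output (Routes with
VpcPeeringConnectionId) and a simplified VPC -> CIDR inventory. Two checks:

1. can_peer(): AWS refuses a peering request when any CIDR of the two VPCs
   overlaps, primary or secondary, so check all of them before requesting it.
2. unreachable_pcx_routes(): a route that targets a peering connection delivers
   only to the peer's own CIDRs, because peering is non-transitive. A destination
   outside those CIDRs (or wider than them) silently drops some or all traffic.
"""
import ipaddress

# Constructed inventory (hypothetical ids): VPC id -> its CIDR blocks, primary first.
VPCS = {
    "vpc-prod":    ["10.1.0.0/16"],
    "vpc-dev":     ["10.2.0.0/16"],
    "vpc-shared":  ["10.0.0.0/16", "100.64.0.0/16"],    # has a secondary CIDR
    "vpc-partner": ["172.16.0.0/16", "10.1.128.0/17"],  # secondary overlaps vpc-prod
}

# Constructed peering connections: pcx id -> (requester VPC, accepter VPC).
PEERINGS = {
    "pcx-prod-shared": ("vpc-prod", "vpc-shared"),
    "pcx-dev-shared": ("vpc-dev", "vpc-shared"),
}

# Constructed route tables, trimmed to the fields the checks use.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-prod", "VpcId": "vpc-prod", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-prod-shared"},
        {"DestinationCidrBlock": "100.64.0.0/16", "VpcPeeringConnectionId": "pcx-prod-shared"},
        # Attempt to reach Dev "through" Shared: never delivered (non-transitive).
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-prod-shared"},
    ]},
    {"RouteTableId": "rtb-dev", "VpcId": "vpc-dev", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
        # Wider than Shared's CIDRs: 10.0.x.x delivers, the rest of 10/8 is dropped.
        {"DestinationCidrBlock": "10.0.0.0/8", "VpcPeeringConnectionId": "pcx-dev-shared"},
    ]},
]


def overlapping_cidrs(cidrs_a, cidrs_b):
    """All (a, b) pairs, one CIDR from each VPC, that overlap."""
    return [(a, b) for a in cidrs_a for b in cidrs_b
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def can_peer(vpc_a, vpc_b, vpcs=VPCS):
    """Peering is only possible when no CIDR (primary or secondary) overlaps."""
    return not overlapping_cidrs(vpcs[vpc_a], vpcs[vpc_b])


def unreachable_pcx_routes(route_tables=ROUTE_TABLES, peerings=PEERINGS, vpcs=VPCS):
    """Routes to a pcx whose destination is not contained in one of the peer's CIDRs.

    Returns (route table id, destination, pcx id, peer VPC id) per finding.
    """
    findings = []
    for rtb in route_tables:
        for route in rtb["Routes"]:
            pcx = route.get("VpcPeeringConnectionId")
            if pcx is None:
                continue
            a, b = peerings[pcx]
            peer = b if rtb["VpcId"] == a else a
            dst = ipaddress.ip_network(route["DestinationCidrBlock"])
            if not any(dst.subnet_of(ipaddress.ip_network(c)) for c in vpcs[peer]):
                findings.append((rtb["RouteTableId"], str(dst), pcx, peer))
    return findings


if __name__ == "__main__":
    print("prod <-> shared peerable:", can_peer("vpc-prod", "vpc-shared"))
    print("prod <-> partner peerable:", can_peer("vpc-prod", "vpc-partner"),
          overlapping_cidrs(VPCS["vpc-prod"], VPCS["vpc-partner"]))
    for finding in unreachable_pcx_routes():
        print("blackhole/over-wide pcx route:", finding)
```

The second finding (a `/8` pointed at a `/16` peer) is the one that bites in practice: it looks like a convenient summary route, but every address in the aggregate that is not in the peer's CIDR is dropped at the peering, and a later "I'll add 10.3.0.0/16 via a new peering" route only wins if it is more specific. When overlapping CIDRs are the blocker, the table's PrivateLink row is the answer, not NAT through a TGW.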
[!IMPORTANT] For the ANS-C01 exam, always prioritize VPC Sharing when the goal is to reduce NAT Gateway costs and centralize IP management, and Transit Gateway when the goal is transitive routing and hub-and-spoke scaling.