Visibility and Management with AWS Transit Gateway Network Manager

This study guide focuses on AWS Transit Gateway (TGW) Network Manager, a centralized service designed to provide visibility and simplify the management of global networks across AWS and on-premises environments.

Learning Objectives

After studying this material, you should be able to:

Define the role of a Global Network and its relationship with Transit Gateways.
Explain how SD-WAN integrations automate site-to-site connectivity.
Identify the specific visibility metrics and events provided by the Network Manager dashboard.
Differentiate between TGW Network Manager, TGW Flow Logs, and VPC Reachability Analyzer.
Map complex network topologies using the service's visualization tools.

Key Terms & Glossary

Global Network: A logical container in Network Manager that represents your entire network (AWS and on-premises).
Transit Gateway (TGW): A regional network hub that connects VPCs and on-premises networks.
SD-WAN (Software-Defined Wide Area Network): A technology that uses software to manage and operate a WAN, often integrating directly with AWS.
Core Network: The part of the network managed by AWS Cloud WAN (often used alongside Network Manager for global orchestration).
On-Premises Device: Physical or virtual appliances located in corporate data centers that connect to AWS via VPN or Direct Connect.

The "Big Idea"

Managing a global network manually is prone to "visibility gaps." AWS Transit Gateway Network Manager acts as the "Single Pane of Glass." It bridges the gap between the AWS cloud and your private corporate network. Instead of checking separate consoles for VPN status, TGW health, and SD-WAN performance, Network Manager aggregates this data into a unified dashboard, allowing for proactive monitoring of global traffic flows.

Formula / Concept Box

Feature	Description / Metric
Centralized Dashboard	Unified view of TGWs and connected on-premises networks.
Utilization Metrics	Packets sent/received, bytes sent/received, and packet drops.
Event Monitoring	Alerts for topology changes, routing updates, and connection up/down events.
SD-WAN Partners	Cisco, Aruba (HP), Aviatrix, and Silver Peak (Vera).

Hierarchical Outline

Core Capabilities
- Centralized Management: Manage multiple TGWs across accounts/Regions.
- Infrastructure-as-Code: Automated provisioning via SD-WAN integration.
Hybrid Connectivity Integration
- On-Premises Registration: Adding customer gateways and devices to the Global Network.
- Automated VPN: SD-WAN consoles can automatically provision Site-to-Site VPNs to AWS.
Network Visibility
- Topology Graphs: Visual mapping of how VPCs, TGWs, and On-Premises sites connect.
- Geographic View: Map-based visualization of your global footprint.
- TGW Flow Logs: Integration for flow-level visibility (Source/Dest IP, Protocol, Port).

Visual Anchors

Global Network Structure

Loading Diagram...

Network Path Logic

\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, rounded corners, align=center, fill=blue!10}] \node (src) {On-Premises\Device}; \node (vpn) [right of=src, xshift=1.5cm] {VPN / Direct\Connect}; \node (tgw) [right of=vpn, xshift=1.5cm] {Transit\Gateway}; \node (dest) [right of=tgw, xshift=1.5cm] {Target\VPC};

code

\draw[->, thick] (src) -- (vpn);
\draw[->, thick] (vpn) -- (tgw);
\draw[->, thick] (tgw) -- (dest);

\node[draw=none, fill=none, below of=tgw, yshift=1cm] {\textbf{Network Manager Visibility Zone}};
\draw[dashed, red, thick] (-1,-1) rectangle (8.5,1.5);

\end{tikzpicture}

Definition-Example Pairs

Topology Discovery: Automatically mapping the relationships between network resources.
- Example: After adding a new TGW attachment to a VPC in London, Network Manager automatically updates the visual graph to show the new connection path.
Route Event Notifications: Real-time alerts when network paths change.
- Example: If a BGP session drops on a VPN connection to a branch office, Network Manager triggers an event in the dashboard showing the connection is "Down."

Worked Examples

Scenario: Integrating a Cisco SD-WAN Branch

Create Global Network: In the AWS Console, create a new "Global Network" object.
Register TGW: Associate your existing Regional Transit Gateways with the Global Network.
Vendor Integration: Log into the Cisco vManage console and provide AWS IAM credentials.
Automated Tunneling: The SD-WAN controller uses the TGW Connect attachment to build GRE tunnels and establish BGP peering automatically.
Verification: Open TGW Network Manager to see the branch office device appear on the geographic map with real-time health status.

Checkpoint Questions

What is the primary advantage of using a "Global Network" container in Network Manager?
Which metric would you check in the dashboard to identify if a TGW is congested?
True or False: TGW Network Manager can automate the creation of VPC Peering connections.
Which SD-WAN vendors integrate directly with AWS Transit Gateway Network Manager?

Muddy Points & Cross-Refs

Network Manager vs. Reachability Analyzer: Network Manager is for ongoing monitoring and topology visibility. Reachability Analyzer is for point-in-time troubleshooting of specific packet paths (it does not send real data).
Flow Logs: TGW Flow Logs provide the "Who" (IPs/Ports), while Network Manager provides the "How" (Topology/Health).

Comparison Tables

Tool	Primary Use Case	Does it send real traffic?
TGW Network Manager	Global visibility, topology, and SD-WAN health.	No (Passive monitoring)
Reachability Analyzer	Troubleshooting specific connectivity between two points.	No (Logical model)
VPC Flow Logs	Auditing and analyzing individual traffic flows.	Yes (Captures real flow data)
Traffic Mirroring	Deep packet inspection (DPI) for security/compliance.	Yes (Copies real packets)