
AWS Network Architecture: Routing, Peering, and Transit Gateway

Network routing, topology, and peering (for example, AWS Transit Gateway, VPC peering)


This guide covers the architectural patterns for connecting Virtual Private Clouds (VPCs) and on-premises networks within the AWS ecosystem. Understanding the trade-offs between point-to-point peering and centralized routing is critical for building scalable, cost-effective cloud infrastructures.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between VPC Peering and AWS Transit Gateway based on use cases.
  • Explain the concept of Transitive Routing and its limitations in peering.
  • Configure route table entries for bidirectional communication between network segments.
  • Identify the components of a hybrid cloud network, including VPN and Direct Connect.
  • Determine the correct networking service to minimize complexity and data transfer costs.

Key Terms & Glossary

  • VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
  • Transitive Routing: The ability for traffic to pass through an intermediate network to reach a destination (e.g., A → B → C). VPC peering does not support this.
  • AWS Transit Gateway (TGW): A network transit hub that can be used to interconnect VPCs and on-premises networks.
  • Route Propagation: The process of a Transit Gateway automatically learning and distributing routes via BGP (Border Gateway Protocol).
  • CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing. Peered VPCs cannot have overlapping CIDRs.
  • Blackhole Route: A route entry in a Transit Gateway route table that drops traffic matching a specific destination prefix.

The "Big Idea"

In AWS networking, the goal is to create a seamless "extension" of your data center. While VPC Peering is excellent for simple, low-latency connections between a few VPCs, it becomes unmanageable at scale (forming a "mesh"). AWS Transit Gateway acts as the "cloud router," simplifying the topology into a hub-and-spoke model that centralizes management, security, and hybrid connectivity.

Formula / Concept Box

| Feature            | VPC Peering                                      | AWS Transit Gateway               |
|--------------------|--------------------------------------------------|-----------------------------------|
| Topology           | Point-to-Point (Mesh)                            | Hub-and-Spoke                     |
| Transitive Routing | No                                               | Yes                               |
| Management         | Difficult at scale (N(N-1)/2 connections)        | Centralized management            |
| Overlapping CIDRs  | Not allowed                                      | Not allowed                       |
| Data Transfer Cost | Lower (same AZ is free/cheap)                    | Higher (processing fee per GB)    |
| Ideal Use Case     | 2-3 VPCs needing high performance                | 10+ VPCs or complex hybrid setups |

Hierarchical Outline

  1. VPC Peering Mechanics
    • Point-to-Point: Connection between exactly two VPCs; no "daisy-chaining."
    • Configuration: Requires a requester/accepter handshake and mirror-image routes in both VPC route tables.
    • Resource Sharing: Supports instance-to-instance and NLB sharing; does not share IGWs or NAT Gateways.
  2. AWS Transit Gateway (TGW)
    • The Centralized Router: Consolidates VPCs, VPNs, and Direct Connect.
    • Attachments: Each network (VPC, VPN) must be "attached" to the TGW.
    • Route Tables: TGW has its own route tables, separate from VPC route tables.
  3. Hybrid Connectivity Options
    • Site-to-Site VPN: Encrypted IPsec tunnel over the public internet.
    • Direct Connect (DX): Physical, dedicated private line to AWS.
    • Client VPN: Remote user access using OpenVPN protocol.

Visual Anchors

Network Topology Comparison (diagram not reproduced in this copy)

Transit Gateway Architecture

```latex
% Requires \usetikzlibrary{positioning} for the "below=1cm of ..." syntax.
\begin{tikzpicture}[node distance=2cm,
    every node/.style={draw, rectangle, rounded corners, align=center, fill=blue!10}]
  \node (tgw) [fill=orange!20, circle, line width=1.5pt] {Transit\\Gateway};
  \node (vpc1) [above left of=tgw] {VPC A\\10.0.0.0/16};
  \node (vpc2) [above right of=tgw] {VPC B\\10.1.0.0/16};
  \node (onprem) [below of=tgw] {On-Premises\\192.168.0.0/16};

  \draw [<->, thick] (tgw) -- (vpc1) node[midway, left, draw=none, fill=none] {Attachment};
  \draw [<->, thick] (tgw) -- (vpc2) node[midway, right, draw=none, fill=none] {Attachment};
  \draw [<->, thick, dashed] (tgw) -- (onprem) node[midway, right, draw=none, fill=none] {Site-to-Site VPN};
  \node [below=1cm of onprem, draw=none, fill=none, font=\itshape] {Figure 1: Hub-and-Spoke Routing Architecture};
\end{tikzpicture}
```

Definition-Example Pairs

  • Non-Transitive Routing: The rule that traffic cannot "hop" through a VPC.
    • Example: If VPC A is peered with VPC B, and VPC B is peered with VPC C, an instance in VPC A cannot ping an instance in VPC C via VPC B.
  • Route Propagation: Automatic updating of the TGW route table.
    • Example: When a new VPN connection is established with BGP enabled, the TGW automatically adds the on-premises network range (e.g., 172.16.0.0/12) to its route table.
  • Static Routing: Manually defining the path for traffic.
    • Example: Specifying in a VPC route table that all traffic destined for 10.2.0.0/16 must go to target pcx-123abc456 (the peering ID).

Worked Examples

Example 1: Calculating Mesh Complexity

Problem: A company has 10 VPCs and wants to connect all of them using VPC Peering. How many peering connections are required?

Solution: Using the formula for a complete graph: Connections = N(N-1)/2

  • N = 10
  • Connections = (10 × 9)/2 = 45 connections.

Takeaway: At this scale, Transit Gateway is the superior architectural choice as it only requires 10 attachments.

Example 2: Configuring Bidirectional Peering Routes

Scenario: VPC-Alpha (10.0.0.0/16) and VPC-Beta (172.31.0.0/16) are peered using pcx-alpha-beta.

| VPC      | Destination   | Target         | Reason                             |
|----------|---------------|----------------|------------------------------------|
| Alpha RT | 172.31.0.0/16 | pcx-alpha-beta | Route traffic out to Beta          |
| Beta RT  | 10.0.0.0/16   | pcx-alpha-beta | Allow return traffic in from Alpha |
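The following is an added example, not code from this guide or from AWS: a small Python model of VPC route tables, peering connections and a Transit Gateway route table that reproduces the rules covered in the Definition-Example Pairs and in Examples 1 and 2 (non-overlapping CIDRs, mirror-image peering routes, non-transitive peering, propagated TGW routes and a blackhole route). All VPC names, CIDRs, pcx-/tgw- identifiers and attachment names are constructed, the TGW id "tgw-hub" is hypothetical, and the model ignores security groups, NACLs and the requester/accepter handshake; it only shows how the route tables decide where a packet goes.

```python
"""Toy routing model for VPC peering and Transit Gateway (constructed example,
not AWS's own code or API). Every name, CIDR and identifier below is made up."""
from ipaddress import ip_address, ip_network


def lpm(table, dst):
    """Longest-prefix match over {IPv4Network: target}; None when nothing matches."""
    matches = [p for p in table if dst in p]
    if not matches:
        return None
    best = max(matches, key=lambda p: p.prefixlen)
    return best, table[best]


def peering_connections_needed(n):
    """Full-mesh peering count from the guide's formula N(N-1)/2."""
    return n * (n - 1) // 2


class Network:
    TGW = "tgw-hub"  # hypothetical Transit Gateway id used as a VPC route target

    def __init__(self):
        self.vpcs = {}        # VPC name -> its CIDR
        self.vpc_routes = {}  # VPC name -> {prefix: "local" | "pcx-..." | TGW}
        self.peerings = {}    # pcx id -> (vpc, vpc)
        self.tgw_routes = {}  # TGW route table: prefix -> attachment | "blackhole"

    def add_vpc(self, name, cidr):
        net = ip_network(cidr)
        self.vpcs[name] = net
        self.vpc_routes[name] = {net: "local"}  # every VPC route table has a local route

    def add_route(self, vpc, prefix, target):
        self.vpc_routes[vpc][ip_network(prefix)] = target

    def peer(self, pcx, a, b):
        """Peer two VPCs and install the mirror-image routes in both route tables."""
        if self.vpcs[a].overlaps(self.vpcs[b]):
            raise ValueError(f"cannot peer {a} and {b}: overlapping CIDRs")
        self.peerings[pcx] = (a, b)
        self.add_route(a, str(self.vpcs[b]), pcx)
        self.add_route(b, str(self.vpcs[a]), pcx)

    def attach(self, attachment, cidr, vpc=None, send_to_tgw=()):
        """Attach a VPC or VPN to the TGW. Its prefix is propagated into the TGW
        route table (as BGP does for a VPN); a VPC also gets routes that send
        the listed summary prefixes to the TGW."""
        net = ip_network(cidr)
        for prefix, target in self.tgw_routes.items():
            if target != "blackhole" and prefix.overlaps(net):
                raise ValueError(f"cannot attach {attachment}: {net} overlaps {prefix}")
        self.tgw_routes[net] = attachment
        for summary in send_to_tgw:
            self.add_route(vpc, summary, self.TGW)

    def blackhole(self, prefix):
        self.tgw_routes[ip_network(prefix)] = "blackhole"

    def path(self, src, dst_ip):
        """Trace a packet from VPC `src` toward `dst_ip`; the last element is its fate."""
        dst = ip_address(dst_ip)
        hop = lpm(self.vpc_routes[src], dst)
        if hop is None:
            return [src, "dropped: no route"]
        target = hop[1]
        if target == "local":
            return [src, "delivered"]
        if target.startswith("pcx-"):
            a, b = self.peerings[target]
            peer = b if a == src else a
            # A peering delivers only into the peer VPC's own CIDR; it never forwards onward.
            if dst in self.vpcs[peer]:
                return [src, target, peer, "delivered"]
            return [src, target, "dropped: peering is non-transitive"]
        # Otherwise the target is the TGW, which does a second lookup in its own table.
        thop = lpm(self.tgw_routes, dst)
        if thop is None:
            return [src, self.TGW, "dropped: no TGW route"]
        if thop[1] == "blackhole":
            return [src, self.TGW, "dropped: blackhole route"]
        return [src, self.TGW, thop[1], "delivered"]


def build_demo():
    """Constructed topology: A-B and B-C peered in a chain; D, E and an on-prem VPN on the TGW."""
    net = Network()
    for name, cidr in [("vpc-a", "10.0.0.0/16"), ("vpc-b", "10.1.0.0/16"),
                       ("vpc-c", "10.2.0.0/16"), ("vpc-d", "10.3.0.0/16"),
                       ("vpc-e", "10.4.0.0/16")]:
        net.add_vpc(name, cidr)
    net.peer("pcx-ab", "vpc-a", "vpc-b")
    net.peer("pcx-bc", "vpc-b", "vpc-c")
    net.add_route("vpc-a", "10.2.0.0/16", "pcx-ab")  # tempting "via B" route; see path()
    summaries = ["10.0.0.0/8", "192.168.0.0/16"]
    net.attach("att-vpc-d", "10.3.0.0/16", vpc="vpc-d", send_to_tgw=summaries)
    net.attach("att-vpc-e", "10.4.0.0/16", vpc="vpc-e", send_to_tgw=summaries)
    net.attach("vpn-onprem", "192.168.0.0/16")  # learned over BGP, no VPC routes needed
    net.blackhole("192.168.99.0/24")  # e.g. an on-prem subnet the hub must not reach
    return net


if __name__ == "__main__":
    demo = build_demo()
    for src, dst in [("vpc-a", "10.1.0.10"), ("vpc-a", "10.2.0.10"),
                     ("vpc-d", "10.4.0.10"), ("vpc-d", "192.168.99.1")]:
        print(src, "->", dst, ":", " -> ".join(demo.path(src, dst)))
```

Tracing vpc-a to 10.2.0.10 shows why the "A → B → C" shortcut fails: the route in A's table points at pcx-ab, but the peering only delivers into B's own CIDR, so the packet is dropped at the peering rather than forwarded on to C. The same topology shows the two-lookup behaviour of the hub: a VPC route sends the summary prefix to the TGW, and the TGW's own route table (including the more specific blackhole entry) decides the attachment.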

Checkpoint Questions

  1. Why must CIDR blocks not overlap when setting up VPC Peering or Transit Gateway attachments?
  2. You have a central Shared Services VPC. You peer all other VPCs to it. Can those other VPCs talk to each other through the Shared Services VPC? (Explain why/why not).
  3. Which AWS service would you use to connect 50 VPCs and 3 on-premises data centers while maintaining a simplified routing table?
  4. True or False: AWS Transit Gateway can perform stateful traffic filtering like a Firewall.
  5. What target identifier type do you look for in a VPC route table when routing traffic to a peer? (e.g., igw-, vgw-, pcx-).

[!TIP] Remember: VPC Peering is essentially a virtual cable between two routers. Transit Gateway is the router itself. If you see the word "transitive" or "centralized" on the exam, the answer is almost always Transit Gateway.
