AWS Advanced Networking: Transit Gateway
- 1. 1 AWS Advanced Networking Part 2: Transit Gateway June 28, 2019
- 2. 2 Today’s Agenda • Transitive Routing Overview • Traditional AWS Solution • AWS Transit Gateway • Case Study: Client Story
- 3. 3 Assumptions & Prerequisites • Knowledge of CIDR’s • Some knowledge of IP routing • Some knowledge of AWS VPC’s • Some knowledge of various Network Topologies • Not a comprehensive discussion • Dedicated series
- 4. 4 Transitive Routing Overview What is it and why do we need a Transit Gateway solution
- 5. 5 The Concept Quick Overview: Routing Source Destination Gateway 192.168.0.0/24 192.168.1.0/24 192.168.1.1 192.168.0.0/24 192.168.1.0/24 Network A Network B 192.168.1.1192.168.0.1 Destination Gateway 192.168.1.0/24 192.168.1.1 Destination Gateway 192.168.0.0/24 192.168.0.1
- 6. 6 The Concept Quick Overview: Transitive Routing 192.168.0.0/24 Network A Network B 192.168.1.1192.168.0.1 Destination Gateway 192.168.1.0/24 192.168.1.1 Destination Gateway 192.168.0.0/24 192.168.0.1 Network C 192.168.2.1 Destination Gateway 192.168.1.0/24 192.168.2.0/24 Destination Gateway 192.168.1.0/24 192.168.1.1 Destination Gateway 192.168.0.0/24 192.168.0.1 192.168.2.0/24 192.168.2.1 Destination Gateway 192.168.1.0/24 192.168.1.1 192.168.2.0/24 192.168.1.1 Destination Gateway 192.168.1.0/24 192.168.1.1 192.168.0.0/24 192.168.1.1
- 7. 7 The Concept Quick Overview: AWS Transitive Routing 192.168.0.0/24 Corp DC Network B 192.168.1.1192.168.0.1 Destination Gateway 192.168.1.0/24 192.168.1.1 Destination Gateway 192.168.0.0/24 192.168.0.1 Network C 192.168.2.1 Destination Gateway 192.168.1.0/24 192.168.2.0/24 Destination Gateway 192.168.1.0/24 192.168.1.1 Destination Gateway 192.168.0.0/24 192.168.0.1 192.168.2.0/24 192.168.2.1 Destination Gateway 192.168.1.0/24 192.168.1.1 192.168.2.0/24 192.168.1.1 Destination Gateway 192.168.1.0/24 192.168.1.1 192.168.0.0/24 192.168.1.1 VPC A VPC B VPN
- 8. 8 Tradition AWS Solution How do we route across networks in AWS?
- 9. 9 AWS Options • Transit VPC • VPC Peering
- 10. 10 AWS Transit VPC • Cisco CSR QuickStart • Other options • Centralized management • Complexity • EC2 base • Lambda • Step Functions • CloudWatch • Traffic scaling issues • Cost
- 11. 11 AWS VPC Peering • Fun! • Decentralized • Maintenance Overhead • Not suitable for the enterprise
- 13. 13 AWS Transit Gateway A new solution
- 14. 14 Transit Gateway History • Transit Gateway Icon • Initial release on November 2018 • Direct Connect support released April 2019
- 15. 15 What is Transit Gateway? • Alternative to a Transit VPC. • Not a physical device, it’s a fully managed, distributed AWS Service • Create simple and complex routing decisions based on requirements • Application and Networking teams can move very quickly • Share on-premise connectivity to all of your VPCs • Advanced routing features
- 16. 16 Limitations • 5000 VPCs to each Transit Gateway • Each attachment can handle up to 50Gbits/second of burst traffic. • AWS Transit Gateway doesn’t support routing between Amazon VPCs with overlapping CIDRS. • Security Group referencing on Amazon VPC is not supported. Spoke VPC can't refer security group of other spokes connected to the gateway. • It does not support cross region VPCs and VPN attachments. (Cross account is supported)
- 17. 17 Why - Transit Gateway? Interconnecting VPCs at Scale Before: Peering VPCs Together creating complex solutions especially when it scales After: Connect each VPC or VPN to AWS Transit Gateway and it will route traffic to and from each VPC or VPN
- 18. 18 Why - Transit Gateway? Consolidating Edge Connectivity Multiple VPN Connections, One per VPC Single VPN Ingress / Egress Point
- 19. 19 Why - Transit Gateway? Consolidating Edge Connectivity – High Resilience Multiple VPN Connections, One per VPC Single VPN Ingress / Egress Point
- 20. 20 Transit Gateway Key Concepts 1. Attachments 2. Route Tables I. Association II. Propagation
- 22. 22 Route Tables VPC 10.1 VPC 10.2 Attachment Orange Attachment Green Route Table
- 23. 23 Association VPC 10.1 VPC 10.2 Attachment Orange Attachment Green Route Table
- 24. 24 Propagation VPC 10.1.0.0/16 VPC 10.2.0.0/16 Attachment Orange Attachment Green Route Table 10.1.0.0/16 via Orange 10.2.0.0/16 via Green “propagated” “propagated”
- 25. 25 Transit Gateway Route Table VPC 10.1.0.0/16 VPC 10.2.0.0/16 Attachment Orange Attachment Green Route Table 10.1.0.0/16 via Orange 10.2.0.0/16 via Green By default, everything can route to everything.
- 26. 26 Multiple Route Tables VPC 10.1.0.0/16 VPC 10.2.0.0/16 Attachment Orange Attachment Green Route Table 10.99.99.0/24 via purp Route Table 10.99.99.0/24 via purp Route Table 10.1.0.0/16 via Orange 10.2.0.0/16 via Green AWS VPN 10.99.99.0/24 via BGP 10.1.0.0/16 via BGP 10.2.0.0/16 via BGP 10.99.99.0/24 Attachment Purple
- 27. 27 Case Study: Client Migrating to Transit Gateway
- 28. 28 Client: Before the TGW • Leveraged Aviatrix Hub and Spoke Model
- 29. 29 Client: With TGW • Route Table Requirements: • Connectivity to the internet through Symantec WSS for DLP • Connectivity to on-prem • Connectivity between VPCs in an environment, but not to other environments • Connectivity across regions
- 30. 30 Client: With the TGW Connectivity to the internet
- 31. 31 Considerations & Lessons Learned • Connectivity: • Between systems that are leveraging Aviatrix (or existing Transit VPC) and systems that are leveraging the TGW (ie. During the transition how is communication maintained) • Across regions during the transition • Back to VPCs from on-prem and internet • Route summarization and advertisements back from on-prem during the transition • Preventing connectivity routing through tgw to incorrect environment (Black Holes)
- 32. 32 Considerations & Lessons Learned • Cannot share the TGW across AWS Organizations (Had to share with each VPC) • Attachments done per AZ if you support multi-az. An eni will be dropped in there • Terraform Limitations: • BlackHole routing was not available (Had to use CLI with Null Resource) • Acceptance of RAM share was not available (Believe this is available now) • Having Health Checks during the migration is a lifesaver!!!!!!!!!!!!!!!!!!!!! • Tested access to internet, shared services, across region and on-prem connectivity
- 33. 33 RJ Jafarkhani rjj@slalom.com Zubin Ghafari zghafari@slalom.com Scott Meluski scott.meluski@slalom.com Thank you!
- 34. © 2018 Slalom, LLC. All rights reserved. The information herein is for informational purposes only and represents the current view of Slalom, LLC. as of the date of this presentation. SLALOM MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Editor's Notes
- #4: Adv Networking so it would be helpful if you had some knowledge of… CIDR’s…
- #6: Forget cloud Here’s Network A and Network B: 192.168… And they want to talk to each other, how?
- #7: What if we want to add another network, easy In simple terms, this is how the entire internet work, nearest neighbor
- #8: What if we want to add another network, easy In simple terms, this is how the entire internet work, nearest neighbor
- #10: Breaking point!
- #11: Breaking point!
- #12: Breaking point!
- #13: Breaking point!
- #15: November 2018 Release – Only supported AWS Site-to-Site VPN and Amazon VPC attachments. April 2019, AWS Direct Connect support was released for US-West and US-East regions. There is now support in the regions EU and Asia Pacific as well.
- #32: Had to build a Juniper router as it can have a VPN to TGW and Aviatrix without issue, so it was used in each region to handle the connections and propagate the appropriate routes to TGW and vice-versa.
- #33: Had to build a Juniper router as it can have a VPN to TGW and Aviatrix without issue, so it was used in each region to handle the connections and propagate the appropriate routes to TGW and vice-versa.