In our DevOps consulting services, we work daily with AWS architectures on behalf of a wide variety of large enterprises. As a result, we were excited to see that Amazon announced AWS Transit Gateway at re:Invent. Indeed, one of the most talked about launches of the show, AWS Transit Gateway addresses pent-up demand for a simplified solution to connectivity across multiple Amazon Virtual Private Clouds (VPCs) and on-premise networks. Having had a little time to explore the new solution, in today’s blog we’ll walk through what the service entails, our impressions of the new service, and how we hope to see it evolve.
AWS Transit Gateway allows operators to connect VPCs and their on-premises networks with a single gateway. Said another way, AWS Transit Gateway acts as a network transit hub to connect thousands of VPCs and on-prem networks, helping enterprises more easily scale the number of workloads in AWS across multiple accounts with simplified connectivity and greater control.
Before AWS Transit Gateway
According to Amazon, VPC is one of AWS’s most popular features with people creating hundreds of VPCs. However, before AWS Transit Gateway, these many VPCs led to a complicated network design with an array of peer-to-peer relationships that are difficult to manage -- made exponentially more difficult as the number of VPCs grows.
Peer-to-peer networking of VPCs is simply complicated, requiring extra care and attention to watch for potential errors, conducting necessary rewiring that inevitably crops up, and managing the accompanying documentation. Making the process more challenging is the lack of a central hub for monitoring and establishing routing policies.
Until now, we relied on AWS Transit VPC to connect multiple, geographically diverse VPCs and remote networks. This global network transit center simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks. The design saves time, effort and costs as it is implemented virtually without the traditional expense of establishing a physical presence in a colocation transit hub or deploying physical network gear.
Provided by partners like Cisco, Aviatrix, or Juniper, Transit VPC deployment and configuration involves complex automations, especially around automating and managing the creation of VPN tunnels and peering sessions. They also tend to be more expensive when compared to the new AWS Transit Gateway. Indeed, cost has been a major factor in many of our customers switching to using the new AWS Transit Gateway.
As can be seen in this figure of a deployment for Cisco CSR, the automation uses several services like Lambda, S3, and KMS in addition to maintaining EC2 instances. Now with AWS Transit Gateway, all of this will be simplified.
AWS Transit Gateway Benefits
As you can see, the new AWS Transit Gateway is an exciting addition for anyone managing -- or looking to migrate and manage -- a large AWS environment. They will now be able to create and manage a single connection from the central AWS Transit Gateway to each connection, whether it be a VPC, on-prem data center, or other network node.
In addition to simplified connectivity that will certainly decrease the need for resources from your Networking team, AWS Transit Gateway also features:
- On demand bandwidth that allows networks to auto scale, so you don’t have to worry about managing for peak demands;
- Better visibility with centralized monitoring and controls that allows you to much more easily manage traffic in your environment. This added visibility also helps you more quickly spot and remediate network-related issues.
- Greater control as you can now share AWS services, (e.g. DNS, Active Directory, and IPS/IDS) across VPCs.
On Our Wish List
While we are truly excited about the AWS Transit Gateway, there are a few things that would be helpful to have in the next version, (and as you might expect are much-awaited features by many of our customers) such as:
- Routing between Amazon VPCs that have overlapping CIDRs
- Support for security group referencing so that spoke Amazon VPCs can reference security groups of other spokes connected to the AWS Transit Gateway
- Expanded network bandwidth per connection past the current 1.25Gbps
- Support for on-premise connectivity through AWS Direct Connect. We expect this feature will be available by the end of Q1 2019.
AWS Transit Gateway is a welcome addition to the AWS family as it reduces complexity and will give users greater control over their network environment. At Flux7, we are already integrating the new service into our Landing Zone solution for greater DevOps automation, security and enterprise efficiency. Unfamiliar with the Flux7 AWS Landing Zone? Download our Getting Started Guide today.