In this session, we show you how to design connectivity between many VPCs and how new services interact with network architectures. We review common design patterns such as shared services VPCs, transit VPCs, private link, firewalls, and more. We also cover solutions to common challenges, such as VPN sprawl, keeping up with VPC automation, sharing services, and network segmentation at scale for hundreds of VPCs. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connecting Many VPCs:
Network Designs that Scale
Nick Matthews
Principal Solutions Architect
AWS
A R C 4 0 5
nickpowpow

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architecture walk-through
Account
strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
services
Connectivity
WAN
Shared
services
Multi-Region
options
Segmentation
model

4. Reference
network
architecture
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN
AWS Direct
Connect *
Account Account Account Account IAM, cross-account roles
Route
tables
Route
tables
Transit Gateway
Available Q1 2019

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automation of infrastructure
AWS Direct Connect and VPN standards
Subnet and routing standards
AWS Identity and Access Management
(IAM)
Strict security groups and routing
Identifying resources with tags
Smaller VPCs or accountsLarger VPCs or accounts
Account and VPC segmentation
Infrastructure and
networkingPolicy and IAM

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
both?
Provide granular account control
with centralized infrastructure

7. VPC Sharing and Resource Access Manager
Share subnets between accounts in an AWS Organization
Account
Account
Account
Account
Resource share
Resource share
Infrastructure
account

8. VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
Account
Account

9. VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
Account
Account

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing: Transit Gateway
AWS Region
Transit Gateway
ENIs
VPN
Routing Domain
Routing Domain
AWS Direct
Connect *
Regional router
Scalable
Flexible routing
Available Q1 2019

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS HyperPlane and AWS Transit Gateway
AWS Region
VPC A VPC B VPC A VPC B VPC A VPC B
AWS HyperPlane
Attachments

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Flat: Transit Gateway Route Domains (Route tables)
Transit Gateway
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
10.2.0.0/16 vpc-att-2xxxxxxx
10.3.0.0/16 vpc-att-3xxxxxxx
10.4.0.0/16 vpc-att-4xxxxxxx
Default
Routing Domain
Route Destination
10.1.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
Per VPC

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Isolated: Transit Gateway Route Domains
Transit Gateway
Route Destination
0.0.0.0/0 VPN
VPN Routing
Domain
Route Destination
10.1.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Per VPC
VPN
VPC Routing Domain
Route Destination
10.1.0.0/16 vpc-att-1xxxx
10.2.0.0/16 vpc-att-2xxxx
Route Destination
10.3.0.0/16 vpc-att-3xxxx
10.4.0.0/16 vpc-att-4xxxx

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation options: Layers
Account Account
Account Account
VPN
AWS Direct
Connect *
Route
Tables
Route
Tables
Transit Gateway
Transit Gateway
Security services
Inside the account
At the VPC
Account Account
Account Account
Available Q1 2019

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shared services connectivity options
VPC peering
• 1-to-1 connectivity
• Scales to 100 VPCs
• Security groups across VPCs
• Inter-region peering
• Data transfer costs
Transit VPC
• Shared services as a spoke
• Bandwidth restricted
• Complex management
• Instance and licensing costs
VPN
WAN
AWS Direct
Connect
Transit VPC
Shared
Services
AWS Transit Gateway
• Many-to-many or one-to-many
with route tables
• Highly scalable
• Hourly per AZ endpoint costs
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production Shared Services
Route
Tables
Route
Tables
Transit Gateway
AWS PrivateLink
• 1:Many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly
endpoint costs

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connecting to on-premises
Virtual private gateway VPN AWS Direct Connect
VPN WAN
• Per VPC
• 1.25 gbps per tunnel
• Encrypted in transit
• Per VPC (50 per port)
• Multiple VPCs with Direct
Connect gateway
• No bandwidth restraint
AWS Transit Gateway VPN
VPN
• Multiple VPCs
• Add VPN connection as needed
• 1.25 gbps per tunnel
• Roadmap: AWS Direct Connect
Amazon EC2 customer VPN
VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by
management complexity

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect and Transit Gateway
Use an edge services VPC in front of
a private virtual interface (VIF) Transit VPC
Private virtual
interface
AWS Direct
Connect
Tunnels
VPN
10.1.0.0/16 10.2.0.0/16
VPC A VPC B
AWS Transit
Gateway
• More detail in the Network Services section
• Also how used to migrate or extend existing
Transit VPCs
• Helpful for single-VIF (<1 Gbps) Direct Connect
• Can be used for North-South inspection use-
cases

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
100.64.0.0/16
Outbound VPC
SNAT
SNAT
Outbound services VPC
Transit Gateway
VPC Route Domain
10.1.0.0/16 10.2.0.0/16
Outbound Route Domain
Spoke route table Outbound VPC route table
VPC A VPC B
ECMP
VPN
BGP advertisement
Route Destination
10.2.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Route Destination
100.64.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
0.0.0.0/0 igw-xxxxxxxxx
BGP prefix Next hop
0.0.0.0/0 Local IP
0.0.0.0/0 Outbound VPC VPN 10.1.0.0/16 vpc-att-a
10.2.0.0/16 vpc-att-b
Apply SNAT
outbound to the
internet
SNAT
Use cases:

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
100.64.0.0/16
Outbound VPC
SNAT
SNAT
Outbound services VPC: Interface
Transit Gateway
VPC Route Domain
10.1.0.0/16 10.2.0.0/16
Outbound Route Domain
Spoke route table Outbound VPC route table
VPC A VPC B
VPC attachment route table, per AZ
Route Destination
10.2.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Route Destination
100.64.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
0.0.0.0/0 igw-xxxxxxxxx
Route Destination
0.0.0.0/0 eni-xxxxxxx
0.0.0.0/0 vpc-att-outbound 10.1.0.0/16 vpc-att-a
10.2.0.0/16 vpc-att-b
Apply SNAT
outbound to the
internet
SNAT

20. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

21. Time: 15 minutes after this session
Location: Speaker Lounge (ARIA East, Level 1, Willow Lounge)
Duration: 30 min.

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.