1. PUBLIC SECTOR SUMMIT
Washington, D.C.
2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. PUBLIC SECTOR SUMMIT
Advanced Architectures with
AWS Transit Gateway
Alan Halachmi
Sr. Manager, Solutions Architecture
Amazon Web Services
2 9 5 4 9 7
3. Agenda
Motivation for AWS Transit Gateway
Key Concepts
Common Use Cases
Advanced Use Cases
Parting Thoughts
5. What do customers want to do?
Interconnect VPCs and their on-prem networks
Globally scale out connectivity across regions
Simplify network configuration
6. What challenges are they facing?
Complex point-to-point peering does not scale
VPN bandwidth limitations
Monitoring and management of routing configurations is time consuming
7. Before AWS Transit Gateway …
[Diagram: Amazon VPCs joined pairwise by VPC peering connections, with a VPN connection from a customer gateway and an AWS Direct Connect Gateway each attached to individual VPCs]
8. Full mesh: How many Amazon VPC peering connections do I need (full mesh)?
n(n-1) / 2, with VPC x 10
9. Full mesh: How many Amazon VPC peering connections do I need (full mesh)?
10(10-1) / 2, with VPC x 10
10. Full mesh: How many Amazon VPC peering connections do I need (full mesh)?
VPC x 10: 45
11. Full mesh: How many Amazon VPC peering connections do I need (full mesh)?
100(100-1) / 2, with VPC x 100
12. Full mesh: How many Amazon VPC peering connections do I need (full mesh)?
VPC x 100: 4500
13. Static routes per Amazon VPC route table: 1,000
Amazon VPC peering connections per Amazon VPC: 125
14. AWS Transit Gateway
Easily interconnect thousands of VPCs and on-premises networks
[Diagram: an on-premises data center and AWS VPCs attached to a single AWS Transit Gateway]
15. With AWS Transit Gateway …
[Diagram: four Amazon VPCs, a VPN connection from a customer gateway, and an AWS Direct Connect Gateway* all attached to one AWS Transit Gateway]
*Available in US Regions, excluding GovCloud
17. AWS Transit Gateway key concepts
1) Attachments
2) Route Tables
i. Association
ii. Propagation
18. Attachments
19. Attachments
[Diagram: three attachments, att-red, att-blue and att-orange, on one AWS Transit Gateway]
20. Route Tables
[Diagram: a transit gateway route table, tgw-rtb-a, alongside the attachments att-red, att-blue and att-orange]
21. Associations
[Diagram: each of att-red, att-blue and att-orange is "associated" with the route table]
22. Propagation
[Diagram: att-red, att-blue and att-orange propagate their routes into the route table]
23. Default Association and Propagation
[Diagram: att-red, att-blue and att-orange are associated with, and propagate into, the default route table]
24. [Diagram: the TGW Route Table, with att-red, att-blue and att-orange]
25. Attachments – but what about VPCs?
[Diagram: VPC attachments att-red and att-prpl]
26. Learning Routes
[Diagram: a TGW Attachment]
27. Default Behavior
[Diagram: On-Premise and AWS connected by VPN and by AWS Direct Connect Gateway; labels on the VPN path: 10.1.0.0/16 via BGP, 10.2.0.0/16 via BGP, 10.99.99.0/24 via BGP; labels on the Direct Connect Gateway path: 10.1.0.0/16 via BGP (Allowed Prefix), 10.2.0.0/16 via BGP (Allowed Prefix)]
28. Path Selection Behavior
1. Most Specific Route / Longest Prefix Match
2. Static route entries, including static Site-to-Site VPN routes
3. BGP propagated routes from AWS Direct Connect Gateway
4. BGP propagated routes from Site-to-Site VPN
30. Flat Network
AWS Transit Gateway default route table (Route / Destination):
  10.1.0.0/16   vpc-att-1xxxxxxx
  10.2.0.0/16   vpc-att-2xxxxxxx
  10.3.0.0/16   vpc-att-3xxxxxxx
  10.4.0.0/16   vpc-att-4xxxxxxx
Per-VPC route table (Route / Destination):
  10.1.0.0/16   Local
  10.0.0.0/8    tgw-xxxxxxxxx
32. Segmented Network
AWS Transit Gateway, routing domain for VPN (Route / Destination):
  10.1.0.0/16   vpc-att-1xxxx
  10.2.0.0/16   vpc-att-2xxxx
  10.3.0.0/16   vpc-att-3xxxx
  10.4.0.0/16   vpc-att-4xxxx
AWS Transit Gateway, routing domain for VPCs (Route / Destination):
  0.0.0.0/0     VPN
Per-VPC route table (Route / Destination):
  10.1.0.0/16   Local
  0.0.0.0/0     tgw-xxxxxxxxx
33. Segmented Network
Associate = "go": the route table an attachment is associated with is the one its traffic is looked up in.
Propagate routes = "can reach": propagating an attachment's routes into a table lets the attachments that use that table reach it.
AWS Transit Gateway, routing domain for VPN (Route / Destination):
  10.1.0.0/16   vpc-att-1xxxx
  10.2.0.0/16   vpc-att-2xxxx
  10.3.0.0/16   vpc-att-3xxxx
  10.4.0.0/16   vpc-att-4xxxx
AWS Transit Gateway, routing domain for VPCs (Route / Destination):
  0.0.0.0/0     VPN
Per-VPC route table (Route / Destination):
  10.1.0.0/16   Local
  0.0.0.0/0     tgw-xxxxxxxxx
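The model below is an added example, not code from the deck or from AWS. It implements the key concepts of slides 17 to 26 (attachments, route tables, association, propagation), the path-selection order of slide 28, and the flat and segmented designs of slides 30 to 33. Attachment ids, the on-premises prefix 192.168.0.0/16 and the "vpn-backup" attachment are constructed; ranking VPC-propagated routes between static and Direct Connect routes is an assumption taken from the AWS documentation, since the slide lists only static, Direct Connect and VPN.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Route sources ranked as the "Path Selection Behavior" slide lists them: static,
# then BGP from an AWS Direct Connect gateway, then BGP from a Site-to-Site VPN.
# Ranking VPC-propagated routes between static and Direct Connect follows the AWS
# documentation rather than the slide (assumption).
STATIC, PROP_VPC, PROP_DX, PROP_VPN = 0, 1, 2, 3
BLACKHOLE = None

@dataclass
class Attachment:
    name: str       # constructed ids such as "vpc-att-1", "vpn-att", "dx-att"
    kind: str       # "vpc", "dx" or "vpn"
    prefixes: list  # the VPC CIDR, or the prefixes learned over BGP

    def rank(self) -> int:
        return {"vpc": PROP_VPC, "dx": PROP_DX, "vpn": PROP_VPN}[self.kind]

@dataclass
class TgwRouteTable:
    name: str
    routes: list = field(default_factory=list)    # (prefix, target attachment or BLACKHOLE, rank)
    associated: set = field(default_factory=set)  # attachments whose traffic is looked up here

    def add_static(self, cidr: str, target: Optional[str]) -> None:
        self.routes.append((ipaddress.ip_network(cidr), target, STATIC))

    def propagate(self, att: Attachment) -> None:
        # Propagation installs the attachment's prefixes here, so every attachment
        # that uses this table "can reach" it.
        for p in att.prefixes:
            self.routes.append((ipaddress.ip_network(p), att.name, att.rank()))

    def lookup(self, dst: str) -> Optional[str]:
        # Longest prefix match first, then the preferred route source.
        ip = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if ip in r[0]]
        if not hits:
            raise KeyError(f"{self.name}: no route to {dst}")
        return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1]

class TransitGateway:
    def __init__(self) -> None:
        self.tables = {}

    def table(self, name: str) -> TgwRouteTable:
        return self.tables.setdefault(name, TgwRouteTable(name))

    def associate(self, table: TgwRouteTable, att: Attachment) -> None:
        # Association decides where traffic *from* an attachment "goes"; an
        # attachment is associated with exactly one route table.
        for t in self.tables.values():
            t.associated.discard(att.name)
        table.associated.add(att.name)

    def forward(self, src_att: str, dst: str) -> Optional[str]:
        """Egress attachment for a packet that entered the TGW from src_att."""
        table = next(t for t in self.tables.values() if src_att in t.associated)
        return table.lookup(dst)

def build_flat_network() -> TransitGateway:
    """Slide 30: every VPC associated with, and propagated into, one default table."""
    tgw = TransitGateway()
    default = tgw.table("default")
    for i in range(1, 5):
        att = Attachment(f"vpc-att-{i}", "vpc", [f"10.{i}.0.0/16"])
        tgw.associate(default, att)
        default.propagate(att)
    return tgw

def build_segmented_network() -> TransitGateway:
    """Slides 32-33: one routing domain for the VPN, another for the VPCs."""
    tgw = TransitGateway()
    vpcs = [Attachment(f"vpc-att-{i}", "vpc", [f"10.{i}.0.0/16"]) for i in range(1, 5)]
    vpn = Attachment("vpn-att", "vpn", ["192.168.0.0/16"])  # constructed on-prem prefix
    vpn_domain = tgw.table("routing-domain-vpn")
    vpc_domain = tgw.table("routing-domain-vpcs")
    tgw.associate(vpn_domain, vpn)
    for v in vpcs:
        vpn_domain.propagate(v)        # the VPN can reach every VPC
        tgw.associate(vpc_domain, v)   # VPC traffic is looked up in the VPC domain
    vpc_domain.add_static("0.0.0.0/0", vpn.name)  # VPCs only ever go to the VPN
    return tgw

def path_selection_demo() -> tuple:
    """Slide 28: 10.1.0.0/16 learned from both Direct Connect and VPN, plus a more
    specific static route. Returns the egress chosen for two destinations."""
    hybrid = TransitGateway().table("hybrid")
    hybrid.propagate(Attachment("dx-att", "dx", ["10.1.0.0/16"]))
    hybrid.propagate(Attachment("vpn-att", "vpn", ["10.1.0.0/16"]))
    hybrid.add_static("10.1.200.0/24", "vpn-backup")
    return hybrid.lookup("10.1.1.1"), hybrid.lookup("10.1.200.9")
```

In the segmented build, `forward("vpc-att-1", "10.2.1.1")` resolves to the VPN attachment, not to `vpc-att-2`: the VPC domain carries only the default route, so spoke-to-spoke traffic never crosses the transit gateway directly, which is the isolation the slides are after. The path-selection demo returns the Direct Connect attachment for 10.1.1.1 and the static "vpn-backup" route for 10.1.200.9, because the /24 wins on prefix length before source preference is considered.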
36. Centralized NAT
[Diagram: spoke VPCs A (10.1.0.0/16) and B (10.2.0.0/16) in the VPC route domain; an Outbound VPC (100.64.0.0/16) hosting SNAT instances in the Outbound route domain; SNAT is applied outbound to the internet]
Spoke route table (Route / Destination):
  10.2.0.0/16    Local
  0.0.0.0/0      tgw-xxxxxxxxx
Outbound VPC route table (Route / Destination):
  100.64.0.0/16  Local
  10.0.0.0/8     tgw-xxxxxxxxx
  0.0.0.0/0      igw-xxxxxxxxx
VPC attachment route table, per AZ (Route / Destination):
  0.0.0.0/0      eni-xxxxxxx
AWS Transit Gateway, VPC route domain (Route / Destination):
  0.0.0.0/0      vpc-att-outbound
AWS Transit Gateway, Outbound route domain (Route / Destination):
  10.0.0.0/8     Blackhole
  10.1.0.0/16    vpc-att-a
  10.2.0.0/16    vpc-att-b
37. Centralized NAT
[Diagram: spoke VPCs A (10.1.0.0/16) and B (10.2.0.0/16) in the VPC route domain; an Outbound VPC (100.64.0.0/16) hosting SNAT instances connects to the AWS Transit Gateway over VPN with ECMP and advertises a default route via BGP; SNAT is applied outbound to the internet]
Spoke route table (Route / Destination):
  10.2.0.0/16    Local
  0.0.0.0/0      tgw-xxxxxxxxx
Outbound VPC route table (Route / Destination):
  100.64.0.0/16  Local
  0.0.0.0/0      igw-xxxxxxxxx
BGP advertisement from the Outbound VPC (BGP prefix / Next hop):
  0.0.0.0/0      Local IP
AWS Transit Gateway, VPC route domain (Route / Destination):
  0.0.0.0/0      Outbound VPC VPN
AWS Transit Gateway, Outbound route domain (Route / Destination):
  10.0.0.0/8     Blackhole
  10.1.0.0/16    vpc-att-a
  10.2.0.0/16    vpc-att-b
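The hop-by-hop tracer below is an added example, not code from the deck or from AWS. It encodes the route tables of the Centralized NAT design (slide 36) with constructed ids and walks one packet from a spoke VPC through the transit gateway, the outbound VPC's attachment subnet, the SNAT instance and out to the internet gateway. It also shows what the `10.0.0.0/8 Blackhole` entry in the outbound route domain does: traffic to private space that is not an attached VPC is dropped at the transit gateway instead of being forwarded anywhere. The SNAT address and the split of the outbound VPC into an attachment-subnet table and a NAT-subnet table are assumptions that follow the slide's "VPC attachment route table, per AZ" row.

```python
import ipaddress

def lpm(table, dst):
    """Longest-prefix match over [(cidr, target), ...]; None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), t) for c, t in table if ip in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Route tables from the "Centralized NAT" slide (ids constructed for the example).
VPC_TABLES = {
    "vpc-a": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw")],
    "vpc-b": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tgw")],
    # Outbound VPC: the per-AZ subnets holding the TGW attachment send everything
    # to the NAT instance's ENI; the NAT instance's own subnet sends private
    # space back to the TGW and everything else to the internet gateway.
    "outbound-attach": [("0.0.0.0/0", "nat-eni")],
    "outbound-nat": [("100.64.0.0/16", "local"), ("10.0.0.0/8", "tgw"), ("0.0.0.0/0", "igw")],
}
TGW_TABLES = {
    "vpc-domain": [("0.0.0.0/0", "vpc-att-outbound")],
    "outbound-domain": [("10.0.0.0/8", "blackhole"),
                        ("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")],
}
# Which TGW route table each VPC route table's attachment is associated with,
# and which VPC route table each attachment delivers packets into.
ASSOCIATION = {"vpc-a": "vpc-domain", "vpc-b": "vpc-domain", "outbound-nat": "outbound-domain"}
LANDS_IN = {"vpc-att-a": "vpc-a", "vpc-att-b": "vpc-b", "vpc-att-outbound": "outbound-attach"}
NAT_ADDRESS = "100.64.0.10"  # constructed SNAT address inside the outbound VPC

def trace(start_table, src_ip, dst, max_hops=8):
    """Follow one packet hop by hop. Returns (hops, outcome, source address at the
    end), where outcome is "internet", "dropped", "loop" or the VPC delivered to."""
    hops, table, src = [], start_table, src_ip
    for _ in range(max_hops):
        target = lpm(VPC_TABLES[table], dst)
        hops.append(f"{table}->{target}")
        if target == "igw":
            return hops, "internet", src
        if target == "local":
            return hops, table, src
        if target == "nat-eni":
            src, table = NAT_ADDRESS, "outbound-nat"  # SNAT, then the NAT instance forwards
            continue
        if target != "tgw":
            return hops, "dropped", src
        domain = ASSOCIATION[table]
        nxt = lpm(TGW_TABLES[domain], dst)
        hops.append(f"{domain}->{nxt}")
        if nxt in (None, "blackhole"):
            return hops, "dropped", src
        table = LANDS_IN[nxt]
    return hops, "loop", src

if __name__ == "__main__":
    for args in (("vpc-a", "10.1.0.5", "203.0.113.9"), ("vpc-a", "10.1.0.5", "10.9.9.9")):
        print(*trace(*args))
```

Tracing 10.1.0.5 to 203.0.113.9 yields four hops ending at the internet gateway with the source rewritten to the SNAT address; tracing the same host to 10.9.9.9 ends at `outbound-domain->blackhole`, because the /8 blackhole is the longest match for any private address that is not one of the attached /16s. Return traffic from the NAT instance to 10.1.0.5 follows the outbound domain's 10.1.0.0/16 entry back into VPC A.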
38. VPC Edge Ingress
[Diagram: spoke VPC A (10.1.0.0/16) in the VPC route domain; an Edge VPC (100.64.0.0/16) with an optional ELB and SNAT instances in the Edge route domain, connected to the AWS Transit Gateway over VPN with ECMP]
Spoke route table (Route / Destination):
  10.1.0.0/16    Local
  100.64.0.0/16  tgw-xxxxxxxxx
Edge VPC route table (Route / Destination):
  100.64.0.0/16  Local
  0.0.0.0/0      igw-xxxxxxxxx
BGP advertisement from the Edge VPC (BGP prefix / Next hop):
  100.64.0.0/16  Local IP
AWS Transit Gateway, VPC route domain (Route / Destination):
  100.64.0.0/16  Edge VPC VPN
AWS Transit Gateway, Edge route domain (Route / Destination):
  10.1.0.0/16    vpc-att-a
39. VPC to VPC Inspection
[Diagram: spoke VPCs A (10.1.0.0/16) and B (10.2.0.0/16) in the VPC route domain; an Inline VPC (100.64.0.0/16) with SNAT instances in the Inline route domain, connected to the AWS Transit Gateway over VPN with ECMP and advertising a default route via BGP]
Spoke route table (Route / Destination):
  10.2.0.0/16    Local
  10.0.0.0/8     tgw-xxxxxxxxx
  100.64.0.0/16  tgw-xxxxxxxxx
Inline VPC route table (Route / Destination):
  100.64.0.0/16  Local
  0.0.0.0/0      igw-xxxxxxxxx
BGP advertisement from the Inline VPC (BGP prefix / Next hop):
  0.0.0.0/0      Local IP
AWS Transit Gateway, VPC route domain (Route / Destination):
  0.0.0.0/0      Inline VPC VPN
AWS Transit Gateway, Inline route domain (Route / Destination):
  10.1.0.0/16    vpc-att-a
  10.2.0.0/16    vpc-att-b
Apply SNAT between VPCs for flow affinity
VPCs will see traffic as originating from the inline VPC CIDR
41. Centralized PrivateLink with Hybrid Cloud
[Diagram: Development, Testing and Production environments, each made up of several accounts, attach to an AWS Transit Gateway through their own route tables; a Shared services account hosts PrivateLink and Route 53; on-premises connectivity arrives via VPN and AWS Direct Connect Gateway]
42. AWS Transit Gateway in multiple Regions
[Diagram: two AWS Regions, each with VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) attached to a Regional AWS Transit Gateway; the Regions are joined by VPN through a Transit VPC, or by VPC peering]
AWS Transit Gateway inter-region support coming soon!
44. AWS Transit Gateway: Key features
Centralized routing policies across VPCs and on-prem
Scales to support thousands of VPCs across multiple accounts
Flexible segmentation and routing rules
Horizontally scalable
Increase connectivity throughput with multiple VPN connections
Simplified management
45. AWS Transit Gateway: Benefits (Simplified Networking, Global Connectivity, Manageability)
• Centrally interconnect multiple VPCs across accounts
• One central connection point for VPN and AWS Direct Connect
• Reduce or eliminate the need for peer-to-peer networking
• Increase VPN throughput via ECMP routing (50 Gbps+)
• Peer AWS Transit Gateway across regions (coming soon!)
• Leverage the AWS Global Network for low-latency cross-region connectivity
• Regional construct reduces blast radius
• Reduces time to configure on-premises connectivity to AWS
• Easily monitor and manage from a central point
• Integrated with Amazon CloudWatch and VPC Flow Logs
• Leverage existing VPC security groups and network access control lists
46. Thank you!
Alan Halachmi
halachmi@amazon.com