[NEW LAUNCH!] AWS Transit Gateway and Transit VPCs - Reference Architectures for Many VPCs (NET402) - AWS re:Invent 2018

This document discusses reference architectures for connecting many VPCs using Transit Gateways and Transit VPCs. It begins by describing how Transit VPCs work for connecting VPCs and their limitations around scaling and performance. It then introduces the AWS Transit Gateway as a new solution for connecting many VPCs across accounts and regions. It provides examples of how to configure route domains in Transit Gateways to implement flat or isolated connectivity models between VPCs.
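The flat and isolated connectivity models in the deck come down to two Transit Gateway primitives: each attachment is associated with exactly one TGW route table (the table used to look up traffic arriving from that attachment), and an attachment may propagate its CIDR into any number of tables (making it reachable from that route domain). The model below is an added example, not code from the deck or an AWS API; it simulates those semantics with longest-prefix-match lookups and blackhole routes over a constructed topology (the VPC names dev, prod, shared and their CIDRs are hypothetical), builds both models, and includes an audit that reports spoke-to-spoke leaks, which is the check you want when someone propagates a spoke into the wrong route domain.

```python
"""Model of AWS Transit Gateway route domains: associations, propagations, lookups."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample topology (hypothetical names and CIDRs, not from the deck).
VPCS = {"dev": "10.1.0.0/16", "prod": "10.2.0.0/16", "shared": "10.0.0.0/16"}


class TransitGateway:
    """Minimal model of TGW route tables (route domains), associations and propagations."""

    def __init__(self) -> None:
        self.vpc_cidr: Dict[str, IPv4Network] = {}
        # table name -> list of (prefix, target attachment or None for blackhole)
        self.tables: Dict[str, List[Tuple[IPv4Network, Optional[str]]]] = {}
        # each attachment is associated with exactly one route table
        self.association: Dict[str, str] = {}

    def attach_vpc(self, name: str, cidr: str) -> None:
        self.vpc_cidr[name] = ip_network(cidr)

    def create_table(self, name: str) -> None:
        self.tables[name] = []

    def associate(self, attachment: str, table: str) -> None:
        """Traffic entering the TGW from `attachment` is looked up in `table`."""
        self.association[attachment] = table

    def propagate(self, attachment: str, table: str) -> None:
        """Advertise the attachment's CIDR into `table`, i.e. make it reachable from that domain."""
        self.tables[table].append((self.vpc_cidr[attachment], attachment))

    def add_static_route(self, table: str, cidr: str, target: Optional[str]) -> None:
        """Static route; target=None models a blackhole route (traffic explicitly dropped)."""
        self.tables[table].append((ip_network(cidr), target))

    def next_hop(self, src: str, dst_ip: str) -> Optional[str]:
        """Longest-prefix match in the table associated with `src`; None means dropped."""
        dst = ip_address(dst_ip)
        best: Optional[Tuple[IPv4Network, Optional[str]]] = None
        for prefix, target in self.tables[self.association[src]]:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, target)
        return best[1] if best else None


def build_flat(vpcs: Dict[str, str] = VPCS) -> TransitGateway:
    """Flat model: one route domain, every attachment associated with and propagated into it."""
    tgw = TransitGateway()
    tgw.create_table("flat")
    for name, cidr in vpcs.items():
        tgw.attach_vpc(name, cidr)
        tgw.associate(name, "flat")
        tgw.propagate(name, "flat")
    return tgw


def build_isolated(vpcs: Dict[str, str] = VPCS, shared: str = "shared") -> TransitGateway:
    """Isolated model: spokes only see shared services; shared services sees every spoke."""
    tgw = TransitGateway()
    tgw.create_table("spokes")  # domain for dev/prod: holds only the shared-services route
    tgw.create_table("shared")  # domain for shared services: holds every spoke route
    for name, cidr in vpcs.items():
        tgw.attach_vpc(name, cidr)
    for name in vpcs:
        if name == shared:
            tgw.associate(name, "shared")
            tgw.propagate(name, "spokes")  # spokes can reach shared services
        else:
            tgw.associate(name, "spokes")
            tgw.propagate(name, "shared")  # shared services can reach this spoke
    return tgw


def reachability(tgw: TransitGateway) -> Dict[Tuple[str, str], bool]:
    """For each ordered pair of attachments: can src reach a host inside dst?"""
    result: Dict[Tuple[str, str], bool] = {}
    for src in tgw.vpc_cidr:
        for dst, cidr in tgw.vpc_cidr.items():
            if src != dst:
                probe = str(cidr.network_address + 10)  # hypothetical host inside dst
                result[(src, dst)] = tgw.next_hop(src, probe) == dst
    return result


def spoke_leaks(tgw: TransitGateway, shared: str = "shared") -> List[Tuple[str, str]]:
    """Spoke pairs that can reach each other; must be empty in the isolated model."""
    return sorted((s, d) for (s, d), ok in reachability(tgw).items()
                  if ok and shared not in (s, d))


if __name__ == "__main__":
    for label, tgw in (("flat", build_flat()), ("isolated", build_isolated())):
        print(label)
        for (src, dst), ok in sorted(reachability(tgw).items()):
            print(f"  {src:>6} -> {dst:<6} {'allowed' if ok else 'dropped'}")
```

The audit is the useful part: isolation is a property of which table each spoke is associated with and what has been propagated into that table, so the pair-wise reachability check, not the route table listing, is what tells you whether a propagation into the spoke domain has quietly flattened the network. A more specific blackhole route in the spoke table wins on longest prefix and drops that traffic even when a broader propagated route exists.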

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit Gateway and Transit VPCs
Reference Architectures for Many VPCs
Nick Matthews
Principal Solutions Architect
AWS
NET402
nickpowpow
What to expect
How it works:
- Transit VPC
- Transit Gateway
Build out a reference architecture:
- Account strategy
- Transit VPC
- Network services connectivity
- Shared services
- Multi-region options
- Segmentation model
(Diagram labels on this slide: VPN, WAN, AWS Direct Connect.)
VPC management differences
- Ease of creation
- Access models
- Diverse ownership
Our starting point
(Diagram labels: VPN, WAN, AWS Direct Connect, virtual private gateway, Dev, Prod.)

AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

[NEW LAUNCH!] AWS Transit Gateway and Transit VPCs - Reference Architectures for Many VPCs (NET402) - AWS re:Invent 2018

  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Transit Gateway and Transit VPCs: Reference Architectures for Many VPCs. Nick Matthews, Principal Solutions Architect, AWS. NET402. nickpowpow
  • 3. What to expect. How it works: Transit VPC; Transit Gateway. Build out a reference architecture: Account Strategy; Segmentation Model; Shared Services; Connectivity (VPN, WAN, AWS Direct Connect, Transit VPC); Network Services; Multi-Region Options.
  • 4.
  • 5. VPC management differences: Ease of creation; Access models; Diverse ownership.
  • 6. Our starting point (diagram): VPN; WAN; AWS Direct Connect; Virtual private gateway; Dev and Prod VPCs.
  • 7. Challenge: Adding more VPCs (diagram): VPN; WAN; AWS Direct Connect; lots of connections; three Dev/Prod VPC pairs.
  • 8. Challenge: Peering VPCs (diagram: VPN; WAN; AWS Direct Connect; three Dev/Prod VPC pairs). Let's: connect dev and prod with VPC peering; connect the green environment. How does this scale?
  • 9. (diagram: VPN; WAN; AWS Direct Connect; six Dev/Prod VPC pairs) Scaling connections? Scaling VPC peering? Shared services? Firewall and services?
  • 10. Transit VPC (diagram): VPN; WAN; AWS Direct Connect; Transit VPC in front of six Dev/Prod VPC pairs.
  • 11. AWS Transit Gateway (diagram): VPN; WAN; AWS Direct Connect; Transit Gateway in front of six Dev/Prod VPC pairs.
  • 12. Transit VPC Mechanics (diagram: VPN; WAN; AWS Direct Connect; Transit VPC).
  • 13. Transit VPC: Routing. Transit VPC 10.0.0.0/16; spoke VPCs 10.1.0.0/16 and 10.2.0.0/16; Virtual private gateway (VGW); Virtual Private Network (VPN); Internet. Spoke route table with individual routes: 10.2.0.0/16 → Local; 10.1.0.0/16 → VGW. Spoke route table with a default route: 10.2.0.0/16 → Local; 0.0.0.0/0 → VGW. The VPN instances advertise routes to each VGW with BGP. This can be a default route or individual routes.
  • 14. Why doesn't peering work? VPC peering between the Transit VPC 10.0.0.0/16 and the spokes 10.1.0.0/16 and 10.2.0.0/16; Internet. Spoke route table: 10.2.0.0/16 → Local; 0.0.0.0/0 → PCX.
  • 15. Why doesn't peering work? Same diagram, destination: Internet. Transitive routing: traffic must either originate or terminate on a network interface in the VPC.
  • 16. Why does VPN work? Transit VPC 10.0.0.0/16; spokes 10.1.0.0/16 and 10.2.0.0/16; Virtual Private Network (VPN); Internet. Spoke route table: 10.2.0.0/16 → Local; 0.0.0.0/0 → VGW. Destination: Internet. Transitive routing: traffic must either originate or terminate on a network interface in the VPC.
  • 17. Transit VPC: Availability. Virtual Private Gateway (VGW); Virtual Private Network (VPN); Transit VPC 10.0.0.0/16; spokes 10.1.0.0/16 and 10.2.0.0/16; Internet. Spoke route table: 10.2.0.0/16 → Local; 0.0.0.0/0 → VGW. BGP and Dead Peer Detection (DPD) detect the failure; the VGW route automatically fails over to the other tunnel. Spoiler: we'll use this again with Transit Gateway later.
  • 18. Transit VPC: Performance. Virtual private gateway (VGW); Virtual Private Network (VPN); Transit VPC 10.0.0.0/16; spokes 10.1.0.0/16 and 10.2.0.0/16; Internet. The VGW will only choose a single tunnel for outbound traffic (1.25 Gbps). The VGW accepts packets on any tunnel or connection. The VPN instance must forward all traffic; the maximum is based on instance size, ~1-3 Gbps on M4 and C4 families. Spoiler: we'll need to know this for Transit Gateway also.
  • 19. Transit VPC: Security Services. Virtual Private Network (VPN); 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16. Active/Passive using AS-path prepend.
  • 20. What is the AWS Transit Gateway?
  • 21. Introducing: Transit Gateway (diagram: AWS Region; Transit Gateway; ENIs; VPN; two routing domains; AWS Direct Connect*). Regional router; Scalable; Flexible routing. *Available Q1 2019.
  • 22. AWS HyperPlane and AWS Transit Gateway (diagram: AWS Region; VPC A and VPC B attachments onto AWS HyperPlane).
  • 23. Transit Gateway example time! Flat: every VPC should talk to every VPC! Isolated: don't let anything talk! Send everything back over VPN!
  • 24. Flat: Transit Gateway route domains (route tables). Transit Gateway default routing domain: 10.1.0.0/16 → vpc-att-1xxxxxxx; 10.2.0.0/16 → vpc-att-2xxxxxxx; 10.3.0.0/16 → vpc-att-3xxxxxxx; 10.4.0.0/16 → vpc-att-4xxxxxxx. Per VPC route table: 10.1.0.0/16 → Local; 10.0.0.0/8 → tgw-xxxxxxxxx.
  • 25. Flat: Transit Gateway route domains (route tables), same tables as slide 24.
  • 26. Isolated: Transit Gateway route domains. Routing domain for VPCs: 0.0.0.0/0 → VPN. Routing domain for VPN: 10.1.0.0/16 → vpc-att-1xxxx; 10.2.0.0/16 → vpc-att-2xxxx; 10.3.0.0/16 → vpc-att-3xxxx; 10.4.0.0/16 → vpc-att-4xxxx. Per VPC route table: 10.1.0.0/16 → Local; 0.0.0.0/0 → tgw-xxxxxxxxx.
  • 27. Isolated: Transit Gateway route domains, same tables as slide 26 (animation labels: Attach / go; Propagate / routes can reach).
  • 28. Isolated: Transit Gateway route domains, same tables as slide 26.
  • 29. Quick comparison: Transit Gateway and Transit VPC (diagram: VPN; WAN; AWS Direct Connect; Transit VPC beside Transit Gateway).
  • 30. Transit Gateway details: find NET331 (NEW LAUNCH: Introduction to Transit Gateway) on YouTube.
  • 31. Are there any reasons to use a Transit VPC?
  • 32. We're only adding things. You can use all existing options with Transit Gateway:
    • VPC peering
    • AWS Direct Connect
    • Elastic Load Balancing
    • AWS PrivateLink
    • AWS CloudWatch metrics
    • AWS CloudFormation
    • Transit VPC
  • 33. Reference Network Architecture (diagram): many accounts; VPN; AWS Direct Connect*; IAM, cross-account roles; Transit Gateway with route tables. *Available Q1 2019.
  • 34. Architecture walk through: Account strategy; Segmentation model; Shared services; Connectivity (VPN, WAN, AWS Direct Connect, Transit VPC); Network services; Multi-region options.
  • 35. Account Strategy (section marker: Account Strategy; Segmentation Model; Shared Services; Connectivity; Network Services; Multi-Region Options).
  • 36. Account and VPC segmentation: a spectrum from smaller VPCs or accounts to larger VPCs or accounts. Infrastructure and Networking: Automation of infrastructure; AWS Direct Connect and VPN standards; Subnet and routing standards. Policy and IAM: AWS Identity and Access Management; Strict security groups and routing; Identifying resources with tags.
  • 37. Both? Provide granular account control with centralized infrastructure.
  • 38. VPC Sharing and Resource Access Manager: share subnets between accounts in an AWS Organization (diagram: infrastructure account with resource shares to several accounts).
  • 39. VPC Sharing and Resource Access Manager: account owners only see subnets and their resources.
  • 40. VPC Sharing and Resource Access Manager: account owners only see subnets and their resources (same as slide 39).
  • 41. VPC Sharing benefits. Less unused resources:
    • Higher density subnets, add up to 5 additional CIDRs
    • More efficient use of VPN and AWS Direct Connect
    Separation of duties:
    • Infrastructure strictly controls routing, IP addresses, and VPC structure
    • Developers own their resources, accounts, and security groups
    Decouple accounts and networks:
    • Account protection and billing without additional infrastructure
    • Many accounts with fewer networks
    • Avoid VPC peering charges
  • 42. Other account considerations. One size does not need to fit all:
    • Example: production may use separate VPCs, development can use a shared VPC
    • AWS Transit Gateway can handle large numbers of VPCs if needed
    VPC Sharing works within an AWS Organization. VPC Sharing doesn't restrict resource utilization:
    • NAT gateways, VPN, subnet address space, and security groups have shared limits
    • VPC Sharing doesn't change any VPC limits, only account limits
    • Give highly scalable services like AWS Lambda dedicated IP space
  • 43. Segmentation Model (section marker: Account Strategy; Segmentation Model; Shared Services; Connectivity; Network Services; Multi-Region Options).
  • 44. Segmentation: Decision inputs. Relationship between accounts, VPCs, and tenants?
    • Do accounts and tenants trust each other?
    • Is the current network segmentation intentional or a side effect?
    Who owns security and networking?
    • Each team or a centralized team?
    Compliance and governance requirements?
    • Scope can be reduced at an account or a VPC level
  • 45. Segmentation options: Layers (diagram). Baseline security inside the account: IAM; security groups. At the VPC: network ACLs; route tables; separate VPCs (network security). Labels: tenant and infrastructure; shared security line.
  • 46. Segmentation options: Layers (diagram): inside the account; at the VPC; at the Transit Gateway (route tables, security services); VPN; AWS Direct Connect*. *Available Q1 2019.
  • 47. Segmentation in a Shared VPC with network ACLs (diagram: accounts with resource shares). Mimic the behavior of a single VPC with an inbound network ACL:
    • 100: source 10.0.1.0/24, ALLOW
    • 101: source 10.0.101.0/24, ALLOW
    • 200: source 10.0.0.0/16, DENY
    • 300: source 0.0.0.0/0, ALLOW
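An added illustration of the slide 47 rule set, written for this page and not taken from the deck or from AWS: a small Python model of how an inbound network ACL is evaluated (ascending rule number, first match wins, implicit deny at the end). The rule numbers, source CIDRs and actions are the slide's; the probe addresses, the tenant subnet lists and the mis-numbered variant are constructed to show the one mistake that silently breaks this pattern, a DENY that sorts before the tenant's own ALLOW rules.

```python
"""Constructed model of the inbound network ACL on slide 47 (example code,
not AWS code).  A network ACL is evaluated in ascending rule-number order and
the first matching rule decides; nothing matching falls through to the
implicit deny.  The rule set mimics a single-VPC trust boundary for one
tenant's subnets (10.0.1.0/24 and 10.0.101.0/24) inside shared VPC 10.0.0.0/16."""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Rule = Tuple[int, str, str]  # (rule number, source CIDR, "ALLOW" | "DENY")

# Rule set exactly as given on the slide.
INBOUND_NACL: List[Rule] = [
    (100, "10.0.1.0/24", "ALLOW"),    # this tenant's subnet, first AZ
    (101, "10.0.101.0/24", "ALLOW"),  # this tenant's subnet, second AZ
    (200, "10.0.0.0/16", "DENY"),     # every other subnet in the shared VPC
    (300, "0.0.0.0/0", "ALLOW"),      # everything else (on-premises, internet)
]

# Constructed variant: the DENY was numbered below the tenant ALLOWs.
MISNUMBERED_NACL: List[Rule] = [
    (50, "10.0.0.0/16", "DENY"),
    (100, "10.0.1.0/24", "ALLOW"),
    (101, "10.0.101.0/24", "ALLOW"),
    (300, "0.0.0.0/0", "ALLOW"),
]

# Constructed subnet lists: this tenant's subnets and two other tenants'.
OWN_SUBNETS = ["10.0.1.0/24", "10.0.101.0/24"]
OTHER_SUBNETS = ["10.0.2.0/24", "10.0.102.0/24"]


def evaluate(rules: List[Rule], src_ip: str) -> Tuple[str, str]:
    """Return (action, rule number) for a packet arriving from src_ip.

    Rules are tried in ascending number order; the first whose source CIDR
    contains src_ip wins.  With no match, the ACL's implicit '*' rule denies.
    """
    addr = ip_address(src_ip)
    for number, cidr, action in sorted(rules):
        if addr in ip_network(cidr, strict=False):
            return action, str(number)
    return "DENY", "*"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that can never match because a lower-numbered rule already
    covers their whole source CIDR.  A DENY accidentally numbered below the
    tenant ALLOWs shows up here instead of silently cutting the tenant off."""
    ordered = sorted(rules)
    shadowed = []
    for i, (number, cidr, _) in enumerate(ordered):
        net = ip_network(cidr, strict=False)
        if any(net.subnet_of(ip_network(earlier, strict=False))
               for _, earlier, _ in ordered[:i]):
            shadowed.append(number)
    return shadowed


def check_tenant_boundary(rules: List[Rule], own: List[str], other: List[str]) -> bool:
    """True when every probe in the tenant's own subnets is allowed and every
    probe in the other tenants' subnets is denied.  The first and last usable
    host of each subnet serve as probes."""
    def probes(cidr: str) -> List[str]:
        net = ip_network(cidr, strict=False)
        return [str(net.network_address + 1), str(net.broadcast_address - 1)]

    allowed = all(evaluate(rules, ip)[0] == "ALLOW" for c in own for ip in probes(c))
    denied = all(evaluate(rules, ip)[0] == "DENY" for c in other for ip in probes(c))
    return allowed and denied


if __name__ == "__main__":
    for ip in ("10.0.1.7", "10.0.101.7", "10.0.5.7", "192.168.1.1"):
        print(ip, evaluate(INBOUND_NACL, ip))
    print("shadowed in slide rule set:", shadowed_rules(INBOUND_NACL))
    print("shadowed in mis-numbered set:", shadowed_rules(MISNUMBERED_NACL))
    print("boundary holds:", check_tenant_boundary(INBOUND_NACL, OWN_SUBNETS, OTHER_SUBNETS))
```

Network ACLs are stateless, so the same ordering discipline applies to the outbound rule set; `shadowed_rules` is the check to run before a rule set is pushed to a shared VPC, because a shadowed ALLOW fails closed for the tenant rather than open.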
  • 48. Flat: Transit Gateway route domains. All routes and attachments are in a single route table. Default routing domain: 10.1.0.0/16 → vpc-att-1xxxxxxx; 10.2.0.0/16 → vpc-att-2xxxxxxx; 10.3.0.0/16 → vpc-att-3xxxxxxx; 10.0.0.0/8 → VPN.
  • 49. Isolated: Transit Gateway route domains (diagram: Transit Gateway with a shared services VPC, a VPN, and workload VPCs). VPCs attach to a route table with routes to shared resources: 10.0.0.0/8 → VPN; 10.4.0.0/16 → vpc-att-4xxxx. Shared resources attach to a route table with routes to all resources: 10.1.0.0/16 → vpc-att-1xxxx; 10.2.0.0/16 → vpc-att-2xxxx; 10.3.0.0/16 → vpc-att-3xxxx; 10.4.0.0/16 → vpc-att-4xxxx.
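An added example, written for this page and not code from the deck or from AWS, that models the flat route domain of slides 24 and 48 and the isolated-with-shared-services domains of slides 26 and 49 as longest-prefix-match route tables with one association per attachment. The attachment names vpc-att-1 to vpc-att-4 and vpn follow the slides' placeholders; the on-premises range 10.200.0.0/16 behind the VPN is constructed. The `direct_vpc_to_vpc_paths` check is the policy test a reviewer would run against a proposed set of route tables: in the isolated model it must return only pairs that involve the shared-services attachment.

```python
"""Constructed model of Transit Gateway route domains (example code, not AWS
code).  A route domain is a Transit Gateway route table; each attachment is
associated with exactly one table, and a packet arriving from an attachment
is looked up in that table with longest-prefix match.  No matching route
means the packet is dropped."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]            # (destination CIDR, target attachment)
RouteTables = Dict[str, List[Route]]
Associations = Dict[str, str]      # attachment -> route table it is associated with

# Constructed CIDR behind each attachment; 10.200.0.0/16 stands in for on-premises.
CIDRS: Dict[str, str] = {
    "vpc-att-1": "10.1.0.0/16", "vpc-att-2": "10.2.0.0/16",
    "vpc-att-3": "10.3.0.0/16", "vpc-att-4": "10.4.0.0/16",
    "vpn": "10.200.0.0/16",
}

# Flat model (slides 24 and 48): one default table, every attachment associated
# with it, every VPC CIDR present plus a summary route to the VPN.
FLAT_TABLES: RouteTables = {
    "default": [("10.1.0.0/16", "vpc-att-1"), ("10.2.0.0/16", "vpc-att-2"),
                ("10.3.0.0/16", "vpc-att-3"), ("10.4.0.0/16", "vpc-att-4"),
                ("10.0.0.0/8", "vpn")],
}
FLAT_ASSOC: Associations = {a: "default" for a in CIDRS}

# Isolated model with shared services (slides 26 and 49): workload VPCs are
# associated with a table that knows only the shared-services VPC and the VPN;
# the shared-services VPC and the VPN are associated with a table that knows
# every VPC.
ISOLATED_TABLES: RouteTables = {
    "vpcs":   [("10.0.0.0/8", "vpn"), ("10.4.0.0/16", "vpc-att-4")],
    "shared": [("10.1.0.0/16", "vpc-att-1"), ("10.2.0.0/16", "vpc-att-2"),
               ("10.3.0.0/16", "vpc-att-3"), ("10.4.0.0/16", "vpc-att-4")],
}
ISOLATED_ASSOC: Associations = {"vpc-att-1": "vpcs", "vpc-att-2": "vpcs",
                                "vpc-att-3": "vpcs", "vpc-att-4": "shared",
                                "vpn": "shared"}


def lookup(table: List[Route], dst_ip: str) -> Optional[str]:
    """Longest-prefix match; None means no route (the Transit Gateway drops it)."""
    addr = ip_address(dst_ip)
    best, best_len = None, -1
    for cidr, target in table:
        net = ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


def forward(tables: RouteTables, assoc: Associations,
            src_attachment: str, dst_ip: str) -> Optional[str]:
    """The attachment a packet from src_attachment to dst_ip is sent out on."""
    return lookup(tables[assoc[src_attachment]], dst_ip)


def reachability(tables: RouteTables, assoc: Associations,
                 cidrs: Dict[str, str]) -> Dict[Tuple[str, str], Optional[str]]:
    """First hop for every ordered pair of attachments, probing one host
    inside the destination attachment's CIDR."""
    result = {}
    for src in assoc:
        for dst, cidr in cidrs.items():
            if src == dst:
                continue
            host = str(ip_network(cidr, strict=False).network_address + 10)
            result[(src, dst)] = forward(tables, assoc, src, host)
    return result


def direct_vpc_to_vpc_paths(tables: RouteTables, assoc: Associations,
                            cidrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Ordered pairs of VPC attachments routed straight to each other.  In the
    isolated model every pair must involve the shared-services attachment."""
    return sorted((s, d) for (s, d), hop in reachability(tables, assoc, cidrs).items()
                  if s.startswith("vpc-att") and d.startswith("vpc-att") and hop == d)


if __name__ == "__main__":
    print("flat, VPC1 -> 10.2.0.5:", forward(FLAT_TABLES, FLAT_ASSOC, "vpc-att-1", "10.2.0.5"))
    print("isolated, VPC1 -> 10.2.0.5:", forward(ISOLATED_TABLES, ISOLATED_ASSOC, "vpc-att-1", "10.2.0.5"))
    print("isolated, VPC1 -> 10.4.0.5:", forward(ISOLATED_TABLES, ISOLATED_ASSOC, "vpc-att-1", "10.4.0.5"))
    print("direct VPC pairs, isolated:", direct_vpc_to_vpc_paths(ISOLATED_TABLES, ISOLATED_ASSOC, CIDRS))
```

In the isolated model a packet from vpc-att-1 to 10.2.0.5 is sent to the VPN attachment, not to vpc-att-2: the only way the two workload VPCs could meet is a hairpin through on-premises, which the on-premises router decides. A destination with no route at all (192.168.1.1 here) returns None, the model's equivalent of the Transit Gateway dropping the packet.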
  • 50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Segmentation considerations: Where to start Security groups and IAM are effective and proven • Encourage IAM and security group use and monitor security configuration Shared VPCs • Tenants should limit access from the internet and other tenants • VPCs using VPC peering are likely to benefit from Shared VPCs • Design around resource and limit contention Separate VPCs • Often the best security decision is the simplest. Separate VPCs are simple. • Use separate VPCs for strong network segmentation and resource isolation • Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes) Transit Gateway route tables define multi-VPC policy • Consider isolating environments (dev and prod) and allow access to shared resources
  • 51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Network Services ConnectivityShared Services Multi-Region Options Segmentation ModelAccount Strategy
  • 52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Shared services connectivity options VPC peering • One-to-one connectivity • Scales to 100 VPCs • Security groups across VPCs • Inter-region peering Transit VPC • Shared services as a spoke • Bandwidth constrained • Complex management • Instance and licensing costs VPN WAN AWS Direct Connect Transit VPC Shared Services AWS Transit Gateway • Many-to-many or one-to-many with route tables • Highly scalable • Hourly per AZ endpoint costs Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared Services Route Tables Route Tables Transit Gateway AWS PrivateLink • One-to-many connectivity • Highly scalable • Supports overlapping CIDRs • Uses Elastic Load Balancing • Load balancing and hourly endpoint costs
  • 53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Shared services connectivity options at scale VPC Peering • 1-to-1 connectivity • Scales to 100 VPCs • Security groups across VPCs • Inter-region peering Transit VPC • Shared services as a spoke • Bandwidth restricted • Complex management • Instance and licensing costs AWS Transit Gateway • Many-to-many or one-to-many with route tables • Highly scalable • Hourly per AZ endpoint costs Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared Services Route Tables Route Tables Transit Gateway AWS PrivateLink • One-to-many connectivity • Highly scalable • Supports overlapping CIDRs • Uses Elastic Load Balancing • Load balancing and hourly endpoint costs
  • 54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Shared services with Transit Gateway Extensible for many VPCs if needed Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared services Route tables Route tables Transit Gateway Works with flat or isolated segmentation Account Account Account Account Acquisition Example applications • Authentication • Logging • DevOps tools • Security resources
  • 55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Using Transit Gateway and PrivateLink AWS Transit Gateway • Many-to-Many or one-to-many with route tables • Highly scalable • Hourly per AZ endpoint costs Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared Services Route Tables Route Tables Transit Gateway Scope Trust model Dependencies Scale Scope Trust model Dependencies Scale AWS PrivateLink • One-to-many connectivity • Highly scalable • Supports overlapping CIDRs • Uses Elastic Load Balancing • Load balancing and hourly endpoint costs
  • 56. Connecting on-premises Account Account Account Account Account Account Account Account Account Account Account Account VPN AWS Direct Connect * Route tables Route tables Transit Gateway Network Services Connectivity Multi-Region Options Account Strategy Shared ServicesSegmentation Model
  • 57. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Connecting to on-premises Virtual Private Gateway VPN AWS Direct Connect VPN WAN • Per VPC • 1.25 gbps per tunnel • Encrypted in transit • Per VPC (50 per port) • Multiple VPCs with Direct Connect gateway • No bandwidth restraint AWS Transit Gateway VPN VPN • Multiple VPCs • Add VPN connection as needed • 1.25 gbps per tunnel • Roadmap: AWS Direct Connect Amazon EC2 customer VPN VPN • Per VPC or multiple (Transit VPC) • Bandwidths vary by instance type • AWS Marketplace options • Scalability is generally limited by management complexity
  • 58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Connecting to On-premises at Scale Virtual Private Gateway VPN AWS Direct Connect VPN WAN • Per VPC • 1.25 gbps per tunnel • Encrypted in transit • Per VPC (50 per port) • Multiple VPCs with Direct Connect gateway • No bandwidth restraint AWS Transit Gateway VPN VPN • Multiple VPCs • Add VPN connection as needed • 1.25 gbps per tunnel • Roadmap: AWS Direct Connect Amazon EC2 Customer VPN VPN • Per VPC or multiple (Transit VPC) • Bandwidths vary by instance type • AWS Marketplace options • Scalability is generally limited by management complexity
  • 59. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Direct Connect to Many VPCs AWS Region 10.1.0.0/16 WAN On-premises AWS Direct Connect location Private virtual interface (VIF) Customer router AWS router Customer router AWS router 10.2.0.0/16 Up to 50 VIFs per port AWS Direct Connect location 2
  • 60. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Direct Connect: Link Aggregation AWS Region 10.1.0.0/16 WAN On-premises Link aggregation (LAG) Private virtual interface (VIF) Customer router AWS router Customer router AWS router 10.2.0.0/16 Up to 4 ports in a LAG, each with 50 VIFs AWS Direct Connect location 2
  • 61. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Direct Connect gateway AWS Region 10.1.0.0/16 WAN On-premises AWS Direct Connect location Private virtual interface (VIF) Customer router AWS router Customer router AWS router 10.2.0.0/16 Up to 10 VGWs per direct connect gateway AWS Direct Connect location 2 Direct connect gateway Account
  • 62. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Direct Connect and Transit Gateway Use Direct Connect in parallel Use VPN over a Direct Connect public virtual interface (VIF) Account Account Account Account Account Account Account Account Account Account Account Account VPN AWS Direct Connect Route Tables Route Tables Transit Gateway Private virtual interfaces VPN AWS Direct Connect Route Tables Route Tables Transit Gateway Public virtual interface AWS Cloud Receive AWS public IP addresses Native Direct Connect support planned for Q1 2019
  • 63. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Direct Connect and Transit Gateway Use an edge services VPC in front of a private virtual interface Transit VPC Private virtual interface AWS Direct Connect Tunnels VPN 10.1.0.0/16 10.2.0.0/16 VPC A VPC B AWS Transit Gateway • More detail in the network services section • Also how used to migrate or extend existing Transit VPCs • Helpful for single-VIF (<1 Gbps) Direct Connect • Can be used for North-South inspection use- cases
  • 64. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. VPN With Transit Gateway VPN Route tables Route tables Transit Gateway Customer Gateway Consolidate VPN at the Transit Gateway (TGW) • VPN acts similar to the Virtual Private Gateway (VGW) • Bandwidth, configuration, APIs, cost, and experience • VPN is attached to a TGW instead of a VGW • Same 1.25 gbps bandwidth per tunnel applies Encryption to the edge of many VPCs • Traffic is encrypted until it’s inside the VPC • Does not natively encrypt traffic between VPCs • Inter-region VPC peering does
  • 65. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. VPN with Transit Gateway: Add more bandwidth VPN Route tables Route tables Transit Gateway Customer Gateway Support for spreading traffic across many tunnels • Equal Cost Multi-Path (ECMP) support with BGP multi- path • Tested up to 50 Gbps of traffic • Split traffic into smaller flows, multi-part uploads, etc. Check your on-premises configuration • Multi-path BGP • ECMP support, amount of equal paths, reverse-path forwarding/spoofing checks • Only supported with BGP, not static routing
  • 66. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. 100.64.0.0/16 Transit VPC Transit VPC 1.1 Transit Gateway VPC route domain 10.1.0.0/16 10.2.0.0/16 Transit route domain Spoke route table Transit VPC route table VPC A VPC B Active/passive VPN BGP advertisement Route Destination 10.2.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx BGP prefix Next hop 10.0.0.0/8 Local IP 10.0.0.0/8 Transit VPC VPN 10.1.0.0/16 vpc-att-a 10.2.0.0/16 vpc-att-b
  • 67. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Neat. But, why? ? ?
  • 68. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Network Services Connectivity Multi-Region Options Account Strategy Shared ServicesSegmentation Model
  • 69. Reference Network Architecture Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared services Authentication, Monitoring VPN AWS Direct Connect * Route tables Route tables Transit Gateway Optional network services
  • 70. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Do I need to put service each into their own VPC?
  • 71. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. 100.64.0.0/16 Outbound VPC SNAT SNAT Outbound services VPC Transit Gateway VPC route domain 10.1.0.0/16 10.2.0.0/16 Outbound route domain Spoke route table Outbound VPC route table VPC A VPC B ECMP VPN BGP advertisement Route Destination 10.2.0.0/16 Local 0.0.0.0/0 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx BGP prefix Next hop 0.0.0.0/0 Local IP 0.0.0.0/0 Outbound VPC VPN 10.1.0.0/16 vpc-att-a 10.2.0.0/16 vpc-att-b Apply SNAT outbound to the internet SNAT Use cases:
  • 72. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. VPN service insertion design notes Instance must be able to support: • VPN to the Transit Gateway • BGP to the Transit Gateway (ECMP requirement) • Source NAT to the internet Performance • IPsec overhead • Compatible with auto-scaling architectures • No cumulative bandwidth limit High availability • BGP and VPN Dead Peer Detection handle failover • No API calls required for fault tolerance • Optionally place instances in Amazon EC2 automatic recovery Stateful services • Use Source NAT to guarantee the return flow to the same instance Horizontally scalable service pattern Preferred method if the service supports BGP, VPN and NAT.
  • 73. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. 100.64.0.0/16 Outbound VPC SNAT SNAT Outbound services VPC: Interface Transit Gateway VPC route domain 10.1.0.0/16 10.2.0.0/16 Outbound route domain Spoke route table Outbound VPC route table VPC A VPC B VPC Attachment route table, per AZ Route Destination 10.2.0.0/16 Local 0.0.0.0/0 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx Route Destination 0.0.0.0/0 eni-xxxxxxx 0.0.0.0/0 vpc-att-outbound 10.1.0.0/16 vpc-att-a 10.2.0.0/16 vpc-att-b Apply SNAT outbound to the internet SNAT
  • 74. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Interface service insertion design notes Instance must be able to support: • Source NAT to the internet Performance • No overhead (8500 MTU) • Limited to one Transit Gateway attachment per Availability Zone, so one route table • Traffic is forwarded within the same Availability Zone if possible • Likely that traffic isn’t evenly distributed across instances High availability • There are no built-in health checks for the VPC routes, requires monitoring and management • Optionally place instances in Amazon EC2 automatic recovery Stateful services • Use Source NAT to guarantee the return flow to the same instance Simpler performance pattern Stay within the performance of a single service instance (worst-case scenario) and configure your own high availability checks.
  • 75. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Edge services VPC: Ingress 100.64.0.0/16 Edge VPC Transit Gateway VPC route domain 10.1.0.0/16 Edge route domain Spoke route table Edge VPC route table VPC A ECMP VPN Route Destination 10.1.0.0/16 Local 100.64.0.0/16 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx BGP prefix Next hop 100.64.0.0/16 Local IP 100.64.0.0/16 Edge VPC VPN 10.1.0.0/16 vpc-att-a SNAT SNAT SNAT Use cases: Optional ELB
  • 76. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Edge services VPC: SD-WAN 100.64.0.0/16 Edge VPC Transit Gateway VPC route domain 10.1.0.0/16 Edge route domain Spoke route table Edge VPC route table VPC A ECMP VPN Route Destination 10.1.0.0/16 Local 0.0.0.0/0 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx BGP prefix Next hop Many prefixes Local IP Many Prefixes Edge VPC VPN 10.1.0.0/16 vpc-att-a SNAT SNAT SNAT Use cases: Tunnels Data Center, Branches, Clients, etc. Only stateful services require NAT Can be a summary or default route in each VPC and BGP
  • 77. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Reminder: Existing network services or DMZs may be convenient, but they may also be the problem. Remember to evaluate operational processes, alternatives, and automation
  • 78. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ECMP VPN SNAT SNAT SNAT VPC to VPC service insertion 100.64.0.0/16 Inline VPC Transit Gateway VPC route domain 10.1.0.0/16 10.2.0.0/16 Inline route domain Spoke route table Inline VPC route table VPC A VPC B BGP advertisement Route Destination 10.2.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 100.64.0.0/16 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx BGP prefix Next hop 0.0.0.0/0 Local IP 0.0.0.0/0 Inline VPC VPN 10.1.0.0/16 vpc-att-a 10.2.0.0/16 vpc-att-b Apply SNAT between VPCs for flow affinity Use cases: VPCs will traffic as originated from the inline VPC CIDR
  • 79. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ECMP VPN VPC to on-premises service insertion 100.64.0.0/16 Inline VPC Transit Gateway VPC/VPN route domain 10.1.0.0/16 Inline route domain Spoke route table Inline VPC route table VPC A BGP advertisement Route Destination 10.2.0.0/16 Local On-premises tgw-xxxxxxxxx 100.64.0.0/16 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx On-premises tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx BGP prefix Next hop 0.0.0.0/0 Local IP 0.0.0.0/0 Inspection VPC VPN 10.1.0.0/16 vpc-att-a On-premises On-premises VPN SNAT SNAT SNAT Apply SNAT between VPCs for flow affinity VPCs will see traffic sourced from the inline VPC CIDR range due to SNAT On-premises BGP advertisement BGP prefix Next hop On-premises Local IP This forces VPC-to-VPC and between on-premises and VPCs through the inline VPC Using an edge services model with VPN terminated on the firewalls may be simpler
  • 80. Transit Gateway launch partners (partner logos)
  • 81. Orchestration: Dev & prod isolated transit network (diagram). Components: AVX Controller, AVX Edge VPC, AWS Direct Connect / Internet, Shared Service VPC, Transit Gateway, spoke VPCs, VGW, On Prem 1 and On Prem 2. Routing domains: Dev, Prod, Shared services, Edge.
  • 82. Security VPC: Check Point Auto-Scaling integration. Transit Gateway with a VPC route domain and a default route domain; ECMP VPN with BGP to a Check Point auto scaling group (ASG); 0.0.0.0/0 points at the Check Point VPN and on to the Internet.
    Use cases: hybrid cloud secured connectivity; granular inter-VPC security inspection; Internet-bound traffic inspection.
  • 83. Xero TPZ, est. 2015. Threat Protection Zone (TPZ) VPC (172.16.0.0/23) with an explicit proxy cluster (internal and external sides) and security inspection services; static routing.
    Routes shown (spoke route table and TPZ VPC): 172.16.0.0/23 pcx-xxxxx; 0.0.0.0/0 igw-xxxxx (egress route to the Internet); 10.1.0.0/16 pcx-xxxxx (VPC A) and 10.2.0.0/16 pcx-xxxxx (VPC B), internal routes for transit.
    Client proxy setting: "ProxyUrl": "http://proxy.internal:8080"
  • 84. Xero TPZ future state: Transit Gateway with dynamic routing; separate TPZ egress and TPZ ingress VPCs, each with security inspection services.
  • 85. Multi-Region Options (section divider; build-out agenda: Account Strategy, Segmentation Model, Network Services, Connectivity, Shared Services, Multi-Region Options)
  • 86. Inter-region VPC peering: VPC peering between VPCs in two AWS Regions.
  • 87. Multiple Regions: the on-premises WAN connects through customer routers to AWS routers at an AWS Direct Connect location and AWS Direct Connect location 2; private virtual interfaces (VIFs) attach to a Direct Connect gateway in the account, which reaches VPCs in multiple AWS Regions.
  • 88. Transit Gateway in multiple Regions: each AWS Region has its own AWS Transit Gateway with VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) attached; the Regions are joined either by a Transit VPC with VPN to each Transit Gateway or by VPC peering. Transit Gateway inter-region support coming soon!
  • 90. Takeaways
    • We have tools and architectures that horizontally scale to many VPCs
    • There's wiggle room for your specific use cases
    • Use services in combination to meet scale and security requirements
  • 91. Advice
    • Networking changes fast, no more crystal balls
    • Start simple! Stay simple. Reduce complexity to smaller scopes
    • Segment and modify as needed
    • Experiment and test
  • 92. Thank you! Nick Matthews @nickpowpow