1. The document provides an overview of restructuring an AWS network architecture to improve complexity, security, and costs. 2. The original architecture had issues with peering complexity between multiple VPCs and accounts, multiple route tables, VPNs in every VPC, and high costs from multiple internet gateways. 3. The restructured architecture migrates to transit gateways for cross-VPC connectivity, centralizes routing with the transit gateway, uses direct connects instead of VPNs, enforces public/private subnet security, and uses a single internet gateway for all internet access.

1. AWS Network Architecture
October, 2020
Olaf Reitmaier Veracierta
An Example of Restructuration and Clean-Up

2. Agenda
• AWS Network
• Concepts
• Problems
• Solutions
• Restructuration
• Exception to the Rules
• Cheat Sheet for Engineers
• Key Take Away (Reminders)
• Q&A
Intention:
• Arise curiosity
• Give overview
• Serve as basic
reference for
what & where

3. AWS Network Basic Concepts
VPC ⇢ Account (Team) ⇢ Organization
Magic
VPC – 10.0.0.0/8
REGION (EU-CENTRAL-1)
Other
Network
Gateways

4. Other
VPC(s)
Default
VPC
Default
VPC
VPN
IGW
IGW
Other
VPC(s)
NAT GW
Peerings
Complexity
O(N*M)
X Account
Root Account
NAT GW
IGW
IGW VPN
Problems:
1. Peering Complexity
2. Multiple Route Tables
3. GW/VPN everywhere
4. Security (Pub./Priv.)
5. Costs (GWs)
Example
Solutions?:

5. http://aws-reinvent-
audio.s3-website.us-east-
2.amazonaws.com/2019/2
019_presentations.html
https://aws-de-marketing.s3-eu-central-
1.amazonaws.com/Field%20Marketing/Summit-Berlin-
2019/Presentations/AWS_Summit_Berlin_2019_Feb27
_AWS_Networking%20_Advanced_Concepts_%20Ne
w_Capabilities.pdf
https://d1.awsstatic.com/events/reinvent/201
9/REPEAT_3_From_one_to_many_Diving_dee
per_into_evolving_VPC_design_ARC304-
R3.pdf
1) 2)

6. https://d1.awsstatic.com/events/reinvent/2019/
REPEAT_3_From_one_to_many_Diving_deeper_
into_evolving_VPC_design_ARC304-R3.pdf
1) State-Of-The-Art & Referential => We Took Small Seed!

7. Problems => Solutions
1. Complexity => Migrate to TGW
2. Route Tables => Central TGW + TF
3. VPNs => Carriers + Direct Connect
4. Security => Enforce Pub/Priv. Subnets
5. Costs (GWs) => Single Internet Exit
---
• ETA/Effort => O(N), where N ~ Months.
• Downtime => Progressive / Phased.
• Terraform => Rework / Split.

8. Old
VPC(s)
Default
VPC
Default
VPC
VPN
IGW
IGW
Peerings
Between
Accounts
X Account
Root
Account
NAT GW
IGW
Start

9. Old
VPC(s)
Default
VPC
New VPC
(Production)
New VPC
(Staging)
TGW
(Production)
TGW
(Staging)
New VPC
(Production)
New VPC
(Staging)
Default
VPC
VPN
IGW
IGW IGW
IGW
Egress VPC(s)
(Internet Exit)
Peerings
Between
Accounts
X Account
NAT GW
VPN
NAT GW DC IGW
IGW
IGW
IGW
Root Account
Dual

10. New VPC
(Production)
New VPC
(Staging)
TGW
(Production)
TGW
(Staging)
New VPC
(Production)
New VPC
(Staging)
IGW
IGW
Egress VPC(s)
(Internet Exit)
DC
X Account
Root Account
IGW IGW
NAT GW IGW
End

11. New VPC
(Production)
New VPC
(Staging)
TGW
(Production)
TGW
(Staging)
New VPC
(Production)
New VPC
(Staging)
IGW
IGW
Egress VPC(s)
(Internet Exit)
DC
X Account
Root Account
Avoid Exceptions
(e.g. “Unique” Tools)
Rely on Pub. API
IGW IGW
NAT GW IGW
Exception

12. IGW
Public Subnet
Private Subnet
Acc. X
AWS Network Cheat Sheet
[Staging env. is a arch. mirror]
VPC (Prod)
No VPN Access
No TGW Access
0.0.0.0/0 => IGW
VPN Access
TGW Cross-Account
0.0.0.0/0 => TGW
Acc. Y
ELB
ELB
IGW
Public Subnet
Private Subnet
VPC (Prod)
No VPN Access
No TGW Access
0.0.0.0/0 => IGW
VPN DUS DC
TGW Cross-Account
0.0.0.0/0 => TGW
ELB
ELB
IGW
Public Subnet
Private Subnet
Acc. Root (Parent)
VPC (Prod)
No VPN Access
No TGW Access
0.0.0.0/0 => IGW
VPN Access
TGW Cross-Account
0.0.0.0/0 => TGW
ELB
ELB
Egress VPC (Prod)
Private Subnet
NAT GWs
0.0.0.0/0 => NAT GW
Single Internet Exit for Navigation
TGW
(Prod)
Internet
Internet
Internet
Internet
Jump/Bastion
Host
Jump/Bastion
Host
NOTES: 1) Security Groups for resources on public subnets must be restricted to Office IPs unless accessed by customers or external services. For security reasons, PUBLIC
SUBNETS ARE NOT ABLE TO REACH neither NAT GWs (instead use the account Internet GW), Transit GW, private VPNs / Direct Connect or any other Cross-Account
VPC/Subnets/Resources both public and private. 2). Indeed, public subnets are restricted within the VPC where they are defined and meant to be used for: AWS EC2 instances
like jump/bastion hosts, some frontends setups (able to work within the same VPC), Elastic Load Balancers, jump/bastion hosts. Remember, that NAT GWs IP from root
(parent) account should be whitelist if external services maintains a whitelist of AWS NAT GW public IPs. 3) Additionally, Jump/bastion hosts can be easily replaced with AWS
System Manager https://aws.amazon.com/blogs/mt/replacing-a-bastion-host-with-amazon-ec2-systems-manager to save money and reducing security risks (not urgent).
Public Subnet Public Subnet
Private Subnet
IGW
Internet
MK
GW
VPN
0.0.0.0/0 => IGW
VPN VPC (Prod & Stg)
Direct
Connect
(DC)

13. Key Takeaways - Reminders
1. Save/Print the Cheat Sheet.
2. Do not use Default VPC (If you still have one)
3. Migrate from Old VPCs and prefer new VPCs overall
4. New VPCs (Stage/Production) and 2-3 Availability Zones
5. Don’t deploy servers and/or applications on Public Subnets (Use
Network/Application ELB instead).
6. New single Internet exit through the AWS Root Account
(Whitelist Root Account NAT Gateways IPv4 to external service
providers).
7. Whitelist AWS NAT GWs IPs on your Security Groups.