Concepts
AWS provides various services and features that allow users to set up complex network topologies. One key service is Amazon Virtual Private Cloud (VPC), which allows you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
Within a VPC, subnets allow you to partition your network and route traffic accordingly. Network Access Control Lists (NACLs) and Security Groups act as firewalls, controlling inbound and outbound traffic at the subnet and instance level, respectively.
Route Tables
Route Tables are used within VPCs to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table, which specifies the routes for outbound traffic. You can leverage multiple route tables within a VPC to precisely control the flow of traffic between subnets, Internet Gateways (IGW), Virtual Private Gateways (VGW), and other networking services.
Example route table configurations for a public subnet and for a private subnet with VPN access:

Public subnet route table:

Destination | Target
---|---
10.0.0.0/16 | local
0.0.0.0/0 | igw-id

Private subnet route table (VPN access through a Virtual Private Gateway):

Destination | Target
---|---
10.0.0.0/16 | local
pl-xxxxxxxx | vgw-id
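As an added example (not code from the article), the following Python applies the rule the tables above express, a 0.0.0.0/0 route to an Internet Gateway makes a subnet public and a route to a Virtual Private Gateway gives it VPN reach, to data shaped like the output of `aws ec2 describe-route-tables`, and flags subnets meant to be private that have drifted to public. The route tables, IDs and CIDRs are constructed placeholders.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output; the IDs
# and CIDRs are placeholders (assumed), not taken from any real account.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private-vpn", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-corp", "GatewayId": "vgw-0123"}]},
    # Drift: a table meant for a private subnet that has grown an Internet default route.
    {"RouteTableId": "rtb-drifted", "Associations": [{"SubnetId": "subnet-db-replica"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
                {"DestinationPrefixListId": "pl-corp", "GatewayId": "vgw-0123"}]},
]

def classify_subnets(route_tables):
    """Map each explicitly associated subnet to 'public', 'private-vpn' or 'private'.

    public: the table has a 0.0.0.0/0 route whose target is an Internet Gateway.
    private-vpn: no Internet default route, but some route targets a Virtual
    Private Gateway (the private-subnet-with-VPN table shown above).
    private: neither. Main-table associations carry no SubnetId and are skipped."""
    result = {}
    for rt in route_tables:
        routes = rt["Routes"]
        igw_default = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                          and r.get("GatewayId", "").startswith("igw-") for r in routes)
        vgw_route = any(r.get("GatewayId", "").startswith("vgw-") for r in routes)
        kind = "public" if igw_default else "private-vpn" if vgw_route else "private"
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = kind
    return result

def find_exposed(route_tables, intended_private):
    """Subnets the operator intends to be private whose route table makes them public."""
    kinds = classify_subnets(route_tables)
    return sorted(s for s in intended_private if kinds.get(s) == "public")
```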
AWS Transit Gateway
AWS Transit Gateway is a service that simplifies network architecture by allowing you to connect multiple VPCs and on-premises networks through a central hub. This eliminates complex peering relationships and reduces the operational burden. Transit Gateways support routing tables for fine-grained control over the traffic passing through the gateway, and they can scale horizontally for large workloads.
The Transit Gateway acts as a Regional virtual router, and each VPC or VPN connection is a spoke attached to that router. The main advantage of AWS Transit Gateway over VPC peering is that it manages a large number of connections in a simpler and more scalable way.
VPC Peering
VPC Peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. However, VPC peering has limitations, such as lack of transitive peering; if VPC A is connected to VPC B, and VPC B is connected to VPC C, VPC A cannot communicate with VPC C unless there’s a direct peering connection between them.
Comparison table between Transit Gateway and VPC Peering:
Feature | AWS Transit Gateway | VPC Peering |
---|---|---|
Transitive routing | Supported | Not supported |
Route tables | Multiple route tables supported | Single route table per VPC |
Scalability | Designed for high scalability | Best for fewer peering connections |
Inter-Region peering | Supported | Supported (with limitations) |
Centralized management | Central hub for multiple connections | Decentralized, direct connections only |
Ease of network changes | Easier to manage and modify | More complex to manage and modify |
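An added Python model (not the article's own code) of why the first row of the table comes out the way it does: it walks a destination address through per-VPC route tables for a peering design and for a Transit Gateway design, showing that a route through a peering connection can only reach the peer VPC itself, and that a VPC whose table was never given a route entry simply has no path. All VPC IDs, CIDRs, peering IDs and the Transit Gateway ID are constructed.

```python
import ipaddress

# Constructed topology: three VPCs with assumed CIDRs and IDs (not a real account).
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-bc": ("vpc-b", "vpc-c")}
# Peering design: A<->B and B<->C. VPC A also carries a route for C's CIDR via pcx-ab,
# as if hoping B would forward it; VPC C has no route back to A at all.
PEER_RT = {
    "vpc-a": {"10.1.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-ab"},
    "vpc-b": {"10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
    "vpc-c": {"10.1.0.0/16": "pcx-bc"},
}
# Transit Gateway design: every VPC sends 10.0.0.0/8 to the hub, whose own route
# table maps each VPC CIDR to that VPC's attachment.
TGW_VPC_RT = {vpc: {"10.0.0.0/8": "tgw-1"} for vpc in VPCS}
TGW_RT = {cidr: vpc for vpc, cidr in VPCS.items()}

def lookup(route_table, dst):
    """Longest-prefix match of dst over a {cidr: target} route table."""
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def reach_via_peering(src_vpc, dst_ip):
    """Hop list if dst_ip is reachable from src_vpc over VPC peering, else None."""
    dst = ipaddress.ip_address(dst_ip)
    target = lookup(PEER_RT[src_vpc], dst)
    if target is None or not target.startswith("pcx-"):
        return None  # no route entry: creating a peering never adds routes for you
    a, b = PEERINGS[target]
    peer = b if a == src_vpc else a
    # A peering connection only delivers traffic addressed to the peer VPC's own
    # CIDR; it never forwards to a third VPC, which is the non-transitive rule.
    if dst in ipaddress.ip_network(VPCS[peer]):
        return [src_vpc, target, peer]
    return None

def reach_via_tgw(src_vpc, dst_ip):
    """Same check for hub-and-spoke: VPC route -> TGW route table -> attachment."""
    dst = ipaddress.ip_address(dst_ip)
    if lookup(TGW_VPC_RT[src_vpc], dst) != "tgw-1":
        return None
    attachment = lookup(TGW_RT, dst)
    return None if attachment is None else [src_vpc, "tgw-1", attachment]
```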
AWS Direct Connect can also be used in combination with these services for establishing a dedicated network connection from on-premises to AWS. This can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.
When you design an AWS network for the Solutions Architect Associate exam, it is important to consider factors such as the number of VPCs you’ll be connecting, whether you have on-premises environments to connect, and the complexity of your network routing.
For example, if you are planning to connect multiple VPCs across different AWS accounts and regions, and you must also connect on-premises data centers, AWS Transit Gateway would be the preferred choice due to its scalability and ease of management. On the other hand, for simple infrastructures where just a couple of VPCs need to communicate, VPC peering might be sufficient.
By understanding the capabilities and limitations of network routing, topology, and peering options like AWS Transit Gateway and VPC peering, you can make informed decisions and design solutions that meet the needs of your architecture. This knowledge is a vital part of preparing for the AWS Certified Solutions Architect – Associate exam.
Answer the Questions in Comment Section
True or False: AWS Transit Gateway allows you to connect VPCs and on-premises networks through a central hub.
- Answer: True
Explanation: AWS Transit Gateway serves as a hub that controls how traffic is routed among all the connected networks, which act like spokes.
True or False: VPC peering connections support transitive peering relationships by default.
- Answer: False
Explanation: VPC Peering connections do not support transitive peering, which means you cannot route packets through a peered VPC to a third VPC.
True or False: In AWS, each subnet must be associated with exactly one route table.
- Answer: True
Explanation: Each subnet in AWS is associated with one and only one route table at any given time, though its association can be changed to a different route table.
Which AWS service enables DNS resolution between linked VPCs?
- A) AWS PrivateLink
- B) AWS Transit Gateway
- C) AWS Direct Connect
- D) VPC Peering
Answer: D) VPC Peering
Explanation: VPC Peering allows DNS resolution between linked VPCs for their private IP addresses when enabled.
When you create a VPC peering connection, which of the following is not automatically configured?
- A) Route table entries
- B) Security group rules
- C) Network Access Control Lists (ACLs)
- D) Peering connection itself
Answer: A) Route table entries
Explanation: After creating a VPC peering connection, you need to manually add route table entries to facilitate the routing of traffic between the peered VPCs.
True or False: AWS Transit Gateway inter-region peering encrypts all traffic with IPsec by default.
- Answer: True
Explanation: AWS Transit Gateway does indeed encrypt all traffic with IPsec by default when using inter-region peering.
Which of the following topologies are not possible with VPC peering?
- A) Star topology
- B) Mesh topology
- C) Ring topology
- D) All of the topologies are possible
Answer: C) Ring topology
Explanation: Due to the non-transitive nature of VPC peering, a ring topology cannot be achieved because each VPC connection only operates between two VPCs.
True or False: AWS Transit Gateway supports multicast traffic.
- Answer: True
Explanation: AWS Transit Gateway supports multicast traffic, enabling you to build multicast applications in the cloud and operate them across your Amazon VPCs.
The maximum number of VPCs that can be interconnected with an AWS Transit Gateway is?
- A) 100
- B) 500
- C) 1000
- D) 5000
Answer: D) 5000
Explanation: AWS Transit Gateway supports the attachment of up to 5000 VPCs, allowing interconnected networks at massive scale.
Which AWS service would you use to connect your VPC to your corporate datacenter?
- A) AWS Transit Gateway
- B) VPC Peering
- C) AWS Direct Connect
- D) AWS VPN
Answer: C) AWS Direct Connect
Explanation: AWS Direct Connect provides a dedicated connection from an on-premises network to AWS, which is ideal for connecting a VPC to a corporate datacenter.
True or False: AWS Transit Gateway allows sharing of connectivity with multiple AWS accounts.
- Answer: True
Explanation: AWS Transit Gateway can be used to share connectivity across multiple AWS accounts using AWS Resource Access Manager (RAM).
What is the effect of deleting a VPC peering connection?
- A) The VPCs will be deleted.
- B) The route table entries associated with the peering connection remain but are inactive.
- C) Instances in either VPC will lose their public IP addresses.
- D) All inter-VPC traffic will be immediately dropped.
Answer: D) All inter-VPC traffic will be immediately dropped.
Explanation: Deleting a VPC peering connection will drop all existing traffic between the VPCs. You would also need to manually remove any route table entries or security group rules referencing the deleted peering connection.
Great explanation on AWS Transit Gateway and its benefits for network routing!
Thanks, this blog helped me understand VPC peering configurations better.
Can someone clarify the difference between AWS Transit Gateway and Direct Connect?
How does Transit Gateway scaling work? Does it automatically scale based on traffic?
This is a valuable resource for preparing for the AWS Certified Solutions Architect exam. Appreciate it!
Does anyone have experience integrating Transit Gateway with an on-premises network through VPN?
Excellent! Helped clear up so many doubts. Thanks!
I think Transit Gateway is a bit overpriced for small setups. Anyone else feel the same?