This article introduces AWS Transit Gateway, a service that peers many VPCs together with lower latency, better scalability, and less complexity than the traditional VPC Peering method.
A transit gateway enables you to attach VPCs and VPN connections in the same Region and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS Resource Access Manager to share your transit gateway with other accounts.
1. What’s VPC Peering?
Before introducing AWS Transit Gateway, I want to mention VPC Peering first.
VPC Peering connects 2 or more VPCs together. In AWS, peered VPCs communicate over the AWS backbone network, so data is transferred among VPCs with lower latency and higher efficiency than over the public network.
However, as the number of VPC peering connections grows, designing and maintaining the architecture takes considerable effort. Although a Hub and Spoke model reduces this complexity, it increases network latency because 2 VPCs must reach each other through a middle VPC.
To solve this problem, AWS provides a new solution for peering VPCs: AWS Transit Gateway.
2. AWS Transit Gateway
AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. This ease of connectivity makes it easy to scale your network as you grow.
AWS Transit Gateway provides these benefits:
- Improve security;
- Easier connectivity;
- Flexible multicast;
- On-demand bandwidth;
- Better visibility and control.
Transit Gateway also uses the Hub and Spoke model: any new VPC is simply attached to the Transit Gateway and is then automatically reachable from every other network attached to it. You only need to maintain network routing at the Hub (the Transit Gateway).
3. Use case: Connect 2 VPCs through a Transit Gateway
For easy visualization, I will use a Transit Gateway to peer 2 VPCs with the architecture below:
I’m going to implement the use case in 3 Steps:
- Step 1: Create 2 VPCs.
- Step 2: Create a Transit Gateway and attach the 2 VPCs above.
- Step 3: Check connection.
This example uses Terraform (Infrastructure as Code) to provision services on AWS.
Step 1: Create 2 VPCs
The 2 VPCs are created with Terraform; the source code is here (https://github.com/KhoaNPA/terraform_simple_vpc). This repo includes a tutorial for those who are new to Terraform (don’t worry, you can skip it).
After cloning the project, run the commands below to create the 2 VPCs in ap-southeast-1:
$ cd terraform_simple_vpc/2_vpcs
$ terraform init
$ terraform plan
$ terraform apply
The above commands output the VPC_ID, Route_ID and Subnet_ID values needed in the next step.
Step 2: Create a Transit Gateway and attach the 2 VPCs above
Clone the source code here (https://github.com/KhoaNPA/terraform_tgw). Then open
terraform_tgw/dev/main.tf and set the variables to the values output in the previous step. Use the same commands as in the first step to create the infrastructure on AWS:
$ cd terraform_tgw/dev
$ terraform init
$ terraform plan
$ terraform apply
The source code creates a Transit Gateway Attachment for each VPC from its VPC_ID and Subnet_ID. Each Attachment is associated with the Transit Gateway to create the connection.
Step 3: Check connection
In the first step, I created the 2 VPCs with a Security Group that allows ICMP (ping) to the instances, so you can use ping to check the connection between the 2 VPCs.
SSH into the public instance in each VPC, then ping the other instance by its AWS private IP.
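As an added example (not the code from the linked repositories), here is the set of Terraform resources that Steps 2 and 3 rely on: the Transit Gateway, one VPC attachment per VPC, the route in each VPC route table that sends the peer CIDR to the Transit Gateway, and a Security Group that allows ICMP only from the peer VPC rather than from anywhere. All IDs and CIDRs are hypothetical placeholders standing in for the Step 1 output.

```hcl
# Added example (not the repo's code): transit gateway, one attachment per VPC,
# and the return routes each VPC needs. IDs and CIDRs are hypothetical placeholders
# standing in for the Step 1 output.
locals {
  vpcs = {
    vpc_a = { vpc_id = "vpc-0aaa", subnet_id = "subnet-0aaa", route_table_id = "rtb-0aaa", cidr = "10.0.0.0/16" }
    vpc_b = { vpc_id = "vpc-0bbb", subnet_id = "subnet-0bbb", route_table_id = "rtb-0bbb", cidr = "10.1.0.0/16" }
  }
}

resource "aws_ec2_transit_gateway" "hub" {
  description                     = "hub for vpc_a and vpc_b"
  default_route_table_association = "enable" # attachments join the default TGW route table
  default_route_table_propagation = "enable" # each attached VPC CIDR is propagated into it
  tags                            = { Name = "tgw-hub" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
  for_each           = local.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = [each.value.subnet_id]
  tags               = { Name = "tgw-attach-${each.key}" }
}

# The TGW route table knows both CIDRs, but each VPC route table still needs a
# route sending the other VPC's CIDR to the TGW; without it the Step 3 ping fails.
resource "aws_route" "to_peer" {
  for_each               = local.vpcs
  route_table_id         = each.value.route_table_id
  destination_cidr_block = [for k, v in local.vpcs : v.cidr if k != each.key][0]
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.this]
}

# Security group for the test instances: ICMP only from the peer VPC's CIDR,
# not from 0.0.0.0/0, so the Step 3 ping works without exposing the instances.
resource "aws_security_group" "icmp_from_peer" {
  for_each = local.vpcs
  name     = "icmp-from-peer-${each.key}"
  vpc_id   = each.value.vpc_id
  ingress {
    protocol    = "icmp"
    from_port   = -1 # all ICMP types
    to_port     = -1 # all ICMP codes
    cidr_blocks = [for k, v in local.vpcs : v.cidr if k != each.key]
  }
}
```

If the ping fails after apply, check the VPC route table for the peer CIDR route first; a missing return route is the usual cause even when the attachments show as available.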
4. Transit Gateway or VPC Peering?
If your number of VPC connections is small and your network stays inside AWS, VPC Peering still fits your usage and also saves cost (VPC Peering also supports VPN, but it is quite complex).
However, when the number of VPC connections grows, or your AWS network needs to connect to other cloud networks or on-premises networks via VPN, VPC Peering may become overburdened; in that case Transit Gateway is the right solution.
| Item | VPC Peering | Transit Gateway | Notes |
| Data transferred | $0.01/GB | $0.02/GB | VPC Peering doesn’t provide transparent peering; Transit Gateway does. |
| Transit Gateway attachment | N/A | $0.07/attachment/hour | |
Using Transit Gateway, you can set up your network among VPCs, accounts, and VPNs within a couple of minutes. Transit Gateway pricing is also reasonable; details can be found here (https://aws.amazon.com/transit-gateway/pricing/).
Nguyen Phuoc Anh Khoa – FHO.STU