One or more Connect attachments for SD-WAN/third-party network appliances
Transit Gateway Routing
Transit Gateway routes IPv4 and IPv6 packets between attachments using transit gateway route tables.
Route tables can be configured to propagate routes from the attached VPCs, VPN connections, and Direct Connect gateways, and can also hold static routes (including blackhole routes that deliberately drop traffic).
When a packet arrives from one attachment, it is forwarded to another attachment using the most specific (longest prefix) route that matches the destination IP address.
A VPC attached to a TGW must also have a route to the TGW in its subnet route tables; a route in the TGW route table alone does nothing if the VPC never sends the traffic to the TGW.
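The two-stage lookup described above (VPC subnet route table first, then the transit gateway route table) as an added example; this is not code from the original notes and not AWS code. The route selection order it encodes (most specific prefix, then static over propagated, then attachment type VPC > Direct Connect gateway > Connect > VPN > peering) is restated here from the AWS documentation as an assumption, and every attachment id, route table and CIDR is invented for the example.

```python
"""Simulated transit gateway route lookup (added example; not AWS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Tie-break order among propagated routes of equal prefix length, as the AWS
# documentation lists it (assumption restated here, not taken from the notes).
ATTACHMENT_PRIORITY = {"vpc": 0, "direct-connect-gateway": 1, "connect": 2, "vpn": 3, "peering": 4}


@dataclass(frozen=True)
class Route:
    prefix: str                   # destination CIDR
    attachment: Optional[str]     # target attachment id; None models a blackhole route
    kind: str                     # attachment type, used only to break propagated ties
    static: bool = False          # True for a static route, False for a propagated one


def resolve(tgw_routes, dst_ip):
    """Return the attachment a transit gateway forwards dst_ip to, or None if dropped.

    Most specific prefix wins; at equal length a static route beats a propagated one;
    among propagated routes the attachment type decides (ATTACHMENT_PRIORITY).
    """
    dst = ipaddress.ip_address(dst_ip)
    hits = [r for r in tgw_routes if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not hits:
        return None  # no matching route: the packet is dropped
    best = min(hits, key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                                    0 if r.static else 1,
                                    ATTACHMENT_PRIORITY[r.kind]))
    return best.attachment       # None here means an explicit blackhole route matched


def subnet_next_hop(subnet_routes, dst_ip):
    """Longest-prefix match in a VPC subnet route table given as (prefix, target) pairs."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p, strict=False), t) for p, t in subnet_routes
            if dst in ipaddress.ip_network(p, strict=False)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def end_to_end(subnet_routes, tgw_id, tgw_routes, dst_ip):
    """Attachment that finally receives a packet sent from an instance, or None.

    The subnet route table must hand the packet to the transit gateway first.
    """
    if subnet_next_hop(subnet_routes, dst_ip) != tgw_id:
        return None
    return resolve(tgw_routes, dst_ip)


# Constructed sample data; attachment ids and CIDRs are invented for the example.
TGW_ROUTES = [
    Route("10.1.0.0/16", "tgw-attach-prod", "vpc"),                        # propagated from prod VPC
    Route("10.2.0.0/16", "tgw-attach-dev", "vpc"),                         # propagated from dev VPC
    Route("10.2.99.0/24", None, "vpc", static=True),                       # static blackhole inside dev
    Route("192.168.0.0/16", "tgw-attach-vpn", "vpn"),                      # propagated from Site-to-Site VPN
    Route("192.168.0.0/16", "tgw-attach-dxgw", "direct-connect-gateway"),  # same prefix via DX gateway
    Route("0.0.0.0/0", "tgw-attach-egress", "vpc", static=True),           # static default to egress VPC
]
TGW_ID = "tgw-0123"
PROD_SUBNET_ROUTES = [
    ("10.1.0.0/16", "local"),
    ("10.0.0.0/8", TGW_ID),
    ("192.168.0.0/16", TGW_ID),
    # no 0.0.0.0/0 -> TGW entry, so internet-bound traffic never reaches the TGW
]

if __name__ == "__main__":
    for ip in ("10.2.5.1", "10.2.99.7", "192.168.1.1", "8.8.8.8"):
        print(ip, "->", end_to_end(PROD_SUBNET_ROUTES, TGW_ID, TGW_ROUTES, ip))
```

Running it shows the cases worth remembering: the blackhole /24 wins over the propagated /16 because it is more specific, the Direct Connect gateway route wins the 192.168.0.0/16 tie over the VPN route, and 8.8.8.8 is dropped by the prod VPC even though the TGW has a default route, because the subnet route table never sends that traffic to the TGW.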
Transit Gateway Peering
AWS Transit Gateway supports the ability to establish peering connections between Transit Gateways in the same and different AWS Regions.
Inter-region peering enables customers to extend this connectivity and build global networks spanning multiple AWS Regions.
Intra-region peering simplifies routing and interconnectivity between VPCs and on-premises networks that are serviced and managed via separate Transit Gateways in the same Region.
Traffic using inter-region Transit Gateway peering always stays on the AWS global network and never traverses the public internet, which removes exposure to internet-based threats such as DDoS attacks and opportunistic exploitation.
Inter-region Transit Gateway peering encrypts inter-region traffic and has no single point of failure.
Transit Gateway High Availability
A VPC attachment should be enabled in multiple AZs to ensure availability and to route traffic to the resources in the VPC subnets.
An AZ is enabled by specifying exactly one subnet within that AZ.
The TGW places a network interface in that subnet, using one IP address from the subnet.
The TGW can route traffic to all the subnets in the enabled AZ, not just the specified subnet.
Resources that reside in AZs where there is no TGW attachment cannot reach the TGW.
Transit Gateway Appliance Mode
For stateful network appliances in a VPC, appliance mode can be enabled on the VPC attachment of the VPC in which the appliance is located.
Appliance Mode ensures that network flows are symmetrically routed through the same AZ, and hence the same network appliance, so the appliance sees both directions of the flow.
Appliance Mode ensures that the same AZ for that VPC attachment is used for the lifetime of a flow of traffic between source and destination.
Appliance Mode also allows the TGW to send traffic to any AZ in the VPC, as long as there is a subnet association in that zone.
Transit Gateway Connect Attachment
Transit Gateway Connect attachment can help establish a connection between a TGW and third-party virtual appliances (such as SD-WAN appliances) running in a VPC.
A Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance and Border Gateway Protocol (BGP) for dynamic routing.
Transit Gateway Network Manager
AWS Transit Gateway Network Manager provides a single global view of the private network.
It includes events and metrics to monitor the quality of the global network, both in AWS and on-premises.
Event alerts specify changes in the topology, routing, and connection status. Usage metrics provide information on up/down connection, bytes in/out, packets in/out, and packets dropped.
It integrates with SD-WAN solutions.
Transit Gateway Best Practices
Use a separate subnet for each transit gateway VPC attachment.
Create one network ACL and associate it with all of the subnets that are associated with the TGW. Keep the network ACL open in both the inbound and outbound directions; enforce filtering with security groups and the network ACLs of the workload subnets instead, not on the attachment subnets.
Associate the same VPC route table with all of the subnets that are associated with the TGW, unless your network design requires multiple VPC route tables (for example, a middle-box VPC that routes traffic through multiple NAT gateways).
Use BGP Site-to-Site VPN connections; if the customer gateway device or firewall for the connection supports multipath, enable the feature.
Enable route propagation for AWS Direct Connect gateway attachments and BGP Site-to-Site VPN attachments.
Transit gateways are highly available by design and do not need additional TGWs for high availability.
Limit the number of TGW route tables unless your design requires multiple transit gateway route tables (for example, to isolate spoke VPCs from each other).
For redundancy, use a single TGW in each Region for disaster recovery.
For deployments with multiple TGWs, it is recommended to use a unique ASN for each of them.
Transit gateways also support intra-Region peering, which can connect TGWs managed separately within the same Region.
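The usual reason to run more than one TGW route table is segmentation: spoke VPCs associate with a table that only learns the shared-services and on-premises routes, while the hub table learns everything. Whether that isolation actually holds depends entirely on the associations and propagations, so the check below, an added example that is not part of the original notes and not AWS code, models a route table inventory and flags any attachment pair that can reach each other but should not. All attachment ids, table names and CIDRs are invented; route propagation is modelled simply as the attachment's CIDR appearing as a route to it.

```python
"""Audit spoke isolation across transit gateway route tables (added example; not AWS code)."""
import ipaddress
from itertools import permutations

# Constructed inventory: attachment id -> CIDR reachable behind it (invented values).
ATTACHMENTS = {
    "att-prod": "10.1.0.0/16",
    "att-dev": "10.2.0.0/16",
    "att-shared": "10.9.0.0/16",
    "att-onprem-vpn": "192.168.0.0/16",
}

# Policy for this example: everything may talk to shared services and on-prem,
# but the prod and dev spokes must never reach each other.
ALLOWED = {(s, d) for s, d in permutations(ATTACHMENTS, 2) if {s, d} != {"att-prod", "att-dev"}}


def propagate(table, attachment):
    """Model route propagation: the attachment's CIDR appears in the table as a route to it."""
    table["routes"].append((ATTACHMENTS[attachment], attachment))


def build_tables():
    """Two-table hub-and-spoke layout: spokes only learn shared services and on-prem."""
    hub = {"associations": ["att-shared", "att-onprem-vpn"], "routes": []}
    spokes = {"associations": ["att-prod", "att-dev"], "routes": []}
    for attachment in ATTACHMENTS:          # hub table learns every attachment
        propagate(hub, attachment)
    propagate(spokes, "att-shared")         # spokes deliberately never learn each other
    propagate(spokes, "att-onprem-vpn")
    return {"hub": hub, "spokes": spokes}


def table_for(tables, attachment):
    """Each attachment is associated with exactly one transit gateway route table."""
    owners = [t for t in tables.values() if attachment in t["associations"]]
    if len(owners) != 1:
        raise ValueError(f"{attachment} must be associated with exactly one route table")
    return owners[0]


def reachable(tables, src, dst):
    """True if src's route table forwards the whole of dst's CIDR to dst.

    The most specific route covering dst's CIDR decides; a blackhole (target None)
    or a route pointing at a different attachment means there is no path.
    """
    dst_net = ipaddress.ip_network(ATTACHMENTS[dst])
    covering = [(ipaddress.ip_network(prefix), target) for prefix, target in table_for(tables, src)["routes"]
                if dst_net.subnet_of(ipaddress.ip_network(prefix))]
    if not covering:
        return False
    _, target = max(covering, key=lambda route: route[0].prefixlen)
    return target == dst


def audit(tables, allowed=ALLOWED):
    """Return sorted (src, dst) pairs that are reachable but not permitted by policy."""
    return sorted((s, d) for s, d in permutations(ATTACHMENTS, 2)
                  if reachable(tables, s, d) and (s, d) not in allowed)


if __name__ == "__main__":
    tables = build_tables()
    print("violations:", audit(tables))            # expected: none
    propagate(tables["spokes"], "att-dev")         # the classic mistake: propagate a spoke into the spoke table
    print("violations after bad propagation:", audit(tables))
```

The second run is the point: one extra propagation into the spoke table silently opens prod to dev while every individual route still looks legitimate, which is why this kind of reachability audit belongs in the pipeline that manages TGW route tables rather than being done by eye in the console.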
Transit Gateway vs Transit VPC vs VPC Peering
AWS Certification Exam Practice Questions
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day, and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
Open to further feedback, discussion and correction.
A company is using a VPC peering strategy to connect its VPCs in a single Region to allow for cross-communication. A recent increase in account creations and VPCs has made it difficult to maintain the VPC peering strategy, and the company expects to grow to hundreds of VPCs. There are also new requests to create site-to-site VPNs with some of the VPCs.
A solutions architect has been tasked with creating a centrally managed networking setup for multiple accounts, VPCs, and VPNs. Which networking solution meets these requirements?
Configure shared VPCs and VPNs and share with each other.
Configure a hub-and-spoke VPC and route all traffic through VPC peering.
Configure an AWS Direct Connect connection between all VPCs and VPNs.
Configure a transit gateway with AWS Transit Gateway and connect all VPCs and VPNs
A company hosts its core network services, including directory services and DNS, in its on-premises data center. The data center is connected to the AWS Cloud using AWS Direct Connect (DX). Additional AWS accounts are planned that will require quick, cost-effective, and consistent access to these network services. What should a solutions architect implement to meet these requirements with the LEAST amount of operational overhead?
Create a DX connection in each new account. Route the network traffic to the on-premises servers.
Configure VPC endpoints in the DX VPC for all required services. Route the network traffic to the on-premises servers.
Create a VPN connection between each new account and the DX VPC. Route the network traffic to the on-premises servers.
Configure AWS Transit Gateway between the accounts. Assign DX to the transit gateway and route network traffic to the on-premises servers.
VPC endpoint provides a private connection from VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
Instances in the VPC do not require public IP addresses to communicate with resources in the service. Traffic between the VPC and the other service does not leave the Amazon network.
VPC Endpoints are virtual devices and are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in the VPC and services without imposing availability risks or bandwidth constraints on the network traffic.
VPC Endpoints are of two types
Interface Endpoints – an elastic network interface with a private IP address that serves as an entry point for traffic destined to supported services.
Gateway Endpoints – a gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service. Currently supported only for Amazon S3 and DynamoDB.
AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet.
PrivateLink helps privately expose a service/application residing in one VPC (service provider) to other VPCs (consumers) within an AWS Region, in a way that only consumer VPCs initiate connections to the service provider VPC.
With ALB as a target of NLB, ALB’s advanced routing capabilities can be combined with AWS PrivateLink.
VPC Peering enables a networking connection between two VPCs to route traffic between them using private IPv4 addresses or IPv6 addresses.
connections can be created between your own VPCs, or with a VPC in another AWS account.
enables full bidirectional connectivity between the VPCs
supports inter-region VPC peering connection
uses existing underlying AWS infrastructure
does not have a single point of failure for communication or a bandwidth bottleneck.
VPC Peering has the following limitations:
cannot be used with overlapping CIDR blocks
does not provide transitive peering; each pair of VPCs that needs to communicate requires its own peering connection
does not support edge-to-edge routing through a gateway or private connection (for example, a VPN or Direct Connect connection attached to the peer VPC)
VPC Peering is best used when resources in one VPC must communicate with resources in another VPC, the environment of both VPCs is controlled and secured, and the number of VPCs to be connected is less than 10.
AWS VPN CloudHub allows you to securely communicate from one site to another using AWS Managed VPN or Direct Connect
AWS VPN CloudHub operates on a simple hub-and-spoke model that can be used with or without a VPC
AWS VPN CloudHub can be used if you have multiple branch offices and existing internet connections and would like to implement a convenient, potentially low cost hub-and-spoke model for primary or backup connectivity between these remote offices.
AWS VPN CloudHub uses a VPC virtual private gateway with multiple customer gateways, each using a unique BGP autonomous system number (ASN).
A transit VPC is a common strategy for connecting multiple, geographically disperse VPCs and remote networks in order to create a global network transit center.
A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks
Transit VPC can be used to support the following use cases:
Private Networking – You can build a private network that spans two or more AWS Regions.
Shared Connectivity – Multiple VPCs can share connections to data centers, partner networks, and other clouds.
Cross-Account AWS Usage – The VPCs and the AWS resources within them can reside in multiple AWS accounts.
Transit VPC design helps implement more complex routing rules, such as network address translation between overlapping network ranges, or to add additional network-level packet filtering or inspection.
Transit VPC supports transitive routing using the overlay VPN network, allowing for a simpler hub-and-spoke design. It can be used to provide shared services such as VPC endpoints, a Direct Connect connection, etc.
Transit VPC supports network address translation between overlapping network ranges.
Transit VPC supports vendor functionality around advanced security (layer 7 firewall/Intrusion Prevention System (IPS)/Intrusion Detection System (IDS)) using third-party software on EC2.
Transit VPC relies on instance-based routing, which increases costs while lowering availability and limiting bandwidth compared with a Transit Gateway.
Customers are responsible for managing the HA and redundancy of the EC2 instances running the third-party vendor virtual appliance.
AWS Direct Connect helps establish a dedicated private connection between an on-premises network and AWS.
Direct Connect can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based or VPN connections
Direct Connect uses industry-standard VLANs to access EC2 instances running within a VPC using private IP addresses
Direct Connect lets you establish
Dedicated Connection: A 1G, 10G, or 100G physical Ethernet connection associated with a single customer through AWS.
Hosted Connection: A 1G or 10G physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer.
Direct Connect provides the following Virtual Interfaces
Private virtual interface – to access a VPC using private IP addresses.
Public virtual interface – to access all AWS public services using public IP addresses.
Transit virtual interface – to access one or more transit gateways associated with Direct Connect gateways.
Direct Connect connections are not redundant on their own, as each connection consists of a single dedicated link between a port on your router and a port on an Amazon router.
Direct Connect High Availability can be configured using
Multiple Direct Connect connections
Back-up IPSec VPN connection
Direct Connect link aggregation group (LAG) is a logical interface that uses the Link Aggregation Control Protocol (LACP) to aggregate multiple connections at a single AWS Direct Connect endpoint, allowing you to treat them as a single, managed connection.
LAGs need the following
All connections in the LAG must use the same bandwidth.
A maximum of four connections in a LAG. Each connection in the LAG counts toward the overall connection limit for the Region.
All connections in the LAG must terminate at the same AWS Direct Connect endpoint.