Transit VPC advantages over Multiple VPC Peering
Transit VPCs can solve some of the shortcomings of VPC peering by introducing a hub and spoke design for inter-VPC connectivity. In a transit VPC network, one central VPC (the hub VPC) connects with every other VPC (spoke VPC) through a VPN connection typically leveraging BGP over IPsec. The central VPC contains EC2 instances running software appliances that route incoming traffic to their destinations using the VPN overlay (Figure 3).
The transit VPC design has the following advantages:
- Transitive routing is enabled using the overlay VPN network — allowing for a simpler hub and spoke design.
- When using third-party vendor software on the EC2 instances in the hub transit VPC, the vendor's advanced security functionality (layer 7 firewall, IPS, IDS) can be leveraged. If customers are using the same software on-premises, they benefit from a unified operational and monitoring experience.
Transit Gateway vs Transit VPC
AWS Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises networks as a fully managed service without requiring you to provision virtual appliances like the Cisco CSRs. No VPN overlay is required, and AWS manages high availability and scalability.
Transit Gateway provides a number of advantages over Transit VPC:
- Abstracts away the complexity of maintaining VPN connections with hundreds of VPCs.
- Removes the need to manage and scale EC2-based software appliances, as AWS is responsible for managing all resources needed to route traffic.
- Removes the need to manage high availability by providing a highly available and redundant Multi-AZ infrastructure.
- Improves bandwidth for inter-VPC communication to burst speeds of 50 Gbps per AZ.
- Streamlines user costs to a simple per-hour plus per-GB-transferred model.
- Decreases latency by removing EC2 proxies and the need for VPN encapsulation.
Transit Gateway vs VPC Peering
For simple setups where you are connecting a small number of VPCs, VPC peering remains a valid solution:
- Lower cost — With VPC peering you only pay for data transfer charges. Transit Gateway has an hourly charge per attachment in addition to the data transfer fees.
- No bandwidth limits — With Transit Gateway, maximum bandwidth (burst) per Availability Zone per VPC connection is 50 Gbps. VPC peering has no aggregate bandwidth limit. Individual instance network performance limits and flow limits (10 Gbps within a placement group and 5 Gbps otherwise) apply to both options. Only VPC peering supports placement groups.
- Latency — Unlike VPC peering, Transit Gateway is an additional hop between VPCs.
- Security group compatibility — Security group referencing works with intra-Region VPC peering. It does not currently work with Transit Gateway.
AWS PrivateLink
The choice between Transit Gateway, VPC peering, and AWS PrivateLink depends on the kind of connectivity you need.
AWS PrivateLink — Use AWS PrivateLink when you have a client/server setup where you want to allow one or more consumer VPCs unidirectional access to a specific service or set of instances in the service provider VPC. Only the clients in the consumer VPC can initiate a connection to the service in the service provider VPC. This is also a good option when clients and servers in the two VPCs have overlapping IP addresses, as AWS PrivateLink leverages ENIs within the client VPC such that there are no IP conflicts with the service provider. You can access AWS PrivateLink endpoints over VPC peering, VPN, and AWS Direct Connect.
VPC peering and Transit Gateway — Use VPC peering and Transit Gateway when you want to enable layer-3 IP connectivity between VPCs.
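As an added example (not code from the whitepaper), a small Python checker that applies the selection criteria from the two sections above to a constructed VPC inventory: consumer-initiated access or overlapping address space points to PrivateLink, a need for security group referencing points to intra-Region peering, and the VPC count decides between a peering mesh and a Transit Gateway hub. The MAX_PEERED_VPCS threshold is an assumed design limit, not an AWS value.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not from the whitepaper): VPC name -> IPv4 CIDR.
SAMPLE_VPCS = {
    "shared-services": "10.0.0.0/16",
    "app-prod": "10.1.0.0/16",
    "app-dev": "10.2.0.0/16",
    "acquired-co": "10.1.128.0/17",  # overlaps app-prod: no layer-3 routing possible
}

# Assumed design threshold: above this many VPCs a full mesh of peerings is
# considered too hard to operate and a hub-and-spoke design is preferred.
MAX_PEERED_VPCS = 4


def overlapping_pairs(vpcs):
    """Return (name_a, name_b) pairs whose CIDRs overlap.

    Peering and Transit Gateway both route at layer 3, so overlapping address
    space rules them out for that pair. PrivateLink sidesteps the conflict
    because the consumer only ever talks to an ENI inside its own VPC.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def full_mesh_peerings(n):
    """Peering connections needed for n VPCs to reach each other without transit."""
    return n * (n - 1) // 2


def recommend(vpcs, unidirectional_service=False, need_sg_referencing=False):
    """Pick a connectivity option from the page's criteria; returns (option, reason)."""
    if unidirectional_service:
        return "PrivateLink", "consumer-initiated access to one service; CIDR overlap tolerated"
    overlaps = overlapping_pairs(vpcs)
    if overlaps:
        return "none", f"overlapping CIDRs {overlaps}: re-address or expose the service via PrivateLink"
    if need_sg_referencing:
        return "VPC peering", "cross-VPC security group references need intra-Region peering"
    n = len(vpcs)
    if n <= MAX_PEERED_VPCS:
        return "VPC peering", f"{full_mesh_peerings(n)} peerings is manageable; no hourly attachment charge"
    return "Transit Gateway", f"a full mesh would need {full_mesh_peerings(n)} peerings; use hub and spoke"
```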
Amazon VPC Sharing
Sharing VPCs is useful when network isolation between teams does not need to be strictly managed by the VPC owner, but the account-level users and permissions must be. With Shared VPC, multiple AWS accounts create their application resources in shared, centrally managed Amazon VPCs.
Figure 6 – Example setup – shared VPC
VPC sharing benefits:
- Simplified design — no complexity around inter-VPC connectivity
- Fewer managed VPCs
- Segregation of duties between network teams and application owners
- Better IPv4 address utilization
- Lower costs — no data transfer charges between instances belonging to different accounts within the same Availability Zone