In a previous post, we discussed the Transit Gateway managed service from Amazon Web Services (AWS). AWS Transit Gateways act as a hub for connecting multiple Virtual Private Clouds (VPCs) and virtual private network (VPN) connections within a single region. They enable a hub-and-spoke model with centralized control of traffic routed among VPCs.
As we explained previously, Transit Gateways have some limitations — for one thing, you won’t be able to use route aggregation, so your routing table is going to get bigger and bigger. That’s why larger companies often use multiple Transit Gateways to connect VPCs.
Figure: Thanks to AWS
Let’s take a software development company as an example. They have a production environment, a QA environment, and a development environment. If we use just one Transit Gateway, there will be a lot of routes, which will be hard to manage. Instead, you can use one Transit Gateway for production, one for QA and one for development. By using multiple Transit Gateways, you can decrease the size of the routing table, so you don’t need a big team to manage your AWS cloud.
You can also segregate the environment by department, just as you would in an on-premises data center. With a single Transit Gateway, it would be very hard to segregate traffic between production, QA and development. Multiple Transit Gateways provide isolated network sections, each with its own VPCs and the resources launched into them.
You can set up a VPN connection to the Transit Gateway for remote access to the cloud instances, or you can use the AWS Direct Connect site-to-site VPN to connect to VPCs within the same region. The administrator gains greater visibility and complete control over the routing table and the IP range in use. In this way, multiple Transit Gateways improve security.
You can also combine multiple Transit Gateways with the concept of transit VPCs. A transit VPC is the old way of connecting multiple VPCs with remote resources. You set up a VPC with a firewall or routing instance in the center to create a global network. In our case, you can use that as a security add-on — your firewall or edge device will be connected to multiple Transit Gateways.
Finally, the use of multiple Transit Gateways allows you to aggregate bandwidth. A single Transit Gateway supports up to 50kbps. In our scenario, in which we’re using three Transit Gateways, we get up to 150kbps of bandwidth.
The use of multiple Transit Gateways is most suitable for large companies — customers who host their data center primarily in the cloud and want to segregate their cloud by department. A large enterprise is going to have hundreds or even thousands of AWS accounts and rapid growth.
Each VPC instance is associated with a specific account, so you have to have a way to connect them. Traditionally, you could use VPC peering, but with that, you need to manage access control lists (ACLs). That’s very costly. With multiple Transit Gateways, it becomes easy — you don’t have to deal with as many routing and ACL components. You have one link instead of three. If there is a new instance or VPC, you can easily attach it without the need to update the routing table. It is cost-effective because the infrastructure management overhead is reduced.
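The segregation argument above (one Transit Gateway per environment) and the ease of attaching new VPCs only hold if no VPC ends up attached to the wrong hub, or to two hubs at once, which would bridge production and QA. The following added example (not code from the original post or from Rahi Systems) audits attachment data for exactly that; it assumes an `Environment` tag on each VPC and a hand-maintained map of which gateway serves which environment, and all gateway and VPC IDs are constructed placeholders in the shape of the EC2 DescribeTransitGatewayAttachments response.

```python
"""Audit Transit Gateway VPC attachments for environment isolation (constructed sample data)."""
from collections import defaultdict

# Assumed operator-maintained map: which Transit Gateway serves which environment.
# Gateway IDs are constructed placeholders, not real identifiers.
TGW_ENVIRONMENT = {
    "tgw-0prod000000000001": "production",
    "tgw-0qa00000000000002": "qa",
    "tgw-0dev0000000000003": "development",
}

# Constructed sample attachments, shaped like the TransitGatewayAttachments list
# returned by EC2 DescribeTransitGatewayAttachments.
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayId": "tgw-0prod000000000001", "ResourceType": "vpc",
     "ResourceId": "vpc-0aaa", "Tags": [{"Key": "Environment", "Value": "production"}]},
    {"TransitGatewayId": "tgw-0qa00000000000002", "ResourceType": "vpc",
     "ResourceId": "vpc-0bbb", "Tags": [{"Key": "Environment", "Value": "qa"}]},
    # A QA VPC also attached to the production hub: this bridges the two environments.
    {"TransitGatewayId": "tgw-0prod000000000001", "ResourceType": "vpc",
     "ResourceId": "vpc-0bbb", "Tags": [{"Key": "Environment", "Value": "qa"}]},
    {"TransitGatewayId": "tgw-0dev0000000000003", "ResourceType": "vpc",
     "ResourceId": "vpc-0ccc", "Tags": [{"Key": "Environment", "Value": "development"}]},
]

def tag_value(tags, key):
    """Return the value of the first tag with the given key, or None."""
    return next((t["Value"] for t in tags if t["Key"] == key), None)

def find_isolation_violations(attachments, tgw_environment):
    """Return a sorted list of (vpc_id, reason) findings; an empty list means isolation holds."""
    findings = []
    tgws_per_vpc = defaultdict(set)
    for att in attachments:
        if att["ResourceType"] != "vpc":
            continue  # VPN and Direct Connect attachments are out of scope for this check
        vpc, tgw = att["ResourceId"], att["TransitGatewayId"]
        tgws_per_vpc[vpc].add(tgw)
        expected = tgw_environment.get(tgw)
        actual = tag_value(att.get("Tags", []), "Environment")
        if expected is None:
            findings.append((vpc, f"attached to unmanaged gateway {tgw}"))
        elif actual != expected:
            findings.append((vpc, f"tagged {actual!r} but attached to {expected} gateway {tgw}"))
    for vpc, tgws in tgws_per_vpc.items():
        if len(tgws) > 1:  # one VPC on two hubs routes traffic between environments
            findings.append((vpc, "attached to multiple gateways: " + ", ".join(sorted(tgws))))
    return sorted(findings)

if __name__ == "__main__":
    for vpc, reason in find_isolation_violations(SAMPLE_ATTACHMENTS, TGW_ENVIRONMENT):
        print(f"{vpc}: {reason}")
```

Against live data, the attachment list would come from the EC2 API and the check should run per region, since each Transit Gateway is regional.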
Large enterprises with a substantial and growing number of VPC instances can save time and money with multiple Transit Gateways. Contact the Rahi Systems network engineering team for help in architecting a solution.
Author: Shreyans Desai
Shreyans Desai is a Solutions Architect at Rahi Systems, on the Networking PSE team. Prior to Rahi Systems, he was a Solutions Engineer focusing on networking automation and systems. His experience includes enterprise data center and service provider routing, switching, and security solutions for multiple vendors (Juniper Networks, Cisco, Palo Alto Networks, Arista, and Huawei), and he also has a deep understanding of cloud computing solutions from Amazon Web Services (AWS) and OpenStack.