Transit Gateway – Connecting On-Premises Networks – ANS-C01 Study Guide

Transit Gateway

The AWS Transit Gateway service is a central regional virtual router used to connect VPCs with on-premises facilities; it acts as the core router of your hybrid network. The hub reduces the complexity of connecting many locations and VPCs: each location or VPC makes a single connection to the gateway and relies on it to route to every other connected VPC and private data center. The gateway can also interconnect multiple regions, which simplifies VPC peering configurations, since each VPC needs only one connection to the gateway to reach all other connected VPCs. Third-party software-defined wide-area networking (SD-WAN) solutions can be integrated with the service so that your enterprise network joins your Transit Gateway deployment in the cloud. Transit Gateway is a fully managed AWS service that scales with the traffic load.

The AWS Transit Gateway is included in the VPC networking objectives and will be covered more extensively with interconnecting VPCs and multi-account networks in Chapter 8.

PrivateLink

The AWS PrivateLink service bypasses the public Internet and establishes a direct connection from a VPC to AWS services as if they resided inside your VPC. It is an internal AWS connection from your private VPC subnets to AWS services that live outside the VPC. Because the private subnets need no route to the Internet, you control all external access to AWS services such as API endpoints, remote sites, and other services. PrivateLink will be covered in greater detail in Chapter 8.

Resource Access Manager

The AWS Resource Access Manager (RAM) is an AWS management utility that allows you to share the AWS resources created in one AWS account and make them available to other AWS accounts. This makes your operations much more efficient, reduces overhead, and lowers costs by creating a resource one time and then using RAM to share it to other accounts instead of replicating the service in each account. External users can access the originating AWS service in the AWS console or use API operations as if those resources were native in the user’s account.

When your accounts are managed by AWS Organizations, you can share resources with other accounts in the organization or limit the scope to accounts contained in one or more organizational units (OUs) that you define. You can also share resources and services by using account IDs if you are not using Organizations or an account is not part of an organization. The account that owns the resource is responsible for paying for the services used.

The Resource Access Manager is integrated with CloudWatch and CloudTrail for management and monitoring visibility. Because there is a single shared resource rather than a copy in every account, access to it is governed by one set of policies and permissions instead of many, and resource owners can monitor which external entities have access to each individual shared resource.

If you need to share resources with accounts outside of your organization, the Resource Access Manager sends an invitation to the remote account, and the recipient account must accept the invitation before it can access the shared resources. Sharing within your organization is enabled once as an initial step; after that, sharing with accounts in the organization requires no additional invitations.
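The invitation rule above has a security consequence worth checking: a share that allows external principals, or that already has an out-of-organization account attached, is an exposure of the owner's resource beyond the organization boundary. The script below is an added example, not code from the study guide. It models the invitation rule (organization members need no invitation once organization sharing is enabled; outside accounts must accept one) and audits a set of resource shares for external principals. The records are constructed to mirror the field names returned by `aws ram get-resource-shares --resource-owner SELF` and `aws ram list-principals --resource-owner SELF`; in a real audit you would load the JSON from those calls instead. The account IDs, organization and OU identifiers, and share names are all made up.

```python
"""Audit AWS RAM resource shares for principals outside the organization.

Added example, not from the study guide. Sample records are constructed to
mirror the field names of `aws ram get-resource-shares` and
`aws ram list-principals` output; all IDs below are fictitious.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ORG_RE = re.compile(r"^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]+$")
OU_RE = re.compile(r"^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]+/ou-[a-z0-9-]+$")

# Constructed sample: the owning account is 111111111111 and its organization
# contains 111111111111 and 333333333333. Account 222222222222 is a partner
# outside the organization.
ORG_MEMBER_ACCOUNTS = {"111111111111", "333333333333"}

RESOURCE_SHARES = [
    {
        "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/share-tgw",
        "name": "tgw-share",
        "owningAccountId": "111111111111",
        "allowExternalPrincipals": False,
        "status": "ACTIVE",
    },
    {
        "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/share-subnets",
        "name": "subnet-share-partner",
        "owningAccountId": "111111111111",
        "allowExternalPrincipals": True,
        "status": "ACTIVE",
    },
]

PRINCIPALS = [
    {"id": "arn:aws:organizations::111111111111:ou/o-abc123/ou-abc1-11111111",
     "resourceShareArn": RESOURCE_SHARES[0]["resourceShareArn"], "external": False},
    {"id": "333333333333",
     "resourceShareArn": RESOURCE_SHARES[1]["resourceShareArn"], "external": False},
    {"id": "222222222222",
     "resourceShareArn": RESOURCE_SHARES[1]["resourceShareArn"], "external": True},
]


def principal_kind(principal_id):
    """Classify a RAM principal as a 12-digit account ID, an organization ARN,
    or an organizational unit ARN; anything else is reported as 'other'."""
    if ACCOUNT_ID_RE.match(principal_id):
        return "account"
    if ORG_RE.match(principal_id):
        return "organization"
    if OU_RE.match(principal_id):
        return "ou"
    return "other"


def needs_invitation(principal_id, org_members, org_sharing_enabled=True):
    """Return True if the principal must accept an invitation before it can use
    the share. With sharing enabled for AWS Organizations, the organization, its
    OUs and its member accounts are added without an invitation; an account
    outside the organization (or any account when organization sharing is
    disabled) must accept one."""
    kind = principal_kind(principal_id)
    if kind in ("organization", "ou"):
        return not org_sharing_enabled
    if kind == "account":
        return not (org_sharing_enabled and principal_id in org_members)
    return True


def audit_shares(shares, principals, org_members):
    """Flag shares exposed outside the organization. Returns a dict keyed by
    share name listing the external account IDs attached to that share."""
    by_arn = {s["resourceShareArn"]: s["name"] for s in shares}
    findings = {}
    for p in principals:
        name = by_arn.get(p["resourceShareArn"])
        if name is None:
            continue
        # Trust the API's own 'external' flag, but also recompute it from the
        # organization membership so a stale flag does not hide an exposure.
        external = p.get("external") or (
            principal_kind(p["id"]) == "account" and p["id"] not in org_members)
        if external:
            findings.setdefault(name, []).append(p["id"])
    # A share that allows external principals is worth noting even before any
    # external principal is attached, since one can be associated later.
    for s in shares:
        if s.get("allowExternalPrincipals") and s["name"] not in findings:
            findings[s["name"]] = []
    return findings


if __name__ == "__main__":
    result = audit_shares(RESOURCE_SHARES, PRINCIPALS, ORG_MEMBER_ACCOUNTS)
    for name, accounts in result.items():
        print(f"{name}: external principals {accounts or 'none yet (but allowed)'}")
```

The owner-side and recipient-side steps the script models correspond to `aws ram enable-sharing-with-aws-organization` (done once in the management account), `aws ram create-resource-share` with `--principals`, and, for an outside account, `aws ram get-resource-share-invitations` followed by `aws ram accept-resource-share-invitation`. Running the audit periodically, or on the CloudTrail events RAM emits, gives the resource owner the visibility the paragraph above describes.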

RAM supports many different AWS resources, but the list changes over time and by region as AWS expands its capabilities. It’s always a good idea to check the AWS online documentation for the latest list of services that RAM supports. The following AWS resources can currently be shared using the Resource Access Manager:

  • App Mesh
  • Amazon Aurora
  • AWS Private Certificate Authority
  • CodeBuild
  • EC2
  • EC2 Image Builder
  • Glue
  • License Manager
  • Migration Hub Refactor Spaces
  • Network Firewall
  • Outposts
  • S3 on Outposts
  • Resource Groups
  • Route 53
  • SageMaker
  • Service Catalog AppRegistry
  • Systems Manager Incident Manager
  • VPCs
  • Cloud WAN