The AWS transit VPC is used to create a global network transit hub that interconnects geographically separated remote networks and your VPCs. transit VPCs reduce the number of connections needed when interconnecting VPCs and remote networks by eliminating the need to create mesh connections between VPCs.
transit VPCs and Transit Gateway service instances have a lot in common with the difference being that Transit Gateway is an AWS service and the transit VPC is a network architecture.
The transit VPC acts as a central routed network hub to route traffic from your VPCs and on-premises networks. This hub supports networking features such as Network Address Translation (NAT) to address overlapping IP address blocks, packet inspection and filtering, cross-account connections, intrusion detection/prevention, and simplified integrated network management.
The architecture of a transit VPC is hub-and-spoke, where the transit is the hub and all the other VPCs and remote sites are the spokes that route through the hub. BGP is the common routing protocol, and the interconnects are IPSec-based VPNs. The transit VPN contains an EC2 compute instance running VPN software in the hub that is the overlay that performs the routing between the spoke VPCs. This enables VPC transitive routing and single regional support, which are limitations when using traditional VPC-to-VPC peer connections.
There are, however, limitations and potential downsides when implementing a transitive VPC architecture. You must absorb the cost of the EC2 instances needed to run the VPN applications. There is the VPN throughput limit of 1.25 Gbps per tunnel, which is a hard bandwidth limit. AWS does not manage the VPN service, so the configuration overhead becomes your responsibility. If you choose to implement a high-availability design, there will be a corresponding higher cost.
Wide-area networks are a key component in the AWS Advanced Networking objectives. We have touched on many different aspects of WANs so far in this book including Direct Connect, VPNs, BGP, and interconnecting VPCs over wide areas such as between AWS regions.
In this section, you will learn about some of the technology used in wide-area networks such as MPLS and SD-WANs.
These are not specific AWS services but are used behind the scenes when establishing WANs, and it is important for network engineers to understand these technologies.
A software-defined wide-area network, or SD-WAN, is an automated, programmable wide-area network framework that can dynamically and securely route traffic based on network conditions, policies, or the priority of WAN circuits. The SD-WAN uses specialized SDN application technology to connect cloud, on-premises, and Internet sites that use automated, programmable functions that automate and manage your company’s network connections and to enforce policies, manage security, and control costs.
The SD-WAN provides a single point of management, security monitoring, and visibility for your complete network that may comprise multiple WANs from different carriers.
AWS offers a managed SD-WAN as a service through its technology partners in the AWS Marketplace using its Transit Gateway Connect service covered earlier in the chapter.
WAN traffic is now able to automatically and dynamically be forwarded over the WAN path based on network conditions and defined policies such as application QoS requirements (low latency for voice, high bandwidth for video), security, circuit costs, or any other defined criteria. An example of the dynamic capabilities of an SD-WAN network would be where all your organization’s Voice over IP (VoIP) traffic is sent over the company’s MPLS network. However, if there is an impairment on that network, the SD-WAN Orchestrator can reroute the traffic over a 5G wireless or Internet connection. SD-WAN offers load balancing, congestion management, and forwarding over the lowest-cost paths.
While traditional WAN offerings usually have a fixed bandwidth capacity, SD-WAN services provide scalability and flexibility that can automatically adjust to traffic loads, network congestion, and outages. By implementing intelligent SD-WAN controllers, integrated security services, artificial intelligence monitoring your traffic flows, and dynamic real-time networking using automation can be achieved.
SD-WAN automates the operation of a WAN by decoupling the networking hardware from its control mechanisms. The SD-WAN is a virtualized WAN software layer that sits on top of your physical WAN network for a central point of control.
If your SD-WAN connections use the Internet as their transport, network performance cannot be guaranteed. However, using private MPLS VPN WAN services from service providers, your traffic will not traverse the Internet and comes with service-level agreements that define end-to-end performance metrics.
The SD-WAN architecture of an SD-WAN consists of the WAN edge, WAN gateway, SD-WAN controller, and SD-WAN orchestrator, as shown in Figure 8.9. The SD-WAN edge is either hardware or virtualized software that sits at the edge of the SD-WAN in central and remote enterprise locations, data centers, and cloud providers such as AWS. The SD-WAN edge connects multiple WAN connections, monitors link conditions, and determines how to route your traffic over the optimal link based on the current traffic conditions.
FIGURE 8.9 SD-WAN basic architecture
SD-WAN gateways provide access to the SD-WAN service and are a distributed network of gateways supplied by the SD-WAN service provider. The gateways are located at external locations that reduce back-haul traffic to your central site.
The SD-WAN orchestrator is the management tool for configuration, provisioning, and management operations.
The SD-WAN controller makes the forwarding decisions for each application flow in your network. The controller can reside in the orchestrator, in the SD-WAN gateway, on-premises, or hosted by an AWS SD-WAN partner.
The SD-WAN edge classifies incoming IP packets into application flows that are then grouped together. Once the traffic is classified, policies are applied to make SD-WAN traffic forwarding decisions. The classification process determines the route and performance requirements of each classification.