AWS Transit Gateway - Amazon EC2 Overview and Networking Introduction for Telecom Companies

AWS Transit Gateway

As you grow the number of workloads running on AWS, you need to be able to scale your networks across multiple accounts and VPCs. Previously, you had to connect pairs of VPCs using VPC peering. Recently, AWS introduced AWS Transit Gateway, which provides a more scalable way to interconnect multiple VPCs. Telecom services that have low-latency requirements can be served via AWS Transit Gateway, as it supports connectivity to the attached VPCs from the on-premises network via both AWS Site-to-Site VPN and AWS Direct Connect, using Border Gateway Protocol (BGP) for route exchange.

With AWS Transit Gateway, you only need to create and manage a single connection from the central gateway to each Amazon VPC, on-premises data center, or remote office across your network. AWS Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. This hub-and-spoke model significantly simplifies management and reduces operational costs, because each network only has to connect to AWS Transit Gateway and not to every other network. Any new VPC is simply connected to the gateway and is then automatically available to every other connected network. This ease of connectivity makes scaling your network straightforward as you grow. The following before-and-after diagrams illustrate the benefit of using AWS Transit Gateway:

Diagram showing network connectivity before introducing AWS Transit Gateway
Diagram showing network connectivity after introducing AWS Transit Gateway

Figure 12 – Network connectivity before and after introducing AWS Transit Gateway

Transit Gateway (TGW) supports inter-regional connectivity via TGW peering, simplifying the connectivity between VPCs in different regions and on-premises networks.

Diagram showing TGW Inter-Region Peering

Figure 13 - TGW Inter-Region Peering

Transit Gateway supports on-premises connectivity via both a Transit VIF (on a Direct Connect connection) and site-to-site IPsec VPN tunnels. A single VPN tunnel can achieve up to 1.25 Gbps of bandwidth. TGW supports Equal Cost Multi-Path (ECMP) routing, which is used to scale VPN throughput by associating additional VPN tunnels with the TGW. More information: https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-vpn-throughput-using-aws-transit-gateway/

Diagram showing TGW using ECMP with multiple VPN tunnels

Figure 14 – TGW using ECMP with multiple VPN tunnels

Finally, Elastic Load Balancing allows incoming traffic to be equally distributed across multiple EC2 instances in a VPC and increases the availability of your application. While Elastic Load Balancing supports Application, Classic, and Network Load Balancers, typically only Network Load Balancers will be used for telecom workloads. Network Load Balancers function at Layer 4 of the OSI model, support both TCP and UDP traffic, and can handle millions of requests per second.

A Network Load Balancer supports Elastic IP addresses, which remain unchanged as the load balancer scales internally.

TGW also supports intra-region peering with other TGWs in the customer network. With the intra-region peering capability, customers no longer need to create bridge VPCs between multiple transit gateways, or attach a single VPC to multiple Transit Gateways, to route traffic between different Transit Gateways in the same AWS Region. Intra-region peering simplifies routing and interconnectivity between VPCs and on-premises networks that are serviced and managed via separate Transit Gateways. This feature gives customers the flexibility to deploy multiple Transit Gateways with separate administrative domains, while providing an easy way to interconnect these Transit Gateways in a more native manner. Using intra-region peering, you can build flexible network topologies and easily integrate your network with a third-party or partner-managed network in the same AWS Region. If you are already familiar with Transit Gateway inter-region peering, it works exactly the same way, except that the peered Transit Gateways are in the same AWS Region.

Architecture diagram showing TGW attachments

Figure 15 – TGW attachments

Customers can deploy flexible topologies to fit their use cases. AWS recommends setting up a full mesh architecture if you have multiple Transit Gateways, as shown in the following diagram.

Diagram showing TGW inter-region mesh connectivity

Figure 16 – TGW inter-region mesh connectivity

Centralized network traffic inspection can be implemented with either AWS Network Firewall or an AWS Gateway Load Balancer by setting up an inspection VPC in the architecture. Using static routes in the route table associated with the intra-region peering attachment, customers can steer traffic coming from the third-party transit gateway to the security inspection VPC. Appliance mode must be enabled on the inspection VPC's Transit Gateway attachment so that both directions of a flow stay on the same path (traffic symmetry), as shown in the following diagram.

Diagram showing TGW in appliance mode with AWS Network Firewall and Gateway load balancer

Figure 17 – TGW in appliance mode with AWS Network Firewall and Gateway load balancer
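The two configuration points above (appliance mode on the inspection attachment, and the peering route table actually steering traffic to it) are easy to get wrong silently. The following script is an added example, not part of this whitepaper and not an AWS tool: it reads responses shaped like `aws ec2 describe-transit-gateway-vpc-attachments` and `aws ec2 search-transit-gateway-routes` (sample data constructed inline with hypothetical IDs) and reports inspection attachments without appliance mode, plus any active route in the peering route table whose next hop is not the inspection VPC. It also illustrates a caveat beyond the text: a more specific propagated route beats the static catch-all under longest-prefix match, so a propagated /16 bypasses an inspection route for the /8.

```python
import json

# Constructed sample shaped like `aws ec2 describe-transit-gateway-vpc-attachments`
# (hypothetical IDs; only the fields the check reads are included).
VPC_ATTACHMENTS = json.loads("""{"TransitGatewayVpcAttachments": [
  {"TransitGatewayAttachmentId": "tgw-attach-0inspect00000001", "VpcId": "vpc-0insp",
   "Options": {"DnsSupport": "enable", "ApplianceModeSupport": "disable"}},
  {"TransitGatewayAttachmentId": "tgw-attach-0workload0000002", "VpcId": "vpc-0work",
   "Options": {"DnsSupport": "enable", "ApplianceModeSupport": "disable"}}]}""")

# Constructed sample shaped like `aws ec2 search-transit-gateway-routes`, run against
# the route table associated with the intra-region peering attachment.
PEERING_RT_ROUTES = json.loads("""{"Routes": [
  {"DestinationCidrBlock": "10.0.0.0/8", "Type": "static", "State": "active",
   "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0inspect00000001"}]},
  {"DestinationCidrBlock": "10.20.0.0/16", "Type": "propagated", "State": "active",
   "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0workload0000002"}]}]}""")

INSPECTION_ATTACHMENT = "tgw-attach-0inspect00000001"  # hypothetical ID


def attachments_missing_appliance_mode(payload, inspection_ids):
    """Inspection VPC attachments whose ApplianceModeSupport is not 'enable'.

    Without appliance mode the TGW may send the return flow through a different
    AZ, so the reply misses the appliance that saw the request (asymmetric path)."""
    return sorted(
        a["TransitGatewayAttachmentId"]
        for a in payload["TransitGatewayVpcAttachments"]
        if a["TransitGatewayAttachmentId"] in inspection_ids
        and a.get("Options", {}).get("ApplianceModeSupport") != "enable"
    )


def routes_bypassing_inspection(payload, inspection_id):
    """Active routes in the peering route table whose next hop is not the
    inspection attachment. Longest-prefix match means a more specific propagated
    route wins over the static catch-all, so such routes bypass the firewall."""
    bypass = []
    for r in payload["Routes"]:
        if r.get("State") != "active":  # blackhole routes cannot bypass anything
            continue
        hops = {h["TransitGatewayAttachmentId"] for h in r.get("TransitGatewayAttachments", [])}
        if inspection_id not in hops:
            bypass.append((r["DestinationCidrBlock"], r["Type"], sorted(hops)))
    return bypass


if __name__ == "__main__":
    print("no appliance mode:", attachments_missing_appliance_mode(VPC_ATTACHMENTS, {INSPECTION_ATTACHMENT}))
    print("bypassing routes:", routes_bypassing_inspection(PEERING_RT_ROUTES, INSPECTION_ATTACHMENT))
```

On real data, feed the script the JSON of the two CLI calls above, run against the route table associated with the peering attachment rather than the default route table.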

Transit Gateway Connect

Transit Gateway Connect provides native support for connecting SD-WAN infrastructure to AWS via a TGW. SD-WAN network appliances no longer require IPsec VPNs to the TGW; Transit Gateway Connect supports Generic Routing Encapsulation (GRE), which gives higher bandwidth than a VPN connection. Transit Gateway Connect supports Border Gateway Protocol (BGP) for dynamic routing, which simplifies network design and reduces operational costs. Integration with Transit Gateway Network Manager increases visibility and gives access to performance metrics and telemetry data from both the virtual appliances in AWS and the branch appliances.