AWS Transit Gateway
As you grow the number of workloads running on AWS, you'll need to scale your networks across multiple accounts and VPCs. Previously, you had to connect pairs of VPCs using VPC peering. More recently, AWS introduced AWS Transit Gateway, which provides a more scalable way to interconnect multiple VPCs. Telecom services with low-latency requirements can be supported through AWS Transit Gateway, since it provides connectivity from the on-premises network to the attached VPCs over both AWS Site-to-Site VPN and AWS Direct Connect, using Border Gateway Protocol (BGP) for routing.
With AWS Transit Gateway, you only need to create and manage a single connection from the central gateway to each Amazon VPC, on-premises data center, or remote office across your network. AWS Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. This hub-and-spoke model significantly simplifies management and reduces operational costs, because each network only has to connect to AWS Transit Gateway and not to every other network. Any new VPC is simply connected to the gateway and is then automatically available to every other connected network. This ease of connectivity makes it easy to scale your network as you grow. The following before-and-after diagrams illustrate the benefit of using AWS Transit Gateway:
Transit Gateway (TGW) supports inter-regional connectivity via TGW peering, simplifying the connectivity between VPCs in different regions and on-premises networks.
Transit Gateway supports on-premises connectivity via both a Transit VIF (Direct Connect connection) and Site-to-Site IPsec VPN tunnels. A single VPN tunnel can achieve up to 1.25 Gbps of bandwidth. TGW supports Equal Cost Multi-Path (ECMP) routing, which scales VPN throughput across additional VPN tunnels attached to the TGW. More information: https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-vpn-throughput-using-aws-transit-gateway/
Finally, Elastic Load Balancing allows incoming traffic to be equally distributed across multiple EC2 instances in a VPC and increases the availability of your application. While Elastic Load Balancing supports Application, Classic, and Network Load Balancers, typically only Network Load Balancers will be used for telecom workloads. Network Load Balancers function at Layer 4 of the OSI model, support both TCP and UDP traffic, and can handle millions of requests per second.
Network Load Balancers support Elastic IP addresses, which remain unchanged as the load balancer scales internally.
TGW also supports intra-region peering with other TGWs in the customer network. With intra-region peering, customers no longer need to create bridge VPCs between multiple transit gateways or attach a single VPC to multiple Transit Gateways in order to route traffic between different Transit Gateways in the same AWS Region. Intra-region peering simplifies routing and interconnectivity between VPCs and on-premises networks that are serviced and managed via separate Transit Gateways. This feature gives customers the flexibility to deploy multiple Transit Gateways with separate administrative domains, while providing a native way to interconnect them. Using intra-region peering, you can build flexible network topologies and easily integrate your network with a third-party or partner-managed network in the same AWS Region. If you are already familiar with Transit Gateway inter-region peering, intra-region peering works exactly the same way, except that the peered Transit Gateways are in the same AWS Region.
Customers can deploy flexible topologies to fit their use cases. If you have multiple Transit Gateways, AWS recommends setting up a full-mesh architecture, as shown in the following diagram.
Centralized network traffic inspection can be implemented with either AWS Network Firewall or an AWS Gateway Load Balancer by adding an inspection VPC to the architecture. Using static routes in the route table associated with the intra-region peering attachment, customers can steer traffic arriving from the third-party transit gateway to the security inspection VPC. Appliance mode must be enabled on the inspection VPC's Transit Gateway attachment so that traffic stays symmetric in both directions, as shown in the following diagram.
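The two conditions above (static routes on the peering attachment's route table that point at the inspection VPC, and appliance mode enabled on that attachment) are easy to get wrong and hard to spot by eye. The following added example, which is not part of the original paper, checks both against route and attachment records whose dict shapes are assumed to mirror the EC2 `SearchTransitGatewayRoutes` and `DescribeTransitGatewayVpcAttachments` responses; the sample data is constructed and the attachment IDs are placeholders.

```python
"""Consistency check for a TGW centralized-inspection design.

ASSUMPTION: dict shapes mirror the EC2 API fields (DestinationCidrBlock, Type,
State, TransitGatewayAttachments[].TransitGatewayAttachmentId,
Options.ApplianceModeSupport). All sample values below are constructed.
"""

def check_inspection_design(routes, vpc_attachments, inspection_attachment_id):
    """Return a list of findings; an empty list means the design is consistent."""
    findings = []

    # 1. Appliance mode keeps both directions of a flow in the same AZ, so a
    #    stateful firewall in the inspection VPC sees the whole conversation.
    by_id = {a["TransitGatewayAttachmentId"]: a for a in vpc_attachments}
    insp = by_id.get(inspection_attachment_id)
    if insp is None:
        findings.append(f"{inspection_attachment_id}: inspection VPC attachment not found")
    elif insp.get("Options", {}).get("ApplianceModeSupport") != "enable":
        findings.append(f"{inspection_attachment_id}: ApplianceModeSupport is not 'enable'")

    # 2. Every active static route in the peering attachment's route table should
    #    target the inspection attachment; any other target bypasses the firewall.
    for r in routes:
        if r.get("Type") != "static" or r.get("State") == "blackhole":
            continue
        targets = {t["TransitGatewayAttachmentId"] for t in r.get("TransitGatewayAttachments", [])}
        if inspection_attachment_id not in targets:
            findings.append(f"{r['DestinationCidrBlock']}: static route bypasses inspection "
                            f"(targets {sorted(targets)})")
    return findings


# Constructed sample: one route correctly steered, one that bypasses inspection,
# and an inspection attachment whose appliance mode was left disabled.
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.10.0.0/16", "Type": "static", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-inspection"}]},
    {"DestinationCidrBlock": "10.20.0.0/16", "Type": "static", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-prod"}]},
]
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-inspection",
     "Options": {"ApplianceModeSupport": "disable"}},
    {"TransitGatewayAttachmentId": "tgw-attach-prod",
     "Options": {"ApplianceModeSupport": "disable"}},
]

if __name__ == "__main__":
    for finding in check_inspection_design(SAMPLE_ROUTES, SAMPLE_ATTACHMENTS, "tgw-attach-inspection"):
        print("FINDING:", finding)
```

In a real account the two inputs would come from `search-transit-gateway-routes` on the peering attachment's route table and `describe-transit-gateway-vpc-attachments`.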
Transit Gateway Connect
Transit Gateway Connect provides native support for connecting SD-WAN infrastructure to AWS via the TGW. SD-WAN network appliances no longer require IPsec VPNs to the TGW: TGW Connect uses Generic Routing Encapsulation (GRE), which offers higher bandwidth than a VPN connection. TGW Connect supports Border Gateway Protocol (BGP) for dynamic routing, which simplifies network design and reduces operational costs. Integration with Transit Gateway Network Manager increases visibility and gives access to performance metrics and telemetry data from both the virtual appliances in AWS and the branch appliances.