AWS DX – DXGW with AWS Transit Gateway, Multi-Regions (more than 3) - Hybrid Connectivity

AWS DX – DXGW with AWS Transit Gateway, Multi-Regions (more than 3)

This model is constructed of the following:

  • Multi AWS Regions (more than 3)

  • Dual on-premises data centers

  • Dual AWS Direct Connect connections across two independent DX locations per Region

  • AWS DXGW with AWS Transit Gateway

  • High scale of VPCs per Region

  • Full mesh of peering between AWS Transit Gateways


Figure 1 – AWS DX – DXGW with AWS Transit Gateway, Multi-Regions (more than 3)

Connectivity model attributes

  • Has the lowest operational overhead

  • Uses an AWS DX public VIF to access AWS public resources, such as Amazon S3 and DynamoDB, directly over the AWS DX connections.

  • Provides the ability to connect to VPCs and/or DX connection(s) in other Regions in the future.

  • Has the ability to achieve full or partial mesh connectivity between the VPCs, with AWS Transit Gateway connected to VPCs.

  • Cross-Region VPC communication is facilitated by AWS Transit Gateway peering.

  • Offers flexible design options to integrate third-party security and SD-WAN virtual appliances with AWS Transit Gateway. See: Centralized network security for VPC-to-VPC and on-premises to VPC traffic.

Scale considerations

  • The number of routes to and from AWS Transit Gateway is limited to the maximum supported number of routes over a Transit VIF (inbound and outbound numbers differ). For more information about the scale limits, see AWS Direct Connect quotas. We recommend route summarization to avoid exceeding this limit.

  • Scales up to thousands of VPCs per AWS Transit Gateway over a single BGP session per DXGW (assuming the provisioned AWS DX connections provide sufficient bandwidth).

  • Up to three AWS Transit Gateways can be connected per DXGW.

  • If more than three Regions need to be connected using AWS Transit Gateway, then additional DXGWs are required.

  • A single Transit VIF is used per AWS DX connection.

  • Additional AWS DX connections can be added as desired.
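The following Python script is an added planning example, not code from the AWS document. It encodes the scale rules listed above and in the model description (at most three Transit Gateways per DXGW, a full mesh of TGW peering, one Transit VIF per DX connection with dual connections per Region, and route summarization to stay under the Transit VIF route limit) and runs them against constructed sample input. The route quota values in it are assumed placeholders, not figures from this page; the current numbers are in the AWS Direct Connect quotas documentation.

```python
"""Capacity-planning helpers for the DXGW + AWS Transit Gateway multi-Region model.

Added example (not from the AWS document). Sample Regions and CIDRs are constructed.
"""
import ipaddress
import itertools
import math

# Limit stated in the text: a DXGW can attach up to three Transit Gateways.
MAX_TGWS_PER_DXGW = 3

# ASSUMED placeholder quotas for routes per Transit VIF BGP session, used only to make
# the check concrete. Look up the current limits in "AWS Direct Connect quotas".
ASSUMED_INBOUND_ROUTE_QUOTA = 100   # prefixes on-premises may advertise towards AWS
ASSUMED_OUTBOUND_ROUTE_QUOTA = 20   # prefixes AWS advertises per TGW towards on-premises


def dxgws_required(regions):
    """DXGWs needed when each holds at most MAX_TGWS_PER_DXGW TGWs (one TGW per Region)."""
    return math.ceil(len(regions) / MAX_TGWS_PER_DXGW)


def assign_regions_to_dxgws(regions):
    """Group Regions into DXGWs, filling each DXGW with up to MAX_TGWS_PER_DXGW TGWs."""
    step = MAX_TGWS_PER_DXGW
    return [list(regions[i:i + step]) for i in range(0, len(regions), step)]


def tgw_peering_pairs(regions):
    """Full mesh of TGW peering: one peering attachment per unordered pair of Regions."""
    return list(itertools.combinations(regions, 2))


def transit_vifs_required(regions, dx_connections_per_region=2):
    """One Transit VIF per DX connection; the model uses dual DX connections per Region."""
    return len(regions) * dx_connections_per_region


def summarize(cidrs):
    """Collapse a list of CIDRs into the fewest covering prefixes (route summarization)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def check_advertised_routes(cidrs, quota):
    """Compare raw and summarized prefix counts against a per-BGP-session route quota."""
    summarized = summarize(cidrs)
    return {
        "raw": len(cidrs),
        "summarized": len(summarized),
        "within_quota": len(summarized) <= quota,
        "prefixes": summarized,
    }


# Constructed sample input: four Regions (more than three, so a second DXGW is needed).
# Each Region's VPCs are carved from its own 10.<n>.0.0/16 block so they summarize well.
SAMPLE_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]
SAMPLE_VPC_CIDRS = {
    "us-east-1": [f"10.1.{i * 16}.0/20" for i in range(16)],      # 16 VPCs
    "us-west-2": [f"10.2.{i * 4}.0/22" for i in range(40)],       # 40 VPCs
    "eu-west-1": [f"10.3.{i * 8}.0/21" for i in range(32)],       # 32 VPCs
    "ap-southeast-1": [f"10.4.{i * 16}.0/20" for i in range(12)], # 12 VPCs
}
# Constructed on-premises prefixes: eight /24s from each of the two data centers.
SAMPLE_ONPREM_CIDRS = [f"172.16.{i}.0/24" for i in range(8)] + \
                      [f"172.17.{i}.0/24" for i in range(8)]


def plan(regions=SAMPLE_REGIONS, vpc_cidrs=SAMPLE_VPC_CIDRS, onprem_cidrs=SAMPLE_ONPREM_CIDRS):
    """Produce the planning summary for the whole deployment."""
    return {
        "dxgws_required": dxgws_required(regions),
        "dxgw_groups": assign_regions_to_dxgws(regions),
        "tgw_peering_attachments": len(tgw_peering_pairs(regions)),
        "transit_vifs": transit_vifs_required(regions),
        "outbound_routes": {
            r: check_advertised_routes(vpc_cidrs[r], ASSUMED_OUTBOUND_ROUTE_QUOTA)
            for r in regions
        },
        "inbound_routes": check_advertised_routes(onprem_cidrs, ASSUMED_INBOUND_ROUTE_QUOTA),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan(), indent=2))
```

Running the script shows that us-west-2 would advertise 40 individual VPC prefixes, above the assumed outbound quota, but summarizes to two prefixes (10.2.0.0/17 and 10.2.128.0/19), which is the effect the summarization recommendation above relies on. The summarization is only this effective because each Region's VPCs are allocated from a contiguous block; scattered CIDRs would not collapse.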

Other considerations

  • Incurs additional AWS Transit Gateway processing cost for data transfer between on-premises site and AWS.

  • Security groups of a remote VPC cannot be referenced over AWS Transit Gateway. If security group referencing is a requirement, we recommend that you consider VPC peering.

  • VPC peering can be used instead of AWS Transit Gateway to facilitate communication between the VPCs. However, this adds operational complexity to build and manage a large number of point-to-point VPC peerings at scale.

The following decision tree covers the scalability and communication model considerations:


Figure 2 – Scalability and communication model decision tree

Note: If the selected connection type is VPN, the decision to make, typically at the performance-consideration step, is whether the VPN termination point for the AWS S2S VPN connection is an AWS VGW or an AWS Transit Gateway. Otherwise, consider the required communication model between the VPCs, along with the number of VPCs that need to be connected to the VPN connection(s), to help you make the decision.