Wednesday, August 7, 2019

Main Advantages of Using Transit Gateway in Amazon AWS

  • Per-region VPN tunnels: Instead of building new tunnels every time a VPC is created, you simply attach the VPC to the Transit Gateway in that region, which already has a VPN established. Once attached, it is only a matter of adding route propagations to give the VPC connectivity over the VPN.

  • Attach to the Transit Gateway once rather than peering with multiple VPCs: Every time a new VPC is created, it often needs to be peered with VPCs in other accounts and shared environments. With the Transit Gateway, you simply attach the VPC to the Transit Gateway, associate that attachment with the right routing domain and allow routes to propagate, which gives the new VPC access to multiple VPCs and vice versa.

A known limitation of the AWS Transit Gateway is that it does not support cross-region connectivity, for which inter-region VPC peering is still required. This is in the future pipeline and is the right direction to take once AWS releases the functionality in the near future.

The best practice for deploying an AWS Transit Gateway is to use an infrastructure-as-code tool such as Terraform. I will share the code in a future post, so stay tuned and subscribe to our blog.

Why use Terraform instead of CloudFormation
  • Terraform is cloud neutral, i.e. it can manage not only AWS but also Google Cloud and Microsoft Azure, should the need arise in the future.
  • Usually the Transit Gateway is created in a central account and all other accounts are then connected to it to get access to the VPN. Terraform does a much better job than CloudFormation of orchestrating an environment across multiple accounts.
  • Creating a central account specifically for the Transit Gateway makes it possible to restrict and audit all actions relating to networking changes on the Transit Gateway.
Resource Access Manager (RAM) for Transit Gateways
Transit Gateways are shared with other AWS accounts within the organization via a service called Resource Access Manager. Resource Access Manager shares are deployed as part of the Terraform code that deploys a Transit Gateway. We deploy one share per Transit Gateway, with the same name as the Transit Gateway, and designate in code the AWS accounts it is shared with.

Some important notes about Resource Access Manager:

We enabled a feature within our AWS Organization that auto-accepts resource shares from one account to another; this allowed for end-to-end infrastructure-as-code functionality.
When a VPC attaches to the Transit Gateway, that attachment is not auto-accepted in the network account; a person with the right level of access to that AWS account must approve it. This prevents unauthorized people from attaching things to the Transit Gateway.
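The central-account side of what the Terraform and RAM sections above describe, as an added example written for this post rather than the author's forthcoming code: one Transit Gateway with shared-attachment auto-accept disabled, its own route table as a routing domain, and a RAM share of the same name restricted to the organization. The ASN, names and the `org_arn` variable are assumed placeholder values.

```hcl
# Central network account: one Transit Gateway, shared to the organization via RAM.
# Names, ASN and the organization ARN below are placeholders (assumed values).

variable "org_arn" {
  description = "ARN of the AWS Organization allowed to use the share (placeholder)"
  type        = string
}

resource "aws_ec2_transit_gateway" "hub" {
  description     = "hub-tgw"
  amazon_side_asn = 64512

  # Attachments from member accounts stay "pending acceptance" until someone
  # with access to this account accepts them (the control the post describes).
  auto_accept_shared_attachments = "disable"

  # Keep new attachments out of the default route table so each attachment is
  # placed explicitly into a routing domain (shared, prod, dev ...).
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"

  tags = { Name = "hub-tgw" }
}

# One routing domain per environment; routes propagate only where associated.
resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "hub-tgw-shared" }
}

# RAM share named after the gateway; principals outside the organization denied.
resource "aws_ram_resource_share" "hub" {
  name                      = "hub-tgw"
  allow_external_principals = false
  tags                      = { Name = "hub-tgw" }
}

resource "aws_ram_resource_association" "hub" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.hub.arn
}

# Share with the whole organization (requires RAM sharing to be enabled in
# Organizations, which is what lets member accounts auto-accept the share).
resource "aws_ram_principal_association" "org" {
  principal          = var.org_arn
  resource_share_arn = aws_ram_resource_share.hub.arn
}
```

A member account then creates an `aws_ec2_transit_gateway_vpc_attachment` against the shared gateway id, and the attachment remains pending until it is accepted in this account and associated with the intended route table.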
