Making VPCs + On-premises talk to each other - Networking 101

VPC Peering

  • Privately connect two VPCs over the AWS network.
  • Make them behave as if they were in the same network.
  • The two VPCs must not have overlapping CIDR blocks; AWS rejects the peering request if they do.
  • VPC peering is not transitive. Example: A peers with B and B peers with C; A and C are not implicitly peered and need their own peering connection to talk.


When configuring peering you need to update the route table in each VPC so that the two can talk to each other.


Points to know

  • VPC peering across accounts and across regions is supported.
  • You can reference a security group in the peered VPC (works cross-account, same region).
  • VPC peering itself is free; charges apply only for data transfer across AZs and across regions.
  • Add a route in each VPC's route table that sends traffic for the peer's CIDR to the peering connection.
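The three peering rules above (no overlapping CIDRs, a route on each side, no transitivity) as an added example; this is not code from the original article. The VPC names, CIDRs and pcx-* identifiers are constructed for illustration, and the check uses only the standard-library ipaddress module.

```python
# Added example (not from the original article): models the VPC peering rules with
# the standard-library ipaddress module. VPC names, CIDRs and pcx-* ids are constructed.
import ipaddress
from collections import deque

VPCS = {
    "vpc-a": ipaddress.ip_network("10.0.0.0/16"),
    "vpc-b": ipaddress.ip_network("10.1.0.0/16"),
    "vpc-c": ipaddress.ip_network("10.2.0.0/16"),
    "vpc-d": ipaddress.ip_network("10.1.128.0/17"),   # overlaps vpc-b
}

# Peering connections that actually exist (one entry per VPC pair).
PEERINGS = {
    "pcx-ab": ("vpc-a", "vpc-b"),
    "pcx-bc": ("vpc-b", "vpc-c"),
}

def can_peer(vpc1, vpc2):
    """AWS rejects a peering request when the two CIDR blocks overlap."""
    return not VPCS[vpc1].overlaps(VPCS[vpc2])

def peering_routes(pcx_id):
    """Routes needed so traffic for the peer's CIDR uses the peering connection.
    Returns {vpc: [(destination_cidr, target)]}; both sides are required."""
    left, right = PEERINGS[pcx_id]
    return {
        left: [(str(VPCS[right]), pcx_id)],
        right: [(str(VPCS[left]), pcx_id)],
    }

def directly_peered(src, dst):
    return any({src, dst} == set(pair) for pair in PEERINGS.values())

def transitively_connected(src, dst):
    """True if a chain of peerings links src and dst. This is NOT enough for traffic."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for a, b in PEERINGS.values():
            nxt = b if a == cur else a if b == cur else None
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def can_route(src, dst):
    """Peering is non-transitive: only a direct peering carries traffic."""
    return directly_peered(src, dst)

if __name__ == "__main__":
    print(can_peer("vpc-a", "vpc-b"))                     # True
    print(can_peer("vpc-b", "vpc-d"))                     # False: overlapping CIDRs
    print(peering_routes("pcx-ab"))
    print(transitively_connected("vpc-a", "vpc-c"))       # True
    print(can_route("vpc-a", "vpc-c"))                    # False
```

The last two calls are the point: a path exists through vpc-b in the peering graph, yet vpc-a cannot reach vpc-c because the VPC router only forwards over a peering connection attached to the VPC itself; to reach vpc-c you create pcx-ac and add the corresponding routes.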



VPC endpoints

  • By default, when a resource in your VPC talks to an AWS managed service, the traffic leaves through the public internet. That exposes the flow to the internet path, adds latency, and the internet data transfer is charged.
  • Suppose you have an EC2 instance in a private subnet that needs to reach Amazon SNS. Its traffic goes NAT gateway -> Internet gateway -> Amazon SNS. That consumes NAT gateway bandwidth and internet data transfer, and both cost money.
  • There are two types of VPC endpoint: Gateway Endpoints (support S3 and DynamoDB, free of charge) and Interface Endpoints (cost $).
  • VPC endpoints (interface endpoints are powered by AWS PrivateLink) let you reach AWS services over the AWS private network instead of the public internet.
  • VPC endpoints are redundant and scale horizontally.
  • They remove the need for an Internet Gateway or NAT gateway to reach AWS services, which simplifies your architecture.
  • In case of issues: check the DNS resolution settings of your VPC (enableDnsSupport and enableDnsHostnames) and the route tables.

Interface Endpoints (powered by PrivateLink)

  • Provisions an ENI (a private IP address in your subnet) as the entry point (a security group must be attached to it).
  • Supports most AWS services.
  • Costs $ per hour and per GB of data processed.
  • Roughly $8.76 per month per AZ plus $0.01 per GB, while a NAT gateway costs about $37.96 per month per AZ plus $0.052 per GB.

Gateway Endpoints

  • Provisions a gateway that must be used as a target in a route table (no security group is involved).
  • Supports S3 and DynamoDB.
  • Free
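How the two endpoint types change where traffic goes, as an added example that is not code from the original article: a gateway endpoint is just a route that wins by longest prefix match over the default route to the NAT gateway, and an interface endpoint depends on private DNS plus its security group. The VPC and peer CIDRs, the vpce-s3 / nat-gw / pcx-ab identifiers and the two S3 prefixes are constructed stand-ins; the real prefixes come from the managed prefix list com.amazonaws.<region>.s3.

```python
# Added example (not from the original article): how a private subnet's route table
# steers traffic once a gateway endpoint route exists, plus the two checks to run when
# an interface endpoint "does not work". CIDRs, identifiers and the S3 prefix-list
# contents below are constructed for illustration.
import ipaddress

# Constructed stand-in for the S3 managed prefix list of one region.
S3_PREFIX_LIST = ["52.216.0.0/15", "3.5.0.0/19"]

def make_route_table(with_gateway_endpoint):
    """Private-subnet route table: local, peer VPC, optional S3 gateway endpoint,
    default route via the NAT gateway."""
    routes = [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab")]
    if with_gateway_endpoint:
        # AWS inserts the prefix list when you associate the endpoint with this table.
        routes += [(cidr, "vpce-s3") for cidr in S3_PREFIX_LIST]
    routes.append(("0.0.0.0/0", "nat-gw"))
    return [(ipaddress.ip_network(c), t) for c, t in routes]

def resolve(route_table, dst_ip):
    """Longest-prefix match, as the VPC router does: the most specific route wins,
    so the endpoint's prefixes beat the 0.0.0.0/0 route to the NAT gateway."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, target) for net, target in route_table if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def interface_endpoint_checks(private_dns_enabled, sg_inbound):
    """Two things to verify on an interface endpoint: private DNS, so the service
    hostname resolves to the endpoint ENI instead of the public IP, and a security
    group on the ENI that lets clients in on HTTPS.
    sg_inbound: list of (protocol, port, source_cidr)."""
    problems = []
    if not private_dns_enabled:
        problems.append("private DNS is off: clients still resolve the public service endpoint")
    if not any(p == "tcp" and port == 443 for p, port, _ in sg_inbound):
        problems.append("endpoint security group must allow inbound TCP 443 from the clients")
    return problems

if __name__ == "__main__":
    rt = make_route_table(with_gateway_endpoint=True)
    for dst in ("52.216.10.5", "10.1.4.7", "10.0.5.5", "8.8.8.8"):
        print(dst, "->", resolve(rt, dst))          # vpce-s3, pcx-ab, local, nat-gw
    print(resolve(make_route_table(False), "52.216.10.5"))   # nat-gw: no endpoint route
    print(interface_endpoint_checks(False, [("tcp", 22, "10.0.0.0/16")]))
```

The second resolve call is the failure mode worth remembering: with no gateway endpoint route the S3 request still works, but it silently goes out through the NAT gateway and the internet, so "it works" is not evidence that the endpoint is in use; check the route table for the prefix-list route.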

Connect to on-premises and more (Site-to-Site VPN, Virtual Private Gateway, Customer Gateway)

  • When you have an on-premises data center that you want to connect to AWS, you need a Customer Gateway on the on-premises side and a Virtual Private Gateway on the VPC side. Between them you create a Site-to-Site VPN connection, which carries the traffic over the public internet in encrypted (IPsec) form.

Virtual Private Gateway (VGW)

  • Created and attached to the VPC from which you want to establish the Site-to-Site VPN connection.
  • Pricing: about $36 per month connection fee; for data out, the first 100 GB are free, then $0.09 per GB.

Customer Gateway (CGW)

  • A software application or physical device on the customer side that terminates the VPN connection.

Site-to-Site VPN Connection

  • For the Customer Gateway device (on-premises): if it has a public IP address the setup is simple. If the Customer Gateway has a private IP and sits behind a NAT device with NAT traversal (NAT-T) enabled, use the public IP address of the NAT device.
  • The important step: enable route propagation for the Virtual Private Gateway in the route tables associated with your subnets; otherwise the on-premises CIDRs never appear in them and the traffic follows the default route instead of the tunnel.
  • If you need to ping your EC2 instances from on-premises, make sure ICMP is allowed in the inbound rules of the instance security group.
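The two checks in the list above as an added example, not code from the original article: what route propagation adds to a subnet route table (and what happens when it is off), and whether a security group rule actually admits an ICMP echo request. The VPC and on-premises CIDRs, the vgw-1 / nat-gw / tgw-1 identifiers and the rule sets are constructed for illustration.

```python
# Added example (not from the original article): what enabling route propagation does
# to a subnet route table, and the security-group check that decides whether a ping
# from on-premises reaches an instance. CIDRs, identifiers and rules are constructed.
import ipaddress

# Constructed: prefixes the virtual private gateway learned over the tunnel.
VGW_LEARNED = ["192.168.0.0/16", "172.16.0.0/12"]

def subnet_route_table(propagation_enabled, static_routes=None):
    """Returns {cidr: (target, origin)}. Static entries are written by hand; propagated
    entries appear only when propagation from the VGW is enabled on this route table.
    A static route for the same CIDR takes precedence over the propagated one."""
    routes = {"10.0.0.0/16": ("local", "static"), "0.0.0.0/0": ("nat-gw", "static")}
    routes.update(static_routes or {})
    if propagation_enabled:
        for cidr in VGW_LEARNED:
            routes.setdefault(cidr, ("vgw-1", "propagated"))
    return routes

def reaches_tunnel(route_table, on_prem_ip):
    """True when some route covering on_prem_ip points at the virtual private gateway.
    Without propagation the only covering route is 0.0.0.0/0 -> nat-gw, so packets for
    the data center leave through the NAT gateway and never enter the VPN tunnel."""
    ip = ipaddress.ip_address(on_prem_ip)
    return any(ip in ipaddress.ip_network(cidr) and target.startswith("vgw-")
               for cidr, (target, _) in route_table.items())

def sg_allows_ping(inbound_rules, src_ip):
    """inbound_rules: list of (protocol, from_port, to_port, source_cidr).
    For ICMP, AWS uses from_port as the ICMP type and to_port as the code; -1 means all.
    Echo request is type 8, so either 'all ICMP' or type 8 lets ping in."""
    ip = ipaddress.ip_address(src_ip)
    for proto, from_port, _to_port, cidr in inbound_rules:
        if ip not in ipaddress.ip_network(cidr):
            continue
        if proto == "-1":                          # "all traffic" rule
            return True
        if proto == "icmp" and from_port in (-1, 8):
            return True
    return False

if __name__ == "__main__":
    rt = subnet_route_table(propagation_enabled=True)
    print(rt["192.168.0.0/16"])                                   # ('vgw-1', 'propagated')
    print(reaches_tunnel(rt, "192.168.1.10"))                     # True
    print(reaches_tunnel(subnet_route_table(False), "192.168.1.10"))   # False
    print(sg_allows_ping([("tcp", 22, 22, "192.168.0.0/16")], "192.168.1.10"))   # False
    print(sg_allows_ping([("icmp", -1, -1, "192.168.0.0/16")], "192.168.1.10"))  # True
```

Note the security group rule is scoped to the on-premises CIDR rather than 0.0.0.0/0: the tunnel only carries the propagated prefixes, so there is no reason to accept ICMP from anywhere else.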




AWS VPN CloudHub

  • You have a VPC with a Virtual Private Gateway set up, and multiple customer networks that want to talk to your VPC and to each other.
  • CloudHub is the solution for this use case.
  • The connections between the networks are encrypted and flow over the public internet.
  • A low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only).



Direct Connect (DX)

  • Provides a dedicated private connection from a remote network to your VPC.
  • The dedicated connection must be set up between your data center and an AWS Direct Connect location.
  • You need a virtual private gateway on your VPC.
  • With this setup you can reach public AWS resources (e.g. S3) and private EC2 instances over the same connection.
  • Use cases: higher bandwidth throughput when working with large data sets, and lower network cost when transferring data over DX; a consistent network connection for applications that need stable connectivity; hybrid environments (on-premises + cloud).
  • The data never flows over the public internet. Note that Direct Connect by itself does not encrypt the traffic; if you need encryption in transit, run a Site-to-Site VPN over the Direct Connect link.
  • There are two types of virtual interface: a private virtual interface to connect to a VPC, and a public virtual interface to connect to public AWS services such as Amazon S3.
  • If you want one Direct Connect to reach one or more VPCs in several regions (same account), you must use a Direct Connect Gateway.

A private virtual interface links the Direct Connect connection to one VPC (through that VPC's virtual private gateway). To reach more than one VPC over the same connection, attach the private virtual interface to a Direct Connect Gateway and associate the VPCs' virtual private gateways with it.


Transit Gateway

Peering connections between many VPCs get complicated in terms of network topology: a full mesh needs a separate peering connection for every pair of VPCs. A Transit Gateway makes this communication simpler: each VPC attaches to the gateway once, and the gateway routes between them.

  • It is a regional resource; it can be peered across regions and shared across accounts via Resource Access Manager.
  • You can peer Transit Gateways across regions.
  • Transit Gateway route tables limit which VPCs can talk to which other VPCs.
  • Works with Direct Connect Gateway and VPN connections.
  • It is the only AWS service that supports IP multicast.


Share Direct Connect between multiple accounts

With a Transit Gateway we can connect two or more VPCs from multiple accounts together, which lets them share one Direct Connect connection.
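How Transit Gateway route tables limit which VPCs can talk, as an added example that is not code from the original article. It models the association and propagation settings of a hub-and-spoke layout in which two spoke VPCs may reach a shared-services VPC and the on-premises VPN attachment, but not each other. The attachment identifiers, route-table names and CIDRs are constructed for illustration.

```python
# Added example (not from the original article): a model of Transit Gateway route
# tables showing how association and propagation choices segment traffic.
# Attachment ids, route-table names and CIDRs are constructed for illustration.
import ipaddress

# Constructed attachments: attachment id -> (name, CIDR behind it)
ATTACHMENTS = {
    "tgw-attach-prod":   ("prod",   "10.1.0.0/16"),
    "tgw-attach-dev":    ("dev",    "10.2.0.0/16"),
    "tgw-attach-shared": ("shared", "10.9.0.0/16"),
    "tgw-attach-vpn":    ("onprem", "192.168.0.0/16"),
}

# Each TGW route table lists the attachments associated with it (their outbound
# traffic is looked up here) and the attachments that propagate their CIDRs into it
# (the destinations reachable from here). Spokes never propagate into rt-spokes,
# so prod and dev have no route to each other.
ROUTE_TABLES = {
    "rt-spokes": {"associated": ["tgw-attach-prod", "tgw-attach-dev"],
                  "propagated": ["tgw-attach-shared", "tgw-attach-vpn"]},
    "rt-hub":    {"associated": ["tgw-attach-shared", "tgw-attach-vpn"],
                  "propagated": ["tgw-attach-prod", "tgw-attach-dev",
                                 "tgw-attach-shared", "tgw-attach-vpn"]},
}

def build_routes(rt_name):
    """Expand propagations into {network: attachment} for one TGW route table."""
    return {ipaddress.ip_network(ATTACHMENTS[a][1]): a
            for a in ROUTE_TABLES[rt_name]["propagated"]}

def route_table_for(attachment):
    for name, rt in ROUTE_TABLES.items():
        if attachment in rt["associated"]:
            return name
    raise ValueError(f"{attachment} is not associated with any TGW route table")

def next_attachment(src_attachment, dst_ip):
    """The TGW looks dst_ip up in the route table the source attachment is associated
    with, using longest-prefix match."""
    ip = ipaddress.ip_address(dst_ip)
    routes = build_routes(route_table_for(src_attachment))
    hits = [net for net in routes if ip in net]
    if not hits:
        return None
    return routes[max(hits, key=lambda n: n.prefixlen)]

def can_talk(src_attachment, dst_ip):
    """Traffic flows only if the forward lookup resolves AND the return path exists,
    which is why a one-sided propagation shows up as a blackhole."""
    dst_attachment = next_attachment(src_attachment, dst_ip)
    if dst_attachment is None:
        return False
    src_net = ipaddress.ip_network(ATTACHMENTS[src_attachment][1])
    back = next_attachment(dst_attachment, str(src_net.network_address + 1))
    return back == src_attachment

if __name__ == "__main__":
    print(can_talk("tgw-attach-prod", "10.9.1.1"))      # True: spoke -> shared
    print(can_talk("tgw-attach-prod", "192.168.5.5"))   # True: spoke -> on-prem
    print(can_talk("tgw-attach-prod", "10.2.1.1"))      # False: spoke -> spoke blocked
    print(can_talk("tgw-attach-vpn", "10.2.1.1"))       # True: on-prem -> dev
```

The segmentation comes entirely from what propagates into rt-spokes; if someone later enables propagation from tgw-attach-dev into rt-spokes "to fix a connectivity problem", prod and dev become reachable from each other, so treat TGW propagation changes like firewall rule changes and review them.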
