Skip to main content

The Secret Life of AWS: The Hub and Spoke (AWS Transit Gateway)

-

 

The Secret Life of AWS: The Hub and Spoke (AWS Transit Gateway)

How to scale your network without building a bowl of spaghetti.

#AWS #TransitGateway #Networking #VPC



Part 44 of The Secret Life of AWS

Timothy was staring at a whiteboard covered in lines.

His architecture had grown. He now had five Virtual Private Clouds (VPCs): Checkout, Inventory, Analytics, Shared Services, and Development. He was trying to map out the VPC Peering connections required so they could all communicate privately.

"Checkout needs to talk to Inventory," Timothy muttered, drawing a line. "And Analytics needs to talk to Checkout. But Analytics also needs to talk to Inventory..."

Margaret walked in and looked at the whiteboard. "You are building a Full Mesh network," she observed.

"I have to," Timothy replied, frustrated. "AWS VPC Peering is non-transitive. If Analytics is peered with Checkout, and Checkout is peered with Inventory, Analytics still cannot talk to Inventory through Checkout. I have to draw a direct line between every single one."

"Correct," Margaret said. "Transitive routing is forbidden in VPC Peering for security reasons. Every relationship must be an explicit, one-to-one handshake."

"But the math is terrible!" Timothy pointed to the board. "For 5 VPCs, I need 10 peering connections. If we grow to 10 VPCs, I'll need 45 connections. Every time I add a new VPC, I have to go into the route tables of every other VPC and update them. It is going to look like a bowl of spaghetti."

"It doesn't scale," Margaret agreed. "Point-to-point connections are for small architectures. When you need to scale, you must move to a Hub-and-Spoke model. We need a central router."

The Central Router (AWS Transit Gateway)

Margaret opened the AWS Console and navigated to the VPC dashboard.

"We are going to deploy an AWS Transit Gateway (TGW)," she said. "A Transit Gateway is a highly available, managed cloud router. Instead of peering every VPC to each other, you connect every VPC to the Transit Gateway."

She clicked Create Transit Gateway.

"In a Hub-and-Spoke architecture, the Transit Gateway is the Hub," she explained. "Your VPCs are the spokes. If you have 10 VPCs, you don't need 45 peering connections anymore. You just need 10 attachments to the Hub."

The Attachments

"How do we plug the VPCs into it?" Timothy asked.

"Through Transit Gateway Attachments," Margaret replied.

She navigated to the Attachments tab and created a new one for the Checkout VPC. She selected the VPC and specified which subnets the Transit Gateway should use to route traffic into that specific environment. She repeated this process for the Inventory and Analytics VPCs.

"Each VPC now has a single, dedicated link to the central router," she noted.

Simplifying the Route Tables

"But what about the route tables?" Timothy asked. "I still have to tell the VPCs how to find each other."

"That is the best part," Margaret smiled. "The VPC routing becomes incredibly simple."

She opened the Route Table for the Checkout VPC. Instead of adding a dozen specific CIDR blocks for every other VPC in the company, she added a single summary route:

  • Destination: 10.0.0.0/8 (The entire corporate IP space).
  • Target: tgw-0123456789abcdef0 (The Transit Gateway ID).

"This rule tells the Checkout VPC: 'If you are trying to reach any internal network, just send the packet to the Transit Gateway. The router will figure it out'."

"Notice," Margaret added, "this only works because we designed our AWS organization with a consistent, non-overlapping IP strategy. If our CIDR blocks overlapped, the router wouldn't know where to send the packets."

"Wait," Timothy leaned forward. "If all the VPCs are blindly forwarding traffic to the Transit Gateway, how does the Gateway know where to send it?"

"Because the Transit Gateway has its own Transit Gateway Route Table," Margaret explained. "When you create an attachment, the CIDR block of that VPC propagates into the Gateway's routing table. The router maintains a master map of the entire network."

Control and Expansion

"But what if I don't want the Development VPC talking to the Production VPCs?" Timothy asked. "If it's a hub, isn't everything connected?"

"Not necessarily," Margaret said. "You can create separate routing domains inside the Transit Gateway, or you can add a Blackhole Route to intentionally drop traffic between specific spokes. You still dictate the security boundaries."

Timothy looked at his whiteboard. He erased the chaotic web of 10 intersecting lines. He drew a single circle in the middle—the Transit Gateway—and drew five clean, straight lines pointing to it.

"This is amazing," Timothy said. "What if we acquire a company and their VPC is in a completely different AWS account?"

"You can share the Transit Gateway across accounts using AWS Resource Access Manager (RAM)," Margaret replied. "You can even attach a VPN or Direct Connect to it, making it the perfect landing zone for an on-premises data center."

"If I add a 6th VPC tomorrow," Timothy realized, "I just attach it to the Transit Gateway. I don't have to touch the route tables of the other 5 VPCs at all."

"Exactly," Margaret said. "You have centralized your network management. You are no longer laying point-to-point cables. You have built an enterprise network backbone."

Key Concepts

  • AWS Transit Gateway (TGW): A managed cloud router that connects VPCs and on-premises networks through a central hub, simplifying network topology.
  • Hub-and-Spoke Architecture: A network design where multiple networks (spokes) connect to a central routing location (hub), rather than connecting directly to each other.
  • Full Mesh Topology: A network design where every node connects directly to every other node. It scales poorly, as the number of connections grows exponentially ().
  • Transitive Routing: The ability to route traffic through an intermediate network to reach a final destination. VPC Peering does not support this; Transit Gateway does.
  • Blackhole Route: A routing rule explicitly designed to drop traffic, ensuring strict isolation between specific networks when needed.
  • AWS Resource Access Manager (RAM): A service that allows you to easily and securely share AWS resources (like a Transit Gateway) across different AWS accounts.

Aaron Rose is a software engineer and technology writer at tech-reader.blog and the author of Think Like a Genius.

Comments

Post a Comment

Popular posts from this blog

The New ChatGPT Reason Feature: What It Is and Why You Should Use It

-
Image
The New ChatGPT Reason Feature: What It Is and Why You Should Use It Offers More Than Just a Simple Answer ChatGPT continues to evolve, constantly introducing new features that make user interactions more tailored and insightful. One of the latest additions is the Reason option, which you can access through the slash menu. At its core, this feature gives you more control over the depth of responses, specifically when you’re looking for more than just a simple answer. In this article, we’ll explore what the Reason feature is, where it originated, why it matters, and how you can make the most of it. What Is the Reason Feature? The Reason option prompts ChatGPT to provide a detailed, structured explanation that dives into the reasoning behind an answer. It focuses on giving a logical breakdown of how the conclusion was reached, rather than just providing a surface-level response. Essentially, it’s a way of saying, "I want to understand not just the answer, but the reasoning behind it...
Read more

Insight: The Great Minimal OS Showdown—DietPi vs Raspberry Pi OS Lite

-
Image
Insight: The Great Minimal OS Showdown—DietPi vs Raspberry Pi OS Lite When you're building a headless server, IoT device, or lightweight project box, the last thing you want is bloatware eating your precious resources. Enter the world of minimal operating systems—where every megabyte matters and efficiency reigns supreme. Two contenders dominate this space: DietPi and Raspberry Pi OS Lite. Both promise lean, mean computing machines that boot straight to the command line. But scratch beneath the surface, and you'll find they take fundamentally different approaches to the "less is more" philosophy. The Minimalist's Dilemma Picture this: You've got a Raspberry Pi 3B+ sitting on your desk, destined to become a home media server. Do you go with the familiar comfort of Raspberry Pi OS Lite, or venture into DietPi's optimized territory? The choice isn't just about personal preference—it's about understanding what "minimal" means to each operatin...
Read more

Raspberry Pi Connect vs. RealVNC: A Comprehensive Comparison

-
Image
Raspberry Pi Connect vs. RealVNC:  A  Comprehensive Comparison The Raspberry Pi has revolutionized the way we interact with computers, providing a low-cost, highly adaptable platform for countless applications. One critical aspect of using a Raspberry Pi, especially for remote management and control, is the ability to access it from another device. Historically, RealVNC has been the go-to solution for this purpose. However, the recent introduction of Raspberry Pi Connect offers an integrated alternative. This article will compare Raspberry Pi Connect and RealVNC, exploring their features, requirements, and practical applications. Introduction to Raspberry Pi Connect Raspberry Pi Connect is a new VNC service directly integrated into Raspberry Pi OS 12. Designed for simplicity and ease of use, Connect aims to provide a seamless remote desktop experience for Raspberry Pi users. Currently in beta, Raspberry Pi Connect is free to use and requires a Raspberry Pi 4, 400, or 5 running...
Read more