Module 8 | AWS Cloud Architecting

AWS Cloud Architecting

Network Design of Multiple VPC's

Full Mesh

Hub-and-Spoke

Regular Peering is non-transitive, meaning you must connect all of them together

AWS Transit Gateway

Is a centralized, Regional router to connect VPCs and on-premises networks based on hub-and-spoke architecture
Is a managed AWS service that automatically scales based on the volume of network traffic
Can be peered with other transit gateways in other AWS Regions and AWS accounts
Incurs cost charges based on the number of connections and amount of traffic throughput
Has a Transit Gateway Flow Logs feature to publish transit gateway traffic logs

Centralized routing pattern for outbound traffic

Transit Gateway Peering

Transit gateway example

You must configure the routing tables regardless if it is with a transit gateway or regular peering

VPC Peering

AWS Site-to-Site VPN

Creates a secure connection between an on-premises customer gateway and AWS virtual private gateway (or transit gateway) for VPC access
Creates two encrypted IPsec VPN tunnels for each connection across multiple Availability Zones
Charges for each VPN connection-hour

Creation process (Wilmer Edition <3)

Create a Virtual Private Gateway
1. Attach to a VPC
Create a Customer Gateway
1. If it's a big network BGP may be needed
Create the VPN connection with the Site-to-Site object
1. choose the VPGW
2. Choose the Customer GW
3. Choose the local network it will be on
4. Choose the remote network it will be communicating with
Download the S2S VPN configuration file (a txt file with instructions)
Configure on firewall/edge router

AWS gives the option to create two tunnels (two firewalls or two ISP's)

AWS Global Accelerator

One branch in Canada, one in Zimbabwe:

This can be used to accelerate your Site-to-Site VPN connection.
It uses Global Accelerator to route traffic from your on-premises network to an AWS edge location that is closest to your customer gateway device
Network traffic will be using the AWS backbone infrastructure to efficiently route traffic from the edge location to the transit gateway

Isolating VPCs with full VPN access by using Transit Gateway

AWS Direct Connect

Dedicated connection with optic fiber.
Is a dedicated, private, virtual local area network (VLAN) connection that extends the on-premises network to include AWS resources
Provides a consistent network experience with predictable performance and increased bandwidth and throughput

We can have higher availability using Direct Connect and a VPN... or two Direct Connects.

Provision for redundancy and fault tolerance