AWS Transit Gateways



Transit Gateways are a new introduction within AWS architecture to connect different VPCs together to achieve a more controlled routing behavior. This was earlier being achieved by Transit VPC AWS architecture.

Transit gateway is a regional object and can be understood as a centralized router to which different VPCs connect. AWS IAM can be used to allow access to users to a Transit Gateway.

Presently at the time of writing this article,
  • Maximum of  5000 Attachments are supported per Transit Gateway.
  • Maximum of 5 Transit Gateway attachments are supported per VPC


Following components are required to establish a Transit Gateway:

  • ASN (Autonomous System Number)

This is required to ensure routing between different AS number.
  • Transit Gateway Attachments


There are different ways to connect a VPC or an On-Premise devices to a Transit Gateway. These are called Attachments. There are 2 types of attachments:

VPC Attachment
VPCs can be attached to a Transit Gateway. Only 1 subnet per Availability Zone in a VPC can be connected to a Transit gateway. This remains internal to AWS and can support more bandwidth in comparison to a VPN Attachment. (Maximum bandwidth supported is 50Gbps presently.)

VPN Attachment
This is same as the Site to Site VPN that gets created. This is created to establish connectivity between a Transit Gateway and a virtual appliance within a VPC or a customer gateway and Transit gateway. (Maximum bandwidth supported is 1.25Gbps presently.) 

  • Transit Gateway Route Table


Route Table Association
Transit Gateway Route Table are associated to an Attachment. These provide the next hop attachment details to the associated attachments. A Route Table can be associated with zero to many attachments. But an attachment can be associated with only one Route Table.


Route Table Propagation is used to take care of reverse routing. This helps in ensuring the VPC subnets which can be propagated to an attachment.



  • Direct Connect connectivity with a Transit Gateway
Direct Connect can be connected in 2 different ways to a Transit Gateway. The approach adopted depends on the bandwidth of the Transit gateway. Maximum of 20 AWS Direct Connect gateway per Transit Gateway and 3 Transit Gateway per Direct Connect is supported presently.


For >1Gbps 
Transit Gateway connects to Direct Connect gateway which further connects to Direct Connect Transt Virtual Interface which is associated with a Direct Connect. BGP protocol runs between Direct Connect gateway and the customer router.

For Sub 1Gbps (<1Gbps)
Direct Connects connect to Transit Gateway directly via Public VIFs. This is because Transit VIFs (Virtual Interface) are not possible for sub 1 Gbps rate.


Transit Gateway Creation


VPN ECMP support: Required to combine multiple VPN bandwidth together.

Route Table association: Unchecking the box means no default route table association.

Route Table propagation: Unchecking the box means no default route table propagation.

With this no VPC can talk to each other by default through Transit Gateway.

VPC metrics

Cloudwatch can be used to monitor the following associated Transit gateway metrics :

  • Number of bytes received or sent by Transit Gateway.
  • Number of packets that have gone in or out.
  • Packets dropped because of blackhole.
  • Packets dropped because they didn't have a route.


Comments

Post a Comment

Popular posts from this blog

BUM traffic flow in ACI

Image
BUM traffic flow in ACI (Single Pod) Below article details the insights on the BUM traffic flow within ACI. The article is based on the assumption that reader is aware of the ACI basic terminology. Cisco ACI as understood uses the hardware VTEP Leaf/Spine architecture. Both Leaf and Spine are allocated the VTEP address assigned dynamically from the pool provided in the APIC configuration. ACI works efficiently in a way to reduce the flooding within the ACI fabric. The bridge domain is defined as the broadcast domain within the  ACI architecture. There can exist different EPGs within the same bridge domain. The EPGs within the same bridge domain can be associated with different VLANs. Thus inspite of being in different VLANs the EPGs associated in the same bridge domain are bound to experience flood traffic within the same Bridge domain unlike to the traditional architecture where every VLAN is a different broadcast domain. ACI works on the concept of n...
Read more

Wireless Classification Types

Image
Classification Types Based on Distance  Wireless Personal Area Network (WPAN) Personal Area Network is usually defined as anything at one arm distance from a person. It extends upto 30feet / 10m. Applications such as Infra red, Bluetooth, Passive RFIDs are generally considered in this. Wireless Local Area Network (WLAN) Extending PAN by 10 times approx. makes it within the boundaries of LAN thereby defining its range upto 300 feet / 100m. Cordless phones and Zigbees are its typical examples. Wireless Metropolitan Area Network (WMAN) There is no specific range defined for this but it generally extends to few kms/miles. Cellular, WiMAX are few of its examples. Wireless Wide Area Network (WWAN) This exists beyond a country or nation or entire world. It is generally extended to several hundreds/thousand miles/km. Typical examples include Satellite communication, long range cellular communications.  2.  Based on Modes ...
Read more

Traffic flow within NSX

Image
Below article details the traffic flow that happens within NSX Host preparation process during NSX installation creates the VXLAN (netcpa) and firewall (vsfwd) capabilities within every host or cluster. Thus every host gets ready to operate NSX attributes. Transport Zone are considered as the boundary of the VXLANs or the logical switches. Whenever a logical switch is created it is attached to a Transport Zone (Global or Universal). Since the hosts or the clusters are VXLAN ready thus they communicate with NSX Controllers through User World Agent (UWA) process that operates via netcpa services. NSX Controllers are privotal in NSX architecture and are part of control plane of NSX architecture as they build and retain VTEP table, MAC table and ARP table for every VNI or VXLAN. In case any host that is not having any of these information first contacts NSX Controllers to gain respective destination MAC/IP details. NSX Controllers on the other hand build these tables (VTEP tabl...
Read more