All you need to know about Networking in AWS VPC - Part 2

In the last 2 blogs, we covered topics on AWS VPC and its networking. Today we will look at some of the advanced networking features available in VPC.

VPC peering

VPC peering in AWS connects two Virtual Private Clouds (VPCs), allowing them to communicate using private IP addresses. It is a one-to-one relationship between 2 VPCs. This connection can be made within the same AWS region or across different regions.

Follow the below steps to establish a VPC peering connection:

  1. Owner sends a request to create VPC peering connection.

  2. Owner of peer VPC accepts connection request to activate.

  3. To enable flow of traffic, add a route pointing to IP address range of peer VPC.

  4. Update security group rules.

There is a limit on the number of active and pending VPC peering connections that you can have per VPC. VPC peering does not support transitive peering relationships. In a VPC peering connection, your VPC will not have access to any other VPCs that the peer VPC might be peered with. This includes VPC peering connections that are established entirely within your own account.

You can't have more than one VPC peering connection between the same two VPCs at the same time. The Maximum Transmission Unit (MTU) across a VPC peering connection is 1500 bytes. A placement group can span peered VPCs. However, you will not get full bisection bandwidth between instances in peered VPCs. Unicast reverse path forwarding is not supported in VPC peering connections.
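The routing step and the non-transitivity rule above can be checked mechanically. The following is an added example, not part of the original post: it audits sample data shaped like the EC2 DescribeVpcPeeringConnections and DescribeRouteTables responses, flagging peering routes whose destination lies outside the peer VPC's CIDR (an attempt at transitive routing) and active peerings that lack a route on one side. The VPC IDs, CIDRs and function names are made up, and each VPC is assumed to have a single IPv4 CIDR.

```python
import ipaddress

# Constructed sample data, shaped like the EC2 DescribeVpcPeeringConnections and
# DescribeRouteTables responses; all IDs and CIDRs are made up.
PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-ab", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-a", "CidrBlock": "10.0.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-b", "CidrBlock": "10.1.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-bc", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-b", "CidrBlock": "10.1.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-c", "CidrBlock": "10.2.0.0/16"}},
]
ROUTE_TABLES = [
    {"VpcId": "vpc-a", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-ab"},
        # Tries to reach vpc-c through vpc-b; peering is not transitive.
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-ab"}]},
    {"VpcId": "vpc-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-ab"}]},
    {"VpcId": "vpc-c", "Routes": []},
]

def other_side(pcx, vpc_id):
    """Return the VPC info on the far end of the peering from vpc_id."""
    req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
    return acc if req["VpcId"] == vpc_id else req

def audit_peering(peerings, route_tables):
    """Return (kind, vpc_id, pcx_id, cidr) findings for active peerings."""
    active = {p["VpcPeeringConnectionId"]: p for p in peerings
              if p["Status"]["Code"] == "active"}
    findings, routed = [], set()
    for rt in route_tables:
        for route in rt["Routes"]:
            pcx_id = route.get("VpcPeeringConnectionId")
            if pcx_id not in active or "DestinationCidrBlock" not in route:
                continue  # local, gateway, non-IPv4 or inactive-peering route
            dest = ipaddress.ip_network(route["DestinationCidrBlock"])
            peer = other_side(active[pcx_id], rt["VpcId"])
            if dest.subnet_of(ipaddress.ip_network(peer["CidrBlock"])):
                routed.add((rt["VpcId"], pcx_id))
            else:  # destination is not in the directly peered VPC
                findings.append(("outside-peer-cidr", rt["VpcId"], pcx_id, str(dest)))
    for pcx_id, pcx in active.items():
        for side in (pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]):
            if (side["VpcId"], pcx_id) not in routed:  # no route to the peer CIDR
                peer = other_side(pcx, side["VpcId"])
                findings.append(("missing-route", side["VpcId"], pcx_id, peer["CidrBlock"]))
    return findings
```

For the sample data, the audit reports the vpc-a route to 10.2.0.0/16 as outside the peer's CIDR and reports that neither side of pcx-bc has a route to the other.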

Benefits of VPC peering:

Cost-efficiency: No data transfer fees for traffic between peered VPCs in the same region. Inter-region peering incurs standard inter-region data transfer costs.

Simplified Networking: Creates a flat network design where resources in different VPCs can communicate seamlessly.

Virtual Private Network (VPN):

A VPN in AWS VPC is a secure connection between your on-premises network (or another VPC) and your AWS VPC over the internet. It ensures that data transmitted between these networks is encrypted and secure.

Types of VPN:

  1. Site-to-Site VPN: Connects your on-premises network to your AWS VPC.

  2. Client VPN: Allows remote clients to securely connect to AWS resources.

Configuration components of VPN:

  1. Customer Gateway (CGW): It represents the on-premises device on AWS.

  2. Virtual Private Gateway (VGW): It is the VPN concentrator on the AWS side of the VPN connection.

  3. VPN connection: The actual VPN tunnel established between VGW and CGW.

How to configure a VPN connection -

  1. Create a customer gateway.

  2. Create a Virtual Private Gateway and attach it to your VPC.

  3. Establish a VPN connection between the CGW and VGW. This includes configuring the IPSec parameters.

  4. Update route tables to ensure the route tables in your VPC direct traffic through the VPN connection.

  5. Set up your on-premises device using the configuration details provided by AWS (including IP addresses, pre-shared keys and tunnel parameters).

Routing options for VPN:

  1. Static Routing: Manually specify the routes for your VPN connection.

  2. Dynamic Routing: Use BGP to automatically exchange routing information.

By using a VPN in AWS VPC, you can securely connect your on-premises infrastructure to your AWS resources, creating a cohesive and secure hybrid network environment.

AWS Direct Connect

AWS Direct Connect is a service that falls under the category of Hybrid Cloud Connectivity. It provides a dedicated, private network connection from your on-premises data center or office to AWS.

Configuration components of Direct Connect:

  1. Direct Connect Location: It is a physical location where AWS Direct Connect is available.

  2. Virtual Interfaces: Logical interfaces used to connect to AWS services. There are 2 types:

     Private VIF: Connects to a VPC.

     Public VIF: Connects to public AWS services such as S3 or EC2 over public IP addresses.

  3. Direct Connect Gateway: It allows you to connect multiple VPCs across different regions from a single Direct Connect connection.

How to configure Direct Connect -

  1. Order a Direct Connect connection through AWS management console.

  2. Work with a network provider to establish the physical connection to the Direct Connect Location.

  3. Set up private or public virtual interfaces to connect to your VPC or other AWS services.

  4. Configure your on-premises network to connect to AWS through the Direct Connect connection.

  5. Use AWS management console and CloudWatch to monitor and verify the performance and status of the connection.

AWS managed VPN supports up to 1.25 Gbps throughput per VPN tunnel. If AWS Direct Connect fails, use internet backup for public VIF connections and VPN backup for private VIF connections.

AWS Transit Gateway:

It is a network transit hub that enables you to connect multiple VPCs and on-premises networks via a single gateway. It simplifies your network architecture by allowing VPCs to communicate through a central hub, reducing the need for complex peering relationships.

Transit Gateway supports AWS Direct Connect and VPN connections, providing scalable and secure communication. It also facilitates inter-region VPC peering and shared services access. Using the route tables, you can manage traffic flows and control connectivity. This service is ideal for large-scale and complex network topologies.

VPC best practices:

  1. Choose CIDR or IP address ranges wisely.

  2. Use subnets to divide resources based on access.

  3. Use multi-AZ deployments in VPC for high availability.

  4. Use security groups to control traffic between resources.

  5. Use VPC flow logs to track and monitor your VPC traffic.

  6. Check the health of your VPN link via API calls or the AWS management console.
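To make the flow log practice concrete, here is an added example (not part of the original post) that parses records in the default version 2 VPC flow log format and reports sources in a peer VPC or on-premises range that were REJECTed on several distinct destination/port pairs, a common sign of probing across a peering or VPN link. The sample records, CIDRs, threshold and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: 10.0.0.0/16 is the local VPC, 10.1.0.0/16 a peer VPC.
SAMPLE = """\
2 123456789012 eni-0a1 10.1.4.7 10.0.1.20 49152 443 6 12 4300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.1.4.7 10.0.1.20 49153 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1 10.1.4.7 10.0.1.20 49154 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1 10.1.4.7 10.0.1.21 49155 3306 6 1 40 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a2 10.0.1.20 10.0.1.21 50000 5432 6 9 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a2 - - - - - - - 1700000060 1700000120 - NODATA
"""

def parse(line):
    """Split one record into a dict; return None for NODATA/SKIPDATA/malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def rejected_from_remote(text, remote_cidrs, min_targets=3):
    """Map each remote source IP to the sorted (dstaddr, dstport) pairs it was
    REJECTed on, keeping only sources with at least min_targets distinct pairs."""
    nets = [ipaddress.ip_network(c) for c in remote_cidrs]
    hits = defaultdict(set)
    for rec in filter(None, map(parse, text.splitlines())):
        src = ipaddress.ip_address(rec["srcaddr"])
        if rec["action"] == "REJECT" and any(src in n for n in nets):
            hits[rec["srcaddr"]].add((rec["dstaddr"], int(rec["dstport"])))
    return {ip: sorted(t) for ip, t in hits.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for ip, targets in rejected_from_remote(SAMPLE, ["10.1.0.0/16"]).items():
        print(ip, targets)
```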


Written by

Roopa Rani Mathew