Thursday, January 17, 2019

AWS: On-prem to cloud using Transit VPC or Transit Gateway, difference?

Hi!

I want to deep-dive into two products from AWS - coming from only using their regular Virtual Private Gateway with lots of IPSec VPN tunnels, per AWS region, with BGP routing.
I'm very familiar with Google Cloud's "Cloud Router" and what it can do, and their shared VPC (old name XPN) with the option of using Global Dynamic Routing.

In late November 2018, Amazon released a feature called "Transit Gateway":
https://aws.amazon.com/blogs/aws/new-use-an-aws-transit-gateway-to-simplify-your-network-architecture/

Transit Gateway is currently not available in all regions, and it does not support Direct Connect at the moment.
The article does say "Direct Connect – We are working on support for AWS Direct Connect" though.

Then there's the "standard" way called "Transit VPC":
https://aws.amazon.com/answers/networking/aws-global-transit-network/

Transit VPC is available in all regions AFAIK, and it does support Direct Connect.

This is my current understanding of the two:
- Transit Gateway is a new, easier option for smaller businesses that might want to connect a datacenter and a couple of branch offices. There may not be a dedicated network team in-house.
It has limitations such as 1.25 Gbit/s per VPN tunnel (aggregate throughput can be scaled by adding tunnels and using ECMP), but keep in mind that a single flow will always be limited to 1.25 Gbit/s. I'm wondering if this is dedicated capacity per Transit Gateway though, or shared with other customers?
Another limitation is 10,000 routes.

- Transit VPC is a more scalable and advanced option, involving Cisco CSR1000V (virtual) routers.
It targets customers with multiple datacenters carrying production traffic between on-prem and cloud, plus multiple branch offices. Probably only dynamic routing. Definitely has a dedicated network team in-house.
In terms of limitations, CSR1000V performance depends on the instance size you deploy it on.
For IPSec VPN, the page mentions, for example, "c4.4xlarge for up to 4.5Gbps".
The instance is controlled by, and dedicated to, the customer.
I'm not sure of the route limits.

Do you think this is a good understanding?
When should a customer choose the new Transit Gateway over traditional Transit VPC? Or possibly even combine them?
Another thought is that Google Cloud has come much further in terms of connecting on-prem to its cloud.

For anyone reading this, I found that this existing thread is also interesting:
https://www.reddit.com/r/aws/comments/71nl8p/thoughts_on_transit_vpcs/
