[ AWS Transit VPC ]: Introduction to Transit VPC inside AWS

This post is part 1 of a 4-part series on Transit VPCs. Across the series we will cover the following topics:

  • Definition of Transit VPCs
  • The business use cases of having Transit VPCs
  • The technical use cases of having Transit VPCs
  • The way Transit VPCs are configured
  • Other similar Transit VPC solutions out there
  • Why we chose to use Juniper vSRX as our hub firewall
  • How we pieced it all together

Transit VPC is a concept of having a Virtual Private Cloud (VPC) network with virtualized firewalls hosted inside Amazon.com’s cloud computing platform, Amazon Web Services (AWS). The Transit VPC acts as the hub for all traffic passing between the Spoke VPCs and the on-premise customer datacenter. Thus, traffic between Spoke-VPC-A and the on-premise datacenter passes through the Transit VPC, as does the traffic between Spoke-VPC-C and Spoke-VPC-F.

At a high level, the diagram below shows the hub-and-spoke relationship between the Transit VPC, the Spoke VPCs and the on-premise datacenter owned by the customer. The on-premise customer datacenter is itself a “Spoke” from the perspective of the firewall inside the Transit VPC, with similar security and routing policies applied to it.

The Transit VPC (just like any other VPC created inside an AWS environment) consists of a VPC network and is defined by a supernet that is split into two or more subnets. Each of these subnets is then, in turn, associated with its own route tables and security groups.

The Transit VPC is defined for an AWS Region, with the VPC subnets divided equally between two Availability Zones in that Region. Spreading the subnets across two Availability Zones provides the redundancy needed for high availability.

The Transit VPC is orchestrated and brought online using custom CloudFormation templates. The parameters for creating the components of Transit VPC are defined in the CloudFormation template.
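The structure described above (one supernet split into subnets across two Availability Zones, each subnet with its own route table, plus a security group for the hub firewall) can be expressed as a CloudFormation template. The template below is an added illustration and is not Serro's own template; the CIDR ranges are constructed placeholders, the `OnPremCidr` parameter and the IKE/NAT-T ingress rules are assumptions about how the hub firewall is reached, and the firewall instances themselves are deliberately left out.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Illustrative Transit VPC skeleton (added example, not Serro's template):
  one supernet split into two subnets, one per Availability Zone, each with
  its own route table, plus a least-privilege security group for the hub
  firewall interfaces. All CIDRs are constructed placeholders.

Parameters:
  VpcCidr:
    Type: String
    Default: 10.255.0.0/23         # placeholder supernet for the whole Transit VPC
  SubnetCidrAz1:
    Type: String
    Default: 10.255.0.0/24         # first half of the supernet, placed in AZ 1
  SubnetCidrAz2:
    Type: String
    Default: 10.255.1.0/24         # second half of the supernet, placed in AZ 2
  OnPremCidr:
    Type: String
    Default: 192.0.2.0/24          # placeholder (TEST-NET-1); replace with the real peer range
    Description: Assumed public range of the on-premise VPN peer allowed to reach the firewall

Resources:
  TransitVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: transit-vpc

  # One subnet per Availability Zone. !GetAZs '' lists the AZs of the region
  # the stack is created in, so the template is not tied to a single region.
  TransitSubnetAz1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref TransitVpc
      CidrBlock: !Ref SubnetCidrAz1
      AvailabilityZone: !Select [0, !GetAZs '']
  TransitSubnetAz2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref TransitVpc
      CidrBlock: !Ref SubnetCidrAz2
      AvailabilityZone: !Select [1, !GetAZs '']

  # A dedicated route table per subnet, so each AZ's routing can be managed
  # independently (routes toward the firewall interfaces are added later).
  RouteTableAz1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref TransitVpc
  RouteTableAz1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref TransitSubnetAz1
      RouteTableId: !Ref RouteTableAz1
  RouteTableAz2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref TransitVpc
  RouteTableAz2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref TransitSubnetAz2
      RouteTableId: !Ref RouteTableAz2

  # Security group for the hub firewall's network interfaces. Inbound is
  # default-deny; only IKE (UDP/500) and NAT-T (UDP/4500) from the declared
  # on-premise range are permitted, never 0.0.0.0/0. (Assumption: the
  # on-premise datacenter connects to the hub firewall over IPsec.)
  FirewallSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Hub firewall interfaces - IPsec peers only
      VpcId: !Ref TransitVpc
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 500
          ToPort: 500
          CidrIp: !Ref OnPremCidr
        - IpProtocol: udp
          FromPort: 4500
          ToPort: 4500
          CidrIp: !Ref OnPremCidr

Outputs:
  TransitVpcId:
    Value: !Ref TransitVpc
  TransitSubnetIds:
    Value: !Join [',', [!Ref TransitSubnetAz1, !Ref TransitSubnetAz2]]
  FirewallSecurityGroupId:
    Value: !Ref FirewallSecurityGroup
```

The security group is the part worth checking before deployment: a transit hub is reachable from every spoke and from on-premise, so its inbound rules should name the specific peer ranges and ports, and any later change that widens `CidrIp` to `0.0.0.0/0` should be caught in template review.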

In the upcoming blog posts, we’ll be covering the following topics:

  • Various use cases for Transit VPC
  • The configuration of Transit VPC using CloudFormation
  • The configuration of the vSRX firewall inside the Transit VPC
  • Bringing up the connectivity towards the Spoke VPC Virtual Private Gateways


About the Author

Shreyans has been a Solutions Engineer at Serro since early 2014. He has a Master of Science in Electrical Engineering from San Jose State University. His experience includes enterprise, data center and service provider routing, switching and security solutions across multiple vendors (Juniper Networks, Cisco, Palo Alto Networks, Brocade and Huawei), as well as cloud computing solutions like Amazon Web Services and OpenStack. In his free time, Shreyans takes pictures of landscapes around the Bay Area, with the Golden Gate Bridge being his muse. He can be found on social media on LinkedIn and on Instagram.