Last Updated: 14/05/2024
Another one of those Architectures where I’ve seen the Good, the Bad and the Ugly. This is one of the most common Architectures that I see designed poorly and not working as intended, and that’s because there are a fair few concepts to understand about Transit Gateways. If you still don’t quite know how to design Transit Gateways and their Route Tables, you’re in the right place.
Q: Why do you only have one Transit Gateway, surely that’s a single point of failure?
A: Nope, under the hood they are highly redundant. For a Multi-AZ deployed Transit Gateway, AWS offer a 99.99% SLA and for a Single-AZ deployed Transit Gateway, AWS offer a 99.9% SLA.
Q: I want to separate out my Production and Non-Production Traffic, should I use multiple Transit Gateways?
A: No need. All you need to do is not propagate the Production and Non-Production VPC CIDRs into each other’s Transit Gateway Route Tables: the Route Table associated with the Production attachment only learns Production CIDRs, and the one associated with the Non-Production attachment only learns Non-Production CIDRs. If you want to allow this traffic on an exceptional basis, but still inspect it via a Next-Generation Firewall, this is possible. In the TGW Route Table associated with each of your two attachments you will need to put a static route for the other’s CIDRs with the next hop as the Inspection VPC’s Transit Gateway Attachment. Once inspected and returned to the Transit Gateway, the traffic should use a different Route Table, let’s call it the Inspection TGW Route Table. Within the Inspection TGW Route Table you propagate the Production and Non-Production VPC CIDRs (from the TGW Attachments), which allows the return traffic to reach its destination. One super important note: you need to enable Appliance Mode on the Inspection VPC’s Transit Gateway Attachment, which can only be done via the AWS CLI. This ensures the traffic is symmetrically routed back via the same Firewall; otherwise you get asymmetric routing and the traffic will be dropped. You can enable it with the following command: aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <tgw-attach-xyx> --options ApplianceModeSupport="enable"
Update 14/05/2024: Appliance Mode can now be enabled via the AWS Console, AWS SDK and even CloudFormation when creating the attachment!
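As an added illustration (not code from the original post), here is a small Python model of the lookup the Transit Gateway performs for the design above: a packet entering from an attachment is resolved in the Route Table associated with that attachment, so Production and Non-Production stay isolated until a static route hands the flow to the Inspection attachment, and the return leg is resolved in the Inspection TGW Route Table. All CIDRs and attachment names are constructed.

```python
import ipaddress
# Constructed model (not code from the original post) of how a Transit Gateway
# picks a next hop: a packet entering from an attachment is looked up in the TGW
# route table ASSOCIATED with that attachment, longest prefix wins, and static
# and propagated routes share the same table. CIDRs/attachment IDs are made up.
PROD_VPC, NONPROD_VPC = "10.1.0.0/16", "10.2.0.0/16"
ATT_PROD, ATT_NONPROD, ATT_INSPECT = "tgw-attach-prod", "tgw-attach-nonprod", "tgw-attach-inspect"
class TgwRouteTable:
    def __init__(self, name):
        self.name = name
        self.routes = []                           # (network, next-hop attachment)

    def propagate(self, cidr, attachment):         # route learned from a VPC attachment
        self.routes.append((ipaddress.ip_network(cidr), attachment))

    def add_static(self, cidr, attachment):        # route you type in by hand
        self.routes.append((ipaddress.ip_network(cidr), attachment))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(n, a) for n, a in self.routes if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None  # None = dropped

def build(allow_via_firewall):
    """Return {attachment: associated route table} for the Prod/Non-Prod/Inspection design."""
    prod_rt, nonprod_rt, inspect_rt = (TgwRouteTable(n) for n in ("prod", "nonprod", "inspection"))
    prod_rt.propagate(PROD_VPC, ATT_PROD)          # each side only learns its own CIDRs,
    nonprod_rt.propagate(NONPROD_VPC, ATT_NONPROD) # so there is no Prod <-> Non-Prod route
    inspect_rt.propagate(PROD_VPC, ATT_PROD)       # the Inspection table learns both,
    inspect_rt.propagate(NONPROD_VPC, ATT_NONPROD) # which carries the post-firewall leg
    if allow_via_firewall:                         # the "exceptional basis" static routes
        prod_rt.add_static(NONPROD_VPC, ATT_INSPECT)
        nonprod_rt.add_static(PROD_VPC, ATT_INSPECT)
    return {ATT_PROD: prod_rt, ATT_NONPROD: nonprod_rt, ATT_INSPECT: inspect_rt}

def trace(assoc, ingress, dst):
    """Hop through the TGW; returns the egress attachments taken, ending in None if dropped."""
    path, hop = [], ingress
    for _ in range(4):                             # guard against route loops
        nxt = assoc[hop].lookup(dst)
        path.append(nxt)
        if nxt != ATT_INSPECT:
            return path
        hop = nxt     # firewall hands the packet back in via the inspection attachment
    return path

if __name__ == "__main__":
    print(trace(build(False), ATT_PROD, "10.2.0.5"))   # [None] -> isolated, dropped
    print(trace(build(True), ATT_PROD, "10.2.0.5"))    # ['tgw-attach-inspect', 'tgw-attach-nonprod']
```

The model deliberately ignores Appliance Mode: it only decides which attachment gets the packet, not which AZ and hence which firewall instance, which is exactly the symmetry problem Appliance Mode exists to solve.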
Q: Shall I migrate my Firewalls to use the Gateway Load Balancer instead of having IPSEC tunnels to the Transit Gateway?
A: If you can, yes. IPSEC tunnels come with a bandwidth limitation of 1.25Gbps, though on Transit Gateways you can scale this using ECMP across multiple tunnels. The Gateway Load Balancer was created to address some of these architectural challenges by leveraging the GENEVE encapsulation protocol, and the GWLB presents itself as a routable target (via GWLB VPC Endpoints) in VPC Route Tables, which is not possible with ALBs or NLBs. This is because ALBs and NLBs have the concept of listeners, and given there are 65,000+ ports, that is a bit of a problem. With GENEVE this isn’t an issue, as all traffic is encapsulated and forwarded to the Firewall over UDP 6081.