Aviatrix Answers

How do Aviatrix Security Domains and Connection Policies help orchestrate and simplify cloud network connectivity when using native AWS Transit Gateway?


Key Concepts

AWS Transit Gateway (TGW) is a service that enables connectivity across multiple VPCs and on-premises networks. It also supports network segmentation by letting users group VPCs into defined route domains.

When using TGW, multiple VPCs can be grouped together into route domains. Similar to virtual routing and forwarding (VRF) instances in traditional networks, a route domain is a conceptual group of VPCs and/or VPNs attached to a single route table. Via route propagation, a user can enable VPCs in that route domain to talk to each other. Each route domain has a route table associated with it in the TGW. Every time a new spoke VPC is added to that route domain, the VPC route tables need to be updated so that instances in the newly added spoke VPC can talk to instances in the other spoke VPCs of the same route domain. Of course, route domains also provide isolation from other route domains.

Updating route tables every time a new VPC or a new route domain is added to the current network setup is cumbersome and time consuming. The problem grows dramatically if you have multiple VPCs and TGWs that need to be connected.

Another problem arises when two different route domains need to talk to each other. Although you can connect route domains using AWS route propagation, you still need to manually update all the associated TGW route tables and VPC route tables to enable communication across route domains.

Aviatrix makes the route domain and propagation process much simpler with the Aviatrix Software-Defined Cloud Router (managed from the AVX Controller console), which fully orchestrates the AWS TGW using the Aviatrix Security Domain and Connection Policy concepts.

A Security Domain is an enforced network of member VPCs attached to the same route table. Member VPCs have connectivity to each other; VPCs outside the domain cannot connect to them. A Security Domain is an instantiation of the TGW Route Domain concept, and it enables VPC segmentation through TGW. For example, you can have “dev”, “prod” and “test” security domains to isolate your development, production and test environments in your AWS cloud. In this scenario, the VPCs in the dev security domain cannot talk to VPCs in the prod and test security domains. A security domain can have one or more spoke VPCs as its members, and VPCs within a security domain communicate with each other via TGW.

Now, every time a new spoke VPC is added to a Security Domain, Aviatrix automatically propagates the routes and performs all route table updates so that all instances in the newly added spoke VPC can talk to instances in the other spoke VPCs within that security domain. Also, if two security domains need to talk to each other, Aviatrix establishes the connectivity and updates all the associated route tables.

By default, security domains are independent and not connected to each other, i.e. the spoke VPCs in one security domain cannot talk to spoke VPCs in other domains. However, if required, Aviatrix can enable connectivity between security domains through policy-based route updates, using connection policies.

A Connection Policy is enforced cross-Security Domain connectivity, implemented with TGW route table propagation. If two security domains are connected through a connection policy, spoke VPCs in both security domains can talk to each other. The connection policy is applied at the security domain level, which avoids specifying connections at the individual VPC level.

A simple way to think about this is:

Aviatrix Security Domain = TGW Route Domain + Dynamic Route Propagation of Spoke VPCs
Aviatrix Connection Policy = TGW Route Table Propagation + Policy based route updates

When a TGW is created using the AVX Controller, three security domains are created by default.

  • Default Security Domain – A default security domain is created whenever you create a TGW using the Aviatrix Controller. If you do not plan on building any VPC network segmentation, you can use the default domain for inter-Spoke-VPC and hybrid communications. This essentially creates a mesh network in which every VPC can talk to every other VPC.
  • Shared Service Security Domain – When a TGW is created by the AVX Controller, the Shared Service Security Domain is created, and a corresponding route table is created on the TGW. You can attach a Spoke VPC to this domain and host your shared service instances there, such as your DevOps tools. The Shared Service Security Domain is always connected to the Default Security Domain and the Aviatrix Edge Security Domain.
  • Aviatrix Edge Security Domain – When a TGW is created by the AVX Controller, the Aviatrix Edge Domain is created, and a corresponding route table is created on the TGW. The Aviatrix Edge Domain is designated for connecting VPCs to the on-premises network. There must be one VPC attached to this domain; in that VPC, an Aviatrix Transit GW is deployed to forward data traffic between Spoke VPCs and the on-premises network. The Aviatrix Edge Security Domain is always connected to the Shared Service Security Domain and the Default Security Domain.

In addition to the above three security domains, you can easily create additional security domains based on your network needs and establish connection policies among them.
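As an added example (not Aviatrix's or AWS's code), a small Python model of the semantics described above: domain membership plus connection policies determine which routes are propagated into each domain's TGW route table, and a check confirms that domains meant to stay isolated really are. The domain names beyond the three built-in ones, the VPC names and the CIDRs are constructed.

```python
# Added example (not Aviatrix code): a small model of the Security Domain and
# Connection Policy semantics described above. It derives the routes that land in
# each domain's TGW route table and checks segmentation. All names/CIDRs are constructed.

# Membership: security domain -> {spoke VPC: CIDR}. The three built-in domains
# plus the dev/prod/test domains from the text.
MEMBERS = {
    "Default":        {"vpc-default-1": "10.0.0.0/16"},
    "Shared_Service": {"vpc-devops": "10.1.0.0/16"},
    "Aviatrix_Edge":  {"vpc-transit": "10.2.0.0/16"},
    "dev":            {"vpc-dev-a": "10.10.0.0/16", "vpc-dev-b": "10.11.0.0/16"},
    "prod":           {"vpc-prod-a": "10.20.0.0/16"},
    "test":           {"vpc-test-a": "10.30.0.0/16"},
}

# Connection policies that exist by default: Shared Service <-> Default,
# Shared Service <-> Edge, Edge <-> Default. Policies are symmetric, so frozensets.
DEFAULT_POLICIES = {
    frozenset({"Shared_Service", "Default"}),
    frozenset({"Shared_Service", "Aviatrix_Edge"}),
    frozenset({"Aviatrix_Edge", "Default"}),
}

def route_tables(members, policies):
    """Return {domain: {cidr: vpc}}: the routes propagated into each domain's
    TGW route table, i.e. its own members plus the members of every domain it
    has a connection policy with (dynamic propagation of spoke VPCs)."""
    tables = {}
    for dom in members:
        connected = {dom} | {other for pol in policies if dom in pol for other in pol}
        tables[dom] = {cidr: vpc for d in connected for vpc, cidr in members[d].items()}
    return tables

def domain_of(members, vpc):
    """Security domain that a spoke VPC belongs to."""
    return next(dom for dom, vpcs in members.items() if vpc in vpcs)

def can_reach(members, policies, src_vpc, dst_vpc):
    """True if src's domain route table carries a route to dst's CIDR."""
    src_table = route_tables(members, policies)[domain_of(members, src_vpc)]
    return members[domain_of(members, dst_vpc)][dst_vpc] in src_table

def isolation_violations(members, policies, isolated_pairs):
    """Domain pairs that were meant to stay isolated but now share routes,
    e.g. after someone added a dev<->prod connection policy by mistake."""
    tables = route_tables(members, policies)
    return [(a, b) for a, b in isolated_pairs
            if any(cidr in tables[a] for cidr in members[b].values())]
```

Note that connectivity is not transitive: connecting dev to Shared Service does not give dev a route to the Edge domain, which matches per-pair route table propagation.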

In summary, the Aviatrix orchestrator (available in the AVX Controller) simplifies and extends the AWS TGW through dynamic route propagation, policy abstraction and simplified operations from a single pane of glass.

For a demo, or to dive deeper into this topic, email Info@aviatrix.com or visit www.aviatrix.com and start a web chat conversation with an expert now.