Aviatrix Answers

How do I connect SaaS applications to customer on-premise sites using AWS Transit Gateway (TGW)?

Key Concepts

Vendors hosting SaaS applications in AWS often require secure connectivity to customer premises, whether to reach on-premises data sources from the cloud application or to connect on-premises clients to cloud instances.

Traditionally, customers have used AWS-managed Virtual Private Gateways (VGWs) to build IPsec tunnels for this purpose. The VGW comes with several limitations, detailed here. To overcome these limitations and give their customers a complete solution, SaaS vendors have used Aviatrix Gateways for "secure customer connectivity".

As the SaaS solution evolves, new architectural requirements appear, and some of them have networking consequences. A common example is the SaaS solution growing to span multiple VPCs: every customer now needs access to several VPCs, and, depending on whether the application is multi-tenant or single-tenant, multiple customers will need access to their respective VPCs, with that access controlled by policy.

This is where the AWS Transit Gateway (TGW) becomes valuable. This AWS-native gateway lets you connect hundreds or even thousands of VPCs together and connect those VPCs to edge locations. It also provides route domains (loosely equivalent to VRFs, for the networking folks) to segregate groups of VPCs from each other.

When connecting multiple sets of VPCs to multiple clients via a central hub, there are key requirements that need to be met:

  1. Ability to expose only the required VPC instances/subnets to the customer premises.
  2. Ensure segregation between VPC groups that belong to different tenants.
  3. Create encrypted communication (IPsec tunnels) to customer locations.
  4. Ability to mask internal IP spaces from customer networks.
  5. Ability to monitor, alert and troubleshoot on connectivity changes.
  6. Ability to insert 3rd party firewalls for advanced threat detection.

The native AWS Transit Gateway (TGW) alone does not meet all of these requirements. For example, there is no way to NAT or otherwise mask your IP ranges from customer networks using the TGW. TGW operations also leave functional gaps, such as no way to log packets or troubleshoot problems. For precisely these reasons, AWS recommends Aviatrix's easy-to-use AWS Transit Gateway (TGW) Orchestrator to fill these critical gaps.

The diagram below represents a proven way to implement these SaaS connectivity requirements. The Aviatrix Controller completes AWS Transit Gateway (TGW) operations with security domains and connection policies. The Aviatrix Edge VPC gives your SaaS connectivity architecture a place to insert network constructs such as source NAT and 3rd-party firewalls.

If applications are multi-tenant, you can lay out your security domains in terms of applications that need to be delivered.
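The segregation that route domains and connection policies provide can be checked rather than assumed. The following Python example is added here and is not Aviatrix's or AWS's code: it models each route domain as a TGW route table (a list of prefix-to-attachment routes), declares a connection policy of allowed domain pairs, and reports every route that would forward one tenant's traffic into a domain the policy does not permit. All attachment IDs, CIDRs and domain names are constructed for the example, and the data shape only loosely mirrors what the AWS route-table APIs return; the stray TenantB route is deliberately planted so the check has something to find.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the article or the AWS API): each TGW
# attachment is a VPC with its CIDR and the route domain (TGW route table)
# it is associated with.
ATTACHMENTS: Dict[str, Dict[str, str]] = {
    "tgw-attach-edge":    {"cidr": "10.0.0.0/16", "domain": "Edge"},
    "tgw-attach-tenanta": {"cidr": "10.1.0.0/16", "domain": "TenantA"},
    "tgw-attach-tenantb": {"cidr": "10.2.0.0/16", "domain": "TenantB"},
}

# One route table per domain: (prefix, target attachment); a target of None
# stands for a blackhole route. The TenantB table carries a stray route to
# TenantA, constructed to show what the check catches.
ROUTE_TABLES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "Edge":    [("10.1.0.0/16", "tgw-attach-tenanta"),
                ("10.2.0.0/16", "tgw-attach-tenantb")],
    "TenantA": [("0.0.0.0/0", "tgw-attach-edge")],
    "TenantB": [("0.0.0.0/0", "tgw-attach-edge"),
                ("10.1.0.0/16", "tgw-attach-tenanta")],
}

# Connection policy: which domain may forward directly to which. Traffic
# staying inside a domain is always allowed; tenants may only reach the
# Edge domain, never each other.
ALLOWED_PAIRS = {("Edge", "TenantA"), ("Edge", "TenantB"),
                 ("TenantA", "Edge"), ("TenantB", "Edge")}


def next_hop(domain: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match of dst_ip in the domain's route table.

    Returns the target attachment, or None when there is no route or the
    best route is a blackhole. Useful when troubleshooting 'where does this
    domain send a packet to X?'.
    """
    addr = ip_address(dst_ip)
    best: Optional[Tuple[object, Optional[str]]] = None
    for prefix, target in ROUTE_TABLES.get(domain, []):
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def segregation_violations() -> List[Tuple[str, str, str]]:
    """Return (source domain, prefix, target attachment) for every route that
    forwards a domain's traffic to an attachment in a domain the policy
    does not allow. Every route is inspected, so a leaked sub-prefix is
    caught even when a broader route is policy-compliant.
    """
    violations: List[Tuple[str, str, str]] = []
    for src_domain, routes in ROUTE_TABLES.items():
        for prefix, target in routes:
            if target is None:
                continue  # blackhole: nothing is forwarded
            dst_domain = ATTACHMENTS[target]["domain"]
            if dst_domain != src_domain and (src_domain, dst_domain) not in ALLOWED_PAIRS:
                violations.append((src_domain, prefix, target))
    return violations


if __name__ == "__main__":
    print("Edge -> 10.1.5.5 via", next_hop("Edge", "10.1.5.5"))
    for src, prefix, target in segregation_violations():
        print(f"VIOLATION: domain {src} routes {prefix} to {target} "
              f"({ATTACHMENTS[target]['domain']})")
```

Run against real data, the same check can be fed from the TGW route-table associations and routes exported by the AWS CLI; the point is that a tenant's route table should only ever resolve to its own attachments or to the Edge domain, and anything else is a segregation failure worth alerting on.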

If your security requirements call for advanced threat detection and packet inspection at the edge, you can also introduce third-party firewalls there. These firewall instances carry no IPsec responsibilities, so they can deliver high performance, and they can be scaled out for much higher aggregate throughput. The diagram below shows how to introduce 3rd-party firewalls in the Edge VPC.

For more information, please visit: