Aviatrix Answers

How to enable inter-spoke connectivity in an AWS Global Transit Network?

How-to Guide

AWS started to provide VPC peering connections within a region or across regions in late 2017. Inter-region peering encrypts the traffic in transit, while intra-region VPC peering does not. As mentioned here, VPC peering can be used to connect two spoke VPCs when needed in a global transit network. The Cisco CSR transit VPC solution supports inter-spoke connectivity at the transit gateway by default, which is not a desirable architecture for most deployments where spoke VPCs need to be segmented or isolated. This short article shows how inter-spoke VPC peering can be managed with the Aviatrix Secure Networking Platform.

How to add an AWS VPC peering connection?

AWS VPC peering is integrated into the Aviatrix Secure Networking Platform in release 3.1. Both the GUI and the API/Terraform can be used to manage the connection; here we only demonstrate the GUI. The screenshot below illustrates how a VPC peering connection can be built with a few clicks. This is more streamlined than the AWS management console, where you have to navigate the request and acceptance process, and where inter-region or cross-account peering requires console access to multiple regions or accounts.

We can build inter region VPC peering for two AWS accounts using the following wizard.

After the account, region, and VPC information is entered, the peering connection is established in less than 10 seconds after clicking the “OK” button. The connection then shows up in the table and can be deleted with the “Delete” button.

What if I need encrypted VPC peering within a region, or AWS native VPC peering is not available in the region?

The Aviatrix Secure Networking Platform supports encrypted VPC peering in all regions, and it was widely deployed well before native AWS VPC peering became available. Aviatrix encrypted peering supports peering HA in the same way HA is supported in the transit network between a spoke VPC and the transit VPC, and it can be used to meet your security and compliance requirements.

The following topology diagram illustrates a transit network built by the Aviatrix transit network wizard, consisting of one transit VPC hub and 3 spoke VPCs. Further below, 5 peering connections are shown on the Aviatrix Controller GUI’s encrypted peering page. The connection HA status column indicates whether a connection is active or backup. We will show how to add a pair of encrypted peering connections with HA support.

In the following screenshot, we build a pair of VPC peering connections between two spokes, VPC-001 and VPC-002, using the Aviatrix encrypted peering wizard.

Within a minute of clicking the “OK” button, a pair of redundant peering connections is up. The Controller GUI displays the peered connections and confirms a successful bidirectional ping test (below).

The topology shown below is after the pair of inter-spoke peering connections has been added between the two spoke VPCs. No extra gateway is required in the spoke VPCs; the existing spoke gateways carry the encrypted peering.
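As an added example, not taken from the original post or from Aviatrix's own documentation, the two inter-spoke peering options built above through the GUI (the native AWS VPC peering wizard in the first section, and the encrypted peering pair with HA in this section) expressed for the Aviatrix Terraform provider that the article mentions as the alternative to the GUI. The resource and attribute names are the ones I know from the Aviatrix Terraform provider documentation; check them against the provider version that matches your Controller release. The Controller address, access account names, VPC and route table IDs, and gateway names are constructed placeholders.

```hcl
# Added example: manage the two inter-spoke peering options with the
# Aviatrix Terraform provider instead of the Controller GUI.
# All identifiers are constructed placeholders; resource and attribute
# names are assumed from the Aviatrix provider documentation.

terraform {
  required_providers {
    aviatrix = {
      source = "AviatrixSystems/aviatrix"
    }
  }
}

# Controller credentials are passed in as variables so they never
# land in source control.
variable "controller_ip" { type = string }
variable "controller_user" { type = string }
variable "controller_password" {
  type      = string
  sensitive = true
}

# Choose one peering option per spoke pair. Both resources are declared
# so the two options can be compared side by side, but only one of them
# is created, because the two would otherwise fight over the same routes.
variable "encrypted_peering" {
  type        = bool
  default     = true
  description = "true = Aviatrix encrypted peering with HA; false = AWS native VPC peering"
}

provider "aviatrix" {
  controller_ip = var.controller_ip
  username      = var.controller_user
  password      = var.controller_password
}

# Option 1: AWS native VPC peering between spokes in two accounts and two
# regions. The Controller sends the request, accepts it in the peer
# account/region, and installs routes in the listed route tables.
# Reminder from the article: intra-region native peering is not encrypted.
resource "aviatrix_aws_peer" "vpc001_vpc002_native" {
  count = var.encrypted_peering ? 0 : 1

  account_name1 = "aws-account-a"         # Aviatrix access account holding VPC-001
  account_name2 = "aws-account-b"         # Aviatrix access account holding VPC-002
  vpc_id1       = "vpc-0aaaaaaaaaaaaaaa1" # placeholder ID for VPC-001
  vpc_id2       = "vpc-0bbbbbbbbbbbbbbb2" # placeholder ID for VPC-002
  vpc_reg1      = "us-east-1"
  vpc_reg2      = "us-west-2"
  rtb_list1     = ["rtb-0aaaaaaaaaaaaaaa1"] # route tables in VPC-001 to update
  rtb_list2     = ["rtb-0bbbbbbbbbbbbbbb2"] # route tables in VPC-002 to update
}

# Option 2: Aviatrix encrypted peering between the spoke gateways that the
# transit network wizard already deployed, so no extra gateway is needed.
# enable_ha builds the redundant second tunnel; it assumes each spoke
# already has an HA gateway, as in the transit network above.
resource "aviatrix_tunnel" "vpc001_vpc002_encrypted" {
  count = var.encrypted_peering ? 1 : 0

  gw_name1  = "spoke-gw-vpc-001" # placeholder spoke gateway name in VPC-001
  gw_name2  = "spoke-gw-vpc-002" # placeholder spoke gateway name in VPC-002
  enable_ha = true
}
```

Run `terraform plan` with `-var encrypted_peering=false` to see the native peering resource, or with the default to see the encrypted tunnel pair; in either case the plan shows exactly one peering being created between the two spokes, which is the same choice the wizard makes you take in the GUI.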

How does the peering HA work?

When the active inter-spoke VPC peering connection fails, an automatic failover to the backup connection takes place in both peered VPCs. The status of the peering connections between the spoke VPCs and the transit VPC remains unchanged, so their traffic is not impacted during the failover. The following peering connection topology illustrates the network after a failover.

The Key Takeaways

The Aviatrix Secure Networking Platform complements AWS native VPC peering by providing encrypted peering connections within a region, with a redundant peering connection for higher availability. The native AWS peering integration improves the user/admin experience with a streamlined connection setup wizard. Together they let the user flexibly select the inter-spoke peering option that meets their architectural and security requirements.