AWS Global Transit Hub
Quick Start Deployment

Aviatrix, an AWS Advanced and Network Competency Partner, offers a Next-Generation Global Transit Hub solution for AWS public cloud. It simplifies the way you enable a global transit network by automating the entire deployment - both transit hub and spoke VPCs - and configures one central console (Aviatrix Controller) for ongoing monitoring and troubleshooting all aspects of your AWS connectivity.

This Aviatrix for AWS Quick Start is a fully automated solution that utilizes AWS APIs to deploy a Global Transit Hub in minutes. The topology diagram below illustrates the transit VPC and spoke architecture enabled when using the AWS CloudFormation template available below.

A typical AWS Global Transit VPC architecture which includes a Transit Hub VPC connecting many Spoke VPCs to facilitate communication between the Spoke VPCs and on-premises network.

  1. This highly available design deploys the Aviatrix Controller and (2) Aviatrix Gateway instances into separate Availability Zones of a dedicated Global transit hub VPC, which will act as the hub of your global transit network. The Gateway instances allow for IPsec VPN termination, routing and security policies. The Aviatrix Controller provides ongoing monitoring, and troubleshooting.
  2. This solution automatically adds spoke VPCs in any AWS Region to your global transit network by simply tagging your VPC's - the VPN connection will automatically be established between the tagged spoke VPC and the global transit hub VPC, using a combination of CloudFormation and Lambda scripts. Multiple AWS accounts are supported. All scripts were written and are fully supported by Aviatrix, and verified by the AWS Quick Start team.
  3. Once you have established your global transit VPC, you can extend beyond the AWS Cloud and automate configuration of VPN connections to network providers or on-premises infrastructure - or even other public cloud providers - via the Aviatrix Controller.
  4. Aviatrix allows you to optionally expand your global transit architecture to include a Shared Services layer with direct peering for better support of cloud/devops teams who require a shared services or management VPC for common services in the cloud (such as firewall, NAT, or egress filtering).

Download the PDF "Quick Start Deployment Guide"

What is unique about the Aviatrix Global Transit Solution?

Centralized Controller

Point-and-click, centralized management console (with REST API support) manages distributed gateways and can easily be operated by both cloud ops and network engineers. No deep networking skills required (No CLI). Additionally, changes or customizations can quickly and easily be implemented through the Controller UI.

BGP is Required in Transit VPC only

The Aviatrix offering is API-based and uses policy-based routing from the spokes to the transit hub VPC. The Spoke VPC routes are advertised to the Aviatrix Gateway in the Transit VPC by the Aviatrix Controller. The Aviatrix Gateway in the Transit VPC then exchanges routes with the on-premises network using Border Gateway Protocol (BGP) via the VGW. The learned routes from the Aviatrix Transit Gateway are sent to the Controller for propagation to the spoke VPCs.

Simplified Troubleshooting

Integrated diagnostic tools make troubleshooting much easier than traditional networking products that use BGP everywhere. Integrated EC2 FlightPath troublesho0ting tool helps identify EC2 Connectivity problems faster to minimize business downtime.

Built-in Security

VPC Isolation and segmentation are created by design - with spoke to spoke connectivity through the transit hub. With encrypted links, an integrated stateful firewall for policy enforcement, and fully qualified domain name filtering (FQDN), Aviatrix ensures security is fully integrated with your global transit network. Aviatrix also supports VPC-to-VPC direct peering allowing direct spoke-to-spoke connectivity (eliminating the transit hop). This configuration can be enabled via the Controller.

Monitoring and Visibility

Central dashboard provides visual representation of your global transit network, and monitors, displays and alerts on link status, performance and link latency for transit hubs and spoke VPCs.

Fully Supported Solution

To ensure a successful deployment, Aviatrix provides customer support for all components of the solution, including the automation scripts.

Get Started

What You’ll Accomplish

Aviatrix Global Transit Hub Quick Start solution enables a highly secure Global Transit Hub architecture using Aviatrix Controller and Aviatrix Gateways that are deployed in a high availability configuration. The Transit Hub VPC can be a new VPC or an existing VPC.

This highly available design deploys the Aviatrix Controller and two Aviatrix Gateway instances into separate Availability Zones of a dedicated Global Transit Hub VPC, which will act as the hub of your global transit network. The gateway instances allow for IPsec VPN termination, routing and security policies. Aviatrix Controller provides a user-friendly interface to further customize the Transit VPC architecture that is deployed by this Quick Start, as well as monitoring and cloud network visualization.

This Quick Start solution also automatically adds spoke VPC's in any AWS Region to your global transit hub by simply tagging your VPC's - the VPN connection will automatically be established between the tagged spoke VPC and the global Transit Hub VPC, using a combination of CloudFormation and Lambda scripts. Multiple AWS accounts are also supported. This Quick Start allows you to deploy Spoke VPCs in up to two AWS accounts. Adding more than two accounts to your Global Transit Hub architecture is supported using the Aviatrix Controller that gets deployed by this Quick Start.

What You’ll Need Before Starting

An AWS account

You will need an AWS account to begin provisioning resources.

Skill level

This solution is intended for cloud engineers, network engineers, architects, devops, and cloud/IT infrastructure who are familiar with AWS cloud. Your deployment of any Aviatrix solution - including changes or customizations to this Global Transit Hub Quick Start Deployment - are always fully supported by our AWS-certified technical experts.

Aviatrix Pricing and Licensing

This solution includes licensing up to 5 spokes and the global transit VPC. The solution can be expanded to support an unlimited number of spoke VPCs. This Quick Start includes configuration parameters that you can customize. Some of the settings, such as instance type, will affect the cost of deployment.

As of the date of publication, the cost for running a transit VPC with this solution's default settings in the US East (N. Virginia) Region is as shown in the table below (prices subject to change).

Aviatrix Transit VPC License Cost per hour
Global Transit VPC and 5 Spoke/Tunnel License (Available on the AWS Marketplace) $0.70/Hour, plus AWS instance charges for the Aviatrix Controller (T2 Medium) and Gateways (T2 Micro)
Bring-your-own-license (Purchase from Aviatrix) Starting at $0.16/hour, plus AWS instance charges for the Aviatrix Controller (T2 Medium) and Gateways (T2 Micro)

This Quick Start requires one of the two licensing options shown in the table above.

The AWS Marketplace offer with license included is available here: Aviatrix Inter-Region VPC Peering 5 Tunnel License.

For BYOL license purchase, contact Aviatrix Sales at prior to using this Quick Start.

Deployment Options

This Quick Start provides two deployment options:

Deploy Aviatrix into a New VPC

This option builds a new AWS environment consisting of the Global Transit Hub VPC, subnets, Internet Gateway, Default Route and other infrastructure components, and then deploys an Aviatrix Controller and one Aviatrix Hub Gateway into this new VPC.

Deploy Aviatrix into an Existing VPC

This option provisions an Aviatrix Controller, one Aviatrix Hub Gateway and other infrastructure components into an existing AWS VPC that will be designated as the Transit Hub VPC.

The Quick Start allows you to choose either of these options. It also lets you customize and configure CIDR blocks, instance types, and Aviatrix settings, as discussed later in this guide.

Solution FAQs

What is a transit hub VPC?

A transit hub VPC is a common strategy for connecting multiple, geographically disperse VPCs and remote networks in order to create a global network transit center. A transit hub VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks. For hybrid organizations, It's a recommended way to connect on premise environments with many AWS VPCs.

How is Aviatrix Global Transit Hub VPC different vs other solutions?

Aviatrix is the only cloud-native solution for creating a transit hub to enable simple point-and-click configuration of networking connections in AWS. The console (Aviatrix Controller) gives users the ability to implement Global Transit Hub VPC design via REST API (no CLI required). See the chart below for specific differences and advantages of Aviatrix versus other offerings. (See above for more information.)

Does the Aviatrix Solution offer High Availability?

Yes. The solution deploys dual gateways in both the Transit VPC and spoke VPCs. If one Aviatrix gateway fails, the standby Aviatrix gateway is automatically connected in seconds to reduce network downtime.

How long will it take to deploy the Aviatrix Global Transit Hub for AWS?

If you already have an AWS account, it should take less than 10 minutes to deploy the transit hub. The spokes are connected upon tagging the spoke VPC.

What is Aviatrix relationship with AWS?

Aviatrix is an AWS Advanced Partner and a Network Competency Partner. This Quick Start Reference Deployment Guide was created by Amazon Web Services (AWS) in partnership with Aviatrix Systems.

Comparing AWS Global Transit Offerings

Aviatrix Next-Generation Transit vs Cisco CSR and VGW

Business & Pricing Aviatrix Offering Cisco Offering w/CSR script
List Price for Hub & 5 Spokes $8K Starts at $10K, up to $25K depending on throughput
Unlimited Throughput Yes No, additional charges apply
Data Transfer Out Charges 1X with Aviatrix peering, 2X with transit hub 2X with transit hub, no direct peering available
AWS Network Competency Status Aviatrix is certified Cisco is not certified
Operational Features Aviatrix Offering Cisco Offering w/CSR script
Deployment Time Minutes Minutes
Central Controller Yes No
Troubleshooting Easy Difficult
Scale Out Automatic Automatic
Networking Skills to Maintain/Support Low High (CCIE Certification)
Instance Size Requirements T2.micro and above Default is C4 Large
API Driven Yes No
Customization Method Automated thru simple point-and-click Manual thru modification of the non-supported Lambda script
High Availability Yes, in real-time via single checkbox Yes, via manual effort; testing required
Integrated Monitoring Yes Not automated, requires additional work
Technical Features Aviatrix Offering Cisco Offering w/CSR script
Performance Maximum available AWS instance throughput Maximum available AWS instance throughput
Transit Hub Support Yes Yes
Full or Partial Mesh Support Yes No
VPC Security Control Yes Yes
Multi-cloud Support Yes No
Inter-region Yes – peered & transit Yes – thru transit only
Route Limit Entry No Limit Up to 100 Only
Network Segmentation & Isolation Yes No