I want to talk about the AWS Transit Gateway announced at re:Invent.

This is really exciting for anybody who’s dealing with large, complex AWS environments, or has a sizable networking environment that they manage on-premises today.

There’s been a problem with moving to AWS:

AWS’s best practices for how to set up a large, complex environment conflicted with their networking capabilities.

They always wanted people to have multiple accounts. They wanted you to deploy your applications with a production account, a test account, and a dev account – but they didn’t allow for networking between those, because you couldn’t create VPC peering relationships.

You couldn’t create networking relationships easily between VPCs from different accounts. There was also no way to centrally manage or monitor all of the traffic that a large organization or complex application would send through all of these different accounts. So you would have to set up monitoring in multiple places, or multiple ways to collect, clean, and secure your traffic.

This was, as you can imagine, overly complicated and prone to issues.

This is all solved with the AWS Transit Gateway.

The Transit Gateway can stand up a new VPC as the center hub of your network in Amazon.

This will be an auto-scaling, auto-sizing service, so you don’t need to worry about how much traffic you’re flowing through it. AWS will take care of it.

It’s also a dynamic routing environment. It will use AWS routing rules to route different network spaces between your VPCs, and it will also peer, via BGP, with your existing on-premises architecture. So your routing can flow from your traditional networks all the way through your AWS environment.

It’s massively scalable. Right now, they’re saying it will connect thousands of VPCs together. It will work for multiple accounts, but I’ll cover that in a second.

It’s available in many regions and going to scale, it sounds like, to all of the regions very shortly.

It also allows for central traffic control and monitoring in AWS. Now that you have a central place where all routing happens, you can set up routing rules to take specific types of traffic, or all of your traffic, and send it out to a specific VPC or instance to have it cleaned, monitored, or tracked and then brought back. You can also bring all of the traffic coming through your organization through a choke point.

It will make your security people and anybody working on the operations side very happy.

Monitoring cloud environments will be considerably easier.
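As an added illustration (not from the original post or from AWS), here is a small Python model of the choke-point routing described above, with a check that flags spoke routes that would skip the inspection VPC. The attachment names, route-table names and CIDRs are constructed, and the data model is a simplification rather than AWS API output.

```python
import ipaddress

# Constructed sample data: a simplified model of Transit Gateway routing.
SPOKE_CIDRS = {"att-prod": "10.1.0.0/16", "att-dev": "10.2.0.0/16"}
INSPECTION = "att-inspect"
# Each attachment is associated with exactly one route table.
ASSOCIATIONS = {"att-prod": "rt-spokes", "att-dev": "rt-spokes",
                INSPECTION: "rt-inspection"}
GOOD_TABLES = {
    "rt-spokes": [("0.0.0.0/0", INSPECTION)],
    "rt-inspection": [("10.1.0.0/16", "att-prod"), ("10.2.0.0/16", "att-dev")],
}
# Same design plus one leftover route that lets prod reach dev directly.
BAD_TABLES = {
    "rt-spokes": GOOD_TABLES["rt-spokes"] + [("10.2.0.0/16", "att-dev")],
    "rt-inspection": GOOD_TABLES["rt-inspection"],
}

def next_hop(routes, dst_ip):
    """Longest-prefix match over (cidr, attachment) routes; None means dropped."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), t) for c, t in routes
               if ip in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def path(tables, src, dst_ip, max_hops=4):
    """Attachments a packet from `src` crosses until it leaves the hub or is dropped."""
    hops, current = [], src
    for _ in range(max_hops):
        hop = next_hop(tables[ASSOCIATIONS[current]], dst_ip)
        hops.append(hop)
        if hop != INSPECTION:  # delivered to a spoke, or dropped (None)
            break
        current = hop  # inspected traffic re-enters via the inspection attachment
    return hops

def find_bypasses(tables):
    """Conservative audit: spoke routes that overlap another spoke's CIDR
    and do not target the inspection attachment."""
    findings = []
    for src in SPOKE_CIDRS:
        for cidr, target in tables[ASSOCIATIONS[src]]:
            net = ipaddress.ip_network(cidr)
            for dst, dst_cidr in SPOKE_CIDRS.items():
                if (dst != src and target != INSPECTION
                        and net.overlaps(ipaddress.ip_network(dst_cidr))):
                    findings.append((src, cidr, target))
    return findings
```

The audit is deliberately conservative: it flags a route for review even if a more specific route shadows part of it.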

The final point is that you can now do this across multiple accounts, and I think this is the big lead.

There are many of us in the networking space taking a collective sigh of relief.

AWS just simplified a lot of the complexity in our world.

For the Transit Gateway to work, they launched the AWS Resource Manager Service, and the Transit Gateway is the first real service to take advantage of it. It was initially announced using Route 53 for DNS, but now, with Transit Gateway, it’s going to allow you to have a master account control a service, like the Transit Gateway, and then that account can authorize other accounts to flow traffic through it. So you will be able to have all of those services controlled by one separate, unique account.

It’s a big change.

This is the first time we’re seeing AWS decouple ownership from access when it comes to the services and accounts.

We expect the Transit Gateway will be the first of many in the roadmap that they’re going to do this with.

I think all of us who are deploying large or complex environments into AWS are going to start seeing the ability to embrace their best practices model of setting up multiple accounts to limit the blast radius of failures and issues, while still giving us all the rich features, controls, and monitoring we expect in a world-class architecture.

We have customers that can use this today, and it will be a great addition to the AWS portfolio.

Deft, a Summit company
