I was discussing AWS VPC networking, and how network traffic comes in and out of a VPC from different destinations, with my team. Then later I thought – let’s put it on my blog – this will help others as well. I am discussing VPC gateways from a typical network engineer’s point of view.
There are many different types of gateways (network routers) in AWS VPC networking. Each of them has a different role – you put together different gateways to make a complete solution. Gateways are the key components of a routing table – here I will show all the gateway items that are available as targets in a “VPC routing table”.
The following diagram shows all the different types of gateways/routers on the AWS VPC platform (follow the arrow heads for the traffic path):
Let’s discuss the key attributes (what are they? what can they do?) of the VPC gateways:
i. Virtual Private Gateway (VGW-nn)
This is a multi-purpose network gateway that provides in/out routing to a VPC. Key attributes of the VGW:
- the remote networks can be reached via AWS Direct Connect to a self-managed data centre, or over IPsec VPN (via AWS VPN connections)
- for IPsec VPN – an AWS “VPN connection” object needs to be created and attached to the VGW
- for IPsec VPN – supported routing options are BGP (dynamic) and static routes
- for AWS Direct Connect – VLAN-tagged virtual interfaces (private VIFs) need to be created for IP routing and attached to the VGW
- for AWS Direct Connect – BGP is the only supported routing protocol
- when more than one equal path is available, ECMP is used by default (for both IPsec VPN and Direct Connect) when sending traffic from AWS to a remote destination; note that the VGW first applies its route priority rules (longest prefix match, then Direct Connect BGP routes over VPN static routes over VPN BGP routes, then shortest AS path), so ECMP only happens between paths that tie on all of these
- BGP path selection can be influenced by the remote side using “AS path prepending” on the prefixes it advertises to AWS
- “VGW” instances (vgw-nn) are available within the VPC routing table to be set as a target
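To make the ECMP and AS-path-prepending points concrete, here is a small model of how the VGW ranks the paths it has learned for a destination. This is an added example written for this post, not AWS code; the VIF and tunnel names are hypothetical, and the ranking order it implements is the documented one (longest prefix, then Direct Connect BGP over VPN static over VPN BGP, then shortest AS path, then lowest MED, with remaining ties load-shared).

```python
"""Model of Virtual Private Gateway path selection (added example, not AWS code).

Ranking order, matching the documented VGW route priority:
  1. longest prefix match
  2. Direct Connect BGP routes, then VPN static routes, then VPN BGP routes
  3. shortest AS path (this is where prepending on the remote side acts)
  4. lowest MED
Paths still tied after all of that are used together (ECMP).
VIF / tunnel names below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    prefix: str          # destination CIDR learned or configured
    source: str          # "dx_bgp", "vpn_static" or "vpn_bgp"
    via: str             # hypothetical VIF / VPN tunnel name
    as_path: tuple = ()  # AS path as received from the remote side (BGP only)
    med: int = 0         # MED as received from the remote side (BGP only)


# Lower rank wins once the prefix length is equal.
SOURCE_RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}


def _rank(p: Path):
    return (SOURCE_RANK[p.source], len(p.as_path), p.med)


def select_paths(paths, dest_ip):
    """Return the VGW's chosen path(s) for dest_ip; more than one means ECMP."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [p for p in paths if ip in ipaddress.ip_network(p.prefix)]
    if not candidates:
        return []
    longest = max(ipaddress.ip_network(p.prefix).prefixlen for p in candidates)
    candidates = [p for p in candidates
                  if ipaddress.ip_network(p.prefix).prefixlen == longest]
    best = min(_rank(p) for p in candidates)
    return sorted((p for p in candidates if _rank(p) == best), key=lambda p: p.via)


def chosen_vias(paths, dest_ip):
    """Just the names of the selected paths, handy for checking results."""
    return [p.via for p in select_paths(paths, dest_ip)]


# Constructed sample: two DX VIFs, two VPN tunnels, one static VPN route.
SAMPLE_PATHS = [
    Path("10.0.0.0/16", "dx_bgp", "dxvif-a", as_path=(65001,)),
    Path("10.0.0.0/16", "dx_bgp", "dxvif-b", as_path=(65001,)),
    Path("10.0.0.0/16", "vpn_bgp", "vpn-tunnel-1", as_path=(65001,)),
    # remote side prepended its ASN twice on tunnel 2 to make it the backup
    Path("10.0.0.0/16", "vpn_bgp", "vpn-tunnel-2", as_path=(65001, 65001, 65001)),
    Path("10.0.5.0/24", "vpn_static", "vpn-tunnel-1"),
]


if __name__ == "__main__":
    print(chosen_vias(SAMPLE_PATHS, "10.0.9.10"))   # ECMP across both DX VIFs
    print(chosen_vias(SAMPLE_PATHS, "10.0.5.10"))   # /24 static VPN route wins
    vpn_only = [p for p in SAMPLE_PATHS if p.source != "dx_bgp"]
    print(chosen_vias(vpn_only, "10.0.9.10"))       # prepended tunnel loses
```

The third call is the interesting one for a failover design: with Direct Connect gone, the two VPN tunnels carry the same prefix and the one the remote side prepended is left as the backup rather than being load-shared.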
ii. Customer Gateway (CGW-nn)
CGWs are part of IPsec VPN connectivity to a VPC. Key attributes are the following:
- a CGW represents the remote-end VPN gateway (its public IP address and, for dynamic routing, its BGP ASN)
- an AWS “VPN Connection” is required to tie a CGW to a VGW
- without a CGW, the AWS VPN connection doesn’t know where to send traffic
iii. Internet Gateway (IGW-nn)
Key attributes of the IGW are the following:
- provides Internet in/out (both ways) to a VPC and its contents
- provides inbound Internet access to an Elastic Load Balancer
- provides Internet access to L4-L7 network appliances (F5 BIG-IP, Cisco ASAv, Juniper SRX etc.)
- provides Internet access to the VPC NAT GW
- outbound traffic from a VPC can be sent out via either the IGW or the VPC NAT GW (I will discuss this in part 2 – VPC routing tables and subnets)
- AWS Elastic IP address reachability for a VPC object is done via the IGW (the IGW performs the one-to-one NAT between the public address and the instance’s private address)
- “IGW” instances (igw-nn) are available within the VPC routing table to be set as a target
iv. VPC NAT Gateway (NAT-nn)
Key attributes of the VPC NAT GW are the following:
- provides outbound-only NAT (one direction) to the VPC and its contents; no inbound connections can be initiated through it
- NAT Internet access is done via an IGW (the NAT GW sits in a subnet whose default route points at the IGW)
- the NAT GW cannot access the Internet directly (without having an IGW)
- “NAT” instances (nat-nn) are available within the VPC routing table to be set as a target
There are a lot of security requirement scenarios where you allow Internet access for systems/servers only via the NAT GW; no inbound connections are permitted and local systems are kept fully local only. The check worth making is that those subnets’ route tables point 0.0.0.0/0 at the NAT GW and never at the IGW, since a subnet whose default route goes to the IGW is exposed to inbound traffic from the Internet (subject to security groups and NACLs) as soon as an instance in it has a public or Elastic IP.
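The following script audits exactly that pattern. It is an added example for this post (not an AWS tool): it reads data shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`, classifies each subnet by where its default route goes, and flags a NAT GW that has been placed in a subnet without an IGW default route (which leaves it with no Internet path). The JSON is constructed inline with made-up resource IDs so it runs offline; in practice you would feed it the real CLI output.

```python
"""Audit VPC route tables for the NAT-only egress pattern (added example).

Input mimics `aws ec2 describe-route-tables` / `describe-nat-gateways` output,
constructed here with made-up IDs so the script runs offline.
"""
import json

ROUTE_TABLES_JSON = """
{"RouteTables": [
  {"RouteTableId": "rtb-public",
   "Associations": [{"SubnetId": "subnet-public-a"}],
   "Routes": [
     {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"}]},
  {"RouteTableId": "rtb-app",
   "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-app-b"}],
   "Routes": [
     {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa1111", "State": "active"}]},
  {"RouteTableId": "rtb-db",
   "Associations": [{"SubnetId": "subnet-db-a"}],
   "Routes": [
     {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0deadbee", "State": "blackhole"}]}
]}
"""

NAT_GATEWAYS_JSON = """
{"NatGateways": [
  {"NatGatewayId": "nat-0aaa1111", "SubnetId": "subnet-public-a", "State": "available"},
  {"NatGatewayId": "nat-0bbb2222", "SubnetId": "subnet-app-b", "State": "available"}
]}
"""

# A route names its target under a different key depending on the target type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
               "InstanceId", "VpcPeeringConnectionId")


def route_target(route):
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def default_target(route_table):
    """Active 0.0.0.0/0 target, or None. A blackhole route (e.g. the NAT GW
    was deleted) is treated as no default route at all."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route_target(route)
    return None


def classify_subnets(route_tables):
    """Map each explicitly associated subnet to its egress class."""
    result = {}
    for rt in route_tables["RouteTables"]:
        target = default_target(rt) or ""
        if target.startswith("igw-"):
            kind = "public"
        elif target.startswith("nat-"):
            kind = "private-nat"
        elif target:
            kind = "private-appliance"   # default route via ENI / instance / pcx
        else:
            kind = "isolated"
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = kind
    return result


def check_nat_placement(route_tables, nat_gateways):
    """A NAT GW only has an Internet path if its own subnet defaults to an IGW."""
    kinds = classify_subnets(route_tables)
    findings = []
    for nat in nat_gateways["NatGateways"]:
        kind = kinds.get(nat["SubnetId"], "unknown")
        if kind != "public":
            findings.append((nat["NatGatewayId"], nat["SubnetId"], kind))
    return findings


def audit(route_tables_json=ROUTE_TABLES_JSON, nat_gateways_json=NAT_GATEWAYS_JSON):
    rts = json.loads(route_tables_json)
    nats = json.loads(nat_gateways_json)
    return classify_subnets(rts), check_nat_placement(rts, nats)


if __name__ == "__main__":
    kinds, findings = audit()
    for subnet, kind in sorted(kinds.items()):
        print(f"{subnet}: {kind}")
    for nat_id, subnet, kind in findings:
        print(f"FINDING: {nat_id} sits in {subnet} ({kind}); it needs a subnet "
              f"whose default route is an IGW, otherwise it has no Internet path")
```

Two things the sample deliberately exercises: `rtb-db` has a default route whose NAT GW no longer exists, so its state is `blackhole` and the subnet is reported as isolated rather than private-nat; and `nat-0bbb2222` was created in an app subnet that itself defaults to a NAT GW, which is the misplacement the NAT attributes above warn about.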
v. Layer4-Layer7 network appliances as Gateway
These are basically EC2 instances with two or more NICs (ENIs) providing network connectivity.
Key attributes are the following:
- cloud network admins have the flexibility to deploy their own network appliance (F5, Cisco, Juniper, Sophos, Barracuda etc.)
- even an EC2 instance of any OS (Linux/Windows) with 2 x NICs can be converted into a routing device/NAT appliance (Source/Destination Check needs to be disabled under EC2 Networking, otherwise the instance drops packets that are not addressed to it)
- this type of device relies on the IGW to route traffic to the Internet (just like the NAT gateways)
- this type of network appliance can provide both in/out traffic (via NAT translation or proxy) to a VPC and its contents
- this type of network appliance (EC2 instance, or rather its ENI) is available within the VPC routing table to be set as a target
vi. VPC Peering (PCX-nn)
A special type of gateway for inter-VPC communication. VPC peering is used when creating an inter-connect between VPCs. The following are the attributes of VPC peering:
- provides peer-to-peer connectivity between two VPCs only (their CIDR blocks must not overlap, and each side’s route table needs a route to the other VPC’s CIDR with the pcx as target)
- in a scenario where “VPC A” peers to > “VPC B” and “VPC B” peers to > “VPC C” – “VPC A” cannot talk to “VPC C”
- does not provide a transit path
- in the above scenario “VPC B” cannot be used as a transit route for VPC A to > VPC C
- “pcx” instances (pcx-nn) are available within the VPC routing table to be set as a target
In the next part I will be discussing VPC “subnets” and “routing tables”, which are capable of catering for complex segregated routing requirements on the AWS platform.
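The non-transitive behaviour is easy to get wrong when someone adds a route for VPC C’s CIDR to VPC A’s table and points it at the A-B peering. The script below is an added example for this post (not AWS code) that models three hypothetical VPCs with exactly that route and shows why the packet never gets there: the pcx in the route must connect the two VPCs directly, and the far side needs a return route over the same pcx. It also includes the overlap check AWS applies when a peering is requested.

```python
"""Check reachability over VPC peering (added example; all names hypothetical).

Peering is point-to-point and non-transitive: a route in VPC A that points a
pcx at VPC C's CIDR does nothing unless that pcx actually connects A and C,
and the return route must exist on the far side as well.
"""
import ipaddress

VPCS = {"vpc-a": "10.1.0.0/16", "vpc-b": "10.2.0.0/16", "vpc-c": "10.3.0.0/16"}

# peering id -> the two VPCs it joins: A<->B and B<->C only.
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-bc": ("vpc-b", "vpc-c")}

# Per-VPC route tables: destination CIDR -> target. VPC A has a route to C's
# CIDR via pcx-ab, which is the classic "use B as transit" mistake.
ROUTES = {
    "vpc-a": {"10.1.0.0/16": "local", "10.2.0.0/16": "pcx-ab", "10.3.0.0/16": "pcx-ab"},
    "vpc-b": {"10.2.0.0/16": "local", "10.1.0.0/16": "pcx-ab", "10.3.0.0/16": "pcx-bc"},
    "vpc-c": {"10.3.0.0/16": "local", "10.2.0.0/16": "pcx-bc"},
}


def peering_allowed(cidr_a, cidr_b):
    """AWS refuses a peering between VPCs whose CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def lookup(vpc, ip):
    """Longest-prefix match in one VPC's route table; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(c).prefixlen, t)
               for c, t in ROUTES[vpc].items() if addr in ipaddress.ip_network(c)]
    return max(matches)[1] if matches else None


def owner_of(ip):
    """Which VPC's CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for vpc, cidr in VPCS.items():
        if addr in ipaddress.ip_network(cidr):
            return vpc
    return None


def can_reach(src_vpc, src_ip, dst_ip):
    """Return (ok, reason) for a packet from src_vpc to dst_ip and its reply."""
    dst_vpc = owner_of(dst_ip)
    if dst_vpc == src_vpc:
        return True, "local"
    target = lookup(src_vpc, dst_ip)
    if target is None or not target.startswith("pcx-"):
        return False, f"{src_vpc} has no pcx route for {dst_ip}"
    if set(PEERINGS[target]) != {src_vpc, dst_vpc}:
        return False, f"{target} does not connect {src_vpc} and {dst_vpc}; no transit"
    back = lookup(dst_vpc, src_ip)
    if back != target:
        return False, f"{dst_vpc} has no return route to {src_ip} via {target}"
    return True, target


if __name__ == "__main__":
    print(can_reach("vpc-a", "10.1.0.5", "10.2.0.5"))   # A -> B works
    print(can_reach("vpc-a", "10.1.0.5", "10.3.0.5"))   # A -> C via B is refused
    print(can_reach("vpc-c", "10.3.0.5", "10.1.0.5"))   # C has no route to A at all
    print(peering_allowed("10.1.0.0/16", "10.1.128.0/17"))
```

The A-to-C case fails before any return-path check because pcx-ab simply does not terminate in VPC C; the same packet would be dropped by AWS rather than forwarded through B. To connect A and C you create a third peering (pcx-ac) and add routes on both sides.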