Hello everyone!
The objective of this post is to share a network architecture tip and show how to implement it in the AWS Cloud: centralize Internet egress through a single hub instead of having NAT Gateways and Internet Gateways scattered across every VPC in the environment.
The goal is to achieve the following benefits:
Simplify the network architecture by routing all outbound traffic through a single point, the AWS Transit Gateway.
Reduce costs by centralizing network management and cutting the number of NAT Gateways and Internet Gateways that need to exist.
Improve security by having a single point of control for Internet access, which reduces the attack surface and lets egress policies be applied, logged and audited in one place.
Note: In this post I will not describe the function of each network resource. If you would like that, leave a comment and I can write another post or point to the AWS documentation for each resource.
So, let's get started!
Objectives:
1 - Create the Internet Gateway and attach it to the core VPC;
2 - Create a NAT Gateway in each Availability Zone and place it in the matching public subnet;
3 - Create the Transit Gateway (TGW);
4 - Create the Transit Gateway attachment for each VPC;
5 - Create a Transit Gateway route table for each Transit Gateway attachment;
6 - Add the routes to the TGW route tables;
7 - Add the routes to the VPC route tables in each AWS account;
8 - Test the connection to the Internet.
Network diagram and purpose:
This project consists of three AWS accounts. The Core Network AWS account provides the Internet egress for the PROD and QA AWS accounts, which have no Internet access of their own: they depend on the Core Network account to update their operating systems and to reach services outside the AWS environment.
I assume the VPCs, subnets (private and public) and route tables have already been deployed, so we can focus on the Transit Gateway, the NAT Gateways, the Internet Gateway and the route updates.
Based on this diagram, let's deploy the environment step by step.
1 - Create the Internet Gateway and attach it to the vpc-core-network VPC in the Core Network AWS account.
In the AWS console, go to the VPC dashboard, click "Internet gateways", then the Create internet gateway button.
Define the Internet gateway name and click Create internet gateway.
After the Internet Gateway is created, attach it to the vpc-core-network VPC.
Now update the public subnets' route table with a default route (0.0.0.0/0) whose target is the Internet Gateway created above: go to Route Tables, select the route table and edit the routes.
Create the default route, set the Internet Gateway as the target, and save the change.
2 - Create a NAT Gateway in each zone (us-east-1a and us-east-1b) and place each one in its respective public subnet in the Core Network AWS account.
- A NAT Gateway is a zonal resource: it is redundant within the Availability Zone (AZ) where it is deployed, but if that AZ has an outage, everything that routes through it loses Internet access. That is why we create one NAT Gateway in each AZ and, in step 7, point each private subnet at the NAT Gateway in its own AZ. This gives high availability and also keeps egress traffic from crossing AZs.
Go to the NAT Gateways dashboard and click the Create NAT gateway button.
Define a name, select the public subnet that belongs to the us-east-1a AZ, allocate an Elastic IP (public IP) and create the NAT Gateway.
Now create the NAT Gateway for the public subnet that belongs to the us-east-1b AZ.
The NAT Gateways are created.
3 - Create the Transit Gateway (TGW) in the Core Network AWS account and share it with the PROD and QA AWS accounts.
In the AWS console, go to the VPC dashboard, click "Transit gateways", then the Create transit gateway button.
Define the Transit gateway name, uncheck the "Default route table association" and "Default route table propagation" options, check the "Auto accept shared attachments" option, keep the other settings at their defaults and click Create transit gateway. Auto accept is acceptable here only because the RAM share in the next step limits which accounts can attach to the TGW; without it, every cross-account attachment would sit in the pendingAcceptance state until someone in the Core Network account accepts it.
Note: with "Default route table association" and "Default route table propagation" enabled, every attachment would be associated with the default route table and its CIDR propagated into it, so every VPC could reach every other VPC. Some environments must not be able to talk to each other, so we disable both options. The network team then has to associate each attachment and add each route explicitly, which gives full control over which environments can communicate.
Transit gateway available.
Now share the Core Network account's TGW with the PROD and QA AWS accounts.
Type RAM in the search bar and choose "Resource Access Manager".
In the "Shared by me" section, click "Shared resources", then the Create resource share button.
In Step 1, give the resource share a name, select "Transit Gateway" as the resource type, tick the TGW under Selected resources, and click Next at the bottom of the page.
In Step 2, keep the default settings and click Next.
In Step 3, since my other AWS accounts belong to the same Organization, I left the "Allow sharing only within your organization" option selected. You can also share with an account that is not part of the owner's Organization, but in that case the receiving account has to accept the share invitation. Select "AWS account", type the account IDs; here I added and selected the PROD and QA AWS accounts shown on the diagram. Then click Next.
In the last step, review everything and click "Create resource share" at the bottom of the page.
The sharing process can take a while; once it is done you can see its status under "Resource shares".
4 - Create the Transit Gateway attachment for each VPC.
Still in the Core Network AWS account, go back to the VPC dashboard and, in the Transit gateways section, select "Transit gateway attachments". Click Create transit gateway attachment to attach the TGW to the vpc-core-network VPC.
In the first part of the settings, define a name for the TGW attachment, select the TGW-01 created in the previous step and, since this attachment is to a VPC, select VPC as the attachment type (there are other attachment types, feel free to look at them).
In the last part, select the vpc-core-network VPC; its subnets will load. Select the private subnet in each AZ as shown on the diagram. The TGW places a network interface in each selected subnet and can only deliver traffic into AZs where it has one, so select a subnet in every AZ the workloads use.
Transit gateway attachment created.
Now sign in to each of the other accounts (PROD and QA) and repeat the same Transit gateway attachment procedure for their respective VPCs. As this is a simulation/study environment, the PROD and QA VPCs only have one subnet each (according to the diagram), so in the subnet selection step you will see only one subnet to choose.
5 - Create a Transit Gateway route table for each Transit Gateway attachment created in the previous step.
In the Core Network AWS account, go to the VPC dashboard and, in the Transit gateways section, click "Transit gateway route tables". Click the Create transit gateway route table button to create a TGW route table for the vpc-core-network VPC.
Define a TGW route table name, select TGW-01 and click the Create transit gateway route table button.
After the TGW route table is created, associate it with the TGW attachment of the vpc-core-network VPC. Click the Associations tab, then Create association.
Select the TGW attachment of the vpc-core-network VPC and click Create association.
Now create a TGW route table for the PROD and QA accounts. The table below lists the TGW attachment ID for the PROD and QA VPCs.
PROD Account
Name: TGW-attachment-vpc-prod-us-east-1
ID: tgw-attach-09d24c8d49c4b0a76
QA Account
Name: TGW-attachment-vpc-qa-us-east-1
ID: tgw-attach-0d3bd1d648be67976
Note: TGW route tables are created in the account that owns the TGW, so in this case everything below is done in the Core Network AWS account.
PROD Account
Define a TGW route table name, select TGW-01 and click the Create transit gateway route table button.
Associate the new TGW route table with the TGW attachment of the vpc-prod-us-east-1 VPC.
QA Account
Define a TGW route table name, select TGW-01 and click the Create transit gateway route table button.
Associate the new TGW route table with the TGW attachment of the vpc-qa-us-east-1 VPC.
The three TGW route tables are created.
6 - Add the routes to the TGW route tables
Based on the network diagram and the resources created so far, here is the information needed to set the routes in the TGW route tables.
- Core Network AWS Account
VPC Name: vpc-core-network - CIDR Block: 10.100.0.0/16
TGW Attachment name: TGW-attachment-vpc-core-network
TGW Attachment ID: tgw-attach-0dcf709522c248333
- PROD AWS Account
VPC Name: vpc-prod-us-east-1 - CIDR Block: 10.10.0.0/16
TGW Attachment name: TGW-attachment-vpc-prod-us-east-1
TGW Attachment ID: tgw-attach-09d24c8d49c4b0a76
- QA AWS Account
VPC Name: vpc-qa-us-east-1 - CIDR Block: 10.20.0.0/16
TGW Attachment name: TGW-attachment-vpc-qa-us-east-1
TGW Attachment ID: tgw-attach-0d3bd1d648be67976
In the Core Network account, create two routes so the hub can send return traffic to the PROD and QA networks.
Select "tgw-rtb-vpc-core-network", click the Routes tab, then Create static route.
Enter the PROD CIDR block and choose the PROD TGW attachment as the target.
Create a second route for the QA account: enter the QA CIDR block and choose the QA TGW attachment as the target.
Routes created.
Now, in the "tgw-rtb-vpc-prod-us-east-1" and "tgw-rtb-vpc-qa-us-east-1" TGW route tables, create a default route (0.0.0.0/0) with the Core Network TGW attachment as the target, as you can see in the next screenshot. Because each spoke table only carries this one route, a spoke can only send traffic to the hub; there is no route from PROD to QA or from QA to PROD inside the TGW.
7 - Add the routes to the VPC route tables in each AWS account
In the Core Network account, add routes to the route tables attached to the public subnets and to the private subnets.
In the public subnet route table (rtb-vpc-core-network-public-subnets), add the routes in the table below, as in the screenshot. The two TGW routes are what let the NAT Gateways, which live in the public subnets, send return traffic back to the PROD and QA VPCs.
CIDR Block | Next Hop
10.100.0.0/16 | local
10.10.0.0/16 | TGW-01
10.20.0.0/16 | TGW-01
0.0.0.0/0 | IGW
In both private subnet route tables, add the routes shown in the screenshots.
rtb-vpc-core-network-private-subnets-us-east-1a
As this route table belongs to the private subnet in the us-east-1a zone, its default route (0.0.0.0/0) should target the NAT Gateway deployed in us-east-1a.
rtb-vpc-core-network-private-subnets-us-east-1b
Likewise, the route table of the private subnet in the us-east-1b zone should use the NAT Gateway deployed in us-east-1b as the target of its default route. The TGW attachment interfaces sit in these private subnets, so traffic arriving from PROD and QA picks up these routes and exits through the NAT Gateway of the AZ it arrived in.
Now create a route in the PROD and QA accounts.
In each VPC route table, create a default route (0.0.0.0/0) with the Transit Gateway as the target.
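Steps 5 to 7 spread the routing across five VPC route tables and three TGW route tables, and a mistake in any of them only shows up as a silent timeout in step 8. The following is an added example (not code from the post): an offline model of those tables that follows a packet hop by hop using the same longest-prefix-match rule the VPC and the TGW apply. The VPC and TGW route tables are transcribed from the post; the routes to the spoke CIDRs in the core private-subnet tables, the single-AZ placement of the PROD and QA subnets, and the table names rtb-vpc-prod and rtb-vpc-qa are assumptions. Beyond the egress path, it also checks something the post does not cover: whether one spoke can reach the other through the hub, and how a blackhole route in the spoke TGW tables closes that path.

```python
"""Offline model of the hub-and-spoke routing built in steps 5-7.

Added example, not code from the post. VPC and TGW route tables are
transcribed from the post; the spoke routes in the core private tables,
the single-AZ PROD/QA subnets and the rtb-vpc-prod / rtb-vpc-qa names
are assumptions.
"""
from ipaddress import ip_address, ip_network

CORE = "TGW-attachment-vpc-core-network"
PROD = "TGW-attachment-vpc-prod-us-east-1"
QA = "TGW-attachment-vpc-qa-us-east-1"

# VPC route tables: (CIDR, target). Targets: local, igw, nat:<az>, tgw.
VPC_RTB = {
    "rtb-vpc-core-network-public-subnets": [
        ("10.100.0.0/16", "local"), ("10.10.0.0/16", "tgw"),
        ("10.20.0.0/16", "tgw"), ("0.0.0.0/0", "igw"),
    ],
    "rtb-vpc-core-network-private-subnets-us-east-1a": [
        ("10.100.0.0/16", "local"), ("10.10.0.0/16", "tgw"),  # spoke routes: assumed
        ("10.20.0.0/16", "tgw"), ("0.0.0.0/0", "nat:us-east-1a"),
    ],
    "rtb-vpc-core-network-private-subnets-us-east-1b": [
        ("10.100.0.0/16", "local"), ("10.10.0.0/16", "tgw"),  # spoke routes: assumed
        ("10.20.0.0/16", "tgw"), ("0.0.0.0/0", "nat:us-east-1b"),
    ],
    "rtb-vpc-prod": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "tgw")],  # name assumed
    "rtb-vpc-qa": [("10.20.0.0/16", "local"), ("0.0.0.0/0", "tgw")],    # name assumed
}

# Which attachment a route table's "tgw" target enters the TGW through.
VPC_ATTACHMENT = {
    "rtb-vpc-core-network-public-subnets": CORE,
    "rtb-vpc-core-network-private-subnets-us-east-1a": CORE,
    "rtb-vpc-core-network-private-subnets-us-east-1b": CORE,
    "rtb-vpc-prod": PROD,
    "rtb-vpc-qa": QA,
}

# Route table the TGW hands traffic to when it delivers into an attachment,
# per AZ (the TGW keeps a flow in the AZ it arrived on when it can).
ATTACHMENT_RTB = {
    CORE: {"us-east-1a": "rtb-vpc-core-network-private-subnets-us-east-1a",
           "us-east-1b": "rtb-vpc-core-network-private-subnets-us-east-1b"},
    PROD: {"us-east-1a": "rtb-vpc-prod", "us-east-1b": "rtb-vpc-prod"},  # single subnet: assumed
    QA: {"us-east-1a": "rtb-vpc-qa", "us-east-1b": "rtb-vpc-qa"},        # single subnet: assumed
}

# Step 5: one TGW route table per attachment. Step 6: the static routes.
TGW_ASSOCIATION = {CORE: "tgw-rtb-vpc-core-network",
                   PROD: "tgw-rtb-vpc-prod-us-east-1",
                   QA: "tgw-rtb-vpc-qa-us-east-1"}
TGW_RTB = {
    "tgw-rtb-vpc-core-network": [("10.10.0.0/16", PROD), ("10.20.0.0/16", QA)],
    "tgw-rtb-vpc-prod-us-east-1": [("0.0.0.0/0", CORE)],
    "tgw-rtb-vpc-qa-us-east-1": [("0.0.0.0/0", CORE)],
}


def lookup(table, dst):
    """Longest-prefix match, the rule both VPC and TGW route tables apply."""
    dst = ip_address(dst)
    matches = [(ip_network(c), t) for c, t in table if dst in ip_network(c)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(src_rtb, dst, az, tgw_rtb=TGW_RTB, max_hops=12):
    """Follow a packet from a subnet's route table until it is delivered
    (local/igw), dropped (blackhole/no-route) or the hop budget runs out."""
    path, rtb = [src_rtb], src_rtb
    for _ in range(max_hops):
        target = lookup(VPC_RTB[rtb], dst)
        path.append(target or "no-route")
        if target == "tgw":
            tgw_table = TGW_ASSOCIATION[VPC_ATTACHMENT[rtb]]
            nxt = lookup(tgw_rtb[tgw_table], dst)
            path += [tgw_table, nxt or "no-route"]
            if nxt in (None, "blackhole"):
                return path
            rtb = ATTACHMENT_RTB[nxt][az]
            path.append(rtb)
        elif target and target.startswith("nat:"):
            # The NAT Gateway sits in the public subnet and forwards from there.
            rtb = "rtb-vpc-core-network-public-subnets"
            path.append(rtb)
        else:
            return path
    return path + ["loop"]


def reaches(src_rtb, dst, az, tgw_rtb=TGW_RTB):
    """Final hop of the trace: igw/local means delivered, anything else is a drop."""
    return trace(src_rtb, dst, az, tgw_rtb)[-1]


def with_blackholes(tgw_rtb=TGW_RTB):
    """Spoke TGW tables with the other spoke's CIDR blackholed. The /16 is more
    specific than 0.0.0.0/0, so spoke-to-spoke traffic is dropped at the TGW."""
    out = {k: list(v) for k, v in tgw_rtb.items()}
    out["tgw-rtb-vpc-prod-us-east-1"].append(("10.20.0.0/16", "blackhole"))
    out["tgw-rtb-vpc-qa-us-east-1"].append(("10.10.0.0/16", "blackhole"))
    return out


if __name__ == "__main__":
    print("QA -> internet:", trace("rtb-vpc-qa", "198.51.100.10", "us-east-1a"))
    print("return -> QA:  ", trace("rtb-vpc-core-network-public-subnets", "10.20.1.10", "us-east-1a"))
    print("PROD -> QA:    ", trace("rtb-vpc-prod", "10.20.1.10", "us-east-1a"))
    print("with blackhole:", trace("rtb-vpc-prod", "10.20.1.10", "us-east-1a", with_blackholes()))
```

With the routes as transcribed, the QA trace ends at the IGW after passing the us-east-1a NAT Gateway, and the return trace from the public subnet lands in the QA VPC, which is exactly what step 8 observes. The third trace shows that, if the core private tables carry routes to the spoke CIDRs, PROD can reach QA by hairpinning through the hub, even though the TGW tables themselves contain no PROD-to-QA route. If the hub is meant to be egress-only, add a blackhole static route for the other spoke's CIDR in each spoke TGW route table (the Create static route dialog has a Blackhole option); the fourth trace shows that route stopping the flow at the TGW.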
8 - Test the connection to the Internet
In the QA account I created an EC2 instance in the private subnet and ran the commands shown in the screenshot below, which show that an instance with no public IP can reach the Internet through the Core Network account.
The "curl ifconfig.me" command returns a public IP address. Compare it with the Elastic IPs of the NAT Gateways in the Core Network account: it should match the NAT Gateway of the AZ the traffic exited through, confirming that the egress went through the hub, as you can see in the screenshot below.
Conclusion
NAT Gateways are a network resource that, when there are many of them, drive up costs and make the bill more expensive at the end of the month, besides leaving Internet egress decentralized across several places and harder to manage. The architecture proposed here demonstrates a solution with high availability, low management complexity and a single exit point, which reduces the AWS bill. Keep in mind that the Transit Gateway itself is billed per attachment and per GB processed, so the saving is largest when many accounts would otherwise each run their own pair of NAT Gateways, and that a single egress point is also the natural place to add egress filtering and flow logging.
Well, I hope you enjoyed it!
Top comments (2)
@hugothomaz thanks for sharing! Can we make use of propagation in a few places where we are adding static routes for the PROD and QA accounts in the Core Network account instead?
Hi @nairpnv,
Sorry for the delay. Yes, you can use propagation instead of creating static routes for PROD and QA.