Designing a Secure Multi-VPC Architecture with AWS Transit Gateway and IGW

-

 Preface

In an AWS cloud Proof of Concept (PoC), Transit Gateway (TGW) and Internet Gateway (IGW) are key to secure, scalable and efficient communication between different VPCs and external networks. Transit Gateway (TGW) is a central routing hub where multiple VPCs can communicate without the complexity of multiple VPC peering connections. It simplifies network management, scales and enforces security policies through route tables to control traffic between connected VPCs. Internet Gateway (IGW) is required for outbound and inbound internet access for resources in public subnets. It allows public facing workloads like web servers and APIs to talk to external services while keeping private subnets secure through NAT Gateways. Together TGW and IGW provide a structured and controlled networking environment, so critical workloads are secure, isolated when needed and connected efficiently in a multi-VPC architecture.





POC 


The proposed Proof of Concept (PoC) focuses on establishing secure and controlled communication between multiple VPCs using AWS Transit Gateway (TGW) and Internet Gateway (IGW) in the US-EAST-1 region. The architecture consists of three VPCs: GTPL_NOC (10.1.1.0/24), GTPL_SOC (10.1.2.0/24), and GTPL_ADM (10.1.3.0/24), with TGW (GTPL_TGW_US-EAST-1) acting as the central routing hub. GTPL_NOC and GTPL_ADM are connected via TGW, enabling seamless communication, while GTPL_SOC remains isolated with no TGW attachment to enforce strict security policies. An Internet Gateway (GTPL_IGW_US-EAST-1) is attached to GTPL_NOC to facilitate external connectivity, allowing public-facing resources in the GTPL_NOC Public Subnet (10.1.1.0/28) to access the internet. Private subnets in GTPL_ADM (10.1.3.0/28) can leverage a NAT Gateway in GTPL_NOC for outbound internet access without exposing internal resources. By implementing TGW route tables and security policies, the setup ensures efficient inter-VPC communication while maintaining strict isolation for GTPL_SOC. This PoC serves as a scalable network foundation, enabling controlled access to internet services while securing sensitive workloads in a multi-VPC environment.


             AWS network architecture Diagram as per POC


Implementation steps of POC

Step-1: Create VPC for GTPL_NOC


Step-2: Create VPC for GTPL_SOC


Step-3: Create VPC for GTPL_ADMIN



Step-4: Create transit Gateway of GTPL_TGW


Step-5: Create Public subnet for GTPL_NOC 



Step-6: Create Public subnet for GTPL_SOC



Step-7: Create Private subnet for GTPL_ADMIN



Step-8 Attach GTPL_NOC_VPC with TGW


Step-9 Attach GTPL_ADMIN_VPC with TGW



STEP-10 create security group with inbound and outbound traffic rule of GTPL_NOC 



STEP-11 Associate GTPL_NOC Security Group with GTPL_ADMIN_VPC


STEP-12 Create VM /EC2 instance for GTPL_NOC





STEP-13 Create GTPL_NOC_IGW for outbound traffic towards internet





STEP-14 Select GTPL_NOC VPC and attached with GTPL_NOC_IGW





Step-15 Associate GTPL_NOC_VPC with GTPL_ADMIN_SG



wrap-up: 


✅ GTPL_NOC → IGW for Internet Access
❌ GTPL_SOC → No IGW, Fully Isolated
❌ GTPL_ADM → No IGW, Use NAT if needed


1. Previous all steps need to be followed from Admin department towards NOC department except IGW.

2. Here, SOC department remains isolated.

3. As per requirement wise need to apply Inbound and outbound traffic policy then create security group appropriately.

4. As per Policy and POC wise VPC need to attach with security group.

5. Virtual Machine/workload/EC2 instance need to attach with VPC.

6. with the help of ICMP reachability we can cross-verify architecture wise POC.



Comments

Post a Comment

Popular posts from this blog

Configuring NNI Interface Policies and Container Integration in Nokia SR and Juniper AG Networks

-
Image
 Objective: - This blog aims to give a comprehensive overview of the process for integrating containerized network services in a multi-vendor setting, specifically using Nokia Service Routers (SR) and Juniper Aggregation Routers (AG). It emphasizes the importance of NNI interface policies for facilitating smooth communication between different network segments and provides guidance on configuring management interfaces and routing to optimize connectivity and traffic flow. The goal of this guide is to help network engineers implement scalable and interoperable solutions while making complex network operations easier to manage. Scenario :- In Vodafone ISP, Pune location 2 SR non-production devices need to be launched in production. Router R1 acts as a primary and Router R2 acts as a secondary back up router. Both routers aggregate traffic combines at uplink Nasik Aggregate router. This uplink is connected with IXR router at Mumbai location. To automate process flow AWS containers are...
Read more

AI in NOC: A New Era for Capacity Planning and Network Management

-
Image
   Introduction :- Predicting router interface traffic in modern network management is critical to achieve optimal network performance, resource allocation, and proactively eliminate bottlenecks. This case study suggests using machine learning on network datasets to develop a model that predicts an actual router’s interface traffic versus an ideal router’s traffic. By evaluating historical data of network traffic and utilizing well-established machine learning API-based algorithms like Neural Networks, Decision Trees, and Ensemble Methods, this analysis reviews the formation possibilities of a strong prediction model with grand accuracy. At the end of the study, this paper reviews multiple factors and features related to the traffic in the interface such as the hour in the day, the day’s sequence in the week, the network protocol, the application, and the structure of the network. Additionally, it explores the machine learning algorithms to compare the accuracy of the ML model...
Read more