Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. What is Hub-and-Spoke Architecture?
A hub-and-spoke architecture is a network design where:
- A central hub connects multiple networks
- Multiple spokes (VPCs, accounts, or networks) connect to the hub
- Traffic between spokes goes through the hub
Key Idea:
Instead of connecting every VPC directly to every other VPC, all connections go through a central point.
2. Why Use Hub-and-Spoke in AWS?
In AWS environments, especially large ones, you may have:
- Multiple VPCs
- Multiple AWS accounts
- Multiple Regions
- On-premises networks
Problems Without Hub-and-Spoke:
- Too many connections (complexity)
- Difficult routing management
- Hard to enforce security policies
Benefits of Hub-and-Spoke:
- Centralized routing
- Centralized security inspection
- Easier scalability
- Reduced operational complexity
3. Two Main AWS Hub-and-Spoke Implementations
There are two important models:
3.1 AWS Transit Gateway (Modern Approach)
What is Transit Gateway?
AWS Transit Gateway (TGW) is a managed service that acts as a central network hub.
It connects:
- VPCs
- VPN connections
- Direct Connect gateways
Key Features:
- Highly scalable
- Fully managed by AWS
- Supports thousands of VPCs
- Built-in routing control
Architecture with Transit Gateway
- Hub = Transit Gateway
- Spokes = VPCs (attached to TGW)
Each VPC connects to the Transit Gateway using a VPC attachment.
How It Works
- Create a Transit Gateway
- Attach VPCs to the TGW
- Configure TGW route tables
- Update VPC route tables to send traffic to TGW
Components of Transit Gateway
1. Attachments
- VPC attachment
- VPN attachment
- Direct Connect attachment
2. Route Tables
- Control how traffic flows between attachments
- Can isolate or allow communication between VPCs
3. Associations & Propagations
- Association: Which route table an attachment uses
- Propagation: Routes learned dynamically
Example IT Use Case
- One VPC hosts shared services (DNS, logging, security tools)
- Other VPCs host applications
- All VPCs connect to TGW
- Traffic flows through TGW to access shared services
Advantages of Transit Gateway
- No need for full mesh peering
- Centralized control
- Easier to scale
- Supports multi-account environments
- Works across Regions (via peering)
Important Exam Points
- TGW is regional
- Supports inter-region peering
- Uses route tables for segmentation
- Supports multicast (special cases)
- Works with AWS Resource Access Manager (RAM) for sharing across accounts
3.2 Transit VPC (Legacy Approach)
What is Transit VPC?
A Transit VPC is a self-managed hub built using EC2 instances.
Before Transit Gateway existed, this was the main way to build hub-and-spoke.
Architecture with Transit VPC
- Hub = VPC with EC2 routers (e.g., VPN appliances)
- Spokes = Other VPCs connected via VPN
How It Works
- Create a central VPC (Transit VPC)
- Deploy VPN appliances (EC2 instances)
- Create VPN tunnels from spoke VPCs to Transit VPC
- Route traffic through the Transit VPC
Components
- EC2 instances acting as routers/firewalls
- VPN tunnels (IPsec)
- Route tables
- Security groups
Example IT Use Case
- Organization uses third-party firewall appliances
- Transit VPC hosts those appliances
- All traffic between VPCs goes through firewall
Limitations of Transit VPC
- Requires manual setup and management
- Limited scalability
- Higher operational overhead
- Depends on EC2 performance
Important Exam Points
- Considered legacy design
- Still used when:
- You need custom network appliances
- You need specific routing control not supported by TGW
4. Transit Gateway vs Transit VPC (Exam Comparison)
| Feature | Transit Gateway | Transit VPC |
|---|---|---|
| Type | Managed service | Self-managed |
| Scalability | Very high | Limited |
| Complexity | Low | High |
| Performance | High | Depends on EC2 |
| Maintenance | AWS-managed | Customer-managed |
| Recommended | Yes (modern) | No (legacy use only) |
5. Routing Behavior in Hub-and-Spoke
Key Routing Concepts:
1. Centralized Routing
- All traffic flows through hub
- No direct VPC-to-VPC connection
2. Route Tables
- Control which spokes can talk to each other
- Can isolate environments (e.g., dev vs prod)
3. Segmentation
- Use multiple TGW route tables
- Control traffic flow between groups of VPCs
6. Security in Hub-and-Spoke
Centralized Security
You can place security tools in the hub:
- Firewalls
- Intrusion detection systems
- Logging systems
All traffic can be:
- Inspected
- Logged
- Controlled
Example IT Use Case
- Security VPC contains:
- Firewall appliance
- Traffic monitoring tools
- All VPC traffic routes through it via TGW
7. Multi-Account Hub-and-Spoke
Using AWS RAM
You can:
- Share Transit Gateway across accounts
- Attach VPCs from different accounts
Benefits:
- Central networking team manages TGW
- Application teams manage their VPCs
8. Multi-Region Hub-and-Spoke
- Use Transit Gateway Peering
- Connect TGWs in different Regions
Important:
- Traffic stays on AWS global network
- No single global TGW (regional only)
9. When to Use Which
Use Transit Gateway When:
- You have many VPCs
- You want simple management
- You need scalability
- You want AWS-managed solution
Use Transit VPC When:
- You require custom appliances not supported by TGW
- You need specific third-party integrations
10. Common Exam Scenarios
Scenario 1:
Many VPCs need connectivity
→ Use Transit Gateway
Scenario 2:
Centralized security inspection required
→ Use TGW + inspection VPC
Scenario 3:
Multiple AWS accounts
→ Use TGW with AWS RAM
Scenario 4:
Legacy VPN-based architecture
→ Transit VPC (but recommend migration to TGW)
11. Key Exam Tips
- Transit Gateway = preferred modern solution
- Transit VPC = legacy
- Hub-and-spoke = centralized control
- TGW route tables = traffic segmentation
- Use RAM for multi-account sharing
- TGW is regional, not global
12. Quick Summary
- Hub-and-spoke simplifies network design
- Central hub controls routing and security
- Transit Gateway is the best AWS solution
- Transit VPC is older and less efficient
- Used in multi-VPC, multi-account, hybrid environments
