cloud networking, multi-cloud networking, thrid party integration

Building a Cloud Backbone

This architecture establishes a cloud backbone connecting AWS, Azure, and GCP, with AWS Transit Gateway (TGW), Azure Virtual WAN (vWAN), and GCP Network Connectivity Center (NCC) serving as northbound components to manage connectivity within each cloud, while Aviatrix Transit Gateways form the backbone for inter-cloud connectivity, ensuring seamless traffic flow across the clouds. Southbound connectivity links on-premises environments to each cloud using dedicated circuits, specifically AWS Direct Connect, Azure ExpressRoute, and GCP Cloud Interconnect, enabling secure and high-performance access to cloud resources.

AWS Transit Gateway

  • What it is: It provides a single gateway to interconnect VPCs within the same AWS account, across different accounts, and with on-premises networks via VPN or AWS Direct Connect. This reduces the need for complex peering relationships (e.g., VPC peering in a mesh topology) and simplifies network management.
  • How It Works: Transit Gateway acts as a regional router. You attach VPCs, VPNs, or Direct Connect gateways to the Transit Gateway, and it routes traffic between them based on a centralized route table. Each attachment (e.g., a VPC or VPN) can be associated with a specific route table to control traffic flow.

Azure Virtual WAN (vWAN)

  • What It Is: Azure Virtual WAN (vWAN) is a managed networking service that provides a centralized hub-and-spoke architecture to connect Azure Virtual Networks (VNets), on-premises networks, branch offices, and remote users. It simplifies large-scale network management by offering a unified solution for connectivity, routing, and security across Azure regions and hybrid environments.
  • How It Works: vWAN creates virtual hubs in Azure regions, each acting as a central point for connectivity. VNets, VPNs (site-to-site, point-to-site), and ExpressRoute circuits are attached to these hubs. vWAN integrates with Azure Route Server to enable dynamic routing via Border Gateway Protocol (BGP). Azure Route Server, deployed in a dedicated subnet, peers with network virtual appliances (NVAs) like firewalls, ExpressRoute, and VPN gateways, learning and propagating routes to VNets and VMs. vWAN supports any-to-any connectivity in its Standard tier, allowing traffic to flow between VNets, branches, and on-premises networks through the hub, with options for security and traffic optimization using Azure Firewall or third-party NVAs.

GCP Network Connectivity Center (NCC)

  • What It Is: Google Cloud’s Network Connectivity Center (NCC) is a hub-and-spoke networking service that simplifies connectivity between Google Cloud Virtual Private Cloud (VPC) networks, on-premises networks, and other cloud providers. It provides a centralized way to manage hybrid and multi-cloud connectivity, reducing the complexity of manual route configuration.
  • How It Works: NCC operates as a global hub with spokes representing different network resources, such as VPCs, Cloud VPN tunnels, Cloud Interconnect attachments, or third-party networks (e.g., via Megaport Virtual Edge). It uses Google Cloud Router for dynamic routing via BGP. Cloud Router, a regional service within a VPC, establishes BGP sessions with external routers (e.g., on-premises routers or other cloud routers), learns routes, and programs them into the VPC’s routing table.

AWS Transit Gateway, Azure Virtual WAN, and Google Cloud Network Connectivity Center Comparison

Feature/AspectAWS Transit GatewayAzure Virtual WANGoogle Cloud Network Connectivity Center (NCC)
PurposeCentral hub for connecting VPCs, on-premises networks, and AWS services in a hub-and-spoke model.Enables global transit network architecture with hub-and-spoke connectivity for VNs, branches, and users.Centralized hub for hybrid and multi-cloud connectivity, connecting VPCs, on-premises networks, and other clouds.
ScopeBroad hub-and-spoke solution for VPC-to-VPC, hybrid, and inter-region connectivity.Hub-and-spoke model for VN-to-VN, hybrid, and global connectivity using Microsoft’s backbone.Hub-and-spoke model focused on hybrid and multi-cloud connectivity, less on intra-VPC routing.
Layer of OperationLayer 3 (Network Layer)Layer 3 (Network Layer)Layer 3 (Network Layer)
Dynamic RoutingSupports BGP for dynamic routing between VPCs, VPNs, and Direct Connect.Supports BGP for dynamic routing with ExpressRoute, VPNs, and SD-WAN devices.Supports BGP for dynamic routing with Interconnect, VPNs, and third-party routers.
Hybrid ConnectivityIntegrates with AWS Direct Connect and Site-to-Site VPN for on-premises connectivity.Integrates with ExpressRoute and VPN; supports branch-to-branch and VN-to-VN transit.Integrates with Cloud Interconnect and Cloud VPN; supports hybrid and multi-cloud setups.
Inter-Region SupportNative inter-region peering between Transit Gateways for global connectivity.Hub-to-hub connectivity in a full mesh for global transit across regions.Uses a global Spoke-Hub-Spoke model; supports cross-region connectivity via hubs.
ScalabilitySupports thousands of VPCs; up to 50 Gbps throughput per Transit Gateway.Scales with hub infrastructure units (up to 2000 VMs per hub); hub-to-hub full mesh.Scales with hub-and-spoke model; no specific throughput limit, but depends on attachments.
High AvailabilityBuilt-in redundancy within a region; supports multiple Transit Gateways for failover.Full mesh hub-to-hub connectivity; supports ExpressRoute Global Reach for redundancy.Managed service with regional redundancy; supports HA with multiple attachments.
NVA/SD-WAN IntegrationSupports Transit Gateway Connect for SD-WAN (GRE tunnels, up to 20 Gbps).Native integration with SD-WAN vendors (e.g., Cisco, Aruba); supports NVAs in hubs.Supports third-party routers and SD-WAN via Router Appliance spokes; less native integration.
IPv6 SupportSupports IPv6 for VPCs, VPNs, and Direct Connect.Supports IPv6 for ExpressRoute and VPN, but not in all configurations.Supports IPv6 for Interconnect and VPN, but limited in some multi-cloud scenarios.
Use Cases– Multi-VPC connectivity
– Hybrid cloud setups
– Centralized security VPCs
– Global applications		– Global transit for branches and VNs
– Hybrid connectivity with ExpressRoute/VPN
– SD-WAN integration
– Multi-region hub-and-spoke		– Hybrid and multi-cloud connectivity
– Centralized management of external connections
– Multi-region VPC connectivity
Limitations– Regional service; inter-region peering adds latency/cost
– Data transfer fees ($0.02/GB)		– Hub-to-hub latency for cross-region traffic
– Limited to 2000 VMs per hub without scaling units
– Complex routing configuration		– Less mature than TGW/vWAN
– Limited intra-VPC routing features
– Egress costs for Interconnect/VPN
Cost$0.02/GB for data processed; additional fees for attachments and inter-region peering.Costs for hub deployment, data processing, and ExpressRoute/VPN usage (not specified).Free for NCC; costs for Interconnect ($0.02–$0.10/GB egress) and VPN data transfer.

AWS Deployment

The Terraform configuration sets up a multi-cloud transit network in AWS using Aviatrix modules, integrating Aviatrix Transit Gateways with AWS Transit Gateways (TGW) via GRE tunnels and BGP. It also can deploy and bootstrap PAN firewalls.

https://github.com/rtrentinavx/bb/tree/main/control/8/aws2.1

Azure Deployment

The provided Terraform code deployes an Aviatrix transit architecture on Azure. It includes data sources, local variables, and resources to manage transit gateways, BGP over LAN (bgpolan), vWAN creation and integration, and spoke gateways. It also can deploy and bootstrap PAN firewalls.

https://github.com/rtrentinavx/bb/tree/main/control/8/azure2.1

GCP Deployment

The provided Terraform code deployes an Aviatrix transit architecture on Google Cloud Platform (GCP). It includes data sources, local variables, and resources to manage transit gateways, BGP over LAN (bgpolan), Network Connectivity Center (NCC) creation and integration, and spoke gateways. It also can deploy and bootstrap PAN firewalls.

https://github.com/rtrentinavx/bb/tree/main/control/8/gcp2.1

References

https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

https://cloud.google.com/network-connectivity-center

Leave a Reply