How do Aviatrix Security Domains and Connection Policies help orchestrate and simplify cloud network connectivity when using native AWS Transit Gateway (TGW)?
AWS Transit Gateway (TGW) is a service that enables connectivity across multiple VPCs and on-premises networks. It also supports network segmentation by allowing users to group VPCs into defined route domains.
When using AWS Transit Gateway (TGW), multiple VPCs can be grouped together into route domains. Similar to virtual routing and forwarding (VRF) in traditional networks, a route domain is a conceptual group of VPCs and/or VPNs attached to a single route table. Through route propagation, a user can enable the VPCs in that route domain to talk to each other. Each route domain has a route table associated with it in the AWS Transit Gateway (TGW). Every time a new spoke VPC is added to that route domain, the VPC route tables need to be updated so that instances in the newly added spoke VPC can talk to instances in the other spoke VPCs in the same route domain. Of course, route domains also provide isolation from other route domains.
Updating route tables every time a new VPC or a new route domain is added to the existing network is cumbersome and time consuming. The problem grows dramatically if you have multiple VPCs and multiple AWS Transit Gateways (TGWs) that need to be connected.
Another problem arises when two different route domains need to talk to each other. Although you can connect route domains using AWS route propagation, you still need to manually update all the associated AWS Transit Gateway (TGW) route tables and VPC route tables to enable communication across route domains.
Aviatrix makes the route domain and propagation process much simpler through the Aviatrix Software-Defined Cloud Router (managed from the Aviatrix Controller console), which fully orchestrates the AWS Transit Gateway (TGW) using the Aviatrix Security Domain and Connection Policy concepts.
A Security Domain is an enforced network of member VPCs attached to the same route table. Member VPCs have connectivity to each other; VPCs outside of the domain cannot connect to them. A Security Domain is an instantiation of the AWS Transit Gateway (TGW) route domain concept, and it enables VPC segmentation through AWS Transit Gateway (TGW). For example, you can have “dev”, “prod” and “test” security domains to isolate your development, production and test environments in your AWS cloud. In this scenario, the VPCs in the dev security domain cannot talk to VPCs in the prod and test security domains. A security domain can have one or more spoke VPCs as its members, and VPCs within a security domain communicate with each other via AWS Transit Gateway (TGW).
Now, every time a new spoke VPC is added to a Security domain, Aviatrix will automatically propagate the routes and perform all route table updates so that all instances in the newly added spoke VPC can talk to instances in other spoke VPCs within that security domain. Also, if there is a need for route domains to talk to each other, Aviatrix will establish the connectivity and update all the associated route tables.
By default, security domains are independent and not connected to each other, i.e., the spoke VPCs in one security domain cannot talk to spoke VPCs in other domains. However, if required, Aviatrix can enable connectivity among security domains through policy-based route updates driven by connection policies.
A Connection Policy is enforced connectivity across Security Domains, implemented with AWS Transit Gateway (TGW) route table propagation. If two security domains are connected through a connection policy, spoke VPCs in both security domains can talk to each other. The connection policy is applied at the security domain level, which avoids specifying connections at the individual VPC level.
A simple way to think about this is:
Aviatrix Security Domain = AWS Transit Gateway (TGW) Route Domain + Dynamic Route Propagation of Spoke VPCs
Aviatrix Connection Policy = AWS Transit Gateway (TGW) Route Table Propagation + Policy based route updates
When an AWS Transit Gateway (TGW) is created by using the Aviatrix Controller, three security domains are created by default.
- Default Security Domain – A default security domain is created whenever you create a TGW using the Aviatrix Controller. If you do not plan on building any VPC network segmentation, you can use the default domain for inter-spoke VPC and hybrid communications. This essentially creates a mesh network where every VPC can talk to every other VPC.
- Shared Service Security Domain – When an AWS Transit Gateway (TGW) is created by the Aviatrix Controller, the Shared Service Security Domain is created, and a corresponding route table is created on the AWS Transit Gateway (TGW). You can attach a spoke VPC to this domain and host your shared service instances, such as your DevOps tools, there. The Shared Service Security Domain is always connected to the Default Security Domain and the Aviatrix Edge Security Domain.
- Aviatrix Edge Security Domain – When an AWS Transit Gateway (TGW) is created by the Aviatrix Controller, the Aviatrix Edge Security Domain is created, and a corresponding route table is created on the AWS Transit Gateway (TGW). The Aviatrix Edge Security Domain is designated for connecting VPCs to the on-premises network. There must be one VPC attached to this domain; in that VPC, an Aviatrix Transit Gateway is deployed and used for data traffic forwarding between spoke VPCs and the on-premises network. The Aviatrix Edge Security Domain is always connected to the Shared Service Security Domain and the Default Security Domain.
In addition to the above three security domains, you can easily create additional security domains based on your network needs and establish connection policies among them.
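As an added illustration (not Aviatrix or AWS code), the model below computes the per-domain TGW route tables that the Security Domain and Connection Policy abstractions above describe, including the three default domains and their always-on connections. Domain names, VPC names and CIDRs are constructed, and the model assumes propagation is per attachment into one table, so a policy does not make connectivity transitive across a third domain.

```python
# Constructed topology: Security Domain -> {vpc_name: cidr}. The first three
# are the domains the Controller creates on every TGW; dev/prod are custom.
DOMAINS = {
    "Default": {},
    "Shared Service": {"shared-tools": "10.0.0.0/16"},
    "Aviatrix Edge": {"transit-vpc": "10.1.0.0/16"},
    "dev": {"dev-a": "10.10.0.0/16", "dev-b": "10.11.0.0/16"},
    "prod": {"prod-a": "10.20.0.0/16"},
}

# Connection Policies as unordered domain pairs. The three default domains are
# always connected to each other; dev <-> Shared Service is a user-added policy.
POLICIES = {
    frozenset({"Default", "Shared Service"}),
    frozenset({"Shared Service", "Aviatrix Edge"}),
    frozenset({"Aviatrix Edge", "Default"}),
    frozenset({"dev", "Shared Service"}),
}


def build_route_tables(domains, policies):
    """One TGW route table per Security Domain: cidr -> vpc for the domain's
    own members (intra-domain propagation) plus the members of every domain it
    has a Connection Policy with. Propagation is per attachment into a table,
    so dev <-> Shared does not give dev a route to Edge or prod (assumption)."""
    tables = {}
    for name, members in domains.items():
        table = {cidr: vpc for vpc, cidr in members.items()}
        for other, other_members in domains.items():
            if other != name and frozenset({name, other}) in policies:
                table.update({cidr: vpc for vpc, cidr in other_members.items()})
        tables[name] = table
    return tables


def domain_of(domains, vpc):
    return next(d for d, members in domains.items() if vpc in members)


def can_reach(domains, tables, src, dst):
    """Both directions must exist: a route to dst in src's domain table and a
    return route to src in dst's domain table."""
    sd, dd = domain_of(domains, src), domain_of(domains, dst)
    return domains[dd][dst] in tables[sd] and domains[sd][src] in tables[dd]


def segmentation_violations(domains, tables, isolated_pairs):
    """Defender check: VPC pairs that can talk although their domains must
    stay isolated (e.g. dev/prod). Returns [] when segmentation holds."""
    return [(va, vb) for a, b in isolated_pairs for va in domains[a]
            for vb in domains[b] if can_reach(domains, tables, va, vb)]


def add_spoke(domains, policies, domain, vpc, cidr):
    """Attach a new spoke; rebuilding re-propagates it into every table that
    needs it, which is the update the Controller performs automatically."""
    domains[domain][vpc] = cidr
    return build_route_tables(domains, policies)
```

Running `segmentation_violations(DOMAINS, build_route_tables(DOMAINS, POLICIES), [("dev", "prod")])` returns an empty list for this topology, and adding a dev <-> prod policy to POLICIES makes it list every dev/prod VPC pair.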
In summary, Aviatrix orchestrator (available in the Aviatrix Controller) simplifies and extends the AWS Transit Gateway (TGW) by using dynamic route propagation, policy abstraction and simplifying operations through a single pane of glass.