TGW Design Patterns

If you like to build network segmentation between Dev/QA VPCs and Production VPCs, but require shared service VPC and on-prem to reach each VPC, consider the diagram below. diagram below.

In this network design, you need to create two custom Network Domains, Dev_Domain and Prod_Domain.

At the Plan page Step 2, select Create Custom Security Domain and fill in the information. Make sure you multi-select Shared_Service_Domain and Aviatrix_Edge_Domain for Connect to Security Domains. Apply this step for both Dev_Domain and Prod_Domain.

Aviatrix integrates native TGW Direct Connect and VPN to connect to on-prem while allowing you to connect to multiple cloud as Spoke VPCs.

If you are only concerned about VPC-to-VPC segmentation, you can deploy the Aviatrix Controller for an all-in-cloud segmented network, as shown below.

You can use Aviatrix Transit GWs to connect AWS Transit Gateways in multi-regions and multicloud deployment, as shown below.

You can extend the TGW to a different region with transit peering and then spokes in a different cloud.

If you like to build a full-mesh network that allows all VPCs and on-prem to communicate with each other, you do not need to create any custom Network Domains. Simply use the built-in Default_Domain and Aviatrix_Edge_Domain for the deployment, as shown below.

At Plan page Step 2, select Full mesh network.

If you would like to build a fully isolated network where no VPCs can communicate with each other except to the shared service VPC and on-prem, you need to create a Network Domain for each VPC and connect each domain to the Shared_Service_Domain.

In this network design, you need to create a custom Network Domain for each VPC.

If this design does not scale for you, consider the Aviatrix Transit Network workflow where all VPCs are by default isolated to each other.

An alternative design for a fully isolated deployment is to have a group of VPCs share one Network Domain but disabling VPC route propagation when attaching a VPC, as shown in the diagram below.

The advantage of this design is to keep the Network Domains to a minimum. You can specify connection policies for a domain to communicate with another domain, such as Aviatrix Edge Domain or Aviatrix FireNet Domain, without the VPC in the domain being able to talk to each other.

You can use TGW native VPN capability to connect to multi-sites VPN. Since VPN connection is in Default Security Domain, you need to build connection policy for each VPC domain.

For any of the TGW design patterns, you may deploy Aviatrix distributed Egress FQDN in each VPC. In this example, a full-mesh deployment is expanded to include Egress FQDN support, as shown below.

You can configure Egress Control in the Aviatrix Controller, or use Secure Egress in CoPilot.

Deploy an Aviatrix hardware appliance on-prem to achieve 10Gbps Transit Network throughput. Added benefit is that traffic over Direct Connect is encrypted.

Simplify and scale your firewall deployment with Aviatrix Firewall Network solution. For more information, see Firewall Network Overview.

Aviatrix supports TGW VPN and TGW Direct Connect for connecting to remote site or on-prem network, as shown in the diagram below.

If the majority of deployment is outside China regions, the best way to connect China region VPC or VNets are to use the cloud native AWS VGW or Azure VPN gateway and connect them to Aviatrix Transit Gateway by IPsec tunnels, as shown in the diagram below. This architecture applies to all other cloud providers that have presence in China regions. On the Aviatrix side, use the option External Devices when making the connection.

To connect any network of a cloud provider that is not AWS, Azure, GCP, and Oracle Cloud, use the native VPN gateway of these cloud providers to build VPN tunnels to the Aviatrix Transit Gateway to connect to the rest of the deployment, as shown in the diagram below. On the Aviatrix side, use the option [External Devices when making the connection.

If the Aviatrix Transit Gateway connects to multiple sites over IPsec or GRE tunnels, the Network Domains can be extended to each site as shown below, where Blue Domain in the cloud can only communicate with Site 2, Green Domain can only communicate with Site 1. Routes are only advertised within the domain and data traffic is segmented by the Network Domains.