AWS customers such as large government entities, central IT agencies, and educational institutions are faced with challenges in designing an enterprise scale network architecture that can meet high availability, hybrid connectivity, security, and compliance requirements. Join this session to take a technical deep dive into AWS network architectures. Discover common design patterns and best practices that are critical to public sector enterprise use cases. Explore new services like AWS Transit Gateway, and learn how to incorporate these services in building scalable, secure, and multi-account architectures.

1. P U B L I C S E C T O R
S U M M I T
SINGAPORE

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enterprise Network Architectures
on AWS
Steve Sofian
Solutions Architect
Worldwide Public Sector
AWS

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Target Audience
• Customers who are architecting an AWS Network Architecture
• Existing AWS users using Amazon VPC in production environments
• Network architects/engineers interested in AWS Networking Services
deep-dive

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
What not to expect
• Explanation of Amazon VPC basics; we assume that you know:
• Amazon VPCs
• Subnets
• Route tables
• Security groups/NACLs
• Explanation of AWS core services

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
Account
Strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
Services
External
Connectivity
WAN
Internal
Connectivity
Multi-Region
Options

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Common Public Sector Requirements

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Automation of infrastructure
AWS Direct Connect and VPN standards
Subnet and routing standards
AWS Identity and Access Management
Strict security groups and routing
Identifying resources with tags
Smaller Amazon VPCs or accountsLarger Amazon VPCs or accounts
Account and Amazon VPC Segmentation
Infrastructure and
Networking
Policy and IAM

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Segmentation: Decision inputs
Relationship between accounts, Amazon VPCs, and tenants?
• Do accounts and tenants trust each other?
• Is the current network segmentation intentional or a side effect?
Who owns security and networking?
• Each team or a centralized team?
Compliance and governance requirements?
• Can they be scoped to an account or an Amazon VPC level?

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Baseline security
IAM
Security groups
Segmentation Options: Layers
Application Application
Application Application
Application
Application
Inside the account
At the Amazon VPC
ACLs
Network security
Route tables
Network ACLs
Separate Amazon VPCs

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Separation of Duties using AWS Organizations
Core OU
AWS Organizations
Shared Services Log Archive
Account
baseline
Shared
Amazon VPC
Parameter
store
VPN/DXEndpoints
Route 53
Resolver
NAT
gateway
AWS Transit
Gateway
Security
AWS Direct
Connect
Network Services
Workload
OU
Workload
Regulated Workload
Workload
Amazon VPC
Workload
Amazon VPC

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multi-account services
Resource Access ManagerAWS Organizations Aware Services

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS Control Tower
Automated AWS setup
Launch an automated
landing zone with best-
practices blueprints
Policy enforcement
Pre-packaged guardrails
to enforce policies or
detect violations
Dashboard for oversight
Continuous visibility into
workload compliance with
controls

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
Account
Strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
Services
External
Connectivity
WAN
Internal
Connectivity
Multi-Region
Options

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Internal connectivity options
Amazon VPC peering
• One-to-one connectivity
• Scales to 100 Amazon VPCs
• Security groups across
Amazon VPCs
• Inter-Region peering
Transit Amazon VPC
• Shared services as a spoke
• Bandwidth constrained
• Complex management
• Instance and licensing costs
VPN
WAN
AWS Direct
Connect
Transit VPC
Shared
Services
AWS Transit Gateway
• Many-to-many or one-to-many
with route tables
• Highly scalable
• Hourly per attachment costs
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production Shared Services
Route
Tables
Route
Tables
Transit Gateway
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly
endpoint costs

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Our Starting Point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Our Starting Point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Our Starting Point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Challenge: Adding more Amazon VPCs
VPN
WAN
AWS Direct
Connect
Dev Prod Dev Prod Dev Prod

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Challenge: Peering Amazon VPCs
VPN
WAN
AWS Direct
Connect
Dev Prod Dev Prod Dev Prod
Connect dev and prod
Amazon VPC peering
Connect the yellow environment
How does this scale?
Let’s:

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
VPN
WAN
AWS Direct
Connect
Dev Prod Dev Prod Dev Prod
Dev Prod Dev Prod Dev Prod
Scaling connections?
Scaling Amazon VPC peering?
Shared services?
Firewall and services?

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC
Dev Prod Dev Prod Dev Prod
Dev Prod Dev Prod Dev Prod

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Connectivity options at scale
Amazon VPC Peering
• 1-to-1 connectivity
• Scales to 100 Amazon VPCs
• Security groups across VPCs
• Inter-region peering
Transit Amazon VPC
• Shared services as a spoke
• Bandwidth restricted
• Complex management
• Instance and licensing costs
AWS Transit Gateway
• Many-to-many or one-to-many
with route tables
• Highly scalable
• Hourly per attachment costs
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production Shared Services
Route
Tables
Route
Tables
Transit Gateway
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly
endpoint costs

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Transit Amazon
VPC
VPN
WAN
AWS Direct
Connect
Transit VPC
Dev Prod Dev Prod Dev Prod
Dev Prod Dev Prod Dev Prod

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
VPN
WAN
AWS Direct
Connect
Transit Gateway
AWS
Transit Gateway
Dev Prod Dev Prod Dev Prod
Dev Prod Dev Prod Dev Prod

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS Transit Gateway
AWS Region
Transit Gateway
ENIs
VPN
Routing Domain
Routing Domain
AWS Direct
Connect
Regional service
Scalable
Flexible routing

26. P U B L I C S E C T O R
S U M M I T
Reference network
architecture
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN AWS Direct Connect
Account Account Account Account IAM, cross-account roles
Route
tables
Route
tables
AWS Transit Gateway

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Amazon VPC sharing
Easily share Amazon VPC networks between AWS accounts,
providing central oversight, and control for networking
engineers

28. P U B L I C S E C T O R
S U M M I T
Amazon VPC sharing and AWS Resource Access Manager
Share subnets between accounts in an AWS Organization
Account
Account
Account
Account
Resource Share
• Public subnets
• Private subnets
Resource Share
• Private subnets
Infrastructure
account

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Amazon VPC sharing benefits
Less unused resources
• Higher density subnets, add up
to five additional CIDRs
• More efficient use of VPN and
AWS Direct Connect
Separation of duties
• Infrastructure strictly controls
routing, IP addresses, and Amazon
VPC structure
• Developers own their resources,
accounts, and security groups
Decouple accounts and networks
• Account protection and billing
without additional infrastructure
• Many accounts with fewer
networks
• Avoid Amazon VPC peering
charges

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Segmentation considerations: Where to start
Security groups and IAM are effective and proven
• Encourage IAM and security group use and monitor security configuration
Shared Amazon VPCs
• Tenants should limit access from the internet and other tenants
• Amazon VPCs using Amazon VPC peering are likely to benefit from shared Amazon VPCs
• Design around resource and limit contention
Separate Amazon VPCs
• Often the best security decision is the simplest; separate Amazon VPCs are simple
• Use separate Amazon VPCs for strong network segmentation and resource isolation
• AWS Transit Gateway removes the scaling issues with many Amazon VPCs (peering, VPN,
routes)
AWS Transit Gateway route tables define multi-Amazon VPC policy
• Consider isolating environments (dev and prod) and allow access to shared resources

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
Account
Strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
Services
External
Connectivity
WAN
Internal
Connectivity
Multi-Region
Options

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Connecting to on premises
Virtual Private Gateway VPN AWS Direct Connect
VPN WAN
• Per Amazon VPC
• 1.25 Gbps outbound
• Encrypted in transit
• 50 virtual interfaces per
port
• Multiple Amazon VPCs with
AWS Direct Connect
gateway
• No bandwidth constraints
AWS Transit Gateway VPN
VPN
• Multiple Amazon VPCs
• Add VPN connection as needed
• 1.25 Gbps per tunnel
• AWS Direct Connect Support
Amazon EC2 Customer VPN
VPN
• Per Amazon VPC or multiple
(Transit Amazon VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by
management complexity

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Connecting to on premises at scale
Virtual Private Gateway VPN AWS Direct Connect
VPN WAN
• Per Amazon VPC
• 1.25 Gbps per tunnel
• Encrypted in transit
• 50 virtual interfaces per
port
• Multiple Amazon VPCs with
AWS Direct Connect
gateway
• No bandwidth constraints
AWS Transit Gateway VPN
VPN
• Multiple Amazon VPCs
• Add VPN connection as needed
• 1.25 Gbps per tunnel
• AWS Direct Connect support
Amazon EC2 Customer VPN
VPN
• Per Amazon VPC or multiple
(Transit Amazon VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by
management complexity

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Private connectivity with AWS Direct Connect
Dedicated private connection
from on premises to AWS
Consistent network
performance
Reduced bandwidth costs
Compatible with all
AWS services

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS Direct Connect to many Amazon VPCs
AWS Region
10.1.0.0/16
WAN
On premises
AWS Direct Connect
location
Private Virtual Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
Up to 50 VIFs per port
AWS Direct Connect
location 2

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
P U B L I C S E C T O R
S U M M I T
AWS Direct Connect Gateway
AWS Region
10.1.0.0/16
WAN
On premises
AWS Direct Connect
location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
Up to 10 VGWs per Direct
Connect Gateway
AWS Direct Connect
location 2
Direct
Connect
Gateway
Account

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
P U B L I C S E C T O R
S U M M I T
Direct Connect Gateway: Multiple accounts
10.1.0.0/16
WAN
On premises
AWS Direct Connect
location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
AWS Direct Connect
location 2
Direct
Connect
Gateway
Account A
Account B

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
VPN With Transit Gateway
VPN
Route
Tables
Route
Tables
AWS Transit Gateway
Customer Gateway
Consolidate VPN at the AWS Transit Gateway
• VPN acts similar to the Virtual Private Gateway (VGW)
• Bandwidth, configuration, APIs, cost, and experience
• VPN is attached to a AWS Transit Gateway instead of
a VGW
• Same 1.25 Gbps bandwidth per tunnel applies
Encryption to the edge of many Amazon VPCs
• Traffic is encrypted until it’s inside the Amazon VPC
• Does not natively encrypt traffic between Amazon
VPCs
• Inter-Region Amazon VPC peering does

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
VPN with AWS Transit Gateway: Add more bandwidth
VPN
Route
Tables
Route
Tables
AWS Transit Gateway
Customer Gateway
Support for spreading traffic across many tunnels
• Equal cost multi-path (ECMP) support with BGP multi-
path
• Tested up to 50 Gbps of traffic
• Split traffic into smaller flows, multi-part uploads, etc.
Check your on-premises configuration
• Multi-path BGP
• ECMP support, amount of equal paths, reverse-path
forwarding/spoofing checks
• Only supported with BGP, not static routing

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
P U B L I C S E C T O R
S U M M I T
AWS Direct Connect and AWS Transit Gateway
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN
Route
Tables
Route
Tables
AWS Transit Gateway

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
P U B L I C S E C T O R
S U M M I T
AWS Direct Connect and AWS Transit Gateway
AWS Direct Connect with VPN
failover
VPN over AWS Direct Connect
via Public virtual interface
(VIF)
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN
AWS Direct
Connect
Route
Tables
Route
Tables
AWS Transit Gateway
Transit VIF
VPN
AWS Direct
Connect
Route
Tables
Route
Tables
AWS Transit Gateway
Public VIF
AWS Region
Receive AWS
public IP addresses
Direct Connect
Gateway

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AWS Client VPN
Support for OpenVPN clients
Available in 10 AWS Regions
today
Connected users charged
per user per hour

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Attachment
to Amazon
VPC
TLS based tunnel
over the internet
User with open
VPN client
Client VPN
endpoint
Client
The
InternetAmazon
DynamoDB
Amazon S3
On premises

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
Account
Strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
Services
External
Connectivity
WAN
Internal
Connectivity
Multi-Region
Options

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enabling hybrid cloud
Amazon
VPC
Data Center

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enabling hybrid cloud
Amazon
VPC
Data Center
X
DNS not resolvable

49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enabling hybrid cloud
Amazon
VPC
Data Center
DNS Forwarders

50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enabling hybrid cloud
Amazon
VPC
Data Center

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enabling hybrid cloud – multiple accounts
Amazon
VPC
Data Center
Amazon
VPC
Amazon
VPC

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enabling hybrid cloud
Amazon
VPC
Data Center
Amazon
VPC
Amazon
VPC

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Enabling hybrid cloud – highly available forwarders
Data Center
Amazon
VPC
Amazon
VPC
Amazon
VPC

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Route 53 Resolver
Managed DNS Resolver
service from Route 53
Create conditional
forwarding rules to re-direct
query traffic
Enables hybrid connectivity
over AWS Direct Connect
and managed VPN

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Route 53 Resolver
Amazon
VPC
Amazon
VPC
Amazon
VPC

56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Benefit to you: Availability
• Use AWS high-availability architecture
• Create additional redundancy by provisioning more ENIs in different
AZs
Amazon
VPC

57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Benefit to you: Cross account rules sharing
Amazon
VPC
Amazon
VPC
Amazon
VPC

58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Interface Amazon VPC endpoints - powered by AWS
PrivateLink
Three types of services accessible over AWS PrivateLink
• AWS services – interface Amazon VPC endpoints
• Customer-hosted internal services
• Third-party services (SaaS)

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Amazon VPC endpoints (VPCEs) for AWS services
AWS ServiceConsumer VPC
Consumer VPC
AWS Service
VPCE
us-east-1
Growing list of supported AWS Services:
Amazon API Gateway
App Mesh
AWS CloudFormation
AWS CloudTrail
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeBuild
AWS CodeCommit
AWS CodePipeline
AWS Config
Amazon EC2 API
Elastic Load Balancing
Amazon Elastic Container Registry
Amazon Elastic Container Service
AWS Glue
AWS Key Management Service
Amazon Kinesis Data Firehose
Amazon Kinesis Data Streams
Amazon SageMaker
Amazon SageMaker Runtime
Amazon SageMaker Notebook Instance
AWS Secrets Manager
AWS Security Token Service
AWS Service Catalog
Amazon SNS
Amazon SQS
AWS Systems Manager
AWS Storage Gateway
AWS Transfer for SFTP

60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Sharing VPCEs across Amazon VPCs using AWS Transit
Gateway
Amazon VPC
Shared services VPC (service consumer)
Corporate data center
On-premises
servers
Route53
resolver
AWS
Transit
Gateway
Amazon VPC
Amazon VPC
VPN

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
Account
Strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
Services
External
Connectivity
WAN
Internal
Connectivity
Multi-Region
Options

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Private connectivity with inter-Region peering
Private connectivity for two
or more Amazon VPCs between
Regions
Highly available, no single
point of failure
All traffic stays on the AWS
global backbone network
All traffic encrypted and
anonymized

64. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multiple Regions with AWS Direct Connect
WAN
On Premises
AWS Direct Connect
Location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Region
AWS Direct Connect
Location 2
AWS
Direct
Connect
Gateway
Account
AWS Region

65. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multiple Regions with AWS Direct Connect AWS
Transit Gateway
WAN
On Premises
AWS Direct Connect
Location
Transit Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Direct Connect
Location 2
AWS
Direct
Connect
Gateway
Account
AWS Region
AWS Region

66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Multiple Regions with Direct Connect + TGW
WAN
On Premises
AWS Direct Connect
Location
Transit Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Direct Connect
Location 2
AWS
Direct
Connect
Gateway
Region
Region
Network Services Account
Prod Account
Dev Account

67. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

68. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Takeaways
Enterprises have flexibility to architect for any use case
We have tools that scale to many Amazon VPCs across many AWS
accounts
Use services in combination to meet scale and security requirements

69. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Advice
• Networking changes fast, no more crystal balls
• Start simple – stay simple; reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test

70. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Steve Sofian
Solutions Architect
Worldwide Public Sector
AWS