AWS Transit VPC

Netgate’s TNSR provides the most cost-effective and highest performance implementation of AWS Transit VPC.


AWS Transit VPC enables multiple Virtual Private Clouds (VPCs) - either geographically disparate and/or running in separate AWS accounts - to connect to a common VPC that serves as a global network transit center. Transit VPC simplifies cloud network management and minimizes the number of connections that must be configured and managed. Further, owing to its virtual implementation, no physical network equipment - or physical presence in a colocation transit hub is required.

Private Networking

Build a high-performance private IPSec network that spans two or more AWS regions.

Shared Connectivity

Multiple VPCs can share connections to data centers, partner networks, and other clouds.

Cross-Account AWS Usage

VPCs, and the AWS resources within them, can reside in multiple AWS accounts.

Application Highlights

  • AWS enables three throughput options ranging from 500 Mbps to 2 Gbps (note TNSR scales as high as 4.79 Gbps on a single Xeon-class core - setting a new bar for Transit VPC throughput potential)
  • Transit VPC is implemented over a pair of connections for high availability
  • CloudFormation uses Netgate’s TNSR platform, now available in the AWS Marketplace
  • TNSR supports hourly and annual subscription models
  • TNSR subscriptions include enterprise level support - leading to not only the highest performance option, but the leading price-performance, and lowest total cost of ownership option on the market

Application Details

Transit VPC uses an AWS CloudFormation stack to launch and configure all AWS resources. Three throughput options ranging from 500 Mbps to 2 Gbps are available - each implemented over a pair of connections for high availability. The stack makes use of the Netgate’s TNSR Secure Networking Software Platform, available through the AWS Marketplace.

TNSR instances are available on an hourly or annual subscription basis, with significant discounts applied to annual subscriptions.

The total cost per solution is based on selected AWS Transit throughput option, selected TNSR EC2 instance option, number of spoke VPCs, and optional AWS Key Management Service (KMS). All prices are exclusive of network transit costs.

The template installs and uses a pair of AWS Lambda functions in a creative way!

The VGW Poller function runs every minute. It scans all AWS regions in the account, looking for appropriately tagged Virtual Private Gateways in spoke VPCs that do not have a VPN connection. When one is found, a corresponding customer gateway is created and associated VPN connections are connected to TNSR, and then all configuration information is saved to an S3 bucket.

TNSR parses the VPN connection information and generates appropriate config files, then pushes them to TNSR instances using SSH. This allows the VPN tunnels to come up via BGP, with neighbor relationships established with spoke VPCs.

As a result, new spoke VPCs can be added quickly - avoiding the overhead of underutilized EC2 instances. More details, including a solution implementation guide, can be found on the AWS Marketplace.