Most AWS deployments evolve from a single VPC to multiple VPCs spread across numerous regions as the enterprise expands. However, in a multi-VPC deployment, connectivity between VPCs requires explicit VPC peering connections, which are restricted to VPCs within a single AWS region and cannot granularly filter or control the traffic flowing between VPCs.
The Transit VPC solution with Juniper’s virtual SRX allows enterprises to seamlessly add NGFW services and connectivity to large multi-VPC AWS deployments. It uses a hub-and-spoke topology in which every VPC connects to a dedicated “transit VPC” that serves as the central hub for internal traffic, as well as for external traffic bound for the corporate on-premises data center or the internet. For enterprises with large deployments in multiple regions, the same design scales to a global transit network by connecting multiple transit networks, as shown in Figure 1.
Figure 1: Global AWS Transit VPC deployment in a multi-region hybrid cloud deployment
For simplicity, only 3 VPCs are shown connecting to each transit VPC in Figure 1; in practice, the AWS limit of 100 spoke VPCs per transit VPC can be reached.
Benefits of an AWS Transit VPC solution with Juniper vSRX:
- Integrated security: Juniper’s vSRX Virtual Firewall offers NGFW services in addition to routing and carrier-grade IPsec on a single instance, eliminating the need for Switch Port Analyzer (SPAN) ports.
- High-performance routing: AWS allows 100 spoke VPCs to connect to a transit VPC. Juniper’s vSRX supports 128 Virtual Routing and Forwarding instances (VRFs), which meets the scaling requirement needed to take full advantage of a transit VPC deployment.
- Ease of deployment: the solution can be deployed within minutes in an AWS environment using CloudFormation templates or Ansible scripts.
- Centralized management and granular policies: Junos Space Security Director provides intuitive, centralized configuration and monitoring of security policies across the entire network. Each VPC can have its own security policy, allowing granular control based on roles and responsibilities.
- Lower licensing costs and TCO: the vSRX’s software licensing cost on the AWS Marketplace is lower than that of similar offerings from competitors such as Cisco, Palo Alto Networks, and Check Point. The vSRX also consumes significantly fewer AWS resources, which translates to lower operating costs.
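The hub-and-spoke design above (one VRF and one security policy per spoke VPC, terminated over IPsec on the vSRX hub) looks roughly like the following set-style Junos configuration. This is an added example, not Juniper's solution-brief or CloudFormation code: all names, addresses, the PSK placeholder and the cipher choices are constructed, the external interface ge-0/0/0.0 is assumed to already be addressed in inet.0, and spoke2's IKE/IPsec block is assumed to mirror spoke1's.

```junos
## Added example (constructed names/addresses); spoke1 = 10.1.0.0/16, spoke2 = 10.2.0.0/16
## Route-based tunnel interfaces, one per spoke (inside-tunnel addressing is constructed)
set interfaces st0 unit 1 family inet address 169.254.10.1/30
set interfaces st0 unit 2 family inet address 169.254.10.5/30
## One virtual-router per spoke; each spoke CIDR is reached only over that spoke's tunnel
set routing-instances spoke1 instance-type virtual-router
set routing-instances spoke1 interface st0.1
set routing-instances spoke1 routing-options static route 10.1.0.0/16 next-hop st0.1
set routing-instances spoke2 instance-type virtual-router
set routing-instances spoke2 interface st0.2
set routing-instances spoke2 routing-options static route 10.2.0.0/16 next-hop st0.2
## Leak each spoke's static routes into the other spoke's table so the hub can forward between
## them; the security policy below, not the routing table, decides what may actually cross
set routing-options rib-groups spoke1-leak import-rib [ spoke1.inet.0 spoke2.inet.0 ]
set routing-options rib-groups spoke2-leak import-rib [ spoke2.inet.0 spoke1.inet.0 ]
set routing-instances spoke1 routing-options static rib-group spoke1-leak
set routing-instances spoke2 routing-options static rib-group spoke2-leak
## IKEv2/IPsec for spoke1 (cipher choices are this example's, not a Juniper recommendation)
set security ike proposal ike-aes256 authentication-method pre-shared-keys
set security ike proposal ike-aes256 dh-group group14
set security ike proposal ike-aes256 authentication-algorithm sha-256
set security ike proposal ike-aes256 encryption-algorithm aes-256-cbc
set security ike policy ike-spoke1 proposals ike-aes256
set security ike policy ike-spoke1 pre-shared-key ascii-text "REPLACE-WITH-SPOKE1-PSK"
set security ike gateway gw-spoke1 ike-policy ike-spoke1
set security ike gateway gw-spoke1 address 192.0.2.10
set security ike gateway gw-spoke1 external-interface ge-0/0/0.0
set security ike gateway gw-spoke1 version v2-only
set security ipsec proposal esp-aes256 protocol esp
set security ipsec proposal esp-aes256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal esp-aes256 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-spoke1 perfect-forward-secrecy keys group14
set security ipsec policy ipsec-spoke1 proposals esp-aes256
set security ipsec vpn vpn-spoke1 bind-interface st0.1
set security ipsec vpn vpn-spoke1 ike gateway gw-spoke1
set security ipsec vpn vpn-spoke1 ike ipsec-policy ipsec-spoke1
set security ipsec vpn vpn-spoke1 establish-tunnels immediately
## Zones: the external interface must accept IKE; every spoke gets its own zone for per-VPC policy
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone spoke1 interfaces st0.1
set security zones security-zone spoke2 interfaces st0.2
## Deny everything between spokes except HTTPS from spoke1 to spoke2, logging both ends of each session
set security policies default-policy deny-all
set security policies from-zone spoke1 to-zone spoke2 policy spoke1-https match source-address any
set security policies from-zone spoke1 to-zone spoke2 policy spoke1-https match destination-address any
set security policies from-zone spoke1 to-zone spoke2 policy spoke1-https match application junos-https
set security policies from-zone spoke1 to-zone spoke2 policy spoke1-https then permit
set security policies from-zone spoke1 to-zone spoke2 policy spoke1-https then log session-init
set security policies from-zone spoke1 to-zone spoke2 policy spoke1-https then log session-close
```

Because each spoke sits in its own zone, adding a new VPC means adding a tunnel, a routing instance and a zone, and writing only the from-zone/to-zone policies that VPC actually needs; everything else stays denied and logged by default.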
To learn more about how Juniper can help enterprises deploy a Transit VPC solution with integrated security on their AWS deployments, read this Solution Brief.
Juniper Networks supports two modes of deployment for AWS Transit VPC:
- CloudFormation templates: check out the implementation guide here
- Ansible scripts: reach out to learn more about this option