AWS in Plain English


Transitive Routing — AWS — Advanced Networking

Rakesh M
AWS in Plain English
2 min read · Jul 13, 2022


Before looking at the way AWS handles transitive routing, let us first wrap our heads around the transitive property in mathematics.

What is the transitive property? A property is called transitive if, for three quantities x, y and z, whenever x is related to y by some rule and y is related to z by the same rule, we can say that x is related to z by that same rule.

Alright, now let’s look at the following scenario:

Connectivity from VPC3 to VPC1 works just fine, and VPC2 to VPC1 also works just fine, but VPC2 to VPC3 (or VPC3 to VPC2) routed via VPC1 will never work in AWS. This is the first thing we should remember.

I see only downsides! Well, not everything is lost here; there are security benefits as well, and a large part of them concern IP address spoofing. Imagine someone is trying to send a packet into your VPC: the check makes sure that the instance won’t accept the packet, as that address is not locally configured, and an instance also cannot send packets with an arbitrary source IP. That is one of the preliminary reasons why Source and Destination checks are turned off.

Okay, before delving deeper into this, what are the exceptions?

The first thing to understand clearly is that, for traffic to be answered, it should either be generated from a source address/interface within the VPC and/or it should at least be destined to an address that belongs to the destination VPC.

The VGW (virtual private gateway) is one service where this is bypassed: by the nature of how a VGW works, it can advertise the routes it sees, process the communication, and is well aware of the sources and destinations.

What different solutions are available?

One easier solution is to build proxy servers. The proxy re-sources the packet, so the traffic carries the source address of the proxy server within the same VPC, as if the communication were destined for the local VPC’s existing interface.

The other is full-mesh VPC peering, which technically makes all communication direct VPC-to-VPC.
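The scenario above, as a small offline model added here (not code from the article): three VPCs with constructed CIDRs, a hub-and-spoke peering (VPC1 peered with VPC2 and VPC3) and the two workarounds, full-mesh peering and a proxy in the hub VPC. It assumes the route tables already point every remote CIDR at the right peering connection and ignores security groups, so the only rule it models is that a peering connection carries packets only between its two peers’ own address ranges.

```python
"""Why VPC peering is not transitive: constructed model, not the article's code.
CIDRs, host addresses and VPC names below are made up for illustration."""
import ipaddress

VPCS = {"VPC1": "10.1.0.0/16", "VPC2": "10.2.0.0/16", "VPC3": "10.3.0.0/16"}
HUB_AND_SPOKE = [("VPC1", "VPC2"), ("VPC1", "VPC3")]   # the article's scenario
FULL_MESH = HUB_AND_SPOKE + [("VPC2", "VPC3")]          # every pair peered directly


def owner(ip):
    """Name of the VPC whose CIDR contains ip, or None if no VPC owns it."""
    for name, cidr in VPCS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return name
    return None


def peering_carries(peering, src_ip, dst_ip):
    """A peering connection forwards a packet only when its source AND destination
    lie in the two peers' own CIDRs; a packet sourced in a third VPC is dropped,
    which is exactly what stops the hub VPC from relaying for its spokes."""
    return {owner(src_ip), owner(dst_ip)} == set(peering)


def reachable(peerings, src_ip, dst_ip):
    """True if a packet from src_ip is delivered to dst_ip over the given peerings.
    Only one peering hop is ever usable, so no multi-hop search is needed."""
    src_vpc, dst_vpc = owner(src_ip), owner(dst_ip)
    if src_vpc is None or dst_vpc is None:
        return False                                  # address belongs to no VPC
    if src_vpc == dst_vpc:
        return True                                   # local delivery
    return any(peering_carries(p, src_ip, dst_ip) for p in peerings)


def reachable_via_proxy(peerings, src_ip, proxy_ip, dst_ip):
    """The proxy workaround: the client talks to a proxy in the hub VPC and the
    proxy opens its own connection, so the second leg is sourced inside the hub."""
    return reachable(peerings, src_ip, proxy_ip) and reachable(peerings, proxy_ip, dst_ip)


if __name__ == "__main__":
    c2, c3, proxy1 = "10.2.0.10", "10.3.0.10", "10.1.0.5"   # constructed hosts
    print("VPC2 -> VPC1:", reachable(HUB_AND_SPOKE, c2, "10.1.0.20"))  # True
    print("VPC2 -> VPC3 via VPC1:", reachable(HUB_AND_SPOKE, c2, c3))   # False
    print("VPC2 -> VPC3, full mesh:", reachable(FULL_MESH, c2, c3))     # True
    print("VPC2 -> VPC3 via proxy:",
          reachable_via_proxy(HUB_AND_SPOKE, c2, proxy1, c3))           # True
```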

Transit VPC is a really good solution, if we have to explore one.

-Rakesh



Written by Rakesh M

Network Engineer at Amazon Data Services
