Well Architected Networking

Applying AWS Well-Architected Framework principles to network connectivity

AWS Well-Architected Framework Network Pillars

Six Pillars

The AWS Well-Architected Framework has six pillars, each including best practices and questions to consider when architecting cloud solutions. This section highlights best practices most relevant to network connectivity.

Design Considerations

When designing connectivity to multiple networks, consider all future planned workloads in on-premises and cloud environments. Ensure workloads will be resilient, secure, high performing, and cost effective when deployed over multiple networks.

At infrastructure level, start by designing network to be resilient, secure, high performing, and cost effective.

Foundations - Plan Your Network Topology

Reliability

Best Practice: Provision Redundant Connectivity

Provision redundant connectivity between private networks in cloud and on-premises environments.

Implementation Guidelines

• Have failover network mechanisms on premises and in cloud for interruptions
• For VPN connections: Consider resiliency and bandwidth requirements
  • If VPN appliance not resilient, have redundant connection through second appliance
• For Direct Connect: Implement redundant connections from each data center
  • Use second Direct Connect connection from different location than first
  • For multiple data centers, ensure connections point to different locations
• VPN as backup for Direct Connect connection

Best Practice: Prefer Hub-and-Spoke Topologies

Prefer hub-and-spoke topologies over many-to-many mesh.

Recommendations

• Use hub-and-spoke topologies like Transit Gateway rather than many-to-many mesh like VPC peering
• Transit Gateway provides hub-and-spoke model that routes traffic across networks
• Avoid VPC peering to connect more than two VPCs
• Don’t establish multiple BGP sessions for each VPC to create connectivity across multiple Regions

Supporting AWS Services

• Implement VPN connection failover if Direct Connect between on-premises and AWS VPC networks not available
• For multiple VPCs, implement hub-and-spoke model for less connection maintenance and ease of use

Infrastructure Protection - Protecting Networks

Security

Best Practice: Control Traffic at All Layers

Apply zero trust approach to implement principle of security at all layers. Careful planning and management of network design forms foundation for providing isolation and boundaries for resources within hybrid workload.

Implementation

• Establish private network traffic by implementing Direct Connect or Site-to-Site VPN to protect communication
• Site-to-Site VPN: Creates secure connection with tunnels to traverse public internet from on-premises to AWS Cloud
• Direct Connect: Establishes dedicated private line from on-premises to Direct Connect location

Supporting AWS Services

• Implement Site-to-Site VPN for private network traffic over internet
• Implement Direct Connect for private, dedicated line to AWS

Data Protection - Protecting Data in Transit

Security

Data in transit is any data sent from one system to another, including communication between resources within workload and communication between other services and end users.

Best Practice: Authenticate Network Communications

Verify identity of communications using protocols that support authentication, such as TLS or IPsec.

Benefits

• Using network protocols with authentication establishes trust between parties
• Adds to encryption used in protocol to reduce risk of communications being altered or intercepted
• Common protocols: TLS (used in many AWS services) and IPsec (used in AWS VPNs)

Best Practice: Enforce Encryption in Transit

Use protocols with encryption when transmitting sensitive data outside of VPC.

Requirements

• All data encrypted in transit using TLS protocols and cipher suites
• Recommended: TLS version 1.3
• Network traffic to internet must be encrypted to mitigate unauthorized access
• Consider protecting network-to-network traffic with IPsec VPN or Direct Connect for private network traffic

Supporting AWS Services

• Implement Site-to-Site VPN using IPsec protocol to authenticate traffic and establish encrypted VPN tunnels
• Implement encryption and Direct Connect for private, dedicated line to AWS

Selection - Network Architecture Selection

Performance

Optimal solution for particular workload varies, and solutions often combine multiple approaches. Well-architected workloads use multiple solutions and include different features to improve performance.

Best Practice: Choose Appropriately Sized Connectivity

Size workload traffic that will need hybrid networking.

Considerations

• Multiple configuration options: dedicated connection or VPN
• Select appropriate connection type for each workload
• Verify adequate bandwidth and encryption requirements between location and cloud
• Estimate bandwidth and latency requirements for hybrid workload to drive sizing requirements

Best Practice: Choose Workload Location Based on Network Requirements

Evaluate options for resource placement to reduce network latency and improve throughput.

Benefits

• Optimal user experience by reducing page load and data transfer times
• Applications or users on-premises: May benefit from dedicated network connection
• Direct Connect: Reduces chance of public internet congestion or unexpected latency increases
• Site-to-Site VPN with acceleration: Uses Global Accelerator to route traffic to closest AWS edge location

Supporting AWS Services

• Evaluate workloads to estimate bandwidth and encryption requirements between workload location and AWS
• Implement Direct Connect for predictable performance if users/applications on-premises

Cost Effective Resources - Plan for Data Transfer

Cost Optimization

Workload on network should fully use all resources, achieve outcomes at lowest possible price, and meet functional requirements. Network costs should be included in workload cost benchmark.

Best Practice: Select Components to Optimize Data Transfer Cost

Architect data transfer to minimize data transfer costs.

Strategies

• Use content delivery networks to locate data closer to users
• Use dedicated network connection like Direct Connect from on-premises to AWS
• Use WAN optimization and application optimization to reduce data transfer between components

Best Practice: Implement Services to Reduce Data Transfer Costs

Use data transfer modeling to identify largest costs and highest volume flows.

Process

• Review AWS services to assess transfer reduction opportunities
• Assess networking and content delivery services that reduce or remove transfer
• AWS preference: Customers use Direct Connect instead of VPN for predictable connectivity

Supporting AWS Services

Use dedicated network connection like Direct Connect from on-premises to VPCs to optimize data transfer costs and provide predictable data transfer cost.

Key Takeaways

Tip

Network Design Principles

• Provision redundant connectivity between private networks
• Prefer hub-and-spoke topologies over many-to-many mesh
• Control traffic at all layers with authentication and encryption
• Choose appropriately sized connectivity and optimize for cost

The AWS Well-Architected Framework provides comprehensive guidance for designing network connectivity that balances reliability, security, performance, and cost optimization across hybrid cloud environments.