Choosing between AWS PrivateLink and Transit Gateway

Photo by Federico Burgalassi on Unsplash

When connecting your AWS environment to a SaaS solution in another AWS account, what do you say if you get asked whether you want to use AWS PrivateLink, Transit Gateway (TGW), or VPC Peering to accomplish this? All three can co-exist in the same environment for different purposes. But let’s say you’ve already ruled out VPC Peering, because its intransitive nature makes it a less scalable solution as you add more VPCs. And let’s also assume you already have many VPCs and plan to add more. So how do you decide between PrivateLink and TGW? There’s an AWS blog post about how you can use Route 53’s Private DNS feature to integrate AWS Private Link with TGW, reducing the number of VPC endpoints and in turn reducing cost and complexity. So assuming

• you like to reduce cost and complexity,
• you have many VPCs in your AWS footprint that may want to connect to this SaaS solution,
• your SaaS partner is giving you not only an AWS PrivateLink option but also a TGW alternative, the question then boils down to: do you want to use AWS PrivateLink in the shared services VPC of your TGW architectureor direct to TGW? Choosing only TGW seems like the simpler option. But there are cases where choosing the AWS PrivateLink combo could be a workaround to one of the following situations:
• You’ve got overlapping CIDR blocks with the VPC in the partner’s VPC. (PrivateLink doesn’t care about overlapping CIDR blocks, unlike TGW.)

Some of the considerations, as a decision tree.

• You’ve got CIDR blocks that need to connect to the partner’s VPC that are not allowed by the partner’s networking rules. The TGW with AWS PrivateLink combo could also simplify your security, because the partner connection over the PrivateLink is unidirectional, meaning connections can only be initiated from your side to the partner. Sure, you can configure the route tables of Transit Gateway to achieve that effect, but that’s one more thing you have to get right.

How does DNS compare between the PrivateLink and TGW, when you have many VPCs?

For both scenarios, you can use Route 53 Resolver endpoints to extend DNS resolution across accounts and VPCs. As described in the aforementioned blog, and in the “Interface endpoint private DNS“ section of this AWS blog post, to extend DNS resolution across accounts and VPCs, you need to create cross-account private hosted zone-VPC associations to the spoke VPCs. Going with the TGW-only option gives you the flexibility that comes with layer-3 bidirectional connectivity. In conclusion, it depends. It depends on your security requirements, on whether PrivateLink is compatible with your existing tooling for monitoring of your hybrid network, whether your CIDR block allocation allows for the TGW-only connection.

How about cost?

When I use the calculator for PrivateLink pricing, I see nothing is free. With two VPC endpoints and 3 ENIs per VPC endpoint for high availability, at 100 GBs of data processed per hour, I’m paying $773.80 per month. And with just a single Transit Gateway attachment and the same quantity of data, I’d incur $1496.50 of monthly charges. So, with these inputs, from a financial perspective, choosing between PrivateLink+TGW and TGW-only is like choosing between 773.80 USD+1,496.50 USD or 1,496.50 USD.

• Total Data processed by all VPCE ENIs in the region: 100 GB per hour x 730 hours in a month = 73000 GB per month
• 2 VPC endpoints x 3 ENIs per VPC endpoint x 730 hours in a month x 0.01 USD = 43.80 USD (Hourly cost for endpoint ENI)
• Tiered price for: 73000 GB
• 73000 GB x 0.0100000000 USD = 730.00 USD
• Total tier cost = 730.0000 USD (PrivateLink data processing cost)
• 43.80 USD + 730 USD = 773.80 USD (Total PrivateLink Cost)
• Total PrivateLink endpoints and data processing cost (monthly): 773.80 USD Pricing calculations
• Data processed per Transit Gateway attachment: 100 GB per hour x 730 hours in a month = 73000 GB per month
• 730 hours in a month x 0.05 USD = 36.50 USD (Transit Gateway attachment hourly cost)
• 73,000 GB per month x 0.02 USD = 1,460.00 USD (Transit Gateway data processing cost)
• 36.50 USD + 1,460.00 USD = 1,496.50 USD (Transit Gateway processing and monthly cost per attachment)
• 1 attachments x 1,496.50 USD = 1,496.50 USD (Total Transit Gateway per attachment usage and data processing cost)
• Total Transit Gateway per attachment usage and data processing cost (monthly): 1,496.50 USD How about throughput? By default, each interface endpoint can support a bandwidth of up to 10 Gbps per Availability Zone. and bursts of up to 40Gbps. If your application needs higher bursts or sustained throughput, contact AWS support. — AWS docs AWS Transit Gateway can scale to 50-Gbps capacity. — “Scaling VPN throughput using AWS Transit Gateway”, AWS Blog. So Transit Gateway, out of the box, handles higher bandwidth. How much throughput are you expecting? So what now? Talk to your networking and security folks and bring up these considerations. That might help narrow it down for you.