A well-designed network architecture is the backbone of any cloud infrastructure. It ensures better performance, security, resilience, and easier troubleshooting. Additionally, choosing the right networking solutions can optimize costs by leveraging AWS services that align with your application’s needs.
This article focuses on complex, large-scale setups where multiple teams operate across multiple AWS accounts and regions.
Let’s dive into AWS’s networking offerings and explore the best options for connecting Virtual Private Clouds (VPCs) and external networks. This guide compares VPC Sharing, VPC Peering, AWS Transit Gateway (TGW), and AWS Cloud WAN, highlighting their use cases, advantages, and limitations.
1. VPC Sharing
VPC sharing was introduces at re:Invent in 2018. It allows multiple AWS accounts to use subnets from a single, centrally managed VPC.
Once shared, other accounts (members) can create resources in the subnets such as RDS, EC2, etc. However, the main limitation is that the account that owns the VPC (owner) and members must belong to the same AWS Organization. Members cannot view, modify, or delete resources that belong to other members or the VPC owner.
Use Case:
- When you want to centrally manage networking but allow different AWS accounts to deploy resources in a shared VPC.
- Useful for organizations with multiple business units that need a common network but different AWS accounts for billing and access control.
Pros:
- ✅ Simplifies network management – No need for complex peering or routing setups. Reduces the number of VPCs to manage while maintaining separate accounts for billing and access control.
- ✅ Reduces cost – No need for data transfer fees between VPCs, reuse of NAT GW and VPC endpoints.
- ✅ Better security – The VPC owner centrally manages DNS, routing, VPC endpoints, etc.
Cons:
- ❌ Limited cross-region capability – Works only within a single region and AWS Organization.
- ❌ No isolation – Since all accounts share the same VPC, a misconfiguration can impact multiple users.
- ❌ Only subnets are shared – VPC-wide settings like Security Groups, NACLs, and Route Tables are not shared. Security Group could be referenced by members.
- ❌ Security - Additional guardrails should be applied for members accounts. For example to prevent of creating AWS Client VPN in shared subnet.
Additional resources:
- VPC sharing: A new approach to multiple accounts and VPC management
- VPC sharing: key considerations and best practices
- Share your VPC subnets with other accounts
2. VPC Peering
VPC Peering within the same region was added in 2014, later in 2017 it became possible to do Inter-Region VPC Peering.
VPC Peering creates a direct, private connection between two VPCs, allowing them to communicate using private IPs. Instances in both VPCs can communicate with each other as if they are within the same network.
Use Case:
- When you need low-latency, high-throughput communication between two VPCs.
- When you need connectivity to a VPC from account outside your AWS Organization.
- Best for a hub-and-spoke model where a central VPC connects to multiple others.
- Good for workloads that need direct, private connectivity but don’t require a large-scale network.
Pros:
- ✅ Low latency – Direct connection with no extra hop.
- ✅ High throughput – No bandwidth limitations from AWS-managed services.
- ✅ Secure – traffic is encrypted.
Cons:
- ❌ Not scalable – Each VPC requires a manual peering connection with every other VPC. Complexity increases with number of VPCs > 3.
- ❌ No transitive routing – A VPC that peers with two others can’t forward traffic between them.
- ❌ Cross-region support has costs – Peering across regions incurs inter-region data transfer charges.
- ❌ IP Address Overlaps - VPCs with overlapping IP ranges cannot establish a peering connection.
Additional resources:
- What is VPC peering?
- New VPC Peering for the Amazon Virtual Private Cloud
- How to solve AWS VPC CIDR overlaps | Overlapping IP Addresses | Amazon Web Services
3. AWS Transit Gateway (TGW)
In 2018 AWS introduced AWS Transit Gateway, a managed regional service that simplifies connectivity of multiple VPCs and more. AWS Transit Gateway (TGW) is a fully managed network hub or gateway that connects multiple VPCs, on-premises networks, and even VPNs.
Use Case:
- Ideal for large-scale networking when managing multiple VPCs and hybrid cloud setups.
- Supports centralized network policies and simplifies routing between multiple VPCs.
- Good for enterprises needing inter-region VPC communication or multi-account setups.
Pros:
- ✅ Highly scalable – Supports thousands of VPCs, VPNs, on-premises.
- ✅ Transitive routing – Eliminates complex peering configurations.
- ✅ Multi-account support – Works with AWS Organizations for shared services.
- ✅ Security – ingres/egress traffic inspection, centralized VPC endpoints, etc.
- ✅ Simplified network management – single central place to control all networks.
Cons:
- ❌ Added latency – Traffic flows through TGW, adding an extra hop.
- ❌ Costly – Charged per attachment and data processing.
- ❌ Limited bandwidth – AWS enforces throughput limits per attachment.
- ❌ Regional – TGW is a regional service and does not support dynamic routing between TGWs.
Additional resources:
- What is Amazon VPC Transit Gateways?
- Best practices and considerations to migrate from VPC Peering to AWS Transit Gateway
- Introduction to AWS Transit Gateway
- AWS Transit Gateway | Overview and Best Practices
4. AWS Cloud WAN
In 2022 AWS accounced general availability of AWS Cloud WAN, a managed service that helps you build, manage, and monitor a unified global network.
With Cloud WAN, you can use a central dashboard and network policies to create a global network that spans multiple locations and networks. It supports dynamic routing by using Border Gateway Protocol (BGP) so that you can easily exchange routes around the world.
Most likely this service was build to overcome limitations of Transit Gateways.
Use Case:
- Ideal for multi-region, multi-VPC, and multi-account environments.
- Great for enterprises managing branch office connectivity or hybrid cloud architectures.
- Works well for companies needing centralized policy-based routing for global networks.
Pros:
- ✅ Best for global networking – Ideal for worldwide operations.
- ✅ Automated routing & segmentation – Simplifies policy-based routing.
- ✅ Multi-region support – Built for inter-region communication natively.
- ✅ Security – ingres/egress traffic inspection, centralized VPC endpoints, etc.
Cons:
- ❌ Expensive – Cloud WAN pricing can add up quickly.
- ❌ Overkill for small setups – If you don’t need global-scale networking, TGW might be a better fit.
- ❌ More complex setup – Requires learning policy-based networking concepts.
Additional resources:
- What is AWS Cloud WAN?
- Migration to AWS Cloud WAN multi-Region inspection using service insertion
- Simplify global security inspection with AWS Cloud WAN Service Insertion
- Inspecting network traffic between Amazon VPCs with AWS Cloud WAN
Comparison Table
| Feature | VPC Sharing | VPC Peering | Transit Gateway (TGW) | AWS Cloud WAN |
|---|---|---|---|---|
| Best for | Multi-account subnet sharing | Direct VPC-to-VPC connection | Multi-VPC, hybrid cloud | Global-scale networking |
| Scalability | Low | Low | High | Very High |
| Latency | Low | Low | Medium (extra hop) | Medium (extra hop) |
| Transitive Routing? | No | No | Yes | Yes |
| Multi-Region? | No | Yes | Yes | Yes |
| Cost | Low | Medium | High | Very High |
| Ease of Setup | Easy | Medium | Complex | Most Complex |
Which One Should You Choose?
- Use VPC Sharing for a simple, centralized network within one region and AWS Organization.
- Use VPC Peering for direct, private connectivity between a few VPCs.
- Use AWS Transit Gateway (TGW) for multi-VPC and hybrid cloud setups.
- Use AWS Cloud WAN for global-scale networking with centralized policies and dynamic routing.
This guide should help you choose the right AWS networking solution for your needs. 🚀