A core component in your company’s move to the Amazon Web Services cloud is the design of Amazon Virtual Private Cloud (VPC) network resources. Although AWS provides a VPC network design wizard, issues such as IP address range selection, subnet creation, route table configuration and connectivity options must be carefully evaluated.
Thinking through such issues ensures a smoother transition from in-house infrastructure while reducing the risk of time-consuming backtracking of your cloud architecture.
Single versus Multiple AWS Accounts
Before designing your VPCs, it is necessary to consider how many AWS accounts you will deploy into.
In some situations, using a single AWS account may be sufficient. One account is often sufficient when using AWS for disaster recovery or as a development sandbox. However, in many other situations multiple AWS accounts should be considered.
For instance, you may wish to separate development and testing environments into one account and place a production environment into a second account. Additional AWS accounts may be created to reflect the organizational structure of larger enterprises. Multiple accounts can be utilized also to separate workloads based on security requirements such as the isolation of PCI-compliant workloads from those that are less sensitive.
“Escrow” accounts that emulate offsite backups or consolidated billing accounts may also benefit from additional AWS accounts although these account types typically do not impact the VPC design.
Single versus Multiple VPCs
Choosing whether your AWS infrastructure utilizes a single VPC or several VPCs is not a straightforward decision.
Using multiple VPCs provides better isolation between systems, contains the scope of security audits, and limits the “blast radius” in case of an operator error or security breach. However, multiple VPCs increase the complexity of network topology, routing, and connectivity between the VPCs and on-premises data centers.
Using a single VPC simplifies networking and connectivity but makes it harder to isolate workloads from one another. With a single VPC, isolation of workloads, user accounts and network access leans heavily on AWS Security Groups (SGs) and Network Access Control Lists (NACLs), and the likelihood of running into AWS limits on SGs and NACLs is higher.
If you use multiple VPCs, consider isolating them from each other. VPC isolation is also appropriate if you want dedicated VPCs for shared infrastructure such as authentication stores, management tools, or common entry points (e.g., bastion servers).
Single vs Multiple Region Deployments
AWS regions are isolated from each other by design, which means that virtual networks are also inherently separated. For most uses, a single-region network configuration is sufficient. However, globally shared configurations that require low latency between active processing workloads bring additional factors to take into consideration.
When evaluating interconnection between regions, scrutinize whether you can deploy to multiple regions within an isolated architecture or if a content delivery network (CDN) solution such as CloudFront meets your needs.
There are a number of factors with respect to VPC subnetting that must be taken into account:
- High availability of AWS Managed Services, such as RDS, is achieved by using multiple subnets in multiple AWS Availability Zones
- AWS subnets cannot be resized
- AWS subnets will either share or have independent routing tables assigned
If your subnet IP ranges might not meet your future needs, consider using the newly added AWS support for IPv6 from the start.
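Because subnets cannot be resized, the CIDR plan has to be right before anything is deployed. The following added example (not from the original post) carves a VPC block into one subnet per tier and Availability Zone, reports the usable host count after the five addresses AWS reserves in every subnet, and checks the VPC block against on-premises ranges it must not overlap; the VPC and on-premises CIDRs are constructed sample values.

```python
import ipaddress
from itertools import product

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, tiers, new_prefix):
    """Carve vpc_cidr into one /new_prefix subnet per (tier, AZ) pair.

    Returns a list of dicts with name, tier, az, cidr and usable host count.
    Raises ValueError if the VPC block cannot hold all of them, which is
    the case you want to catch before creation, since subnets can't grow later.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = vpc.subnets(new_prefix=new_prefix)
    plan = []
    for tier, az in product(tiers, azs):
        try:
            subnet = next(candidates)
        except StopIteration:
            raise ValueError(
                f"{vpc_cidr} cannot hold {len(tiers) * len(azs)} /{new_prefix} subnets"
            )
        plan.append({
            "name": f"{tier}-{az}",
            "tier": tier,
            "az": az,
            "cidr": str(subnet),
            "usable": subnet.num_addresses - AWS_RESERVED_PER_SUBNET,
        })
    return plan


def check_overlap(vpc_cidr, other_cidrs):
    """Return the CIDRs (on-premises ranges or other VPCs) that overlap vpc_cidr."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    # Constructed sample: a /16 VPC, two tiers across three AZs, /24 subnets.
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
    for s in plan_subnets("10.20.0.0/16", azs, ["public", "private"], 24):
        print(f"{s['name']:<20} {s['cidr']:<16} usable hosts: {s['usable']}")
    # Constructed on-premises ranges that a migration must not collide with.
    print("overlaps:", check_overlap("10.20.0.0/16", ["10.0.0.0/8", "192.168.0.0/16"]))
```

Spotting an overlap here is what prevents the VPN or peering connection from failing later.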
Network Connectivity Options
Peering allows communication between VPCs using private IPv4 or public IPv6 addressing over a virtual connection. This feature enables AWS cross-account connections within a single AWS region. Peering facilitates resource sharing between two or more VPCs, although it does not allow transitive peering relationships.
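Non-transitive peering has a practical consequence for the shared-infrastructure VPC pattern described earlier: spokes peered to a hub cannot reach each other through it, and every peering needs a route entry on both sides. This added example (not from the original post) derives those route entries, refuses overlapping CIDRs (a pair of overlapping VPCs cannot be peered), and lists the direct connections a required set of VPC pairs is still missing; VPC names, CIDRs and the pcx-* identifiers are constructed placeholders.

```python
import ipaddress


def peering_routes(vpc_cidrs, peerings):
    """Derive the route each VPC's route table needs for its peerings.

    vpc_cidrs: {"vpc-name": "cidr"}; peerings: list of (a, b) pairs, one per
    peering connection. Returns {"vpc-name": [(destination_cidr, target)]}.
    """
    routes = {name: [] for name in vpc_cidrs}
    for a, b in peerings:
        net_a = ipaddress.ip_network(vpc_cidrs[a])
        net_b = ipaddress.ip_network(vpc_cidrs[b])
        if net_a.overlaps(net_b):
            raise ValueError(f"{a} and {b} have overlapping CIDRs; peering is not possible")
        pcx = f"pcx-{a}-{b}"  # placeholder; real ids are assigned by AWS
        routes[a].append((str(net_b), pcx))  # a reaches b's block via the peering
        routes[b].append((str(net_a), pcx))  # and b needs the reverse route
    return routes


def reachable(peerings):
    """Map each VPC to the VPCs it can reach: direct peers only, no transitivity."""
    graph = {}
    for a, b in peerings:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def missing_peerings(peerings, required_pairs):
    """Return required VPC pairs that have no direct peering connection."""
    direct = {frozenset(p) for p in peerings}
    return [tuple(p) for p in required_pairs if frozenset(p) not in direct]


if __name__ == "__main__":
    # Constructed hub-and-spoke sample: a shared-services VPC peered to dev and prod.
    vpcs = {"shared": "10.0.0.0/16", "dev": "10.1.0.0/16", "prod": "10.2.0.0/16"}
    peerings = [("shared", "dev"), ("shared", "prod")]
    for vpc, entries in peering_routes(vpcs, peerings).items():
        print(vpc, entries)
    print("dev can reach:", sorted(reachable(peerings)["dev"]))  # shared only
    print("missing:", missing_peerings(peerings, [("dev", "prod"), ("shared", "dev")]))
```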
AWS provides several flavors of VPN connectivity depending on your needs. These are used to connect your VPCs to remote networks such as your corporate intranet:
- AWS managed hardware VPN – A high-availability, redundant IPsec connection compatible with major vendors’ routers
- Customer managed software VPN – Consists of an EC2 instance within a VPC running a software VPN appliance obtained from a third party
- AWS VPN CloudHub – For connection to multiple remote networks
AWS Direct Connect
AWS Direct Connect provides a dedicated physical connection for high-performance and high-reliability connectivity between AWS and on-premises data centers. Often, VPNs are configured over Direct Connect connections.
Choosing the correct VPC architecture for your cloud migration is a critical first step in moving to the cloud. “Re-dos” are unfortunately common when choices about system partitioning, CIDR sizing or VPC options lead to hard-to-manage, insecure or inefficient cloud infrastructure.
TriNimbus has assisted many customers in evaluating their present and future cloud requirements. Our clients realize the optimal VPC and networking options for their AWS cloud services transition, which results in an easily maintainable and scalable cloud presence. As clients transition from legacy to virtual infrastructure, they receive additional benefits such as increased automation, reliability and disaster recovery.