AWS re:Invent 2025 - Advanced VPC Design and New Capabilities (NET340)

AWS Networking Foundations

  • AWS global backbone consists of over 9 million kilometers of fiber, powering workloads across AWS regions and availability zones
  • Amazon VPC is a regional construct that hosts compute resources, with subnets as containers for workloads
  • VPC security features include network ACLs, security groups, and AWS Network Firewall for advanced traffic inspection and filtering
  • Connectivity options include internet gateway, NAT gateway, VPC endpoints, and AWS PrivateLink for accessing AWS services

Innovations in Amazon VPC

NAT Gateway in Regional Availability Mode

  • New regional NAT gateway construct simplifies configuration and maintenance compared to zonal NAT gateways
  • Automatically scales and updates, reducing operational overhead

Network Firewall Enhancements

  • Support for multiple VPC endpoints to a single Network Firewall, enabling centralized policy management across VPCs
  • Active threat defense integrates AWS threat intelligence and allows importing partner-managed rules
  • New Network Firewall Proxy provides explicit proxy functionality with pre-DNS, pre-request, and post-request inspection capabilities

VPC Route Server

  • Allows instances to make BGP-based routing updates to VPC routing tables, enabling use cases like floating IPs and custom failover

Native Network Firewall Integration with Transit Gateway

  • Eliminates the need for a separate inspection VPC, simplifying deployment and management

Advancements in Transit Gateway

Flexible Cost Allocation

  • Enables configuring traffic processing costs to be billed to the source, destination, or transit gateway owner

VPC Encryption Controls

  • Provides VPC-level monitoring and enforcement of encryption requirements, ensuring all traffic is encrypted

Innovations in Application Networking

Amazon VPC PrivateLink

  • Supports cross-region connectivity to AWS managed services, simplifying DNS management
  • Introduces IPv6 support for gateway and interface endpoints

Amazon VPC Lattice

  • Purpose-built for internal application-to-application connectivity, with service networks, resource associations, and fine-grained access control policies
  • Supports custom DNS names for resources, simplifying client-side configuration
  • Enables configurable IP addresses for resource gateways, improving scalability

Advanced VPC Lattice Architectures

  • Supports connectivity to on-premises applications via a transit VPC
  • Enables cross-region service-to-service communication using a transit VPC
  • Allows centralizing connectivity to SaaS provider endpoints with traffic inspection

Enhancements in Elastic Load Balancing

  • Application Load Balancer introduces target optimizer for better load distribution based on concurrent requests
  • Network Load Balancer adds weighted target groups and HTTP/3 pass-through support

Advancements in Global and Hybrid Connectivity

AWS CloudWAN

  • Provides a centralized, global networking control plane with policy-driven routing and security
  • Supports advanced routing controls, including route filtering, summarization, and path manipulation
  • Integrates with VPCs, on-premises connections, and other cloud providers via AWS Interconnect Multi-Cloud

AWS Interconnect Multi-Cloud

  • Enables private, high-throughput connectivity between AWS and other cloud providers (e.g., Google Cloud) through a collaborative, fully managed service

Other Enhancements

  • High-throughput VPN tunnels up to 5 Gbps
  • AWS Global Resolver for managed, secure DNS resolution for on-premises and cloud workloads
  • Bundled pricing options for content delivery and web security services

Key Takeaways

  • AWS has launched over 150 new networking features and integrations in 2025, significantly enhancing VPC, application connectivity, load balancing, and global/hybrid networking capabilities
  • Innovations like regional NAT gateways, Network Firewall enhancements, VPC Lattice, and CloudWAN provide greater flexibility, scalability, and centralized control for complex networking architectures
  • Hybrid and multi-cloud connectivity options, such as AWS Interconnect Multi-Cloud, simplify the management of private, high-performance links between cloud environments
  • Continued focus on encryption, security, and cost optimization across the networking portfolio

Real-world Applications and Examples

  • Customers are using VPC Route Server for custom failover and load balancing scenarios
  • Network Firewall Proxy enables centralized, inspected internet access for VPCs without internet gateways
  • VPC Lattice simplifies application-to-application connectivity, including extending to on-premises resources, with fine-grained access control
  • CloudWAN's advanced routing policies allow granular control over traffic flows, including optimizing backup data transfers and restricting internal AS paths
  • AWS Interconnect Multi-Cloud provides a seamless way to connect AWS workloads to those running on other cloud platforms, enabling hybrid architectures
