Set up new networks in AWS with a simple workflow


The Stax networking service provides a simple and flexible way of deploying AWS network topologies. AWS offers a wide variety of products that form the building blocks of a secure and advanced cloud network. Stax configures these products for you based on your needs and safely and securely manages the deployment of your AWS network. The Stax Networking service provides the foundations you need to connect your AWS resources with other Workloads, on-premises data centers and other distributed networks.

Stax Networking Service

Is Stax Networks for You?

Setting up a network in AWS can be challenging and requires a specialist skill set. Based on years of experience in deploying networks in AWS for companies ranging from mid to large enterprise, Stax has identified some common use cases faced by clients and formed a pattern to handle the challenging tasks that are often required to meet regulatory, compliance, and other industry standards. These include:

  • Centralized network management
  • Security and access controls
  • Private hosted zones
  • On-premises connectivity
  • Management of diverse operating systems
  • Forwarding and routing solutions
  • Internal DNS resolution

If you find yourself looking for a networking solution that will grow with your business, Stax Networks is for you.

About Stax Networks

The Stax Networking service is comprised of two main components:

  • Stax Networking Hub
  • Stax VPCs

Stax Networking Hub

The Stax Networking Hub forms the basis of a Stax Network. It manages the traffic and connectivity between AWS resources, AWS VPCs and external resources. A Stax Networking Hub deploys the below resources:

  • AWS Transit Gateway: A dedicated gateway for connecting your VPCs, on-premises data centers and other distributed networks.
  • Transit VPC: A Stax built and managed VPC that provides centralized outbound access/egress to the internet with preconfigured secure routes. This VPC is called the Transit VPC.
  • Private Hosted Zones: An AWS Route53 hosted zone enabling Interface VPC Endpoints attached to the Stax Transit VPC which are shared across all VPCs within a Networking Hub.

Stax gives you the ability to configure egress and ingress services to enable or disable these additional resources:

  • AWS NAT Gateway: A gateway that allows resources in the private subnet of the Stax Transit VPC to connect to the internet or other AWS resources.
  • Internet Gateway: A VPC component that allows communication between your VPC and the internet.

Stax VPCs

Stax VPCs are pre-configured AWS VPCs that you can deploy within your Stax Networking Hub. Depending on your needs, you can choose how they connect with your Stax Networking Hub and other VPCs. Stax makes networking easy and secure by configuring route tables, NACLs, basic security groups, flow logs, and much more.


Types of Stax VPCs

Stax offers a variety of VPCs that can be deployed as part of the Stax Networking Service. These VPCs give you flexibility in inter-VPC connectivity and routing. The type of VPC determines which VPCs can talk to each other and which VPCs are connected to the Internet. The four types of Stax VPCs are:

  • Isolated VPC: Segregated from all other Isolated and Flat VPCs. If required, this type of VPC can be connected to Shared Services VPCs and Transit VPCs for access to core services and outbound egress to the internet. Connectivity from Isolated VPC to Shared Services VPCs is unidirectional only.
  • Flat VPC: Connectivity between Flat VPCs is only possible when the VPCs exist within the same Zone. A Zone is a group of VPCs defined by a customer.
  • Shared Services VPC: To provide core services across VPCs in a Hub, this type of VPC can be connected to all other VPCs. Connectivity from Isolated VPCs to Shared Services VPCs is however unidirectional only.
  • Transit VPC: Created as a component of the Stax Networking Hub - this VPC provides centralized outbound access and egress to the internet. A Transit VPC is created only once by Stax as part of each Networking Hub and is shared across all CIDR Ranges within a Hub.

The table below provides an overview of inter-connectivity between Stax VPCs.

| VPC Type | Isolated | Flat | Shared Services | Transit |
| --- | --- | --- | --- | --- |
| Shared Services | ✓* | ✓ | ✓ | ✓ |

*Only one-way connectivity from Isolated VPCs to Shared Services VPCs is possible. Shared Services VPCs are blocked from accessing Isolated VPCs.

**Connectivity between Flat VPCs is only possible when the VPCs exist within the same Zone.

Stax VPC Architecture

Stax VPCs are uniformly architected, regardless of the VPC type, and conform with AWS best practice. Stax VPCs are architected with the below configuration:

  • 3 Availability Zones
  • 4 Subnets - Public, Private, Restricted and Transit Gateway Subnets
  • VPC Flow Logging - all logs flow to an S3 bucket in your Logging Account
  • Gateway VPC Endpoints for AWS Services
  • 3 sizes - Small (/23), Medium (/22) and Large (/20)

In regard to the Subnet structure, Stax VPCs conform to a strict security model. The table below provides detail in regard to this model.

| Trust Level | Security Zone |
| --- | --- |
| 1 | Public Subnet: The Public Subnet is exposed publicly and acts as the flow control for data and interfaces within Private Subnet services. Customers with zero trust networks should connect endpoints (workstations and other devices/services) to this Zone. |
| 2 | Transit Gateway Subnet: The Transit Gateway Subnet is dedicated to the customer and provided for connectivity between multiple Stax provisioned accounts, environments and VPCs. Customers with either trusted internal networks or SD-WAN networks can connect to the Transit Gateway. |
| 3 | Private Subnet: Authorized services from the Public Subnet or Transit Gateway Subnet can communicate with interfaces within the Private Subnet Zone. |
| 4 | Restricted Subnet: Only authorized services from the Private Subnet are permitted to connect to interfaces within the Restricted Subnet Zone. The Public Subnet and Transit Gateway Subnet are not permitted to directly connect to this Zone. |
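Because every Stax VPC sends its flow logs to S3, the Restricted Subnet rule in the table can be verified after the fact. The following is an added example, not Stax code: it scans records in the default AWS flow log format and reports accepted traffic between the Restricted Subnet and the Public or Transit Gateway Subnets. The subnet CIDRs, interface IDs and sample records are constructed for illustration.

```python
import ipaddress

# Constructed subnet layout for one VPC; substitute your own subnet CIDRs.
ZONES = {
    "public": ipaddress.ip_network("10.0.0.0/26"),
    "transit_gateway": ipaddress.ip_network("10.0.0.64/26"),
    "private": ipaddress.ip_network("10.0.0.128/26"),
    "restricted": ipaddress.ip_network("10.0.0.192/26"),
}
# Zones the table bars from connecting directly to the Restricted Subnet.
FORBIDDEN_PEERS = {"public", "transit_gateway"}

# Constructed records in the default flow log format (version 2).
SAMPLE = [
    "2 123456789012 eni-0a1 10.0.0.10 10.0.0.140 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a2 10.0.0.140 10.0.0.200 49153 5432 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a2 10.0.0.200 10.0.0.140 5432 49153 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a3 10.0.0.10 10.0.0.200 49154 5432 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a3 10.0.0.70 10.0.0.200 49155 5432 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a3 - - - - - - - 1700000000 1700000060 - NODATA",
]

def zone_of(addr):
    """Return the zone name for an address, or None if it is outside this VPC."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # NODATA/SKIPDATA records carry "-" instead of an address
        return None
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def audit(lines):
    """Return (src_zone, dst_zone, srcaddr, dstaddr, dstport) per violating ACCEPT record."""
    findings = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":  # REJECT means the control held
            continue
        src, dst = zone_of(f[3]), zone_of(f[4])
        # Flow logs record both directions of a connection, so test the pair unordered.
        pair = {src, dst}
        if "restricted" in pair and pair & FORBIDDEN_PEERS:
            findings.append((src, dst, f[3], f[4], int(f[6])))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Traffic that enters through the Transit Gateway keeps its original source address, so sources outside this VPC map to no zone here and need a separate check against the ranges you expect.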

CIDR Ranges

All Stax VPCs reside within a CIDR Range. A CIDR Range is the overarching object within a Stax Networking Hub that contains VPCs and Exclusions. The configured CIDR Range must be contained within an RFC1918-compliant private address space. You should confirm your CIDR ranges with your networking team before configuring them in a Stax Networking Hub. Some examples of supported CIDR ranges are below.

| CIDR Range | First IP Address | Last IP Address |

The largest supported size for a Stax CIDR Range is /8, while the smallest is /23.

When creating a Networking Hub in Stax, you must define a CIDR Range which will host your Transit VPC. Additional VPCs can be created in this same CIDR Range or additional ranges can be created.

CIDR Ranges cannot be resized once created. When creating a CIDR Range in Stax, we recommend you:

  • Ensure you size your CIDR Range to support growth for your workloads.
  • Ensure that your CIDR Range does not overlap with your organization’s other private network ranges. Use Stax Exclusions to exclude other private network ranges in your Networking Hub's CIDR Ranges if they overlap.


An Exclusion is a CIDR Range that will be reserved and excluded across all CIDR Ranges in a given Networking Hub. Exclusions help to prevent overlapping subnets and ensure the range of IP addresses in your CIDR Ranges are unique. Exclusions allow you to integrate Stax Networking Hubs with your on-premises data centers, offices and other VPCs without experiencing network address conflicts.
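Since a CIDR Range cannot be resized, it is worth checking a candidate range before creating it. The following is an added example, not part of the Stax product or API: it applies the constraints stated above (RFC1918 containment, /8 to /23, no overlap with other private ranges) and estimates how many VPCs of a given size still fit once Exclusions are carved out. The function names and sample ranges are hypothetical, and the capacity figure is an upper bound because the page does not describe how Stax places VPCs or how large the Transit VPC is.

```python
import ipaddress

# ip_network.is_private is too broad here: it also accepts e.g. 169.254.0.0/16.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPC_PREFIX = {"small": 23, "medium": 22, "large": 20}  # sizes listed on this page

def check_cidr_range(cidr, other_ranges=()):
    """Return a list of problems with a candidate CIDR Range; empty means it passes."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 10.0.0.1/16
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        return ["not inside RFC1918 private address space"]
    problems = []
    if not 8 <= net.prefixlen <= 23:
        problems.append("prefix must be between /8 and /23")
    for other in other_ranges:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps {other}: add it as an Exclusion or choose another range")
    return problems

def vpc_capacity(cidr, exclusions, size):
    """Upper bound on VPCs of `size` that fit in `cidr` without touching an Exclusion."""
    free = [ipaddress.ip_network(cidr)]
    for e in map(ipaddress.ip_network, exclusions):
        remaining = []
        for block in free:
            if not block.overlaps(e):
                remaining.append(block)
            elif e.subnet_of(block):
                remaining.extend(block.address_exclude(e))  # split around the Exclusion
            # otherwise the whole block lies inside the Exclusion and is dropped
        free = remaining
    prefix = VPC_PREFIX[size]
    return sum(2 ** (prefix - b.prefixlen) for b in free if b.prefixlen <= prefix)

if __name__ == "__main__":
    print(check_cidr_range("10.20.0.0/16", ["10.20.8.0/21"]))
    print(vpc_capacity("10.20.0.0/16", ["10.20.8.0/21"], "large"))
```

In the sample, a single /21 Exclusion removes an entire Large (/20) slot from the /16, which is the kind of fragmentation to account for when sizing for growth.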

VPC Endpoints

AWS VPC endpoints provide fast and efficient integration with AWS resources. Stax provides you with the ability to enable AWS VPC Endpoints with a click of a button. Be aware that enabling VPC Endpoints will incur costs; however, Stax helps you manage costs by sharing endpoints across VPCs.

Types of AWS VPC Endpoints offered by Stax:

  • Interface VPC Endpoints: Can be attached to Transit VPCs at the Networking Hub level and shared across other VPCs.
  • Gateway VPC Endpoints: Can be attached to any VPC.

Stax Roles Needed to Use the Networking Service

Only Stax Users with the Admin role can create, edit and delete Stax Networking Components. All Stax roles have permission to view Stax Networking Hubs, CIDR Ranges, Exclusions and VPCs. To find out more, visit Stax Permissions.

Advanced Network Settings

DNS Names

When connecting your Stax VPCs to your on-premises data centers, your DNS requests need to find their way to the correct host. The Stax DNS solution uses Private Hosted Zones and Amazon Route 53 Resolver endpoints to route traffic between your VPCs and host. DNS resolution between VPCs can be set up by assigning a Private Hosted Zone (PHZ) suffix to your Networking Hub and a PHZ prefix to your VPCs, without needing to configure DNS rules and associate them within AWS. These two fields create the Private Hosted Zone domain named {phz_prefix}.{phz_suffix}. For example, would be the PHZ name used for the VPC.

PHZs are shared across all VPC types, following exactly the same rules as the Transit Gateway routing.

Once domain names have been assigned, Stax will manage the routing of traffic in an Amazon VPC and manage your Amazon Route 53 Hosted Zone records.

ASN for Transit Gateway

If using AWS Direct Connect or VPN to connect your on-premises network to AWS, you will need to set an Autonomous System Number (ASN) for your Transit Gateway. AWS Direct Connect and VPN require an ASN to create a public or private virtual interface. This sets the ASN on the Amazon side of the BGP (Border Gateway Protocol) session for VPNs and AWS Direct Connect private VIFs.

During Hub creation, you can set your own private ASN for your TGW. This is a number in the range 64512 to 65535. This can be done via the Stax API or console. If a value is not set, Stax will set the ASN to a default value of 64512, and each subsequent Hub created will increment by one.

ECMP Support

Equal Cost Multi-Path (ECMP) is a routing strategy where packets are forwarded along multiple paths of the same cost with the aim of achieving even distribution of traffic.

You may want to use ECMP routing when connecting your Stax Networking Hub and your on-premises network over multiple VPN connections. If connections advertise the same CIDRs, the traffic is distributed equally between them. Enabling ECMP over multiple VPN tunnels also delivers traffic load balancing at scale beyond the default throughput of 1.25 Gbps.

During Hub creation, you can configure ECMP Support on your Stax Transit Gateway. Ensure that your on-premises gateway or router is also ECMP-enabled. Once set at Hub creation, you cannot change your ECMP configuration.

Tagging Networking Resources

All underlying resources used for the Networking Hub and VPCs can be tagged for resource identification and cost management, and the tags can be used for CI/CD and automated triggers. These tags are defined at the Networking Hub and VPC level via the Stax API or console.
