Stax Networks FAQs

What is a Stax Networking Hub?

The Stax Networking Hub forms the basis of a Stax Network. It manages the traffic and connectivity between AWS resources, AWS VPCs and external resources. A Stax Networking Hub consists of many resources including an AWS Transit Gateway, Transit VPC, and Interface VPC Endpoints which provide centralized management for your network solutions.

When should I create an additional Stax Networking Hub?

The number of Networking Hubs you create depends on your organization's or team's needs and budget. Stax Networking Hubs are a great way to logically isolate your AWS resources, infrastructure or development and production environments.

How is a VPC created in Stax different?

VPCs that are created in Stax are securely configured with four subnets, span multiple Availability Zones, have associated security groups and route tables configured within a specified CIDR Range.

How are Route Tables and NACLs configured within Stax Networks?

Route Tables and NACLs are configured differently for Stax Networks VPCs and the Stax Networks Transit VPC.

Stax VPC

| Subnet | Route Table | NACLs (Inbound) | NACLs (Outbound) |
|---|---|---|---|
| VPC Public Subnet | 10.0.0.0/22 → Local Router; 0.0.0.0/0 → IGW; Transit VPC Endpoint Subnet → TGW | ALL Traffic from 0.0.0.0/0 | ALL Traffic to 0.0.0.0/0 |
| VPC Private Subnet | 10.0.0.0/22 → Local Router; 0.0.0.0/0 → TGW | ALL Traffic from Public Subnet; Port 1024-65535 (TCP) Traffic from 0.0.0.0/0; Port 443 (TCP) Traffic from 0.0.0.0/0 | ALL Traffic to 0.0.0.0/0 |
| VPC Restricted Subnet | 10.0.0.0/22 → Local Router; Transit VPC Endpoint Subnet → TGW | ALL Traffic from Private Subnet CIDRs; ALL Traffic from Restricted Subnet CIDRs | ALL Traffic to 0.0.0.0/0 |
| VPC Connectivity Subnet | 10.0.0.0/22 → Local Router | ALL Traffic from 0.0.0.0/0 | ALL Traffic to 0.0.0.0/0 |

Transit VPC

| Subnet | Route Table | NACLs (Inbound) | NACLs (Outbound) |
|---|---|---|---|
| VPC Public Subnet | 10.0.0.0/22 → Local Router; 0.0.0.0/0 → IGW; Stax VPC Public Subnet → TGW | ALL Traffic from 0.0.0.0/0 | ALL Traffic to 0.0.0.0/0 |
| VPC Private Subnet | 10.0.0.0/22 → Local Router; 0.0.0.0/0 → NAT; Stax VPC Private Subnet → TGW | ALL Traffic from Public Subnet; Port 1024-65535 (TCP) Traffic from 0.0.0.0/0; Port 443 (TCP) from 0.0.0.0/0 | ALL Traffic to 0.0.0.0/0 |
| VPC Restricted Subnet | 10.0.0.0/22 → Local Router | ALL Traffic from Private Subnet CIDRs; ALL Traffic from Restricted Subnet CIDRs | ALL Traffic to 0.0.0.0/0 |
| VPC Connectivity Subnet | 10.0.0.0/22 → Local Router; 0.0.0.0/0 → NAT | ALL Traffic from 0.0.0.0/0 | ALL Traffic to 0.0.0.0/0 |
| VPC Endpoint Subnet | 10.0.0.0/22 → Local Router; 0.0.0.0/0 → TGW | Port 443 (TCP) from 0.0.0.0/0 | Port 1024-65535 (TCP) to 0.0.0.0/0 |

The configuration above assumes the VPC has a CIDR range of 10.0.0.0/22.
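To audit what the Stax VPC inbound NACL rules listed above admit on their own, the following added example (not Stax's code) models them in Python. The per-subnet CIDRs and the source address are constructed, since the page gives only the VPC range.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumption: the page gives only the VPC range 10.0.0.0/22; these
# per-subnet CIDRs are constructed for the example.
PUBLIC = ipaddress.ip_network("10.0.0.0/24")
PRIVATE = ipaddress.ip_network("10.0.1.0/24")
RESTRICTED = ipaddress.ip_network("10.0.2.0/24")
ALL_PORTS, EPHEMERAL, HTTPS = (0, 65535), (1024, 65535), (443, 443)

# Inbound allow rules from the Stax VPC table:
# (source network, protocol or None for all, destination port range).
STAX_VPC_INBOUND = {
    "public": [(ANY, None, ALL_PORTS)],
    "private": [(PUBLIC, None, ALL_PORTS),
                (ANY, "tcp", EPHEMERAL),
                (ANY, "tcp", HTTPS)],
    "restricted": [(PRIVATE, None, ALL_PORTS),
                   (RESTRICTED, None, ALL_PORTS)],
    "connectivity": [(ANY, None, ALL_PORTS)],
}


def inbound_allowed(subnet, src_ip, proto, dst_port):
    """True if the subnet's inbound NACL rules admit this packet."""
    src = ipaddress.ip_address(src_ip)
    for net, rule_proto, (low, high) in STAX_VPC_INBOUND[subnet]:
        if src in net and rule_proto in (None, proto) and low <= dst_port <= high:
            return True
    return False  # no rule matched: a NACL's final rule denies


def admitted_ports(subnet, src_ip, ports, proto="tcp"):
    """Subset of candidate service ports the NACL alone lets through."""
    return [p for p in ports if inbound_allowed(subnet, src_ip, proto, p)]


if __name__ == "__main__":
    outside = "203.0.113.10"  # constructed source address (documentation range)
    services = [22, 443, 3389, 5432, 8080]
    for subnet in STAX_VPC_INBOUND:
        print(subnet, admitted_ports(subnet, outside, services))
```

NACLs are stateless, so the 1024-65535 rule is what lets replies to outbound connections back in. It also admits any listener on a high port such as 3389, 5432 or 8080, which leaves per-service filtering to security groups and the route tables.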

What is a CIDR Range?

Classless Inter-Domain Routing (CIDR) is a set of Internet Protocol (IP) standards used to uniquely identify a network address or a subnet. A CIDR Range consists of two groups of numbers. The group before the “/” is the address prefix, while the number after the “/” is the prefix length in bits, which determines the number of hosts or IP addresses available within the network address or subnet.

How do I select my CIDR Range when creating a Stax Networking Hub or VPC?

The specific CIDR Range you select depends on your networking architecture, any existing network or subnet allocations, and any other networking constructs that you may wish to connect in the future (such as on-premises networks). If you are integrating Stax Networks with external resources and services, you may need to use a unique or available CIDR Range.

The IPv4 CIDR Range you provide must be in a private network range, for example:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)

  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

When creating a Networking Hub or VPC in Stax, you must provide a CIDR Range between /8 and /23 bits. The bits you provide will determine the number of addresses or hosts available within your CIDR Range.

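| CIDR Range Bit | Addresses |
|---|---|
| /23 | 512 |
| /22 | 1,024 |
| /21 | 2,048 |
| /20 | 4,096 |
| /19 | 8,192 |
| /18 | 16,384 |
| /17 | 32,768 |
| /16 | 65,536 |
| /15 | 131,072 |
| /14 | 262,144 |
| /13 | 524,288 |
| /12 | 1,048,576 |
| /11 | 2,097,152 |
| /10 | 4,194,304 |
| /9 | 8,388,608 |
| /8 | 16,777,216 |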

If you are still unsure of the CIDR Range to use, please speak to your Security Team or Networking SME to identify which range you should allocate to your Stax VPC/s.

Can I change my CIDR Range later?

Changing the first CIDR Range created for the Networking Hub is not possible. You will need to delete the Hub and/or create a new Networking Hub instance.

Any additional CIDR Ranges created within the Hub for exclusions can be updated.

What is the difference between Interface and Gateway VPC Endpoints?

Interface VPC Endpoints are attached to Transit VPCs and can be shared across other Stax VPCs. There are currently more than 35 AWS endpoints available to choose from.

Gateway VPC Endpoints must be attached to each of your Stax VPCs directly, as they cannot be shared across from the Transit VPC.

See Interface VPC endpoints in Stax Networks for a list of endpoints which can be enabled.

Why should I use AWS VPC Endpoints?

A VPC Endpoint enables you to privately connect your Stax VPC to supported AWS resources and services without requiring a NAT, Internet Gateway or VPN connection. Instances in your Stax VPCs do not require public IP addresses to communicate with AWS resources and do not traverse the public internet.

Which VPC Endpoints should I enable?

The type of VPC Endpoints you enable will depend on the workloads you are running with your Stax VPCs, the AWS services you wish to utilize and your budget. Refer to this VPC Endpoints user guide for more information.

Does it matter which AWS Region I select for my Networking Hub?

The AWS Region you select for your Networking Hub may impact what AWS resources are available. All egress traffic will flow through this region, so you might want to create your Hub in the geographic location closest to your customers or users. Please also consider your organization's data sovereignty and data localization commitments when deciding which AWS Region to deploy your Stax Networking Hub into.

What is an Exclusion?

Exclusions are CIDR Range/s that, once added as an excluded range in Stax, will be reserved across all CIDR Ranges in the selected Networking Hub. Exclusions help to prevent overlapping subnets and ensure the range of IP addresses in your CIDR Range are unique.

Exclusions can help to prevent address conflicts and routing issues, especially when trying to connect your AWS Cloud environment with your on-premises data centers, offices and other legacy VPCs.
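The CIDR selection rules given earlier (a private range, between /8 and /23) and the exclusion behaviour described here can be checked before a range is submitted. This is an added example, not Stax's own validation: the function name and sample ranges are constructed, and treating any overlap with an exclusion or an already allocated range as a rejection is an assumption about how the reservation is applied.

```python
import ipaddress

# Private ranges listed on the page.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 8, 23  # page: CIDR Range between /8 and /23


def check_cidr(candidate, exclusions=(), allocated=()):
    """Return (ok, problems, address_count) for a proposed CIDR Range."""
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.0.1.0/22
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, [f"invalid network: {exc}"], 0
    if net.version != 4:
        return False, ["not an IPv4 range"], 0
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(
            f"/{net.prefixlen} is outside /{MIN_PREFIX} to /{MAX_PREFIX}")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append("not inside a private range")
    for label, ranges in (("exclusion", exclusions),
                          ("allocated range", allocated)):
        for other in map(ipaddress.ip_network, ranges):
            if net.overlaps(other):
                problems.append(f"overlaps {label} {other}")
    return not problems, problems, net.num_addresses


if __name__ == "__main__":
    # Constructed sample data: one on-premises exclusion, one existing VPC.
    exclusions = ["10.20.0.0/16"]
    allocated = ["10.0.0.0/22"]
    for cidr in ("10.0.4.0/22", "10.20.8.0/21", "10.0.1.0/22",
                 "192.168.0.0/24", "172.32.0.0/16"):
        print(cidr, check_cidr(cidr, exclusions, allocated))
```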

Is Split-Horizon DNS Supported by DNS Resolvers?

Yes, it is.

How many DNS queries per second are supported for DNS Resolvers?

Approximately 10,000 queries per second are supported per IP address associated with the DNS Resolver endpoint.

How many DNS Rules can I create?

The default limit for the number of AWS Route 53 Resolver Rules is 1000 per region.