AWS Networking & Hybrid Cloud Connectivity
Gold Coast AWS User Group, Nov 2015
Kent Plummer - VPN Solutions (Managed Private IP Networks for Business), vpnsolutions.com.au
AWS Networking & Hybrid Cloud Connectivity - agenda
1. The concepts and building blocks
2. Connectivity options
3. Routing and AWS. Why and how BGP is used
4. Redundancy & real life examples
Sydney Region Network Topology (diagram)
Region ap-southeast-2 (Sydney)
- Availability Zone 1, ap-southeast-2a: AWS handoff port at the co-lo / Network Connection Location, Equinix DC Sydney, connecting to service provider networks and the Internet; instances etc. sit behind it
- Availability Zone 2, ap-southeast-2b: AWS handoff port at the co-lo / Network Connection Location, Global Switch DC Sydney, connecting to service provider networks and the Internet; instances etc. sit behind it
Notes:
- Sydney AZs have physical site, power and comms diversity
- AZ-to-AZ connectivity is not made public, i.e. the green link in the diagram is not actual
Public Cloud Solutions (diagram: typical Internet-facing web app)
- Route53 DNS and CloudFront CDN on the public Internet
- An ELB in each of AZ1 and AZ2, fronting EC2 instances, with RDS DB and S3 behind them
- An office/home network 192.168.1.0/24 reaches the app through an Internet router performing NAT
Characteristics:
- Internet: well connected, high speed
- Low establishment cost
- Network performance not guaranteed
- Globally scalable via CloudFront
Virtual Private Cloud (VPC) Solutions (diagram)
VPC CIDR 10.1.0.0/16 with an IGW (default route 0.0.0.0/0) and a VGW
- Availability Zone A: Instance A 10.1.1.11/24 in a public subnet, Instance C 10.1.3.33/24 in a private subnet
- Availability Zone B: Instance B 10.1.2.22/24 in a public subnet, Instance D 10.1.4.44/24 in a private subnet
- Corporate offices connect via Direct Connect or Hardware VPN (IPSec over the Internet) to the VGW
Key points:
- Your own private, isolated section of the AWS cloud
- Corporate DC extension into AWS
- Grouping of EC2 instances and other services within a private IP address range, i.e. 10.1.0.0/16
- Subnets are local per AZ (layer 3 DC-DC design)
- Failover is via SLB or DNS; there is no VMotion-like failover
- Complete control over networking & security
- Some services don't appear inside a VPC yet (S3*, DynamoDB, SQS, SNS, SWF, Glacier). VPC Endpoints are WIP; *the S3 endpoint was just released
VPC Components (diagram, same VPC as the previous slide: CIDR 10.1.0.0/16, public and private subnets in Availability Zones A and B)
- IGW - Internet Gateway
- VGW - Virtual Private Gateway
- CGW - Customer Gateway (one at each corporate office, connected via Direct Connect or Hardware VPN (IPSec over the Internet))
- Subnets
- Route tables
- Security Groups & ACLs
Example route table:
Destination     Target
10.1.0.0/16     local
0.0.0.0/0       igw-b409
10.99.1.0/24    vgw-724f
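To make the route table above concrete, here is an added example (not part of the original deck) that models VPC route selection in Python: longest-prefix match over a public subnet's route table (the slide's three rows) and over a private subnet's table, which is assumed here to lack the 0.0.0.0/0 route to the IGW and to have no NAT instance or gateway. The target ids igw-b409 and vgw-724f are the slide's; the test addresses are constructed.

```python
import ipaddress

# Constructed route tables modelled on the slide's "Destination / Target" table.
# Targets: "local" = intra-VPC, "igw-..." = Internet Gateway, "vgw-..." = Virtual Private Gateway.
PUBLIC_SUBNET_ROUTES = [
    ("10.1.0.0/16", "local"),
    ("0.0.0.0/0", "igw-b409"),
    ("10.99.1.0/24", "vgw-724f"),
]

# Assumption for the private subnet: no 0.0.0.0/0 route at all (and no NAT),
# so Internet-bound packets match nothing and are dropped; only the VPC and
# the corporate prefix behind the VGW remain reachable.
PRIVATE_SUBNET_ROUTES = [
    ("10.1.0.0/16", "local"),
    ("10.99.1.0/24", "vgw-724f"),
]


def lookup(routes, destination):
    """Return the target of the most specific (longest-prefix) matching route, or None."""
    dst = ipaddress.ip_address(destination)
    best_target, best_len = None, -1
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def classify_subnet(routes):
    """A subnet is 'public' when its route table sends 0.0.0.0/0 to an Internet Gateway."""
    for cidr, target in routes:
        if cidr == "0.0.0.0/0" and target.startswith("igw-"):
            return "public"
    return "private"


if __name__ == "__main__":
    for table_name, table in (("public", PUBLIC_SUBNET_ROUTES), ("private", PRIVATE_SUBNET_ROUTES)):
        print(f"{table_name} subnet ({classify_subnet(table)}):")
        for dst in ("10.1.3.33", "10.99.1.5", "203.0.113.9"):   # constructed destinations
            print(f"  {dst:>12} -> {lookup(table, dst)}")
```

The point for design reviews: the only thing that makes Instance C "private" is the absence of an IGW default route in its subnet's table. The 10.99.1.0/24 row shows why the VGW route is the one worth auditing: it is the path by which corporate prefixes reach instances that have no Internet exposure.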
2. Connectivity options
Hardware VPN - IPSec via Internet
- Provides an extension of the onsite corporate network
- Can use your existing private IP addressing (10.x etc.)
- IPSec tunnel to secure traffic over the Internet (128-bit AES)
- Static or dynamic routing (BGP)
- 2 x termination points per region; the default is a tunnel to each
- Hub and spoke topology
- Reduced MTU
- Makes use of the VGW
- Cost: connection hours + metered data out (Internet rates); turn it off if no longer needed
Hardware VPN - IPSec via Internet (diagram)
- Internet links: xDSL, EoC, fibre
- The console builds the config for the CGWs (Cisco, Juniper or Windows Server)
- 2 x tunnels to each edge site (for VGW redundancy)
AWS Direct Connect - Features
- High speed, dedicated, private pipe into AWS (VPC)
- Consistent network performance compared to the Internet
- Metered outbound traffic (~1/3 the cost of Internet)
- 1 or more network connection points per region (Sydney x 2)
- Supports redundancy (BGP routing)
- Allows QoS
- End-to-end support by a single network provider
AWS Direct Connect - Benefits
- Reduced network transfer costs (out of AWS)
- Improved & consistent application performance
- Flexible: initial seed data is typically very large
- Less downtime: end-to-end support
- Security and compliance
- Enabler for the Hybrid Cloud Architecture
AWS Direct Connect - Anatomy (diagram)
- Customer DC: customer subnet 192.168.0.0/16, AS65442, customer gateway (CGW; customer or partner device)
- Service provider network (MPLS L3 IP VPN or VPLS) carries the customer to the AWS Direct Connect POP; BGP runs via the managed service provider network
- Colocation facility (e.g. Equinix SV1; a co-location rack within the same DC, e.g. Equinix Sydney): cross connect to the AWS Direct Connect point of presence
- Private Virtual Interface (VIF): VLAN 666 on a dot1q trunk; BGP peering over the /30 routed subnet 169.254.247.16/30 (peer addresses .17 and .18)
- AWS side: VGW, AS7224, VPC CIDR 10.1.0.0/16 (Availability Zone A: Instance A 10.1.1.11/24 public subnet, Instance C 10.1.3.33/24 private subnet; Availability Zone B: Instance B 10.1.2.22/24 public subnet, Instance D 10.1.4.44/24 private subnet)
Customer AWS Console View (screenshot): BGP-learnt routes from customer remote sites
3. Routing and AWS. Why and how BGP is used
BGP - Border Gateway Protocol
- Needed to implement network redundancy
- Standards-based protocol used to connect the global Internet
- Exchanges routes (prefixes) between neighbours
- Uses AS numbers, i.e. AS 65001
- AS_PATH: a measure of network distance
- Local Preference: a means to override AS_PATH locally
- Used by AWS to connect to customers and advertise routes: Direct Connect (mandatory), IPSec VPN (optional)
- Bi-Directional Forwarding Detection (BFD) speeds up failover to as low as 150 ms; standard BGP can be 180 sec
The Customer Gateway (CGW)
4. Redundancy & real life examples
Redundancy (diagram): IPSec backup x 2 + Direct Connect
- Customer DC: customer subnet 192.168.0.0/16, AS65001; HSRP & iBGP between onsite routers for failover
- Primary path: customer gateway -> service provider network -> colocation facility (e.g. Equinix SV1) -> AWS Direct Connect point of presence -> VIF, BGP over a /30 routed subnet
- Backup path: 2 x IPSec tunnels over the service provider's Internet network, with different IPSec termination endpoints (AZ?) for each tunnel, giving VGW redundancy
- AWS side: VGW, AS 7224, VPC CIDR 10.1.0.0/16 (Availability Zone A: Instance A 10.1.1.11/24 public subnet, Instance C 10.1.3.33/24 private subnet; Availability Zone B: Instance B 10.1.2.22/24 public subnet, Instance D 10.1.4.44/24 private subnet)
VPC routing:
- Selects the shortest AS path (Direct Connect)
- Advertises with AS7224 out over all links
Customer site routing:
- Prefer the service provider MPLS path (set local-pref)
- Advertise with AS65001; prepend AS65001 AS65001 AS65001 over IPSec
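The two routing policies on this slide (the VGW picks the shortest AS path, so the customer prepends on IPSec; the customer router prefers MPLS via local-pref) can be checked with a small model of the BGP decision process. This is an added example, not from the deck or from any vendor: it implements only the LOCAL_PREF and AS_PATH-length steps of best-path selection, ignores MED, router-id and other tie-breakers, and assumes the Direct Connect path arrives with the bare AS_PATH [65001] while the two IPSec tunnels carry the prepended [65001, 65001, 65001]. Link names and local-pref values (200 for MPLS, 100 default) are constructed.

```python
from dataclasses import dataclass


@dataclass
class Path:
    prefix: str
    via: str            # link that delivered this advertisement (constructed names)
    as_path: list       # AS_PATH as received; leftmost AS is the most recent hop
    local_pref: int = 100


def prepend(as_path, asn, times):
    """AS_PATH prepending: repeat our own ASN to make a path look longer."""
    return [asn] * times + list(as_path)


def best_path(paths):
    """Simplified BGP best-path selection: highest LOCAL_PREF, then shortest AS_PATH.
    On a full tie the first path seen wins (max() keeps the first maximum)."""
    if not paths:
        return None
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)))


def vpc_side_paths(direct_connect_up=True):
    """What the VGW (AS7224) hears for the customer subnet 192.168.0.0/16.
    AWS sets no local-pref for the customer, so only AS_PATH length steers it."""
    prepended = prepend([65001], 65001, 2)          # AS65001 AS65001 AS65001
    paths = [Path("192.168.0.0/16", "ipsec-tunnel-1", prepended),
             Path("192.168.0.0/16", "ipsec-tunnel-2", prepended)]
    if direct_connect_up:
        paths.append(Path("192.168.0.0/16", "direct-connect", [65001]))
    return paths


def customer_side_paths(mpls_up=True):
    """What the customer gateway (AS65001) hears for the VPC CIDR 10.1.0.0/16.
    AWS advertises AS7224 over every link, so AS_PATH length cannot decide;
    the customer sets local-pref to prefer the MPLS / Direct Connect path."""
    paths = [Path("10.1.0.0/16", "ipsec-tunnel-1", [7224], local_pref=100),
             Path("10.1.0.0/16", "ipsec-tunnel-2", [7224], local_pref=100)]
    if mpls_up:
        paths.append(Path("10.1.0.0/16", "mpls-direct-connect", [7224], local_pref=200))
    return paths


if __name__ == "__main__":
    for label, paths in (("VGW, DX up", vpc_side_paths(True)),
                         ("VGW, DX outage", vpc_side_paths(False)),
                         ("CGW, MPLS up", customer_side_paths(True)),
                         ("CGW, MPLS outage", customer_side_paths(False))):
        print(f"{label:>18}: {best_path(paths).via}")
```

Both halves are needed: without prepending, return traffic from the VPC would tie on AS_PATH and could land on an IPSec tunnel while the outbound traffic used Direct Connect (asymmetric routing); without local-pref, the customer side would tie the same way. When a path disappears, re-running selection over the remaining paths is exactly the failover the slide describes, and BFD (previous section) is what shortens the time until the lost path is withdrawn.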
Design 1 - Key Head Office site (diagram)
- Brisbane Head Office and Brisbane Co-lo on the VPN Solutions MPLS Private IP Network, together with Gold Coast, Sydney, Melbourne and Adelaide sites
- Primary path: MPLS -> Network Interconnect POP, Equinix Sydney -> Direct Connect -> VGW, BGP routing
- Backup path: 2 x IPSec VPN over the Internet from the head office
- VPC: instances in VPC subnets in Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b)
- Failure scenario shown: an outage on the primary path, with BGP routing failing over to the backup
- Support demarcation: VPN Solutions supported up to the interconnect, AWS supported inside AWS
Design 2 - High Branch Dependency (diagram)
- Brisbane Head Office and Brisbane Co-lo on the VPN Solutions MPLS Private IP Network, together with Gold Coast, Sydney, Melbourne and Adelaide sites
- Primary path: MPLS -> Network Interconnect POP, Equinix Sydney -> Direct Connect -> VGW, BGP routing
- Backup path: 2 x IPSec VPN over the Internet
- VPC: instances in VPC subnets in Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b)
- Failure scenario shown: an outage on the primary path, with BGP routing failing over to the backup
- Support demarcation: VPN Solutions supported up to the interconnect, AWS supported inside AWS
Design 3 - Standby/DR Office (diagram)
- Brisbane Head Office, Brisbane Standby Office and Brisbane Co-lo on the VPN Solutions MPLS Private IP Network, together with Gold Coast, Sydney, Melbourne and Adelaide sites
- Primary path: MPLS -> Network Interconnect POP, Equinix Sydney -> Direct Connect -> VGW, BGP routing
- Backup path: 2 x IPSec VPN over the Internet
- VPC: instances in VPC subnets in Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b)
- Failure scenario shown: outages at the head office and on the primary path, with BGP routing failing over to the backup and the standby office taking over
- Support demarcation: VPN Solutions supported up to the interconnect, AWS supported inside AWS
Questions or follow-up?
Kent Plummer, local Gold Coaster
Find me on LinkedIn or at kent.plummer@vpnsolutions.com.au, 0424 177377, vpnsolutions.com.au
Credit to Matt Lehwess (AWS) for the use of some of his slides from re:Invent