Kent Plummer - VPN Solutions: Managed Private IP Networks for Business
vpnsolutions.com.au
AWS Networking & Hybrid Cloud Connectivity, Gold Coast AWS User Group, Nov 2015
Agenda

1. The concepts and building blocks
2. Connectivity options
3. Routing and AWS. Why and how BGP is used
4. Redundancy & real life examples

1. The concepts and building blocks
Sydney Region Network Topology

[Diagram: Region ap-southeast-2 (Sydney) with Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b), each holding instances etc. Two network connection locations, Equinix DC Sydney and Global Switch DC Sydney, each with co-lo space, service provider networks and Internet, and an AWS handoff port.]

• AZs have physical site, power and comms diversity
• AZ connectivity is not made public, i.e. the green links in the diagram are not the actual topology
Public Cloud Solutions

[Diagram: typical Internet-facing web app. Route 53 DNS and CloudFront CDN in front of an ELB, EC2 instances in AZ1 and AZ2, an RDS DB in each AZ, and S3, all reached over the Internet from a 192.168.1.0/24 office/home network behind an Internet router performing NAT.]

• Typical Internet-facing web app
• Internet - well connected, high speed
• Low establishment cost
• Network performance not guaranteed
• Public Internet
• Globally scalable via CloudFront
Virtual Private Cloud (VPC) Solutions

[Diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, each with a public subnet and a private subnet. Instance A 10.1.1.11, Instance B 10.1.2.22, Instance C 10.1.3.33 and Instance D 10.1.4.44, each in its own /24 subnet (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24) carved out of the /16. Default route 0.0.0.0/0 via the IGW. The corporate office reaches the VPC over Direct Connect or a hardware VPN (IPsec over the Internet), both terminating on the VGW.]

• Your own private, isolated section of the AWS cloud
• Corporate DC extension into AWS
• Grouping of EC2 instances and other services within a private IP address range, i.e. 10.1.0.0/16
• Subnets are local per AZ (layer 3 DC-DC design)
• Failover is via SLB or DNS - no VMotion-like failover
• Complete control over networking & security
• Some services don't appear inside a VPC yet (S3*, DynamoDB, SQS, SNS, SWF, Glacier). VPC Endpoints are WIP - S3 just released
VPC Components

[Diagram: the same VPC (10.1.0.0/16, two AZs, public and private subnets, instances A-D) showing the IGW, the VGW with Direct Connect and hardware VPN to the corporate office, and the customer gateways (CGW) at the corporate office end.]

• IGW - Internet Gateway
• VGW - Virtual Private Gateway
• CGW - Customer Gateway
• Subnets
• Route tables
• Direct Connect
• Hardware VPN
• Security Groups & ACLs

Example route table (a subnet whose table carries a default route to the IGW is a public subnet):

  Destination     Target
  10.1.0.0/16     local
  0.0.0.0/0       igw-b409
  10.99.1.0/24    vgw-724f
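The route table above is evaluated by longest-prefix match, and every subnet CIDR must sit inside the VPC CIDR. The following is an added example, not code from the slides or from AWS, that implements both checks over the slide's own entries: the gateway IDs igw-b409 and vgw-724f are the slide's truncated labels used as placeholders, the private-subnet table is derived by dropping the IGW route, and the destination addresses and subnet CIDRs it is run against are constructed.

```python
"""Longest-prefix-match lookup over a VPC route table, plus a subnet sanity check.

Added example, not from the slides or from AWS. Uses the route table shown on the
VPC Components slide; igw-b409 / vgw-724f are the slide's truncated IDs, used here
as placeholders.
"""
import ipaddress

VPC_CIDR = "10.1.0.0/16"

# (destination, target) as shown on the slide. Every route table carries the
# VPC CIDR -> local entry; it cannot be removed.
PUBLIC_ROUTE_TABLE = [
    ("10.1.0.0/16", "local"),      # intra-VPC traffic
    ("0.0.0.0/0", "igw-b409"),     # default route to the Internet Gateway
    ("10.99.1.0/24", "vgw-724f"),  # corporate office prefix via the Virtual Private Gateway
]

# A private subnet's table is the same minus the IGW default route: hosts in it
# still reach the office over the VGW but have no path to the Internet.
PRIVATE_ROUTE_TABLE = [r for r in PUBLIC_ROUTE_TABLE if not r[1].startswith("igw-")]


def lookup(dst, route_table):
    """Return the target for dst, choosing the most specific matching route.

    Longest prefix wins regardless of list order: 10.99.1.5 matches both
    0.0.0.0/0 and 10.99.1.0/24, and the /24 route to the VGW is chosen.
    Returns None when nothing matches (the packet is dropped).
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def valid_subnet(cidr, vpc_cidr=VPC_CIDR):
    """True if cidr is a properly formed subnet inside the VPC CIDR.

    ipaddress.ip_network is strict by default and rejects CIDRs with host bits
    set, so a mistyped '10.1.1.0/16' is rejected rather than silently widened
    to 10.1.0.0/16.
    """
    try:
        net = ipaddress.ip_network(cidr)
    except ValueError:
        return False
    return net.subnet_of(ipaddress.ip_network(vpc_cidr))


if __name__ == "__main__":
    for dst in ("10.1.3.33", "10.99.1.5", "8.8.8.8"):  # constructed test destinations
        print(dst, "public ->", lookup(dst, PUBLIC_ROUTE_TABLE),
              "private ->", lookup(dst, PRIVATE_ROUTE_TABLE))
    for cidr in ("10.1.1.0/24", "10.1.1.0/16", "10.2.1.0/24"):
        print(cidr, "valid subnet of", VPC_CIDR, ":", valid_subnet(cidr))
```

Running it shows the security-relevant split between the two tables: 8.8.8.8 resolves to the IGW from the public table and to nothing from the private table, while the office prefix 10.99.1.0/24 is reachable from both.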
2. Connectivity options
Hardware VPN - IPsec via Internet

• Provides an extension of the onsite corporate network
• Can use your existing private IP addressing, 10.x etc.
• IPsec tunnel to secure traffic over the Internet (128-bit AES)
• Static or dynamic routing (BGP)
• 2x termination points per region. Default is a tunnel to each
• Hub and spoke topology
• Reduced MTU (IPsec encapsulation overhead)
• Makes use of the VGW
• Cost of connection hours + metered data out (Internet rates)
• Try and turn off if no longer needed
Hardware VPN - IPsec via Internet

• Console builds the CGW config
• CGWs: Cisco, Juniper or Windows Server
• Internet links: xDSL, EoC, Fibre
• 2x tunnels to each edge site (for VGW redundancy)
AWS Direct Connect - Features

• High speed, dedicated, private pipe into AWS (VPC)
• Consistent network performance compared to Internet
• Metered outbound traffic (~1/3 cost of Internet)
• 1 or more network connection points per region (Syd x2)
• Supports redundancy (BGP routing)
• Allows QoS
• End to end support by single network provider

AWS Direct Connect - Benefits

• Reduced network transfer costs (out of AWS)
• Improved & consistent application performance
• Flexible - initial seed data typically very large
• Less downtime - end to end support
• Security and compliance (private path, not encrypted; run IPsec over it if encryption in transit is required)
• Enabler for the Hybrid Cloud Architecture
AWS Direct Connect - Anatomy

[Diagram: customer data center (customer subnet 192.168.0.0/16, AS65442) -> service provider network (MPLS L3 IP VPN or VPLS) -> colocation facility (e.g. Equinix Sydney; the original slide is labelled Equinix SV1) -> customer or partner device (CGW) in a co-location rack within the same DC -> cross connect -> AWS Direct Connect Point of Presence -> Private Virtual Interface (dot1q VLAN 666) -> VGW of VPC 10.1.0.0/16 (AS7224), with public and private subnets in Availability Zones A and B and instances A-D.
BGP runs over a /30 routed subnet on a VLAN on the dot1q trunk, 169.254.247.16/30 with .17 and .18 at the two ends, carried via the managed service provider network. The customer's AWS console view shows the BGP-learnt routes from the customer's remote sites.]
3. Routing and AWS. Why and how BGP is used
BGP

• Border Gateway Protocol
• Needed to implement network redundancy
• Standards-based protocol used to connect the global Internet
• Exchanges routes ('prefixes') between 'neighbours'
• Uses AS numbers, i.e. AS65001
• AS_PATH length is the measure of network distance; the shorter path wins
• Local Preference - a means to override AS_PATH locally (it is evaluated before AS_PATH)
• Used by AWS to connect to customers and advertise routes:
  - Direct Connect (mandatory)
  - IPsec VPN (optional)
• Bi-Directional Forwarding Detection (BFD) speeds up failover to as low as 150 ms. Standard BGP (hold timer) can be 180 sec.
The Customer Gateway (CGW)
4. Redundancy & real life examples
Redundancy - IPsec backup x2

[Diagram: customer DC (customer subnet 192.168.0.0/16, AS65001) connected to the VPC (10.1.0.0/16, AS7224, Availability Zones A and B, public and private subnets, instances A-D) two ways: Direct Connect via the service provider network to the Private VIF, and 2x IPsec tunnels over the Internet with BGP over a /30 routed subnet. Each tunnel uses a different IPsec termination endpoint (AZ?) for VGW redundancy. HSRP & iBGP between the onsite routers for failover.]

VPC routing: selects the shortest AS path (Direct Connect). Advertises with AS7224 out over all links.
Customer site routing: prefer the service provider MPLS (set local-pref). Advertise with AS65001 over MPLS and with AS65001 AS65001 AS65001 (AS_PATH prepended) over IPsec.
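The two policies above (VPC side: shortest AS path; customer side: local-pref, with AS_PATH prepending over IPsec) are what BGP's best-path algorithm turns into a primary/backup choice, and they also exercise the AS_PATH and Local Preference bullets in the BGP section. The following is an added example, not code from the slides or from AWS, that models just those two decision steps over the deck's ASNs (AS7224 for the VGW, AS65001 for the customer); the link names, LOCAL_PREF values and up/down flags are constructed, and later tie-breakers such as MED and router ID are not modelled.

```python
"""BGP best-path selection for the Direct Connect primary / IPsec backup design.

Added example, not from the slides or from AWS. Models only the two decision
steps the design relies on, LOCAL_PREF then AS_PATH length, using the ASNs from
the deck (VGW AS7224, customer AS65001). Link names, LOCAL_PREF values and the
up/down flags are constructed; later tie-breakers (MED, router ID, ...) are
not modelled.
"""


def prepend(as_path, times):
    """AS_PATH prepending: repeat the originating ASN to make a path look longer."""
    return [as_path[0]] * times + list(as_path)


def decision(paths):
    """Pick the best of several paths to the same prefix.

    Returns (winner, reason). Highest LOCAL_PREF wins first; only among paths
    with equal LOCAL_PREF does the shortest AS_PATH decide. reason is
    'only-path', 'local_pref', 'as_path', 'tie' (left to an unmodelled
    tie-breaker, here simply list order) or 'no-path' when every link is down.
    """
    up = [p for p in paths if p["up"]]
    if not up:
        return None, "no-path"
    best = min(up, key=lambda p: (-p["local_pref"], len(p["as_path"])))
    others = [p for p in up if p is not best]
    if not others:
        return best, "only-path"
    if all(p["local_pref"] < best["local_pref"] for p in others):
        return best, "local_pref"
    same_pref = [p for p in others if p["local_pref"] == best["local_pref"]]
    if all(len(p["as_path"]) > len(best["as_path"]) for p in same_pref):
        return best, "as_path"
    return best, "tie"


def customer_rib(dx_up=True, vpn_up=True):
    """Paths the customer router (AS65001) learns for the VPC prefix.

    AWS advertises 10.1.0.0/16 with the same AS_PATH [7224] over every link, so
    the customer steers traffic by setting a higher LOCAL_PREF on the MPLS /
    Direct Connect neighbour than on the IPsec neighbours (values constructed).
    """
    return [
        {"prefix": "10.1.0.0/16", "via": "direct-connect", "local_pref": 200, "as_path": [7224], "up": dx_up},
        {"prefix": "10.1.0.0/16", "via": "ipsec-tunnel-1", "local_pref": 100, "as_path": [7224], "up": vpn_up},
        {"prefix": "10.1.0.0/16", "via": "ipsec-tunnel-2", "local_pref": 100, "as_path": [7224], "up": vpn_up},
    ]


def vgw_rib(dx_up=True, vpn_up=True, prepends=2):
    """Paths the VGW (AS7224) learns for the customer prefix.

    The customer cannot set LOCAL_PREF inside AWS, so the only lever is what is
    advertised: AS65001 over Direct Connect, AS65001 65001 65001 over IPsec
    (prepends=2). With prepends=0 all paths are equally long and the choice
    falls to a tie-breaker the customer does not control.
    """
    return [
        {"prefix": "192.168.0.0/16", "via": "direct-connect", "local_pref": 100, "as_path": [65001], "up": dx_up},
        {"prefix": "192.168.0.0/16", "via": "ipsec-tunnel-1", "local_pref": 100, "as_path": prepend([65001], prepends), "up": vpn_up},
        {"prefix": "192.168.0.0/16", "via": "ipsec-tunnel-2", "local_pref": 100, "as_path": prepend([65001], prepends), "up": vpn_up},
    ]


if __name__ == "__main__":
    scenarios = (
        ("customer, all up", customer_rib()),
        ("customer, DX down", customer_rib(dx_up=False)),
        ("VGW, all up", vgw_rib()),
        ("VGW, no prepending", vgw_rib(prepends=0)),
        ("VGW, DX down", vgw_rib(dx_up=False)),
        ("VGW, everything down", vgw_rib(dx_up=False, vpn_up=False)),
    )
    for name, rib in scenarios:
        winner, reason = decision(rib)
        print(f"{name}: {winner['via'] if winner else None} ({reason})")
```

The no-prepend case comes back as 'tie': that is exactly what the prepending avoids, since without it the VGW has no attribute that favours Direct Connect and the selection falls to tie-breakers the customer does not control. Failing Direct Connect in either RIB moves the prefix onto an IPsec tunnel without any configuration change, which is the backup behaviour the design is after.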
Design 1 - Key Head Office site

[Diagram: Brisbane Head Office, Gold Coast, Sydney, Melbourne and Adelaide sites on the VPN Solutions MPLS private IP network, plus the Brisbane co-lo. Primary path: Direct Connect from the network interconnect POP at Equinix Sydney (AWS supported, BGP routing) to the VGW and the VPC subnets in Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b). Backup path: 2x IPsec VPN over the Internet (VPN Solutions supported, BGP routing). An outage marker on the diagram shows the failure scenario this design covers.]
Design 2 - High Branch Dependency

[Diagram: same topology as Design 1 (Brisbane Head Office, Gold Coast, Sydney, Melbourne, Adelaide and the Brisbane co-lo on the VPN Solutions MPLS private IP network; Direct Connect primary via the network interconnect POP at Equinix Sydney with AWS supported BGP routing; 2x IPsec VPN backup paths over the Internet, VPN Solutions supported; VPC subnets in ap-southeast-2a and ap-southeast-2b). The outage marker in this design is shown at the VGW.]
Design 3 - Standby/DR Office

[Diagram: same topology as Design 1 with a Brisbane Standby Office added alongside the Brisbane Head Office (Gold Coast, Sydney, Melbourne, Adelaide and the Brisbane co-lo on the VPN Solutions MPLS private IP network; Direct Connect primary via the network interconnect POP at Equinix Sydney with AWS supported BGP routing; 2x IPsec VPN backup paths over the Internet, VPN Solutions supported; VGW and VPC subnets in ap-southeast-2a and ap-southeast-2b). Two outage markers show the failure scenario this design covers.]
Questions or follow-up?

Kent Plummer - local Gold Coast'er. Find me on LinkedIn
0424 177 377, vpnsolutions.com.au

Credit to Matt Lehwess (AWS) for use of some of his slides from re:Invent