AWS Hybrid Cloud Connectivity - VPN Solutions
Page 1: AWS Hybrid Cloud Connectivity - VPN Solutions

Kent Plummer - VPN Solutions, Managed Private IP Networks for Business

vpnsolutions.com.au

AWS Networking & Hybrid Cloud Connectivity

Nov 2015

Page 2: AWS Hybrid Cloud Connectivity - VPN Solutions

1. The concepts and building blocks

2. Connectivity options

3. Routing and AWS. Why and how BGP is used

4. Redundancy & real life examples

AWS Networking & Hybrid Cloud Connectivity

Page 4: AWS Hybrid Cloud Connectivity - VPN Solutions

Sydney Region Network Topology (diagram)

Region ap-southeast-2 (Sydney) containing Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b), each holding instances etc. Two Network Connection Locations, Equinix DC Sydney and Global Switch DC Sydney, each a co-lo with an AWS handoff port facing service provider networks and the Internet.

• AZ's have physical site, power and comms diversity
• AZ connectivity is not made public, i.e. the green links drawn are not actual.

Page 5: AWS Hybrid Cloud Connectivity - VPN Solutions

Public Cloud Solutions (diagram)

Internet fronted by Route53 DNS and CloudFront CDN; an ELB, EC2 instances and an RDS DB in each of AZ1 and AZ2, plus S3; an office/home network 192.168.1.0/24 sits behind an Internet router performing NAT.

• Typical Internet facing web app
• Internet – well connected, high speed
• Low establishment cost
• Network performance not guaranteed
• Public Internet
• Globally scalable via CloudFront

Page 6: AWS Hybrid Cloud Connectivity - VPN Solutions

Virtual Private Cloud (VPC) Solutions (diagram)

VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, each with a Public Subnet and a Private Subnet. Instance A 10.1.1.11 /24, Instance B 10.1.2.22 /24, Instance C 10.1.3.33 /24, Instance D 10.1.4.44 /24; subnet labels as drawn on the slide: 10.1.1.0/16, 10.1.2.0/16, 10.1.3.0/16. A VGW connects the Corporate Office via Direct Connect and via Hardware VPN (IPSec over the Internet); an IGW carries 0.0.0.0/0.

• Your own private, isolated section of the AWS cloud
• Corporate DC extension into AWS
• Grouping of EC2 instances and other services within a private IP address range, i.e. 10.1.0.0/16
• Subnets are local per AZ (layer 3 DC-DC design)
• Failover is via SLB or DNS – no VMotion-like failover
• Complete control over networking & security

Some services don't appear inside a VPC yet (S3*, DynamoDB, SQS, SNS, SWF, Glacier). VPC Endpoints are WIP – S3 just released.

Page 7: AWS Hybrid Cloud Connectivity - VPN Solutions

VPC Components (diagram)

Same VPC layout as the previous slide: VPC CIDR 10.1.0.0/16, Availability Zones A and B each with a Public and a Private Subnet, Instances A to D (10.1.1.11, 10.1.2.22, 10.1.3.33, 10.1.4.44, each /24), a VGW to the Corporate Office via Direct Connect and Hardware VPN (IPSec over the Internet), an IGW for 0.0.0.0/0, and a CGW at each corporate office end.

• IGW - Internet Gateway
• VGW - Virtual Private Gateway
• CGW – Customer Gateway
• Subnets
• Route tables
• Direct Connect
• Hardware VPN
• Security Groups & ACLs

Example route table:

Destination     Target
10.1.0.0/16     local
0.0.0.0/0       igw-b409
10.99.1.0/24    vgw-724f
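Worked example, added here and not part of the original deck: the route table above resolved by longest-prefix match, the rule a VPC subnet applies when choosing between local, the IGW and the VGW, plus the same table with the IGW default route removed as a private subnet would carry it. The targets igw-b409 and vgw-724f are the slide's own labels; the destination addresses tested are constructed.

```python
import ipaddress

# Route table entries copied from the VPC Components slide.
ROUTE_TABLE = [
    ("10.1.0.0/16", "local"),
    ("0.0.0.0/0", "igw-b409"),
    ("10.99.1.0/24", "vgw-724f"),
]


def lookup(route_table, dst):
    """Resolve dst against a route table the way a VPC subnet does:
    the most specific (longest prefix) matching entry wins, so 10.99.1.0/24
    beats 0.0.0.0/0 for on-premises traffic. Returns None when nothing
    matches, which for a VPC means the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def private_subnet_table(route_table):
    """A private subnet keeps the same local and VGW routes but has no
    default route to the IGW, so nothing in it is reachable from the Internet."""
    return [(c, t) for c, t in route_table
            if not (c == "0.0.0.0/0" and t.startswith("igw-"))]


def classify(route_table, dst):
    """Map a lookup result onto the slide's vocabulary: 'vpc', 'internet',
    'on-premises' or 'dropped'. Useful when auditing whether a subnet that
    is meant to be private can reach the Internet at all."""
    target = lookup(route_table, dst)
    if target is None:
        return "dropped"
    if target == "local":
        return "vpc"
    if target.startswith("igw-"):
        return "internet"
    if target.startswith("vgw-"):
        return "on-premises"
    return "other"
```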

Page 8: AWS Hybrid Cloud Connectivity - VPN Solutions

Section 2. Connectivity options
Page 9: AWS Hybrid Cloud Connectivity - VPN Solutions

Hardware VPN – IPSec via Internet

• Provides an extension of the onsite corporate network

• Can use your existing private IP addressing 10.x etc

• IPSec tunnel to secure traffic over the Internet (128-bit AES)

• Static or dynamic routing (BGP)

• 2 x termination points per region. Default is a tunnel to each

• Hub and spoke topology

• Reduced MTU

• Makes use of the VGW

• Cost of connection hours + metered data out (Internet rates)

• Try and turn off if no longer needed

Page 10: AWS Hybrid Cloud Connectivity - VPN Solutions

Hardware VPN – IPSec via Internet

Console builds config

CGWs: Cisco, Juniper or Windows Server

Internet links: xDSL, EoC, Fibre

2 x tunnels to each edge site (for VGW redundancy)

Page 11: AWS Hybrid Cloud Connectivity - VPN Solutions

AWS Direct Connect - Features

• High speed, dedicated, private pipe into AWS (VPC)

• Consistent network performance compared to Internet

• Metered outbound traffic (~1/3 cost of Internet)

• 1 or more network connection points per region (Syd x 2)

• Supports redundancy (BGP routing)

• Allows QoS

• End to end support by single network provider

Page 12: AWS Hybrid Cloud Connectivity - VPN Solutions

AWS Direct Connect - Benefits

• Reduced network transfer costs (out of AWS)

• Improved & consistent application performance

• Flexible – initial seed data typically very large

• Less downtime - end to end support

• Security and compliance

• Enabler for the Hybrid Cloud Architecture

Page 13: AWS Hybrid Cloud Connectivity - VPN Solutions

AWS Direct Connect - Anatomy (diagram)

Customer Datacenter: Customer Subnet 192.168.0.0/16, AS65442, Customer Gateway.

Service Provider (MPLS L3 IP VPN or VPLS): BGP carried via the managed Service Provider network.

Colocation Facility, e.g. Equinix SV1: customer or partner device (CGW) in a co-location rack within the same DC, i.e. Equinix Sydney; Cross Connect to the AWS Direct Connect Point of Presence (POP).

AWS: VPC CIDR 10.1.0.0/16, AS7224, VGW; Availability Zones A and B each with a Public and a Private Subnet; Instances A to D (10.1.1.11, 10.1.2.22, 10.1.3.33, 10.1.4.44, each /24); subnet labels as drawn: 10.1.1.0/16, 10.1.2.0/16, 10.1.3.0/16.

Private Virtual Interface on dot1q VLAN 666: BGP over a /30 routed subnet, 169.254.247.16/30 (.17 and .18), on a VLAN of the dot1q trunk.

Page 14: AWS Hybrid Cloud Connectivity - VPN Solutions

Customer AWS Console View

BGP learnt routes from Customer remote sites

Page 15: AWS Hybrid Cloud Connectivity - VPN Solutions

Section 3. Routing and AWS. Why and how BGP is used
Page 16: AWS Hybrid Cloud Connectivity - VPN Solutions

BGP

• Border Gateway Protocol
• Needed to implement network redundancy
• Standards based protocol used to connect the global Internet
• Exchanges routes ('prefixes') between 'neighbours'
• Uses AS numbers, i.e. AS 65001
• AS_PATH – measure of network distance
• Local Preference – means to override AS_PATH locally
• Used by AWS to connect to customers and advertise routes:
  – Direct Connect (mandatory)
  – IPSec VPN (optional)
• Bi-Directional Forwarding Detection (BFD) – speeds up failover to as low as 150 ms. Standard BGP can be 180 sec.

Page 17: AWS Hybrid Cloud Connectivity - VPN Solutions

The Customer Gateway (CGW)

Page 18: AWS Hybrid Cloud Connectivity - VPN Solutions

Section 4. Redundancy & real life examples
Page 19: AWS Hybrid Cloud Connectivity - VPN Solutions

Redundancy – IPSec Backup x 2 (diagram)

Customer Datacenter: Customer Subnet 192.168.0.0/16, AS65001, Customer Gateway; HSRP & iBGP between onsite routers for failover.

Direct Connect via the Colocation Facility (e.g. Equinix SV1) to the AWS Direct Connect Point of Presence.

2 x IPSec tunnels over the Internet, BGP over /30 routed subnets, with different IPSec termination endpoints (AZ?) for each tunnel for VGW redundancy.

AWS: VPC CIDR 10.1.0.0/16, AS 7224; Availability Zones A and B each with a Public and a Private Subnet; Instances A to D (10.1.1.11, 10.1.2.22, 10.1.3.33, 10.1.4.44, each /24); subnet labels as drawn: 10.1.1.0/16, 10.1.2.0/16, 10.1.3.0/16.

VPC Routing: selects the shortest AS path (Direct Connect). Advertises with AS7224 out over all links.

Customer Site Routing: prefer Service Provider MPLS (set local-pref). Advertise with AS65001 AS65001 AS65001 over IPSec.
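Added example (not from the deck): a simplified BGP decision, highest Local Preference first, then shortest AS_PATH, applied to the redundancy design above and the AS_PATH / Local Preference bullets in the BGP slide. AWS advertises with AS7224 over every link, the customer prepends AS65001 three times over IPSec and raises local-pref on the MPLS / Direct Connect side. Assumed for illustration: the Direct Connect path carries a single AS65001 hop and the local-pref values are 200 versus the default 100; the remaining BGP tie-breakers are not modelled.

```python
from dataclasses import dataclass


@dataclass
class Path:
    link: str
    as_path: list            # e.g. ["65001", "65001", "65001"] after prepending
    local_pref: int = 100    # BGP default LOCAL_PREF


def best_path(paths):
    """Simplified BGP decision process: highest LOCAL_PREF wins, then the
    shortest AS_PATH. Ties (e.g. two equal IPSec tunnels) go to the first
    entry; real routers apply further tie-breakers not modelled here."""
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)))


def prepend(asn, times):
    """AS_PATH prepending: repeat our own ASN to make a path look longer."""
    return [asn] * times


def vpc_best_link(direct_connect_up=True):
    """AWS side (AS7224) choosing how to reach 192.168.0.0/16. The customer
    sends 'AS65001 AS65001 AS65001' over each IPSec tunnel; assumed here:
    a single AS65001 hop over Direct Connect, so Direct Connect is shortest
    and the tunnels only carry traffic once it is withdrawn."""
    paths = [Path("ipsec-tunnel-1", prepend("65001", 3)),
             Path("ipsec-tunnel-2", prepend("65001", 3))]
    if direct_connect_up:
        paths.append(Path("direct-connect", ["65001"]))
    return best_path(paths).link


def customer_best_link(direct_connect_up=True):
    """Customer side choosing how to reach 10.1.0.0/16. AWS advertises
    AS7224 equally over all links, so AS_PATH cannot separate them; the
    customer sets a higher local-pref (200, illustrative value) on the
    MPLS / Direct Connect path to prefer it, and falls back to IPSec
    automatically when that path disappears."""
    paths = [Path("ipsec-tunnel-1", ["7224"]),
             Path("ipsec-tunnel-2", ["7224"])]
    if direct_connect_up:
        paths.append(Path("mpls-direct-connect", ["7224"], local_pref=200))
    return best_path(paths).link
```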

Page 20: AWS Hybrid Cloud Connectivity - VPN Solutions

Design 1 – Key Head Office site (diagram)

Sites: Gold Coast, Brisbane Head Office, Sydney, Melbourne and Adelaide on the VPN Solutions MPLS Private IP Network, plus Brisbane Co-lo. Primary path: Direct Connect via the Network Interconnect POP at Equinix Sydney to the VGW (AWS supported, BGP routing). Backup path: 2 x IPSec VPN over the Internet from Brisbane Head Office (VPN Solutions supported, BGP routing). AWS side: Availability Zone 1 ap-southeast-2a and Availability Zone 2 ap-southeast-2b, each with a VPC subnet and instances. The diagram marks an outage scenario on the primary path.

Page 21: AWS Hybrid Cloud Connectivity - VPN Solutions

Design 2 – High Branch Dependency (diagram)

Same sites and links as Design 1: Gold Coast, Brisbane Head Office, Sydney, Melbourne and Adelaide on the VPN Solutions MPLS Private IP Network, Brisbane Co-lo, primary Direct Connect via the Network Interconnect POP at Equinix Sydney to the VGW (AWS supported, BGP routing), backup 2 x IPSec VPN over the Internet from Brisbane Head Office (VPN Solutions supported), and two Availability Zones (ap-southeast-2a, ap-southeast-2b) each with a VPC subnet and instances. The diagram marks an outage scenario at the VGW end.

Page 22: AWS Hybrid Cloud Connectivity - VPN Solutions

Design 3 – Standby/DR Office (diagram)

Same sites and links as Design 1, with a Brisbane Standby Office added: Gold Coast, Brisbane Head Office, Sydney, Melbourne and Adelaide on the VPN Solutions MPLS Private IP Network, Brisbane Co-lo, primary Direct Connect via the Network Interconnect POP at Equinix Sydney to the VGW (AWS supported, BGP routing), backup 2 x IPSec VPN over the Internet (VPN Solutions supported), and two Availability Zones (ap-southeast-2a, ap-southeast-2b) each with a VPC subnet and instances. The diagram marks two outage scenarios.

Page 23: AWS Hybrid Cloud Connectivity - VPN Solutions

Questions or follow-up?

Kent Plummer – Find me on LinkedIn or

[email protected] 177377

vpnsolutions.com.au

Credit to Matt Lehwess (AWS) for use of some of his slides from re:Invent