AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
Transcript of AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
Amazon VPC
[Diagram: an Amazon VPC in the AWS Cloud spanning Availability Zones, with a Public Subnet (Web Servers, NAT, reachable from the Internet), a Private Subnet (Application Servers) and a VPN Only Subnet (Database Servers) connected to the Corporate Network]
[Diagram: Corporate Network – multiple Internet ISPs (ISP 1 to ISP 5, BGP) behind firewalls and routers with public IPs; BGP runs inside GRE tunnels over IPsec, with backup GRE tunnels and a wireless controller on the internal side]
The Toolbox
Virtual Private Cloud
Route Tables
Internet Gateway
Virtual Private Gateway
VPN Connection
Customer Gateway
AWS Direct Connect
VPN Connection – IPsec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
Reference: Wikipedia - http://en.wikipedia.org/wiki/IPsec
AWS VPN Features
• Static or Dynamic (BGP)
• Static requires routes (IP Prefixes) to be specified
• Dynamic VPN supports max-prefixes of 100
• BGP over VPN supports 2-byte AS Numbers
AWS VPN Requirements
• Connections initiated from the Customer Gateway
• IKE Security Association using a Pre-Shared Key
• IPSec Security Associations in Tunnel Mode
• AES 128-bit encryption, SHA-1 hashing function
• Diffie-Hellman Perfect Forward Secrecy – Group 2
• Dead Peer Detection
• Fragment IP Packets before encryption
Static VPN
• 1 unique Security Association (SA) pair per tunnel
• 1 inbound and 1 outbound
• 2 unique pairs for 2 tunnels – 4 SA’s
[Diagram: CORP (192.168.0.0/16) connected to the VPC (10.0.0.0/16) over two VPN tunnels, each side configured with the other side's prefix]
Static VPN
• Consolidate ACL’s to cover all IP’s
• Filter to block unwanted traffic
[Diagram: CORP side with 172.16.0.0/12, 192.168.1.0/24 and 192.168.9.0/24 reaching the VPC (10.0.0.0/16); the tunnel ACLs on both sides are 0.0.0.0/0 (any)]
Static VPN
• Consolidate ACL’s to cover all IP’s
• Filter to block unwanted traffic
[Diagram: CORP and VPC both shown as 10.0.0.0/16, with the tunnel ACLs on both sides as 0.0.0.0/0 (any)]
What is BGP ?
• TCP based protocol on port 179
• BGP Neighbors exchange routing information - prefixes
• More specific prefixes are preferred
• Uses Autonomous System Numbers – AS Numbers
• iBGP – between peers in the same AS
• eBGP – between peers in different AS
• AS_PATH – measure of network “distance”
• Local Preference – weighting of identical prefixes
Dynamic VPN
[Diagram: CORP (172.16.0.0/16, BGP AS 65001) connected to the VPC (10.0.0.0/16, BGP AS 7224) over two tunnels]
Tunnel 1: AWS side IP 169.254.169.1/30, BGP AS 7224; customer side IP 169.254.169.2/30, BGP AS 65001
Tunnel 2: AWS side IP 169.254.169.5/30, BGP AS 7224; customer side IP 169.254.169.6/30, BGP AS 65001
VPC Route Table:
Destination     Target
10.0.0.0/16     Local
172.16.0.0/16   VGW
Dynamic VPN
[Diagram: CORP (172.16.0.0/16, BGP AS 65001) connected to the VPC (10.0.0.0/16, BGP AS 17493) over two tunnels]
Tunnel 1: AWS side IP 169.254.169.1/30, BGP AS 17493; customer side IP 169.254.169.2/30, BGP AS 65001
Tunnel 2: AWS side IP 169.254.169.5/30, BGP AS 17493; customer side IP 169.254.169.6/30, BGP AS 65001
• BGP Peer IP Addresses are automatically generated
• Customer AS Number – owned or private ASN
• Amazon AS Number is fixed per region
Path Selection – inside the VGW
1. Most specific IP prefix (192.168.10.0/24 over 192.168.0.0/16)
2. Direct Connect (irrespective of AS PATH length)
3. Static VPN Connection
4. Dynamic (BGP) VPN Connection
5. Shortest AS PATH (65001 i over 65001 65001 i)
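The selection order above, as an added worked example (not code from the slides): a small route-selection function that ranks candidate paths the way the slide describes, first by longest prefix, then by connection type, then by AS_PATH length. The routing table and connection labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Connection types in VGW preference order from the slide
# (applied after longest-prefix match). Lower rank wins.
CONNECTION_RANK = {"direct_connect": 0, "static_vpn": 1, "dynamic_vpn": 2}


@dataclass
class Route:
    prefix: str          # e.g. "192.168.10.0/24"
    via: str             # "direct_connect", "static_vpn" or "dynamic_vpn"
    as_path: tuple = ()  # BGP AS_PATH; empty for static routes


def candidates_for(routes, dst):
    """Routes whose prefix contains the destination address."""
    ip = ipaddress.ip_address(dst)
    return [r for r in routes if ip in ipaddress.ip_network(r.prefix)]


def select_path(routes, dst):
    """Pick the route the VGW would use for dst, in the slide's order:
    1. most specific prefix, 2. Direct Connect (regardless of AS_PATH length),
    3. static VPN, 4. dynamic (BGP) VPN, 5. shortest AS_PATH as the tie-break.
    Returns None when no prefix covers dst."""
    cands = candidates_for(routes, dst)
    if not cands:
        return None
    return min(
        cands,
        key=lambda r: (
            -ipaddress.ip_network(r.prefix).prefixlen,  # longer prefix first
            CONNECTION_RANK[r.via],                      # DX > static > dynamic
            len(r.as_path),                              # shorter AS_PATH first
        ),
    )


# Constructed sample table mixing the slide's examples (hypothetical values)
ROUTES = [
    Route("192.168.0.0/16", "direct_connect", (65001,)),
    Route("192.168.10.0/24", "dynamic_vpn", (65001, 65001)),  # prepended path
    Route("192.168.10.0/24", "dynamic_vpn", (65001,)),
    Route("172.16.0.0/16", "static_vpn"),
    Route("172.16.0.0/16", "dynamic_vpn", (65001,)),
]
```

For 192.168.10.5 the /24 learned over the dynamic VPN beats the /16 over Direct Connect because prefix length is checked first; between the two /24 advertisements the shorter AS_PATH wins.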
Recent VPN Updates
• NAT Traversal (NAT-T)
• Re-usable Customer Gateway
  • Allows for the same Customer Gateway (CGW) IP
  • Create a new VGW and VPN then attach to your VPC
  Note: Only one VGW can be attached to a VPC at one time.
• Additional Encryption Options
  • AES256, SHA-256
  • Phase 1 can now use DH groups 2, 14-18, 22, 23, and 24.
  • Phase 2 can now use DH groups 1, 2, 5, 14-18, 22, 23, and 24.
How to Create a VPN Connection
1. Create a VGW
2. Attach it to the VPC
3. Create a CGW
4. Create a VPN
5. Update Route Tables
6. Configure CGW
What is AWS Direct Connect…
Dedicated, private pipes into AWS
• Create private (VPC) or public virtual interfaces to AWS
• Reduced data-out rates (data-in still free)
• Consistent network performance
• At least 1 location to each AWS region
• Option for redundant connections
• Multiple AWS accounts can share a connection
• Inter-Region enables connectivity to multiple regions in US
• Uses BGP to exchange routing information over a VLAN
Direct Connect - Locations
AWS Region | AWS Direct Connect Location
Asia Pacific (Seoul) | KINX, Seoul, Korea
Asia Pacific (Singapore) | Equinix SG2, Singapore
Asia Pacific (Singapore) | GPX, Mumbai, India
Asia Pacific (Sydney) | Equinix SY3, Sydney, Australia
Asia Pacific (Sydney) | Global Switch, Sydney, Australia
Asia Pacific (Tokyo) | Equinix OS1, Osaka, Japan
Asia Pacific (Tokyo) | Equinix TY2, Tokyo, Japan
AWS GovCloud (US) | Equinix SV1 & SV5, San Francisco, CA
China (Beijing) | CIDS Jiachuang IDC, Beijing, China
China (Beijing) | Sinnet Jiuxianqiao IDC, Beijing, China
EU Central (Frankfurt) | Equinix FR5, Frankfurt, Germany
EU Central (Frankfurt) | Interxion Frankfurt, Germany
EU West (Ireland) | Equinix LD4 - LD6, London, England
EU West (Ireland) | Eircom Clonshaugh, Dublin, Ireland
EU West (Ireland) | TelecityGroup, London Docklands, London, England
South America (Sao Paulo) | Terremark NAP do Brasil, Sao Paulo, Brasil
South America (Sao Paulo) | Tivit, Sao Paulo, Brasil
US East (Virginia) | CoreSite NY1 & NY2, New York, NY
US East (Virginia) | Equinix DA1 - DA3 & DA6, Dallas, TX
US East (Virginia) | Equinix DC1 - DC6 & DC10, Ashburn, VA
US West (Northern California) | CoreSite One Wilshire & 900 North Alameda, CA
US West (Northern California) | Equinix SV1 & SV5, San Francisco, CA
US West (Oregon) | Equinix SE2 & SE3, Seattle, WA
US West (Oregon) | Switch SUPERNAP 8, Las Vegas, NV
Layers of Direct Connect
Layer 1 - Physical: Single Mode Fiber – 1G or 10G
Layer 2 - Data Link: Ethernet – 802.1Q VLAN
Layer 3 - Network: Peer & Amazon IP
Layer 4 - Transport: TCP
Layer 7 - Application: BGP (“Routing of traffic”)
Terminology For Physical Connections
• Leased Line
• Ethernet Private Line
• Pseudo-wire
• Point-to-point circuit
• LAN Extension
• MPLS / VPLS / IP-VPN / L3-VPN
All generally deliver an “extension” of a port from a Direct Connect Location to a Customer Location
A little different …
Physical Connection
• Cross Connect at the location
• Single Mode Fiber – 1000Base-LX or 10GBASE-LR
• Potential onward Delivery via Direct Connect Partner
• Customer Router
At the Direct Connect Location
[Diagram: CORP – Customer's Network Backbone – Access Circuit – Demarcation – Customer Router in colocation at the DX Location – Cross Connect – AWS Direct Connect Routers – AWS Backbone Network]
Dedicated Port via Direct Connect Partner
[Diagram: CORP – Customer Router – Access Circuit – Demarcation – Partner Network, with Partner Equipment in colocation at the DX Location – Cross Connect – AWS Direct Connect Routers – AWS Backbone Network]
At the Direct Connect Location – via MPLS
[Diagram: CORP – CE Routers – Access Circuit to CE – Demarcation – Provider Edge – Partner MPLS Core – Partner PE Router in colocation at the DX Location – Cross Connect – AWS Direct Connect Routers – AWS Backbone Network]
Layers of Direct Connect
[Diagram: Direct Connect Connection (Single Mode Fiber – 1G or 10G) → Ethernet – 802.1Q VLAN → Virtual Interface (one per VLAN, Peer & Amazon IP) → BGP (“Routing of traffic”) → Virtual Private Gateway, all within account A/C 1]
Public and Private Virtual Interfaces
• 802.1Q VLAN
• eBGP Session
  Note: Max Prefixes on the AWS peer: 100
• Private Virtual Interface – Access to VPC
  Note: Not VPC Endpoints or transitive via VPC Peering
• Public Virtual Interface – Access to non-VPC Services
Account ownership of Direct Connect
[Diagram: Direct Connect Connection (Single Mode Fiber – 1G or 10G, Ethernet – 802.1Q VLAN) owned by account A/C 1; a Hosted Virtual Interface (one per VLAN, Peer & Amazon IP) → BGP (“Routing of traffic”) → Virtual Private Gateway in account A/C 2]
Sub-1G via Direct Connect Partner
[Diagram: the Partner's Direct Connect Interconnect (Single Mode Fiber – 1G or 10G, Ethernet – 802.1Q VLAN) → Hosted Connection for the Customer (Bandwidth VLAN) → Virtual Interface (Single, Peer & Amazon IP’s) → BGP (“Routing of traffic”) → Virtual Private Gateway]
Hosted Connection bandwidths: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps and 500Mbps
Sharing Hosted Connections
[Diagram: the Partner's Direct Connect Interconnect (Single Mode Fiber – 1G or 10G, Ethernet – 802.1Q VLAN) → Hosted Connection for the Customer in account A/C 1 (Bandwidth VLAN) → Hosted Virtual Interface (Single, Peer & Amazon IP’s) → BGP (“Routing of traffic”) → Virtual Private Gateway in account A/C 2]
Private Virtual Interface
• Only provides access to resources in a VPC
  Note: Not VPC Endpoints or transitive via VPC Peering
• Attaches to the Virtual Private Gateway – same as a VPN Connection
• Multiple Private VIF’s can be attached for resilience
• Any IP Addresses and ASN for BGP Peering acceptable
Single Private Virtual Interface
[Diagram: CORP (172.16.0.0/16) connected to the VPC (10.0.0.0/16) over a single private VIF]
VPC Route Table:
Destination     Target   Propagated
10.0.0.0/16     Local
172.16.0.0/16   VGW      Yes
AWS side (dxvif-wwxxyyzz): VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 Key
Customer side (Interface gi0/0.100): VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 Key
eBGP: AS65001 announcing 172.16.0.0/16; AS7224 announcing 10.0.0.0/16
Dual DX – Single Location
[Diagram: CORP – Service Provider Network – Customer Router in colocation at the DX Location – two connections to the AWS Direct Connect Routers, with one eBGP session over each]
Dual Private Virtual Interface
[Diagram: CORP (172.16.0.0/16) connected to the VPC (10.0.0.0/16) over two private VIFs, with one eBGP session over each]
VIF 1 – AWS side (dxvif-wwxxyyzz): VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 Key; customer side (Interface gi0/0.100): VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 Key
VIF 2 – AWS side (dxvif-aabbccdd): VLAN 100, IP 169.254.254.13/30, BGP AS 7224, MD5 Key; customer side (Interface gi0/0.100): VLAN 100, IP 169.254.254.14/30, BGP AS 65001, MD5 Key
Dual DX – Single Location revisited
[Diagram: CORP – Service Provider Network – a single Customer Router in colocation at the DX Location with two connections to the AWS Direct Connect Routers]
Dual DX – Single Location revisited
[Diagram: CORP – Service Provider Network – two Customer Routers in colocation at the DX Location, each with its own connection to the AWS Direct Connect Routers]
Single DX – Dual Location
[Diagram: CORP – Service Provider Network – Customer Routers in colocation at DX Location 1 and at DX Location 2, each with a single connection to that location's AWS Direct Connect Routers]
Dual DX – Dual Location
[Diagram: CORP – Service Provider Network – Customer Routers in colocation at DX Location 1 and at DX Location 2, each location with two connections to its AWS Direct Connect Routers]
Public Virtual Interface
• Provides access to Amazon Public IP Addresses
• Requires Public IP Addresses for BGP Session
  If you can’t provide them, raise a case with AWS Support
• Public ASN must be owned by customer – Private is OK
• Inter-Region is available in the US
Public VIF – Inter-Region – US Only
• Public VIF’s receive prefixes for all US Regions
• Prefixes are identified by BGP Communities
• Advertisements can be controlled via BGP Communities
Public Virtual Interface
[Diagram: CORP (172.16.0.0/16) connected to AWS public services over a public VIF]
AWS side (dxvif-wwxxyyzz): VLAN 200, IP 54.239.244.57/31, BGP AS 7224, MD5 Key
Customer side (Interface gi0/0.200): VLAN 200, IP 54.239.244.56/31, BGP AS 65001, MD5 Key
AS65001 announcing 54.239.244.56/31
AS7224 announcing:
184.72.96.0/19 via 7224 16509 14618 i
184.72.128.0/17 via 7224 16509 14618 i
184.73.0.0 via 7224 16509 14618 i
184.169.128.0/17 via 7224 16509 i
199.127.232.0/22 via 7224 16509 i
199.255.192.0/22 via 7224 16509 i
…
How to order AWS Direct Connect
1. Select Your Region
2. Create a Connection
3. Receive LOA-CFA
4. Cross Connect
5. Create Virtual Interface
6. Configure Customer Router
How to order sub-1G via an APN Partner
1. Provide your Direct Connect Partner with Account Number
2. Accept Hosted Connection
3. Create Virtual Interface
4. Configure Customer Router
Hardware VPN over DX Public VIF
[Diagram: CORP (172.16.0.0/16) reaches the hardware VPN endpoints over the public VIF, with the two VPN tunnels carried over that VIF]
Public VIF – AWS side (dxvif-wwxxyyzz): VLAN 200, IP 54.239.244.57/31, BGP AS 7224, MD5 Key; customer side (Interface gi0/0.200): VLAN 200, IP 54.239.244.56/31, BGP AS 65001, MD5 Key
Tunnel 1: AWS side IP 169.254.169.1/30, BGP AS 17493; customer side IP 169.254.169.2/30, BGP AS 65001
Tunnel 2: AWS side IP 169.254.169.5/30, BGP AS 17493; customer side IP 169.254.169.6/30, BGP AS 65001
Billing
• VPN Connections
  Connection Hours
  Data Transfer (Internet rates)
• Direct Connect
  Port Hours
  Reduced Data Transfer Rates
  No charge for resources owned by other accounts
  VPN Data Transfer over Direct Connect at reduced rate
Things to remember
All Direct Connect locations are at 3rd party data centers
You will have to work with at least one other organization
• Could be just the Data Center
• Could be a Network Provider / Direct Connect Partner
• Could be multiple Network Providers AND the Data Center
Sub-1G Hosted Connections support a single VIF
You can share VIF’s with other accounts
Public VIF’s include the Hardware VPN Endpoints
Demo Architecture
[Diagram: on-premises network 192.168.51.0/24 (host 192.168.51.10) behind a router with Gi0/1: 192.168.51.254, Gi0/0 to the Internet and Gi0/0/0 to DX 1 at the DX Location (Telecity London), reaching the eu-west-1 (Ireland) VPC 10.0.0.0/16]
Summary
Connectivity via VPN – Static & Dynamic
Connectivity via AWS Direct Connect – Public & Private
Demo