KentPlummer- VPNSolutionsManagedPrivateIPNetworksforBusiness

vpnsolutions.com.au

AWSNetworking&HybridCloudConnectivityGoldCoastAWSUserGroupNov2015

1. Theconceptsandbuildingblocks2. Connectivityoptions3. RoutingandAWS.WhyandhowBGPisused4. Redundancy&reallifeexamples

AWSNetworking&HybridCloudConnectivity

1. Theconceptsandbuildingblocks2. Connectivityoptions3. RoutingandAWS.WhyandhowBGPisused4. Redundancy&reallifeexamples

AWSNetworking&HybridCloudConnectivity

SydneyRegionNetworkTopology

Availability Zone 2ap-southeast-2b

Availability Zone 1ap-southeast-2a

Regionap-southeast-2 OR Sydney

Equinix DC SydneyNetwork Connection Location

Global Switch DC SydneyNetwork Connection Location

Instances etc

Instances etc

Co-lo

ServiceProviderNetworks

andInternet

Co-lo

ServiceProviderNetworks

andInternet

AWShandoffport

• AZ’shavephysicalsite,powerandcomms diversity• AZconnectivity isnotmadepublic i.e.thegreen isnotactual.

PublicCloudSolutions

EC2

AZ1

Route53DNSInternet

CloudFrontCDN

ELB

• TypicalInternetfacingwebapp

• Internet– wellconnected,highspeed

• Lowestablishmentcost

• Networkperformancenonguaranteed

• PublicInternet

• Globally scalableviaCloudFront

InternetRouterperformingNAT

192.168.1.0/24office/homenetwork

RDS DB

EC2

AZ2

ELB

RDS DB

S3 S3

VirtualPrivateCloud(VPC)Solutions

VPCCIDR10.1.0.0/16

Availability Zone A Availability Zone B

Public Subnet Public Subnet

Private Subnet Private Subnet

Instance A10.1.1.11 /24

Instance B10.1.2.22 /24

Instance C10.1.3.33 /24

Instance D10.1.4.44 /24

10.1.1.0/16

10.1.2.0/16

10.1.3.0/16

0.0.0.0/0

DirectConnect

HardwareVPN(IPSecInternet)

VGW

IGW

CorporateOffice

CorporateOffice

• Yourownprivate,isolatedsectionoftheAWScloud

• CorporateDCextensionintoAWS• Grouping ofEC2instancesand

otherserviceswithinaprivateIPaddressrangei.e.10.1.0.0/16

• SubnetsarelocalperAZ(layer3DC-DCdesign)

• FailoverisviaSLBorDNS– noVMotion likefailover

• Completecontrolovernetworking&security

Someservicesdon’tappear insideaVPCyet(S3*,DynamoDB,SQS,SNS,SWF,Glacier)VPCEndPoints WIP– S3justreleased

VPCComponents

VPCCIDR10.1.0.0/16

Availability Zone A Availability Zone B

Public Subnet Public Subnet

Private Subnet Private Subnet

Instance A10.1.1.11 /24

Instance B10.1.2.22 /24

Instance C10.1.3.33 /24

Instance D10.1.4.44 /24

10.1.1.0/16

10.1.2.0/16

10.1.3.0/16

0.0.0.0/0

DirectConnect

HardwareVPN(IPSecInternet)

VGW

IGW

CorporateOffice

CorporateOffice

• IGW- InternetGateway

• VGW- VirtualPrivateGateway

• CGW– CustomerGateway

• Subnets

• Routetables

• DirectConnect

• HardwareVPN

• SecurityGroups&ACLs

CGWCGW Destination Target

10.1.0.0/16 local

0.0.0.0/0 igw-b409

10.99.1.0/24 vgw-724f

1. Theconceptsandbuildingblocks2. Connectivityoptions3. RoutingandAWS.WhyandhowBGPisused4. Redundancy&reallifeexamples

AWSNetworking&HybridCloudConnectivity

HardwareVPN– IPSec viaInternet• Providesanextensionoftheonsitecorporatenetwork

• CanuseyourexistingprivateIPaddressing10.xetc

• IPSec tunneltosecuretrafficovertheInternet(128-bitAES)

• Staticordynamicrouting(BGP)

• 2xterminationpointsperregion.Defaultisatunneltoeach

• Hubandspoketopology

• ReducedMTU

• MakesuseoftheVGW

• Costofconnectionhours+metereddataout(Internetrates)

• Tryandturnoffifnolongerneeded

HardwareVPN– IPSec viaInternet

Consolebuildsconfig

CGW’sCisco,JuniperorWindowsServer

InternetlinksxDSL,EoC,Fibre

2xtunnels toeachedgesite(forVPGredundancy)

AWSDirectConnect- Features• Highspeed,dedicated,privatepipeintoAWS(VPC)

• ConsistentnetworkperformancecomparedtoInternet

• Meteredoutboundtraffic(~1/3costofInternet)

• 1ormorenetworkconnectionpointsperregion(Syd x2)

• Supportsredundancy(BGProuting)

• AllowsQoS

• Endtoendsupportbysinglenetworkprovider

AWSDirectConnect- Benefits• Reducednetworktransfercosts(outofAWS)

• Improved&consistentapplicationperformance

• Flexible– initialseeddatatypicallyverylarge

• Lessdowntime- endtoendsupport

• Securityandcompliance

• EnablerfortheHybridCloudArchitecture

AWSDirectConnect- Anatomy

Customer DCColocation Facility - e.g. Equinix SV1

VPCCIDR10.1.0.0/16AS7224

Service ProviderNetwork

CustomerSubnet

192.168.0.0/16AS65442

AWSDirectConnectPOP

Co-location rackwithinsameDCie Equinix Sydney

CustomerorpartnerdeviceCGW

AWS Direct ConnectPoint of Presence Customer Gateway

Cross Connect

CustomerDatacenter

ServiceProvider(MPLSL3IPVPNorVPLS)

PrivateVirtualInterfacedot1qVLAN666

Instance A10.1.1.11 /24

Availability Zone A Availability Zone B

Public Subnet Public Subnet

Private Subnet Private Subnet

Instance B10.1.2.22 /24

Instance C10.1.3.33 /24

Instance D10.1.4.44 /24

10.1.1.0/16

10.1.2.0/16

10.1.3.0/16Private VIF

VGW

BGPover/30routedsubnetVLANondot1qtrunk

BGPviamanagedServiceProviderNetwork

169.254.247.16/30

.17 .18

CustomerAWSConsoleView

BGPlearntroutesfromCustomerremotesites

1. Theconceptsandbuildingblocks2. Connectivityoptions3. RoutingandAWS.WhyandhowBGPisused4. Redundancy&reallifeexamples

AWSNetworking&HybridCloudConnectivity

BGP• BorderGatewayProtocol• Neededtoimplementnetworkredundancy• Standardsbasedprotocolusedtoconnecttheglobal

Internet• Exchangesroutes‘prefixes’between ‘neighbours’• UsesASnumbersie AS65001• AS_PATHmeasureofnetworkdistance• LocalPreference– meanstooverrideAS_PATH locally• UsedbyAWStoconnecttocustomersandadvertiseroutes.

– DirectConnect(mandatory)– IPSec VPN(optional)

• Bi-DirectionalForwardingDetection(BFD)– speedsupfailovertoaslowa150ms.StandardBGPcanbe180sec.

TheCustomerGateway(CGW)

1. Theconceptsandbuildingblocks2. Connectivityoptions3. RoutingandAWS.WhyandhowBGPisused4. Redundancy&reallifeexamples

AWSNetworking&HybridCloudConnectivity

Redundancy– IPSec Backupx2

Customer DCColocation Facility - e.g. Equinix SV1

VPCCIDR10.1.0.0/16AS7224

Service ProviderNetwork

CustomerSubnet

192.168.0.0/16AS65001

DirectConnect

2xIPSec tunnelsBGPover/30routed

AWS Direct ConnectPoint of Presence Customer Gateway

HSRP&iBGP betweenonsiteroutesforfailover

Instance A10.1.1.11 /24

Availability Zone A Availability Zone B

Public Subnet Public Subnet

Private Subnet Private Subnet

Instance B10.1.2.22 /24

Instance C10.1.3.33 /24

Instance D10.1.4.44 /24

10.1.1.0/16

10.1.2.0/16

10.1.3.0/16

Private VIF

DifferentIPSec terminationendpoints (AZ?)foreachtunnel.VGWredundancy.

Service ProviderNetworkInternet

VPCRoutingSelectsshortestASpath(DirectConnect)AdvertisewithAS7224outoveralllinks

CustomerSiteRoutingPreferServiceProviderMPLS(setlocal-pref)AdvertisewithAS65001AS65001AS65001overIPSec

Design1– KeyHeadOfficesite

GoldCoast

VPNSolutionsMPLS

PrivateIPNetwork

BrisbaneHeadOffice

2xIPSec VPN(Backuppaths)

DirectConnect

AWSSupported

BGProuting

Internet

Availability Zone1ap-southeast-2a

Instances

Availability Zone2ap-southeast-2b

VGW

VPCsubnet

VPCsubnet

SydneyMelbourne Adelaide

NetworkInterconnectPOPEquinix Sydney

VPNSolutionsSupported

Instances

BrisbaneCo-lo

Primary

Backup

BGProuting

outage

Design2– HighBranchDependency

GoldCoast

VPNSolutionsMPLS

PrivateIPNetwork

BrisbaneHeadOffice

2xIPSec VPN(Backuppaths)

DirectConnect

AWSSupported

BGProuting

Internet

Availability Zone1ap-southeast-2a

Instances

Availability Zone2ap-southeast-2b

VPCsubnet

VPCsubnet

SydneyMelbourne Adelaide

NetworkInterconnectPOPEquinix Sydney

VPNSolutionsSupported

Instances

BrisbaneCo-lo

Primary

Backup

VGWoutage

Design3– Standby/DROffice

GoldCoast

VPNSolutionsMPLS

PrivateIPNetwork

BrisbaneHeadOffice

2xIPSec VPN(Backuppaths)

DirectConnect

AWSSupported

BGProuting

Internet

Availability Zone1ap-southeast-2a

Instances

Availability Zone2ap-southeast-2b

VPCsubnet

VPCsubnet

SydneyMelbourne Adelaide

NetworkInterconnectPOPEquinix Sydney

VPNSolutionsSupported

Instances

BrisbaneCo-lo

Primary

Backup

VGW

BrisbaneStandbyOffice

outage

outage

Questionsorfollow-up?

KentPlummer– localGoldCoast’erFindmeonLinkedIn

orkent.plummer@vpnsolutions.com.au

0424177377vpnsolutions.com.au

CredittoMattLehwess (AWS)ForuseofsomeofhisslidesfromreInvent