Page 1: AWS Networking & Hybrid Cloud Connectivity
Gold Coast AWS User Group, Nov 2015
Kent Plummer - VPN Solutions, Managed Private IP Networks for Business
vpnsolutions.com.au
Page 2: AWS Networking & Hybrid Cloud Connectivity
1. The concepts and building blocks
2. Connectivity options
3. Routing and AWS. Why and how BGP is used
4. Redundancy & real life examples
Page 4: Sydney Region Network Topology
[Diagram: Region ap-southeast-2 (Sydney) with Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b), each holding instances; two Network Connection Locations, Equinix DC Sydney and Global Switch DC Sydney, each with an AWS handoff port, co-lo space, Service Provider Networks and Internet]
• AZ's have physical site, power and comms diversity
• AZ connectivity is not made public, i.e. the green is not actual.
Page 5: Public Cloud Solutions
[Diagram: a typical Internet-facing web app. Route 53 DNS and CloudFront CDN in front of the Internet; an ELB in each of AZ1 and AZ2 fronting EC2 instances, with RDS DB and S3 behind them; a 192.168.1.0/24 office/home network reaches the app through an Internet router performing NAT]
• Typical Internet facing web app
• Internet – well connected, high speed
• Low establishment cost
• Network performance non guaranteed
• Public Internet
• Globally scalable via CloudFront
Page 6: Virtual Private Cloud (VPC) Solutions
[Diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, each with a Public Subnet and a Private Subnet; Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; subnet labels as shown on the slide 10.1.1.0/16, 10.1.2.0/16, 10.1.3.0/16 and a default route 0.0.0.0/0; an IGW to the Internet, and a VGW reached from the Corporate Office over Direct Connect or Hardware VPN (IPSec over the Internet)]
• Your own private, isolated section of the AWS cloud
• Corporate DC extension into AWS
• Grouping of EC2 instances and other services within a private IP address range, i.e. 10.1.0.0/16
• Subnets are local per AZ (layer 3 DC-DC design)
• Failover is via SLB or DNS – no VMotion-like failover
• Complete control over networking & security
Some services don't appear inside a VPC yet (S3*, DynamoDB, SQS, SNS, SWF, Glacier). VPC Endpoints WIP – S3 just released.
Page 7: VPC Components
[Diagram: the same VPC topology as page 6 (VPC CIDR 10.1.0.0/16, Availability Zones A and B with Public and Private Subnets, Instances A–D), with a CGW at each Corporate Office, Direct Connect and Hardware VPN (IPSec over the Internet) terminating on the VGW, and an IGW to the Internet]
• IGW - Internet Gateway
• VGW - Virtual Private Gateway
• CGW – Customer Gateway
• Subnets
• Route tables
• Direct Connect
• Hardware VPN
• Security Groups & ACLs

Example route table from the slide:
Destination     Target
10.1.0.0/16     local
0.0.0.0/0       igw-b409
10.99.1.0/24    vgw-724f
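Added example, not from the deck: a small Python model of how the route table above is consulted (longest-prefix match) and of two checks a reviewer would run on such a table. The CIDRs and targets are the slide's; the function names and the extra "more specific than the VPC CIDR" check are my own assumptions, not an AWS API.

```python
import ipaddress

# Route table from the slide (destination CIDR -> target); VPC CIDR 10.1.0.0/16.
VPC_CIDR = "10.1.0.0/16"
SLIDE_ROUTE_TABLE = {
    "10.1.0.0/16": "local",
    "0.0.0.0/0": "igw-b409",
    "10.99.1.0/24": "vgw-724f",
}


def lookup(route_table, ip):
    """Target for ip by longest-prefix match: this is why 10.99.1.x goes to
    the VGW and 10.1.x.x stays local even though 0.0.0.0/0 also matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """The slide's public/private split: a subnet is public when its default
    route points at an IGW. A private-tier subnet (e.g. the DB instances)
    should not be associated with a table like this."""
    return route_table.get("0.0.0.0/0", "").startswith("igw-")


def routes_inside_vpc_cidr(route_table, vpc_cidr=VPC_CIDR):
    """Constructed review check: routes more specific than the VPC CIDR with
    a non-local target would pull intra-VPC traffic out through a gateway;
    list them so a table review can flag them."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [cidr for cidr, target in route_table.items()
            if target != "local" and ipaddress.ip_network(cidr).subnet_of(vpc)]
```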
Page 9: Hardware VPN – IPSec via Internet
• Provides an extension of the onsite corporate network
• Can use your existing private IP addressing, 10.x etc
• IPSec tunnel to secure traffic over the Internet (128-bit AES)
• Static or dynamic routing (BGP)
• 2x termination points per region. Default is a tunnel to each
• Hub and spoke topology
• Reduced MTU
• Makes use of the VGW
• Cost of connection hours + metered data out (Internet rates)
• Try and turn off if no longer needed
Page 10: Hardware VPN – IPSec via Internet
• Console builds config
• CGW's: Cisco, Juniper or Windows Server
• Internet links: xDSL, EoC, Fibre
• 2x tunnels to each edge site (for VGW redundancy)
Page 11: AWS Direct Connect - Features
• High speed, dedicated, private pipe into AWS (VPC)
• Consistent network performance compared to Internet
• Metered outbound traffic (~1/3 cost of Internet)
• 1 or more network connection points per region (Syd x2)
• Supports redundancy (BGP routing)
• Allows QoS
• End to end support by single network provider
Page 12: AWS Direct Connect - Benefits
• Reduced network transfer costs (out of AWS)
• Improved & consistent application performance
• Flexible – initial seed data typically very large
• Less downtime - end to end support
• Security and compliance
• Enabler for the Hybrid Cloud Architecture
Page 13: AWS Direct Connect - Anatomy
[Diagram, left to right: Customer Datacenter (Customer Subnet 192.168.0.0/16, AS 65442) → Service Provider Network (MPLS L3 IP VPN or VPLS) → Colocation Facility, e.g. Equinix SV1; here a co-location rack within the same DC as the AWS Direct Connect POP, i.e. Equinix Sydney, holding the customer or partner device (CGW) → Cross Connect → AWS Direct Connect Point of Presence → Private Virtual Interface (dot1q VLAN 666) → VGW → VPC CIDR 10.1.0.0/16, AS 7224, with Availability Zones A and B, Public and Private Subnets, and Instances A–D (10.1.1.11, 10.1.2.22, 10.1.3.33, 10.1.4.44, each /24)]
• BGP over a /30 routed subnet (169.254.247.16/30, addresses .17 and .18) carried as a VLAN on the dot1q trunk
• BGP via managed Service Provider Network
Page 14: Customer AWS Console View
[Screenshot: BGP learnt routes from Customer remote sites]
Page 16: BGP
• Border Gateway Protocol
• Needed to implement network redundancy
• Standards based protocol used to connect the global Internet
• Exchanges routes ('prefixes') between 'neighbours'
• Uses AS numbers, i.e. AS65001
• AS_PATH – measure of network distance
• Local Preference – means to override AS_PATH locally
• Used by AWS to connect to customers and advertise routes.
  – Direct Connect (mandatory)
  – IPSec VPN (optional)
• Bi-Directional Forwarding Detection (BFD) – speeds up failover to as low as 150 ms. Standard BGP can be 180 sec.
Page 17: The Customer Gateway (CGW)
Page 19: Redundancy – IPSec Backup x2
[Diagram: the Direct Connect anatomy of page 13 (Customer Subnet 192.168.0.0/16, AS 65001 → Service Provider Network → AWS Direct Connect Point of Presence / Customer Gateway → Private VIF → VGW → VPC CIDR 10.1.0.0/16, AS 7224, Instances A–D across Availability Zones A and B), plus 2x IPSec tunnels from the customer site over the Service Provider Network / Internet, each running BGP over a /30 routed subnet]
• HSRP & iBGP between onsite routers for failover
• Different IPSec termination endpoints (AZ?) for each tunnel. VGW redundancy.
• VPC routing: selects shortest AS path (Direct Connect). Advertise with AS7224 out over all links.
• Customer site routing: prefer Service Provider MPLS (set local-pref). Advertise with AS65001 over Direct Connect and AS65001 AS65001 AS65001 (AS path prepending) over IPSec.
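Added example, not from the deck: the two selection rules this slide relies on (highest local-pref first, then shortest AS_PATH), modelled in Python on the slide's topology so the failover can be traced in both directions. The AS numbers and the prepending are the slide's; the path records, interface names and function names are constructed assumptions.

```python
def best_path(paths):
    """Choose a path the way the slide describes: highest LOCAL_PREF wins,
    then the shortest AS_PATH. Returns the winning path dict, or None."""
    if not paths:
        return None
    return max(paths, key=lambda p: (p["local_pref"], -len(p["as_path"])))


def aws_side_paths(direct_connect_up=True):
    """Constructed: routes for 192.168.0.0/16 as the VGW (AS 7224) sees them.
    The customer sends a plain AS_PATH over Direct Connect and prepends
    AS65001 three times over the IPSec tunnels, so with equal local-pref
    AWS picks Direct Connect while it is up and IPSec only when it is gone."""
    paths = [
        {"via": "ipsec-tunnel-1", "as_path": [65001, 65001, 65001], "local_pref": 100},
        {"via": "ipsec-tunnel-2", "as_path": [65001, 65001, 65001], "local_pref": 100},
    ]
    if direct_connect_up:
        paths.insert(0, {"via": "direct-connect", "as_path": [65001], "local_pref": 100})
    return paths


def customer_side_paths(direct_connect_up=True):
    """Constructed: routes for 10.1.0.0/16 as the onsite routers (AS 65001)
    see them. AWS advertises AS7224 on every link, so AS_PATH cannot break
    the tie; the customer sets a higher local-pref on the MPLS/Direct Connect
    path, which keeps both directions on the same link (no asymmetry)."""
    paths = [
        {"via": "ipsec-tunnel-1", "as_path": [7224], "local_pref": 100},
        {"via": "ipsec-tunnel-2", "as_path": [7224], "local_pref": 100},
    ]
    if direct_connect_up:
        paths.insert(0, {"via": "direct-connect", "as_path": [7224], "local_pref": 200})
    return paths
```

With Direct Connect up both sides choose it; removing it (the slide's outage case) leaves the IPSec tunnels as the only candidates, and either side then picks one without any configuration change.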
Page 20: Design 1 – Key Head Office site
[Diagram: Brisbane Head Office and Brisbane Co-lo sit on the VPN Solutions MPLS Private IP Network, which also reaches Gold Coast, Sydney, Melbourne and Adelaide. Primary path: Direct Connect from the Network Interconnect POP at Equinix Sydney (VPN Solutions supported). Backup: 2x IPSec VPN over the Internet (AWS supported). BGP routing over both paths; the VGW fronts VPC subnets with instances in Availability Zone 1 (ap-southeast-2a) and Availability Zone 2 (ap-southeast-2b). Labels: Primary, Backup, outage]
Design2– HighBranchDependency
GoldCoast
VPNSolutionsMPLS
PrivateIPNetwork
BrisbaneHeadOffice
2xIPSec VPN(Backuppaths)
DirectConnect
AWSSupported
BGProuting
Internet
Availability Zone1ap-southeast-2a
Instances
Availability Zone2ap-southeast-2b
VPCsubnet
VPCsubnet
SydneyMelbourne Adelaide
NetworkInterconnectPOPEquinix Sydney
VPNSolutionsSupported
Instances
BrisbaneCo-lo
Primary
Backup
VGWoutage
Page 22: Design 3 – Standby/DR Office
[Diagram: same sites and paths as Design 1, with a Brisbane Standby Office added on the VPN Solutions MPLS Private IP Network (Direct Connect via the Network Interconnect POP at Equinix Sydney as primary, 2x IPSec VPN over the Internet as backup, BGP routing, VGW to VPC subnets in ap-southeast-2a and ap-southeast-2b). Labels: Primary, Backup, two outages marked]
Page 23: Questions or follow-up?
Kent Plummer – local Gold Coast'er. Find me on LinkedIn.
0424 177 377 · vpnsolutions.com.au
Credit to Matt Lehwess (AWS) for use of some of his slides from re:Invent