(NET303) Optimizing Your Cloud Architecture With Network Strategy

Amazon Web Services
Oct 7, 2015

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Brian Hoekelman, Level 3 Communications VP – Cloud Ecosystem Development October 2015 NET303 Network Slowing You Down? Optimizing Your Cloud Architecture by Looking at Network Strategy
  2. What to Expect from the Session Who is Level 3 Communications? Trends Transforming IT Best Practices when Connecting to the Cloud • High Performance Connectivity • SDN Implementations for the Cloud • Hybrid Environments • Compliance and Security
  3. Who is Level 3 Communications? OUR COMPANY OUR CUSTOMERS
  4. Trends transforming IT Cloud Security UC&C Globalization Big Data Software-Defined Networks
  5. Your organization has decided to move applications, workloads, and data to the cloud… You need a strong network strategy to build a successful cloud architecture
  6. High performance connectivity HYBRID ENVIRONMENTS PUBLIC PRIVATE In 2015, 82% of enterprises have a hybrid IT strategy, up from 74% in 2014* *Rightscale, 2015 State of the Cloud Report
  7. AWS Direct Connect - high performance connectivity • A trusted path for enterprises to migrate and optimize applications in the cloud • Seamless, private connectivity for private, public, and hybrid IT environments • The scalability, efficiency, and flexibility of the public cloud without compromising performance, productivity, or revenue Level 3 Cloud Connect AWS Direct Connect
  8. Real-time data feeds Level 3 Cloud Connect Solutions AWS Direct Connect AWS CHALLENGE Video, voice, and collaboration applications require low latency and consistent network performance. SOLUTION Enable direct user access from customer premises directly to AWS. Single hop routing removes variable latencies, packet loss, and the unpredictability of the Internet. Enterprise Users
  9. Reference architecture Enterprise Data Center AWS Direct Connect Level 3 Global Network WAN routing to AWS Customer CE Router Customer CE Router Customer CE Router Customer CE Router Level 3 PE Router CSP PE Router Customer HQ Branch Branch Global WAN Level 3 NNI Common Use Cases: • Amazon CloudFront Video Streaming • Amazon WorkSpaces • Intranet Hosting (MS SharePoint) VDI Workspaces Amazon CloudFront Streaming Virtual Private Gateway Single hop BGP peers Sustainable IP address and subnets
  10. SDN implementations for the cloud Up to 300% scalability in bandwidth over private connections to AWS
  11. Dynamic capacity implementations AD HOC CHANGES Adjust desired bandwidth and instantly see the costs per meg per hour UTILIZATION BASED Automatically trigger a bandwidth increase based on your utilization thresholds SCHEDULED One time, daily, weekly Set start and end times Weekly back-ups
  12. Variable workloads – Brock White case study Level 3 Cloud Connect Solutions AWS Direct Connect AWS Enterprise IT Environment CHALLENGE Back-ups can time out with large data sets that require multiple hours to execute SOLUTION – Scheduled Bandwidth The Dynamic Capacity capabilities allow the firm to immediately double or triple its network capacity when network traffic increases for weekly back-ups. “The automatic threshold capability made Dynamic Capacity twice as useful for us. You tell it what you need and it automatically does it for you. The important point is that with flexible bandwidth my time is freed up to work on other business solutions and not infrastructure. I don’t have to worry about my network, or even think about its performance.”
  13. Variable workloads, need flexible bandwidth options Key Benefits • VLAN mapping over Ethernet provides simplicity • eLynk Interface: physically connected to the CSP/DCO- 1G or 10G port terminates multiple EVCs • Quality of Service (QoS) Aware • Dynamic Capacity to increase bandwidth 3x Level 3 Layer 2 PE Enterprise Data Center 1G Ethernet Access Native or 802.1Q Level 3 Global Network VLAN per Customer EVC 200Mbps Customer EVC Level 3 Ethernet AWS Direct Connect Reference architecture Common Use Cases • Elastic Cloud Bursting • Big Data Analysis • BCDR & Storage Flex bandwidth up to 300% 2X 3X Level 3 Layer 2 PE CSP - Layer 2 PE Customer CE Layer 3 Router Legend: CE – Customer Edge Router PE – Provider Edge Router EVC – Ethernet Virtual Circuit Pre-established NNI with 1:1 relationship of EVC to VPC - or- Dedicated cross connect VLAN Transparency for VPC Scalability
  14. Hybrid solutions CHALLENGE • PCI or security concerns when dealing with customers’ personal information • Scalability of the web services tier was needed during peak periods SOLUTION • Distribute access into the cloud and partition security measures across the infrastructure • Maintain sensitive data in governance-compliant environments Level 3 Cloud Connect Solutions AWS Direct Connect Public Internet Consumers Company Data Center AWS
  15. Reference architecture Level 3- Layer 2 PE Enterprise Data Center 1G Ethernet Access Native or 802.1Q Level 3 Global Network VLAN per Customer EVC 200Mbps Customer EVC Level 3 Ethernet AWS Direct Connect Customers Branch Offices CSP - Layer 2 PE Public Internet • Secure and Private MPLS network • Quality of Service (QoS) Aware • Each customer presented to CSP as separate VLAN interface • Dynamic Capacity to increase bandwidth 3x Common Use Cases • Elastic Cloud Bursting • Big Data Analysis & Storage • eCommerce Workloads • New Product Launches Customer CE Layer 3 Router NID device Ethernet Access Visibility Level 3 – Layer 2 PE Legend: CE – Customer Edge Router PE – Provider Edge Router EVC – Ethernet Virtual Circuit Hybrid environments, leveraging private and public connectivity Key Benefits • Multi-tier security strategy across AWS & private infrastructure • VLAN segmentation to logically separate compliance sensitive data flows • Compliant with existing data governance policies BGP neighbor relationship MD5 Password for session security Customer to CSP BGP
  16. Compliance and security AWS has 15+ security certifications and accreditations
  17. Level 3 Cloud Connect Solutions AWS Direct Connect AWS Enterprise IT Environment CHALLENGE • Making sure that my data is safe and secure when using the cloud SOLUTION • With private network connectivity, build hybrid environments where security and compliance are critical • Hybrid environments allow you to extend your private on-premises infrastructure with the elasticity and economic benefits of AWS • Encrypt your data and replicate your security policies in the cloud Replicate Security Policies Encrypted workloads
  18. HIPAA compliance bundle Secure and reliable, private network connectivity Modular multiservice cloud networking router Reference architecture designed to assist customers in highly regulated industries to securely migrate sensitive data workloads to and from AWS Agile, flexible virtual application delivery platforms Experts at architecting HIPAA-compliant technology solutions
  19. Reference architecture AWS Cloud Virtual Private Cloud (VPC) Corporate Data Center VPC Public Subnet VPC Private Subnets Virtual Private Gateway CSR 1000V Enterprise Subnets Cisco ISR/ASR AWS Direct Connect DMVPN High performance and security for hybrid workloads over AWS Direct Connect Cloud Connect Solutions
  20. HIPAA-compliant architectures 30% Jason McKay SVP/CTO Logicworks jmckay@logicworks.net Logicworks Booth #1324
  21. Design principles • Network isolation • Use internal ELBs for traffic between tiers • Hub-and-spoke model for shared services • Account-level isolation where prudent • Turn on and enforce AWS CloudTrail and AWS Config • Subnets/route tables/NACLs/SecGrps are cheap (free) • Only downside risk is complexity • Architecture Best Practices
  22. Architectural overview
  23. Encryption at rest: Amazon S3 and Amazon Elastic Block Store (Amazon EBS)

      ```json
      {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [{
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::YourBucket/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        }]
      }
      ```

      BEST PRACTICES:
      • Create encrypted Amazon EBS volumes to store the most sensitive data
      • Use Amazon S3 bucket policies to force use of server-side encryption
      • Use Puppet to configure applications to use encrypted storage for sensitive data
      • Force SSL ciphers and encryption standards across all web hosts
  24. Powered By: AWS East AWS West Amazon WorkSpaces AWS Direct Connect The Venetian Amazon EC2 Amazon S3 Try AWS Direct Connect in the Test Drive Lab!
  25. Thank you! Booth #1317
  26. Remember to complete your evaluations!
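
The bucket policy on slide 23 can be checked offline before it is attached to a bucket. The following is an added example, not code from the presentation: it evaluates that policy against constructed PutObject request contexts to show which uploads the Deny statement catches. The evaluator is a simplified model (only `StringEquals`/`StringNotEquals`, resource assumed to match), and the function and sample names are hypothetical.

```python
import json

# Bucket policy reproduced from slide 23 of the deck.
POLICY = json.loads("""
{"Version": "2012-10-17", "Id": "PutObjPolicy",
 "Statement": [{"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
   "Principal": "*", "Action": "s3:PutObject",
   "Resource": "arn:aws:s3:::YourBucket/*",
   "Condition": {"StringNotEquals":
     {"s3:x-amz-server-side-encryption": "AES256"}}}]}
""")
SSE_KEY = "s3:x-amz-server-side-encryption"

def as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """Simplified model: only StringEquals / StringNotEquals are handled."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = context.get(key)  # None when the header was not sent
            if operator == "StringEquals":
                matched = actual in as_list(expected)
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is absent.
                matched = actual not in as_list(expected)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not matched:
                return False
    return True

def is_denied(policy, action, context):
    """True if any Deny statement applies (resource assumed to match)."""
    return any(
        s["Effect"] == "Deny"
        and action in as_list(s["Action"])
        and condition_matches(s.get("Condition", {}), context)
        for s in policy["Statement"])

# Constructed request contexts, not captured traffic.
SAMPLES = {
    "sse-s3": ("s3:PutObject", {SSE_KEY: "AES256"}),
    "no-header": ("s3:PutObject", {}),
    "sse-kms": ("s3:PutObject", {SSE_KEY: "aws:kms"}),
    "download": ("s3:GetObject", {}),
}

def audit(policy=POLICY):
    return {name: is_denied(policy, a, c) for name, (a, c) in SAMPLES.items()}

if __name__ == "__main__":
    for name, denied in audit().items():
        print(f"{name:10s} {'DENY' if denied else 'not denied'}")
```

Uploads that request SSE-KMS are rejected by this statement as well, so a bucket that should accept KMS-encrypted objects needs a different condition.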