AWS Direct Connect 및 VPN을 이용한 클라우드 아키텍쳐 설계:: Steve Seymour :: AWS Summit Seoul 2016

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Steve Seymour
Specialist SolutionsArchitect
May 2016
AWS Direct Connect and VPN
Cloud Architecture Design
@sseymour

VPN vs. Direct Connect
• Both allow secure connections between your
network and your VPC
• VPN is a pair of IPSec tunnels over the
Internet
• Direct Connect is a dedicated line with lower
per-GB data transfer rates
• For highest availability: Use both

Foundations: Amazon VPC
Your own private, isolated section of the AWS cloud

VPC CIDR 10.1.0.0/16
Availability Zone A Availability Zone B
Public Subnet Public Subnet
Private Subnet Private Subnet
Instance A
10.1.1.11 /24
Instance B
10.1.2.22 /24
Instance C
10.1.3.33 /24
Instance D
10.1.4.44 /24
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Only 1 IGW and 1 VGW per VPC

Foundations: Other Services
Lets add some AWS services outside of VPC

AWS Region - eg: US-WEST1
Our VPC from Earlier
AWS Region
AWS Region Level Services (plus many more)
AWS VPC Internal Services (e.g. Amazon EMR,
Elastic Load Balancing, Amazon RDS)
IGW, gateway between AWS region level
services and internal VPC services
Instance A
10.1.1.11 /24
Availability Zone A Availability Zone B
Public Subnet Public Subnet
Private Subnet Private Subnet
Instance B
10.1.2.22 /24
Instance C
10.1.3.33 /24
Instance D
10.1.4.44 /24
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Amazon SNS
Amazon SQS
Amazon SWF
Amazon SES
Amazon S3
Amazon Glacier
Amazon DynamoDB
AWS Lambda
AP-NORTHEAST-2

The Toolbox
Virtual Private Cloud
(VPC)
Route Tables
Internet Gateway
(IGW)
Virtual Private Gateway
(VGW)
VPN Connection
(VPN)
Customer Gateway
(CGW)
AWS Direct Connect
(DX)

Internet Protocol Security (IPsec) is a protocol suite for securing Internet
Protocol (IP) communications by authenticating and encrypting each IP packet
of a communication session.
IPsec includes protocols for establishing mutual authentication between agents
at the beginning of the session and negotiation of cryptographic keys to be used
during the session.
Reference: Wikipedia - http://en.wikipedia.org/wiki/IPsec
VPN Connection – IPsec

AWS VPN Features
• Static or Dynamic (BGP)
• Static requires routes (IP Prefixes) to be specified
• Dynamic VPN supports max-prefixes of 100

AWS VPN Requirements
• Connections initiated from the Customer Gateway
• IKE Security Association using a Pre-Shared Key
• IPSec Security Associations in Tunnel Mode
• AES 128 or 256-bit encryption, SHA-1 or SHA-256 hashing
• Diffie-Hellman Perfect Forward Secrecy –
Phase 1 groups: 2, 14-18, 22, 23, and 24
Phase 2 groups: 1, 2, 5, 14-18, 22, 23, and 24
• Dead Peer Detection
• Fragment IP Packets before encryption
• Optional Support for NAT Traversal (NAT-T)

Static VPN
CORP
• 1 unique Security Association (SA) pair per tunnel
• 1 inbound and 1 outbound
• 2 unique pairs for 2 tunnels – 4 SA’s
10.0.0.0 /16
10.0.0.0 /16
192.168.0.0 /16
192.168.0.0 /16
10.0.0.0 /16

Static VPN
CORP
• Consolidate ACL’s to cover all IP’s
• Filter to block unwanted traffic
0.0.0.0/0 (any)
0.0.0.0/0 (any)
172.16.0.0 /12
192.168.1.0 /24
192.168.9.0 /24
192.168.1.0 /24
192.168.9.0 /24
172.16.0.0 /12
10.0.0.0 /16

Static VPN
CORP
• Consolidate ACL’s to cover all IP’s
• Filter to block unwanted traffic
0.0.0.0 /0
(any)
0.0.0.0 /0
(any)
10.0.0.0 /16
0.0.0.0/0 (any)
0.0.0.0/0 (any)

What is BGP ?
• TCP based protocol on port 179
• BGP Neighbors exchange routing information - prefixes
• More specific prefixes are preferred
• Uses Autonomous System Numbers – AS Numbers
• iBGP – between peers in the same AS
• eBGP – between peers in different AS
• AS_PATH – measure of network “distance”
• Local Preference – weighting of identical prefixes

Dynamic VPN
CORP
Tunnel 1
IP 169.254.169.1 /30
BGP AS 7224
Route Table
Destination Target
10.0.0.0/16 Local
172.16.0.0/16 VGW
Tunnel 2
IP 169.254.169.5 /30
BGP AS 7224
10.0.0.0 /16
Tunnel 1
IP 169.254.169.2 /30
BGP AS 65001
Tunnel 2
IP 169.254.169.6 /30
BGP AS 65001
172.16.0.0 /16

Dynamic VPN
CORP
Tunnel 1
IP 169.254.169.1 /30
BGP AS 17493
Tunnel 2
IP 169.254.169.5 /30
BGP AS 17493
10.0.0.0 /16
Tunnel 1
IP 169.254.169.2 /30
BGP AS 65001
Tunnel 2
IP 169.254.169.6 /30
BGP AS 65001
172.16.0.0 /16
• BGP Peer IP Addresses are automatically generated
• Customer AS Number – owned or private ASN
• Amazon AS Number is fixed per region

Path Selection – inside the VGW
1. Most specific IP prefix
192.168.10.0/24 over 192.168.0.0/16
2. Direct Connect (irrelevant of AS PATH length)
3. Static VPN Connection
4. Dynamic (BGP) VPN Connection
4. Shortest AS PATH
65001 i over 65001 65001 i

Resilient Dynamic VPN
CORP
iBGP
OSPF
eBGP

Resilient Dynamic VPN – Multiple VPC’s
CORP

What is AWS Direct Connect…
Dedicated, private pipes into AWS
Create private (VPC) or public virtual interfaces to AWS
Reduced data-out rates (data-in still free))
Consistent network performance
At least 1 location to each AWS region
Option for redundant connections
Multiple AWS accounts can share a connection
Inter-Region enables connectivity to multiple regions in US
Uses BGP to exchange routing information over a VLAN

Direct Connect - Locations
Asia Pacific (Seoul)
KINX, Seoul, Korea
Asia Pacific (Singapore)
Equinix SG2, Singapore
GlobalSwitch, Singapore
GPX, Mumbai, India
Asia Pacific (Sydney)
Equinix SY3, Sydney, Australia
Global Switch, Sydney, Australia
Asia Pacific (Tokyo)
Equinix OS1, Osaka, Japan
Equinix TY2, Tokyo, Japan
AWS GovCloud (US)
Equinix SV1 & SV5, San Francisco, CA
China (Beijing)
CIDS Jiachuang IDC, Beijing, China
Sinnet Jiuxianqiao IDC, Beijing, China
EU Central (Frankfurt)
Equinix FR5, Frankfurt, Germany
Interxion Frankfurt, Germany
EU West (Ireland)
Equinix LD4 - LD6, London, England
Eircom Clonshaugh, Dublin,Ireland
TelecityGroup, London Docklands',London, England
South America (Sao Paulo)
Terremark NAP do Brasil, Sao Paulo, Brasil
Tivit, Sao Paulo, Brasil
US East (Virginia)
CoreSite NY1 & NY2, New York, NY
Equinix DA1 - DA3 & DA6, Dallas, TX
Equinix DC1 - DC6 & DC10, Ashburn, VA
US West (Northern California)
CoreSite One Wilshire & 900 North Alameda, CA
Equinix SV1 & SV5, San Francisco, CA
US West (Oregon)
EdgeConneX Portland, OR
Equinix SE2 & SE3, Seattle, WA
Switch SUPERNAP 8, Las Vegas, NV

Terminology For Physical Connections
Leased Line
Ethernet Private Line
Pseudo-wire
Point-to-point circuit
LAN Extension
MPLS / VPLS / IP-VPN / L3-VPN

Physical Connection
• Cross Connect at the location
• Single Mode Fiber
- 1000Base-LX or 10GBASE-LR
• Potential onward Delivery via Direct Connect Partner
• Customer Router

At the Direct Connect Location
CORP
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
Customer
Network
`
AWS Backbone
Network
Cross
Connect
Customer
Router
Access
Circuit
Customers Network
Backbone
Access
Circuit
Demarcation

Dedicated Port via Direct Connect Partner
CORP
AWS Direct
Connect
Routers
Colocation
DX Location
Partner Network
AWS Backbone
Network
Cross
Connect
Customer
Router
Partner
Network
Access
Circuit
Demarcation
Partner
Equipment

Layers of Direct Connect
Single Mode Fiber – 1G or 10GLayer 1 - Physical
Ethernet – 802.1Q VLANLayer 2 – Data Link
Peer & Amazon IPLayer 3 - Network
TCPLayer 4 - Transport
BGPLayer 7 - Application
“Routing of traffic”

Layers of Direct Connect
Direct Connect Connection
Ethernet – 802.1Q VLAN
Peer & Amazon IP
Virtual Interface
(One per VLAN)
BGP
A/C 1
Single Mode Fiber – 1G or 10G

Public and Private Virtual Interfaces
• 802.1Q VLAN
• eBGP Session
Note: Max Prefixes on the AWS peer : 100
• Private Virtual Interface – Access to VPC
Note: Not VPC Endpoints or transitive via VPC Peering
• Public Virtual Interface – Access to non-VPC Services

Account ownership of Direct Connect
Direct Connect Connection
Peer & Amazon IP
Hosted Virtual Interface
(One per VLAN)
BGP
A/C 1
A/C 2

Sub-1G via Direct Connect Partner
Direct Connect Interconnect
Hosted Connection
Virtual Interface
(Single)
BGP
PartnerCustomer
Bandwidth VLAN
Peer & Amazon IP’s
50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps and 500Mbps

Sharing Hosted Connections
Direct Connect Interconnect
Hosted Connection
Hosted Virtual Interface
(Single)
BGP
PartnerCustomerA/C2
Bandwidth VLAN
Peer & Amazon IP’s
A/C 1

Private Virtual Interface
• Only provides access to resources in a VPC
Note: Not VPC Endpoints or transitive via VPC Peering
• Attaches to the Virtual Private Gateway
Same as a VPN Connection
• Multiple Private VIF’s can be attached for resilience
• Any IP Addresses and ASN for BGP Peering acceptable

Single Private Virtual Interface
CORP
Route Table
Destination Target Propagated
10.0.0.0/16 Local
172.16.0.0/16 VGW Yes
10.0.0.0 /16 172.16.0.0 /16
dxvif-wwxxyyzz
VLAN 100
IP 169.254.254.9 /30
BGP AS 7224
MD5 Key
Interface gi0/0.100
VLAN 100
IP 169.254.254.10 /30
BGP AS 65001
MD5 Key
eBGP
AS65001 Announcing
172.16.0.0 /16
AS7224 Announcing
10.0.0.0 /16

Adding Redundancy
“Everything fails, all the time.” – Werner Vogels

Dual DX – Single Location
CORP
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
Service Provider
Network
`

eBGP
eBGP
Dual Private Virtual Interface
CORP
10.0.0.0 /16 172.16.0.0 /16
dxvif-wwxxyyzz
VLAN 100
IP 169.254.254.9 /30
BGP AS 7224
MD5 Key
Interface gi0/0.100
VLAN 100
IP 169.254.254.10 /30
BGP AS 65001
MD5 Key
dxvif-aabbccdd
VLAN 100
IP 169.254.254.13 /30
BGP AS 7224
MD5 Key
Interface gi0/0.100
VLAN 100
IP 169.254.254.14 /30
BGP AS 65001
MD5 Key

Dual DX – Single Location revisited
CORP
AWS Direct
Connect
Routers
Customer
Router
Colocation
DX Location
Service Provider
Network
`

Dual DX – Single Location revisited
CORP
AWS Direct
Connect
Routers
Customer
Routers
Colocation
DX Location
`
Service Provider
Network
`

Single DX – Dual Location
CORP
Customer
Routers
Colocation
DX Location 1
`
Customer
Routers
Colocation
DX Location 2
`
Service Provider
Network
AWS Direct
Connect Routers
AWS Direct
Connect Routers

Dual DX – Dual Location
CORP
AWS Direct
Connect Routers
Customer
Routers
Colocation
DX Location 1
`
`
AWS Direct
Connect Routers
Customer
Routers
Colocation
DX Location 2
`
`
Service Provider
Network

Dual VIF – Active/Active
IP 169.254.254.9 /30
IP 169.254.254.13 /30

Active/Active – the VGW Perspective
IP 169.254.254.10 /30
IP 169.254.254.14 /30

Dual VIF – Active/Passive
IP 169.254.254.9 /30
IP 169.254.254.13 /30

Active/Passive – the VGW Perspective
IP 169.254.254.10 /30
IP 169.254.254.14 /30

Public Virtual Interface
• Provides access to Amazon Public IP Addresses
• Requires Public IP Addresses for BGP Session
If you can’t provide them, raise a case with AWS Support
• Public ASN must be owned by customer – Private is OK
• Inter-Region is available in the US

CORP
172.16.0.0 /16
dxvif-wwxxyyzz
VLAN 200
IP 54.239.244.57 /31
BGP AS 7224
MD5 Key
Interface gi0/0.200
VLAN 200
IP 54.239.244.56 /31
BGP AS 65001
MD5 Key
AS65001 Announcing
54.239.244.56 /31
AS7224 Announcing
184.72.96.0/19 via 7224 16509 14618 i
184.72.128.0/17 via 7224 16509 14618 i
184.73.0.0 via 7224 16509 14618 i
184.169.128.0/17 via 7224 16509 i
199.127.232.0/22 via 7224 16509 i
199.255.192.0/22 via 7224 16509 I
…...
…..

IP 54.239.244.57 /31
BGP AS 7224

How to order AWS Direct Connect
1. Select Your Region
2. Create a Connection
3. Receive LOA-CFA
4. Cross Connect
5. Create Virtual Interface
6. Configure Customer Router

How to order sub-1G via an APN Partner
1. Provide your Direct Connect Partner with Account Number
2. Accept Hosted Connection
3. Create Virtual Interface
4. Configure Customer Router

Direct Connect with VPN Backup
CORP
DX Location 1
DX Location 2

Hardware VPN over DX Public VIF
CORP
172.16.0.0 /16
dxvif-wwxxyyzz
VLAN 200
IP 54.239.244.57 /31
BGP AS 7224
MD5 Key
Interface gi0/0.200
VLAN 200
IP 54.239.244.56 /31
BGP AS 65001
MD5 Key
Tunnel 1
IP 169.254.169.1 /30
BGP AS 17493
Tunnel 2
IP 169.254.169.5 /30
BGP AS 17493
Tunnel 1
IP 169.254.169.2 /30
BGP AS 65001
Tunnel 2
IP 169.254.169.6 /30
BGP AS 65001

Billing
• VPN Connections
Connection Hours
Data Transfer (Internet rates)
• Direct Connect
Port Hours
Reduced Data Transfer Rates
No charge for resources owned by other accounts
VPN Data Transfer over Direct Connect at reduced rate

Things to remember
All Direct Connect locations are at 3rd party data centers
You will have to work with at least one other organization
• Could be just the Data Center
• Could be a Network Provider / Direct Connect Partner
• Could be multiple Network Providers AND the Data Center
Sub-1G Hosted Connections support a single VIF
You can share VIF’s with other accounts
Public VIF’s include the Hardware VPN Endpoints

Demo Architecture
192.168.51.0 /24
192.168.51.10
Gi0/1: 192.168.51.254
Gi0/0
Internet
Gi0/0/0
DX 1
DX Location
(Telecity London)
eu-west-1 (Ireland)
10.0.0.0 /16
DemoInst
10.0.0.50

여러분의 피드백을 기다립니다!
https://www.awssummit.co.kr
모바일 페이지에 접속하셔서, 지금 세션 평가에
참여하시면, 행사후 기념품을 드립니다.
#AWSSummit 해시태그로 소셜 미디어에 여러분의
행사 소감을 올려주세요.
발표 자료 및 녹화 동영상은 AWS Korea 공식 소셜
채널로 곧 공유될 예정입니다.

Thank you!
@sseymour
Steve Seymour
Specialist Solutions Architect

AWS Direct Connect 및 VPN을 이용한 클라우드 아키텍쳐 설계:: Steve Seymour :: AWS Summit Seoul 2016

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a AWS Direct Connect 및 VPN을 이용한 클라우드 아키텍쳐 설계:: Steve Seymour :: AWS Summit Seoul 2016

Semelhante a AWS Direct Connect 및 VPN을 이용한 클라우드 아키텍쳐 설계:: Steve Seymour :: AWS Summit Seoul 2016 (20)

Mais de Amazon Web Services Korea

Mais de Amazon Web Services Korea (20)

Último

Último (20)

AWS Direct Connect 및 VPN을 이용한 클라우드 아키텍쳐 설계:: Steve Seymour :: AWS Summit Seoul 2016