Cloud architecture design using AWS Direct Connect and VPN :: Steve Seymour :: AWS...


Upload: amazon-web-services-korea

Post on 12-Apr-2017


TRANSCRIPT

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Steve Seymour, Specialist Solutions Architect

May 2016

AWS Direct Connect and VPN: Cloud Architecture Design

@sseymour

VPN vs. Direct Connect

• Both allow secure connections between your network and your VPC

• VPN is a pair of IPSec tunnels over the Internet

• Direct Connect is a dedicated line with lower per-GB data transfer rates

• For highest availability: Use both

Foundations: Amazon VPC – Your own private, isolated section of the AWS cloud

Diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, each with a Public Subnet and a Private Subnet. Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; subnet labels 10.1.1.0/16, 10.1.2.0/16, 10.1.3.0/16.

Only 1 IGW and 1 VGW per VPC

Foundations: Other Services – Let's add some AWS services outside of VPC

Diagram: an AWS Region (e.g. US-WEST1; AP-NORTHEAST-2 also labelled) containing our VPC from earlier (Availability Zone A and B, Public and Private Subnets, Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24, subnet labels 10.1.1.0/16, 10.1.2.0/16, 10.1.3.0/16). AWS VPC-internal services (e.g. Amazon EMR, Elastic Load Balancing, Amazon RDS) sit inside the VPC; AWS Region-level services (Amazon SNS, Amazon SQS, Amazon SWF, Amazon SES, Amazon S3, Amazon Glacier, Amazon DynamoDB, AWS Lambda, plus many more) sit outside it. The IGW is the gateway between AWS region-level services and internal VPC services.

The Environment

Diagram: the CORP network and the AWS region.

The Toolbox

Virtual Private Cloud (VPC)

Route Tables

Internet Gateway (IGW)

Virtual Private Gateway (VGW)

VPN Connection (VPN)

Customer Gateway (CGW)

AWS Direct Connect (DX)

AWS Hardware VPN

VPN Connection – IPsec

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

Reference: Wikipedia - http://en.wikipedia.org/wiki/IPsec

AWS VPN Features

• Static or Dynamic (BGP)

• Static requires routes (IP Prefixes) to be specified

• Dynamic VPN supports max-prefixes of 100

AWS VPN Requirements

• Connections initiated from the Customer Gateway

• IKE Security Association using a Pre-Shared Key

• IPSec Security Associations in Tunnel Mode

• AES 128 or 256-bit encryption, SHA-1 or SHA-256 hashing

• Diffie-Hellman Perfect Forward Secrecy – Phase 1 groups: 2, 14-18, 22, 23, and 24; Phase 2 groups: 1, 2, 5, 14-18, 22, 23, and 24

• Dead Peer Detection

• Fragment IP Packets before encryption

• Optional Support for NAT Traversal (NAT-T)

Static VPN

Diagram: CORP network 192.168.0.0/16 connected to VPC 10.0.0.0/16 over two tunnels.

• 1 unique Security Association (SA) pair per tunnel

• 1 inbound and 1 outbound

• 2 unique pairs for 2 tunnels – 4 SAs

Static VPN

Diagram: CORP networks 172.16.0.0/12, 192.168.1.0/24 and 192.168.9.0/24 connected to VPC 10.0.0.0/16; the AWS side is labelled 0.0.0.0/0 (any).

• Consolidate ACLs to cover all IPs

• Filter to block unwanted traffic

Static VPN

Diagram: the same CORP and VPC 10.0.0.0/16, now with 0.0.0.0/0 (any) on both sides of the tunnels.

• Consolidate ACLs to cover all IPs

• Filter to block unwanted traffic

What is BGP ?

• TCP based protocol on port 179

• BGP Neighbors exchange routing information - prefixes

• More specific prefixes are preferred

• Uses Autonomous System Numbers – AS Numbers

• iBGP – between peers in the same AS

• eBGP – between peers in different AS

• AS_PATH – measure of network “distance”

• Local Preference – weighting of identical prefixes

Dynamic VPN

Diagram: CORP network 172.16.0.0/16 connected to VPC 10.0.0.0/16 over two tunnels.

AWS side: Tunnel 1 IP 169.254.169.1/30, BGP AS 7224; Tunnel 2 IP 169.254.169.5/30, BGP AS 7224

Customer side: Tunnel 1 IP 169.254.169.2/30, BGP AS 65001; Tunnel 2 IP 169.254.169.6/30, BGP AS 65001

VPC Route Table (Destination / Target):
10.0.0.0/16 Local
172.16.0.0/16 VGW

Dynamic VPN

Diagram: CORP network 172.16.0.0/16 connected to VPC 10.0.0.0/16 over two tunnels.

AWS side: Tunnel 1 IP 169.254.169.1/30, BGP AS 17493; Tunnel 2 IP 169.254.169.5/30, BGP AS 17493

Customer side: Tunnel 1 IP 169.254.169.2/30, BGP AS 65001; Tunnel 2 IP 169.254.169.6/30, BGP AS 65001

• BGP Peer IP Addresses are automatically generated

• Customer AS Number – owned or private ASN

• Amazon AS Number is fixed per region

Path Selection – inside the VGW

1. Most specific IP prefix (192.168.10.0/24 over 192.168.0.0/16)

2. Direct Connect (irrespective of AS PATH length)

3. Static VPN Connection

4. Dynamic (BGP) VPN Connection

5. Shortest AS PATH (65001 i over 65001 65001 i)
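The selection order above, modelled in Python as an added example (not from the slides): select_path applies the slide's tie-breaks in order, and the constructed routing table includes a tunnel whose AS_PATH is prepended (65001 65001 i), the mechanism the later Dual VIF Active/Passive slides rely on. The Route class, CONNECTION_RANK and the sample addresses are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Lower rank wins. Direct Connect beats any VPN regardless of AS_PATH length,
# and a static VPN route beats a BGP-learned VPN route.
CONNECTION_RANK = {"direct_connect": 0, "static_vpn": 1, "dynamic_vpn": 2}


@dataclass(frozen=True)
class Route:
    """One candidate route as seen by the VGW (hypothetical model)."""
    prefix: str                    # e.g. "192.168.10.0/24"
    connection: str                # key of CONNECTION_RANK
    as_path: Tuple[int, ...] = ()  # BGP AS_PATH; empty for static routes


def rank(route: Route) -> Tuple[int, int, int]:
    """Sort key in the slide's order: prefix length, connection type, AS_PATH."""
    return (
        -ip_network(route.prefix).prefixlen,   # 1. most specific prefix first
        CONNECTION_RANK[route.connection],     # 2. DX, 3. static VPN, 4. BGP VPN
        len(route.as_path),                    # 5. shortest AS_PATH
    )


def select_path(destination: str, routes: List[Route]) -> Route:
    """Return the route the VGW would use to reach one host address."""
    host = ip_address(destination)
    matches = [r for r in routes if host in ip_network(r.prefix)]
    if not matches:
        raise LookupError(f"no route to {destination}")
    return min(matches, key=rank)


# Constructed routing table: one DX VIF and BGP VPN tunnels. The second
# 172.16.0.0/16 tunnel prepends its own ASN (65001 65001 i) to stay passive.
ROUTES = [
    Route("192.168.0.0/16", "direct_connect", (65001,)),
    Route("192.168.10.0/24", "dynamic_vpn", (65001,)),
    Route("172.16.0.0/16", "dynamic_vpn", (65001,)),          # tunnel 1, active
    Route("172.16.0.0/16", "dynamic_vpn", (65001, 65001)),   # tunnel 2, passive
]

if __name__ == "__main__":
    for dest in ("192.168.10.7", "192.168.20.7", "172.16.5.5"):
        chosen = select_path(dest, ROUTES)
        print(dest, "->", chosen.prefix, chosen.connection, chosen.as_path)
```

Note that the /24 learned over the VPN wins over the /16 from Direct Connect: prefix length is checked before connection type.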

Resilient Dynamic VPN

Diagram: CORP routers running iBGP and OSPF internally, with eBGP sessions to the VGW over the tunnels.

Resilient Dynamic VPN – Multiple VPCs

Diagram: the same CORP network connected to several VPCs.

AWS Direct Connect

What is AWS Direct Connect…

Dedicated, private pipes into AWS

• Create private (VPC) or public virtual interfaces to AWS

• Reduced data-out rates (data-in still free)

• Consistent network performance

• At least 1 location to each AWS region

• Option for redundant connections

• Multiple AWS accounts can share a connection

• Inter-Region enables connectivity to multiple regions in US

• Uses BGP to exchange routing information over a VLAN

Direct Connect - Locations

Asia Pacific (Seoul): KINX, Seoul, Korea

Asia Pacific (Singapore): Equinix SG2, Singapore; Global Switch, Singapore; GPX, Mumbai, India

Asia Pacific (Sydney): Equinix SY3, Sydney, Australia; Global Switch, Sydney, Australia

Asia Pacific (Tokyo): Equinix OS1, Osaka, Japan; Equinix TY2, Tokyo, Japan

AWS GovCloud (US): Equinix SV1 & SV5, San Francisco, CA

China (Beijing): CIDS Jiachuang IDC, Beijing, China; Sinnet Jiuxianqiao IDC, Beijing, China

EU Central (Frankfurt): Equinix FR5, Frankfurt, Germany; Interxion Frankfurt, Germany

EU West (Ireland): Equinix LD4 - LD6, London, England; Eircom Clonshaugh, Dublin, Ireland; TelecityGroup, London Docklands, London, England

South America (Sao Paulo): Terremark NAP do Brasil, Sao Paulo, Brasil; Tivit, Sao Paulo, Brasil

US East (Virginia): CoreSite NY1 & NY2, New York, NY; Equinix DA1 - DA3 & DA6, Dallas, TX; Equinix DC1 - DC6 & DC10, Ashburn, VA

US West (Northern California): CoreSite One Wilshire & 900 North Alameda, CA; Equinix SV1 & SV5, San Francisco, CA

US West (Oregon): EdgeConneX Portland, OR; Equinix SE2 & SE3, Seattle, WA; Switch SUPERNAP 8, Las Vegas, NV

Terminology For Physical Connections

Leased Line; Ethernet Private Line; Pseudo-wire; Point-to-point circuit; LAN Extension; MPLS / VPLS / IP-VPN / L3-VPN

Physical Connection

• Cross Connect at the location

• Single Mode Fiber – 1000Base-LX or 10GBASE-LR

• Potential onward Delivery via Direct Connect Partner

• Customer Router

At the Direct Connect Location

Diagram: at the DX Location (a Colocation facility), AWS Direct Connect Routers on the AWS Backbone Network connect via a Cross Connect to a Customer Router; from the Demarcation point an Access Circuit runs over the Customer's Network Backbone to the CORP Customer Network.

Dedicated Port via Direct Connect Partner

Diagram: at the DX Location (Colocation), the Cross Connect from the AWS Direct Connect Routers (AWS Backbone Network) lands on Partner Equipment; the Partner Network then carries the traffic over an Access Circuit, past the Demarcation point, to the Customer Router at CORP.

Layers of Direct Connect

Layer 1 - Physical: Single Mode Fiber – 1G or 10G

Layer 2 - Data Link: Ethernet – 802.1Q VLAN

Layer 3 - Network: Peer & Amazon IP

Layer 4 - Transport: TCP

Layer 7 - Application: BGP (“Routing of traffic”)

Layers of Direct Connect

Diagram: a Direct Connect Connection (Single Mode Fiber – 1G or 10G) carries Ethernet – 802.1Q VLANs; each Virtual Interface (one per VLAN) has Peer & Amazon IPs and a BGP session to the Virtual Private Gateway (“Routing of traffic”), all within account A/C 1.

Public and Private Virtual Interfaces

• 802.1Q VLAN

• eBGP Session – Note: Max Prefixes on the AWS peer: 100

• Private Virtual Interface – Access to VPC. Note: Not VPC Endpoints or transitive via VPC Peering

• Public Virtual Interface – Access to non-VPC Services

Account ownership of Direct Connect

Diagram: the same layers (Single Mode Fiber – 1G or 10G, Ethernet – 802.1Q VLAN, Peer & Amazon IP, BGP), but the Direct Connect Connection is in account A/C 1 while the Hosted Virtual Interface (one per VLAN) and the Virtual Private Gateway (“Routing of traffic”) are in account A/C 2.

Sub-1G via Direct Connect Partner

Diagram: a Direct Connect Interconnect (Single Mode Fiber – 1G or 10G) owned by the Partner carries a Hosted Connection for the Customer with a set Bandwidth and VLAN (Ethernet – 802.1Q VLAN); a single Virtual Interface (Peer & Amazon IPs, BGP) attaches to the Virtual Private Gateway (“Routing of traffic”).

Hosted connection bandwidths: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps and 500Mbps

Sharing Hosted Connections

Diagram: as above, the Partner's Direct Connect Interconnect (Single Mode Fiber – 1G or 10G) carries the Customer's Hosted Connection (Bandwidth, VLAN, Ethernet – 802.1Q VLAN) in account A/C 1, while the single Hosted Virtual Interface (Peer & Amazon IPs, BGP) and the Virtual Private Gateway (“Routing of traffic”) are in account A/C 2.

Private Virtual Interface

• Only provides access to resources in a VPC. Note: Not VPC Endpoints or transitive via VPC Peering

• Attaches to the Virtual Private Gateway – same as a VPN Connection

• Multiple Private VIFs can be attached for resilience

• Any IP Addresses and ASN for BGP Peering acceptable

Single Private Virtual Interface

Diagram: CORP network 172.16.0.0/16 connected to VPC 10.0.0.0/16 over private VIF dxvif-wwxxyyzz.

AWS side: VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 Key

Customer side: Interface gi0/0.100, VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 Key

VPC Route Table (Destination / Target / Propagated):
10.0.0.0/16 Local
172.16.0.0/16 VGW Yes

eBGP: AS65001 announcing 172.16.0.0/16; AS7224 announcing 10.0.0.0/16

Adding Redundancy – “Everything fails, all the time.” – Werner Vogels

Dual DX – Single Location

Diagram: two Direct Connect connections (two eBGP sessions) from the AWS Direct Connect Routers to one Customer Router at a single Colocation / DX Location, reached over the Service Provider Network from CORP.

Dual Private Virtual Interface

Diagram: CORP network 172.16.0.0/16 connected to VPC 10.0.0.0/16 over two private VIFs, each with its own eBGP session.

dxvif-wwxxyyzz – AWS side: VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 Key; Customer side: Interface gi0/0.100, VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 Key

dxvif-aabbccdd – AWS side: VLAN 100, IP 169.254.254.13/30, BGP AS 7224, MD5 Key; Customer side: Interface gi0/0.100, VLAN 100, IP 169.254.254.14/30, BGP AS 65001, MD5 Key


Dual DX – Single Location revisited

Diagram: the same two connections from the AWS Direct Connect Routers at one Colocation / DX Location, first terminating on a single Customer Router and then on two Customer Routers, reached over the Service Provider Network from CORP.

Single DX – Dual Location

Diagram: one Direct Connect connection at each of DX Location 1 and DX Location 2, each with Customer Routers in Colocation facing AWS Direct Connect Routers, both reached over the Service Provider Network from CORP.

Dual DX – Dual Location

Diagram: two Direct Connect connections at each of DX Location 1 and DX Location 2, each location with Customer Routers in Colocation facing AWS Direct Connect Routers, all reached over the Service Provider Network from CORP.

Dual VIF – Active/Active

Diagram: AWS-side IPs 169.254.254.9/30 and 169.254.254.13/30; customer-side IPs 169.254.254.10/30 and 169.254.254.14/30.

Active/Active – the VGW Perspective

Dual VIF – Active/Passive

Diagram: same addressing as above (169.254.254.9/30 and 169.254.254.13/30 on the AWS side, 169.254.254.10/30 and 169.254.254.14/30 on the customer side).

Active/Passive – the VGW Perspective

Public Virtual Interface

• Provides access to Amazon Public IP Addresses

• Requires Public IP Addresses for BGP Session. If you can’t provide them, raise a case with AWS Support

• Public ASN must be owned by customer – Private is OK

• Inter-Region is available in the US
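A pre-flight check of the BGP peering parameters for a private VIF (rules on the Private Virtual Interface slide above) and a public VIF (this slide), as an added example in Python that is not the presenter's or AWS's code. The Vif class and the placeholder MD5 keys are assumptions; the sample values are built from the slides' addresses, VLANs and ASNs.

```python
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import List, Tuple

PRIVATE_ASN = range(64512, 65535)     # 16-bit private ASN block (RFC 6996)
MAX_PREFIXES_ON_AWS_PEER = 100        # limit stated on the slides


@dataclass
class Vif:
    """BGP peering parameters of one virtual interface (hypothetical model)."""
    kind: str                         # "private" or "public"
    vlan: int                         # 802.1Q tag
    amazon_ip: str                    # e.g. "169.254.254.9/30"
    customer_ip: str                  # e.g. "169.254.254.10/30"
    customer_asn: int
    md5_key: str                      # placeholder in the samples below
    announced: Tuple[str, ...] = ()   # prefixes the customer advertises


def check_vif(vif: Vif) -> List[str]:
    """Return the problems found; an empty list means the VIF passes."""
    problems = []
    if not 1 <= vif.vlan <= 4094:
        problems.append("VLAN must be a valid 802.1Q tag (1-4094)")
    aws, cust = ip_interface(vif.amazon_ip), ip_interface(vif.customer_ip)
    if aws.network != cust.network:
        problems.append("peer and Amazon IPs must share one subnet")
    if not vif.md5_key:
        problems.append("BGP session needs an MD5 key")
    if len(vif.announced) > MAX_PREFIXES_ON_AWS_PEER:
        problems.append("exceeds the 100-prefix maximum on the AWS peer")
    if vif.kind == "public":   # a private VIF accepts any IPs and ASN
        if not (aws.ip.is_global and cust.ip.is_global):
            problems.append("public VIF needs public IPs for the BGP session")
        if vif.customer_asn not in PRIVATE_ASN:
            problems.append("public ASN: customer must own it")
        for p in vif.announced:
            if not ip_network(p).is_global:
                problems.append(f"public VIF cannot announce non-public {p}")
    return problems


# Constructed from the slides' values (MD5 keys are placeholders).
PRIVATE_VIF = Vif("private", 100, "169.254.254.9/30", "169.254.254.10/30", 65001, "k1", ("172.16.0.0/16",))
PUBLIC_VIF = Vif("public", 200, "54.239.244.57/31", "54.239.244.56/31", 65001, "k2", ("54.239.244.56/31",))
# Link-local peers and a private prefix are fine on a private VIF but not on a public one.
BAD_PUBLIC_VIF = Vif("public", 200, "169.254.254.9/30", "169.254.254.10/30", 65001, "k3", ("172.16.0.0/16",))
```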

Public Virtual Interface

Diagram: CORP network 172.16.0.0/16 connected over public VIF dxvif-wwxxyyzz.

AWS side: VLAN 200, IP 54.239.244.57/31, BGP AS 7224, MD5 Key

Customer side: Interface gi0/0.200, VLAN 200, IP 54.239.244.56/31, BGP AS 65001, MD5 Key

AS65001 announcing 54.239.244.56/31

AS7224 announcing:
184.72.96.0/19 via 7224 16509 14618 i
184.72.128.0/17 via 7224 16509 14618 i
184.73.0.0 via 7224 16509 14618 i
184.169.128.0/17 via 7224 16509 i
199.127.232.0/22 via 7224 16509 i
199.255.192.0/22 via 7224 16509 i
…

Ordering Process

How to order AWS Direct Connect

1. Select Your Region

2. Create a Connection

3. Receive LOA-CFA

4. Cross Connect

5. Create Virtual Interface

6. Configure Customer Router

How to order sub-1G via an APN Partner

1. Provide your Direct Connect Partner with Account Number

2. Accept Hosted Connection

3. Create Virtual Interface

4. Configure Customer Router

Direct Connect with VPN Backup

Diagram: CORP connected to AWS through DX Location 1 and DX Location 2, with a VPN connection as the backup path.

Hardware VPN over DX Public VIF

Diagram: CORP network 172.16.0.0/16 connected over public VIF dxvif-wwxxyyzz (AWS side: VLAN 200, IP 54.239.244.57/31, BGP AS 7224, MD5 Key; Customer side: Interface gi0/0.200, VLAN 200, IP 54.239.244.56/31, BGP AS 65001, MD5 Key), with the hardware VPN tunnels riding over it.

AWS side: Tunnel 1 IP 169.254.169.1/30, BGP AS 17493; Tunnel 2 IP 169.254.169.5/30, BGP AS 17493

Customer side: Tunnel 1 IP 169.254.169.2/30, BGP AS 65001; Tunnel 2 IP 169.254.169.6/30, BGP AS 65001

Billing

• VPN Connections: Connection Hours; Data Transfer (Internet rates)

• Direct Connect: Port Hours; Reduced Data Transfer Rates; No charge for resources owned by other accounts; VPN Data Transfer over Direct Connect at reduced rate

Things to remember

All Direct Connect locations are at 3rd party data centers. You will have to work with at least one other organization:

• Could be just the Data Center

• Could be a Network Provider / Direct Connect Partner

• Could be multiple Network Providers AND the Data Center

Sub-1G Hosted Connections support a single VIF

You can share VIFs with other accounts

Public VIFs include the Hardware VPN Endpoints

Demo

Demo Architecture

Diagram: on-premises LAN 192.168.51.0/24 with host 192.168.51.10 and a router (Gi0/1: 192.168.51.254; Gi0/0: Internet; Gi0/0/0: DX 1) connected through the DX Location (Telecity London) to eu-west-1 (Ireland) VPC 10.0.0.0/16 containing DemoInst 10.0.0.50.

We look forward to your feedback!

https://www.awssummit.co.kr

Visit the mobile page and take part in the session evaluation now to receive a souvenir after the event.

Post your impressions of the event on social media with the #AWSSummit hashtag.

The presentation materials and recorded videos will soon be shared on AWS Korea's official social channels.

Thank you!

@sseymour

Steve Seymour, Specialist Solutions Architect