NET402
@sseymour
December 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Am I in the right room?
400 Level - EXPERT: where they explain how to use VPN & AWS Direct Connect?
Existing knowledge (diagram): a VPC 10.0.0.0/16 and a corporate network 192.168.0.0/16 joined by a VPN connection; route table entries for 10.0.0.0/16, 192.168.0.0/16 and 0.0.0.0/0 (any); Tunnel 2 uses 169.254.169.5/30 (BGP AS 17493) on the AWS side and 169.254.169.6/30 (BGP AS 65001) on the CORP side.
FAQs
- VPN connections: connection hours, data transfer, customer router
- 1G / 10G dedicated vs. hosted connections
- Virtual interfaces (VIFs): public or private, 802.1Q VLAN, BGP session
1G/10G dedicated connections (diagram: a dedicated connection terminating in Your Account)
1G/10G dedicated connections, hosted VIF (diagram: Your Account, virtual interface dxvif-xxxxxx, VLAN 103)
Hosted connections (sub-1 G) (diagram: hosted connection on interconnect dxcon-xxxxxx, VLAN 101, port speed 50-500 Mbps)
Direct Connect resilient & diverse paths (diagram, three builds: AWS Direct Connect routers at DX Location 1 and DX Location 2, each reaching the region's AZs through AZ transit)
FAQs
- Private VIF: all data transfer out of your VPC via the VGW
- Public VIF: access your resources (S3 bucket, etc.), you pay; access resources in your consolidated bill, you pay; access resources owned by someone else, they pay
IPv6 over Direct Connect
Always Check!
- eu-west-1 (Ireland): AS 9059
- eu-central-1 (Frankfurt): AS 7224
- ap-southeast-1 (Singapore): AS 17493
Customer gateway configuration: check the ASN (example public virtual interface: IP 54.239.244.57/31, BGP AS 7224)
AS_PATH considerations
- AS-OVERRIDE. Why? Because AS 7224 is used internally.
- ORIGINATE-DEFAULT
Routing inside the VGW (diagram, five builds): the VPC 10.3.0.0/16 in EU-WEST-1 has an IGW towards the Internet (AKA 0.0.0.0/0) and a VGW; CORP (AS 65000) peers with the VGW (AS 9059) and announces 0.0.0.0/0 (ORIGINATE-DEFAULT), so the VGW holds 0.0.0.0/0 via CORP (AS65000); the VPC route table reads: 10.3.0.0/16 local, 0.0.0.0/0 IGW, 10.0.0.0/8 VGW.
Routing preference
1. Local routes to the VPC (no override with more specific routing)
2. Longest prefix match first
3. Static route table entries preferred over dynamic
4. Dynamic routes:
a) Prefer DX BGP routes
i. Shorter AS Path
ii. Considered equivalent, and will balance traffic per flow
b) VPN static routes (defined on VPN connection)
c) BGP routes from VPN
i. Shorter AS Path
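The preference order above can be read as a small selection function. The following is an added example, not code from the NET402 slides or from AWS: it models the VGW routing preference (local first, then longest prefix, then static over dynamic, then DX BGP over VPN static over VPN BGP, with AS_PATH length as the tie-breaker and equal-length ties balanced per flow) and adds the standard BGP loop check that explains the deck's later "ALLOWAS-IN may be required" note for CloudHub sites sharing an ASN. The Route fields, the kind names, the target labels and the sample table are constructed for illustration.

```python
# Added example (not from the NET402 slides): a model of the VGW routing-preference
# order, plus the BGP AS_PATH loop check behind the ALLOWAS-IN note.
# Route kinds, target labels and the sample route table are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    target: str                      # constructed label, e.g. "local", "igw", "vgw-dx"
    kind: str                        # "local" | "static" | "dx-bgp" | "vpn-static" | "vpn-bgp"
    as_path: Tuple[int, ...] = ()    # BGP AS_PATH; empty for non-BGP routes


# Preference among routes of equal prefix length (lower rank wins):
# static entries beat every dynamic route; among dynamic routes
# DX BGP beats VPN static, which beats VPN BGP.
KIND_RANK = {"local": 0, "static": 1, "dx-bgp": 2, "vpn-static": 3, "vpn-bgp": 4}
BGP_KINDS = {"dx-bgp", "vpn-bgp"}


def select_routes(routes: List[Route], dst: str) -> List[Route]:
    """Return every route tied for best for dst (empty list: no match).
    More than one entry models "considered equivalent, balance per flow"."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    if not candidates:
        return []
    # 1. A local route to the VPC always wins, even against a more specific prefix.
    local = [r for r in candidates if r.kind == "local"]
    if local:
        return local
    # 2. Longest prefix match.
    longest = max(ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates if ip_network(r.prefix).prefixlen == longest]
    # 3./4. Static over dynamic, then DX BGP > VPN static > VPN BGP.
    best = min(KIND_RANK[r.kind] for r in candidates)
    candidates = [r for r in candidates if KIND_RANK[r.kind] == best]
    # 4a-i / 4c-i. Among BGP routes of one kind the shorter AS_PATH wins;
    # equal lengths stay tied and balance traffic per flow.
    if candidates[0].kind in BGP_KINDS:
        shortest = min(len(r.as_path) for r in candidates)
        candidates = [r for r in candidates if len(r.as_path) == shortest]
    return candidates


def accept_from_peer(local_asn: int, as_path: Tuple[int, ...], allowas_in: bool = False) -> bool:
    """BGP loop prevention: a route whose AS_PATH already carries our own ASN
    is rejected unless allowas-in is configured on the session."""
    return allowas_in or local_asn not in as_path


def best_targets(routes: List[Route], dst: str) -> List[str]:
    """Convenience wrapper returning only the target labels of the winning routes."""
    return [r.target for r in select_routes(routes, dst)]


# Constructed route table in the spirit of the "Routing inside the VGW" slides:
# VPC 10.3.0.0/16 with an IGW default route; CORP (AS 65000) announces a default
# (ORIGINATE-DEFAULT) and 10.0.0.0/8 over DX (one path with AS_PATH prepending) and VPN.
SAMPLE_ROUTES = [
    Route("10.3.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "igw", "static"),
    Route("0.0.0.0/0", "vgw-dx", "dx-bgp", (65000,)),
    Route("10.0.0.0/8", "vgw-dx", "dx-bgp", (65000,)),
    Route("10.0.0.0/8", "vgw-dx-backup", "dx-bgp", (65000, 65000)),  # longer AS_PATH, loses
    Route("10.0.0.0/8", "vgw-vpn", "vpn-bgp", (65000,)),              # VPN BGP, loses to DX
    Route("10.3.5.0/24", "vgw-dx", "dx-bgp", (65000,)),               # more specific than local, still loses
]

if __name__ == "__main__":
    for dst in ("10.3.5.10", "8.8.8.8", "10.200.1.1"):
        print(dst, "->", best_targets(SAMPLE_ROUTES, dst))
    # CloudHub with the same ASN at every site: site B's prefix reaches site A with
    # AS_PATH (vgw_asn, 65001); site A (AS 65001) drops it unless allowas-in is set.
    print(accept_from_peer(65001, (17493, 65001)),
          accept_from_peer(65001, (17493, 65001), allowas_in=True))
```

Running the script shows 10.3.5.10 going to the local route despite the more specific /24 learned over DX, 8.8.8.8 following the static IGW default rather than the BGP-learned one, and 10.200.1.1 picking the DX path with the shortest AS_PATH over both the prepended DX path and the VPN BGP path.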
AWS VPN CloudHub (diagram: three customer sites, AS65001, AS65002 and AS65003, each with a VPN connection to the same VGW, exchanging routes over eBGP)
Note: You can use the same Border Gateway Protocol (BGP) Autonomous System Numbers (ASNs) for each site, or use a unique ASN if you prefer. ALLOWAS-IN may be required.
AWS VPN CloudHub and software VPN (diagram, several builds: VPCs in EU-CENTRAL-1, US-EAST-1 and US-WEST-2 connected by VPN to the sites AS65001, AS65002 and AS65003 over eBGP)
Transit VPC? 2x EC2 instances per VPC
Transit VPC solution
AWS services (icons): Amazon S3, Amazon Glacier, Amazon DynamoDB, Amazon Kinesis, Amazon API Gateway, Amazon WorkSpaces, AWS Lambda, Elastic Load Balancing, Amazon EC2
Working with AWS services: AWS Storage Gateway (diagram, three builds): CORP NET 172.16.0.0/16 with a Storage Gateway appliance serving iSCSI to backup software and legacy servers (VTL); VPC 10.44.208.0/20 reached via the VGW; the appliance reaches the Storage Gateway service endpoints over the Internet, or over a Direct Connect public VIF:
client-cp.storagegateway.region.amazonaws.com:443
dp-1.storagegateway.region.amazonaws.com:443
anon-cp.storagegateway.region.amazonaws.com:443
proxy-app.storagegateway.region.amazonaws.com:443
storagegateway.region.amazonaws.com:443
Working with AWS services: Amazon WorkSpaces (diagram, several builds, paths A and B): users, WorkSpaces and AWS Directory Service in AWS; the corporate data center's Active Directory servers connected through an AWS hardware VPN to the VGW; the Internet.
VPN tunnel details:
Tunnel 1: 169.254.169.1/30 (BGP AS 17493) <-> 169.254.169.2/30 (BGP AS 65001, CORP)
Tunnel 2: 169.254.169.5/30 (BGP AS 17493) <-> 169.254.169.6/30 (BGP AS 65001, CORP)
Create a DX public VIF (diagram): customer router with the public VIF on sub-interface gi0/0/0.551 (public VIF addresses 54.239.240.240 / 54.239.240.241) placed in a VRF; LAN interface gi0/1.
AWS public prefixes now in the VRF: 46.51.120.0/18, 46.51.192.0/20, 46.137.0.0/17, 46.137.128.0/18, ...
Tunnels using the VRF (diagram): tun1 and tun2 are sourced from the VRF; gi0/1 is 192.168.51.254 on 192.168.51.0/24; the VPC is 172.31.0.0/16.
Build VPN tunnels using the VRF (diagram, two builds): BGP runs over the tunnels; tun1 uses 169.254.23.53 / 169.254.23.54 and tun2 uses 169.254.22.117 / 169.254.22.118; the router learns 172.31.0.0/16 via 169.254.22.117 and via 169.254.23.53.
Related Sessions