AWS Virtual Edge Deployment Solutions Guide

VMware SD-WAN by VeloCloud 3.3


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. Copyright and trademark information.

AWS Virtual Edge Deployment Solutions Guide

VMware, Inc. 2


Contents

1 AWS Virtual Edge Deployment Solutions Guide
  Overview of Virtual Edge on AWS
  Single Virtual Edge with cloud-init
    Virtual Edge on AWS VPC Topology (Single)
    High-level Workflow
  Hub Clustering Deployment
    Deployment Procedures


1 AWS Virtual Edge Deployment Solutions Guide

This guide describes how to deploy a Virtual Edge on AWS.

This chapter includes the following topics:

- Overview of Virtual Edge on AWS

- Single Virtual Edge with cloud-init

Overview of Virtual Edge on AWS

More customers are moving their workloads to public cloud infrastructure, and they expect to extend SD-WAN from remote sites into the public cloud to guarantee SLAs. VeloCloud offers several options: leverage distributed VCGs to establish IPsec towards a public cloud private network, deploy a Virtual Edge directly in AWS, or leverage a service provider's Partner Gateway infrastructure to deploy a hub-less data center.

- For a small branch deployment that demands throughput of less than 1 Gbps, a single Virtual Edge can be deployed in the private network (AWS VPC).

- For larger data center deployments that demand multi-gigabit throughput, hub clustering can be deployed.

VeloCloud Hub Clustering Design

In the VeloCloud hub clustering design, we leverage the Layer 3 switch on the LAN side and run a routing protocol between the hubs in the cluster and the Layer 3 switch for route distribution in the LAN. Because the AWS VPC router does not support dynamic routing protocols, a third-party virtual router is required in the AWS infrastructure. In this solution, we verified with a redundant Cisco Cloud Services Router (CSR) 1000v, but other virtual routers that support HA and BGP are expected to work as well.

Assumptions

It is assumed that you are familiar with AWS and that you have already deployed a VPC as a branch or data center hub site in AWS.

Prerequisites

Before you begin, you must have:

- AWS account and login information


- VCO host name and admin account to log in

Single Virtual Edge with cloud-init

This section describes a single Virtual Edge with cloud-init.

Virtual Edge on AWS VPC Topology (Single)

The following figure shows the Virtual Edge on AWS VPC topology (Single).

High-level Workflow

This section describes the high-level workflow.

Complete the following steps:

1 Create the VPC, Subnets, Route Table, Security Groups, and Internet Gateway.

2 VeloCloud: Create and configure the Virtual Edge in the VCO.

3 AWS Console: Launch the VeloCloud instance from the Marketplace:

  a Add two interfaces (eth0 - management and eth1 - WAN/Overlay).

  b Create the cloud-init file with the VCO FQDN or IP and the activation code. The Virtual Edge will keep attempting to activate per the cloud-init configuration until activation succeeds.

  c Launch the instance.

4 Assign a Public/Elastic IP to eth1. Once a Public IP has been assigned to eth1, the Virtual Edge should activate.

5 Verify that the Virtual Edge activates in the VCO.

6 Create a third interface (eth2) for LAN connectivity. A Virtual Edge reboot is required for the Edge OS to detect any newly added interface.

7 Jump Host (optional).


Step 1: Create VPC, Subnets, Route Table, Security Groups, and Internet Gateway

This section describes how to create the VPC, Subnets, Route Table, Security Groups, and the Internet Gateway.

Create VPC and Attach the Internet Gateway

Configure Subnets

Subnet                      Setting
VELO_vVCE_SN_Public_WAN     172.16.1.0/24
VELO_vVCE_SN_Private_LAN    172.16.132.0/24

Configuring Security Groups

Create a Security Group to allow inbound connectivity to the Virtual Edge.

- VCMP: UDP port 2426

- Other ports as needed, for example:

  - SSH: TCP port 22

  - SNMP: UDP port 161

  - ICMP Echo Request

VCMP is the only port that needs to be reachable from arbitrary Internet sources, because its peers are the VeloCloud Gateways and other Edges. Open the management ports (SSH, SNMP, ICMP) only to the jump host or management subnets, not to 0.0.0.0/0.


Configure Route Table

This section describes how to configure the route table.

In this example, two route tables are used: VCE WAN and VCE LAN. Packets need to traverse the Virtual Edge to reach the LAN-side services via the WAN-side interface, and vice versa. This step may vary depending on deployment needs and/or existing infrastructure. A default route (0.0.0.0/0) must be associated with the main routing table, pointing to the Internet Gateway, to ensure WAN connectivity for Virtual Edge activation. Secondly, a private routing table uses a default route pointing to the LAN interface (GE3) on the VCE.


Step 2: Add Virtual Edge (vVCE) to VCO

This section describes how to add the Virtual Edge (vVCE) to the VCO.

Configure Virtual Edge Interfaces

Step 3: Deploy the Virtual Edge (vVCE)

This step describes how to deploy the Virtual Edge (vVCE).

Prepare the cloud-init file

The following is a sample cloud-init file. Replace "vco" and activation_code according to your VCO setup.


Note: For a production VCO with a proper SSL certificate, this field (the one that tells the Edge to ignore certificate errors on the VCO connection) would be "false", so that the Edge verifies the VCO's certificate before it sends the activation code.
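The sample file itself is an image that did not survive extraction, so the following is an added example of rendering and checking the user data before it is pasted into the instance launch dialog. It is not the guide's file and not VeloCloud code. The "vco" and "activation_code" keys are the ones the guide names; the certificate-check key is written here as vco_ignore_cert_errors, which is the name I know from the VeloCloud cloud-init template, and you should confirm it against the template your VCO release provides. The hostname and key values are constructed (the key format mirrors the one shown in the activation example later in this guide).

```python
"""Render and lint the cloud-init user data that activates a Virtual Edge.

Added example; not the VMware guide's sample file and not VeloCloud code.
Assumption: the certificate-check key is named vco_ignore_cert_errors.
Remember that user data is readable by anyone with
ec2:DescribeInstanceAttribute on the instance and from the instance
metadata service, so treat the file as sensitive.
"""
import re

# Activation keys in this guide have the form XXXX-XXXX-XXXX-XXXX.
ACTIVATION_KEY_RE = re.compile(r"^[A-Za-z0-9]{4}(?:-[A-Za-z0-9]{4}){3}$")


def build_user_data(vco, activation_code, ignore_cert_errors=False):
    """Return #cloud-config text for the Edge; rejects a malformed key early
    so a typo does not leave the instance retrying activation forever."""
    if not ACTIVATION_KEY_RE.match(activation_code):
        raise ValueError("activation code must look like XXXX-XXXX-XXXX-XXXX")
    return (
        "#cloud-config\n"
        "velocloud:\n"
        "  vce:\n"
        f"    vco: {vco}\n"
        f"    activation_code: {activation_code}\n"
        f"    vco_ignore_cert_errors: {'true' if ignore_cert_errors else 'false'}\n"
    )


def lint_user_data(text, production=True):
    """Return a list of problems found in user-data text; [] means acceptable.

    In production the Edge must verify the VCO's certificate: with
    vco_ignore_cert_errors true, whoever can intercept the Edge's first
    HTTPS connection can impersonate the VCO and collect the activation code.
    """
    problems = []
    if not text.startswith("#cloud-config"):
        problems.append("missing #cloud-config header; cloud-init ignores the file")
    m = re.search(r"^\s*vco_ignore_cert_errors:\s*(\S+)\s*$", text, re.M)
    if m is None:
        problems.append("vco_ignore_cert_errors is not set")
    elif m.group(1).lower() == "true" and production:
        problems.append("vco_ignore_cert_errors is true: VCO certificate is not verified")
    m = re.search(r"^\s*activation_code:\s*(\S+)\s*$", text, re.M)
    if m is None or not ACTIVATION_KEY_RE.match(m.group(1)):
        problems.append("activation_code is missing or malformed")
    m = re.search(r"^\s*vco:\s*(\S+)\s*$", text, re.M)
    if m is None:
        problems.append("vco (FQDN or IP) is not set")
    return problems


if __name__ == "__main__":
    # Constructed sample: the hostname is fictitious.
    user_data = build_user_data("vco.example.com", "86K4-UFRF-PKRD-X58Q")
    print(user_data)
    print("problems:", lint_user_data(user_data))
```

Run the lint with production=False only for a lab VCO that uses a self-signed certificate; in that case the Edge is trusting whatever answers on the VCO address.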

Launch vVCE from the Marketplace

https://aws.amazon.com/marketplace/


Disable Source/Destination Check

Note: Make sure that all interfaces have Source/Destination Check set to "False". Even if the instance says "False", a specific interface might still be set to "True", because the instance-level setting applies to the primary interface (eth0). Check each interface (eth0, eth1, eth2) individually to confirm that all are set to "False". With the check enabled, AWS drops packets the Edge forwards whose source or destination is not the interface's own address, which breaks the WAN-to-LAN path.
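The per-interface check above is easy to get wrong by hand, so here is an added example (not from the VMware guide or from AWS) that lists the interfaces of one instance that still have the flag set and prints the AWS CLI commands that clear it. It works on the JSON shape returned by `aws ec2 describe-network-interfaces`, so it can be run against saved CLI output with no credentials; the instance ID, ENI IDs and attribute values below are a constructed sample.

```python
"""Find Virtual Edge interfaces that still have Source/Destination Check enabled.

Added example, not VMware or AWS code. Input is the "NetworkInterfaces" list
from `aws ec2 describe-network-interfaces`; the sample below is constructed.
"""
import json


def enis_with_check_enabled(describe_output, instance_id):
    """Return the IDs of ENIs attached to instance_id whose SourceDestCheck is
    still true, in device-index order (eth0, eth1, eth2, ...)."""
    hits = []
    for eni in describe_output.get("NetworkInterfaces", []):
        attachment = eni.get("Attachment") or {}
        if attachment.get("InstanceId") != instance_id:
            continue
        # AWS creates ENIs with the check enabled, so treat a missing key as true.
        if eni.get("SourceDestCheck", True):
            hits.append((attachment.get("DeviceIndex", 0), eni["NetworkInterfaceId"]))
    return [eni_id for _, eni_id in sorted(hits)]


def remediation_commands(eni_ids):
    """AWS CLI commands that clear the flag on each listed interface. The
    instance-level attribute only covers the primary interface, so each ENI
    has to be changed on its own."""
    return [
        f"aws ec2 modify-network-interface-attribute "
        f"--network-interface-id {eni_id} --no-source-dest-check"
        for eni_id in eni_ids
    ]


# Constructed sample: eth0 already fixed, eth1 and eth2 still checking,
# plus an unrelated ENI on another instance that must be ignored.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa", "SourceDestCheck": false,
   "Attachment": {"InstanceId": "i-0123456789abcdef0", "DeviceIndex": 0}},
  {"NetworkInterfaceId": "eni-0cccccccccccccccc", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-0123456789abcdef0", "DeviceIndex": 2}},
  {"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbbb", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-0123456789abcdef0", "DeviceIndex": 1}},
  {"NetworkInterfaceId": "eni-0dddddddddddddddd", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-0fedcba9876543210", "DeviceIndex": 0}}
]}
""")

if __name__ == "__main__":
    pending = enis_with_check_enabled(SAMPLE_DESCRIBE_OUTPUT, "i-0123456789abcdef0")
    for cmd in remediation_commands(pending):
        print(cmd)
```

To run it against a live account, replace SAMPLE_DESCRIBE_OUTPUT with `json.load()` of the output of `aws ec2 describe-network-interfaces --filters Name=attachment.instance-id,Values=<instance-id>`; the instance ID is the only thing the functions need.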

Step 4: Assign Elastic IP to WAN Interface (eth1)

This section describes how to assign the Elastic IP to the WAN interface (eth1).


Step 5: Verify Virtual Edge is Up in VCO

Verify that the Virtual Edge is up in the VCO.


Step 6: Create and Attach LAN Interface (eth2)

Create and attach a LAN interface (eth2).

Reboot Virtual Edge After Adding Interface

Reboot the Virtual Edge after adding the interface.


Step 7: Jump Host (Optional)

A Jump Host is not required. However, if you want to be able to manage the Virtual Edge locally, deploying a Jump Host (either now or later) and assigning it an Elastic IP will accomplish this. Because the Jump Host is the only path to the Edge's management interface, restrict inbound SSH to its Elastic IP to your administrators' source addresses.

Jump Host Interfaces

Interface   Description
eth0        Used for SSH / WAN connectivity and Public/Elastic IP
eth1        Local interface on the same subnet as the vVCE Management Interface (GE1)

Hub Clustering Deployment

This section describes the topology of the VeloCloud hub clustering environment.

The following figure shows the sample topology for the VeloCloud hub clustering with redundant CSR 1000v.


With the VeloCloud Edges deployed in the AWS VPC, the Edges form BGP neighborships with the CSR 1000v pair to learn all the VPC private subnets (configured on the CSR as static routes) and redistribute them to the branches via the VeloCloud routing protocol, which brings up end-to-end reachability.

Deployment Procedures

This section describes the deployment procedures.

Step 1: Deployment Prerequisites on AWS

As described in the Topology section, a minimum of three subnets is needed for the Virtual Edge deployment. Be sure that three subnets (2 public and 1 private) are configured in the AWS VPC.

To deploy the following prerequisites on AWS:

1 Define Security Groups. Because AWS has its own firewall at each instance's network interface level, the following entries are required for the VeloCloud Edge to work properly and to form a neighborship with the CSR instances.

  Field             Description
  HTTP (Optional)   To access the local UI.
  SSH               An unactivated Edge can be accessed only through SSH.
  TCP (Port 179)    The Edge needs to form a neighborship with the CSR through BGP to learn all private subnets.
  UDP (Port 2426)   This allows the VeloCloud proprietary protocol tunnel (VCMP) to the VeloCloud Gateway and other branch Edges.

  In the example deployment (refer to the topology section), the above rules should be applied on the interface through which the VeloCloud Edge forms the overlay tunnel, i.e. GE2. Scope the TCP 179 rule to the subnet the CSR pair peers from and the SSH/HTTP rules to the jump host; the sample CSR configuration in the annexure does not set a BGP neighbor password, so the security group is what decides who can open a BGP session towards the Edge.


2 Route Table Definitions (required for the Hub Clustering deployment). This deployment needs two different routing table definitions: routing between the LAN network and the CSR pair, and routing between the CSR and the Edge (see Steps 2a and 2b below).

  Note: Please refer to the Cisco CSR 1000v deployment guide for setting up the CSR 1000v in HA mode.

  a Routing between the LAN network (VPC private subnet) and the CSR pair:

    - Because the CSR is the first hop that receives all the LAN network traffic, there should be a routing table with a default route pointing to the CSR's interface.

    - Because the CSRs work in redundancy mode, this routing table's default route needs to be modified based on which CSR is active. This is accomplished through the CSR's built-in EEM applet, which calls the AWS API using an IAM role attached to the CSR instance. Scope that role's policy to the route-modification actions on the specific route table it must update: the role lets the CSR redirect the VPC's default route, so it should not carry broader EC2 permissions.

    In the above image, the default route is pointed to the CSR's interface.

  b Routing between the CSR and the Edge: a simple routing table with a default route pointing to one of the Edges' GE3 interfaces.

    - The EEM applet APIs need an existing routing table with a default route pointing to one of the CSRs.

    - The annexure contains a sample CSR configuration to accomplish this.

    - For more information, refer to the following document: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws/csrazuHA.pdf
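The security group rules for the single-Edge deployment (Step 1 of the cloud-init procedure) and the hub-cluster rules in the table above are the same decision seen twice: which port may be open to the Internet and which must stay inside the VPC. The following is an added example, not part of the VMware guide and not VeloCloud or AWS code, that encodes that decision as a policy and audits a set of ingress rules against it. The rule dicts follow the "IpPermissions" entries returned by `aws ec2 describe-security-groups`; the VPC range and the sample rules are constructed for illustration.

```python
"""Audit a security group's ingress rules for a VeloCloud Virtual Edge.

Added example, not from the VMware guide. Ports are the ones the guide lists
(VCMP UDP 2426, BGP TCP 179, SSH TCP 22, HTTP TCP 80, SNMP UDP 161, ICMP);
the VPC CIDR and the sample rules are constructed.
"""
import ipaddress

# Widest legitimate source for each service. VCMP carries the overlay from the
# VeloCloud Gateways and from other Edges whose public addresses are not known
# in advance, so 0.0.0.0/0 is accepted there. Everything else is management or
# peering traffic that should come from a VPC subnet (jump host, CSR pair, LAN).
POLICY = {
    ("udp", 2426): "internet",  # VCMP overlay tunnels
    ("tcp", 179): "vpc",        # BGP with the CSR pair (hub cluster)
    ("tcp", 22): "vpc",         # SSH from the jump host
    ("tcp", 80): "vpc",         # optional local UI
    ("udp", 161): "vpc",        # SNMP from the monitoring subnet
    ("icmp", -1): "vpc",        # echo requests for reachability checks
}

VPC_CIDR = ipaddress.ip_network("172.16.0.0/16")  # assumption: the VPC's range


def audit_ingress(rules, vpc_cidr=VPC_CIDR):
    """Return (severity, message) findings for a list of IpPermissions dicts.
    Only IPv4 "IpRanges" entries are examined."""
    findings = []
    for rule in rules:
        proto = rule["IpProtocol"]
        for entry in rule.get("IpRanges", []):
            cidr = ipaddress.ip_network(entry["CidrIp"])
            if proto == "-1":  # AWS encoding for "all traffic"
                findings.append(("high", f"all protocols and ports open from {cidr}"))
                continue
            low, high = rule.get("FromPort", -1), rule.get("ToPort", -1)
            if proto == "icmp":
                low = high = -1  # any ICMP type is judged as one entry
            if low != high:
                findings.append(("medium", f"{proto} port range {low}-{high} from {cidr}; open single ports only"))
                continue
            scope = POLICY.get((proto, low))
            if scope is None:
                findings.append(("medium", f"{proto}/{low} from {cidr} is not a port the Edge needs"))
            elif scope == "vpc" and not cidr.subnet_of(vpc_cidr):
                findings.append(("high", f"{proto}/{low} reachable from {cidr}; restrict to a VPC subnet"))
    return findings


# Constructed sample: the VCMP rule is correct, SSH is mistakenly world-open,
# BGP and SNMP are scoped to subnets, and a leftover "all traffic" rule exists.
SAMPLE_RULES = [
    {"IpProtocol": "udp", "FromPort": 2426, "ToPort": 2426, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 179, "ToPort": 179, "IpRanges": [{"CidrIp": "172.16.132.0/24"}]},
    {"IpProtocol": "udp", "FromPort": 161, "ToPort": 161, "IpRanges": [{"CidrIp": "172.16.1.0/24"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]

if __name__ == "__main__":
    for severity, message in audit_ingress(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```

Feed it the "IpPermissions" list of the group attached to GE2 (or eth1 in the single-Edge case) and treat every "high" finding as a blocker before activation; the VPC CIDR should be replaced with the real one.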


Step 2: Create a New Virtual Edge in VCO

This section describes how to create a new Virtual Edge in the VCO.

To create a new Virtual Edge in the VCO:

1 In the VCO portal, go to Configure -> Edges -> New Edge.

  a Enter the name of the new Edge in the Name text box.

  b In the Model drop-down menu, choose Virtual Edge.

  c Click the Create button.

2 In the Interface Settings area, change the interface settings of the newly created Virtual Edge profile as follows:

  a Change the GE2 interface capability from "Switched" to "Routed" and enable DHCP addressing and WAN overlay.

  b On the GE3 interface, disable the WAN overlay, because this interface will be used for BGP peering with the CSRs connecting the private subnets.

3 In the Firewall page, enable Support Access for the Jump Host server's IP only, to allow SSH access to the Edge from the jump server and from nowhere else.

4 Save the above changes and copy the activation key shown below to use it on the Virtual Edge console to activate the Edge.


Step 3: Launch and Activate the Virtual Edge in AWS

This step describes how to launch and activate the Virtual Edge in AWS.

To launch and activate the Virtual Edge in AWS:

1 Create a Virtual Edge instance. Because the VeloCloud Edge instance needs a minimum of three interfaces, choose an instance type larger than xlarge; the number of network interfaces an instance can attach depends on its type.

2 Create a jump server. The VeloCloud Edge can be accessed through the jump server via an SSH terminal.

3 Activate the Virtual Edge from the jump server. You can ping the VeloCloud Orchestrator to validate connectivity. Run the activation script using the following syntax:

   /opt/vc/bin/activate.py -s <vco_ip_or_hostname> -i <activation_key>

   For example:

   velocloud root:~# /opt/vc/bin/activate.py -s 172.16.4.3 -i 86K4-UFRF-PKRD-X58Q
   Received activation data
   Activation successful, VCO overridden back to 172.16.4.3
   velocloud root:~#

   The activation key is the one copied from the VCO in Step 2.

Step 4: Edge Clustering (Optional)

For instructions on Edge Clustering, see Configure Network Services: Edge Clustering.

CSR Document and Sample Configuration

This section describes the CSR document and sample configuration. The annotations are written as IOS "!" comment lines; the addresses are those of the sample topology.

! CSR redundancy configuration (CSR 1000v HA on AWS)
redundancy
 cloud provider aws 1
  bfd peer 172.17.2.22
  ! Route table the active CSR rewrites, and the ENI its default route is pointed at
  route-table rtb-9926a5e1
  cidr ip 0.0.0.0/0
  eni eni-dc9c5806
  region us-east-1
!
! Tunnel between the two CSRs; BFD on it detects failure of the peer
interface Tunnel1
 ip address 172.17.2.21 255.255.255.0
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet2
 tunnel destination 172.20.2.22
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
!
! EIGRP runs BFD between the CSR pair over Tunnel1 only
router eigrp 1
 bfd interface Tunnel1
 network 172.17.0.0
 passive-interface GigabitEthernet2
!
router bgp 100
 bgp router-id 172.20.240.16
 bgp log-neighbor-changes
 ! Edge IPs to form BGP peering; each Edge in the cluster peers from its own AS
 neighbor 172.20.2.11 remote-as 101
 neighbor 172.20.2.12 remote-as 102
 neighbor 172.20.2.13 remote-as 103
 !
 address-family ipv4
  redistribute connected route-map redis-conn
  redistribute static route-map redis-static
  neighbor 172.20.2.11 activate
  neighbor 172.20.2.11 send-community extended
  neighbor 172.20.2.12 activate
  neighbor 172.20.2.12 send-community extended
  neighbor 172.20.2.13 activate
  neighbor 172.20.2.13 send-community extended
 exit-address-family
!
! Static route to reach the private subnets
ip route 172.20.4.0 255.255.255.0 172.20.3.1
!
! Only the private subnet (static) and the LAN-facing connected subnet are redistributed
access-list 1 permit 172.20.4.0 0.0.0.255
access-list 2 permit 172.20.3.0 0.0.0.255
!
route-map redis-static permit 1
 match ip address 1
!
route-map redis-conn permit 1
 match ip address 2
!

The route-maps keep the CSR from advertising its tunnel and underlay subnets to the Edges. The sample configures no BGP session authentication, so the security group rule for TCP 179 on the Edge's GE3 is the only control on which hosts can peer with it.
