VPC and Datacenter Connectivity Options
Uploaded by john-homer-alvero (category: Internet)
Transcript of VPC and Datacenter Connectivity Options
VPC & DATACENTER CONNECTIVITY OPTIONS
John Homer, [email protected], Engineering, Voyager Innovations, Inc.
VOYAGER INNOVATIONS, INC.
• Established in 2013
• Wholly owned subsidiary of Smart Communications
• Drives exploration and creation of disruptive digital services
• We focus on digital innovations
• We are hiring. [email protected]
WHY VPC
• Logical isolation of AWS assets (think of a VLAN)
• Control over IP addressing, subnets, routing, gateways
• VPN connectivity to datacenter or 3rd party networks
• VPC Peering
• S3 security
• NACLs in addition to Security Groups
• Assign a private static IP to an EC2 instance
• New features / services are VPC-only
USE CASES
• Public facing sites
• Multi-tier web applications
• Host scalable applications that are connected to on-prem resources
• Extend the on-prem network into the cloud
• Disaster recovery
WHY THE CONNECTIVITY
• On-prem components
  • HSM
  • Media servers
• Slowly migrating infrastructure from on-prem to AWS
• Connecting to 3rd party networks
• Secure administrative access from the office network
• Compliance
CONNECTIVITY OPTIONS
• VPC VPN - IPSec
• Direct Connect
• Combination
• Roll-Your-Own (RYO)
• VPC Peering
VPC IPSEC
• Cheapest, easiest and quickest to implement
• Static or dynamic routing (no public AS required)
• Secure tunnel through the public internet
• Supports dual tunnels for redundancy
• Supports the most common hardware VPN devices
  • Cisco, Fortinet, Juniper, Microsoft, Palo Alto, Yamaha, IIJ, Checkpoint, H3C, etc.
• … and software
  • Racoon
  • strongSwan
  • Openswan
DIRECT CONNECT
• Consistent network performance
  • PH – SG ~40ms through PLDT
• Private access to AWS services such as EC2, S3, VPC, etc.
• 1Gbps to 10Gbps, but depends on the capability of your Direct Connect provider
• Needs an APN partner
  • SG – Equinix, Tata, Verizon, Level 3, NTT, Pacnet
  • Philippines – PLDT
• Implementation takes from weeks to months
COMBINATION: DIRECT CONNECT WITH IPSEC FAIL-OVER
• IPSec is cost-effective redundancy for Direct Connect
• IP routing through the APN partner
• Static
  • AWS – force Direct Connect by propagating more specific routes through BGP (10.10.10.10/32 via BGP, 10.10.10.0/24 via IPSec)
  • IPSec – use static routing
  • Customer – IP SLA
  • Need the Direct Connect provider to propagate the routes for you
• Dynamic
  • AWS – automatic
  • Customer – BGP AS-PATH prepending
  • You propagate your own routes
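The fail-over logic on this slide comes down to two route-selection rules: a more specific prefix wins (the static scheme, where the /32 learned over Direct Connect beats the /24 static route over IPSec), and, for equal prefixes, the shorter AS-PATH wins (the dynamic scheme, where the customer prepends the IPSec path). The following is an added illustration written for this transcript, not code from the talk or from AWS; it models the AWS side only, and the prefixes and AS numbers are constructed sample values.

```python
"""Added example (not from the slides): model how a route is chosen when a
Direct Connect (BGP) path and an IPsec VPN path both reach the datacenter,
and how traffic falls back to IPsec when the Direct Connect routes vanish.
Prefixes and AS numbers below are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str            # destination CIDR
    via: str               # "direct-connect" or "ipsec"
    origin: str            # "bgp" (learned, disappears with the session) or "static"
    as_path: tuple = ()    # BGP AS-PATH; a prepended (longer) path is less preferred

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def select_route(routes, dest):
    """Longest-prefix match first; among equal prefixes prefer the shorter
    AS-PATH. Returns None when no route covers the destination."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, len(r.as_path)))


def path_for(routes, dest):
    """Name of the path ("direct-connect" / "ipsec") that carries traffic to dest."""
    route = select_route(routes, dest)
    return route.via if route else None


def withdraw(routes, via):
    """Simulate the BGP session on one path dropping: its learned routes vanish,
    static routes stay."""
    return [r for r in routes if not (r.via == via and r.origin == "bgp")]


# Static scheme from the slide: the specific /32 arrives over BGP from the
# Direct Connect partner; the covering /24 is a static route over IPsec.
STATIC_SCHEME = [
    Route("10.10.10.10/32", via="direct-connect", origin="bgp", as_path=(65000,)),
    Route("10.10.10.0/24", via="ipsec", origin="static"),
]

# Dynamic scheme: the same prefix is announced on both paths and the customer
# prepends its own AS on the IPsec path so Direct Connect is preferred.
DYNAMIC_SCHEME = [
    Route("10.10.10.0/24", via="direct-connect", origin="bgp", as_path=(65000,)),
    Route("10.10.10.0/24", via="ipsec", origin="bgp", as_path=(65000, 65000, 65000)),
]

if __name__ == "__main__":
    for name, scheme in (("static", STATIC_SCHEME), ("dynamic", DYNAMIC_SCHEME)):
        print(name, "normal:", path_for(scheme, "10.10.10.10"),
              "| DX down:", path_for(withdraw(scheme, "direct-connect"), "10.10.10.10"))
```

Note the difference the model exposes: in the static scheme only the hosts with a specific BGP route (here the single /32) ride Direct Connect, everything else in the /24 takes IPsec even while Direct Connect is up, which is why the slide needs the provider to propagate each specific route for you.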
ROLL YOUR OWN
• IPSec, PPTP, L2TP, SSL
• OpenVPN is the easiest to implement
  • Site-to-site connectivity
  • Can be used road-warrior style
  • Force routes to the remote peer
  • Integrates with LDAP and TOTP
  • Requires client software
• Free
VPC PEERING
• Inter-VPC communication as if they were on the same VPC
• Your own or a 3rd party VPC
• Think of VLAN trunking
• Apply routing policies on both sides
• May peer with another VPC in another region (future)
• NACLs and Security Groups still apply
• A peered VPC cannot use the other VPC's IPSec/Direct Connect connection (not supported)
  • But a proxy can be used
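Two of these bullets are routine sources of broken peering setups: routes must exist on both sides, and a peered VPC cannot reach the datacenter through the other VPC's VPN or Direct Connect. The following is an added checker written for this transcript, not code from the talk or from AWS; the VPC CIDRs, route tables and the non-overlap requirement for peering are modelled with constructed sample values, and security groups and NACLs are deliberately left out.

```python
"""Added example (not from the slides): check the routing prerequisites of a
VPC peering connection and model why traffic cannot transit a peer's VGW.
All CIDRs and route tables here are constructed sample values."""
import ipaddress


def next_hop(vpc, dest_ip):
    """Longest-prefix match over a VPC's route table; returns the target name."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(cidr), target)
               for cidr, target in vpc["routes"].items()
               if addr in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def peering_problems(vpc_a, vpc_b):
    """List what would stop traffic flowing over a peering between two VPCs:
      1. the two CIDRs must not overlap;
      2. each side needs a route to the other's CIDR targeting the peering
         connection ("apply routing policies on both sides")."""
    problems = []
    net_a = ipaddress.ip_network(vpc_a["cidr"])
    net_b = ipaddress.ip_network(vpc_b["cidr"])
    if net_a.overlaps(net_b):
        problems.append(f"CIDRs overlap: {net_a} and {net_b}")
    for src, dst in ((vpc_a, vpc_b), (vpc_b, vpc_a)):
        dst_net = ipaddress.ip_network(dst["cidr"])
        covered = any(target == "peering" and dst_net.subnet_of(ipaddress.ip_network(cidr))
                      for cidr, target in src["routes"].items())
        if not covered:
            problems.append(f"{src['name']} has no peering route to {dst_net}")
    return problems


def delivers(src_vpc, dst_vpc, dest_ip):
    """Non-transitive rule: a packet sent over the peering is delivered only if
    dest_ip lies inside the peer's own CIDR. The peer's VGW / Direct Connect
    routes are never consulted for traffic arriving over a peering."""
    if next_hop(src_vpc, dest_ip) != "peering":
        return False
    return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(dst_vpc["cidr"])


# Constructed sample topology: vpc-b owns the VPN/Direct Connect to the
# datacenter 10.10.0.0/16; vpc-a is peered with vpc-b and (wrongly) points the
# datacenter prefix at the peering connection.
VPC_A = {"name": "vpc-a", "cidr": "10.0.0.0/16",
         "routes": {"10.0.0.0/16": "local", "10.1.0.0/16": "peering", "10.10.0.0/16": "peering"}}
VPC_B = {"name": "vpc-b", "cidr": "10.1.0.0/16",
         "routes": {"10.1.0.0/16": "local", "10.0.0.0/16": "peering", "10.10.0.0/16": "vgw"}}
# A third VPC whose CIDR collides with vpc-a: peering cannot be established.
VPC_BAD = {"name": "vpc-bad", "cidr": "10.0.128.0/17",
           "routes": {"10.0.128.0/17": "local", "10.0.0.0/16": "peering"}}

if __name__ == "__main__":
    print("a<->b problems:", peering_problems(VPC_A, VPC_B))
    print("a -> host in b:", delivers(VPC_A, VPC_B, "10.1.5.5"))
    print("a -> datacenter via b:", delivers(VPC_A, VPC_B, "10.10.1.1"))
    print("a<->bad problems:", peering_problems(VPC_A, VPC_BAD))
```

The last `delivers` call is the slide's "not supported" case: vpc-a has a route, vpc-b has a VGW route, and the packet is still dropped. The "proxy" workaround is an instance inside vpc-b's own CIDR that vpc-a can reach over the peering and that forwards on to the datacenter in its own right.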