AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv

Steve Seymour, Specialist Solutions Architect

Transcript of AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv


Amazon VPC

[Diagram: a Virtual Private Cloud in the AWS Cloud spanning three Availability Zones, with a Public Subnet (web servers, NAT, Internet Gateway to the Internet), a Private Subnet (application servers, database servers) and a VPN Only Subnet connected to the Corporate Network]

The Environment

[Diagram: the corporate network (CORP) used throughout the talk: two firewalls, several Internet ISPs (ISP 1 to ISP 5, BGP with ISP 2), routers running OSPF, BGP inside GRE tunnels over IPsec with backup GRE tunnels, a wireless controller, and a public IP on the edge router]

The Toolbox

• Virtual Private Cloud (VPC)

• Route Tables

• Internet Gateway (IGW)

• Virtual Private Gateway (VGW)

• VPN Connection (VPN)

• Customer Gateway (CGW)

• AWS Direct Connect (DX)

Connectivity Options

• AWS Hardware VPN

• AWS Direct Connect

• Demo

AWS Hardware VPN

VPN Connection – IPsec

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

Reference: Wikipedia - http://en.wikipedia.org/wiki/IPsec

AWS VPN Features

• Static or Dynamic (BGP)

• Static requires routes (IP Prefixes) to be specified

• Dynamic VPN supports max-prefixes of 100

• BGP over VPN supports 2-byte AS Numbers

AWS VPN Requirements

• Connections initiated from the Customer Gateway

• IKE Security Association using a Pre-Shared Key

• IPsec Security Associations in Tunnel Mode

• AES 128-bit encryption, SHA-1 hashing function

• Diffie-Hellman Perfect Forward Secrecy – Group 2

• Dead Peer Detection

• Fragment IP Packets before encryption

Static VPN

• 1 unique Security Association (SA) pair per tunnel

• 1 inbound and 1 outbound

• 2 unique pairs for 2 tunnels – 4 SA’s

[Diagram: VPC 10.0.0.0/16 connected to the corporate network (CORP) 192.168.0.0/16 over two tunnels; each tunnel ACL names the single local and remote prefix]

Static VPN

• Consolidate ACL’s to cover all IP’s

• Filter to block unwanted traffic

[Diagram: the corporate side holds 172.16.0.0/12, 192.168.1.0/24 and 192.168.9.0/24; instead of one ACL entry per prefix, the tunnel ACL is consolidated to 0.0.0.0/0 (any) on both ends, the VPC side stays 10.0.0.0/16, and unwanted traffic is filtered separately]

What is BGP?

• TCP based protocol on port 179

• BGP Neighbors exchange routing information - prefixes

• More specific prefixes are preferred

• Uses Autonomous System Numbers – AS Numbers

• iBGP – between peers in the same AS

• eBGP – between peers in different AS

• AS_PATH – measure of network “distance”

• Local Preference – weighting of identical prefixes

Dynamic VPN

[Diagram: VPC 10.0.0.0/16 to the corporate network (CORP) 172.16.0.0/16 over two tunnels. Tunnel 1: AWS side IP 169.254.169.1/30, customer side IP 169.254.169.2/30. Tunnel 2: AWS side IP 169.254.169.5/30, customer side IP 169.254.169.6/30. AWS side BGP AS 7224 (the second copy of the slide shows AS 17493), customer side BGP AS 65001]

Route Table
Destination     Target
10.0.0.0/16     Local
172.16.0.0/16   VGW

• BGP Peer IP Addresses are automatically generated

• Customer AS Number – owned or private ASN

• Amazon AS Number is fixed per region

Path Selection – inside the VGW

1. Most specific IP prefix (192.168.10.0/24 over 192.168.0.0/16)

2. Direct Connect (irrespective of AS PATH length)

3. Static VPN Connection

4. Dynamic (BGP) VPN Connection

5. Shortest AS PATH (65001 i over 65001 65001 i)
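The VGW preference order above, as an added example (not from the talk), implemented as a small route selector in Python: candidates are ranked by longest prefix, then connection type, then AS_PATH length, so a long AS_PATH never lets a VPN route beat Direct Connect. The connection-type names, the Route class and the sample route table are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Connection-type preference inside the VGW, applied only after the
# most-specific-prefix check (order taken from the slide above).
SOURCE_RANK = {"direct_connect": 0, "static_vpn": 1, "bgp_vpn": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # IP prefix, e.g. "192.168.10.0/24"
    source: str          # "direct_connect", "static_vpn" or "bgp_vpn"
    as_path: tuple = ()  # AS_PATH as a tuple of ASNs; () for static routes


def parse_as_path(text):
    """Turn a 'show ip bgp' style path such as '65001 65001 i' into
    (65001, 65001); the origin code ('i', 'e', '?') is not part of the length."""
    return tuple(int(tok) for tok in text.split() if tok.isdigit())


def preference_key(route):
    """Sort key, lower is better: longest prefix, then connection type,
    then shortest AS_PATH."""
    net = ipaddress.ip_network(route.prefix, strict=False)
    return (-net.prefixlen, SOURCE_RANK[route.source], len(route.as_path))


def select_route(routes, dst_ip):
    """Return the Route the VGW would use for dst_ip, or None if none covers it."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes
                  if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return min(candidates, key=preference_key)


# Constructed sample table (not from the talk): AS 65001 is the customer ASN,
# and a prepended path like "65001 65001 i" models a less-preferred tunnel.
SAMPLE_ROUTES = [
    Route("192.168.0.0/16", "bgp_vpn", parse_as_path("65001 i")),
    Route("192.168.10.0/24", "bgp_vpn", parse_as_path("65001 65001 i")),
    Route("172.16.0.0/16", "bgp_vpn", parse_as_path("65001 i")),
    Route("172.16.0.0/16", "direct_connect", parse_as_path("65001 65001 65001 i")),
    Route("10.10.0.0/16", "bgp_vpn", parse_as_path("65001 65001 i")),
    Route("10.10.0.0/16", "bgp_vpn", parse_as_path("65001 i")),
    Route("10.20.0.0/16", "static_vpn"),
    Route("10.20.0.0/16", "bgp_vpn", parse_as_path("65001 i")),
]

if __name__ == "__main__":
    for ip in ("192.168.10.5", "172.16.1.1", "10.10.1.1", "10.20.1.1"):
        r = select_route(SAMPLE_ROUTES, ip)
        print(f"{ip:>14} -> {r.prefix:<16} via {r.source} AS_PATH={r.as_path}")
```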

Resilient Dynamic VPN

[Diagram: two customer routers at the corporate network (CORP), each terminating a VPN connection to the VGW with eBGP, exchanging routes between themselves with iBGP and into the corporate network with OSPF]

Resilient Dynamic VPN – Multiple VPC’s

[Diagram: the same resilient customer edge with a separate VPN connection to the VGW of each VPC]

Recent VPN Updates

• NAT Traversal (NAT-T)

• Re-usable Customer Gateway

• Allows for the same Customer Gateway (CGW) IP

• Create a new VGW and VPN then attach to your VPC

Note: Only one VGW can be attached to a VPC at one time.

• Additional Encryption Options

• AES256, SHA-256

• Phase 1 can now use DH groups 2, 14-18, 22, 23, and 24.

• Phase 2 can now use DH groups 1, 2, 5, 14-18, 22, 23, and 24.

How to Create a VPN Connection

1. Create a VGW

2. Attach it to the VPC

3. Create a CGW

4. Create a VPN

5. Update Route Tables

6. Configure CGW


AWS Direct Connect

What is AWS Direct Connect…

Dedicated, private pipes into AWS

• Create private (VPC) or public virtual interfaces to AWS

• Reduced data-out rates (data-in still free)

• Consistent network performance

• At least 1 location to each AWS region

• Option for redundant connections

• Multiple AWS accounts can share a connection

• Inter-Region enables connectivity to multiple regions in US

• Uses BGP to exchange routing information over a VLAN

Direct Connect - Locations

AWS Region                      AWS Direct Connect Location
Asia Pacific (Seoul)            KINX, Seoul, Korea
Asia Pacific (Singapore)        Equinix SG2, Singapore
Asia Pacific (Singapore)        GPX, Mumbai, India
Asia Pacific (Sydney)           Equinix SY3, Sydney, Australia
Asia Pacific (Sydney)           Global Switch, Sydney, Australia
Asia Pacific (Tokyo)            Equinix OS1, Osaka, Japan
Asia Pacific (Tokyo)            Equinix TY2, Tokyo, Japan
AWS GovCloud (US)               Equinix SV1 & SV5, San Francisco, CA
China (Beijing)                 CIDS Jiachuang IDC, Beijing, China
China (Beijing)                 Sinnet Jiuxianqiao IDC, Beijing, China
EU Central (Frankfurt)          Equinix FR5, Frankfurt, Germany
EU Central (Frankfurt)          Interxion Frankfurt, Germany
EU West (Ireland)               Equinix LD4 - LD6, London, England
EU West (Ireland)               Eircom Clonshaugh, Dublin, Ireland
EU West (Ireland)               TelecityGroup, London Docklands, London, England
South America (Sao Paulo)       Terremark NAP do Brasil, Sao Paulo, Brasil
South America (Sao Paulo)       Tivit, Sao Paulo, Brasil
US East (Virginia)              CoreSite NY1 & NY2, New York, NY
US East (Virginia)              Equinix DA1 - DA3 & DA6, Dallas, TX
US East (Virginia)              Equinix DC1 - DC6 & DC10, Ashburn, VA
US West (Northern California)   CoreSite One Wilshire & 900 North Alameda, CA
US West (Northern California)   Equinix SV1 & SV5, San Francisco, CA
US West (Oregon)                Equinix SE2 & SE3, Seattle, WA
US West (Oregon)                Switch SUPERNAP 8, Las Vegas, NV

Layers of Direct Connect

Layer 1 - Physical: Single Mode Fiber – 1G or 10G

Layer 2 - Data Link: Ethernet – 802.1Q VLAN

Layer 3 - Network: Peer & Amazon IP

Layer 4 - Transport: TCP

Layer 7 - Application: BGP – “Routing of traffic”

Terminology For Physical Connections

• Leased Line

• Ethernet Private Line

• Pseudo-wire

• Point-to-point circuit

• LAN Extension

• MPLS / VPLS / IP-VPN / L3-VPN

All generally deliver an “extension” of a port from a Direct Connect Location to a Customer Location; MPLS / VPLS / IP-VPN / L3-VPN is a little different …

Physical Connection

• Cross Connect at the location

• Single Mode Fiber – 1000BASE-LX or 10GBASE-LR

• Potential onward Delivery via Direct Connect Partner

• Customer Router

At the Direct Connect Location

[Diagram: the customer router is colocated at the DX Location and cross-connected to the AWS Direct Connect Routers, which sit in front of the AWS Backbone Network; an access circuit from the demarcation point reaches back to the customer's network backbone]

Dedicated Port via Direct Connect Partner

[Diagram: partner equipment at the DX Location is cross-connected to the AWS Direct Connect Routers; the partner network carries the port over an access circuit to the customer router at the demarcation point]

At the Direct Connect Location – via MPLS

[Diagram: the partner PE router is cross-connected to the AWS Direct Connect Routers; the partner MPLS core carries the connection from the provider edge over an access circuit to the customer's CE router at the demarcation point]

Layers of Direct Connect

[Diagram: a Direct Connect Connection over Single Mode Fiber (1G or 10G) carries 802.1Q VLANs; each VLAN is one Virtual Interface with peer and Amazon IPs and a BGP session for routing of traffic, attached to the Virtual Private Gateway of account A/C 1]

Public and Private Virtual Interfaces

• 802.1Q VLAN

• eBGP Session
Note: Max Prefixes on the AWS peer: 100

• Private Virtual Interface – Access to VPC
Note: Not VPC Endpoints or transitive via VPC Peering

• Public Virtual Interface – Access to non-VPC Services

Account ownership of Direct Connect

[Diagram: the Direct Connect Connection is owned by account A/C 1; a Hosted Virtual Interface (one per VLAN), with its peer and Amazon IPs and BGP session, is created for account A/C 2 and attached to that account's Virtual Private Gateway]

Sub-1G via Direct Connect Partner

[Diagram: the partner holds a Direct Connect Interconnect over Single Mode Fiber (1G or 10G) and allocates the customer a Hosted Connection: one VLAN with a bandwidth limit, carrying a single Virtual Interface with peer and Amazon IPs and a BGP session to the customer's Virtual Private Gateway]

50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps and 500Mbps

Sharing Hosted Connections

[Diagram: the Hosted Connection belongs to account A/C 1; its single Hosted Virtual Interface is created for account A/C 2 and attached to that account's Virtual Private Gateway]

Private Virtual Interface

• Only provides access to resources in a VPC
Note: Not VPC Endpoints or transitive via VPC Peering

• Attaches to the Virtual Private Gateway
Same as a VPN Connection

• Multiple Private VIF’s can be attached for resilience

• Any IP Addresses and ASN for BGP Peering acceptable

Single Private Virtual Interface

[Diagram: VPC 10.0.0.0/16 to the corporate network (CORP) 172.16.0.0/16 over one private VIF]

Route Table
Destination     Target   Propagated
10.0.0.0/16     Local
172.16.0.0/16   VGW      Yes

AWS side (dxvif-wwxxyyzz): VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 Key

Customer side (Interface gi0/0.100): VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 Key

eBGP: AS65001 announcing 172.16.0.0/16; AS7224 announcing 10.0.0.0/16

Dual DX – Single Location

[Diagram: one customer router in colocation at the DX Location with two connections to the AWS Direct Connect Routers, an eBGP session on each, reached from the corporate network (CORP) across the service provider network]

Dual Private Virtual Interface

[Diagram: VPC 10.0.0.0/16 to the corporate network (CORP) 172.16.0.0/16 over two private VIFs, one eBGP session each]

VIF 1, AWS side (dxvif-wwxxyyzz): VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 Key

VIF 1, customer side (Interface gi0/0.100): VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 Key

VIF 2, AWS side (dxvif-aabbccdd): VLAN 100, IP 169.254.254.13/30, BGP AS 7224, MD5 Key

VIF 2, customer side (Interface gi0/0.100): VLAN 100, IP 169.254.254.14/30, BGP AS 65001, MD5 Key

Dual DX – Single Location revisited

[Diagram: the same two connections at one DX Location, first terminated on a single customer router, then on two customer routers in the colocation]

Single DX – Dual Location

[Diagram: one connection at each of DX Location 1 and DX Location 2, each with its own customer routers and colocation, reached from the corporate network (CORP) across the service provider network]

Dual DX – Dual Location

[Diagram: two connections at each of DX Location 1 and DX Location 2, each location with its own customer routers, AWS Direct Connect Routers and colocation]

Dual VIF – Active/Active

[Diagram: AWS side IPs 169.254.254.9/30 and 169.254.254.13/30, customer side IPs 169.254.254.10/30 and 169.254.254.14/30, both VIFs carrying traffic]

Active/Active – the VGW Perspective

Dual VIF – Active/Passive

[Diagram: the same pair of VIFs with one carrying traffic and the other held in reserve]

Active/Passive – the VGW Perspective

Public Virtual Interface

• Provides access to Amazon Public IP Addresses

• Requires Public IP Addresses for BGP Session
If you can’t provide them, raise a case with AWS Support

• Public ASN must be owned by customer – Private is OK

• Inter-Region is available in the US

Public VIF – Inter-Region – US Only

Public VIF’s receive prefixes for all US Regions

Prefixes are identified by BGP Communities
Advertisements can be controlled via BGP Communities

Public Virtual Interface

[Diagram: the corporate network (CORP) 172.16.0.0/16 reaches Amazon public IP space over one public VIF]

AWS side (dxvif-wwxxyyzz): VLAN 200, IP 54.239.244.57/31, BGP AS 7224, MD5 Key

Customer side (Interface gi0/0.200): VLAN 200, IP 54.239.244.56/31, BGP AS 65001, MD5 Key

AS65001 Announcing 54.239.244.56 /31

AS7224 Announcing:
184.72.96.0/19 via 7224 16509 14618 i
184.72.128.0/17 via 7224 16509 14618 i
184.73.0.0 via 7224 16509 14618 i
184.169.128.0/17 via 7224 16509 i
199.127.232.0/22 via 7224 16509 i
199.255.192.0/22 via 7224 16509 i
…

Ordering Process

How to order AWS Direct Connect

1. Select Your Region

2. Create a Connection

3. Receive LOA-CFA

4. Cross Connect

5. Create Virtual Interface

6. Configure Customer Router


How to order sub-1G via an APN Partner

1. Provide your Direct Connect Partner with Account Number

2. Accept Hosted Connection

3. Create Virtual Interface

4. Configure Customer Router


Direct Connect with VPN Backup

[Diagram: the corporate network (CORP) with Direct Connect at DX Location 1 and DX Location 2 and a hardware VPN as backup]

Hardware VPN over DX Public VIF

[Diagram: the corporate network (CORP) 172.16.0.0/16 reaches the VPN endpoints over a public VIF. AWS side (dxvif-wwxxyyzz): VLAN 200, IP 54.239.244.57/31, BGP AS 7224, MD5 Key. Customer side (Interface gi0/0.200): VLAN 200, IP 54.239.244.56/31, BGP AS 65001, MD5 Key. The VPN tunnels run across it: Tunnel 1 AWS side 169.254.169.1/30, customer side 169.254.169.2/30; Tunnel 2 AWS side 169.254.169.5/30, customer side 169.254.169.6/30; AWS side BGP AS 17493, customer side BGP AS 65001]

Billing

• VPN Connections
Connection Hours
Data Transfer (Internet rates)

• Direct Connect
Port Hours
Reduced Data Transfer Rates
No charge for resources owned by other accounts
VPN Data Transfer over Direct Connect at reduced rate

Things to remember

All Direct Connect locations are at 3rd party data centers
You will have to work with at least one other organization

• Could be just the Data Center

• Could be a Network Provider / Direct Connect Partner

• Could be multiple Network Providers AND the Data Center

Sub-1G Hosted Connections support a single VIF
You can share VIF’s with other accounts
Public VIF’s include the Hardware VPN Endpoints

Example Implementation Plan

Demo

Demo Architecture

[Diagram: office LAN 192.168.51.0/24 with a host at 192.168.51.10 behind a router (Gi0/1: 192.168.51.254); Gi0/0 faces the Internet and Gi0/0/0 is DX 1 to the DX Location (Telecity London), reaching the eu-west-1 (Ireland) VPC 10.0.0.0/16]

Summary

Connectivity via VPN – Static & Dynamic

Connectivity via AWS Direct Connect – Public & Private

Demo

Steve Seymour, Specialist Solutions Architect, [email protected]

@sseymour