AWS Meetup - surviving the hybrid cloud - a network perspective
- 2. ©2017 Cloudreach
Agenda
● Why Hybrid?
● Hybrid Challenges
● Requirements
● Options (..many options)
● Cost
● Availability / resiliency
● Outbound internet
● Accessing resources
● Transitive routing
● Summary
● Q&A
- 3. ©2017 Cloudreach Limited
First things first …
Surviving the Hybrid Cloud 3
Why On-premises?
● Medium - Large enterprise
● CAPEX investments
● Cloud Trust issues
● Monolithic applications
● Security policies
● Compliance issues
● Team skills
● Ongoing partnerships
- 4. ©2017 Cloudreach Limited
Why Hybrid?
On-premises
● On-premise
● High fixed cost
● Known security
● Full control
● Low reskill cost
Hybrid Cloud
● Necessary “evil”
● Lower cost
● Trusted security
● Partial reskill
● Elasticity/Availability
● Cloud native services
● Modern applications
● More adoption
● Organic evolution
● Less disruptive
Public Cloud
● Off-premise
● Low variable cost
● New security model
● Elasticity
● Availability
● Flexibility
● Cloud native services
- 5. ©2017 Cloudreach Limited
Hybrid Cloud challenges (.. a lot of them ...)
Access Management
Network connectivity
Service availability
Security enforcement
Network services
App Extension
App Migration
Compliance
...
- 6. ©2017 Cloudreach Limited
Connectivity requirements
● Latency - what are the acceptable limits?
● Bandwidth - what is the average need? How big are the spikes?
● Traffic type - understand the traffic type, choose the best option
● Cloud usage - primary, secondary, elastic backend
● Internet access - inbound/outbound? Use AWS IGW or existing?
● Availability - is HA valid end to end? Need for uptime
● Cost - budget?
● Maintenance/Management - network team available? willing?
● Emergency - how quickly are the connection(s) needed?
● Security - what are the accepted levels?
● Routing - static/dynamic
- 8. ©2017 Cloudreach Limited
Connectivity options (Site to site)
● Transport - physical
○ Over Public Network
○ Over Private Line - DirectConnect
● Routing
○ Static - manually maintained routes
○ Dynamic - BGP
● Traffic engineering
○ Link resiliency
○ Link aggregation
● Access
○ Outbound Internet
○ Transitive: Meshed vs Hub and Spoke
- 9. ©2017 Cloudreach Limited
Options
AWS managed VPN - single connection, single location
1 VPN connection, 2 IPsec tunnels
1 location, 1 CGW
1 on-premise network
1 SA per tunnel, 2 in total
- 10. ©2017 Cloudreach Limited
More options
AWS managed VPN - multiple connections, single location
2 VPN connections, 4 VPN tunnels
1 location, 2 CGWs
1 on-premise network
1 SA per tunnel, 4 in total
For BGP: ASN (public or private), peer IPs
- 11. ©2017 Cloudreach Limited
Even more options
AWS managed VPN - multiple connections, multiple locations
2 VPN connections, 4 VPN tunnels
1 location, 2 CGWs
2 on-premises networks
- 12. ©2017 Cloudreach Limited
Different options
Software VPN - customer maintained VPN appliance
Vendor (Cisco CSR1000v, Sophos UTM9, Palo Alto, Fortinet) or open source (pfSense, VNS3, MikroTik)
Extra:
- Ensure tunnel availability
- Ensure appliance HA
- Manage patching/configuration
- Manage security
- 13. ©2017 Cloudreach Limited
Dedicated or hosted options
Direct connect (DX)
- At least 2 DX locations per region (Frankfurt has 13!!)
- 3 DX transport options
1. Owned router in the DX location (1 or 10 Gbps only)
2. Partner provided circuit (sub-gig)
3. Service provider MPLS extension
- Can be paired with a hardware VPN connection
- 14. ©2017 Cloudreach Limited
Connectivity cost
● Over Public Network - Internet
■ AWS Managed VPN (single or multi region)
● $0.05 / VPN connection hour (available time)
● Data transfer charged for outbound traffic only
■ Software VPN
● Instance + license cost
● Data transfer charged for outbound traffic only
● Over Private Line - DirectConnect
■ DX - your own router in the DX location (1 Gbps or 10 Gbps)
● Port-hour ($0.30 or $2.25) + data out $0.02/GB (e.g. EU to EU)
■ DX - AWS Partner provided L2 circuit (> 50 Mbps)
● Port-hour ($0.03 or $0.30) + data out
■ DX - Service Provider network (MPLS circuit)
● Circuit/colocation cost
- 15. ©2017 Cloudreach Limited
Connection availability
Topologies shown (figure panels): DirectConnect + VPN; 2 x DX, 1 x circuit (router); 2 x DX, 2 x circuits (routers); 2 x DX, 2 x circuits (routers), 2 x DC
- 16. ©2017 Cloudreach Limited
Routing preference
So how is the routing decision taken in case of overlap?
● Most preferred: VPC local routes
● Then: most specific prefix wins (longest match)
● Still preferred: static routes
● Not quite last: dynamic DirectConnect routes
● Second last: VPN static routes
● Last resort: VPN BGP routes, shortest AS_PATH first
- 17. ©2017 Cloudreach Limited
Connection resiliency and aggregation
● Active-Active
○ BGP equal-cost (ECMP)
○ Aggregate bandwidth
● Active-Standby
○ One preferred path
○ Use BGP AS_PATH (prepending) or BGP local preference
● BGP fact sheet
○ Dynamic routing
○ Peering, sessions, prefix exchange
○ Uses ASN (e.g. AWS has a fixed ASN)
○ iBGP, eBGP
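The route preference order on slide 16 and the AS_PATH-based active/standby choice on slide 17 can be combined into one selection function. This is an added example, not code from the deck or from AWS; the route sources, targets and the sample table are constructed, and the tie-break order follows the slides exactly (local route first, then longest prefix, then route origin, then shortest AS_PATH).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Lower rank = more preferred. The order follows the slide's list.
TYPE_RANK = {"local": 0, "static": 1, "dx_bgp": 2, "vpn_static": 3, "vpn_bgp": 4}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    source: str            # one of the TYPE_RANK keys
    target: str            # constructed label: "local", "igw-1", "vgw-1/tun-1", ...
    as_path: tuple = ()    # AS numbers; only meaningful for vpn_bgp routes


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the route that carries traffic to `dst` under the slide's preference order."""
    ip = IPv4Address(dst)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        0 if r.source == "local" else 1,   # 1. VPC local routes first
        -r.prefix.prefixlen,               # 2. most specific prefix
        TYPE_RANK[r.source],               # 3. static > DX BGP > VPN static > VPN BGP
        len(r.as_path),                    # 4. shortest AS_PATH among VPN BGP routes
    ))


# Constructed sample: 10.0.0.0/16 is the VPC CIDR; 192.168.0.0/16 is on-premises,
# learned over DirectConnect and over VPN tunnel 1. 192.168.10.0/24 is advertised
# only over VPN, with AS_PATH prepending on tunnel 2 so that tunnel 2 is standby.
SAMPLE_TABLE = [
    Route(IPv4Network("10.0.0.0/16"), "local", "local"),
    Route(IPv4Network("10.0.5.0/24"), "static", "eni-1"),   # loses to the local route
    Route(IPv4Network("0.0.0.0/0"), "static", "igw-1"),
    Route(IPv4Network("192.168.0.0/16"), "dx_bgp", "vgw-1/dx"),
    Route(IPv4Network("192.168.0.0/16"), "vpn_bgp", "vgw-1/tun-1", (65000,)),
    Route(IPv4Network("192.168.10.0/24"), "vpn_bgp", "vgw-1/tun-1", (65000,)),
    Route(IPv4Network("192.168.10.0/24"), "vpn_bgp", "vgw-1/tun-2", (65000, 65000, 65000)),
]

if __name__ == "__main__":
    for dst in ("10.0.1.5", "10.0.5.9", "192.168.1.1", "192.168.10.7", "8.8.8.8"):
        r = select_route(SAMPLE_TABLE, dst)
        print(f"{dst:>14} -> {r.prefix} via {r.target} ({r.source})")
```

Running it shows 192.168.1.1 leaving over DirectConnect (same prefix, DX beats VPN BGP) while 192.168.10.7 takes VPN tunnel 1 (the /24 beats the DX /16, and the prepended path on tunnel 2 loses).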
- 18. ©2017 Cloudreach Limited
VPC outbound internet
Two options: VGW + AWS IGW, or VGW + DC Internet
- Originate default route (how?)
- Reuse existing connection
- Control outbound connection (proxy?)
- A must: VPC endpoints (S3, SSM, KMS, etc)
- 19. ©2017 Cloudreach Limited
Accessing VPC resources
● Private Virtual Interface to access the VPC
● The same VGW is used for both DX and Managed VPN
● A Virtual Interface is mapped to a unique VLAN ID
● No transitive routing
● Hairpinning (router on a stick) possible
● Public Virtual Interface needed for VPC endpoints access
- 20. ©2017 Cloudreach Limited
Transitive routing?
WHY?
● Routing between VPCs is non-transitive
● Connection limits:
○ Managed VPN: Per region, per VGW
○ DX: per VIF, per region, routes per session
● Scale and number of VPCs that participate
How exactly?
● Using software VPN appliances
● Opting for
○ Partially or fully meshed design
○ Or Hub and spoke design
● Challenges:
○ Management overhead / Deploy time / Automation
- 21. ©2017 Cloudreach Limited
Summary
● Understanding hybrid cloud challenges and motivation
● Focus on Network connectivity - requirements
● Connectivity options
○ VPN
■ AWS Managed
■ Software VPN
○ DX
■ Hosted equipment - full port
■ Dedicated connection (sub-gig)
■ Service Provider MPLS circuit
● Availability and resiliency
● Outbound internet
● Transitive routing
- 22. ©2017 Cloudreach
Thank you! (Vielen Dank! / Mulțumesc)
“The nice thing about standards is that you have so many to choose from.”
Andrew S. Tanenbaum, Computer Networks, 2nd ed.