AWS Direct Connect 및 VPN을 이용한 클라우드 아키텍쳐 설계 (Cloud Architecture Design with AWS Direct Connect and VPN) :: Steve Seymour :: AWS Summit Seoul 2016

Slides from the talk "AWS Direct Connect 및 VPN을 이용한 클라우드 아키텍쳐 설계" (Cloud Architecture Design with AWS Direct Connect and VPN), given by Steve Seymour at AWS Summit Seoul 2016, held on 17 May at COEX, Seoul.

Published in: Technology

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Steve Seymour, Specialist Solutions Architect, May 2016. AWS Direct Connect and VPN Cloud Architecture Design. @sseymour
2. VPN vs. Direct Connect
   • Both allow secure connections between your network and your VPC
   • VPN is a pair of IPsec tunnels over the Internet
   • Direct Connect is a dedicated line with lower per-GB data transfer rates
   • For highest availability: use both
3. Foundations: Amazon VPC. Your own private, isolated section of the AWS cloud
4. VPC CIDR 10.1.0.0/16, spanning Availability Zone A and Availability Zone B, each with a public subnet and a private subnet
   Subnets: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24
   Instances: A 10.1.1.11/24, B 10.1.2.22/24, C 10.1.3.33/24, D 10.1.4.44/24
   Only 1 IGW and 1 VGW per VPC
5. Foundations: Other Services. Let's add some AWS services outside of VPC
6. AWS Region (e.g. US-WEST-1 or AP-NORTHEAST-2), containing our VPC from earlier (same subnets and instances as slide 4)
   • AWS region-level services (plus many more): Amazon SNS, Amazon SQS, Amazon SWF, Amazon SES, Amazon S3, Amazon Glacier, Amazon DynamoDB, AWS Lambda
   • AWS VPC-internal services: e.g. Amazon EMR, Elastic Load Balancing, Amazon RDS
   • The IGW is the gateway between AWS region-level services and internal VPC services
7-8. The Environment (diagram: the CORP network and AWS)
9. The Toolbox: Virtual Private Cloud (VPC), Route Tables, Internet Gateway (IGW), Virtual Private Gateway (VGW), VPN Connection (VPN), Customer Gateway (CGW), AWS Direct Connect (DX)
10. AWS Hardware VPN
11-12. VPN Connection - IPsec
   Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
   Reference: Wikipedia - http://en.wikipedia.org/wiki/IPsec
13. AWS VPN Features
   • Static or Dynamic (BGP)
   • Static requires routes (IP prefixes) to be specified
   • Dynamic VPN supports a max-prefixes limit of 100
14. AWS VPN Requirements
   • Connections initiated from the Customer Gateway
   • IKE Security Association using a Pre-Shared Key
   • IPsec Security Associations in Tunnel Mode
   • AES 128 or 256-bit encryption, SHA-1 or SHA-256 hashing
   • Diffie-Hellman Perfect Forward Secrecy: Phase 1 groups 2, 14-18, 22, 23 and 24; Phase 2 groups 1, 2, 5, 14-18, 22, 23 and 24
   • Dead Peer Detection
   • Fragment IP packets before encryption
   • Optional support for NAT Traversal (NAT-T)
15. Static VPN (CORP 192.168.0.0/16 to VPC 10.0.0.0/16)
   • 1 unique Security Association (SA) pair per tunnel: 1 inbound and 1 outbound
   • 2 unique pairs for 2 tunnels: 4 SAs
16. Static VPN
   • Consolidate ACLs to cover all IPs
   • Filter to block unwanted traffic
   Diagram: CORP prefixes 172.16.0.0/12, 192.168.1.0/24 and 192.168.9.0/24 behind the customer gateway; VPC 10.0.0.0/16 behind the VGW; the crypto ACL on each side is 0.0.0.0/0 (any)
17. Static VPN
   • Consolidate ACLs to cover all IPs
   • Filter to block unwanted traffic
   Diagram: 0.0.0.0/0 (any) on both sides of both tunnels, with VPC 10.0.0.0/16 behind the VGW; the selective filtering happens outside the SA
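Slides 16 and 17 say to consolidate the crypto ACL and filter unwanted traffic separately, and slides 13 and 33 cap the prefixes the AWS peer accepts at 100. The Python below is an added worked example, not code from the talk or from AWS, that makes those checks concrete. The prefixes are the CORP and VPC ranges from the slide diagrams; the assumption that a policy-based IPsec peer negotiates one SA pair per local/remote proxy-ID pair (the way a Cisco crypto ACL behaves), the filter rules and every function name are the example's own.

```python
"""Consolidate crypto ACLs and filter separately (slides 15-17); check the
100-prefix limit of slide 13. Added example, not code from the talk or AWS."""
from ipaddress import collapse_addresses, ip_address, ip_network

MAX_PREFIXES = 100        # prefixes the AWS BGP peer accepts (slides 13 and 33)
SA_PAIRS_PER_TUNNEL = 1   # AWS hardware VPN: one inbound/outbound SA pair per tunnel (slide 15)


def consolidate(prefixes):
    """Collapse adjacent and overlapping prefixes into the smallest equivalent list."""
    nets = (ip_network(p, strict=False) for p in prefixes)
    return [str(n) for n in collapse_addresses(nets)]


def sa_pairs_needed(local_prefixes, remote_prefixes):
    """Assumption: policy-based IPsec negotiates one SA pair per local/remote
    proxy-ID pair (how a Cisco crypto ACL behaves), even after consolidation."""
    return len(consolidate(local_prefixes)) * len(consolidate(remote_prefixes))


def crypto_acl_fits_tunnel(local_prefixes, remote_prefixes):
    """True if the crypto ACL can be carried by the single SA pair AWS negotiates."""
    return sa_pairs_needed(local_prefixes, remote_prefixes) <= SA_PAIRS_PER_TUNNEL


def within_prefix_limit(prefixes, limit=MAX_PREFIXES):
    """True if the prefixes, after consolidation, can all be advertised to the AWS peer."""
    return len(consolidate(prefixes)) <= limit


def packet_permitted(rules, src, dst):
    """First-match interface ACL with implicit deny; rules are (action, src_net, dst_net).
    This is the 'filter to block unwanted traffic' step that replaces a selective crypto ACL."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


# Constructed sample data, taken from the slide diagrams.
VPC = ["10.0.0.0/16"]
CORP = ["172.16.0.0/12", "192.168.1.0/24", "192.168.9.0/24"]
ANY = ["0.0.0.0/0"]

# Hypothetical filter on the tunnel interface: only VPC <-> CORP traffic may use it.
FILTER_RULES = (
    [("permit", v, c) for v in VPC for c in CORP]
    + [("permit", c, v) for c in CORP for v in VPC]
    + [("deny", "0.0.0.0/0", "0.0.0.0/0")]
)

if __name__ == "__main__":
    # One ACE per CORP prefix asks for 3 SA pairs per tunnel; AWS negotiates exactly 1.
    print("selective crypto ACL fits:", crypto_acl_fits_tunnel(VPC, CORP))   # False
    # Slides 16-17: use any/any as the proxy-ID and filter outside the SA instead.
    print("any/any crypto ACL fits:", crypto_acl_fits_tunnel(ANY, ANY))      # True
    print("10.0.1.5 -> 192.168.9.7:", packet_permitted(FILTER_RULES, "10.0.1.5", "192.168.9.7"))  # True
    print("10.0.1.5 -> 8.8.8.8:", packet_permitted(FILTER_RULES, "10.0.1.5", "8.8.8.8"))          # False
```

Running it shows why the slides recommend 0.0.0.0/0 on both sides: a crypto ACL with one entry per CORP prefix would ask for three SA pairs per tunnel, while AWS negotiates exactly one, so the selective match has to move into an ordinary interface ACL. The same consolidation step is worth running over what you advertise by BGP before it reaches the 100-prefix limit of the AWS peer.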
18. What is BGP?
   • TCP-based protocol on port 179
   • BGP neighbors exchange routing information (prefixes)
   • More specific prefixes are preferred
   • Uses Autonomous System Numbers (AS numbers)
   • iBGP: between peers in the same AS
   • eBGP: between peers in different ASes
   • AS_PATH: measure of network "distance"
   • Local Preference: weighting of identical prefixes
19. Dynamic VPN (CORP 172.16.0.0/16 to VPC 10.0.0.0/16)
   AWS side: Tunnel 1 IP 169.254.169.1/30, Tunnel 2 IP 169.254.169.5/30, both BGP AS 7224
   CORP side: Tunnel 1 IP 169.254.169.2/30, Tunnel 2 IP 169.254.169.6/30, both BGP AS 65001
   VPC route table:
     Destination     Target
     10.0.0.0/16     Local
     172.16.0.0/16   VGW
20. Dynamic VPN (same layout, with the AWS side of both tunnels in BGP AS 17493 and the CORP side in BGP AS 65001)
   • BGP peer IP addresses are automatically generated
   • Customer AS number: owned or private ASN
   • Amazon AS number is fixed per region
21. Path Selection - inside the VGW
   1. Most specific IP prefix: 192.168.10.0/24 over 192.168.0.0/16
   2. Direct Connect (irrespective of AS_PATH length)
   3. Static VPN connection
   4. Dynamic (BGP) VPN connection
   5. Shortest AS_PATH: 65001 i over 65001 65001 i
22. Resilient Dynamic VPN (diagram: CORP runs OSPF internally and iBGP between its edge routers, each of which has an eBGP session to AWS)
23. Resilient Dynamic VPN - Multiple VPCs (diagram: the same CORP setup with a VPN connection to each VPC)
24. AWS Direct Connect
25. What is AWS Direct Connect...
   • Dedicated, private pipes into AWS
   • Create private (VPC) or public virtual interfaces to AWS
   • Reduced data-out rates (data-in still free)
   • Consistent network performance
   • At least 1 location for each AWS region
   • Option for redundant connections
   • Multiple AWS accounts can share a connection
   • Inter-Region enables connectivity to multiple regions in the US
   • Uses BGP to exchange routing information over a VLAN
26. Direct Connect - Locations
   • Asia Pacific (Seoul): KINX, Seoul, Korea
   • Asia Pacific (Singapore): Equinix SG2, Singapore; GlobalSwitch, Singapore; GPX, Mumbai, India
   • Asia Pacific (Sydney): Equinix SY3, Sydney, Australia; Global Switch, Sydney, Australia
   • Asia Pacific (Tokyo): Equinix OS1, Osaka, Japan; Equinix TY2, Tokyo, Japan
   • AWS GovCloud (US): Equinix SV1 & SV5, San Francisco, CA
   • China (Beijing): CIDS Jiachuang IDC, Beijing, China; Sinnet Jiuxianqiao IDC, Beijing, China
   • EU Central (Frankfurt): Equinix FR5, Frankfurt, Germany; Interxion Frankfurt, Germany
   • EU West (Ireland): Equinix LD4 - LD6, London, England; Eircom Clonshaugh, Dublin, Ireland; TelecityGroup, London Docklands, London, England
   • South America (Sao Paulo): Terremark NAP do Brasil, Sao Paulo, Brasil; Tivit, Sao Paulo, Brasil
   • US East (Virginia): CoreSite NY1 & NY2, New York, NY; Equinix DA1 - DA3 & DA6, Dallas, TX; Equinix DC1 - DC6 & DC10, Ashburn, VA
   • US West (Northern California): CoreSite One Wilshire & 900 North Alameda, CA; Equinix SV1 & SV5, San Francisco, CA
   • US West (Oregon): EdgeConneX Portland, OR; Equinix SE2 & SE3, Seattle, WA; Switch SUPERNAP 8, Las Vegas, NV
27. Terminology for Physical Connections: Leased Line, Ethernet Private Line, Pseudo-wire, Point-to-point circuit, LAN Extension, MPLS / VPLS / IP-VPN / L3-VPN
28. Physical Connection
   • Cross connect at the location
   • Single mode fiber: 1000Base-LX or 10GBASE-LR
   • Potential onward delivery via Direct Connect Partner
   • Customer router
29. At the Direct Connect Location (diagram): AWS Direct Connect routers on the AWS backbone network, a cross connect to the customer router in colocation at the DX location, and the customer's access circuit back to the customer network backbone, with the demarcation point between the access circuit and the customer router
30. Dedicated Port via Direct Connect Partner (diagram): AWS Direct Connect routers, a cross connect to the partner's equipment in colocation at the DX location, and the partner network's access circuit to the customer router, with the demarcation point on the partner network
31. Layers of Direct Connect
   Layer 1 - Physical: Single mode fiber, 1G or 10G
   Layer 2 - Data Link: Ethernet, 802.1Q VLAN
   Layer 3 - Network: Peer & Amazon IP
   Layer 4 - Transport: TCP
   Layer 7 - Application: BGP ("routing of traffic")
32. Layers of Direct Connect (stack view): Direct Connect connection on single mode fiber (1G or 10G); Ethernet 802.1Q VLAN; peer & Amazon IP; one virtual interface per VLAN; BGP; Virtual Private Gateway in account 1 ("routing of traffic")
33. Public and Private Virtual Interfaces
   • 802.1Q VLAN
   • eBGP session. Note: max prefixes on the AWS peer: 100
   • Private Virtual Interface: access to VPC. Note: not VPC Endpoints, and not transitive via VPC Peering
   • Public Virtual Interface: access to non-VPC services
34. Account ownership of Direct Connect (stack view): the Direct Connect connection (single mode fiber, 1G or 10G) and its 802.1Q VLAN belong to account 1; the hosted virtual interface (one per VLAN), with peer & Amazon IPs and BGP, terminates on a Virtual Private Gateway in account 2
35. Sub-1G via Direct Connect Partner (stack view): the partner owns the Direct Connect interconnect (single mode fiber, 1G or 10G); the customer receives a hosted connection on an 802.1Q VLAN with a bandwidth of 50, 100, 200, 300, 400 or 500 Mbps, a single virtual interface with peer & Amazon IPs, and BGP to the Virtual Private Gateway
36. Sharing Hosted Connections (stack view): as slide 35, with the hosted connection in account 1 and the single hosted virtual interface and its Virtual Private Gateway in account 2
37. Private Virtual Interface
   • Only provides access to resources in a VPC. Note: not VPC Endpoints, and not transitive via VPC Peering
   • Attaches to the Virtual Private Gateway, same as a VPN connection
   • Multiple private VIFs can be attached for resilience
   • Any IP addresses and ASN for BGP peering are acceptable
38. Single Private Virtual Interface (CORP 172.16.0.0/16 to VPC 10.0.0.0/16)
   VPC route table:
     Destination     Target   Propagated
     10.0.0.0/16     Local
     172.16.0.0/16   VGW      Yes
   AWS side: dxvif-wwxxyyzz, VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 key
   Customer side: interface gi0/0.100, VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 key
   eBGP: AS65001 announces 172.16.0.0/16; AS7224 announces 10.0.0.0/16
   The MD5 key is TCP MD5 authentication (RFC 2385) of the BGP session: it lets each side reject spoofed or injected BGP segments, but it does not encrypt the traffic carried over the VIF.
39. Adding Redundancy. "Everything fails, all the time." - Werner Vogels
40. Dual DX - Single Location (diagram): two cross connects from the AWS Direct Connect routers to a single customer router in colocation at the DX location, with one service provider network back to CORP
41-42. Dual Private Virtual Interface (CORP 172.16.0.0/16 to VPC 10.0.0.0/16), one eBGP session per VIF
   VIF 1: AWS side dxvif-wwxxyyzz, VLAN 100, IP 169.254.254.9/30, BGP AS 7224, MD5 key; customer side interface gi0/0.100, VLAN 100, IP 169.254.254.10/30, BGP AS 65001, MD5 key
   VIF 2: AWS side dxvif-aabbccdd, VLAN 100, IP 169.254.254.13/30, BGP AS 7224, MD5 key; customer side interface gi0/0.100, VLAN 100, IP 169.254.254.14/30, BGP AS 65001, MD5 key
43. Dual DX - Single Location revisited (diagram: as slide 40, both connections terminating on the single customer router over one service provider network)
44. Dual DX - Single Location revisited (diagram: the two connections now terminate on two customer routers in colocation at the DX location, still over one service provider network)
45. Single DX - Dual Location (diagram): one connection at each of DX Location 1 and DX Location 2, each with its own customer routers in colocation, over the service provider network
46. Dual DX - Dual Location (diagram): two connections at each of DX Location 1 and DX Location 2, with customer routers in colocation at both, over the service provider network
47-48. Dual VIF - Active/Active: both VIFs carry traffic (AWS peers 169.254.254.9/30 and 169.254.254.13/30; from the VGW's perspective the customer peers are 169.254.254.10/30 and 169.254.254.14/30)
49-52. Dual VIF - Active/Passive: same VIFs and peers, but traffic uses one VIF and the other takes over only when the active one fails
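The path-selection order on slide 21 and the active/active versus active/passive pairs on slides 47 to 52, as an added Python example. This is not AWS code (the VGW's implementation is not public); it simply applies the slide's rules in order. The dxvif-* names and ASN 65001 come from the slides; the tunnel name, the route table itself and the use of AS_PATH prepending to demote one VIF to passive (slide 21 shows `65001 65001 i` losing to `65001 i` but does not name prepending as the mechanism) are the example's assumptions.

```python
"""VGW path selection (slide 21) and active/active vs active/passive VIFs (slides 47-52).
Added example, not AWS code: it applies the slide's rules literally."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network

# Middle rules of the slide: Direct Connect beats a static VPN route, which beats a
# dynamic (BGP) VPN route, regardless of AS_PATH length.
SOURCE_RANK = {"direct_connect": 0, "static_vpn": 1, "dynamic_vpn": 2}

CORP_ASN = 65001   # customer ASN used throughout the slides


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    source: str          # key of SOURCE_RANK
    next_hop: str        # VIF or tunnel label (dxvif-* names from the slides, tunnel name assumed)
    as_path: tuple = ()  # empty for static routes


def make_route(prefix, source, next_hop, as_path=()):
    return Route(ip_network(prefix), source, next_hop, tuple(as_path))


def prepend(route, asn, times=1):
    """AS_PATH prepending: the assumed customer-side way to demote a VIF to passive."""
    return replace(route, as_path=(asn,) * times + route.as_path)


def preference(route):
    """Lower tuple wins: longest prefix first, then source rank, then shortest AS_PATH."""
    return (-route.prefix.prefixlen, SOURCE_RANK[route.source], len(route.as_path))


def select_next_hops(routes, destination):
    """Next hop(s) the VGW would use for destination. Two entries mean the paths tie
    (active/active); one entry means the other path is passive; [] means no route."""
    dest = ip_address(destination)
    matching = [r for r in routes if dest in r.prefix]
    if not matching:
        return []
    best = min(preference(r) for r in matching)
    return sorted(r.next_hop for r in matching if preference(r) == best)


def demo_routes():
    """Constructed routing table: the slides' dual private VIFs plus a dynamic VPN tunnel."""
    return [
        make_route("192.168.0.0/16", "direct_connect", "dxvif-wwxxyyzz", [CORP_ASN]),
        make_route("192.168.10.0/24", "dynamic_vpn", "vpn-tunnel-1", [CORP_ASN]),
        make_route("172.16.0.0/16", "direct_connect", "dxvif-wwxxyyzz", [CORP_ASN]),
        make_route("172.16.0.0/16", "direct_connect", "dxvif-aabbccdd", [CORP_ASN]),
        make_route("172.16.0.0/16", "dynamic_vpn", "vpn-tunnel-1", [CORP_ASN]),
    ]


def active_passive_routes():
    """Same table with 172.16.0.0/16 on dxvif-aabbccdd prepended once (65001 65001 i)."""
    routes = demo_routes()
    routes[3] = prepend(routes[3], CORP_ASN)
    return routes


if __name__ == "__main__":
    # A /24 over the VPN beats a /16 over Direct Connect: rule 1 comes before rule 2.
    print(select_next_hops(demo_routes(), "192.168.10.5"))            # ['vpn-tunnel-1']
    # Equal prefix, both Direct Connect, equal AS_PATH: active/active on both VIFs.
    print(select_next_hops(demo_routes(), "172.16.0.1"))              # ['dxvif-aabbccdd', 'dxvif-wwxxyyzz']
    # Prepending on one VIF makes it passive; the VPN route never wins against Direct Connect.
    print(select_next_hops(active_passive_routes(), "172.16.0.1"))    # ['dxvif-wwxxyyzz']
```

The ordering is what matters operationally: because Direct Connect ranks above any VPN route before AS_PATH is even considered, prepending on a VIF only moves traffic between VIFs, never onto the VPN backup, and a more specific prefix learned over the VPN will pull traffic off Direct Connect regardless of how the VIFs are tuned.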
53. Public Virtual Interface
   • Provides access to Amazon public IP addresses
   • Requires public IP addresses for the BGP session. If you can't provide them, raise a case with AWS Support
   • A public ASN must be owned by the customer; a private ASN is OK
   • Inter-Region is available in the US
54. Public Virtual Interface (CORP 172.16.0.0/16)
   AWS side: dxvif-wwxxyyzz, VLAN 200, IP 54.239.244.57/31, BGP AS 7224, MD5 key
   Customer side: interface gi0/0.200, VLAN 200, IP 54.239.244.56/31, BGP AS 65001, MD5 key
   AS65001 announces 54.239.244.56/31
   AS7224 announces, among others:
     184.72.96.0/19    via 7224 16509 14618 i
     184.72.128.0/17   via 7224 16509 14618 i
     184.73.0.0        via 7224 16509 14618 i
     184.169.128.0/17  via 7224 16509 i
     199.127.232.0/22  via 7224 16509 i
     199.255.192.0/22  via 7224 16509 i
     ...
55. Public Virtual Interface (diagram: AWS peer IP 54.239.244.57/31, BGP AS 7224)
56. Ordering Process
57. How to order AWS Direct Connect
   1. Select your region
   2. Create a connection
   3. Receive LOA-CFA
   4. Cross connect
   5. Create virtual interface
   6. Configure customer router
58. How to order sub-1G via an APN Partner
   1. Provide your Direct Connect Partner with your account number
   2. Accept the hosted connection
   3. Create virtual interface
   4. Configure customer router
59. Direct Connect with VPN Backup (diagram: CORP connected to DX Location 1 and DX Location 2, with a VPN connection as the backup path)
60. Hardware VPN over DX Public VIF (CORP 172.16.0.0/16)
   Public VIF as on slide 54: dxvif-wwxxyyzz, VLAN 200, AWS peer 54.239.244.57/31 in BGP AS 7224; customer interface gi0/0.200, VLAN 200, 54.239.244.56/31 in BGP AS 65001; MD5 key on both sides
   VPN tunnels carried over the public VIF: AWS side Tunnel 1 169.254.169.1/30 and Tunnel 2 169.254.169.5/30, both BGP AS 17493; customer side Tunnel 1 169.254.169.2/30 and Tunnel 2 169.254.169.6/30, both BGP AS 65001
   The hardware VPN endpoints are reachable through the public VIF, so the IPsec tunnels add encryption on top of the Direct Connect link, which does not encrypt traffic by itself.
61. Billing
   • VPN connections: connection hours; data transfer at Internet rates
   • Direct Connect: port hours; reduced data transfer rates; no charge for resources owned by other accounts; VPN data transfer over Direct Connect at the reduced rate
62. Things to remember
   • All Direct Connect locations are at 3rd party data centers
   • You will have to work with at least one other organization: could be just the data center; could be a network provider / Direct Connect Partner; could be multiple network providers AND the data center
   • Sub-1G hosted connections support a single VIF
   • You can share VIFs with other accounts
   • Public VIFs include the hardware VPN endpoints
63. Demo
64. Demo Architecture: on-premises LAN 192.168.51.0/24 with host 192.168.51.10 and router interface Gi0/1 192.168.51.254; the router's Gi0/0 faces the Internet and Gi0/0/0 faces DX 1 at the DX location (Telecity London); eu-west-1 (Ireland) VPC 10.0.0.0/16 with DemoInst 10.0.0.50
65. We look forward to your feedback! https://www.awssummit.co.kr Visit the mobile page and complete the session evaluation now to receive a souvenir after the event. Share your impressions of the event on social media with the #AWSSummit hashtag. The presentation materials and recorded videos will soon be shared on AWS Korea's official social channels.
66. Thank you! @sseymour Steve Seymour, Specialist Solutions Architect
