If your institution is beginning your cloud journey with Internet2 NET+ AWS, join this webinar to learn how to get started. This webinar will spend 30 minutes covering how to connect to AWS via the Internet2 Network, and then deep dive into networking topics. You’ll learn high-level network design, how to transfer packets to and from the AWS Cloud, and the basics of Amazon Virtual Private Cloud (VPC), VPNs to AWS, and Direct Connect. Finally, you’ll get an overview of how the Internet2 Network facilitates connections to Regional Networks in the US and other National Research and Education Networks (NREN) internationally.
An Overview to Networking in the AWS Cloud for Education [Webinar Slides]
1. An Overview to Networking in the AWS Cloud for Education
Mike Kuentz, Senior Solutions Architect - Education
5/23/2017
2. What to Expect from the Session
• AWS networking overview
• Connectivity options
• Configuration options
• Edu specific problems and solutions
3. AWS Global Infrastructure
16 Regions – 42 Availability Zones – 74 Edge Locations
Region & Number of Availability Zones (from the map):
• AWS GovCloud (2)
• US West: Oregon (3), Northern California (3)
• US East: N. Virginia (5), Ohio (3)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), Frankfurt (2), London (2)
• Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
• China: Beijing (2)
Announced Regions: Sweden, Paris, Ningxia
6. Virtual Private Cloud
A VPC is a virtual network within an AWS Region where you can launch resources.
You define:
• Address space (RFC 1918)
• Network subnets
• Route tables
• Firewall and ACL rules
• Internet connectivity
Peer multiple VPCs across one or more accounts.
Extend your on-premises network into AWS.
View the “From One To Many: Evolving VPC Design” video.
[Diagram: a 10.0.0.0/16 VPC containing the subnets 10.0.0.0/24 and 10.0.1.0/24]
7. Amazon Virtual Private Cloud (VPC)
[Diagram: a Root Account (Payer) with linked Sandbox, Central IT, Researcher and Department accounts]
8. Amazon Virtual Private Cloud (VPC)
[Diagram: the same account structure as slide 7]
9. VPC Peering
[Diagram: VPCs A, B and C across the Root Account (Payer), Sandbox, Central IT, Researcher and Department accounts; A is peered with B and B is peered with C]
A == B && B == C, but A != C: peering between A and B and between B and C does not give A a path to C, because VPC peering is not transitive.
13. Public and Private Subnets
[Diagram: VPC 10.0.0.0/16 spanning Availability Zone A and Availability Zone B. Public subnets 10.0.0.0/24 (AZ A, instance 10.0.0.5) and 10.0.1.0/24 (AZ B, instance 10.0.1.5), whose instances carry the public addresses 54.54.54.127 and 54.54.54.128; private subnets 10.0.4.0/24 (AZ A, instance 10.0.4.5) and 10.0.5.0/24 (AZ B, instance 10.0.5.5)]
Public subnet route table: 0.0.0.0/0 → Internet Gateway
Private subnet route table: 0.0.0.0/0 → NAT
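As an added example (not code from the slides), the following Python script checks a VPC address plan of the kind drawn on slides 9 and 13 before anything is built: RFC 1918 address space, subnets inside the VPC and non-overlapping, a public/private classification from the 0.0.0.0/0 target, and peering reachability, which is point-to-point (A reaches B and B reaches C, but A does not reach C) and requires the peered VPCs to have non-overlapping CIDRs. The VPC and subnet names and the CIDRs chosen for VPCs B and C are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan modelled on the slides: one VPC 10.0.0.0/16 with two
# public and two private subnets across two Availability Zones (slide 13), plus
# two further VPCs peered in a chain A<->B<->C (slide 9). Names and the CIDRs
# of VPCs B and C are assumptions, not values from the slides.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VPCS = {
    "A": {"cidr": "10.0.0.0/16",
          "subnets": {
              "public-a":  {"cidr": "10.0.0.0/24", "az": "a", "default_route": "igw"},
              "public-b":  {"cidr": "10.0.1.0/24", "az": "b", "default_route": "igw"},
              "private-a": {"cidr": "10.0.4.0/24", "az": "a", "default_route": "nat"},
              "private-b": {"cidr": "10.0.5.0/24", "az": "b", "default_route": "nat"},
          }},
    "B": {"cidr": "10.1.0.0/16", "subnets": {}},
    "C": {"cidr": "10.2.0.0/16", "subnets": {}},
}
# Peering connections are point-to-point: A<->B and B<->C exist, A<->C does not.
PEERINGS = {("A", "B"), ("B", "C")}


def validate_vpc(name, vpc):
    """Return a list of problems found in one VPC's address plan (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(vpc["cidr"])
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{name}: {net} is not RFC 1918 space")
    subnets = {n: ipaddress.ip_network(s["cidr"]) for n, s in vpc["subnets"].items()}
    for sname, snet in subnets.items():
        if not snet.subnet_of(net):
            problems.append(f"{name}/{sname}: {snet} lies outside VPC {net}")
    for (n1, s1), (n2, s2) in combinations(subnets.items(), 2):
        if s1.overlaps(s2):
            problems.append(f"{name}: subnets {n1} and {n2} overlap")
    # The default route decides the subnet type: Internet Gateway means public
    # (inbound reachable), NAT means private (outbound only).
    for sname, s in vpc["subnets"].items():
        if s["default_route"] not in ("igw", "nat"):
            problems.append(f"{name}/{sname}: unknown default route target {s['default_route']!r}")
    return problems


def subnet_kind(vpc, subnet_name):
    """Classify a subnet as 'public' or 'private' from its 0.0.0.0/0 target."""
    return "public" if vpc["subnets"][subnet_name]["default_route"] == "igw" else "private"


def can_reach(a, b, peerings):
    """VPC peering is not transitive: only directly peered VPCs exchange traffic."""
    return a == b or (a, b) in peerings or (b, a) in peerings


def validate_peerings(vpcs, peerings):
    """Peered VPCs must have non-overlapping CIDRs, otherwise routes would be ambiguous."""
    problems = []
    for a, b in peerings:
        na = ipaddress.ip_network(vpcs[a]["cidr"])
        nb = ipaddress.ip_network(vpcs[b]["cidr"])
        if na.overlaps(nb):
            problems.append(f"peering {a}<->{b}: {na} overlaps {nb}")
    return problems


if __name__ == "__main__":
    for n, v in VPCS.items():
        print(n, validate_vpc(n, v) or "ok")
    print(validate_peerings(VPCS, PEERINGS) or "peerings ok")
    for pair in (("A", "B"), ("B", "C"), ("A", "C")):
        print(f"{pair[0]} -> {pair[1]}:", can_reach(*pair, PEERINGS))
```

Run it as a pre-flight check on a plan file before creating the VPCs; the reachability function is the part that trips people up in multi-account designs, since a hub VPC peered with everyone does not make the spokes reachable from each other.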
15. Management VPC
[Diagram: Quick Start Design with Management, Production, and Notional Development VPCs. Users; NAT and Bastion hosts in us-east-1b and us-east-1c; CloudTrail, AWS Config Rules and CloudWatch Alarms; an Archive Logs Bucket with S3 Lifecycle Policies to Glacier. Potential use for security appliances for monitoring, logging, etc.]
17. Hardware VPN
• Fully managed and highly available VPN termination endpoint at AWS end
• 1 connection, 2 VPN tunnels per VPC
• IPSec site-to-site tunnel with AES-256, SHA-2, and latest DH groups
• Support for NAT-T
• Pay $0.05 per hour per VPN connection
• Static or dynamic (BGP)
39. AWS Direct Connect
• Dedicated, private connection into AWS
• 1 Gbps / 10 Gbps
• Smaller options through partners
• Create private (VPC) or public virtual interfaces to AWS
• Consistent network performance
• Option for redundant connections
• Multiple AWS accounts can share a connection
• Uses BGP to exchange routing information over a VLAN
40. Direct Connect Locations (US)
[Map: AWS Regions Oregon, N. California, GovCloud, Ohio and N. Virginia; Direct Connect location(s) at Seattle, Portland, Las Vegas, Los Angeles, Santa Clara, San Jose, Dallas, Chicago, New York City, Newark, Philadelphia, Reston and Ashburn]
41. Terminology for physical connections
• Dark fiber, DWDM
• Leased line
• Ethernet private line
• Pseudo-wire
• Point-to-point circuit
• LAN extension
• MPLS / VPLS / IP-VPN / L3-VPN
• MetroE, L2 link, eline, QinQ, EoMPLS
42. Physical connection
• Cross connect at the location
• Single mode fiber
- 1000Base-LX or 10GBASE-LR
• Potential onward delivery via Direct Connect Partner
• Customer router
44. Public Virtual Interface
[Diagram: AWS router (54.54.54.1/30) and Customer router (54.54.54.3/30) with a BGP session over a VLAN across Direct Connect. The customer provides the /30 and advertises public routes; AWS advertises public routes for Amazon S3, Elastic Load Balancing, and other services and APIs]
45. Reach public routes advertised by all US regions from a single PoP (North America only)
[Map: Direct Connect location CoreSite NY1/NY2 reaching the AWS Regions us-east-1, us-east-2, us-west-1 and us-west-2]
46. Direct Connect Overview
[Diagram: one physical interface on a Direct Connect connection carrying four virtual interfaces (Public VIF, VIF A, VIF B, VIF C) on VLANs 100, 200, 300 and 400; VIFs A, B and C attach to VPCs A, B and C, spread across Account 1 and Account 2]
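The following check is an added example, not from the slides, for the kind of Direct Connect plan shown on slides 44 and 46: every virtual interface on a connection needs its own VLAN tag, and each BGP peering needs two distinct usable addresses out of the customer-provided /30. The VIF names and VLANs come from the slides; the peer /30s for VIFs A to C are assumptions. The public VIF entry uses the 54.54.54.1 / 54.54.54.3 pair exactly as drawn on slide 44, and because a /30 has only two usable addresses (.1 and .2 in 54.54.54.0/30, with .3 the broadcast address) the checker reports that entry, which is the kind of slip this pre-flight check exists to catch.

```python
import ipaddress

# Constructed Direct Connect plan modelled on slides 44 and 46: one physical
# connection carrying four virtual interfaces, each on its own 802.1Q VLAN,
# with the BGP peers addressed out of a customer-provided /30. VIF names and
# VLAN numbers are from the slides; the peer /30s of VIFs A-C are assumptions.
VIFS = [
    {"name": "Public VIF", "vlan": 100, "peer_cidr": "54.54.54.0/30",
     "aws_peer": "54.54.54.1", "customer_peer": "54.54.54.3"},   # as drawn on slide 44
    {"name": "VIF A", "vlan": 200, "peer_cidr": "169.254.10.0/30",
     "aws_peer": "169.254.10.1", "customer_peer": "169.254.10.2"},
    {"name": "VIF B", "vlan": 300, "peer_cidr": "169.254.11.0/30",
     "aws_peer": "169.254.11.1", "customer_peer": "169.254.11.2"},
    {"name": "VIF C", "vlan": 400, "peer_cidr": "169.254.12.0/30",
     "aws_peer": "169.254.12.1", "customer_peer": "169.254.12.2"},
]


def check_vif(vif):
    """Return the problems found in one virtual interface definition (empty list = OK)."""
    problems = []
    if not 1 <= vif["vlan"] <= 4094:
        problems.append(f"{vif['name']}: VLAN {vif['vlan']} is outside the 802.1Q range 1-4094")
    net = ipaddress.ip_network(vif["peer_cidr"])
    if net.prefixlen != 30:
        problems.append(f"{vif['name']}: peer block {net} is not a /30")
    # A /30 has exactly two usable host addresses; the first and last addresses
    # are the network and broadcast addresses and cannot be assigned to a router.
    usable = set(net.hosts())
    aws = ipaddress.ip_address(vif["aws_peer"])
    cust = ipaddress.ip_address(vif["customer_peer"])
    for label, addr in (("AWS peer", aws), ("customer peer", cust)):
        if addr not in usable:
            problems.append(f"{vif['name']}: {label} {addr} is not a usable host in {net}")
    if aws == cust:
        problems.append(f"{vif['name']}: both BGP peers use {aws}")
    return problems


def check_connection(vifs):
    """Check every VIF, and that no two VIFs on the connection share a VLAN tag or a peer /30."""
    problems = []
    vlan_owner, cidr_owner = {}, {}
    for vif in vifs:
        problems.extend(check_vif(vif))
        if vif["vlan"] in vlan_owner:
            problems.append(f"VLAN {vif['vlan']} is used by both {vlan_owner[vif['vlan']]} and {vif['name']}")
        vlan_owner.setdefault(vif["vlan"], vif["name"])
        if vif["peer_cidr"] in cidr_owner:
            problems.append(f"peer block {vif['peer_cidr']} is used by both "
                            f"{cidr_owner[vif['peer_cidr']]} and {vif['name']}")
        cidr_owner.setdefault(vif["peer_cidr"], vif["name"])
    return problems


if __name__ == "__main__":
    for line in check_connection(VIFS) or ["connection plan ok"]:
        print(line)
```

Running the script on the plan above prints one line for the public VIF; changing its customer peer to 54.54.54.2 makes the plan pass.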
54. What is BGP? (Border Gateway Protocol)
• TCP-based protocol on port 179
• BGP neighbors exchange routing information - prefixes
• More specific prefixes are preferred
• Uses Autonomous System Numbers – ASNs
• iBGP – between peers in the same AS
• eBGP – between peers in different AS
• AS_PATH – measure of network “distance”
• Local preference – weighting of identical prefixes
55. {
"ip_prefix": "50.19.0.0/16",
"region": "us-east-1",
"service": "AMAZON"
}
50.19.0.0/17 *[BGP/170] 6w1d 11:50:53, localpref 500
AS path: 4901 11537 16509 14618 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 12w6d 10:34:06, localpref 200
AS path: 16509 14618 I, validation-state: unverified
> to 206.126.X.X via xe-X/X/X.X
[BGP/170] 12w6d 10:59:37, localpref 200
AS path: 16509 14618 I, validation-state: unverified
> to 206.126.X.X via xe-X/X/X.X
[BGP/170] 5w4d 09:33:01, MED 50, localpref 100
AS path: 6461 16509 14618 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X
56. {
"ip_prefix": "54.194.0.0/15",
"region": "eu-west-1",
"service": "AMAZON"
},
54.94.0.0/17 *[BGP/170] 5w2d 04:49:17, localpref 150
AS path: 4901 11164 3549 16509 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 1w6d 06:32:02, MED 50, localpref 100
AS path: 6461 12956 16509 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X
57. {
"ip_prefix": "54.215.0.0/16",
"region": "us-west-1",
"service": "EC2"
},
54.215.0.0/17 *[BGP/170] 5w2d 04:49:26, localpref 150
AS path: 4901 11164 16509 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 5w4d 09:32:34, MED 50, localpref 100
AS path: 6461 16509 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X
58. {
"ip_prefix": "54.68.0.0/14",
"region": "us-west-2",
"service": "EC2"
},
54.68.0.0/15 *[BGP/170] 11w2d 06:21:56, localpref 500
AS path: 4901 11537 16509 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 3w6d 02:53:33, MED 50, localpref 100
AS path: 6461 16509 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X
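A worked BGP example, added here and not part of the slides, that applies the points from slide 54 to the route output on slides 55 to 58: it parses the Juniper-style output into individual paths, picks the best path per prefix with a simplified decision process (highest local preference, then shortest AS_PATH, then lowest MED; real BGP evaluates more attributes before and after these), checks that choice against the `*` the router placed on its active path, and shows longest-prefix matching, where the /17 learned over BGP is preferred to the /16 published for the same space. The sample text is assembled from slides 55 and 58 with the redacted octets left as X; that the JSON entries come from AWS's ip-ranges.json and that the route output is from a Juniper router are assumptions.

```python
import ipaddress
import re

# Constructed sample assembled from slides 55 and 58: the published prefix
# entries (assumed to be ip-ranges.json) and the router's "show route" output
# for the more specific prefixes actually learned over BGP. "X" stands for
# octets redacted on the slides and is kept as plain text.
IP_RANGES = [
    {"ip_prefix": "50.19.0.0/16", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "54.68.0.0/14", "region": "us-west-2", "service": "EC2"},
]

SHOW_ROUTE = """\
50.19.0.0/17 *[BGP/170] 6w1d 11:50:53, localpref 500
    AS path: 4901 11537 16509 14618 I, validation-state: unverified
    > to 128.164.X.X via xe-X/X/X.X
    [BGP/170] 12w6d 10:34:06, localpref 200
    AS path: 16509 14618 I, validation-state: unverified
    > to 206.126.X.X via xe-X/X/X.X
    [BGP/170] 5w4d 09:33:01, MED 50, localpref 100
    AS path: 6461 16509 14618 I, validation-state: unverified
    > to 64.124.X.X via ge-X/X/X.X
54.68.0.0/15 *[BGP/170] 11w2d 06:21:56, localpref 500
    AS path: 4901 11537 16509 I, validation-state: unverified
    > to 128.164.X.X via xe-X/X/X.X
    [BGP/170] 3w6d 02:53:33, MED 50, localpref 100
    AS path: 6461 16509 I, validation-state: unverified
    > to 64.124.X.X via ge-X/X/X.X
"""


def parse_show_route(text):
    """Parse the route output into one dict per path: prefix, localpref, MED, AS path, next hop."""
    routes, prefix = [], None
    for raw in text.splitlines():
        head = re.match(r"^(\S+/\d+)\s+(.*)$", raw)
        if head:                      # an unindented line starts a new prefix
            prefix, raw = head.groups()
        line = raw.strip()
        if "[BGP/" in line:
            med = re.search(r"MED (\d+)", line)
            routes.append({
                "prefix": ipaddress.ip_network(prefix),
                "router_best": line.startswith("*"),   # the router marked this path active
                "localpref": int(re.search(r"localpref (\d+)", line).group(1)),
                "med": int(med.group(1)) if med else 0,  # absent MED is treated as 0
            })
        elif line.startswith("AS path:"):
            path = re.search(r"AS path: ([\d ]+) I", line).group(1)
            routes[-1]["as_path"] = [int(asn) for asn in path.split()]
        elif line.startswith("> to"):
            routes[-1]["next_hop"], routes[-1]["interface"] = re.search(r"> to (\S+) via (\S+)", line).groups()
    return routes


def by_prefix(routes):
    """Group the parsed paths by destination prefix."""
    groups = {}
    for r in routes:
        groups.setdefault(r["prefix"], []).append(r)
    return groups


def best_path(paths):
    """Simplified BGP decision: highest local preference, then shortest AS_PATH, then lowest MED."""
    return min(paths, key=lambda r: (-r["localpref"], len(r["as_path"]), r["med"]))


def known_prefixes(routes):
    """Published prefixes plus the prefixes learned over BGP."""
    return [ipaddress.ip_network(e["ip_prefix"]) for e in IP_RANGES] + [r["prefix"] for r in routes]


def longest_match(ip, prefixes):
    """Longest-prefix match: the most specific prefix containing ip is the one used for forwarding."""
    ip = ipaddress.ip_address(ip)
    return max((p for p in prefixes if ip in p), key=lambda p: p.prefixlen, default=None)


if __name__ == "__main__":
    routes = parse_show_route(SHOW_ROUTE)
    for prefix, group in by_prefix(routes).items():
        chosen = best_path(group)
        agree = "matches" if chosen["router_best"] else "differs from"
        print(f"{prefix}: best via {chosen['next_hop']} (localpref {chosen['localpref']}, "
              f"AS path {' '.join(map(str, chosen['as_path']))}), {agree} the router's * mark")
    for dst in ("50.19.1.1", "54.69.0.1", "54.70.0.1"):
        print(dst, "->", longest_match(dst, known_prefixes(routes)))
```

The three lookups at the end show the practical effect: 50.19.1.1 and 54.69.0.1 are forwarded on the more specific prefixes learned over BGP, while 54.70.0.1 falls outside the learned 54.68.0.0/15 and is covered only by the published 54.68.0.0/14.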
60. AS1 LVLT-1 - Level 3 Communications, Inc.,US
AS2 UDEL-DCN - University of Delaware,US
AS3 MIT-GATEWAYS - Massachusetts Institute of Technology,US
AS4 ISI-AS - University of Southern California,US
AS5 SYMBOLICS - Symbolics, Inc.,US
AS6 BULL-HN - Bull HN Information Systems Inc.,US
AS7 UK Defence Research Agency,GB
AS8 RICE-AS - Rice University,US
AS9 CMU-ROUTER - Carnegie Mellon University,US
AS10 CSNET-EXT-AS - CSNET Coordination and Information Center (CSNET-CIC),US
AS11 HARVARD - Harvard University,US
AS12 NYU-DOMAIN - New York University,US
AS13 DNIC-AS-00013 - Headquarters, USAISC,US
AS14 COLUMBIA-GW - Columbia University,US
AS15 NET-DYNAMICS-EXP - DYNAMICS,US
AS16 LBL - Lawrence Berkeley National Laboratory,US
AS17 PURDUE - Purdue University,US
AS18 UTEXAS - University of Texas at Austin,US
AS19 LEIDOS-AS - Leidos, Inc.,US
AS20 UR - University of Rochester,US
….
AS36427 VASSAR-ASN1 - Vassar College,US
Source: http://www.cidr-report.org/as2.0/autnums.html
Multiple class B and C networks
143.229.0.0/16
62. A Word on Data Egress
• Data going into AWS – no charge!
• Data going out:
  • Internet/Internet2 - $0.09/GB
  • Direct Connect - $0.03/GB
• DLT NET+ Services - Data Egress Waiver Program
• AWS Global Data Egress Waiver – heavily discounted
63. AWS Global Data Egress Waiver
• Work in academic or research institutions
• For research workloads or academic workloads
• Route at least 80% of the account’s Data Egress out of the AWS Cloud through an approved NREN
• Use institutional e-mail addresses for AWS accounts
• Work in an approved AWS Region
• https://aws.amazon.com/blogs/publicsector/aws-offers-data-egress-discount-to-researchers/
65. Commercial Transit
[Diagram: “This is YOU!” connected to AWS over Commercial Transit]
Pros / Cons – Commercial Transit
• PROS
  • Readily available
  • Multiple redundant paths built in
• CONS
  • At the mercy of the Internet
  • Public
  • Higher data egress cost