If your institution is beginning your cloud journey with Internet2 NET+ AWS, join this webinar to learn how to get started. This webinar will spend 30 minutes covering how to connect to AWS via the Internet2 Network, and then deep dive into networking topics. You’ll learn high-level network design, how to transfer packets to and from the AWS Cloud, and the basics of Amazon Virtual Private Cloud (VPC), VPNs to AWS, and Direct Connect. Finally, you’ll get an overview of how the Internet2 Network facilitates connections to Regional Networks in the US and other National Research and Education Networks (NREN) internationally.

1. Mike Kuentz
Senior Solutions Architect - Education
5/23/2017
An Overview to Networking in the
AWS Cloud for Education

2. What to Expect from the Session
• AWS networking overview
• Connectivity options
• Configuration options
• Edu specific problems and solutions

3. AWS Global Infrastructure
16 Regions – 42 Availability Zones – 74 Edge Locations
Region & Number of Availability Zones
AWS GovCloud (2) EU
Ireland (3)
US West Frankfurt (2)
Oregon (3) London (2)
Northern California (3)
Asia Pacific
US East Singapore (2)
N. Virginia (5), Ohio (3) Sydney (2), Tokyo (3),
Seoul (2), Mumbai (2)
Canada
Central (2) China
Beijing (2)
South America
São Paulo (3)
Announced Regions
Sweden, Paris, Ningxia

4. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Public
Bilateral
Peering
Commercial
Transit
Internet2
Transit Rail
Commercial
Peering
Service
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Common Scenarios

5. AWS Accounts
Root Account
(Payer)
Sandbox Central IT Researcher Department

6. Virtual Private Cloud
A VPC is a virtual network within an AWS
Region where you can launch resources
You define:
• Address space (RFC 1918)
• Network subnets
• Route tables
• Firewall and ACL rules
• Internet connectivity
Peer multiple VPCs across one or more
accounts
Extend your on-premises network into
AWS
View the “From One To Many: Evolving
VPC Design” video
10.0.0.0/24 10.0.1.0/24
10.0.0.0/16

7. Amazon Virtual Private Cloud (VPC)
Root Account
(Payer)
Sandbox Central IT Researcher Department

8. Amazon Virtual Private Cloud (VPC)
Root Account
(Payer)
Sandbox Central IT Researcher Department

9. A != C
VPC Peering
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
A == B && B == C A == C

10. Scenario 1:
Commercial Transit

11. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Public
Bilateral
Peering
Commercial
Transit
Internet2
Transit Rail
Commercial
Peering
Service
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Common Scenarios

12. This is
YOU!
Commercial
Transit
Commercial Transit

13. Public and Private Subnets
10.0.0.0/16
10.0.0.0/24 10.0.1.0/24
10.0.4.0/24 10.0.5.0/24
10.0.0.5 10.0.1.5
10.0.4.5 10.0.5.5
54.54.54.127 54.54.54.128
Availability Zone A Availability Zone B
0.0.0.0/0 → Internet Gateway
0.0.0.0/0 → NAT

14. CloudTr
ail
AWS
Config
CloudWatch
Alarms
Archive
Logs
Bucket
S3
Lifecycle
Policies
to
Glacier
AWS Account
Standard Architecture Deployed by AWS Quick Start
us-east-1b
us-east-1c
Proxies
NAT
RDS DB
DMZSubnet
PrivateSubnet
PrivateSubnet
RDS DB
PrivateSubnet
PrivateSubnet
Production VPC
DMZSubnet
Proxies

15. Management VPC
Use
rs
Quick Start Design with Management, Production, and Notional Development VPCs
Archive
Logs
Bucket
S3 Lifecycle
Policies to
Glacier
CloudTr
ail
AWS
Config
Rules
CloudWatch
Alarms
NAT
us-east-1b
Bastion
us-east-1c
Potential
use for
security
appliances
for
monitoring,
logging,
etc.

16. VPC Peering
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C

17. Hardware VPN
• Fully managed and highly available VPN termination
endpoint at AWS end
• 1 connection, 2 VPN tunnels per VPC
• IPSec site-to-site tunnel with AES-256, SHA-2, and
latest DH groups
• Support for NAT-T
• Pay 0.05$ per hour per VPN connection
• Static or dynamic (BGP)

18. Site-to-site VPN
VPC
Virtual
Private
Gateway
Customer
Gateway
VPN
Router 1
VPN
Router 2
IKE: UDP port 500
IPsec: IP protocol 50
On-premises
hosts
Account 1

19. Redundant Customer Gateways
Customer Gateway 1
VPC
Virtual
Private
Gateway
VPN
Router 1
VPN
Router 2
Account 1 Customer Gateway 2

20. Multiple VPCs / Multiple VPN Tunnels
VPC
Virtual Private
Gateway
Account 1
VPC
Virtual Private
Gateway
Account 2
Customer Gateway

21. Tunnel Home
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
Customer Gateway

22. Scenario 2:
Public Bilateral Peering

23. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Public
Bilateral
Peering
Commercial
Transit
Internet2
Transit Rail
Commercial
Peering
Service
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Common Scenarios

24. This is
YOU!
Public
Bilateral
Peering
Public Bilateral Peering

25. Scenario 3:
Regional Network

26. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Public
Bilateral
Peering
Commercial
Transit
Internet2
Transit Rail
Commercial
Peering
Service
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Common Scenarios

27. This is
YOU!
Regional
Network
Public
Bilateral
Peering
Regional Network - Peering

28. Tunnel Home
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
Customer Gateway

29. Scenario 4:
Internet2
Research & Education Network

30. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Public
Bilateral
Peering
Commercial
Transit
Internet2
Transit Rail
Commercial
Peering
Service
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Common Scenarios

31. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Internet2 Research & Education Network

32. This is
YOU!
Internet2
Research &
Education
Network
Internet2 Research & Education Network

33. Use Internet2 to Access Your Workloads
us-west-2
us-east-1
AWS and Internet2
Network Peering Location
And Bandwidth
AWS Region
80 Gbps
20 Gbps

34. Other Regions?
us-west-2
us-east-1
AWS and Internet2
Network Peering Location
And Bandwidth
AWS Region
80 Gbps
20 Gbps
us-east-2

35. Tunnel Home
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
Customer Gateway

36. Scenario 5:
AWS Direct Connect

37. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Public
Bilateral
Peering
Commercial
Transit
Internet2
Transit Rail
Commercial
Peering
Service
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Common Scenarios

38. This is
YOU!
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
AWS Direct Connect (DX)

39. AWS Direct Connect
• Dedicated, private connection into AWS
• 1 Gbps / 10 Gbps
• Smaller options through partners
• Create private (VPC) or public virtual interfaces to AWS
• Consistent network performance
• Option for redundant connections
• Multiple AWS accounts can share a connection
• Uses BGP to exchange routing information over a VLAN

40. Direct Connect Locations (US)
Oregon
N. Virginia
Direct Connect location(s)
AWS Region
GovCloud
N. California
Ohio New York City
Newark
Philadelphia
Dallas
Chicago
Reston
Ashburn
Seattle
Las Vegas
Los Angeles
Santa Clara
San Jose
Portland

41. Terminology For physical connections
• Dark fiber, DWDM
• Leased line
• Ethernet private line
• Pseudo-wire
• Point-to-point circuit
• LAN extension
• MPLS / VPLS / IP-VPN / L3-VPN
• MetroE, L2 link, eline, QinQ, EoMPLS

42. Physical connection
• Cross connect at the location
• Single mode fiber
- 1000Base-LX or 10GBASE-LR
• Potential onward delivery via Direct Connect Partner
• Customer router

43. Private Virtual Interface (VIF)
AWS router
169.254.255.1/30
Customer router
169.254.255.3/30
BGP session
VLAN
Direct Connect
AWS advertises
VPC routes
Customer
advertises
private routes

44. Public Virtual Interface
AWS router
54.54.54.1/30
Customer router
54.54.54.3/30
BGP session
VLAN
Direct Connect
Customer
provides /30
Customer
advertises
public routes
AWS
advertises
public routes
Amazon S3
Elastic Load
Balancing
Other Services
and APIs

45. Reach public routes advertised by all US regions
from a single PoP (North America only)
us-west-2
us-west-1
us-east-1
Direct Connect location
AWS Region
CoreSite NY1/NY2
us-east-2

46. Direct Connect Overview
VPC B
VPC C
VPC A
VIF A
VIF B
VIF C
Public VIF
VLAN 400
VLAN 300
VLAN 100
VLAN 200
Account 1
Direct Connect
Account 2
Physical
interface

47. This is
YOU!
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
AWS Direct Connect (DX)

48. This is
YOU!
AWS
Direct
Connect
Location
AWS Direct Connect & Internet2 AL2S
Internet2
Advanced
Layer 2
Service
(AL2S)

49. VPN
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
Customer Gateway

50. Direct Connect
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
Direct Connect

51. VPN over DX
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
Customer GatewayDirect Connect

52. Scenario 5:
Use them all!

53. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Public
Bilateral
Peering
Commercial
Transit
Internet2
Transit Rail
Commercial
Peering
Service
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Common Scenarios

54. What is BGP? (Border Gateway Protocol)
• TCP-based protocol on port 179
• BGP neighbors exchange routing information - prefixes
• More specific prefixes are preferred
• Uses Autonomous System Numbers – ASNs
• iBGP – between peers in the same AS
• eBGP – between peers in different AS
• AS_PATH – measure of network “distance”
• Local preference – weighting of identical prefixes

55. {
"ip_prefix": "50.19.0.0/16",
"region": "us-east-1",
"service": "AMAZON"
}
50.19.0.0/17 *[BGP/170] 6w1d 11:50:53, localpref 500
AS path: 4901 11537 16509 14618 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 12w6d 10:34:06, localpref 200
AS path: 16509 14618 I, validation-state: unverified
> to 206.126.X.X via xe-X/X/X.X
[BGP/170] 12w6d 10:59:37, localpref 200
AS path: 16509 14618 I, validation-state: unverified
> to 206.126.X.X via xe-X/X/X.X
[BGP/170] 5w4d 09:33:01, MED 50, localpref 100
AS path: 6461 16509 14618 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X

56. {
"ip_prefix": "54.194.0.0/15",
"region": "eu-west-1",
"service": "AMAZON"
},
54.94.0.0/17 *[BGP/170] 5w2d 04:49:17, localpref 150
AS path: 4901 11164 3549 16509 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 1w6d 06:32:02, MED 50, localpref 100
AS path: 6461 12956 16509 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X

57. {
"ip_prefix": "54.215.0.0/16",
"region": "us-west-1",
"service": "EC2"
},
54.215.0.0/17 *[BGP/170] 5w2d 04:49:26, localpref 150
AS path: 4901 11164 16509 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 5w4d 09:32:34, MED 50, localpref 100
AS path: 6461 16509 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X

58. {
"ip_prefix": "54.68.0.0/14",
"region": "us-west-2",
"service": "EC2"
},
54.68.0.0/15 *[BGP/170] 11w2d 06:21:56, localpref 500
AS path: 4901 11537 16509 I, validation-state: unverified
> to 128.164.X.X via xe-X/X/X.X
[BGP/170] 3w6d 02:53:33, MED 50, localpref 100
AS path: 6461 16509 I, validation-state: unverified
> to 64.124.X.X via ge-X/X/X.X

59. Tools
https://routerproxy.grnoc.iu.edu/internet2/
https://www.peeringdb.com/asn/16509
telnet://route-views2.routeviews.org

60. AS1 LVLT-1 - Level 3 Communications, Inc.,US
AS2 UDEL-DCN - University of Delaware,US
AS3 MIT-GATEWAYS - Massachusetts Institute of Technology,US
AS4 ISI-AS - University of Southern California,US
AS5 SYMBOLICS - Symbolics, Inc.,US
AS6 BULL-HN - Bull HN Information Systems Inc.,US
AS7 UK Defence Research Agency,GB
AS8 RICE-AS - Rice University,US
AS9 CMU-ROUTER - Carnegie Mellon University,US
AS10 CSNET-EXT-AS - CSNET Coordination and Information Center (CSNET-CIC),US
AS11 HARVARD - Harvard University,US
AS12 NYU-DOMAIN - New York University,US
AS13 DNIC-AS-00013 - Headquarters, USAISC,US
AS14 COLUMBIA-GW - Columbia University,US
AS15 NET-DYNAMICS-EXP - DYNAMICS,US
AS16 LBL - Lawrence Berkeley National Laboratory,US
AS17 PURDUE - Purdue University,US
AS18 UTEXAS - University of Texas at Austin,US
AS19 LEIDOS-AS - Leidos, Inc.,US
AS20 UR - University of Rochester,US
….
….
AS36427 VASSAR-ASN1 - Vassar College,US
Source: http://www.cidr-report.org/as2.0/autnums.html
Multiple class B and C networks
143.229.0.0/16

61. Multiple Options
Root Account
(Payer)
Sandbox Central IT Researcher Department
A B C
Customer Gateway
Direct Connect

62. A Word on Data Egress
• Data going into AWS – no charge!
• Data going out
• Internet/Internet2 - $0.09/GB
• Direct Connect - $0.03/GB
• DLT NET+ Services - Data Egress Waiver Program
• AWS Global Data Egress Waiver – heavily discounted

63. AWS Global Data Egress Waiver
• Work in academic or research institutions
• For research workloads or academic workloads
• Route at least 80% of the account’s Data Egress out of
the AWS Cloud through an approved NREN
• Use institutional e-mail addresses for AWS accounts
• Work in an approved AWS Region
• https://aws.amazon.com/blogs/publicsector/aws-offers-
data-egress-discount-to-researchers/

64. Choose the Right Networking
Approach for Your Institution

65. This is
YOU!
Commercial
Transit
Pros / Cons – Commercial Transit
• PROS
• Readily available
• Multiple redundant paths built in
• CONS
• At the mercy of the Internet
• Public
• Higher data egress cost

66. This is
YOU!
Regional
Network
Internet2
Research &
Education
Network
Pros / Cons – Internet2
• PROS
• Multiple redundant paths built in
• FAST!!!
• CONS
• Shared infrastructure
• Semi Public
• Higher data egress cost (AWS sees it as
out over the Internet)

67. This is
YOU!
Privately
Owned or
Carrier
Network
AWS
Direct
Connect
Location
Pros / Cons – AWS Direct Connect
• PROS
• Private circuit
• Low latency
• Lower data egress costs
• CONS
• Longer setup times at start
• Can be more expensive to do
redundantly
• Need network engineering help

68. Thank you!