AWS Cloud Connectivity options for the Campus and Data Center
Jay Ratford
BlueChipTek
3/31/16
Copyright: Blue Chip Tek, Inc. Confidential - Do Not Distribute 1
Agenda
• Introduction to BlueChipTek
• VPC Overview: Why do I need VPC Connectivity?
• Connectivity: VPN vs Direct Connect
• Case Studies:
  – Connecting Branch and Campus Networks to the Cloud
  – Connecting Data Centers to the Cloud
  – Hybrid Data Center connectivity options
• Why Juniper SRX for AWS Connectivity
• Other Juniper Cloud Solutions (vSRX, vMX)
• Lab: Set up a VPN to an Amazon VPC on the SRX
Connectivity to AWS
From Campus, Branch and Data Center
(Diagram: campus or data center resources connecting to AWS)
VPN Overview
Why do I need VPN Connectivity?
• Local IPsec VPN connectivity to VPC subnets (back ends)
• Allows secure, authenticated connectivity from AWS back to your internal network(s) over the Internet
(Diagram: bi-directional data flows between the AWS VGW and the customer CPE)
Direct Connect Overview
• Direct IP connectivity to AWS and your VPC(s)
• Provisioned as a point-to-point (P2P) circuit between the AWS cage and your cage
• 1 Gig and 10 Gig ports available
• VLAN mapping to VPCs (virtual interfaces)
(Diagram: P2P circuit between the two cages)
Direct Connect Process
Available at limited locations; see the FAQ for the latest info: http://aws.amazon.com/directconnect/faqs/
VPC IPsec VPN vs Direct Connect
Compare and Contrast
• VPC IPsec VPNs:
  + Easy to set up and provision new connections
  + Easy to re-IP or reconfigure VPN endpoints
  = 10 VPN connections per VPC, 4 Gbps maximum theoretical
  - Performance depends on the bandwidth available from your ISP
• VPC Direct Connect:
  - Connectivity provided only from an AWS-supported data center (e.g. Equinix)
  - More complex to provision, like a P2P circuit
  + Dedicated bandwidth to your AWS back end
  + 1 Gig and 10 Gig ports available
  + Supports multiple VLANs (virtual interfaces) for multiple VPCs
VPC IPsec VPN vs Direct Connect
Compare and Contrast
(Diagram: the customer private LAN/WAN, 10.0.0.0/8, with servers, wired users, wireless users, PoS, security and phones, sits behind a Juniper SRX that performs policy enforcement; the SRX connects through the ISP router and the Internet to VPC1 and VPC2 over a primary VPN / BGP peer and a backup VPN / BGP peer.)
VPN Case Studies
Connecting Offices to the Cloud
VPN Case Studies
Connecting Multiple Offices to the Cloud
• Connect up to 10 locations directly to an AWS VPC over the Internet using IPsec VPNs
• Dual tunnels and BGP routing facilitate failover and/or traffic load balancing
Case Studies
Mixing VPNs and Direct Connect for best availability
• Hybrid Cloud = Private Cloud + Public Cloud
  – Facilitates migrations: legacy private DC services keep running alongside the public cloud, preserving the investment in current infrastructure
  – Requires high-9s availability and failover
  – Requires security enforcement between clouds
Juniper SRX Overview
Cost-effective security for AWS Connectivity
• Low-cost, high-performance security platform that provides an efficient entry point to the VPC
• Advanced routing features, including BGP and policy-based routing, allow for flexible designs
• High-availability features enable high-9s availability for production-grade connectivity
• Wide range of hardware models, plus the vSRX virtual firewall; all run Junos
Juniper SRX Overview
New SRX Models
Copyright © 2011 Juniper Networks, Inc. www.juniper.net
Branch SRX delivers consolidated security and networking
SRX Platform
• Single device for routing, switching, and security
• Comprehensive security
• Easy to activate new layers of security
(Diagram: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, Web filtering (UTM); Routing / WAN; LAN, Switching)
Juniper SRX
Detailed Architecture View
Juniper SRX
Dual ISP Architecture
• Other Juniper AWS/Cloud Solutions
Juniper vSRX Overview
Cost-effective virtual security in the cloud
http://www.slideshare.net/AmazonWebServices/net208-enable-secure-your-business-app-via-the-hybrid-cloud-on-aws
Juniper vMX Overview
Cost-effective virtual routing in the cloud
http://www.slideshare.net/AmazonWebServices/net208-enable-secure-your-business-app-via-the-hybrid-cloud-on-aws
• Break before Lab
Lab: Setup VPN to AWS
On Juniper SRX
• Requirements
• Review VPC setup on the AWS test instance
• Load configuration on the Juniper vSRX
• Testing and troubleshooting connectivity
• Failover scenarios
• Real-world performance considerations
Lab: Create Gateway
Enter your SRX public IP address as the customer gateway.
Select Dynamic routing (BGP) and supply the BGP ASN your SRX will peer with; a private ASN is fine.
Lab: Create VPN
Choose an existing gateway or create a new one.
Select Dynamic (BGP routing).
Lab: Setup VPN to AWS
BGP – not so scary…
• BGP is the ideal method for load balancing and VPN failover, and is supported by both Juniper and AWS
• No BGP license required on the SRX
• The BGP configuration and filters are provided by AWS in the downloaded configlet
  – Once set up, the configuration remains static
  – No "BGP traffic engineering" (or a BGP engineer) required
Lab: Associate Routes
Choose the existing route tables for the VPC subnets.
Create static routes to the target VPN gateway, or enable route propagation from the VGW on those route tables so the prefixes learned over BGP are installed automatically.
Lab: Download Config
Creates a text file for your SRX.
Select Vendor: Juniper
Select Platform: J-Series (the same configuration applies to the SRX)
Lab: Open Text Configlet
Let's examine and replace some values:
• External interface: validate that the external-interface name in the configlet matches your SRX's Internet-facing interface
• Tunnel interface (st0) and security zones: check the zone the tunnel interface is placed in
• TCP-MSS values (global): clamp the MSS to avoid fragmentation inside the tunnel
• BGP export policy and BGP neighbors: what the SRX advertises to AWS and the two 169.254.x.x peers
Lab: Download from SRX
SFTP files from your SRX for the lab:
jratford$ sftp root@192.168.110.X        # your vSRX internal IP
Password: BCTLab64
## Download SSH key for AWS host connectivity
sftp> mget *.pem
## Alternatively, download the AWS config for your virtual SRX
sftp> mget studentX.txt
Lab: Copy AWS Config set
jratford-mbp:~ jratford$ ssh -l root 192.168.110.X        # your SRX internal IP
Password:
--- JUNOS 15.1X49-D15.4 built 2015-07-31 02:20:21 UTC
…
root@SRX-Student-01% vi aws.cfg
If pasting a new configuration via copy/paste:
<press a>
<paste text file>
<press Esc, then :wq>
root@SRX-Student-01% more aws.cfg
…
Lab: Load Config set
root@SRX-Student-01% cli
root@SRX-Student-01> edit
Entering configuration mode
[edit]
root@SRX-Student-01# load set aws.cfg        # or studentX.txt if you use the pre-staged file
aws.cfg:3:(0) unknown command: #
aws.cfg:4:(0) unknown command: #
… (ignore the warnings about comment lines)
load complete
[edit]
root@SRX-Student-01# show | compare
…
[edit]
root@SRX-Student-01# commit
commit complete
[edit]
root@SRX-Student-01# exit
Exiting configuration mode
Tip: on a box you are reaching remotely, use commit confirmed 5 instead of commit; Junos rolls the change back automatically unless you issue a plain commit within 5 minutes, so a bad configlet cannot lock you out.
Lab: Validating VPN
root@SRX-Student-01> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2035194  UP     5aa1515cd4221384  fa53c54fcbe7ca01  Main  52.34.241.19
2035195  UP     b1716906e762473c  5622cc5ade054f97  Main  52.36.241.28
root@SRX-Student-01> show security ipsec security-associations
Total active tunnels: 2
ID       Algorithm             SPI       Life:sec/kb  Mon  lsys  Port  Gateway
<131073  ESP:aes-cbc-128/sha1  fd294c37  3564/ unlim  -    root  4500  52.34.241.19
>131073  ESP:aes-cbc-128/sha1  45ddf9    3564/ unlim  -    root  4500  52.34.241.19
<131074  ESP:aes-cbc-128/sha1  bd7b76db  3568/ unlim  -    root  4500  52.36.241.28
>131074  ESP:aes-cbc-128/sha1  11ec056d  3568/ unlim  -    root  4500  52.36.241.28
root@SRX-Student-01> show interfaces terse | match st0
st0    up  up
st0.1  up  up  inet  169.254.12.218/30
st0.2  up  up  inet  169.254.13.150/30
Both IKE SAs are UP and each tunnel has an inbound (<) and an outbound (>) ESP SA. Port 4500 shows the tunnels are running over NAT-T (UDP 4500), consistent with the vSRX sitting behind NAT on 192.168.110.X. The aes-cbc-128/sha1 proposal is the one the downloaded configlet specifies; confirm it is what you intend before using the same configlet in production.
Lab: Validating VPN
root@SRX-Student-01> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table    Tot Paths  Act Paths  Suppressed  History  Damp State  Pending
inet.0           2          1           0        0           0        0
Peer            AS    InPkt  OutPkt  OutQ  Flaps  Last Up/Dwn  State|#Active/Received/Accepted/Damped...
169.254.12.217  7224  33     36      0     0      4:52         0/1/1/0  0/0/0/0
169.254.13.149  7224  31     35      0     0      4:48         1/1/1/0  0/0/0/0
root@SRX-Student-01> show route advertising-protocol bgp 169.254.12.217
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
  Prefix       Nexthop  MED  Lclpref  AS path
* 0.0.0.0/0    Self                   I
root@SRX-Student-01> show route receive-protocol bgp 169.254.12.217
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
  Prefix         Nexthop         MED  Lclpref  AS path
  172.16.1.0/24  169.254.12.217  200           7224 I
Both peers are established: the VPC CIDR 172.16.1.0/24 is received on each tunnel (2 total paths), and only one copy is active (1/1/1/0 on the second peer). Note that the SRX is advertising a default route (0.0.0.0/0) to AWS; that is convenient for the lab, but in production export only the on-premises prefixes AWS should reach.
Lab: Validating VPN
root@SRX-Student-01> show route 172.16.1.0/24
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.1.0/24      *[BGP/170] 00:06:03, MED 100, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.13.149 via st0.2
                    [BGP/170] 00:05:37, MED 200, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.12.217 via st0.1
AWS is advertising the prefix with MED 100 over the st0.2 peer and MED 200 over the st0.1 peer, so the SRX prefers st0.2 and holds st0.1 as the backup path. Traffic therefore rides one tunnel at a time rather than being balanced across both, which avoids asymmetric paths.
Lab: VPN Failover
root@SRX-Student-01> edit
Entering configuration mode
[edit]
root@SRX-Student-01# set interfaces st0.2 disable
[edit]
root@SRX-Student-01# show | compare
[edit interfaces st0 unit 2]
+   disable;
[edit]
root@SRX-Student-01# commit
commit complete
[edit]
root@SRX-Student-01# run show route 172.16.1.0
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.1.0/24      *[BGP/170] 00:00:01, MED 200, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.12.217 via st0.1
With st0.2 disabled, the BGP session over it drops and the prefix is now learned only via st0.1 (MED 200); the route count falls from 12 to 10 and traffic fails over with no static routes to change. Re-enable the tunnel afterwards with delete interfaces st0.2 disable followed by commit.
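The validation and failover steps above are done by eye on the SRX CLI. As an added example (not part of the deck), the same checks can be run as code over the command output. The sample strings are the lab's own output from the slides above, re-flowed only where a slide wrapped a line (one line per BGP peer, as Junos prints it); the thresholds the check applies (two tunnels with both ESP directions, every BGP peer established, exactly one active path, no default route exported to AWS) are the assumptions a production check would encode, not something the deck states.

```python
"""Health check over the Junos 'show' output the lab uses to validate the VPN.

Added example, not part of the deck. The samples are the lab's own output from the
slides ('show bgp summary' re-flowed to one line per peer, as Junos prints it).
"""
import re

IPSEC_SAS = """\
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 fd294c37 3564/ unlim - root 4500 52.34.241.19
>131073 ESP:aes-cbc-128/sha1 45ddf9 3564/ unlim - root 4500 52.34.241.19
<131074 ESP:aes-cbc-128/sha1 bd7b76db 3568/ unlim - root 4500 52.36.241.28
>131074 ESP:aes-cbc-128/sha1 11ec056d 3568/ unlim - root 4500 52.36.241.28
"""
BGP_SUMMARY = """\
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.12.217 7224 33 36 0 0 4:52 0/1/1/0 0/0/0/0
169.254.13.149 7224 31 35 0 0 4:48 1/1/1/0 0/0/0/0
"""
ADVERTISED = """\
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
* 0.0.0.0/0 Self I
"""
ROUTE_BEFORE = """\
172.16.1.0/24 *[BGP/170] 00:06:03, MED 100, localpref 100
  AS path: 7224 I, validation-state: unverified
  > to 169.254.13.149 via st0.2
  [BGP/170] 00:05:37, MED 200, localpref 100
  AS path: 7224 I, validation-state: unverified
  > to 169.254.12.217 via st0.1
"""
ROUTE_AFTER = """\
172.16.1.0/24 *[BGP/170] 00:00:01, MED 200, localpref 100
  AS path: 7224 I, validation-state: unverified
  > to 169.254.12.217 via st0.1
"""
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")
PATH = re.compile(r"(\*?)\[BGP/170\].*?MED (\d+)")
HOP = re.compile(r">\s*to (\S+) via (\S+)")


def parse_ipsec_sas(text):
    """gateway -> {'dirs': set of '<' (inbound) / '>' (outbound) SAs seen, 'alg': proposal}."""
    sas = {}
    for line in text.splitlines():
        if line[:1] in "<>" and line[1:2].isdigit():
            parts = line.split()
            sas.setdefault(parts[-1], {"dirs": set(), "alg": parts[1]})["dirs"].add(line[0])
    return sas


def parse_bgp_summary(text):
    """peer -> {'as', 'established'}: an up peer prints Active/Received/Accepted/Damped
    counts in the State column, a down one prints its state name (Active, Connect, Idle)."""
    peers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and IPV4.fullmatch(parts[0]):
            peers[parts[0]] = {"as": int(parts[1]), "established": "/" in parts[7]}
    return peers


def parse_route_paths(text):
    """[(active, med, next_hop, interface), ...] for every BGP path of one prefix."""
    paths, pending = [], None
    for line in text.splitlines():
        m = PATH.search(line)
        if m:
            pending = (m.group(1) == "*", int(m.group(2)))
            continue
        h = HOP.search(line)
        if h and pending:
            paths.append((*pending, h.group(1), h.group(2)))
            pending = None
    return paths


def parse_advertised(text):
    """Prefixes announced to a peer: the '*' rows of 'show route advertising-protocol bgp'."""
    return [line.split()[1] for line in text.splitlines() if line.startswith("*")]


def vpn_health(ipsec_text, bgp_text, route_text, advertised_text):
    """The lab's by-hand checks as code, plus two warnings a production check should raise."""
    sas, peers = parse_ipsec_sas(ipsec_text), parse_bgp_summary(bgp_text)
    active = [p for p in parse_route_paths(route_text) if p[0]]
    tunnels_up = sorted(gw for gw, s in sas.items() if s["dirs"] == {"<", ">"})
    established = sorted(p for p, s in peers.items() if s["established"])
    warnings = []
    if len(tunnels_up) < 2:
        warnings.append("fewer than two tunnels have both ESP directions up")
    if len(established) < len(peers):
        warnings.append("BGP down to " + ", ".join(sorted(set(peers) - set(established))))
    if len(active) != 1:
        warnings.append("expected exactly one active path; AWS steers traffic to one tunnel via MED")
    if "0.0.0.0/0" in parse_advertised(advertised_text):
        warnings.append("default route advertised to AWS; export only your on-prem prefixes in production")
    return {"tunnels_up": tunnels_up, "bgp_established": established,
            "active_path": active[0][1:] if len(active) == 1 else None, "warnings": warnings}


if __name__ == "__main__":
    print(vpn_health(IPSEC_SAS, BGP_SUMMARY, ROUTE_BEFORE, ADVERTISED))
```

Feed it the output of show security ipsec security-associations, show bgp summary, show route <vpc-cidr> and show route advertising-protocol bgp <peer> captured from the SRX. On the pre-failover output it reports both tunnels up, both peers established and the active path via st0.2 with MED 100, with a single warning about the exported default route; on the post-failover output the active path flips to st0.1 with MED 200, which is exactly what the failover slide shows by hand.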
Lab: Security Policies
Security Policy Enforcement
root@SRX-Student-01> show security policies
Default policy: deny-all
From zone: trust, To zone: trust
  Policy: default-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, log
The default policy is deny-all, so the only reason LAN and VPC traffic flows is that the tunnel interface st0 is in the trust zone as well and the trust-to-trust default-permit policy allows any/any. That is fine for the lab; in production put st0 in its own zone and write policies that permit only the addresses and applications that need to cross to the VPC, logged.
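The configlet walkthrough above only labels the pieces to check (external interface, st0 tunnel interface and zone, TCP-MSS clamp, BGP export policy and neighbors), and the security-policy slide shows the any/any permit the lab relies on. The following is an added example, not the AWS-generated configlet or BlueChipTek lab material: it renders the same pieces as Junos set commands so you can see every value that gets replaced. Outside IPs, inside /30s and AWS's AS 7224 are taken from the lab output; the interface name ge-0/0/0.0, the zone name vpn-aws, local AS 65000, the 10.0.0.0/8 on-premises prefix, the 172.16.0.0/16 VPC range and the PSK placeholders are assumptions. It deliberately departs from the lab in two places: st0 goes in its own zone with a policy that permits only SSH to the VPC range, and the export policy advertises the on-premises prefix instead of 0.0.0.0/0.

```python
"""Render a Junos 'set'-style configlet for a two-tunnel AWS VPN connection.

Added example for this deck, not AWS's configlet generator or BlueChipTek lab
material. Outside IPs, inside /30s and AWS's AS 7224 come from the lab output;
PSKs, interface, zone, local AS and prefixes are placeholders you replace.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Tunnel:
    unit: int            # st0 logical unit this tunnel is bound to
    aws_outside_ip: str  # AWS VGW endpoint the SRX peers with (IKE gateway address)
    inside_cidr: str     # SRX side of the 169.254.x.x/30 tunnel link
    psk: str             # pre-shared key printed in the downloaded configlet


def aws_peer(inside_cidr):
    """The BGP neighbour is the other usable address of the /30 tunnel link."""
    me = IPv4Interface(inside_cidr)
    others = [str(h) for h in me.network.hosts() if h != me.ip]
    if len(others) != 1:
        raise ValueError("tunnel inside link must be a /30")
    return others[0]


def render_tunnel(t, external_if, zone):
    """Phase 1, phase 2, st0 unit, zone membership and BGP neighbour for one tunnel."""
    n, peer = f"vpn-{t.unit}", aws_peer(t.inside_cidr)
    ike, ipsec = "set security ike", "set security ipsec"
    return [
        # Phase 1 (IKE), matching what the lab's SAs show: main mode, AES-128-CBC, SHA-1
        f"{ike} proposal ike-prop-{n} authentication-method pre-shared-keys",
        f"{ike} proposal ike-prop-{n} authentication-algorithm sha1",
        f"{ike} proposal ike-prop-{n} encryption-algorithm aes-128-cbc",
        f"{ike} proposal ike-prop-{n} dh-group group2",
        f"{ike} policy ike-pol-{n} mode main",
        f"{ike} policy ike-pol-{n} proposals ike-prop-{n}",
        f'{ike} policy ike-pol-{n} pre-shared-key ascii-text "{t.psk}"',
        f"{ike} gateway gw-{n} ike-policy ike-pol-{n}",
        f"{ike} gateway gw-{n} address {t.aws_outside_ip}",
        f"{ike} gateway gw-{n} external-interface {external_if}",
        f"{ike} gateway gw-{n} dead-peer-detection interval 10 threshold 3",
        # Phase 2 (IPsec): ESP with PFS, bound to a route-based st0 unit
        f"{ipsec} proposal ipsec-prop-{n} protocol esp",
        f"{ipsec} proposal ipsec-prop-{n} authentication-algorithm hmac-sha1-96",
        f"{ipsec} proposal ipsec-prop-{n} encryption-algorithm aes-128-cbc",
        f"{ipsec} proposal ipsec-prop-{n} lifetime-seconds 3600",
        f"{ipsec} policy ipsec-pol-{n} perfect-forward-secrecy keys group2",
        f"{ipsec} policy ipsec-pol-{n} proposals ipsec-prop-{n}",
        f"{ipsec} vpn {n} bind-interface st0.{t.unit}",
        f"{ipsec} vpn {n} ike gateway gw-{n}",
        f"{ipsec} vpn {n} ike ipsec-policy ipsec-pol-{n}",
        # Tunnel interface: inside /30 plus an MTU that leaves room for the ESP overhead
        f"set interfaces st0 unit {t.unit} family inet address {t.inside_cidr}",
        f"set interfaces st0 unit {t.unit} family inet mtu 1436",
        f"set security zones security-zone {zone} interfaces st0.{t.unit}",
        # eBGP to the VGW, which peers from AS 7224 in the lab's 'show bgp summary'
        f"set protocols bgp group ebgp-aws neighbor {peer} peer-as 7224",
    ]


def render_configlet(tunnels, external_if, local_as, advertise, zone="vpn-aws"):
    """Whole configlet: per-tunnel blocks plus the shared BGP group, export policy,
    TCP-MSS clamp and a scoped zone policy in place of the lab's any/any permit."""
    lines = []
    for t in tunnels:
        lines += render_tunnel(t, external_if, zone)
    bgp, pol = "set protocols bgp group ebgp-aws", "set policy-options policy-statement EXPORT-TO-AWS"
    lines += [
        f"set security zones security-zone {zone} host-inbound-traffic protocols bgp",
        "set security flow tcp-mss ipsec-vpn mss 1387",  # clamp MSS so ESP overhead never fragments
        f"{bgp} type external",
        f"{bgp} local-as {local_as}",
        f"{bgp} export EXPORT-TO-AWS",
    ]
    # Export only the on-prem prefixes AWS should reach; the lab configlet exports
    # 0.0.0.0/0 instead, which pulls every VPC-originated flow into the tunnel.
    for i, prefix in enumerate(advertise):
        IPv4Network(prefix)  # reject a malformed prefix before it reaches the box
        lines += [f"{pol} term t{i} from route-filter {prefix} exact", f"{pol} term t{i} then accept"]
    lines.append(f"{pol} term reject-rest then reject")
    # Zone policy: SSH from the LAN to the VPC range only, logged; the rest hits deny-all
    p = f"set security policies from-zone trust to-zone {zone} policy lan-to-vpc"
    lines += [
        "set security address-book global address vpc-range 172.16.0.0/16",
        f"{p} match source-address any",
        f"{p} match destination-address vpc-range",
        f"{p} match application junos-ssh",
        f"{p} then permit",
        f"{p} then log session-init",
    ]
    return lines


# Placeholder tunnels: outside IPs and inside /30s as in the lab output, PSKs invented.
LAB_TUNNELS = [
    Tunnel(1, "52.34.241.19", "169.254.12.218/30", "REPLACE-WITH-CONFIGLET-PSK-1"),
    Tunnel(2, "52.36.241.28", "169.254.13.150/30", "REPLACE-WITH-CONFIGLET-PSK-2"),
]

if __name__ == "__main__":
    print("\n".join(render_configlet(LAB_TUNNELS, "ge-0/0/0.0", 65000, ["10.0.0.0/8"])))
```

Pipe the output into a file and load it with load set, as in the lab; because each statement is a plain set command, show | compare on the SRX shows you exactly what will change before you commit. The PSKs are the one value the AWS download gives you that must never be committed to a repository in clear text; Junos stores them encrypted once committed, but the generated file does not.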
Lab: Accessing VPC Hosts
172.16.X.0/24        # replace X with your student number
Lab: Accessing VPC Hosts
Logging in via SSH:
jratford$ sudo route add -net 172.16.X.0/24 192.168.110.X        # use your IPs
## Lab - a static route via the SRX is required for your PC to reach the VPC networks
## (BSD/macOS route syntax; on Linux use: sudo ip route add 172.16.X.0/24 via 192.168.110.X)
jratford$ chmod 400 student1-5.pem
jratford$ ssh -i student1-5.pem ubuntu@172.16.1.252
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-74-generic x86_64)
 * Documentation: https://help.ubuntu.com/
System information as of Tue Mar 22 16:33:26 UTC 2016
  System load: 0.48   Memory usage: 5%   Processes: 81
  Usage of /: 9.9% of 7.74GB   Swap usage: 0%   Users logged in: 0
Graph this data and manage this system at:
  https://landscape.canonical.com/
…
ubuntu@ip-172-16-1-252:~$ ping 192.168.110.X        # your SRX internal IP or your PC
PING 192.168.110.102 (192.168.110.102) 56(84) bytes of data.
64 bytes from 192.168.110.102: icmp_seq=1 ttl=62 time=27.4 ms
64 bytes from 192.168.110.102: icmp_seq=2 ttl=62 time=49.6 ms
^C
Additional Material
• Ref: other whitepapers and app notes
• https://www.cloudreach.com/gb-en/2013/01/comparing-amazon-vpc-connectivity-options/
• Amazon Guides
• http://www.slideshare.net/AmazonWebServices/using-virtual-private-cloud-vpc
• Juniper marketing collateral
• BCT Whitepaper from Mark T.
• http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html
• http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper_Troubleshooting.html
• http://www.juniper.net/us/en/products-services/security/srx-series/compare/
Thank you for attending. Please visit our event page on our website to check out upcoming events:
http://bluechiptek.com/about/events
@bluechiptek
For any questions please contact us at 408-731-7000 or bct-sales@bluechiptek.com

Bct Aws-VPC-Training


Editor's Notes

  • #18 All-in-one: Juniper SRX is an all-in-one device solution providing consolidated networking and security. Networking: routing, switching, interfaces for WAN, LAN, and wireless. Security: FW, VPN, and UTM (IPS, AV, anti-spam, web filtering).
    Main point: businesses have what they need all in one box to meet networking needs and comprehensive security. Now it's easy to activate a new security service layer when the customer is ready. Perhaps they start off with AV. When appropriate, they can deploy IPS to stop attacks and protect systems and the network from exploited vulnerabilities. Then, when ready, they can enable web filtering for productivity, performance, and security gains. The key: no need to deploy another box, another device, more to learn and spend time on. Just activate. UTM is already there; customers just need the license. Easy!
    What's new? For some, UTM may be new, or you may be new to Juniper, so there's so much to learn. Some new things as we continue to bring leading security to your customers: there's a new AV option (powered by Sophos); I'll speak more about this option later in the slides. Focus on continuous improvement: there is also increased web filtering scaling to this already rock-solid content inspection functionality, a doubling of web filtering sessions, and additional network traffic classification functionality.
  • #19 http://www.juniper.net/us/en/products-services/security/srx-series/compare/#a=P100,P110,P210,P220,P240,P300,P550,P650,P1400,P1500,P3400,P3600,P5400,P5600,P5800