Expanding Your AWS and On-premise Footprint to AWS GovCloud (US)

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
David Cruley
Solutions Architect Manager/GovCloud, Amazon Web Services
Shwetha Anand
Senior Solutions Architect/GovCloud, Amazon Web Services
Session # 19343
Expanding Your AWS and On-Premises
Footprint to AWS GovCloud (US)
Jason Shaffer
Senior Solutions Architect/GovCloud, Amazon Web Services

Agenda for this session
Intro and
Differences
Connectivity
Options
Migration
Options
Q&A

AWS GovCloud (US) Region
Isolated AWS Region intended for customers with strict
regulatory and compliance requirements and sensitive data
August 2011
Available to qualified customers
Compliance
Safeguard sensitive data/systems
Addresses US government regulations, policies, and security requirements

AWS global infrastructure
18
Regions
55
Availability
Zones
AWS GovCloud (US-East)

When do you need to use GovCloud?
or

Typically for compliance reasons
DOD Cloud Security Req’s
Guide IL 4 or 5
FedRAMP High
GovCloud is the only Region certified
for workloads with these requirementsInternational Traffic and
Arms Regulation
CJIS
Defense Federal
Acquisition Regulation
Supplement

Or for AWS GovCloud (US)’s distinguishing features
“Community Cloud” with
vetted account holders
Managed by U.S.
citizens on U.S. soil

Expanding into GovCloud… How do you….
• Set up network connectivity to
GovCloud?
• Migrate assets into GovCloud?

Paving the Road to AWS GovCloud – Connectivity
Options
• AWS VPN GovCloud Connectivity Options Update
• AWS Direct Connect GovCloud Connectivity Options
Update
• Available Connectivity Options for GovCloud Workloads

Extend an on-premises network into your VPC
VPN
AWS Direct
Connect
172.16.0.0/1610.0.0.0/16

• Classic VPN solution
• The new AWS VPN solution
AWS VPN options

Previous - Classic VPN Connectivity
VPN between GovCloud and on-prem environments
• Extend on-prem network enclaves to GovCloud VPCs
• Hardware-based VPN solution
• FIPS Validated Hardware
172.31.0.0/16
Your premises
Virtual Private
Gateway

Hybrid Connectivity
VPN between GovCloud and US East/West VPCs
• Use case: hybrid workloads with multi-region architectures
• Enforce policies to prevent sensitive data from leaving GovCloud
• Note: use VPC peering to connect multiple GovCloud VPCs
VPN
172.31.0.0/16 10.0.0.0/16

New AWS VPN Solution- Differentiators
B e f o r e : A W S a l l o c a t e d t h e / 3 0 t u n n e l a d d r e s s r a n g e a n d o n e P r e s h a r e d - K e y p e r V P N
c o n n e c t i o n
A f t e r : C u s t o m e r s c a n d e f i n e t h e t u n n e l I P a d d r e s s e s a n d P r e s h a r e d K e y p e r
t u n n e l
* N e w V P N s o l u t i o n i s F I P S c o m p l i a n t s o l u t i o n
Tunnel 1 IP Range
Tunnel 1 PSK
Tunnel 2 IP Range
Tunnel 2 PSK

Why move to new AWS VPN?
On-Premises
• H e l p s s c a l e M a n y V P N c o n n e c t i o n s f r o m o n p r e m t o V P C
• Ab i l i t y t o r e - u s e C u s t o m e r G a t e w a y I P a d d r e s s

Migrate to new AWS VPN
Simple steps…..
Create a new virtual private gateway and AWS VPN connection
Detach old VGW from your Amazon Virtual Private Cloud (VPC)
Attach the new VGW to your Amazon VPC connection
Finally, enable the new tunnels on your customer gateway device
Disable and delete the old tunnels
Your premises
New VGW
Old VGW

AWS Direct Connect

Direct Connect Connectivity
Dedicated, private connection into AWS
Public Virtual Interface
Provides access to Amazon Public IP Addresses
Requires Public IP Addresses for BGP Session
Public ASN must be owned by customer – Private is OK
Private Virtual Interface
Only provides access to resources in a VPC
Attaches to the Virtual Private Gateway
Multiple Private VIF’s can be attached for resilience

Public VIF - Connectivity through other Regions
Direct Connect via US East and/or US West
• Configure in East/West and ride internal AWS network to GovCloud
• Requires use of public VIF and VPN tunnels for connectivity
AWS Direct Connect
Equinix, San Jose
us-west-1
us-east-1
AWS Private Network
Public Traffic
Private Traffic
VPN to VGW
In the US, with a public VIF, use AWS’s network to:
• Access public resources in remote US regions
• VPN to a remote US region and emulate a private VIF
• Public VIF + VPN is a common GovCloud scenario

Previous - Private VIF - Connectivity to GovCloud
“Direct” Direct Connect to AWS GovCloud (US)
• Equinix San Jose (CA) private connection (VIF) directly to GovCloud
Customer routers
Customer internal
network
AWS DX
routers
DX Location
Region
instances
Amazon S3

New: AWS Direct Connect Gateway
On-Premises
AWS Direct
Connect POP
Customer or
Partner Cage
Service Provider
Network
VLAN BPrivate VIF
Direct Connect
Gateway
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Region 1
GovCloud
One Private Virtual Interface can be attached to multiple VGWs
*Govcloud account should be mapped to standard AWS account

There are some disallowed data paths
On-Premises
AWS Direct
Connect POP
Customer or
Partner Cage
Service Provider
Network
VLAN BPrivate VIF
X
Direct Connect
Gateway
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16
Region 1
Region 2
VPN Connection
X
Private VIF to Private VIF
VGW to VGW
Private VIF to VPN
X

How does this work in GovCloud?
Same feature set as commercial Regions
Use DX gateway from any AWS Direct Connect connection from
any AWS Direct Connect location
DX gateway is supported between an AWS GovCloud (US)
account and a linked commercial AWS account.
From your AWS GovCloud (US) account, you can associate a
virtual private gateway with an AWS Direct Connect gateway that's
in the linked account.

Migrating to GovCloud

Which tools and
techniques?
Migrating to GovCloud
Where am I
coming from?
What am I
migrating?
Which
combination
should I use?
How much am I
migrating?

Where are you coming from?
On-Premises Standard
Regions
Other
Clouds

What are you migrating?
Databases Servers and
Applications
Application
Data

Which Tools?

VM Import/Export (VMIE)
OVA
VDMK
VHD
VHDX
RAW
VMIE

AWS Server Migration Service (SMS)

AWS Database Migration Service (DMS)
Aurora

AWS Snowball

GovCloud Import Tool
AMI
Step Function
ImageS3
EC2
Lambda
gov-cloud-import-image
Step Function
S3
EC2
Lambda
gov-cloud-import-s3
S3

3rd Party GovCloud Migration Partners
Migration Technology Partners Migration Delivery Partners

Migration Matrix to GovCloud
On-Prem Standard Other Cloud Volume
VMIE Yes Yes Maybe Low
AWS SMS Yes No No Medium
AWS DMS Yes Yes Yes High
Snowball Yes Yes* No High
GovCloud Import Tool No Yes No Medium
3rd Party Migration Yes Yes Yes High
*Requires two Snowballs

Resources
Resource URL
AWS SMS https://aws.amazon.com/server-
migration-service/
AWS SMS Requirements https://docs.aws.amazon.com/server-
migration-
service/latest/userguide/prereqs.html
AWS DMS https://aws.amazon.com/dms
AWS DMS Walk-throughs https://docs.aws.amazon.com/dms/latest
/sbs/DMS-SBS-Welcome.html
Snowball https://aws.amazon.com/snowball/
GovCloud Import Tool http://github.com/awslabs/aws-gov-
cloud-import

Questions

Expanding Your AWS and On-premise Footprint to AWS GovCloud (US)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Expanding Your AWS and On-premise Footprint to AWS GovCloud (US)

Similar to Expanding Your AWS and On-premise Footprint to AWS GovCloud (US) (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Expanding Your AWS and On-premise Footprint to AWS GovCloud (US)