Extending Data Centers to the Cloud: Connectivity Options and Best Practices (NET302) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Extending Data Centers to the
Cloud: Connectivity Options and
Best Practices
Sid Chauhan
AWS Solutions Architect
Amazon Web Services
N E T 3 0 2

About me

Importance of Network Connectivity

Key takeaways
What are the options for connecting into Amazon Web
Services (AWS)?
What is appropriate for my workloads?
What’s new? How does it affect my architecture?

Hybrid connectivity
CORP

Hybrid connectivity—storage/archive
CORP
Amazon
S3
DB
App
Archive

Hybrid connectivity—DR/app migration
CORP
DB
App
App

Hybrid connectivity—Virtual desktops
CORP
Amazon
WorkSpaces
DB
App

Hybrid connectivity—Split architecture
CORP
Web App DB

Connectivity options
- Public IPs
- Elastic IPs
- Internet data out
pricing
- IPsec authentication
and encryption
- Three main options
- AWS Managed VPN
- Software VPN (EC2)
- Transit GW
- Launched in 2011
- Private connection
- Separate from the
Internet
- Consistent network
experience
- Port speeds of 1 Gbps,
10 Gbps or sub-1 Gbps
- Connect through 89
locations
- Global Connectivity
AWS Direct ConnectVPNPublic Internet
N E W !

Digital Realty UK
Eircom
Interxion Frankfurt
Equinix OS
Equinix TY
Equinix FR
Equinix SY
Global Switch Sydney
Equinix SG
CIDS
Sinnet
Equinix LD
Interxion Dublin
Interxion Madrid
Interxion Stockholm
Equinix AM
Global Switch Singapore
GPX Mumbai
Sify Rabale
Telehouse
Equinix MU
CE Colo Prague
Equinix WA
Interxion Marseille
Interxion Zurich
Interxion Vienna
Interxion IPB Berlin
iAdvantage HK
Kinx Seoul
LG U+ Seoul
Menara Kuala Lumpur
NEXTDC Canberra
NEXTDC
Melbourne
NEXTDC Perth
AWS Direct Connect locations
Equinix HE
Itconic Madrid 2
STT GDC Chennai

Seoul
NEXTDC Perth
Mumbai
Frankfurt
Sydney
Ireland
Tokyo
Singapore
Beijing
London
AWS backbone

Key pillars
Flexibility
Cost
Resiliency
Performance

Connectivity architectures
CORP

Connectivity architectures
CORP
VPC
VPC
VPC

VPC
VPC
VPC
AWS managed VPN
Internet
CORP

VPC
VPC
VPC
AWS managed VPN - VGW
Internet
VGW
CORP
CGW

VPC
VPC
VPC
Internet
VGW
Supported features:
• AES-256
• SHA-2
• Phase 1 DH groups—2, 14–18, 22, 23, and 24
• Phase 2 DH groups—1, 2, 5, 14–18, 22, 23, and 24
• NAT-T
CORP
CGW

VPC
VPC
VPC
Internet
VGW
Supported features:
• Custom Pre-Shared Keys (PSKs)
• Custom inside tunnel IPs
• BGP or static routing routing
• Bring your own Autonomous System Number (ASN)
• Amazon CloudWatch metrics CORP
CGW

Connecting to resources over AWS
managed VPN
What can you access?
• Any resource with private IP in your VPC
(with exceptions)
• Amazon Elastic Compute Cloud (Amazon
EC2), Amazon Relational Database
Service (Amazon RDS), Amazon Redshift,
AWS Lambda, and others
• Network Load Balancer, Elastic File
System
• Interface VPC endpoints
• Private link endpoints
• Amazon Route 53 Resolver
What can you not access?
• VPC DNS IP (.2)
• Gateway VPC endpoint
• AWS public IP range
N E W !
N E W !
N E W !
N E W !

VPC
VPC
VPC
Internet
VGW
23.22.66.xx
50.16.172.yy
CORP
CGW

VPC
VPC
VPC
AWS managed VPN, 2 x CGW
Internet
VGW
CGW
CORP
CGW

VPC
VPC
VPC
AWS managed VPN, multiple VPCs
Internet
VGW
CGW
VGW
CORP
CGW

AWS managed VPN - at scale
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
CORP

AWS managed VPN
Cost
Performance
Flexibility
Resiliency
• Easy install, minutes to set up
• NAT-T, AES-256, SHA-2 and latest
DH groups
• Static (1 prefix) or BGP (<100
prefixes)
• Repeat for every VPC
• $0.05 per VPN connection hour
• Data transfer
• Leverage both VGW endpoints (two
tunnels per VPC)
• Think about CGW redundancy (four
tunnels per VPC)
• Up to 1.25 Gbps per VPN tunnel
• No equal-cost multi-path routing
(ECMP)

VPC
VPC
VPC
Software VPN (Amazon EC2)
Internet
CORP

VPC
VPC
Software VPN (EC2)
Internet
CORP

VPN consolidation using Software VPN
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
CORP

VPN consolidation using Software VPN
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
CORP
VPC
EC2 EC2

Software VPN (EC2)
Cost
Performance
Flexibility
Resiliency
• Any open-source or commercial vendor
• Opens up proprietary feature sets
• Customer responsible for HA and scaling
• Advanced solutions can be built using
automation
• Vendor licensing
• Amazon EC2 hourly cost
• High availability cost
• Data transfer
• VPC endpoint HA achieved by
additional Amazon EC2 instance in
second AZ
• Customer-side HA also recommended
• Defined by Amazon EC2 instance
size & type
• Multi Gbps can be achieved per
VPN instance (for all tunnels)
• Multiple instances for the same VPC
are possible

Transit GW
New!EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
CORP
52.39.78.54
54.65.78.98

Transit GW
New!EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
EC2 VPC
CORP
VPC
EC2
52.39.78.54
54.65.78.98

Transit GW - A deeper look
VPC
EC2
VPC
EC2
VPC
EC2
Remote Customer Office
Corporate Office
AWS Direct
Connect
Gateway

Transit GW - Multiple route tables
VPC
EC2
VPC
EC2
VPC
EC2
Corporate Office

Transit GW - Software appliance on Amazon EC2
VPC
EC2
VPC
EC2
VPC
EC2
VPC
EC2
Corporate Office

AWS managed VPN on Transit GW Cost
Performance
Flexibility
Resiliency
• Easy install, minutes to set up
• Same features as AWS managed VPN
• VPN consolidation and peering for
1000’s VPC
• Advanced routing capabilities including
multiple route tables
• Ability to route traffic to software
appliance on Amazon EC2
AWS managed VPN pricing
• $0.05 per VPN connection hour
• Data transfer
TGW Pricing
• TGW attachment charge (hourly)
• Per GB data processed charge
• TGW offers built-in HA
• Think about CGW redundancy
• Up to 1.25 Gbps per VPN tunnel
• Highly scalable with ECMP support
• Tested up to 50Gbps

Transit GW - A new default?
Thursday, Nov 29, 12:15 PM - 1:15 PM– Mirage, Mirage
Events Center B

AWS Direct Connect
VPC
VPC
VPC
CORP

AWS Direct Connect
DX Location
VPC
VPC
VPC
CORP

AWS Direct Connect
AWS Direct
Connect Devices
DX Location
VPC
VPC
VPC
CORP

AWS Direct Connect—Physical connectivity

AWS Direct Connect - Physical connectivity
1) Customer presence in the same DX location

AWS Direct Connect
Letter of Authorization and Connecting Facility Assignment
Please consider this letter as notification for connecting facility assignment for the purpose of
establishing or augmenting connectivity between the parties identified above. This document authorizes
a connection to the ports indicated above. All charges for the physical connection are the sole
responsibility of company.
For location specific information on requesting a cross-connect, visit the "Requesting Cross-Connects"
section of the user guide:
http://docs.aws.amazon.com/DirectConnect/latest/UserGuide/Colocation.html
The requester(s) use of AWS services will be governed by the terms of the AWS Customer Agreement
(available at http://aws.amazon.com/agreement), or a separate agreement between the requester(s)
and AWS.
EXPIRATION NOTICE The authorized connectivity must be completed within 90 days of this LOA-CFA's
issue date or this LOA-CFA will expire.
* Amazon Corporate LLC is a subsidiary of Amazon.com, Inc.
Issue Date .
Oct 13, 2016
Issued By* .
Amazon Web Services Spain S.L.
Facility - Meet Me Room .
Interxion MAD2 – MAD2.211
Customer Demarcation/ZSide .
Rack: R77B1.R99B09
Patch Panel: PP2:SOUTH
Strands: 40818
Requested By .
Company requesting name
Issued To .
Interxion, Madrid, ESP
Connection ID ..
MAD50_Test
Optic and Connector Types ..
1000BASE-LX Single Mode Fiber (SMF)
Lucent Connector (LC)
Letter of
Authorization and
Connecting Facility
Assignment

2) Circuit between customer data center and DX location

APN Partners supporting AWS Direct Connect
https://aws.amazon.com/directconnect/partners

2) Circuit between customer data center and DX location
3) Leverage Service Provider’s existing circuit to DX location

DX physical connectivity considerations
Adding/removing virtual interfaces?

Routing ownership?

Time to get connectivity to a VPC

End-to-end costs?

End-to-end costs
Choosing the right location(s)
Latency
Geographic redundancy

AWS Direct Connect
AWS Direct
Connect Devices
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC
CORP

AWS Direct Connect + VPN
Internet
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices

AWS Direct Connect - Link Aggregation (LAG)
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices

Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC 40 Gbps
CORP
AWS Direct
Connect Devices

Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC 40 Gbps
4 x 10 G = 40 G
CORP
AWS Direct
Connect Devices

AWS Direct Connect – BGP Redundancy
AWS Direct
Connect Devices
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC
CORP
New!
AWS Direct
Connect Devices
Equinix SV5 San Jose Location only

2 x DX Connections
Customer
Router
Colocation
DX Location
`
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices

Colocation
DX Location
`
Customer
Routers
`
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices
2 x DX ports, 2 Customer routers

DX Location
2 x DX ports, 2 x circuits into two data centers
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices

2 x DX, active/active
DX Location
10 Gbps active
10 Gbps active
20 Gbps
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices

2 x DX, active/standby
DX Location
10 Gbps standby
10 Gbps
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices
10 Gbps active

Facility failure
DX Location
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices

2 x DX, 2 x DX locations
Customer
Routers
Colocation
DX Location 1
`
Customer
Routers
Colocation
DX Location 2
`
AWS Direct
Connect Devices
AWS Direct
Connect Devices
VPC
VPC
VPC
CORP

2 x DX, 2 x DX locations
Customer
Routers
Colocation
DX Location 1
`
Customer
Routers
Colocation
DX Location 2
`
VPC
VPC
VPC
CORP
AWS Direct
Connect Devices
AWS Direct
Connect Devices

VPN backup
CORP
Internet
Customer
Routers
Colocation
DX Location 1
`
Customer
Routers
Colocation
DX Location 2
`
VPC
VPC
VPC
AWS Direct
Connect Devices
AWS Direct
Connect Devices

AWS Direct Connect (DX)
Cost
Performance
Flexibility
Resiliency
• Global Connectivity, 89 POPs worldwide
• LOA available within up to 72 hours
• Lead time of circuit build-out could take
weeks
• Port hours
• Data out transfer
• Service provider circuit/MPLS
• Colo cage (if applicable)
2 x DX in two locations + VPN
2 x DX in two separate locations
2 x DX in one DX location
DX + VPN
DX
• 1 Gbps or 10 Gbps ports
• 100, 200, 300, 400, or 500 Mbps
ports available through partners
• LAG several connections in a group
for aggregate bandwidth
• ECMP across multiples

AWS Direct Connect features
- Bring your own private Autonomous
System Number (ASN)
- Amazon CloudWatch metrics to monitor
connection health and activity
- IPv6 support
- HIPAA Eligible Service
- Jumbo Frames support
N E W !

AWS Direct
Connect Device
Customer
router
Colocation
DX Location
Region – Asia Pacific (Singapore)
Private VIF
Region – U.S West (Oregon)
AWSglobalBackbone
Connecting to VPC - Using AWS Direct Connect Gateway
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
VPCEC2
VLAN 100
Switch SUPERNAP 8,
Las Vegas, NV
App 1
App 2
App 1 DR

Customer
router
Colocation
DX Location
Private VIF
Connecting to VPC
VPC
VPCEC2
EC2
Direct Connect
Gateway
VPCEC2
AWS Direct
Connect Device
App 1
App 2
App 1 DR
VLAN 100

Connecting to resources over AWS Direct
Connect Gateway
What can you access?
• Any resource with private IP in your VPC
(with exceptions)
• Amazon Elastic Compute Cloud (Amazon
EC2), Amazon Relational Database
Service (Amazon RDS), Amazon Redshift,
AWS Lambda, and others
• Network Load Balancer, Elastic File
System
• Interface VPC endpoints
• Private link endpoints
• Amazon Route 53 Resolver
What can you not access?
• VPC DNS IP (.2)
• Gateway VPC endpoint
• AWS public IP range
N E W !

Customer
router
Colocation
DX Location
VLAN 100
Private VIF
AmazonBackbone
Connecting to VPC
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
VPCEC2
VLAN 100
AWS Direct
Connect Device
App 1
App 2
App 1 DR

Customer
router
Colocation
DX Location
Private VIF
Connecting to Transit GW
VPC
VPCEC2
EC2
Direct Connect
Gateway
VPCEC2
AWS Direct
Connect Device
App 1
App 2
App 1 DR
VLAN 100

AWS Direct
Connect Device
Customer
router
Colocation
DX Location
Private VIF
Connecting to VPC - Redundancy
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
VPCEC2
VLAN 100
Switch SUPERNAP 8,
Las Vegas, NV
App 1
App 2
App 1 DR

VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
VPCEC2
App 1
App 2
App 1 DR
Customer
router
AWS Direct
Connect
Device
Switch SUPERNAP 8,
Las Vegas, NV
Customer
router
AWS Direct
Connect
Device
TierPoint, Seattle, WA

VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
VPCEC2
App 1
App 2
App 1 DR
Customer
router
AWS Direct
Connect
Device
Switch SUPERNAP 8,
Las Vegas, NV
Customer
router
AWS Direct
Connect
Device
TierPoint, Seattle, WA
7224:7100—Low preference
7224:7200—Medium preference
7224:7300—High preference

Customer
router
Colocation
DX Location
Private VIF
AmazonBackbone
Connecting to VPC - multiple accounts
VPC
VPCEC2
EC2
App 1
App 2
VPCEC2 App 1 DR
App1App1App2
Direct Connect
Gateway
VLAN 100
App 1
Region – U.S West 2 (Oregon)
AWS Direct
Connect Device

Customer
router
Colocation
DX Location
Private VIF
AmazonBackbone
Connecting to VPC - multiple accounts
VPC
VPCEC2
EC2
VPCEC2
Direct Connect
Gateway
Direct Connect
Gateway
VLAN 100
VLAN 200
App 1
App 2
AWS Direct
Connect Device
App 1
App 2
App 1 DR
App1App1App2

Customer
router
Colocation
DX Location
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
Connecting to VPC endpoints
Interface VPC endpoint
AWS Direct
Connect Device
Shared Services
Prod

Customer
router
Colocation
DX Location
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
Amazon Kinesis
Elastic Load Balancing APIs
Amazon Elastic Compute Cloud (Amazon EC2) APIs
Amazon EC2 Systems Manager (SSM)
AWS Service Catalog
AWS Direct
Connect Device
Shared Services
Prod

Customer
router
Colocation
DX Location
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
AWS Direct
Connect Device
Shared Services
Prod

Customer
router
Colocation
DX Location
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
Gateway VPC endpointConnecting to VPC endpoints
AWS Direct
Connect Device
Shared Services
Prod

Customer
router
Colocation
DX Location
VPC
VPCEC2
EC2
AWS Direct
Connect Gateway
Gateway VPC endpoint
AWS Direct
Connect Device
Shared Services
Prod

Customer
router
Colocation
DX Location
Connecting to non-VPC AWS services - Public VIF
VPC
VPCEC2
EC2
VPCEC2
Prod DR
VLAN 300
Public VIF
AWS Direct
Connect Device
Shared Services
Prod

Customer
router
Colocation
DX Location
Connecting to non-VPC AWS services - Public VIF
VPC
VPCEC2
EC2
VPCEC2
Prod DR
VLAN 300
Public VIF
AWS Direct
Connect Device
Shared Services
Prod
http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

Customer
router
Colocation
DX Location
Connecting to non-VPC AWS services - TGW VPN
VPC
VPCEC2
EC2
VLAN 300
Public VIF
52.39.78.54
54.65.78.98
AWS Direct
Connect Device
Shared Services
Prod

AWS Direct
Connect Device
Customer
router
Colocation
DX location
 BGP 
VLAN 200
VLAN 100
AWS Direct
Connect Gateway
1
AWS Direct
Connect Gateway
2
EC2 VPC
Canada (Central)
EC2 VPC
U.S. West 2 (Oregon)
EC2 VPC
Asia Pacific (Mumbai)
EC2 VPC
U.S. East 1 (Virginia)
Connecting to VPC - Things to remember
VLAN 300
Switch SUPERNAP 8, Las Vegas, NV

AWS Direct
Connect Device
Customer
router
Colocation
DX location
 BGP 
VLAN 200
VLAN 100
AWS Direct
Connect Gateway
1
AWS Direct
Connect Gateway
2
EC2 VPC
Canada (Central)
EC2 VPC
U.S. West 2 (Oregon)
EC2 VPC
Asia Pacific (Mumbai)
EC2 VPC
U.S. East 1 (Virginia)
Connecting to VPC - Things to remember
VLAN 300
Switch SUPERNAP 8, Las Vegas, NV
10.1.0.0/16
10.1.0.0/16

What are the options for connecting into AWS?
Key takeaways

Key takeaways

• Transit GW managed VPN
• VGW based AWS managed VPN
• Software VPN (Amazon EC2)
• Private virtual interface
• AWS Direct Connect Gateway
• Public virtual interface
• Amazon S3
VPN AWS Direct Connect
Key takeaways

Your business critical hybrid application demands
consistent low latency, 10Gbps bandwidth and minimal
downtime. Which option is best ?
A. AWS VPN with tunnels to both AWS provided endpoints
B. AWS Direct Connect with connections to two different Direct
Connect locations
C. Public Internet access via two different service providers
D. Application has too many expectations and needs to be re-
designed
Key takeaways

Flexibility
Cost
Resiliency
Performance
Key takeaways

Which of the following new release allows you to
consolidate VPN connectivity for up to 1000 VPC’s and
lets you define advanced routing rules ?
A. Virtual Private Gateway (VGW) Reborn
B. Internet Gateway v6
C. Transit Gateway
D. Direct Connect Super Gateway
New!Key takeaways

• Transit GW: Build a hub-and-spoke network topology.
Enables edge consolidation and advanced routing
capabilities
• AWS Direct Connect HA: Logical Redundancy Over a
Single Virtual Interface
New!Key takeaways

Thank you!
Sidhartha Chauhan
sidhartc@amazon.com

Extending Data Centers to the Cloud: Connectivity Options and Best Practices (NET302) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Extending Data Centers to the Cloud: Connectivity Options and Best Practices (NET302) - AWS re:Invent 2018

Similar to Extending Data Centers to the Cloud: Connectivity Options and Best Practices (NET302) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Extending Data Centers to the Cloud: Connectivity Options and Best Practices (NET302) - AWS re:Invent 2018