VPC and Datacenter Connectivity Options
Download as PPTX, PDF0 likes657 views
This document discusses connectivity options for connecting a VPC to on-premises datacenters and third-party networks. It describes VPC IPsec VPN as the cheapest and easiest option, using an encrypted tunnel over the public internet. Direct Connect is also presented as an option for private and consistent network performance up to 10Gbps, but requires an APN partner. A combination of Direct Connect with IPsec failover is suggested for redundancy. VPC peering allows inter-VPC communication without an internet gateway.
VPC and Datacenter Connectivity Options
- 1. VPC & DATACENTER CONNECTIVITY OPTIONS John Homer Alvero jhalvero@voyagerinnovation.com Service Engineering Voyager Innovations, Inc.
- 2. VOYAGER INNOVATIONS, INC. • Established in 2013 • Wholly subsidiary of Smart Communications • Drives exploration and creation of disruptive digital services • We focus on digital innovations • We are hiring. CACua@smart.com.ph
- 3. VPC
- 4. WHY VPC • Logical isolation of AWS assets (think of VLAN) • Control over IP addressing, subnets, routing, gateways • VPN Connectivity to datacenter or 3rd party networks • VPC Peering • S3 Security • NACL apart from Sec Groups • Assign private static IP to EC2 instance • New features / services are VPC-only
- 5. USES CASES • Public facing sites • Multi-tier web applications • Host scalable applications that are connected to on-prem resources • Extend on-prem network into the cloud • Disaster recovery
- 8. WHY THE CONNECTIVITY • On-prem components • HSM • MediaServers • Slowly migrating infrastructure from On-Prem to AWS • Connecting to 3rd party networks • Secure administrative access from office network • Compliance
- 9. • VPC VPN - IPSec • Direct Connect • Combination • Roll-You-Own (RYO) • VPC Peering CONNECTIVITY OPTIONS
- 10. VPC IPSEC • Cheapest, easiest and the quickest to implement • Static or Dynamic Routing (no public AS required) • Secure tunnel through public internet • Supports dual tunnel for redundancy • Supports the most common hardware VPN • Cisco, Fortinet, Juniper, Microsoft, Palo Alto, Yamaha, IIJ • Checkpoint, H3C, etc • … and software • Racoon • StrongSWAN • OpenSWAN
- 13. DIRECT CONNECT • Consistent network performance • PH – SG ~40ms through PLDT • Private access to AWS services such as EC2, S3, VPC, etc • 1Gbps to 10Gbps, but depends on the capability of your Direct Connect Provider • Needs APN partner • SG – Equinix, Tata, Verizon, Level 3, NTT, Pacnet • Philippines – PLDT • Implementation from weeks to months
- 15. COMBINATION DIRECT CONNECT WITH IPSEC FAIL-OVER • IPSec is cost-effective redundancy for Direct Connect • IP Routing through APN Partner • Static • AWS – force Direct Connect by propagating specific routes through BGP (10.10.10.10/32 – BGP, 10.10.10.0/24 IPSec) • IPSec – use static routing • Customer – IPSLA • Need the Direct Connect Provider to propagate for you • Dynamic • AWS – Automatic • Customer - BGP AS-PATH Prepending • You propagate your own routes
- 17. ROLL YOUR OWN • IPSec, PPTP, L2TP, SSL • OpenVPN is the easiest to implement • Sites-to-Site connectivity • Can be used Road-Warrior Style • Force routes to remote peer • Integrates with LDAP and TOTP • Requires client software • Free
- 18. VPC PEERING • Inter-VPC communication as if they are on the same VPC • Your own or 3rd Party VPC • Think of VLAN trunking • Apply routing policies on both sides • Maybe peer w another VPC in another region (future) • NACL and Sec Groups still apply • Peered VPC to IPSec/Direct Connect not supported • But can use a proxy