aws best practices webinar final - viptela | network...

Best Practices for Extending the WAN into AWS (IaaS) with SD-WAN

Rob McBride Marketing

@digitalmcb

Ariful HuqProduct Management

@arifulhuq&

Viptela Confidential2

Industry trends impacting networking

Cloud Mobile

Social


The What:

Software Defined WAN (SD-WAN) is the approach to architect the WAN utilizing Software Defined Networking (SDN) to optimize and control traffic between locations.

The How:

Controllers create an encrypted overlay tunnel architecture on top of the existing WAN transport infrastructure.

What is SD-WAN: The Basics

Transport Independent Fabric

Robust Forwarding Infrastructure

Application Policies

Analytics, Monitoring and Operations


Little more detail into what it gives you

OperationalSimplicity

ZeroTouchProvisioning

CentralizedMonitoringand

Visibility

Interoperabilitytolegacy

HybridWan

Carrieragnostic

Multi-Transportsupport(MPLS,LTE,

Broadband)

IntelligentActive/Activeutilization

ApplicationandCloudAwareness

Applicationbasedtrafficsteering

DistributedAnalytics

Multi-topologysupporperapplication

SecureandRouted

Infrastructure

CentralizedControlandDistributedforwarding

Secureconnecivitybetweenforwarding

elements

Embeddedenterprisegrade

networking


Great, now lets look at Cloud.

Specifically, Amazon (AWS)


Hybrid Cloud Today

Public Cloud Provider in Region 1

Public Cloud Provider in Region 2

On premDC

On premDC

On premDC

VPN Gateway

VPN Gateway

Point to Point IPSec Tunnels/ Direct Connect

WAN

Challenges

Scale

Isolation & Security

Resilient Access

Application Visibility & Steering

Centralized Monitoring & Management

Inter region peering


Extend the SEN Overlay to the Public CloudPublic Cloud

Provider Region 1

ViptelaCloud GW

Branch vEdge

Enterprise DC Private CloudLine of

Business A

Line of Business

B

Data Center vEdge

Virtual Private Cloud Virtual Private Cloud

Public Cloud Provider Region 2

ViptelaCloud GW

Private (MPLS) Internet

VPN1

VPN2

VPN1

VPN2

VPN1

VPN2

VPN1

VPN2

• Public Cloud becomes an extension of the Enterprise WAN

• Leverage SD-WAN technology• Hybrid Transport• Topology driven VPN

Segmentation• Application visibility for

steering

• Centralized configuration and policy management across on premise and cloud end-points


Public Cloud Connectivity Options

Branch vEdge

Partner

Carrier PE

Option 1: Direct Connect to Public Cloud through Partner

Public Cloud Provider

IaaS/PaaS

MPLS carrier (ATT & Verizon) offers direct connect into public cloud provider. Ex. ATT NetBond, Verizon SCI. Enterprise does not need to worry about collocating routers with public cloud providers. Offers best network performance (bandwidth guarantees & latency)

Internet

Branch vEdge

Colo vEdge


IaaS/PaaS

Enterprise collocated with public cloud carriers in meet me locations i.e Equinixcloud exchange. Performance guarantees from collocation facility only. No guarantees over the internet.

Option 2: Direct Connect to Public Cloud through meet-me locations

Internet

Branch vEdge


IaaS/PaaS

Internet only for connectivity.No performance guarantees on any segment.

Option 3: Internet connection to Public cloud


Amazon VPC Routing

• By default, every subnet can talk to every other subnet

• This is enabled by a virtual router that sits in a star topology between all subnets

• To get to this router, the VPC DHCP service hands out a .1 default gateway to each instance coming up in a subnet (in a /24 subnet)

Public Subnet

Availability Zone A

Private Subnet

Public Subnet

Availability Zone B

Private Subnet

Instance A10.1.1.11 /24

Instance C10.1.3.33 /24

Instance B10.1.2.22 /24

Instance D10.1.4.44 /24

VPC CIDR: 10.1.0.0 /16

.1

.1 .1

.1


Direct Connect 101


Example Customer Deployment - Before

AWS Region A

VGWDirect

Connect

• MPLS is the WAN technology for Branch and Data Center locations• Data center has a direct connect via carrier to AWS• All AWS bound traffic goes through the Data center

Customer wants• Augment public transport in all locations• Maintain compliance while adopting hybrid cloud• Maintain control of routing into AWS VPCs• Extend Data center segmentation to AWS• Remove hub and spoke nature of AWS hosted traffic

MPLSMPLS

DC

Branch

Branch

EC2 workload


Example Customer Deployment– After with SD-WAN technology

IGW

AWS Region A

• Redundant Transport from AWS cloud and all enterprise locations• VPC vEdge can make a decision on primary and secondary path based on policy• Direct connect is limited to 100 routes so only learn underlay routes for establishing connectivity between

DC and VPC. LAN side routes are learnt through the overlay• End result: Bandwidth augmentation, more control and an operationally simple solution to deploy

Direct Connect

MPLS

Internet

VGW

vEdgecloudEC2

workload

Branch vEdge

Branch vEdge

DC vEdge


Amazon VPC LayoutCID

R:

10.0

.0.0

/16

Subnet-410.0.3.0/24

Subnet-110.0.0.0/24

EIP:Subnet-2

10.0.1.0/24

Subnet-310.0.2.0/24

EIP:

vEdge Cloud

Transport 1

MgmtTransport 2

Service Interface (ENI)

Subnet-1 Route table

Destination Target

10.0.0.0/16 local

0.0.0.0/0 igw

VPC Router


Destination Target

10.0.0.0/16 local

0.0.0.0/0 vgw


Destination Target

10.0.0.0/16 local

0.0.0.0/0 igw


Destination Target

10.0.0.0/16 local

0.0.0.0/0 eni


Destination Target

10.0.0.0/16 local

0.0.0.0/0 eni


Destination Target

10.0.0.0/16 local

0.0.0.0/0 eni

Subnet-510.0.4.0/24 Subnet-6

10.0.5.0/24

IGW

VGW

vEdge cloud transport & management VPC

route tables

EC2 subnet route tables


Viptela AWS EC2 instance guide

# Transport links Throughput Recommendation

1 (3 x ENIs) <100Mbps c3.large

2 (4 x ENIs) <100Mbps c3.xlarge

1 (3 x ENIs) >100Mbps c3.xlarge

2 (4 x ENIs) >100Mbps c3.xlarge


VPC Deployment Best Practice

Any-to-any connectivity to remove network choke-points and better user experience

Visibility for application steering and resiliency

Segment/Isolate workloads for security and compliance

Contact us:

Twitter @Viptelawww.viptela.com

aws best practices webinar final - viptela | network...

Documents