Best Practices for Extending the WAN into AWS (IaaS) with SD-WAN
Rob McBride, Marketing, @digitalmcb
Ariful Huq, Product Management, @arifulhuq
Viptela Confidential2
Industry trends impacting networking: Cloud, Mobile, Social
What is SD-WAN: The Basics

The What:
Software Defined WAN (SD-WAN) is an approach to architecting the WAN that uses Software Defined Networking (SDN) to optimize and control traffic between locations.

The How:
Controllers create an encrypted overlay tunnel architecture on top of the existing WAN transport infrastructure.

Building blocks:
• Transport Independent Fabric
• Robust Forwarding Infrastructure
• Application Policies
• Analytics, Monitoring and Operations
A little more detail into what it gives you

Operational Simplicity
• Zero Touch Provisioning
• Centralized Monitoring and Visibility
• Interoperability to legacy

Hybrid WAN
• Carrier agnostic
• Multi-Transport support (MPLS, LTE, Broadband)
• Intelligent Active/Active utilization

Application and Cloud Awareness
• Application based traffic steering
• Distributed Analytics
• Multi-topology support per application

Secure and Routed Infrastructure
• Centralized Control and Distributed forwarding
• Secure connectivity between forwarding elements
• Embedded enterprise grade networking
Great, now let's look at Cloud. Specifically, Amazon (AWS).
Hybrid Cloud Today

[Diagram: three on-prem DCs connected over the WAN to a VPN Gateway at a Public Cloud Provider in Region 1 and in Region 2, using point-to-point IPsec tunnels or Direct Connect]

Challenges
• Scale
• Isolation & Security
• Resilient Access
• Application Visibility & Steering
• Centralized Monitoring & Management
• Inter region peering
Extend the SEN Overlay to the Public Cloud

[Diagram: Branch vEdge and Data Center vEdge (Enterprise DC / Private Cloud, with Line of Business A and Line of Business B) connected over Private (MPLS) and Internet transports to a Viptela Cloud GW in each Public Cloud Provider region (Region 1, Region 2); VPN1 and VPN2 segments are carried end to end from the enterprise sites into each Virtual Private Cloud]

• Public Cloud becomes an extension of the Enterprise WAN
• Leverage SD-WAN technology
  • Hybrid Transport
  • Topology driven VPN Segmentation
  • Application visibility for steering
• Centralized configuration and policy management across on premise and cloud end-points
Public Cloud Connectivity Options

Option 1: Direct Connect to Public Cloud through Partner
[Diagram: Branch vEdge -> Partner Carrier PE -> Public Cloud Provider (IaaS/PaaS)]
MPLS carriers (AT&T and Verizon) offer direct connect into the public cloud provider, e.g. AT&T NetBond, Verizon SCI. The enterprise does not need to worry about collocating routers with public cloud providers. Offers the best network performance (bandwidth guarantees and latency).

Option 2: Direct Connect to Public Cloud through meet-me locations
[Diagram: Branch vEdge -> Internet -> Colo vEdge -> Public Cloud Provider (IaaS/PaaS)]
The enterprise is collocated with the public cloud carriers in meet-me locations, e.g. Equinix Cloud Exchange. Performance guarantees apply from the collocation facility onward only; there are no guarantees over the Internet segment between the branch and the colo.

Option 3: Internet connection to Public Cloud
[Diagram: Branch vEdge -> Internet -> Public Cloud Provider (IaaS/PaaS)]
Internet only for connectivity. No performance guarantees on any segment.
Amazon VPC Routing
• By default, every subnet can talk to every other subnet: every route table carries an implicit local route for the VPC CIDR, and that route cannot be deleted
• This is enabled by a virtual router that sits in a star topology between all subnets
• To get to this router, the VPC DHCP service hands out the first usable address of the subnet (the .1 address in a /24) as the default gateway to each instance coming up in that subnet; AWS reserves that address in every subnet for the router

[Diagram: VPC CIDR 10.1.0.0/16 with a Public Subnet and a Private Subnet in Availability Zone A and in Availability Zone B; Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; the .1 address of each subnet is the VPC router]
Direct Connect 101
Example Customer Deployment - Before

[Diagram: Branches and the DC connected over MPLS; the DC has a Direct Connect to a VGW in AWS Region A, which hosts the EC2 workload]

• MPLS is the WAN technology for Branch and Data Center locations
• Data center has a direct connect via carrier to AWS
• All AWS bound traffic goes through the Data center

Customer wants
• Augment public transport in all locations
• Maintain compliance while adopting hybrid cloud
• Maintain control of routing into AWS VPCs
• Extend Data center segmentation to AWS
• Remove hub and spoke nature of AWS hosted traffic
Example Customer Deployment - After with SD-WAN technology

[Diagram: Branch vEdges and the DC vEdge connected over both MPLS and Internet; a vEdge Cloud in AWS Region A is reached over Direct Connect (via the VGW) and over the Internet (via the IGW), and fronts the EC2 workload]

• Redundant Transport from AWS cloud and all enterprise locations
• VPC vEdge can make a decision on primary and secondary path based on policy
• Direct Connect is limited to 100 routes advertised over its BGP session, so only learn underlay routes for establishing connectivity between DC and VPC. LAN side routes are learnt through the overlay
• End result: Bandwidth augmentation, more control and an operationally simple solution to deploy
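The 100-route limit above is the reason the DC edge should only announce underlay (transport) prefixes over the Direct Connect BGP session and leave site LAN prefixes to the overlay. The following Python is an added example, not Viptela or AWS code, that plans such an advertisement: it summarizes the underlay prefixes, refuses any LAN prefix that would leak into the announcement, and fails if the summarized list still exceeds the limit. All prefixes are constructed documentation/RFC 1918 ranges and the function names are mine.

```python
"""Plan what the data-center edge advertises to AWS over the Direct Connect
private VIF. Constructed example, not Viptela or AWS code.

Assumptions (hypothetical addressing):
  - underlay prefixes are the DC-side transport networks the vEdge uses to
    build tunnels to the vEdge Cloud in the VPC
  - LAN prefixes are the site networks that must travel over the SD-WAN
    overlay instead, so they are never placed in the DX BGP advertisement
"""
import ipaddress

# AWS limit on prefixes advertised from on-prem over a private VIF BGP session.
DX_PRIVATE_VIF_PREFIX_LIMIT = 100


def plan_dx_advertisement(underlay_prefixes, lan_prefixes,
                          limit=DX_PRIVATE_VIF_PREFIX_LIMIT):
    """Return the summarized prefix list (as strings) to announce over DX.

    Raises ValueError if a LAN prefix would be covered by the DX
    advertisement (it belongs to the overlay) or if the summarized list
    still exceeds the limit.
    """
    underlay = [ipaddress.ip_network(p) for p in underlay_prefixes]
    lan = [ipaddress.ip_network(p) for p in lan_prefixes]

    # Summarize adjacent and contained networks so the count stays small.
    summarized = list(ipaddress.collapse_addresses(underlay))

    # Guard: LAN networks must only be reachable through the overlay.
    for lan_net in lan:
        for adv in summarized:
            if lan_net.overlaps(adv):
                raise ValueError(f"LAN prefix {lan_net} overlaps DX advertisement {adv}")

    if len(summarized) > limit:
        raise ValueError(f"{len(summarized)} prefixes exceed the DX limit of {limit}")
    return [str(n) for n in summarized]


def would_exceed_limit(prefixes, limit=DX_PRIVATE_VIF_PREFIX_LIMIT):
    """True if the prefixes, even after summarization, exceed the DX limit.
    Shows why pushing every site LAN over DX does not scale."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return len(list(ipaddress.collapse_addresses(nets))) > limit


# Constructed sample: two adjacent /26 transport subnets and one /24 in the DC.
SAMPLE_UNDERLAY = ["192.0.2.0/26", "192.0.2.64/26", "198.51.100.0/24"]
# Constructed sample: 150 non-contiguous site LAN /24s (every other /24),
# which cannot be summarized and would blow past the 100-prefix limit.
SAMPLE_LAN = [f"10.{10 + i // 128}.{(i % 128) * 2}.0/24" for i in range(150)]

if __name__ == "__main__":
    print("DX advertisement:", plan_dx_advertisement(SAMPLE_UNDERLAY, SAMPLE_LAN))
    print("LAN over DX would exceed limit:", would_exceed_limit(SAMPLE_LAN))
```

The two adjacent /26s collapse into a single /25, so the DC announces two prefixes; the 150 LAN /24s stay at 150 after summarization and are exactly the routes the overlay must carry instead.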
Amazon VPC Layout

VPC CIDR: 10.0.0.0/16

vEdge Cloud interfaces (one ENI per subnet):
• Transport 1: Subnet-1 10.0.0.0/24, Internet via IGW (EIP)
• Transport 2: Subnet-2 10.0.1.0/24, Direct Connect via VGW
• Mgmt: Subnet-3 10.0.2.0/24, Internet via IGW (EIP)
• Service Interface (ENI): faces the EC2 workload subnets Subnet-4 10.0.3.0/24, Subnet-5 10.0.4.0/24 and Subnet-6 10.0.5.0/24

vEdge cloud transport & management VPC route tables

Subnet-1 Route table
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     igw

Subnet-2 Route table
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     vgw

Subnet-3 Route table
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     igw

EC2 subnet route tables

Subnet-4 Route table
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     eni

Subnet-5 Route table
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     eni

Subnet-6 Route table
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     eni

The eni target in the EC2 subnet route tables is the vEdge Cloud service interface, so every packet a workload sends outside the VPC is steered into the overlay instead of straight to the IGW. Two points to check when building this: the source/destination check must be disabled on the vEdge instance (or on its ENIs), because EC2 otherwise drops packets that are not addressed to the instance itself; and the implicit local route for 10.0.0.0/16 is more specific than the default route, so traffic between the EC2 subnets inside this VPC never passes through the vEdge. Workloads that need to stay in separate VPN segments should therefore live in separate VPCs (as in the VPN1/VPN2 layout earlier), or be separated with security groups and network ACLs inside the VPC.
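To make the route tables above and the earlier VPC routing slide concrete, the following Python models the tables and resolves a destination the way the VPC router does: longest prefix match, with the implicit local route present in every table, plus the reserved addresses (network, router, DNS, reserved, broadcast) that explain the .1 default gateway. It is an added example, not Viptela or AWS code; the subnet names, CIDRs and targets come from the layout, while the function names, the route-table dictionary shape and the test destination 203.0.113.10 are assumptions.

```python
"""Model the VPC route tables from the layout and evaluate how the VPC router
forwards packets. Constructed example, not AWS or Viptela code.

Subnet names, CIDRs and targets mirror the layout; helper names are assumed.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Explicit routes per subnet route table as (destination, target).
# The 'local' route for the VPC CIDR is implicit in every AWS route table,
# cannot be deleted, and is added by lookup() below.
ROUTE_TABLES = {
    "Subnet-1": [("0.0.0.0/0", "igw")],   # vEdge Transport 1 (Internet)
    "Subnet-2": [("0.0.0.0/0", "vgw")],   # vEdge Transport 2 (Direct Connect)
    "Subnet-3": [("0.0.0.0/0", "igw")],   # vEdge Mgmt
    "Subnet-4": [("0.0.0.0/0", "eni")],   # EC2 workloads -> vEdge service ENI
    "Subnet-5": [("0.0.0.0/0", "eni")],
    "Subnet-6": [("0.0.0.0/0", "eni")],
}
SUBNETS = {
    "Subnet-1": "10.0.0.0/24", "Subnet-2": "10.0.1.0/24", "Subnet-3": "10.0.2.0/24",
    "Subnet-4": "10.0.3.0/24", "Subnet-5": "10.0.4.0/24", "Subnet-6": "10.0.5.0/24",
}
WORKLOAD_SUBNETS = ("Subnet-4", "Subnet-5", "Subnet-6")


def reserved_addresses(cidr):
    """AWS reserves five addresses per subnet: network, router (+1), DNS (+2),
    future use (+3) and the broadcast address. The +1 address is the default
    gateway that VPC DHCP hands to instances (the .1 in a /24)."""
    net = ipaddress.ip_network(cidr)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "reserved": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def lookup(subnet_name, dst_ip, route_tables=ROUTE_TABLES):
    """Longest-prefix match over the subnet's route table plus the implicit
    local route. Returns the target name ('local', 'igw', 'vgw', 'eni')."""
    dst = ipaddress.ip_address(dst_ip)
    routes = [(VPC_CIDR, "local")] + [
        (ipaddress.ip_network(d), t) for d, t in route_tables[subnet_name]
    ]
    best = None
    for net, target in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def egress_bypasses_vedge(route_tables=ROUTE_TABLES, probe="203.0.113.10"):
    """Workload subnets whose Internet-bound traffic does not hit the vEdge
    service ENI: the misconfiguration that silently breaks segmentation and
    application visibility. Returns an empty list for the layout as drawn."""
    return sorted(n for n in WORKLOAD_SUBNETS if lookup(n, probe, route_tables) != "eni")


if __name__ == "__main__":
    print(reserved_addresses(SUBNETS["Subnet-4"]))
    print("Subnet-4 -> Internet:", lookup("Subnet-4", "203.0.113.10"))
    print("Subnet-4 -> Subnet-5 host:", lookup("Subnet-4", "10.0.4.44"))
    print("Bypassing vEdge:", egress_bypasses_vedge())
```

Two things the run makes visible: an Internet-bound packet from Subnet-4 resolves to eni while a packet to 10.0.4.44 resolves to local, so intra-VPC traffic between workload subnets never reaches the vEdge; and pointing any workload subnet's default route at igw instead of the ENI shows up immediately in egress_bypasses_vedge().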
Viptela AWS EC2 instance guide
# Transport links Throughput Recommendation
1 (3 x ENIs) <100Mbps c3.large
2 (4 x ENIs) <100Mbps c3.xlarge
1 (3 x ENIs) >100Mbps c3.xlarge
2 (4 x ENIs) >100Mbps c3.xlarge
VPC Deployment Best Practice
Any-to-any connectivity to remove network choke-points and better user experience
Visibility for application steering and resiliency
Segment/Isolate workloads for security and compliance
Contact us: Twitter @Viptela, www.viptela.com