Notes on: Linux Academy: AWS CSAA: 12) Hybrid Environments and VPC Peering

Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Things to Know

VPN Essentials:

- A virtual private network enables the ability to extend a subnet from one geographic location to another geographic location on two separate networks
- Extending the subnets allows the network at location “A” to communicate internally with all resources at location “B”
- This is essentially “extending” the on-premise network to the cloud, or the cloud to the on-premise network

- For AWS, this allows us to communicate with all resources (like an EC2 instance) internally without the need for public IP addresses and an internet gateway
- It also provides an additional level of security by ensuring that traffic sent using the VPN is encrypted

- The VPN connection has two parallel routes (IPsec tunnels), which is for redundancy
- Only one Virtual Private Gateway can be attached to a VPC (just like only one IGW can be attached to a VPC)
- A VPC can have both a VPG and an IGW attached at the same time

Customer Gateways:

- A customer gateway is a physical device or software application at the on-premise location that acts as the “connector” to the VPN connection
- In your AWS account, the customer gateway component is where you configure the public IP (internet routable static IP) address of the physical device or software application at the on-premise location

Note: Both a VPG and a Customer Gateway are required to establish a VPN connection

VPN Connection:

- The VPN connection is the actual link between the virtual private gateway and the customer gateway
- This connection is set up and managed in AWS
- Each connection uses two IPsec tunnels for redundancy

Virtual Private Gateway (VPG):

- A virtual private gateway acts as the “connector” on the VPC (AWS) side of the VPN connection
- The VPG is connected to the VPC

Router:

- AWS has dispensed with the concept of having users physically set up and manage a “router”
- However, it is important to understand that route tables are actually part of a “router” assigned to your VPC

- When setting up a VPN, the route table (for the subnet you wish to extend) must include routes for the on-premise network that are used by the VPN, and point them to the Virtual Private Gateway
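The route-table point above, as an added example (not from the course): a constructed subnet route table with a local route, a default route to the IGW and an on-premises route to the VPG, plus the longest-prefix-match lookup the VPC router performs. All resource ids are placeholders.

```python
import ipaddress

# Constructed sample: the subnet being "extended" over the VPN lives in
# 10.0.0.0/16, the on-premises network is 192.168.0.0/16. Target ids are
# placeholders, not real AWS resources.
VPC_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "192.168.0.0/16"

ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),               # intra-VPC traffic
    ("192.168.0.0/16", "vgw-PLACEHOLDER"),  # on-premises network via the VPG
    ("0.0.0.0/0", "igw-PLACEHOLDER"),       # everything else via the IGW
]

# The same table with the on-premises route forgotten.
ROUTE_TABLE_NO_VPN = [r for r in ROUTE_TABLE if r[1] == "local" or r[0] == "0.0.0.0/0"]


def lookup(route_table, dst_ip):
    """Pick the route for dst_ip by longest prefix match, as the VPC router does."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def missing_onprem_route(route_table, onprem_cidr):
    """True when no route for the on-premises prefix points at a VPG (vgw-*)."""
    onprem = ipaddress.ip_network(onprem_cidr)
    return not any(
        ipaddress.ip_network(cidr) == onprem and target.startswith("vgw-")
        for cidr, target in route_table
    )


if __name__ == "__main__":
    # With the VPG route, on-premises destinations use the IPsec tunnels.
    print(lookup(ROUTE_TABLE, "192.168.5.9"))          # vgw-PLACEHOLDER
    # Without it, the same destination falls through to the default (IGW) route,
    # so the traffic never enters the encrypted tunnel.
    print(lookup(ROUTE_TABLE_NO_VPN, "192.168.5.9"))   # igw-PLACEHOLDER
    print(missing_onprem_route(ROUTE_TABLE_NO_VPN, ONPREM_CIDR))  # True
```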

Direct Connect Essentials:

- AWS Direct Connect is a service that provides a dedicated network connection between your network and one of the AWS Direct Connect locations
- This is done through an authorized Direct Connect Provider (i.e. Verizon or other ISPs)
- Does not require hosting any router/hardware at the Direct Connect Partner location, only requires a Direct Connect location and a participating backbone provider
- An AWS Direct Connect location provides access to the AWS region it is associated with
- It does not provide access to other AWS regions

Direct Connect Benefits:
+ Reduce network costs:
-- Reduce bandwidth commitment to corporate ISP over public internet
-- Data transferred over direct connect is billed at a lower rate by Amazon (data in/out)
+ Increase network consistency
-- Dedicated private connections reduce latency (over sending the traffic via public routing)
+ Dedicated private network connection to on-premise:
-- Connect the direct connect connection to a VGW in your VPC for a dedicated private connection from on-premise to VPC
-- Use Multiple VIFs (Virtual Interfaces) to connect to multiple VPCs

Image: ‘Route w/out Direct Connect’ v ‘Route with Direct Connect’

Cross-network Connection (Cross Connect):

The physical connection between your network and the Direct Connect authorized partner, which then handles the routes and connections to AWS networks

Private Virtual Interface:

- A Private Virtual Interface allows you to interface with an AWS VPC
-- With automatic route discovery using BGP
-- Requires a public or private ASN (autonomous system number)
- Can only communicate with internal IP addresses inside of EC2
- Cannot access public IP addresses, as Direct Connect is NOT an internet provider
- This is a dedicated private connection which works like a VPN
- For best practice, use two Direct Connect connections for active-active or active-failover availability
- You can also use VPN as a backup to direct connect connections
- You can create multiple private virtual interfaces to multiple VPC’s at the same time

Public Virtual Interface:

- A Public Virtual Interface allows you to use a Direct Connect connection to connect to public AWS endpoints:
-- Any AWS service (for example: DynamoDB and Amazon S3)
- Requires public CIDR block range
- Even though we are accessing public endpoints, the traffic keeps the consistency of the dedicated connection, since it is sent over your dedicated network rather than the public internet

Storage Gateway Essentials:

- Storage Gateway connects local data center software appliances to cloud based storage such as Amazon S3
- It does this through the Storage Gateway virtual appliance, which connects directly to your local infrastructure as a file server, a local disk volume, or as a virtual tape library (VTL)
- It can maintain frequently accessed data on-premises (providing low-latency performance) while storing all other data in:
-- S3
-- EBS
-- Glacier
- Storage Gateway also integrates your data with:
-- AWS encryption
-- Identity management
-- Monitoring

Gateway-Cached Volumes
- Create storage volumes and mount them as iSCSI devices on the on-premise servers
- The gateway will store the data written to this volume in Amazon S3 and will cache frequently accessed data on-premise in the storage device

Gateway-Stored Volumes
- Store all the data locally (on-premise) in storage volumes
- The gateway will periodically take snapshots of the data as incremental backups and store them on Amazon S3

VPC Peering Essentials:

- VPC peering is used to extend your private network from one VPC, or one subnet, or specifically one instance, to another VPC
- This is for sharing internal resources, via private IP addresses
- VPC peering can only occur between two VPCs that are in the same region
- You cannot configure VPC peering between VPCs in two different regions
- You can however configure VPC peering between two VPCs in different accounts (but only if they are in the same region)
- To peer VPCs, they must have separate (non-overlapping) CIDR block ranges
- Transitive connections are not allowed
- You can configure the peering to connect the entire VPC, or just specific subnets
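The peering rules above (same region, non-overlapping CIDRs, no transitive connections), as an added example that is not part of the course notes. The VPC ids, regions and CIDRs are constructed sample data.

```python
import ipaddress

# Constructed sample VPCs; ids are placeholders, not real resources.
VPCS = {
    "vpc-A": {"region": "us-east-1", "cidr": "10.0.0.0/16"},
    "vpc-B": {"region": "us-east-1", "cidr": "10.1.0.0/16"},
    "vpc-C": {"region": "us-east-1", "cidr": "10.2.0.0/16"},
    "vpc-D": {"region": "eu-west-1", "cidr": "10.3.0.0/16"},   # other region
    "vpc-E": {"region": "us-east-1", "cidr": "10.0.128.0/17"}, # overlaps vpc-A
}

# Constructed peerings: A<->B and B<->C, but no direct A<->C.
PEERINGS = [("vpc-A", "vpc-B"), ("vpc-B", "vpc-C")]


def peering_problems(vpcs, a, b):
    """Return the reasons a peering between a and b cannot be created ([] if OK)."""
    problems = []
    if vpcs[a]["region"] != vpcs[b]["region"]:
        problems.append("different regions")
    net_a = ipaddress.ip_network(vpcs[a]["cidr"])
    net_b = ipaddress.ip_network(vpcs[b]["cidr"])
    if net_a.overlaps(net_b):
        problems.append("overlapping CIDR blocks")
    return problems


def reachable(peerings, src, dst):
    """Peering is not transitive: only a direct peering carries traffic.

    A plain graph search would report A -> B -> C as a path, but the VPC
    router never forwards traffic from one peering into another, so only
    a direct src<->dst peering counts.
    """
    direct = {frozenset(p) for p in peerings}
    return frozenset((src, dst)) in direct


if __name__ == "__main__":
    print(peering_problems(VPCS, "vpc-A", "vpc-B"))   # []
    print(peering_problems(VPCS, "vpc-A", "vpc-D"))   # ['different regions']
    print(peering_problems(VPCS, "vpc-A", "vpc-E"))   # ['overlapping CIDR blocks']
    print(reachable(PEERINGS, "vpc-A", "vpc-B"))      # True
    print(reachable(PEERINGS, "vpc-A", "vpc-C"))      # False (would need a direct peering)
```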

Architecture Diagrams

Image: AWS Physical & Networking Layer (Hybrid Environments)

Image: AWS Physical & Networking Layer (Virtual Private Networks)

Image: Physical & Networking Layer (AWS Direct Connect)

Image: Physical & Networking Layer (AWS Storage Gateway)

Image: Physical & Networking Layer (VPC Peering)

Quiz: Hybrid Quiz

Q: If AWS asks you to configure the connection between your on-premise data center and a Direct Connect Authorized Provider, what would you be configuring?
A: The cross-network connection
E: The cross-network connection is the connection between your on-premise data center and the Direct Connect Authorized Provider.

Q: You are trying to establish a VPC peering connection but are having difficulties locating the other VPC. What is most likely the cause?
A: The other VPC is in a different region
E: For a VPC peering connection to be established, both VPCs must be in the same region.

T: You can peer VPCs that are in two different AWS accounts, but they must be in the same region.

Q: What two components are required to establish a VPN connection?
A: Virtual Private Gateway and Customer Gateway
E: The VPG and Customer Gateway are the two "connectors" on both sides of the VPN connection (and both are required).

T: An AWS VPN connection automatically has two parallel IPsec tunnels for redundancy
T: A VPC can have both an IGW and a VPG attached at the same time (but only one of each).

Q: You have set up an AWS Direct Connect connection for your company but still want to create a backup solution in case the Direct Connect connection fails. What solution should you use as the backup?
A: AWS virtual private network
E: A virtual private network is a great backup solution for AWS direct connect. A virtual private network provides the same access, just with fewer benefits.

T: VPC peering does not allow transitive connections.

Q: If you need a dedicated, low latency connection to AWS from your on-premises data center, what solution should you choose?
A: AWS Direct Connect
E: AWS Direct Connect is a service that provides a dedicated network connection between your data center and one of AWS's Direct Connect locations. One of the main benefits of Direct Connect is a low-latency connection.

Q: You have been asked to set up architecture that extends the AWS VPC to your company's on-premise data center. What do you need to set up to accomplish this?
A: Virtual Private Network
E: You will need to set up and configure a virtual private network. A VPN is what allows you to extend subnets inside your VPC to your on-premise data center.

Q: What best describes a Customer Gateway?
A: An on-premises, physical device that acts as the "connector" for the VPN connection.
E: The Customer Gateway is a physical or software application that is located at your on-premise data center. It is the VPN connector on the data center side (of the connection) and must be configured with a static public IP address.

T: A Public Virtual Interface allows you to interface with AWS resources that have a public endpoint (like S3 or DynamoDB).