Вы находитесь на странице: 1из 25

eBook

Deploy a highly available, scalable,


and secure transit VPC on AWS
Simplify network management with a reduced number of connections

Copyright © 2018. Amazon Web Services or its affiliates. All rights reserved.
Table of Contents
Introduction�������������������������������������������������������������������������������������������������������������������������������������������4

Transit VPC���������������������������������������������������������������������������������������������������������������������������������������������7

How it works����������������������������������������������������������������������������������������������������������������������������������������10

Transit VPC Use Cases �����������������������������������������������������������������������������������������������������������������������13

AWS partner network solutions: Aviatrix Controller�������������������������������������������������������������������15

AWS partner network solutions: Juniper Networks��������������������������������������������������������������������19

Conclusion��������������������������������������������������������������������������������������������������������������������������������������������23

Getting started������������������������������������������������������������������������������������������������������������������������������������24

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 2


Introduction
Introduction
A virtual private cloud (VPC) is your network environment in the cloud. By default,
your Amazon VPC has strong segmentation and is not connected to any other
networks. However, you may find you would like multiple VPCs for segmentation,
business isolation, blast radius reduction, and other segmentation purposes. It
can be complex to manage, operate, and configure individual connections
to each VPC. The transit VPC can simplify connectivity to multiple VPCs.

By customizing the network configuration for Amazon VPC, customers


are able to create public-facing subnets for web servers that have
access to the Internet; additionally, they can place backend systems,
such as databases and application servers, in a private-facing subnet
Internet connection while still delivering secure access.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 4


Introduction

However, if your organization needs to connect multiple VPCs and remote networks in
different locations, implementing a transit VPC solution should be considered. A transit
VPC connects multiple VPCs, remote networks in different Amazon Web Services (AWS)
Regions and Availability Zones (AZs), and across separate AWS accounts. In many cases,
businesses need to be able to transfer data from VPC to VPC. If they do not have a
transit VPC, this traffic often has to be run through an on-premises data center, or is
peered from VPC to VPC.

A transit VPC is a hub-and-spoke model that helps eliminate on-premises


latency and accelerates the time it takes to transfer data from point
A to point B. The transit VPC is defined for an AWS Region, with the
VPC subnets being equally divided amongst two Availability Zones per
Region. This provides redundancy and high-availability for the purposes
of maintaining that high availability. Transit VPCs are brought online
using custom AWS CloudFormation templates.

This eBook serves as an introduction to transit VPCs, and also provides


high-level details on best practices for implementations and operations.
You will also learn how AWS Partner Network (APN) Partners Aviatrix and
Juniper Networks customers benefit from their transit VPC solutions.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 5


Transit VPC
Transit VPC
Details on setting up a transit VPC
A transit VPC is a hub-and-spoke network topology that enables you
to seamlessly transfer data between globally dispersed VPCs while
using security functionality to protect network traffic. This can help
to simplify network management and reduce the number of overall
Virtual Private Network (VPN) connections that need to be set up and
maintained. A transit VPC can be implemented virtually and requires
no physical network gear or presence in a colocation transit hub.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 7


Transit VPC

Transit VPC Best Practices


When creating a transit VPC, universal network-design principles will have to
be considered; therefore, you should consider working with an APN Partner, like
Aviatrix or Juniper Networks, to help design and implement a transit VPC that
will effectively transfer data from VPC to VPC:

■■ To reduce the amount of traffic in the transit network,


consider VPC peering between resources that do not
require transitive routing to reduce transit network latency
and improve application performance

■■ Deploy network ranges that do not overlap in order to


simplify routing between remote networks

■■ Instead of statically routed connections, leverage multiple


dynamically routed connections between networks and
enable automatic failover between connections

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 8


How it works
How it works
Spoke VPCs are connected to the transit network through dynamically routed VPN connections
between virtual private gateways (VGWs) and network appliances. This design uses VPN
connections from spoke VPCs, rather than VPC peering, to enable routing between any
connected network (including external networks or VPCs in other AWS Regions).

Spoke VPC resources can leverage VGW capabilities for routing and
failover to maintain highly available network connections to the transit
VPC network appliances. Remote networks also connect to the transit
VPN appliances using redundant, dynamically routed VPN connections.
Once connected, leverage dynamic routing protocols to automatically
route traffic around potential network failures as well as to propagate
network routes to remote networks.

This design allows the transit VPC to implement more complex routing
rules, such as network address translations between overlapping network
ranges, or to add additional network-level packet filtering or inspection.

The transit VPC supports any IP-based connectivity requirements between Amazon VPCs and
remote resources with few on-premises network changes required. It also presents an opportunity
to select products available in AWS Marketplace that integrate seamlessly with AWS-provided
VPN connections, without the need to deploy these products into existing data centers.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 10


How it works

Figure 1: AWS Transit VPC Virtual Gateway

VPC

Amazon
EC2 Transit VPC
VGW
A

VPN over
Direct
VPC Connect
AZ 1
Amazon
EC2
VGW Backup Corporate Data
B VPN Center

AZ 2

VPC

Amazon
EC2
VGW Other Provider
C Networks

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 11


Transit VPC Use Cases
Transit VPC Use Cases

Extend corporate Shared Monitoring Private


network to AWS connectivity and visibility networking

Move your corporate Multiple VPCs can share Transit VPCs increase Build a private network
applications to the cloud, connections to data transparency and enable that spans two or more
launch additional web servers, centers, partner networks, rapid visualization of data AWS Regions
and/or add more compute and other clouds being transferred
capacity to your network by
connecting your VPC to your
corporate network

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 13


AWS partner network solutions:
Aviatrix Controller
AWS partner network
solutions: Aviatrix Controller
There are several transit VPC offerings available from APN Partners, including the two featured
below from Aviatrix and Juniper Networks.

Aviatrix: Software-defined networking on AWS


This solution is designed for customers to set up, secure, and manage cloud and hybrid
network connectivity. It also scales with cloud resources and works seamlessly with native
AWS networking capabilities. Software-defined networking on AWS enables you to build
encrypted connectivity across AWS Regions and AZs using a highly available configuration.

One key component, the Aviatrix Gateway, is a cloud scale-out load balanced solution that
establishes secure and direct Amazon VPN access to both Amazon and on-premises resources.

Another key component is the Aviatrix Cloud Controller. This provides a centralized view
of networking systems across your AWS and on-premises environments. Drag-and-drop
management capabilities make it possible for anyone to manage the network.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 15


AWS partner network solutions: Aviatrix Controller

Customer success story: Epsilon


Epsilon is a global marketing company whose business is focused on transforming
customer data into personalized experiences. They needed to establish an efficient
means of securely connecting their new VPCs to on-premises resources as they
migrated an increasing amount of their IT portfolio to AWS.

With the massive amount of data Epsilon’s systems handle everyday, they needed
infrastructure that could easily scale up or down, on-demand. Epsilon decided on
Aviatrix solutions on AWS for single pane of glass management and the
breadth of automation capabilities. Moreover, Aviatrix delivered increased
visibility into the health and performance of Epsilon’s cloud networking
infrastructure, helping the company optimize their customer experiences.

Epsilon implemented a global transit hub architecture (Hub-and-Spoke


Network from Aviatrix). This design deploys VPN instances in a dedicated
VPC to perform transitive routing between spoke VPC networks through
automated deployment of Aviatrix Gateways via the Aviatrix Controller–a
centralized management console. This connectivity also allowed Epsilon to
set up an environment with a single container that’s configured to meet their
specific business and compliance requirements.

Due to the success of the initial engagement with Aviatrix, Epsilon plans to onboard
the remainder of its existing resources to Aviatrix. Full automation of the onboarding
process is saving significant personnel time and reducing exposure to risk.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 16


AWS partner network solutions: Aviatrix Controller

Figure 2: Aviatrix Global Transit Hub

Spoke VPC Spoke VPC Spoke VPC

Encrypted
Peering

Next-Gen
Transit Network
Transit Hub
VPC

VPC Egress
Security
Site to
Cloud VPN
Remote
User VPN

Users Corporate Data Center Internet

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 17


AWS Partner Network
Solutions: Juniper Networks
AWS Partner Network
Solutions: Juniper Networks
Juniper Networks Transit VPC
Juniper Networks’ transit VPC is deployed using the AWS CloudFormation
template. This enables you to use the Juniper Networks vSRX Virtual
Firewall to create instances within the transit VPC.

Juniper Networks’ solution not only simplifies network management,


it also adds dynamic routing, next-generation firewall capabilities, and
secure connectivity to your AWS environment. To limit downtime, Juniper
Networks’ transit VPC is always deployed in high-availability mode.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 19


Partner solutions: Juniper Networks

Customer success story: CBT Nuggets


CBT Nuggets provides innovative learning experiences for IT professionals globally. They
offer diverse digital content that includes on-demand training videos, quizzes, practice
certification exams, virtual labs, and an online Learner Community.

CBT Nuggets is a long-time AWS customer. To keep pace with their growth they needed to
modernize their cloud architecture, so they adopted a continuous integration/continuous
deployment (CI/CD) pipeline, but needed to use a third-party network security
appliance to route traffic between their Amazon VPCs and their on-
premises data center.

This approach required numerous manual steps for traffic to flow


properly, which made them less agile despite adopting a new
architecture. It also introduced an increased risk of error which limited
developer productivity.

Juniper Networks’ transit VPC network topology was an optimal


solution for CBT Nuggets because it acts as a hub to enable data flow
between spoke VPCs (i.e. the different developer environments) and
on-premises resources. This solution provides dynamic routing, next-generation
firewall capabilities, and secure connectivity.

As CBT Nuggets continues to grow and provide more innovative training opportunities, their
international team of developers is now able to access the resources they need in a matter
of minutes. Juniper Networks and AWS provide CBT Nuggets with the agility they need to
support their development efforts, regardless of how much their architecture grows.

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 20


Partner solutions: Juniper Networks - Customer success story: CBT Nuggets

Figure 3: Juniper Networks

VPC

Amazon
EC2 Transit VPC
VGW
A

VPN over
VPC Direct
vSRX Connect
Amazon
EC2
Corporate Data
VGW Backup
B VPN

vSRX

VPC

Amazon
EC2
VGW Internet
C

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 21


Conclusion and
Resources to Get Started
Conclusion
Implementing a transit VPC on AWS can help simplify network management, make
network configuration easier, and streamline the connectivity between VPCs in other
AWS Regions, AZs, and on-premises data centers. Amazon transit VPCs enable you
to more readily achieve consistent network connectivity across multiple VPCs. By
using Amazon Elastic Compute Cloud instances to provide the transit network
connectivity, this implementation does not require a central hub to route
all traffic directly to another VPC. To efficiently connect all your VPCs,
consider a transit VPC solution on AWS.

Readily achieve
consistent network
connectivity across
multiple Amazon VPCs

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 23


Getting started

■■ Amazon VPC
Provision an isolated section of your AWS environment and use it to launch
AWS resources in a virtual network that you define, giving you complete
control of your virtual networking environment and the ability to customize
the network configuration of your Amazon VPC

■■ Amazon Transit VPC


Implement a hub-and-spoke network topology that routes all traffic
through a network transit center to connect all VPCs to each other and to
non-AWS infrastructure

■■ Aviatrix Transit VPC Network


Simplifies the way the global transit network is set up by automating the
entire deployment of the transit hub and spoke VPCs and configures the
central Aviatrix Controller for ongoing monitoring and troubleshooting of
your AWS connectivity

■■ Juniper Networks Virtual Firewall-based AWS Transit VPC


The Juniper vSRX inside the transit VPC works as the data flow hub
between the spoke VPCs to provide the typical VPC functions like private
address space, elastic public address space, and network access control
using security groups

DEPLOY A HIGHLY AVAILABLE, SCALABLE, AND SECURE VPC ON AWS 24


Copyright © 2018. Amazon Web Services or its affiliates.
All rights reserved.

Вам также может понравиться