AWS Cloud Connectivity options for the Campus and Data Center
Jay Ratford, BlueChipTek
3/31/16
Copyright: Blue Chip Tek, Inc. Confidential - Do Not Distribute
Agenda
• Introduction to BlueChipTek
• VPC Overview: Why do I need VPC Connectivity
• Connectivity: VPN vs Direct Connect
• Case Studies:
  – Connecting Branch and Campus Networks to Cloud
  – Connecting Data Centers to the Cloud
  – Hybrid Data Center connectivity options
• Why Juniper SRX for AWS Connectivity
• Other Juniper Cloud Solutions (vSRX, vMX)
• Lab: Setup VPN to Amazon VPN on SRX
Connectivity to AWS: From Campus, Branch and Data Center
(Diagram: Campus or Data Center Resources connected to AWS)
VPN Overview: Why do I need VPN Connectivity?
• Local IPSec-VPN Connectivity to VPC Subnets (back-ends)
• Allows secure and authenticated connectivity from AWS back to your internal Network(s) over Internet
(Diagram: Bi-Directional Data Flows between the AWS VGW and your CPE)
Direct Connect Overview
• Direct IP Connectivity to AWS and your VPC(s)
• Provisioned as a P2P Circuit between AWS Cage and your Cage
• 1 Gig and 10 Gig Ports available
• VLAN mapping to VPCs Virtual Interfaces
(Diagram: P2P circuit)
Direct Connect Process
Available at limited locations; see the FAQ for the latest info: http://aws.amazon.com/directconnect/faqs/
VPC vs Direct Connect: Compare and Contrast
• VPC IPSec VPNs:
  + Easy to setup and provision new connections
  + Easy to re-IP or re-configure VPN endpoints
  = 10 VPNs per VPC with 4 Gbps maximum theoretical
  - Performance is dependent on available bandwidth on ISP
• VPC Direct Connect:
  - Connectivity provided only from an AWS Supported DC (Equinix)
  - More complex to provision, like a P2P Circuit
  + Dedicated Bandwidth to your AWS backend
  + 1Gig and 10Gig Ports available
  + Supports multiple VLANs (virtual Interfaces) for multi-VPCs
VPC vs Direct Connect: Compare and Contrast
(Chart: Latency Sensitive vs Packet Loss Sensitive)
VPN Case Studies: Connecting Offices to the Cloud
VPN Case Studies: Connecting Multiple Offices to the Cloud
• Connect up to 10 locations directly to AWS VPC over the Internet using IPSec VPNs
• Dual tunnels and BGP Routing facilitate failover and/or traffic load balancing
Case Studies: Mixing VPNs and Direct Connect for best availability
• Hybrid Cloud = Private Cloud + Public Cloud
  – Facilitates migrations by supporting legacy private DC Services with Public Cloud due to investment in current infrastructure
  – Requires high 9s availability and failover
  – Requires Security enforcement between clouds
Juniper SRX Overview: Cost-effective security for AWS Connectivity
• Low cost, high performance security platform provides an efficient entry-point to VPC
• Advanced routing features including BGP and policy-based routing allow for flexible designs
• High availability features that enable high-9s availability for production grade connectivity
• Wide range of hardware models, plus the vSRX virtual firewall; all run Junos
Juniper SRX Overview: New SRX Models
(Slide source: Copyright © 2011 Juniper Networks, Inc. www.juniper.net)
Branch SRX delivers consolidated security and networking
SRX Platform:
• Single device for routing, switching, and security
• Comprehensive security
• Easy to activate new layers of security
(Diagram: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, Web filtering, UTM, Routing / WAN, LAN / Switching)
Juniper SRX: Detailed Architecture View
Juniper SRX: Dual ISP Architecture
Other Juniper AWS/Cloud Solutions
Juniper vSRX Overview: Cost-effective virtual security in the cloud
http://www.slideshare.net/AmazonWebServices/net208-enable-secure-your-business-app-via-the-hybrid-cloud-on-aws
Juniper vMX Overview: Cost-effective virtual routing in the cloud
http://www.slideshare.net/AmazonWebServices/net208-enable-secure-your-business-app-via-the-hybrid-cloud-on-aws
Break before Lab
Lab: Setup VPN to AWS on Juniper SRX
• Requirements
• Review VPC setup on AWS Test Instance
• Load Configuration on Juniper vSRX
• Testing and Troubleshooting connectivity
• Failover Scenarios
• Real-world Performance Considerations
Lab: Create Gateway
Enter your SRX Public IP address. If your Public IP is BGP advertised, select Dynamic.
Lab: Create VPN
Choose Existing Gateway or create new. Select Dynamic (BGP Routing).
Lab: Setup VPN to AWS: BGP – not so scary…
• BGP – Ideal method for load balancing and VPN Failover, supported by Juniper and AWS
• BGP License not required!
• BGP Configuration and Filters provided by AWS
  – Once setup, configuration remains static
  – No “BGP Traffic Engineering” (or engineer) required
Lab: Associate Routes
Choose Existing Route Tables. Create Static Routes to Target VPN Gateway.
Lab: Download Config
Creates a text file for your SRX.
Select Vendor: Juniper. Select Platform: J-Series (same configuration applies to SRX).
Lab: Open Text Configlet: Let's examine and replace some values
Lab: Open Text Configlet: Validate external-interface name
(Configlet section: External Interface)
Lab: Open Text Configlet: Tunnel interface and Security Zones
(Configlet sections: Tunnel Interface, Zone Configuration)
Lab: Open Text Configlet: TCP-MSS Values (Global)
(Configlet section: TCP-MSS Values, to avoid fragmentation)
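The arithmetic behind the TCP-MSS clamp, as an added example that is not part of the slides or of the AWS configlet: it models ESP tunnel mode with the cipher suite the lab's SAs show (aes-cbc-128/sha1, NAT-T on UDP 4500) and assumes a 1500-byte path MTU, then finds the largest MSS whose encapsulated packet still fits.

```python
# Added example (not from the slides): the arithmetic behind the TCP-MSS clamp.
# Models ESP tunnel mode with the suite the lab's SAs show (aes-cbc-128/sha1,
# NAT-T on UDP 4500); the 1500-byte path MTU is an assumption.
IP_HDR, TCP_HDR, UDP_HDR = 20, 20, 8


def esp_packet_size(inner_len, block=16, iv=16, icv=12, nat_t=True):
    """Outer IPv4 packet size after ESP tunnel-mode encapsulation of an
    inner IPv4 packet of inner_len bytes. Defaults: AES-CBC-128 (16-byte
    block and IV), HMAC-SHA1-96 (12-byte ICV); NAT-T adds a UDP header."""
    payload = inner_len + 2                  # ESP trailer: pad length + next header
    payload += (-payload) % block            # pad up to the cipher block size
    total = IP_HDR + 8 + iv + payload + icv  # 8 = SPI + sequence number
    return total + (UDP_HDR if nat_t else 0)


def max_tcp_mss(path_mtu=1500, **kw):
    """Largest TCP MSS whose encapsulated packet still fits path_mtu, so the
    SRX never has to fragment (or drop, when DF is set) the ESP packets."""
    mss = path_mtu - IP_HDR - TCP_HDR        # bound: no encapsulation at all
    while esp_packet_size(mss + IP_HDR + TCP_HDR, **kw) > path_mtu:
        mss -= 1
    return mss


def clamp_needed(path_mtu=1500, **kw):
    """Bytes by which a full-size TCP packet overshoots the MTU once
    encapsulated: the fragmentation the MSS clamp exists to prevent."""
    return esp_packet_size(path_mtu, **kw) - path_mtu
```

Without NAT-T the UDP header disappears and the ceiling rises by 16 bytes (one cipher block), which is why a clamp sized for a plain ESP tunnel can still fragment once the SA is NAT-traversed.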
Lab: Open Text Configlet: BGP Export Policies
(Configlet sections: BGP Export Policy, BGP Neighbors)
Lab: Download from SRX: SFTP Files from your SRX for the Lab

jratford$ sftp [email protected]      (your vSRX Internal IP)
Password: BCTLab64

## Download SSH Key for AWS Host Connectivity
sftp> mget *.pem

## Alternative: Download AWS Config for your Virtual SRX
sftp> mget studentX.txt
Lab: Copy AWS Config set

jratford-mbp:~ jratford$ ssh -l root 192.168.10.X      (your SRX)
Password:
--- JUNOS 15.1X49-D15.4 built 2015-07-31 02:20:21 UTC
…
root@SRX-Student-01% vi aws.cfg
    (If pasting a new configuration via the Copy/Paste method: <press a> <paste text file> <press :wq>)
root@SRX-Student-01% more aws.cfg
………
Lab: Load Config set

root@SRX-Student-01> cli
root@SRX-Student-01> edit
Entering configuration mode

[edit]
root@SRX-Student-01# load set studentX.txt
aws.cfg:3:(0) unknown command: #
aws.cfg:4:(0) unknown command: #
….      (ignore comments)
load complete

[edit]
root@SRX-Student-01# show | compare
……
[edit]
root@SRX-Student-01# commit
commit complete

[edit]
root@SRX-Student-01# exit
Exiting configuration mode
Lab: Validating VPN

root@SRX-Student-01> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2035194  UP     5aa1515cd4221384  fa53c54fcbe7ca01  Main  52.34.241.19
2035195  UP     b1716906e762473c  5622cc5ade054f97  Main  52.36.241.28

root@SRX-Student-01> show security ipsec security-associations
  Total active tunnels: 2
  ID       Algorithm             SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073  ESP:aes-cbc-128/sha1  fd294c37  3564/ unlim  -    root  4500  52.34.241.19
  >131073  ESP:aes-cbc-128/sha1  45ddf9    3564/ unlim  -    root  4500  52.34.241.19
  <131074  ESP:aes-cbc-128/sha1  bd7b76db  3568/ unlim  -    root  4500  52.36.241.28
  >131074  ESP:aes-cbc-128/sha1  11ec056d  3568/ unlim  -    root  4500  52.36.241.28

root@SRX-Student-01> show interfaces terse | match st0
st0                     up    up
st0.1                   up    up   inet     169.254.12.218/30
st0.2                   up    up   inet     169.254.13.150/30
Lab: Validating VPN

root@SRX-Student-01> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 2          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.12.217         7224         33         36       0       0        4:52 0/1/1/0              0/0/0/0
169.254.13.149         7224         31         35       0       0        4:48 1/1/1/0              0/0/0/0

root@SRX-Student-01> show route advertising-protocol bgp 169.254.12.217

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                                    I

root@SRX-Student-01> show route receive-protocol bgp 169.254.12.217

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  172.16.1.0/24           169.254.12.217       200                7224 I
Lab: Validating VPN

root@SRX-Student-01> show route 172.16.1.0/24

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.1.0/24      *[BGP/170] 00:06:03, MED 100, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.13.149 via st0.2
                    [BGP/170] 00:05:37, MED 200, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.12.217 via st0.1
Lab: VPN Failover

root@SRX-Student-01> edit
Entering configuration mode

[edit]
root@SRX-Student-01# set interfaces st0.2 disable

[edit]
root@SRX-Student-01# show | compare
[edit interfaces st0 unit 2]
+   disable;

[edit]
root@SRX-Student-01# commit
commit complete

[edit]
root@SRX-Student-01# run show route 172.16.1.0

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.1.0/24      *[BGP/170] 00:00:01, MED 200, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.12.217 via st0.1
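A health check that turns the three validation commands above (IKE SAs, IPsec SAs, BGP summary) into a single OK / DEGRADED / DOWN verdict, covering the failover case where one tunnel drops and the other keeps carrying the prefix. This is an added example, not code from the slides or from Juniper; the sample output is constructed (RFC 5737 addresses) in the shape of the Junos output shown above.

```python
import re

# Added example (not from the slides): health check over the three Junos show
# commands the lab uses. Sample output is constructed; the second tunnel is down.
IKE_OUT = """Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
2035194 UP     5aa1515cd4221384  fa53c54fcbe7ca01  Main  203.0.113.10
2035195 DOWN   b1716906e762473c  5622cc5ade054f97  Main  203.0.113.20
"""
IPSEC_OUT = """  <131073 ESP:aes-cbc-128/sha1 fd294c37 3564/ unlim - root 4500 203.0.113.10
  >131073 ESP:aes-cbc-128/sha1 45ddf9 3564/ unlim - root 4500 203.0.113.10
"""
BGP_OUT = """Peer  AS  InPkt  OutPkt  OutQ  Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.12.217  7224  33  36  0  0  4:52  0/1/1/0  0/0/0/0
169.254.13.149  7224  0   0   0  0  4:48  Active
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def ike_states(text):
    """Remote gateway -> IKE SA state (show security ike security-associations)."""
    rows = (re.match(r"\s*\d+\s+(\S+)(?:\s+\S+){3}\s+(" + IPV4 + r")\s*$", ln)
            for ln in text.splitlines())
    return {m.group(2): m.group(1) for m in rows if m}

def ipsec_gateways(text):
    """Gateways with both an inbound (<) and an outbound (>) ESP SA installed."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"\s*([<>])\d+\s+ESP:\S+.*\s(" + IPV4 + r")\s*$", line)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(1))
    return {gw for gw, dirs in seen.items() if dirs == {"<", ">"}}

def bgp_established(text):
    """Peer -> True when the State column holds prefix counters (Established)
    rather than a state name such as Active, Connect or Idle (session down)."""
    peers = {}
    for line in text.splitlines():
        m = re.match(r"\s*(" + IPV4 + r")\s+\d+(?:\s+\S+){5}\s+(\S+)", line)
        if m:
            peers[m.group(1)] = bool(re.fullmatch(r"\d+/\d+/\d+/\d+", m.group(2)))
    return peers

def vpn_status(ike_out, ipsec_out, bgp_out):
    """OK: every IKE gateway has ESP SAs and every BGP peer is Established.
    DEGRADED: at least one tunnel still carries traffic. DOWN: none does."""
    ike, esp, bgp = ike_states(ike_out), ipsec_gateways(ipsec_out), bgp_established(bgp_out)
    healthy = [gw for gw, st in ike.items() if st == "UP" and gw in esp]
    up_peers = sum(bgp.values())
    if ike and len(healthy) == len(ike) and up_peers == len(bgp):
        return "OK"
    return "DEGRADED" if healthy and up_peers else "DOWN"
```

Run the same functions over the real output of the three commands (for example via SSH or NETCONF) to alert when the lab's dual-tunnel design has silently lost its redundancy.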
Lab: Security Policies: Security Policy Enforcement

root@SRX-Student-01> show security policies
Default policy: deny-all
From zone: trust, To zone: trust
  Policy: default-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, log
Lab: Accessing VPC Hosts
172.16.X.0/24 (replace X with your student number)
Lab: Accessing VPC Hosts: Logging in via SSH

## Lab - Static Route is required for your PC to access the VPC Networks
jratford$ sudo route add -net 172.16.X.0/24 192.168.110.X      (use your IPs)

jratford$ chmod 400 student1-5.pem
jratford$ ssh -i student1-5.pem [email protected]
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Mar 22 16:33:26 UTC 2016

  System load:  0.48              Processes:           81
  Usage of /:   9.9% of 7.74GB    Users logged in:     0
  Memory usage: 5%                Swap usage:          0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/
…

ubuntu@ip-172-16-1-252:~$ ping 192.168.110.X      (your SRX Internal IP or your PC)
PING 192.168.110.102 (192.168.110.102) 56(84) bytes of data.
64 bytes from 192.168.110.102: icmp_seq=1 ttl=62 time=27.4 ms
64 bytes from 192.168.110.102: icmp_seq=2 ttl=62 time=49.6 ms
^C
Additional Material
• Ref: other whitepapers and app notes
  – https://www.cloudreach.com/gb-en/2013/01/comparing-amazon-vpc-connectivity-options/
• Amazon Guides
  – http://www.slideshare.net/AmazonWebServices/using-virtual-private-cloud-vpc
• Juniper marketing collateral
• BCT Whitepaper from Mark T.
• http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html
• http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper_Troubleshooting.html
• http://www.juniper.net/us/en/products-services/security/srx-series/compare/
Thank you for attending. Please visit our event page on our website to check out upcoming events: http://bluechiptek.com/about/events
@bluechiptek
For any questions please contact us at 408-731-7000 or bct-