Integrating AWS with Multiprotocol Label Switching Whitepaper (2016)
MPLS and Managed MPLS Services
MLPS:
- MPLS predetermines the routing path and uses a label swapping push, pop, and swap
method to direct the traffic to its destination
- CAn be provisioned as Layer 3 (IP-based) or Layer 2 (single broadcast domain)
- Provides a logical extension of a customer’s network
Business reasons for integration MPLS into your existing infrastructure:
- Business continuity
- Leveraging disaster recovery and elastic scalability
- User data availability
- Keeping data closer to users to improve workload performance, as well as regional compliance requirements
- Mergers & acquisitions
- Realize synergies and improvements in IT services by moving acquired workloads into AWS Cloud
- Minimize or avoid costly and service-impacting data-center expansion projects
- Migrate workloads into Amazon VPC
- Optimize availability and resiliency
AWS Networking Services and Core Technologies
- Amazon VPC
- Virtual network dedicated to your AWS account
- VPC is a security boundary within the AWS multi-tenant infrastructure
- AWS Direct Connect and VPN
- Dedicated, private network connections between your intranet and Amazon VPC
- Direct Connect leverage virtual LANs (VLANs) to provide network isolation
- Create public virtual interfaces or private virtual interfaces.
- Public virtual interfaces
- Connect to AWS services that are accessible via public endpoints
- S3, DynamoDB, CloudFront, etc …
- Private virtual interfaces
- AWS services that are accessible through private endpoints
- Amazon EC2, AWS Storage Gateway, VPC, etc …
- Internet Gateway
- Horizontally scaled, redundant, and highly available VPC component
- Customer Gateway
- Physical or software appliance that you own or manage in your on-premises network
- In MPLS Customer Gateway can be a customer edge (CE) device located at a Direct Connect location, or it
can be a provider edge (PE) device in an MPLS VPN network
- Virtual Private Gateway and Virtual Routing and Forwarding
- Anchor on the AWS side of the connection between your network and your Amazon VPC
- Enables you to connect to your Amazon VPCs over an Internet Protocol Security (IPsec) VPN connection or with a direct physical connection
- AWS recommends that you implement a VRF if you are connecting to multiple VPCs over a direct connection where IP overlapping and duplication may be a concern
- VRF is a technology that you can use to virtualize a physical routing device to support multiple virtual routing instances that are isolated and independent
- IP Addressing
- Properly addressing your Amazon VPC and internal network enables you to:
- Define an effective routing policy
- Have a consistent and predictable routing infrastructure
- Use resources effectively
- Maintain security
- Define a unique network IP address boundary in your VPC
BGP Protocol Overview
- Autonomous System (AS) is a set of devices or routers sharing a single routing policy that run under a single technical administration
- Identification number (ASN), is assigned to AS by an internet registry
- BGP routing is recommended for one or more Direct Connect connections with AWS
- AWS will assign you an AS number
- This number defines an AS in which your VPC resides
- As number will be assigned to Customer Gateway
- Customer Gateway and Virtual Private Gateway become BGP neighbors
- eBGP (External BGP) - establishing a connection between two different ASNs
- iBGP (Internal BGP) - establishing a connection between devices within the same ASN
- BGP uses TCP port 179
- AWS VGW does not support multi-hopping BGP
Path Selection Algorithm
- The most specific IP prefix is preferred
- When the prefixes are the same, statically configured VPN connections are preferred
- For matching prefixes where each VPN connection uses BGP, the algorithm compares the AS PATH prefixes and the prefix with the shortest AS PATH is preferred. Alternatively, you can prepend AS_PATH so that the path is less preferred.
- When the AS PATHs are the same length, path origins are compared. Prefixes with Interior Gateway Protocol are preferred to Exterior Gateway Protocol and EGP origins are preferred to unknown origins.
- When the origins are the same, the lowest router ID is preferred.
- When the router IDs are the same, the lowest BGP peer IP address is preferred.
AWS APN Partners - Direct Connect as a Service
- Partners will help you establish sub-1G high-speed connectivity as a service between your network and a Direct Connect location.
Colocation with AWS Direct Connect
- Placing the Customer Gateway in the same physical facility as Direct Connect location
- Circuit should be ordered between your MPLS Provider and the Direct Connect colocation facility
- Benefits
- Traffic separation and isolation
- Traffic engineering granularity
- Security and monitoring functionality
- Simplified integration of IT and data platforms in mergers and acquisitions
- Considerations
- Design requirements
- PE/CE Management (Provider Equipment / Customer Equipment)