Amazon Onboarding with Learning Manager Chanci Turner


Amazon’s cloud services facilitate the deployment of software-defined data centers (SDDCs), allowing users to leverage vSphere workloads on Amazon Web Services (AWS) global infrastructure as a managed service. Co-developed by AWS and VMware, this partnership provides customers with a genuine hybrid cloud experience.

As more users embrace Amazon’s cloud solutions, the necessity for scalable and dependable hybrid connectivity has become clear. This connectivity is crucial for integrating SDDCs with both on-premises and cloud-native services. Customers also need the ability to extend their connectivity worldwide to effectively meet their business needs.

Additionally, Amazon Cloud users have heightened network security requirements, such as network encryption, firewall integration, and traffic segmentation. In this article, I will delve into the hybrid network design patterns and considerations for Amazon Cloud. I will outline various architectural options and use cases that address the needs of customers.

AWS Direct Connect

AWS Direct Connect is a cloud networking service that establishes dedicated connectivity from your on-premises systems to AWS. With AWS Direct Connect, you can create secure, private connections between your local environment and AWS, with flexible connection types and speeds ranging from 50 Mbps to 100 Gbps. As a result, the service delivers more consistent network performance, higher throughput, and lower data transfer out (DTO) costs than internet-based connections.

Hence, it is advisable for customers to deploy AWS Direct Connect to link their on-premises environments with Amazon Cloud SDDCs and cloud-native services. For best practices, check out this insightful blog post on building Direct Connect connections into Amazon Cloud.

Private Virtual Interface (Private VIF)

With an AWS Direct Connect dedicated connection, you can use industry-standard 802.1Q VLANs to create up to 50 logical partitions, known as virtual interfaces (VIFs), over the physical link. There are three VIF types: Private, Public, and Transit.

Customers with a modest cloud footprint, such as a single SDDC and a few Amazon Virtual Private Clouds (Amazon VPCs), can assign one private VIF to each VPC and to the SDDC to establish connectivity back to the on-premises environment. A private VIF is established between a customer gateway and a Virtual Private Gateway within the VPC. In the context of Amazon Cloud, the private VIF is terminated on the Virtual Private Gateway within the VMware-managed shadow VPC that hosts the SDDC. A Border Gateway Protocol (BGP) session over the private VIF is used to learn and advertise routes between on-premises and the AWS Cloud.

This design offers straightforward private connectivity but lacks VPC-to-VPC and VPC-to-SDDC transitive routing within the AWS region: traffic between two VPCs must hairpin through the on-premises customer gateway, which increases latency and can turn the customer gateway into a throughput bottleneck. Additionally, since each private VIF requires a separate BGP session, this design adds management overhead and limits overall network scalability.

Transit Virtual Interface (Transit VIF)

For a more scalable network architecture, customers can use a single transit VIF, now supported across all Direct Connect connection types and speeds, in place of multiple private VIFs. In this scenario, a single BGP session is established over the transit VIF and terminated on a Direct Connect Gateway, which is in turn associated with an AWS Transit Gateway that provides transitive routing between VPCs, and between on-premises environments and VPCs, within the same AWS region.

Moreover, a virtual private network (VPN) can be set up between the SDDC’s NSX Edge appliance and the AWS Transit Gateway through a VPN attachment. The AWS Transit Gateway can now manage traffic between the SDDC, VPCs, and on-premises systems using the same Transit VIF. Up to four route-based IPsec VPN tunnels with Equal-Cost Multi-Path (ECMP) are supported at the NSX Edge to enhance bandwidth and resiliency.

Customers with multiple SDDCs that require high bandwidth connectivity can use VMware Transit Connect for rapid communication between the SDDCs. This VMware-managed AWS Transit Gateway solution interlinks SDDCs within an SDDC group and establishes resilient connectivity to on-premises systems over a Direct Connect Gateway. It simplifies network operations at scale through automatic route propagations to route tables in each SDDC.

However, it is crucial to note that VMware Transit Connect only supports traffic flow that either originates from or is destined for resources within an SDDC. All inter-VPC communications or traffic between VPCs and on-premises systems will be blocked at the Transit Connect.

Scalable Network Architecture within AWS

Leverage AWS Transit Gateway Intra-Region Peering

At AWS re:Invent 2021, we introduced Transit Gateway intra-region peering, a feature that addresses the VMware Transit Connect flow restriction described above. This capability allows external connectivity from VPCs and the transit VIF into SDDC groups by peering the AWS Transit Gateway with VMware Transit Connect within the same region.

Traffic from VPCs to other VPCs and to on-premises is routed directly through the AWS Transit Gateway, bypassing the restrictions imposed by VMware Transit Connect. Traffic from SDDCs to VPCs and on-premises will go through VMware Transit Connect before traversing the AWS Transit Gateway via the intra-region peering attachment.

Expand to Multi-Region with AWS Transit Gateway Inter-Region Peering

Customers with multiple SDDCs and VPCs across various AWS regions can extend their hybrid connectivity globally using the Transit Gateway inter-region peering capability. The AWS Direct Connect Gateway, being a global resource, can associate itself with up to three Transit Gateways to establish connectivity between different AWS regions and on-premises via the existing transit VIF.

By employing both Transit Gateway intra-region and inter-region peering, you can create a network that connects SDDCs, VPCs, and on-premises systems across the same or different AWS regions. This design facilitates seamless traffic flows in a multi-region deployment that utilizes the same Direct Connect connection.
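The forwarding behaviour described in the transit VIF, VMware Transit Connect, intra-region peering and inter-region peering sections above can be checked with a small path-tracing model. The following is an added example written for this page; it is not code from the original article, from AWS or from VMware. Node names (`vpcA`, `tc`, `tgw2`, `onprem`), CIDRs and route tables are constructed, and routes that a real deployment would learn over BGP or Transit Gateway route propagation are written here as static prefix lists. The Transit Connect rule that only flows with an SDDC at one end are forwarded is modelled as a policy check at that hub.

```python
"""Forwarding-path model for the Direct Connect / Transit Gateway designs above.
Added example; names, CIDRs and route tables are constructed, not from AWS/VMware."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str                   # "vpc", "sddc", "onprem", "tgw" or "transit_connect"
    cidr: Optional[str] = None  # address space an endpoint owns; hubs have none
    routes: List[Tuple[str, str]] = field(default_factory=list)  # (prefix, next-hop node)


class Fabric:
    def __init__(self, nodes: List[Node]):
        self.nodes = {n.name: n for n in nodes}

    def owner(self, ip) -> Optional[Node]:
        """Endpoint whose CIDR contains ip (None for unassigned space)."""
        for n in self.nodes.values():
            if n.cidr and ip in ipaddress.ip_network(n.cidr):
                return n
        return None

    @staticmethod
    def next_hop(node: Node, ip) -> Optional[str]:
        """Longest-prefix match over the node's route table."""
        best = None
        for prefix, nxt in node.routes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nxt)
        return best[1] if best else None

    def trace(self, src_name: str, dst_ip: str, max_hops: int = 8) -> dict:
        """Walk hop by hop from src toward dst; report the path and why it stopped."""
        dst = ipaddress.ip_address(dst_ip)
        src = cur = self.nodes[src_name]
        path = [src_name]
        while len(path) <= max_hops:
            if cur.cidr and dst in ipaddress.ip_network(cur.cidr):
                return {"status": "delivered", "path": path}
            if cur.kind == "transit_connect":
                # VMware Transit Connect forwards only flows with an SDDC at one end;
                # VPC-to-VPC and VPC-to-on-premises flows are dropped here.
                dst_node = self.owner(dst)
                if src.kind != "sddc" and (dst_node is None or dst_node.kind != "sddc"):
                    return {"status": "blocked_by_transit_connect", "path": path}
            nxt = self.next_hop(cur, dst)
            if nxt is None:
                return {"status": "no_route", "path": path}
            path.append(nxt)
            cur = self.nodes[nxt]
        return {"status": "loop", "path": path}


# Constructed address plan shared by both designs.
ONPREM, VPC_A, VPC_B, VPC_C = "192.168.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"
SDDC_1, SDDC_2 = "10.10.0.0/16", "10.11.0.0/16"


def private_vif_design() -> Fabric:
    """One private VIF per VPC/SDDC: no transitive routing in the region, so a 10.0.0.0/8
    summary toward the Virtual Private Gateway hairpins VPC-to-VPC traffic via on-premises."""
    to_cgw = [(ONPREM, "onprem"), ("10.0.0.0/8", "onprem")]
    return Fabric([
        Node("vpcA", "vpc", VPC_A, list(to_cgw)),
        Node("vpcB", "vpc", VPC_B, list(to_cgw)),
        Node("sddc1", "sddc", SDDC_1, list(to_cgw)),
        Node("onprem", "onprem", ONPREM, [(VPC_A, "vpcA"), (VPC_B, "vpcB"), (SDDC_1, "sddc1")]),
    ])


def transit_vif_design(peered: bool = True, vpc_uplink_via_transit_connect: bool = False) -> Fabric:
    """Transit VIF -> Direct Connect Gateway -> Transit Gateway (tgw); VMware Transit Connect (tc)
    for the SDDC group; an inter-region peer (tgw2) hosting vpcC; and, when peered=True, the
    intra-region peering attachment between tgw and tc."""
    tgw_routes = [(VPC_A, "vpcA"), (VPC_B, "vpcB"), (VPC_C, "tgw2"),
                  (ONPREM, "tc" if vpc_uplink_via_transit_connect else "onprem")]
    tc_routes = [(SDDC_1, "sddc1"), (SDDC_2, "sddc2"), (ONPREM, "onprem")]
    if peered:
        tgw_routes += [(SDDC_1, "tc"), (SDDC_2, "tc")]
        tc_routes += [("10.0.0.0/8", "tgw")]  # VPC space learned over the peering attachment
    return Fabric([
        Node("vpcA", "vpc", VPC_A, [("10.0.0.0/8", "tgw"), (ONPREM, "tgw")]),
        Node("vpcB", "vpc", VPC_B, [("10.0.0.0/8", "tgw"), (ONPREM, "tgw")]),
        Node("vpcC", "vpc", VPC_C, [("10.0.0.0/8", "tgw2"), (ONPREM, "tgw2")]),
        Node("sddc1", "sddc", SDDC_1, [("0.0.0.0/0", "tc")]),
        Node("sddc2", "sddc", SDDC_2, [("0.0.0.0/0", "tc")]),
        Node("tgw", "tgw", None, tgw_routes),
        Node("tgw2", "tgw", None, [(VPC_C, "vpcC"), ("10.0.0.0/8", "tgw"), (ONPREM, "onprem")]),
        Node("tc", "transit_connect", None, tc_routes),
        Node("onprem", "onprem", ONPREM, [("10.0.0.0/8", "tgw"), (SDDC_1, "tc"), (SDDC_2, "tc")]),
    ])


if __name__ == "__main__":
    print(private_vif_design().trace("vpcA", "10.2.0.5"))           # hairpin via onprem
    print(transit_vif_design().trace("sddc1", "10.3.0.7"))           # tc -> tgw -> tgw2 -> vpcC
    print(transit_vif_design(peered=False).trace("sddc1", "10.1.0.9"))  # no_route without peering
    print(transit_vif_design(vpc_uplink_via_transit_connect=True).trace("vpcA", "192.168.1.1"))
```

The last trace is the misconfiguration worth catching in review: pointing a VPC's on-premises prefix at Transit Connect instead of the Direct Connect Gateway produces a flow with no SDDC endpoint, which Transit Connect drops. Extending the model with a second SDDC group or a third Transit Gateway is a matter of adding nodes and prefixes; the `trace` logic does not change.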

For customers with latency-sensitive requirements between on-premises and SDDCs or those who prefer a dedicated uplink into SDDC groups, implementing a separate Direct Connect connection with a different transit VIF for connecting to VMware Transit Connect may be necessary. This design aids in offloading SDDC-to-on-premises traffic to a separate Direct Connect Gateway and transit VIF, thus minimizing potential bottlenecks.

In conclusion, understanding these hybrid network design patterns helps you deploy and manage Amazon’s cloud services more effectively. For further insights on onboarding processes, feel free to check out this excellent resource for additional guidance.
