"What if weather or any other major event prevents a large number of your users from coming into the office? Does your VPN or remote connectivity solution scale?
Deploying solutions in AWS gives you access to agility, cost savings, elasticity, breadth of functionality, and the ability to deploy globally in minutes. With access to these benefits through the AWS platform, administrators can launch global, scalable and resilient VPN solutions to support your business at a moment's notice.
In this session, learn how to build a flexible, elastic, highly secure VPN infrastructure by using Amazon Route 53, Amazon EC2, Auto Scaling, and third-party solutions to allow hundreds or thousands of users to work remotely as soon as the first snowflakes begin to fall.
To attend this session, it is suggested that attendees have a working knowledge of VPC, EC2, general networking and an understanding of routing protocols."
What to Expect from the Session
1. Overview of traditional remote access VPN solutions
2. What if? – The disaster scenario
3. How to build an enterprise VPN solution in AWS
4. Let's do the same – open source this time
5. Summation
Overview of existing VPN solutions
[Diagram: corporate HQ, a small site, and other sites, users and whatnots connect over a service-provider MPLS IP VPN and over encrypted VPNs to the data center, which hosts the VPN devices on physical infrastructure.]
[Charts: VPN users vs. capacity over time, and bandwidth vs. capacity over time. With fixed physical infrastructure the capacity line is flat, so when demand spikes the result is a capacity shortfall.]
You've hit the red button…
Now let's watch our enterprise VPN solution build out.
How do you build a VPN solution in AWS?
Requirements:
1. One-click deployment – AWS CloudFormation templates
2. Take advantage of AWS:
– Agility
– Cost savings
– Breadth of functionality
– The ability to deploy globally in minutes
– Elasticity
3. Complete infrastructure automation:
– Horizontal scaling
– Fault tolerance
How do you build a VPN solution in AWS?
[Diagram: corporate HQ, the small site, and other sites, users and whatnots still reach the data center over the service-provider MPLS IP VPN and encrypted VPNs. The data center (data center stuff, other servers) is linked to AWS by AWS Direct Connect or VPN, and the VPN endpoints run on Auto Scaling infrastructure in AWS, so capacity grows with demand. How on-premises traffic reaches AWS depends on the Direct Connect architecture.]
[Charts: VPN users vs. capacity and bandwidth vs. capacity over time; the capacity line now follows demand instead of staying flat.]
VPC Architecture
[Diagram, built up over several slides: one AWS region (e.g. US-WEST1) with a VPC CIDR of e.g. 10.0.0.0/16 spanning Availability Zone A and Availability Zone B. Each AZ holds a VPN instance subnet and a worker node subnet; the VPN instances sit in an Auto Scaling group behind an Internet Gateway (drawn twice only to show the traffic flow). The customer data center (data center stuff, other servers) is the on-premises side. Amazon Route 53 provides DNS load balancing for the VPN users, and the worker nodes create the downstream VPN connections for the VPN instances.]
DNS flow: the client sends a DNS request for vpn.example.com, Route 53 responds with the address of one VPN instance (e.g. 54.10.52.230), and the client builds its client-to-site VPN connection to that instance.
Each VPN instance assigns client hosts from its own unique subnet:
VPN instance   Host subnet
i-093c3601     100.64.0.0/20
i-58303a50     100.64.16.0/20
i-89497b86     100.64.32.0/20
i-c8a771c7     100.64.48.0/20
Auto Scaling Integration
[Diagram: the VPN instances publish custom metrics to Amazon CloudWatch. On the VPN users vs. capacity and bandwidth vs. capacity charts, those metrics crossing a threshold trigger CloudWatch alarms, and the alarms tell the Auto Scaling group to launch more instances.]
Sample Worker Node VPN Configuration
import boto3
import requests

ec2 = boto3.resource("ec2")
client = boto3.client("ec2")

def attach_instance_to_vgw(instance_id, vgw_id):
    # Get IP address of instance
    ip = ec2.Instance(instance_id).public_ip_address
    # Create a CGW for the new instance
    cgw = client.create_customer_gateway(
        PublicIp=ip,
        Type="ipsec.1",
        BgpAsn=65501)
    cgw_id = cgw["CustomerGateway"]["CustomerGatewayId"]
    # Create VPN connection between the instance and VGW
    vpn = client.create_vpn_connection(
        CustomerGatewayId=cgw_id,
        VpnGatewayId=vgw_id,
        Type="ipsec.1")
    # AWS returns the tunnel parameters (peer addresses, inside CIDRs,
    # pre-shared keys) in this XML document; treat it as a secret
    vpn_config = vpn["VpnConnection"]["CustomerGatewayConfiguration"]
    # Configure VPN appliance via REST API (requests.post stands in for the
    # slide's http.post; the /restore path is specific to the appliance)
    requests.post("https://%s/restore" % ip, data=vpn_config)
Sample VPN Instance Configuration
(BGP configuration template in FortiGate-style CLI syntax; the ${...} placeholders are substituted before the configuration is pushed to the appliance)
set as ${BGPASN}
set router-id ${RouterID}
config neighbor
    edit "${RemoteTunnel2BGPPeerIP}"
        set remote-as ${RemoteTunnel2ASN}
    next
    edit "${RemoteTunnel1BGPPeerIP}"
        set remote-as ${RemoteTunnel1ASN}
        set send-community6 disable
    next
end
config network
    edit 1
        set prefix 100.64.0.0 255.255.240.0
    next
    edit 2
        set prefix ${LocalVPCSubnet} ${LocalVPCSubnetMask}
    next
end
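The worker node snippet and the instance template above are joined by one piece of data: the CustomerGatewayConfiguration XML that create_vpn_connection returns, which carries the tunnel addresses and ASNs the template's ${...} variables need. The following is an added example, not code from the talk, showing how a worker node could extract those fields and render the template. The XML is a constructed sample shaped like the document AWS returns (all addresses, IDs and pre-shared keys are placeholders), the function names are hypothetical, and the client prefix is parametrised as ${ClientSubnet} rather than hard-coded because each VPN instance advertises its own /20.

```python
"""Parse a CustomerGatewayConfiguration document and fill the VPN instance's
BGP template (added example; names and sample data are assumptions)."""
import ipaddress
import xml.etree.ElementTree as ET
from string import Template

# Constructed sample in the shape of VpnConnection.CustomerGatewayConfiguration.
# Nothing here is real: addresses are documentation ranges and the PSKs are
# placeholders, not secrets.
SAMPLE_CGW_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-0example">
  <customer_gateway_id>cgw-0example</customer_gateway_id>
  <vpn_gateway_id>vgw-0example</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65501</asn><hold_time>30</hold_time></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>7224</asn><hold_time>30</hold_time></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>PLACEHOLDER-PSK-1</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65501</asn><hold_time>30</hold_time></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>203.0.113.2</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>7224</asn><hold_time>30</hold_time></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>PLACEHOLDER-PSK-2</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>
"""

# The slide's template with the client prefix parametrised (hypothetical names).
BGP_TEMPLATE = Template("""set as ${BGPASN}
set router-id ${RouterID}
config neighbor
    edit "${RemoteTunnel2BGPPeerIP}"
        set remote-as ${RemoteTunnel2ASN}
    next
    edit "${RemoteTunnel1BGPPeerIP}"
        set remote-as ${RemoteTunnel1ASN}
        set send-community6 disable
    next
end
config network
    edit 1
        set prefix ${ClientSubnet} ${ClientSubnetMask}
    next
    edit 2
        set prefix ${LocalVPCSubnet} ${LocalVPCSubnetMask}
    next
end
""")


def parse_tunnels(xml_text):
    """Return one dict per IPsec tunnel with the fields the appliance needs."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        tunnels.append({
            "vgw_outside": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "vgw_inside": t.findtext("vpn_gateway/tunnel_inside_address/ip_address"),
            "cgw_inside": t.findtext("customer_gateway/tunnel_inside_address/ip_address"),
            "local_asn": int(t.findtext("customer_gateway/bgp/asn")),
            "remote_asn": int(t.findtext("vpn_gateway/bgp/asn")),
            "psk": t.findtext("ike/pre_shared_key"),
        })
    # An AWS VPN connection carries exactly two tunnels; refuse anything else
    if len(tunnels) != 2:
        raise ValueError("expected 2 tunnels, got %d" % len(tunnels))
    return tunnels


def render_bgp_config(tunnels, router_id, client_cidr, vpc_cidr):
    """Fill the template; strict=True rejects a CIDR with host bits set."""
    t1, t2 = tunnels
    if t1["local_asn"] != t2["local_asn"]:
        raise ValueError("both tunnels must use the same customer ASN")
    client = ipaddress.ip_network(client_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return BGP_TEMPLATE.substitute(
        BGPASN=t1["local_asn"], RouterID=router_id,
        RemoteTunnel1BGPPeerIP=t1["vgw_inside"], RemoteTunnel1ASN=t1["remote_asn"],
        RemoteTunnel2BGPPeerIP=t2["vgw_inside"], RemoteTunnel2ASN=t2["remote_asn"],
        ClientSubnet=str(client.network_address), ClientSubnetMask=str(client.netmask),
        LocalVPCSubnet=str(vpc.network_address), LocalVPCSubnetMask=str(vpc.netmask),
    )


if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE_CGW_CONFIG)
    print(render_bgp_config(tunnels, "10.0.1.10", "100.64.16.0/20", "10.0.0.0/16"))
```

The pre-shared keys are parsed but deliberately never rendered into the BGP section; they belong only in the IPsec phase-1 configuration that is pushed alongside it, and the whole XML document should be handled as a secret (not logged, not left in user data).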
VPC Architecture
[Diagram: the same region and VPC layout across two Availability Zones, with Route 53 in front of the VPN instances' Auto Scaling group and the customer data center (data center stuff, other servers) connected behind it.]
Instance numbers can now scale as needed based on users and bandwidth. Users can grow and shrink with no infrastructure shortfalls or capacity waste.
How do you build a VPN solution in AWS?
Requirements:
1. One-click deployment
2. Take advantage of AWS
What if I want to save more $$$?
Let's go open source!
Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
• Amazon CloudWatch Metrics
– Recording Metrics
– Amazon CloudWatch Alarms
• Auto Scaling
– Adding Machines
– Use of Amazon CloudWatch Metrics
• Review of Overall Design
• Expanding to the Future
AWS Global Infrastructure: 11 Regions, 30 Availability Zones, continuous expansion
[Map of regions: US-EAST (N. Virginia), US-WEST (N. California), US-WEST (Oregon), AWS GOVCLOUD (US), SOUTH AMERICA (Sao Paulo), EU (Ireland), EU (Frankfurt), ASIA PACIFIC (Tokyo), ASIA PACIFIC (Singapore), ASIA PACIFIC (Sydney), CHINA (Beijing)]
Design Overview – Single AZ
[Diagram: within one Availability Zone, a public subnet holds the VPN instances (ENI-Pub towards the user, ENI-Priv towards the private subnet) and a routing subnet holds the routing instance, whose ENI-P2P terminates the point-to-point link (OpenSwan/GRE/OpenVPN). Amazon Route 53 steers users to a VPN instance, Amazon CloudWatch collects metrics, and Amazon DynamoDB holds configuration. NAT traffic and corporate traffic are drawn as separate flows.]
Design Overview – IP Reservations
[Diagram: the same VPN instance (ENI-Pub, ENI-Priv) and router instance (ENI-P2P) layout in two regions, US-WEST-2 and US-EAST-1, each with a private and a public subnet, plus point-to-point links to the corporate data center.]
Reserved addresses as labelled in the diagram:
US-WEST-2: 10.101.4.0/24, 10.101.2.0/24, 10.101.7.0/24
US-EAST-1: 10.102.4.0/24, 10.102.1.0/24, 10.102.7.0/24
Point-to-point links: OpenVPN 10.255.255.1/30 and 10.255.255.2/30; GRE 10.255.255.5/30 and 10.255.255.6/30
Amazon DynamoDB Configuration Storage
[Diagram: the US-WEST-2 VPN instances (ENI-Pub, ENI-Priv) and router instance (ENI-P2P, OpenSwan/OpenVPN), with subnets 10.101.4.0/24, 10.101.2.0/24 and 10.101.7.0/24 and the 10.255.255.1/30 point-to-point link, reading their configuration from Amazon DynamoDB.]
What is stored?
NetworkID – Unique network ID
NetworkAddr – Subnet used for VPN clients
InstanceID – Instance ID assigned to NetworkAddr
Region – Region the instance is running in
Description – Description of the network
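The table above is what lets each VPN instance hand out client addresses from its own slice of the pool (the per-instance /20s in the VPC architecture table earlier, and the per-instance VPN subnet CIDR that assign-address.php returns later). The following is an added example, not the talk's own assign-address.php, of that allocation logic in plain Python: an in-memory dictionary stands in for the DynamoDB table, and claim_if_free plays the role of a conditional write so two instances booting at the same moment cannot be given the same subnet. Function names, the pool and the region string are assumptions; the instance IDs come from the slide's table.

```python
"""Per-instance VPN client subnet assignment (added example; the registry
is an in-memory stand-in for the DynamoDB table described on the slide)."""
import ipaddress


def build_registry(pool_cidr, slice_prefix, region):
    """Pre-populate one item per slice of the pool using the slide's
    attribute names: NetworkID, NetworkAddr, InstanceID, Region, Description."""
    pool = ipaddress.ip_network(pool_cidr)
    return {
        n: {"NetworkID": n, "NetworkAddr": str(net), "InstanceID": None,
            "Region": region, "Description": "VPN client slice %d of %s" % (n, pool)}
        for n, net in enumerate(pool.subnets(new_prefix=slice_prefix))
    }


def claim_if_free(registry, network_id, instance_id):
    """Stand-in for a DynamoDB conditional write (attribute_not_exists on
    InstanceID): the claim succeeds only if nobody holds the slice yet."""
    item = registry[network_id]
    if item["InstanceID"] is not None:
        return False
    item["InstanceID"] = instance_id
    return True


def assign_address(registry, instance_id, region):
    """Return the client CIDR for instance_id, allocating a slice if needed."""
    # Idempotent: rerunning the boot script on the same instance returns its slice
    for item in registry.values():
        if item["InstanceID"] == instance_id:
            return item["NetworkAddr"]
    for item in sorted(registry.values(), key=lambda i: i["NetworkID"]):
        if item["Region"] == region and claim_if_free(registry, item["NetworkID"], instance_id):
            return item["NetworkAddr"]
    # Fail loudly rather than reuse a subnet: a duplicate CIDR on two instances
    # would break the VPC route table entry that check-vpn-routes.sh maintains
    raise RuntimeError("no free client subnet left in %s" % region)


def release_address(registry, instance_id):
    """Free the slice when the instance terminates (e.g. a scale-in hook)."""
    for item in registry.values():
        if item["InstanceID"] == instance_id:
            item["InstanceID"] = None
            return item["NetworkAddr"]
    return None


def desired_vpc_routes(registry):
    """The state check-vpn-routes.sh reconciles against: client CIDR -> instance."""
    return {i["NetworkAddr"]: i["InstanceID"] for i in registry.values() if i["InstanceID"]}


if __name__ == "__main__":
    reg = build_registry("100.64.0.0/18", 20, "us-west-2")
    for iid in ("i-093c3601", "i-58303a50", "i-89497b86", "i-c8a771c7"):
        print(iid, assign_address(reg, iid, "us-west-2"))
    print(desired_vpc_routes(reg))
```

With a /18 pool carved into /20s the registry holds exactly four slices, matching the four-instance table on the VPC architecture slide; a fifth launch is refused instead of being handed an overlapping subnet, and a released slice is reused by the next launch.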
Point to Point Connections
[Diagram: the routing instances in US-WEST-2 (OpenSwan) and US-EAST-1 (GRE) each connect over ENI-P2P to the corporate data center. Subnets 10.101.7.0/24 and 10.100.7.0/24; OpenVPN link 10.255.255.1/30 to 10.255.255.2/30; GRE link 10.255.255.5/30 to 10.255.255.6/30.]
Configuration (Left Side)
/usr/sbin/openvpn --daemon --config aws-p2p-left.conf
route -n add -net 10.102.0.0/16 gw 10.255.255.2
Configuration (Right Side)
/usr/sbin/openvpn --daemon --config aws-p2p-right.conf
route -n add -net 10.100.0.0/16 gw 10.255.255.1
AWS VPC Route Table
[Screenshot of the VPC route table: the local VPC CIDR is listed first; the auto-created routes to the VPN servers are listed on the right; the left entry points towards the /18 of the VPN pool, and the four VPN VPCs each utilize their own slice of that /18.]
VPN Image Creation
[Diagram: VPN instance built from an Amazon Linux AMI.]
• Install first instance to get baseline system
• Install OpenVPN
• Download scripts
• Configure scripts
• Create image
• Create AWS Launch Configuration
• Create Auto Scaling Group
Example Deployment Scripts
• vpn-config.sh
– Pulls metadata for Instance ID and AZ information
– Calls assign-address.php to receive assigned subnet
– Updates OpenVPN config with subnet information
• assign-address.php
– Pass in Instance ID and Region
– Returns per-instance VPN subnet CIDR
• check-vpn-routes.sh
– Gathers metadata: VPC ID, MAC address, IP address, and Subnet ID
– Checks for an existing route entry associated with the subnet CIDR
– If none exists, creates a route entry for the subnet CIDR to the Instance ID
• add-to-dns.sh
– Pulls in Public Hostname, AZ, Instance ID, and Route 53 Zone ID
– Creates health check for Route 53 resource record
– Creates Route 53 CNAME for latency-based routing
• send-to-cw.sh
– Gathers current number of connected VPN clients
– Sends number to custom CloudWatch metric
VPN Traffic Routing
[Diagram: within one Availability Zone, the VPN instances in the public subnet (Eth0 on the public side, Eth1 on the private side) and the routing instance in the routing subnet; Amazon Route 53 in front of the VPN instances; NAT traffic and corporate traffic drawn as separate flows.]
Instance route entry: 0.0.0.0 -> default gateway
VPN traffic route entry (policy routing: packets sourced from the VPN client subnet are looked up in a separate table whose default route is the routing instance, so only client traffic is steered towards the corporate network):
ip route add default via 10.102.2.11 dev eth1 table ovpn
ip rule add from 10.33.4.0/24 table ovpn
The named table ovpn has to be declared in /etc/iproute2/rt_tables (a line such as "200 ovpn") before ip will accept it by name.
Auto Scaling
[Diagram: an Auto Scaling group of VPN instances growing as demand increases.]
As demand increases, so do resources.
Scale based upon:
• Average users
• Sum of users
• Per-instance rules
• Minimum across time period
• Maximum across time period
• Additional custom metrics
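The connected-client count that send-to-cw.sh publishes is the raw material for every rule in the list above. The following is an added example, not the talk's own scaling configuration, of the kind of evaluation a CloudWatch alarm and scaling policy would perform on that metric: it aggregates a period of per-instance samples (sum, minimum, maximum, average), applies a per-instance rule, and derives a desired group size bounded by the group's minimum and maximum. The samples, thresholds and function names are constructed assumptions.

```python
"""Derive an Auto Scaling desired capacity from per-instance connected-client
samples (added example; data and thresholds are constructed)."""
import math
from statistics import mean

# Constructed samples: connected VPN clients per instance at four consecutive
# datapoints within one evaluation period.
SAMPLES = {
    "i-0aaa": [180, 195, 210, 230],
    "i-0bbb": [170, 188, 205, 225],
    "i-0ccc": [160, 172, 190, 215],
}


def aggregate(samples):
    """Compute the statistics the slide lists: sum of users per datapoint,
    its minimum and maximum across the period, the average per instance,
    and each instance's own peak (input to per-instance rules)."""
    if not samples:
        raise ValueError("no instances reporting; metric gap, not zero load")
    per_datapoint = [sum(col) for col in zip(*samples.values())]
    return {
        "sum_max": max(per_datapoint),
        "sum_min": min(per_datapoint),
        "avg_per_instance": mean([v for s in samples.values() for v in s]),
        "instance_peak": {i: max(s) for i, s in samples.items()},
    }


def desired_capacity(samples, target_per_instance=200, hard_cap=250,
                     min_size=2, max_size=20):
    """Size the group for the period's peak concurrent load.

    target_per_instance: clients one instance should carry at steady state.
    hard_cap: clients at which an instance is considered full (per-instance rule).
    min_size / max_size: the Auto Scaling group's configured bounds.
    """
    agg = aggregate(samples)
    current = len(samples)
    # Scale for the maximum across the period, not the average, so a burst
    # (everyone dialling in as the snow starts) is covered
    wanted = math.ceil(agg["sum_max"] / target_per_instance)
    # Per-instance rule: any instance at the hard cap forces one more node
    if any(peak >= hard_cap for peak in agg["instance_peak"].values()):
        wanted = max(wanted, current + 1)
    # Scale in only when even the period maximum would fit on fewer instances
    # with 20% headroom; otherwise hold steady to avoid flapping
    if wanted < current and agg["sum_max"] > (current - 1) * target_per_instance * 0.8:
        wanted = current
    return max(min_size, min(max_size, wanted))


if __name__ == "__main__":
    print(aggregate(SAMPLES))
    print("desired capacity:", desired_capacity(SAMPLES))
```

An empty sample set is rejected rather than read as zero load: a missing custom metric usually means the publishing script is broken, and scaling the VPN fleet down to its minimum on a metric gap is exactly the failure a detection rule on the metric's presence should catch.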