"What if weather or any other major event prevents a large number of your users from coming into the office? Does your VPN or remote connectivity solution scale?   Deploying solutions in AWS gives you access to agility, cost savings, elasticity, breadth of functionality, and the ability to deploy globally in minutes. With access to these benefits through the AWS platform, administrators can launch global, scalable and resilient VPN solutions to support your business at a moments notice. In this session, learn how to build a flexible, elastic, highly secure VPN infrastructure by using Amazon Route 53, Amazon EC2, Auto Scaling, and 3rd party solutions to allow hundreds or thousands of users to work remotely as soon as the first snowflakes begin to fall.  To attend this session it is suggested that attendees have a working knowledge of VPC, EC2, general networking and an understanding of routing protocols."

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Darryl Osborne, Matt Lehwess, Joe Fontes, AWS Solution Architects
October, 2015
NET405
Snowstorm Got You Trapped at Home?
Build a Remote Access VPN Solution on AWS

2. What to Expect from the Session
1. Overview on traditional remote access VPN solutions
2. What if ? – The disaster scenario
3. How to build an enterprise VPN solution in AWS
4. Let’s do the same – open source this time
5. Summation

3. The now…
What does a traditional VPN solution look like?

4. Overview of existing VPN solutions
Corporate
HQ Things
Small Site
Other Sites,
Users, and
Whatnots
Service Provider
MPLS IP VPN
Data Center Stuff
VPN Devices
Encrypted VPN
Time
VPN Users
Capacity
Time
Bandwidth
Capacity
Physical Infrastructure

5. What if ?

6. Time
VPN Users
Capacity
Time
Bandwidth
Capacity
Overview of existing VPN Solutions
Corporate
HQ Things
Small Site
Other Sites,
Users, and
Whatnots
Service Provider
MPLS IP VPN
Data Center Stuff
VPN Devices
Encrypted VPN
Physical Infrastructure
Capacity Shortfall

7. What do you do?

8. You’ve hit the red button…
Now let’s watch our enterprise VPN solution build out.

9. How do you build a VPN solution in AWS?
Requirements:
1. One click deployment – AWS CloudFormation templates
2. Take advantage of AWS:
 Agility
 Cost savings
 Breadth of functionality
 The ability to deploy globally in minutes
 Elasticity
3. Complete infrastructure automation
 Horizontal scaling
 Fault tolerance

10. Time
Bandwidth
Capacity
Time
VPN Users
Capacity
How do you build a VPN solution in AWS?
Corporate
HQ Things
Other Sites,
Users, and
Whatnots
Service Provider
MPLS IP VPN
Small Site
Data Center Stuff
Other Servers
Encrypted VPN
AWS Direct Connect or VPN
Auto Scaling Infrastructure
Capacity Grows with Demand

11. Time
Bandwidth
Capacity
Time
VPN Users
Capacity
How do you build a VPN solution in AWS?
Corporate
HQ Things
Other Sites,
Users, and
Whatnots
Service Provider
MPLS IP VPN
Small Site
Encrypted VPN
AWS Direct Connect or VPN
Auto Scaling Infrastructure
Capacity Grows with Demand
Depending on Direct
Connect Architecture

12. Amazon
Route 53
VPC Architecture
AWS Region - eg: US-WEST1
VPC CIDR - eg: 10.0.0.0/16
Availability Zone A Availability Zone B
Customer DC
Data Center Stuff
Other Servers
Internet Gateway
Internet Gateway
(Same as above, just shown
again due to traffic flow)
On premises Data Center
VPN Users
For DNS Load Balancing
Amazon Region
Amazon VPC
Availability ZoneAvailability Zone
Worker Node SubnetWorker Node Subnet
VPN Instance Subnet VPN Instance Subnet

13. VPN Instance(s)
VPC Architecture
AWS Region - eg: US-WEST1
VPC CIDR - eg: 10.0.0.0/16
Availability Zone A Availability Zone B
W W
Customer DC
Data Center Stuff
Other Servers
VPN VPN VPNVPN
Auto Scaling Group
Downstream VPNs
Worker NodeWorker Node
ASG
Amazon
Route 53

14. VPC Architecture
AWS Region - eg: US-WEST1
VPC CIDR - eg: 10.0.0.0/16
Availability Zone A Availability Zone B
W W
Customer DC
Data Center Stuff
Other Servers
VPN VPN VPNVPN
ASG
DNS Request
vpn.example.com
DNS Response
eg 54.10.52.230
Amazon
Route 53

15. VPC Architecture
AWS Region - eg: US-WEST1
VPC CIDR - eg: 10.0.0.0/16
Availability Zone A Availability Zone B
W W
Customer DC
Data Center Stuff
Other Servers
VPN VPN VPNVPN
ASG
VPN INSTANCE HOST SUBNET
i-093c3601 100.64.0.0/20
i-58303a50 100.64.16.0/20
i-89497b86 100.64.32.0/20
i-c8a771c7 100.64.48.0/20
Each VPN Instance assigns
hosts from unique subnet
Client-to-site
VPN connection
Amazon
Route 53

16. Auto Scaling
Group
Auto Scaling Integration
CloudWatch
Custom Metrics
can trigger alarms
Time
VPN Users
Capacity
Time
Bandwidth
Capacity
Launch More
Instances
Amazon
CloudWatch

17. Time
Bandwidth
Capacity
Time
VPN Users
Capacity
Auto Scaling Integration
CloudWatch
Custom Metrics
can trigger alarms
Launch More
Instances
Auto Scaling
Group
Amazon
CloudWatch

18. Configuration of VPN Instances
Autoscale
Group
Simple Queue
Service
Route 53

19. Sample Worker Node VPN Configuration
# Get IP address of instance
ip = ec2.Instance(instance_id).public_ip_address
# Create a CGW for the new instance
client.create_customer_gateway(
PublicIp=ip,
Type='ipsec.1',
BgpAsn=65501)
# Create VPN connection between the instance and VGW
client.create_vpn_connection(
CustomerGatewayId=cgw_id,
VpnGatewayId=vgw_id,
Type="ipsec.1")
# Configure VPN appliance via REST API
http.post(ip, "/restore", vpn_config)

20. Sample VPN Instance Configuration
set as ${BGPASN}
set router-id ${RouterID}
config neighbor
edit "${RemoteTunnel2BGPPeerIP}"
set remote-as ${RemoteTunnel2ASN}
next
edit "${RemoteTunnel1BGPPeerIP}"
set remote-as ${RemoteTunnel1ASN}
set send-community6 disable
next
end
config network
edit 1
set prefix 100.64.0.0 255.255.240.0
next
edit 2
set prefix ${LocalVPCSubnet} ${LocalVPCSubnetMask}
next
end

21. VPC Architecture
AWS Region - eg: US-WEST1
VPC CIDR - eg: 10.0.0.0/16
Availability Zone A Availability Zone B
W W
Route 53
Customer DC
Data Center Stuff
Other Servers
VPN VPN VPNVPN
ASG
Instance numbers can
now scale as needed
based on users and
bandwidth
Users can grow and shrink
with no infrastructure
shortfalls or capacity waste

22. How do you build a VPN solution in AWS?
Requirements:
1. One click deployment
2. Take advantage of AWS

23. What if I want to save more $$$
Lets go Open Source!

24. Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
Amazon CloudWatch Metrics
Recording Metrics
Amazon CloudWatch Alarms
Auto Scaling
Adding Machines
Use of Amazon CloudWatch Metrics
Review of Overall Design
Expanding to the Future

25. Time
Bandwidth
Capacity
Time
VPN Users
Capacity
Let’s Review
Corporate
HQ Things
Other Sites,
Users, and
Whatnots
Service Provider
MPLS IP VPN
Small Site
Encrypted VPN
AWS Direct Connect or VPN
Auto Scaling Infrastructure
Capacity Grows with Demand
Depending on Direct
Connect Architecture

26. US-WEST (Oregon)
EU (Ireland)
ASIA PACIFIC
(Tokyo)
US-WEST (N. California)
SOUTH
AMERICA (Sao
Paulo)
US-EAST (N. Virginia)
AWS GOVCLOUD (US)
ASIA PACIFIC
(Sydney)
ASIA PACIFIC
(Singapore)
CHINA (Beijing)
Availability Zones
EU (Frankfurt)
11 Regions
30 Availability Zones
Continuous Expansion

27. Amazon
Route 53
User
Amazon
CloudWatch
Availability Zone
Private Subnet Public Subnet
Routing Subnet
Routing
Instance
VPN
Instances
Amazon
DynamoDB
VPN
Instance
ENI-Priv
VPN
Instance
ENI-Pub
Router
Instance
ENI-P2P
OpenSwan
/GRE/Ope
nVPN
NAT Traffic
Corporate Traffic
Design Overview – Single AZ

28. Amazon
Route 53
User
VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
Routing
Instance
VPN VPN
Routing
Instance
VPN VPN
Routing
Instance
PRIVATESUBNETROUTINGSUBNET
Routing
Instance
VPN
PUBLICSUBNET
EU-WEST-1 (Ireland) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
Routing
Instance
VPN VPN
Routing
Instance
VPN VPN
Routing
Instance
PRIVATESUBNETROUTINGSUBNET
Routing
Instance
PUBLICSUBNETPRIVATESUBNETROUTINGSUBNET
ROUTINGSUBNETPRIVATESUBNETPUBLICSUBNET
Design Overview – Multi-AZ, Multi-VPC

29. Amazon
Route 53
User
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
PRIVATESUBNETROUTINGSUBNET
EU-WEST-1 (Ireland) VPC
PUBLICSUBNETPRIVATESUBNETROUTINGSUBNET
ROUTINGSUBNETPRIVATESUBNETPUBLICSUBNET
Design Overview – IP Reservations
Network Reserved Ranges
VPN Address Pool
10.33.0.0/16
Private Subnets
10.X.1-3.0/24
Public Subnets
10.X.4-6.0/24
Routing Subnets
10.X.7-9.0/24
P2P IPSec Ranges
10.255.255.0/24
10.101.4.0/24 10.101.5.0/24 10.102.4.0/24
10.101.2.0/24
10.101.7.0/24
10.101.2.0/24
10.101.8.0/24
10.102.1.0/24
10.102.7.0/24

30. Amazon
Route 53
User
Private Subnet Public Subnet
Routing
Instance
VPN
Instances
VPN
Instance
ENI-Priv
Router
Instance
ENI-P2P
Design Overview – IP Reservations
US-WEST-2
VPN
Instance
ENI-Pub
Routing
Instance
VPN
Instances
VPN
Instance
ENI-Priv
Router
Instance
ENI-P2P
US-EAST-1
VPN
Instance
ENI-Pub
Private Subnet Public Subnet
corporate data center
10.101.4.0/2410.101.2.0/24
10.101.7.0/24
10.102.4.0/2410.102.1.0/24
10.102.7.0/24
10.255.255.1/30
OpenVPN 10.255.255.2/30
OpenVPN
10.255.255.5/30
GRE
10.255.255.6/30
GRE

31. Amazon
Route 53
User
Private Subnet Public Subnet
Routing
Instance
VPN
Instances
VPN
Instance
ENI-Priv
Router
Instance
ENI-P2P
OpenSwan
/OpenVPN
Amazon DynamoDB Configuration Storage
What is stored?
US-WEST-2
VPN
Instance
ENI-Pub
10.101.4.0/2410.101.2.0/24
10.101.7.0/24
10.255.255.1/30
NetworkID – Unique Network ID
NetworkAddr – Subnet used for VPN clients
InstanceID – Instance ID assigned to NetworkAddr
Region – Region instance is running in
Description: Description of network

32. Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
Amazon CloudWatch Metrics
Recording Metrics
Amazon CloudWatch Alarms
Auto Scaling
Adding Machines
Use of Amazon CloudWatch Metrics
Review of Overall Design
Expanding to the Future

33. Amazon
Route 53
User
VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
PUBLICSUBNET
VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
PUBLICSUBNET
US-EAST-1 (N. Virgnia) VPC
VPN
VPN
VPN
VPN
Routing
Instance
Routing
Instance

34. VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
PUBLICSUBNET
VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
PUBLICSUBNET
US-EAST-1 (N. Virgnia) VPC
VPN
VPN
VPN
VPN
Routing
Instance
Routing
Instance
Amazon
Route 53

35. Amazon
Route 53
User
VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
PUBLICSUBNET
VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
PUBLICSUBNET
US-EAST-1 (N. Virgnia) VPC
VPN
VPN
VPN
VPN
Routing
Instance
Routing
Instance
Where are you physically?
Within the closest region, what VPN
instance has the lowest latency to you?

36. Amazon
Route 53
User
VPN
PUBLICSUBNET
US-WEST-1 (Oregon) Virtual Private Cloud
VPN
Routing
Instance
VPN VPN
Routing
Instance
PUBLICSUBNET
$searchName = "vpn.".$regionID.".unicorn.rentals";
$R53Data = array('HostedZoneId' => $zoneId,
//'StartRecordName' => $recordName,
'StartRecordName' => $searchName,
'StartRecordType' => 'CNAME',
);
$R53Res = $R53Client->listResourceRecordSets($R53Data);
'HealthCheckConfig' => array('Port' => 34992,
'Type' => 'TCP',
'FullyQualifiedDomainName' => $publicHost,
'RequestInterval' => 10,
'FailureThreshold' => 2,
),
);
$R53ResHC = $R53Client->createHealthCheck($R53DataHC);
$updateInfo = array('HostedZoneId' => $zoneId,
'ChangeBatch' => array('Comment' => $commentU,
'Changes' => array(
array('Action' => 'CREATE',
'ResourceRecordSet' =>
array('Name' => $searchName,
'Type' => 'CNAME',
'SetIdentifier' => $instID
'Weight' => 10,
'TTL' => 60,
'ResourceRecords' => array(array('Value' => $publicHost)),
'HealthCheckId' => $hcheckId,
),
),
),
),
$R53ResU = $R53Client->changeResourceRecordSets($updateInfo);
What do we
push to the API?

37. Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
Amazon CloudWatch Metrics
Recording Metrics
Amazon CloudWatch Alarms
Auto Scaling
Adding Machines
Use of Amazon CloudWatch Metrics
Review of Overall Design
Expanding to the Future

38. Routing Subnet
Routing
Instance
Corporate Traffic
Corporate Connections
Routing Subnet
Routing
Instance
Corporate Traffic
AWS Direct Connect VPN Connections

39. Routing
Instance
Router
Instance
ENI-P2P
OpenVPN P2P Connections
US-WEST-2
Routing
Instance
Router
Instance
ENI-P2P
GRE
US-EAST-1
corporate data center
10.101.7.0/24 10.100.7.0/24
10.255.255.1/30
10.255.255.2/30
10.255.255.5/30
GRE
10.255.255.6/30
GRE
Traffic between sites is encrypted and compressed
OpenVPN
Left Side
OpenVPN
Right Side

40. Routing
Instance
Router
Instance
ENI-P2P
OpenSwan
Point to Point Connections
US-WEST-2
Routing
Instance
Router
Instance
ENI-P2P
GRE
US-EAST-1
corporate data center
10.101.7.0/24 10.100.7.0/24
10.255.255.1/30
OpenVPN 10.255.255.2/30
OpenVPN
10.255.255.5/30
GRE
10.255.255.6/30
GRE
Configuration (Left Side)
/usr/sbin/openvpn –daemon --config aws-p2p-left.conf
route –n add –net 10.102.0.0/16 gw 10.255.255.2 Configuration (Right Side)
/usr/sbin/openvpn –daemon --config aws-p2p-right.conf
route –n add –net 10.100.0.0/16 gw 10.255.255.1

41. Local VPC CIDR listed first
Auto-created routes to VPN servers listed on right
Left points towards the /18 of the VPN pool
Four VPN VPCs utilize their own slice of /18
AWS VPC Route Table

42. Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
Amazon CloudWatch Metrics
Recording Metrics
Amazon CloudWatch Alarms
Auto Scaling
Adding Machines
Use of Amazon CloudWatch Metrics
Review of Overall Design
Expanding to the Future

43. VPN
Instance
VPN Image Creation
Amazon Linux
AMI
• Install first instance to get baseline system
• Install OpenVPN
• Download scripts
• Configure scripts
• Create image
• Create AWS Launch Configuration
• Create Auto Scaling Group

44. Example Deployment Scripts
• vpn-config.sh
• Pulls metadata for Instance ID and AZ information
• Calls assign-address.php to receive assigned subnet
• Updates OpenVPN config with subnet information
• assign-address.php
• Pass in Instance ID and Region
• Returns per-instance VPN Subnet CIDR
• check-vpn-routes.sh
• Gathers meta-data VPC ID, MAC Address, IP Address, and Subnet ID
• Checks for existing route entry associated with Subnet CIDR
• If none exist, creates a route entry for Subnet CIDR to Instance ID
• add-to-dns.sh
• Pulls in Public Hostname, AZ, and Instance ID, and Route 53 Zone ID
• Creates health check for Route 53 resource record
• Creates Route 53 CNAME for latency-based routing
• send-to-cw.sh
• Gathers current number of connected VPN clients
• Sends number to custom CloudWatch Metric
VPN
Instance
Amazon Linux
AMI

45. Amazon
Route 53
User
Availability Zone
Private Subnet Public Subnet
Routing Subnet
Routing
Instance
VPN
Instances
VPN
Instance
Eth1
VPN
Instance
Eth0
NAT Traffic
Corporate Traffic
VPN Traffic Routing
Instance Route entry:
0.0.0.0 -> default gateway
VPN traffic route entry
ip route add default via 10.102.2.11 dev eth1 table ovpn
ip rule add from 10.33.4.0/24 table ovpn

46. Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
Amazon CloudWatch Metrics
Recording Metrics
Amazon CloudWatch Alarms
Auto Scaling
Adding Machines
Use of Amazon CloudWatch Metrics
Review of Overall Design
Expanding to the Future

47. #!/bin/bash
COUNT=`cat /etc/openvpn/logs/openvpn-client-status.log | grep ^10. | wc -l`
INSTID=`elinks -dump http://169.254.169.254/latest/meta-data/instance-id | xargs`
/usr/bin/aws cloudwatch put-metric-data --metric-name "ConnectedUsers"
--namespace "OVPN" --dimensions "InstanceId=$INSTID”
--unit "Count" --value=$COUNT
Amazon
CloudWatch
VPN
Instance
ENI-Priv
Amazon CloudWatch Metrics
Recording
• Number of connected users
• Per-instance
• Crontab running every minute
• Instance ID as CW Metric dimension
Variables
• Instance ID
• Connection Count
• NameSpace
• Dimension

48. Amazon
CloudWatch
VPN
Instance
ENI-Priv
Amazon CloudWatch Metrics

49. Amazon
CloudWatch
VPN
Instance
ENI-Priv
Amazon CloudWatch Alarms
• Create alarm
• Choose actions
• Select metric

50. Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
Amazon CloudWatch Metrics
Recording Metrics
Amazon CloudWatch Alarms
Auto Scaling
Adding Machines
Use of Amazon CloudWatch Metrics
Review of Overall Design
Expanding to the Future

51. VPN
Instance
Auto Scaling
Auto Scaling group
VPN
Instance
VPN
Instance
VPN
Instance
VPN
Instance
VPN
Instance
As demand increases, so do resources.
Scale based upon:
Average users
Sum of users
Per-instance rules
Minimum across time period
Maximum across time period
Additional custom metrics

52. Agenda
• Design Overview
– Network Design
– IP Assignments
– Amazon DynamoDB
• DNS Load Balancing
– Amazon Route 53 Latency-based routing
– Amazon Route 53 Geo Routing
• Routing Deployment
– Amazon Direct Connect
– Configuring route instance
– OpenVPN P2P
– GRE/IPSec
• VPN Deployment
– Image creation
– VPN image configuration scripts
Amazon CloudWatch Metrics
Recording Metrics
Amazon CloudWatch Alarms
Auto Scaling
Adding Machines
Use of Amazon CloudWatch Metrics
Review of Overall Design
Expanding to the Future

53. Amazon
Route 53
User
Future Changes
Routing
Instance
VPN
Instances
VPN
Instance
ENI-Priv
Router
Instance
ENI-P2P
GRE
US-EAST-1
VPN
Instance
ENI-Pub
Private Subnet Public Subnet
corporate data center
10.102.4.0/2410.102.1.0/24
10.102.7.0/24
10.255.255.2/30
10.255.255.5/30
GRE 10.255.255.6/30
GRE
Future changes to implementation:
Use of Quagga for routing
Enable OSPF
Route summarization with corporate
Enable failover with OSPF

54. Thank you!

55. Remember to complete
your evaluations!