Extending the Cloud Edge to Partner Networks
Updated: Apr 14, 2019
If you are looking to extend connectivity from your data centre to a business partner, consider using a cloud service provider network rather than a traditional hardware appliance based solution, and future proof your design in the process. The following scenario is a solution that can be implemented quickly and cost effectively.
One of your business partners presents their applications and data services from AWS VPC networks, and the access method to those services is an internet based VPN using IPsec. To allow for dynamic fail over, the partner supports eBGP from different availability zones. The partner uses a firewall platform that provides route based VPN rather than policy based VPN.
The solution is built from the following components:
AWS edge VPC
Megaport virtual cross connects (VXC)
Megaport cloud router (MCR)
IPsec route based VPN
Tunneled eBGP routing
End to end dynamic routing for route propagation and fail over
It is assumed that your co-location equipment already has a physical connection to Megaport.
Using Megaport provides a flexible and agile approach to connecting to cloud service providers such as AWS, Azure and Google. A "Megaport" is one or more physical connections from your co-location equipment to a Megaport POP. A full list of Megaport enabled locations is provided at https://www.megaport.com/megaport-enabled-locations/.
AWS will be used for our network edge and connectivity to our business partner. Megaport will be the choice for WAN and direct connect connectivity to AWS. Aviatrix gateways remove the complexity of routing in cloud service provider networks, providing IPsec VPN and security controls with firewall and NAT capability.
Connecting from the co-location data centre to the AWS location is provided by the Megaport service, which takes the heavy lifting out of connecting to AWS. A Megaport virtual cross connect (VXC) can be enabled as a point to point connection to AWS from your co-location facility, and my preference is to also include a Megaport Cloud Router (MCR) to scale out to multiple AWS VPCs and other cloud providers. An MCR also provides a good way of adding routing redundancy to your solution; to ensure that redundancy, MCRs should be configured in different AWS access locations.
Aviatrix gateways provide the link from AWS to Megaport for access to the co-location data centre and routing to our business partner. The Aviatrix components are software defined and combine a controller and gateways to define a target solution. The controller provides a step by step workflow, automatically modifying the target VPC(s) with the required AWS subnets, route tables and resources to launch the intended deployment. The edge from our AWS configuration to our business partner is provided by IPsec VPN with dynamic routing (eBGP) to our business partner's firewalls. The Aviatrix gateways are configured for HA, and a tunnel between the gateways serves as the "keep-alive" for the HA. The current implementation of the Aviatrix gateway is limited to peering with one VGW, therefore a second transit VPC provides connectivity towards the co-location facility. Aviatrix gateway peering "glues" the transit VPCs together.
The key to this solution is the ability to propagate dynamic routing end to end, and this is achieved with a "detached VGW" integrated with the MCR and the Aviatrix gateway. A "detached VGW" is a VGW that has not been attached to a VPC. Even though the VGW is "detached", it is still a functional routing target. This is used in many transit VPC designs and allows eBGP peering from instances in a VPC directly to the VGW, rather than pointing route tables at the VGW and maintaining static routing entries on instances in the VPC.
The inherent redundancy of the VGW provides HA towards the business partner as well as HA towards the MCRs implemented in Megaport. Although not represented in the diagram above, each customer router can have eBGP peering and VXC connections to both MCRs, resulting in greater redundancy and quicker route convergence around any issues.
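Because the whole design rests on routes propagating end to end over redundant eBGP peerings, it is worth verifying what is actually being learned from the partner. The following Python check is an added example and not part of the original post: it confirms that every partner prefix arrives via both tunnel next-hops (a single path means fail over has silently been lost) and rejects anything outside the agreed partner ranges or inside your own address space. The prefixes, tunnel inside addresses and route entries are constructed sample values.

```python
"""Sanity-check eBGP routes learned from the business partner over the two
IPsec tunnels: each partner prefix should be reachable via both tunnels, and
nothing outside the agreed ranges or inside our own space may be accepted.
All addresses, prefixes and route entries below are constructed samples."""
import ipaddress
from collections import defaultdict

# Constructed: ranges the partner is allowed to announce, our own address
# space, and the inside (link-local) addresses of the two tunnel endpoints.
PARTNER_PREFIXES = [ipaddress.ip_network("10.100.0.0/16")]
OUR_PREFIXES = [ipaddress.ip_network("10.200.0.0/16")]
EXPECTED_NEXT_HOPS = {"169.254.10.1", "169.254.11.1"}

# Constructed BGP table as (prefix, next_hop) pairs, one per learned path.
LEARNED_ROUTES = [
    ("10.100.1.0/24", "169.254.10.1"),
    ("10.100.1.0/24", "169.254.11.1"),  # second path: fail over available
    ("10.100.2.0/24", "169.254.10.1"),  # only one path: no fail over
    ("10.200.5.0/24", "169.254.11.1"),  # partner announcing OUR space
    ("0.0.0.0/0", "169.254.10.1"),      # default route: must be rejected
]


def check_routes(routes, min_paths=2):
    """Return findings keyed by check name; each value lists offending prefixes."""
    paths = defaultdict(set)
    findings = {"single_path": [], "not_allowed": [],
                "overlaps_ours": [], "unexpected_next_hop": []}

    def flag(check, prefix):  # record each offending prefix once per check
        if prefix not in findings[check]:
            findings[check].append(prefix)

    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        paths[prefix].add(next_hop)
        if next_hop not in EXPECTED_NEXT_HOPS:
            flag("unexpected_next_hop", prefix)
        # A more- or less-specific version of our own space is a route leak.
        if any(net.subnet_of(o) or o.subnet_of(net) for o in OUR_PREFIXES):
            flag("overlaps_ours", prefix)
        # Only prefixes inside the agreed partner ranges may be accepted.
        if not any(net.subnet_of(p) for p in PARTNER_PREFIXES):
            flag("not_allowed", prefix)
    # Redundancy: every accepted partner prefix should arrive via both tunnels.
    for prefix, hops in paths.items():
        if prefix not in findings["not_allowed"] and len(hops) < min_paths:
            flag("single_path", prefix)
    return findings
```

Run it against the routes exported from whichever router holds the partner peering; an empty list for every check means both tunnels are carrying the full partner prefix set and nothing unexpected is being accepted.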
Associating the business partner with an AWS Customer Gateway (CGW) and linking this to the VGW provides the configuration required for setup on their instances. These configurations can be downloaded from your AWS account and supplied to your business partner for implementation.
I mention vendor products, and the choices I have made are not influenced by any sponsorship but merely serve to provide some realistic context and real world workable solutions.