Page 2:

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Hands-on! AWS Hybrid Networking (AWS Direct Connect and VPN demo session)

강동환

Solutions Architect

AWS Korea

Page 3:

Agenda

1. AWS Networking Connectivity Overview

2. VPN configuration using dedicated appliances

3. Direct Connect configuration

4. Transit Gateway + Direct Connect

5. Scenarios that use a Public VIF


Page 5:

1. AWS Cloud Networking Connectivity Overview

[Diagram: AWS connectivity options. On-premise data center to AWS: Site-to-Site IPSec VPN, Direct Connect, AWS Client VPN. Access to EC2: SSH/RDP through a Bastion Host (Linux/Windows), SSL VPN, Systems Manager (Session Manager), Management Console/HTTPS. Private access to services: Interface VPC Endpoints (PrivateLink; 46 PrivateLink-supported services), Gateway VPC Endpoints (S3, DynamoDB). VPC to VPC: VPC Peering (Region/Inter-Region). Hub: AWS Transit Gateway (regional virtual router) with Site-to-Site IPSec VPN (ECMP), Direct Connect Gateway, attachments to VPCs (max. 5,000), and Inter-Region Transit Gateway Peering.]


Page 7:

VPN configuration through dedicated appliances (routers, firewalls)

• Connect an on-premise site or IDC that already has network infrastructure directly to an AWS VPC through a Site-to-Site VPN

• Database client tools such as MySQL Workbench can directly reach Amazon RDS (the database) located in a private subnet

• Two IPSec tunnels provide redundancy and failover toward the AWS VPN endpoint

• Use static routing or BGP routing

Connecting an on-premise site or IDC that owns dedicated networking appliances to AWS over VPN

Page 8:

Scenario 1 architecture

[Diagram: VPC CIDR 10.1.0.0/16 with subnets 10.1.1.0/24 (EC2 10.1.1.10) and 10.1.2.0/24 (RDS Master, RDS Standby/Read) and a VPC route table; Virtual Private Gateway (VGW, BGP ASN 64512) connected over the Internet through an IPSec tunnel to the Customer Gateway (CGW: Gi1 facing the Internet, Gi2/eth0 172.16.1.1, BGP ASN 65001) in front of on-prem CIDR 172.16.1.0/24 (host 172.16.1.10). BGP peering with route table propagation of VPC CIDR 10.1.0.0/16 and on-prem CIDR 172.16.1.0/24.]

To reach EC2, RDS and other resources inside the VPC, connect to an EC2 instance or Bastion Host with a public IP (EIP) and work from there (existing approach)

To configure and manage RDS (the database) in detail, enable Public Access on Amazon RDS (existing approach)

Through a Site-to-Site VPN connection, the internal network and the AWS VPC private network are connected without restriction

The IPSec tunnel segment is protected by a pre-shared key, integrity (SHA-1 to SHA-512, etc.) and encryption (AES128 to AES256, etc.)
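The slide lists the range of integrity and encryption algorithms an IPSec tunnel may negotiate; which of them a tunnel actually offers is decided by the tunnel options you set on the VPN connection. The following is an added example, not code from the presentation or from AWS: a policy check over a tunnel-options document written in the shape of the Options.TunnelOptions structure that boto3's ec2.create_vpn_connection and ec2.modify_vpn_tunnel_options accept (that shape is assumed from the API documentation). The sample document and the policy thresholds are constructed for the example.

```python
"""Policy check for AWS Site-to-Site VPN tunnel options.

Added example, not from the presentation. The input document follows the shape of
the Options.TunnelOptions structure that boto3's ec2.create_vpn_connection and
ec2.modify_vpn_tunnel_options accept (assumed from the API documentation); the
sample values and the policy thresholds below are constructed for this example.
"""

# Policy for this example (not an AWS default): AES-CBC/GCM only, SHA-2 family
# integrity only, DH groups 14 and above, IKEv2 only, and a long pre-shared key.
ALLOWED_ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
ALLOWED_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}
MIN_DH_GROUP = 14
ALLOWED_IKE_VERSIONS = {"ikev2"}
MIN_PSK_LENGTH = 32


def _values(tunnel, key):
    """Flatten a list of {"Value": ...} entries into a plain list."""
    return [item["Value"] for item in tunnel.get(key, [])]


def check_tunnel(tunnel):
    """Return a list of policy findings for one tunnel (empty means compliant)."""
    findings = []
    for phase in ("Phase1", "Phase2"):
        for enc in _values(tunnel, f"{phase}EncryptionAlgorithms"):
            if enc not in ALLOWED_ENCRYPTION:
                findings.append(f"{phase}: encryption {enc} is not allowed")
        for integ in _values(tunnel, f"{phase}IntegrityAlgorithms"):
            if integ not in ALLOWED_INTEGRITY:
                findings.append(f"{phase}: integrity {integ} is weak")
        for group in _values(tunnel, f"{phase}DHGroupNumbers"):
            if group < MIN_DH_GROUP:
                findings.append(f"{phase}: DH group {group} is weak")
    for version in _values(tunnel, "IKEVersions"):
        if version not in ALLOWED_IKE_VERSIONS:
            findings.append(f"IKE version {version} is legacy")
    if len(tunnel.get("PreSharedKey", "")) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    return findings


def check_vpn_options(options):
    """Map tunnel number (1, 2) to its findings."""
    tunnels = options.get("TunnelOptions", [])
    return {index: check_tunnel(t) for index, t in enumerate(tunnels, start=1)}


def is_compliant(options):
    """True only when every tunnel has no findings."""
    return all(not f for f in check_vpn_options(options).values())


# Constructed sample: tunnel 1 still offers SHA1, DH group 2 and IKEv1 with a short
# key; tunnel 2 is pinned to a hardened proposal.
SAMPLE_OPTIONS = {
    "TunnelOptions": [
        {
            "TunnelInsideCidr": "169.254.10.0/30",
            "PreSharedKey": "changeme123",
            "Phase1EncryptionAlgorithms": [{"Value": "AES128"}],
            "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}],
            "Phase1DHGroupNumbers": [{"Value": 2}],
            "Phase2EncryptionAlgorithms": [{"Value": "AES128"}],
            "Phase2IntegrityAlgorithms": [{"Value": "SHA1"}],
            "Phase2DHGroupNumbers": [{"Value": 2}],
            "IKEVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
        },
        {
            "TunnelInsideCidr": "169.254.11.0/30",
            "PreSharedKey": "x7Qm2pLw9vRt4sHn8bKd3cJf6gZy1aEu",  # 32 chars, constructed
            "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
            "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
            "Phase1DHGroupNumbers": [{"Value": 20}],
            "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
            "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
            "Phase2DHGroupNumbers": [{"Value": 20}],
            "IKEVersions": [{"Value": "ikev2"}],
        },
    ]
}

if __name__ == "__main__":
    for number, findings in check_vpn_options(SAMPLE_OPTIONS).items():
        print(f"tunnel {number}: {'OK' if not findings else findings}")
```

Running the check on the sample reports six findings for tunnel 1 and none for tunnel 2. The same function can be pointed at the output of describe_vpn_connections once the tunnel options are read from the account, which makes the check repeatable after every change to the connection.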

Page 9:

Page 10:

VPN configuration through dedicated appliances (routers, firewalls)

• The AWS-side VPN endpoint is made redundant with two tunnels, but redundancy of the customer-side router (Customer Gateway) must be considered as well

• The two tunnels operate as Active/Standby

• One VPN connection provides up to 1.25 Gbps of bandwidth; even when several VPN connections are configured, only one tunnel is active

• In addition to data transfer charges (Transfer Out), there is an hourly charge for the time the AWS VPN endpoint is provisioned and available ($0.05 per hour in the Seoul region)

• The VPN ECMP (Equal Cost Multi-Pathing) feature of Transit Gateway allows VPN bandwidth to be scaled (1.25 Gbps * n)

Considerations


Page 12:

Direct Connect configuration

• Connects the customer's on-premise site or IDC over a dedicated line

• Line access through KINX (Gasan) or LG U+ (Pyeongchon) (DX Locations)

• A single Direct Connect line (Connection) supports up to 51 virtual interfaces (VIFs): 50 Private/Public VIFs and 1 Transit VIF

Stable connectivity to an AWS VPC over a dedicated line

For a detailed explanation of Direct Connect, please refer to the Summit Seoul 2019 session below.

Hybrid cloud architecture design with Direct Connect - 김용우, Solutions Architect (AWS)

https://www.youtube.com/watch?v=aK7f3rL8wnM

Page 13:

Scenario 2 architecture

[Diagram: VPC CIDR 10.2.0.0/16 with subnets 10.2.1.0/24 (EC2 10.2.1.10) and 10.2.2.0/24 (RDS Master, RDS Standby/Read) and a VPC route table; Virtual Private Gateway (VGW, BGP ASN 64512) reached through the AWS DX routers in the AWS cage at the DX Location over sub-interface Gi1.102 / dxvif-nnnnnn on VLAN 102; Customer Gateway (CGW: Gi2/eth0 172.16.2.1, BGP ASN 65002) in front of on-prem CIDR 172.16.2.0/24 (host 172.16.2.10). BGP peering with route table propagation of VPC CIDR 10.2.0.0/16 and on-prem CIDR 172.16.2.0/24.]

A single VPC is connected directly to on-premise through a Direct Connect Private Virtual Interface

Direct Connect supports BGP routing only

Page 14:

Page 15:

Direct Connect resilience/redundancy levels

• Various levels of redundancy can be configured according to business requirements

Page 16:

Direct Connect redundancy configuration / traffic control

[Diagram: two DX Locations, KINX (MAIN) and LG U+ (BACKUP), each with AWS DX routers; VPC CIDR 10.20.0.0/16 with subnets 10.20.1.0/24 (EC2 10.20.1.100) and 10.20.2.0/24, a VPC route table and a VGW (BGP ASN 64512, default); on-prem CIDR 172.16.20.0/24 (host 172.16.20.100, gateway 172.16.20.1, BGP ASN 65020) behind two customer routers (.2 and .3, loopbacks 10.255.255.11 and 10.255.255.12) that run iBGP between themselves and HSRP/VRRP toward the hosts. Traffic-control labels on the diagram: Egress Traffic / AS-PATH, Ingress Traffic / Local Preference.]
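The slide names Local Preference and AS-PATH as the two BGP attributes used to steer traffic between the main and backup locations. The following is an added example, not code from the presentation or from AWS: a reduced BGP best-path decision (highest LOCAL_PREF, then shortest AS_PATH, then a deterministic tie-break) run over constructed route tables for the KINX and LG U+ paths, showing that Local Preference decides the direction on the router where it is set, while AS-PATH prepending is what the far side of the eBGP session sees. The ASNs and prefixes are the ones on the slide; the peer addresses, Local Preference values and prepend count are assumptions.

```python
"""Simplified BGP best-path selection for a dual Direct Connect design.

Added example, not from the presentation. It models only the two attributes the
slide names for traffic control, Local Preference and AS-PATH, with a final
tie-break on the peer address, and evaluates them over constructed route tables for
the main (KINX) and backup (LG U+) locations. The ASNs and prefixes are the ones on
the slide; the peer addresses, Local Preference values and prepend count are
constructed.
"""
from dataclasses import dataclass

AWS_ASN = 64512      # VGW default ASN on the slide
ONPREM_ASN = 65020   # customer ASN on the slide


@dataclass(frozen=True)
class Route:
    prefix: str
    peer: str            # address of the BGP neighbour the route was learned from
    as_path: tuple       # AS-PATH as received, left-most AS is the nearest
    local_pref: int = 100
    via: str = ""        # label of the physical path (constructed)


def best_path(candidates):
    """BGP decision process reduced to: highest LOCAL_PREF, then shortest AS_PATH,
    then lowest peer address as a deterministic tie-break."""
    if not candidates:
        raise ValueError("no candidate routes")
    if len({r.prefix for r in candidates}) != 1:
        raise ValueError("candidates must describe the same prefix")
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.peer))


def prepend(route, count):
    """Return the advertisement with its first AS repeated `count` extra times, which is
    what a customer router does on the backup session to make that path less attractive
    to the far side."""
    return Route(route.prefix, route.peer, (route.as_path[0],) * count + route.as_path,
                 route.local_pref, route.via)


def customer_egress(main_up=True):
    """Which location carries on-prem -> VPC traffic. The customer routers tag routes
    learned at the main location with a higher Local Preference (constructed values)."""
    routes = [Route("10.20.0.0/16", "10.255.255.12", (AWS_ASN,), local_pref=100, via="backup/LG U+")]
    if main_up:
        routes.append(Route("10.20.0.0/16", "10.255.255.11", (AWS_ASN,), local_pref=200, via="main/KINX"))
    return best_path(routes).via


def aws_return(main_up=True, prepend_count=2):
    """Which location the AWS side picks for VPC -> on-prem traffic. LOCAL_PREF set on the
    customer routers is not carried across the eBGP session, so the backup advertisement
    is prepended instead (peer addresses constructed)."""
    backup = prepend(Route("172.16.20.0/24", "10.255.255.22", (ONPREM_ASN,), via="backup/LG U+"),
                     prepend_count)
    routes = [backup]
    if main_up:
        routes.append(Route("172.16.20.0/24", "10.255.255.21", (ONPREM_ASN,), via="main/KINX"))
    return best_path(routes).via


if __name__ == "__main__":
    print("egress (both up):   ", customer_egress())
    print("egress (main down): ", customer_egress(main_up=False))
    print("return (both up):   ", aws_return())
    print("return (main down): ", aws_return(main_up=False))
    print("return (no prepend):", aws_return(prepend_count=0))  # decided by the tie-break only
```

With both locations up, both directions select KINX; withdrawing the main routes moves both directions to LG U+ without any configuration change. The last call shows why prepending matters: without it the two advertisements are equal and the choice falls to the tie-break, so the return path is no longer under the customer's control.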

Page 17:

How Direct Connect and VPN backup are configured

[Diagram: four ways of pairing a Direct Connect path with a VPN backup between the VGW and the customer router. In each variant the DX path runs BGP; the VPN (IPSec) backup is BGP-routed, coordinated between customer routers over iBGP, or static-routed.]

Page 18:

Direct Connect Gateway (DXGW)

[Diagram: on-prem CIDR 172.16.10.0/24 (router Gi2/eth0, BGP ASN 65010) connected at an AWS Location over Gi3.200 / dxvif-nnnn to a Direct Connect Gateway (ASN 64512), which exchanges on-premise prefixes and VPC prefixes with three VPCs in different regions (Seoul, Tokyo, N. Virginia): CIDRs 10.11.0.0/16, 10.21.0.0/16 and 10.31.0.0/16, each with a VGW (BGP ASN 64512), a subnet 10.11.1.0/24 and an EC2 instance 10.11.1.100 as drawn.]

https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html


Page 20:

Direct Connect and Transit Gateway integration

• Virtual regional router

• Highly scalable connectivity (up to 5,000 VPC/VPN connections)

• Inter-Region Peering with Transit Gateways in remote regions

• ECMP support for VPN connections allows VPN bandwidth to be scaled

High scalability and flexible control through Direct Connect and Transit Gateway

For a detailed explanation of Transit Gateway (TGW), please refer to the Summit Seoul 2019 session below.

Multi-VPC architecture patterns with AWS Transit Gateway - 강동환, Solutions Architect (AWS)

https://www.youtube.com/watch?v=vEFh0BQ3iOk

Page 21:

Scenario 3 architecture

[Diagram: on-prem CIDR 172.16.10.0/24 (router Gi2/eth0, BGP ASN 65200) connected at an AWS Location over Gi1.200 / dxvif-nnnn through a Transit VIF to a DX Gateway and on to the AWS Transit Gateway (TGW, ASN 65100) in the local region; the TGW attaches three VPCs, CIDRs 10.11.0.0/16, 10.12.0.0/16 and 10.13.0.0/16 (subnets 10.11.1.0/24, 10.12.1.0/24, 10.13.1.0/24 with EC2 10.11.1.10, 10.12.1.10, 10.13.1.10), and also terminates an Internet VPN (ECMP). VPC prefixes and on-premise prefixes are exchanged over BGP.]

Through Direct Connect Gateway and Transit Gateway, every VPC, VPN and on-premise site in the region is operated as one network (no VPC Peering required)

Page 22:

Page 24:

Use case for a Public VIF

[Diagram: customer router (Gi2 172.16.2.1, eth0, BGP ASN 65000) in front of on-prem CIDR 172.16.2.0/24 (host 172.16.2.100) connected to the AWS DX routers in the AWS cage at the DX Location over Gi3.100 / dxvif-fhabrn02 on VLAN 100; public peering IPs 69.210.64.206/31 and 69.210.64.207/31 (/30 or /31); BGP peering receives the AWS public prefixes from the AWS public ASNs 7224, 16509, 14618 and 8987; on-prem hosts reach them through outbound NAT to a public IP.]

Through a Direct Connect Public VIF, communicate with every AWS global public IP without traversing the Internet (regulatory and security requirements)

Without an Internet connection, reach Amazon S3, the AWS Management Console, and the public IPs/Elastic IPs of every AWS Region

Page 25:

VPN over Direct Connect (Public VIF)

[Diagram: customer router (Gi2 172.16.51.1, eth0, BGP ASN 65200) in front of on-prem CIDR 172.16.51.0/24 (host 172.16.51.100) connected to the AWS DX routers in the AWS cage at the DX Location over Gi3.100 / dxvif-fhabrn02 on VLAN 101; public peering IPs 69.210.64.207/31 and 69.210.64.206/31 with BGP peering; on top of the Public VIF, IPSec Tunnel1 and Tunnel2 terminate on a VGW (BGP ASN 64512) for VPC 10.51.0.0/16 (subnet 10.51.1.0/24, EC2 10.51.1.100). IPSec encryption covers the tunnels end to end.]

Configure a Direct Connect Public VIF first, then build an IPSec VPN over it

Used when regulatory and compliance requirements call for end-to-end encryption of the transport path (Direct Connect itself does not provide encryption)

Page 26:

Networking reference sessions (Summit Seoul 2019)

Multi-VPC architecture patterns with AWS Transit Gateway - 강동환, Solutions Architect (AWS)

https://www.youtube.com/watch?v=vEFh0BQ3iOk

Hybrid cloud architecture design with AWS Direct Connect - 김용우, Solutions Architect (AWS)

https://www.youtube.com/watch?v=aK7f3rL8wnM

Adopting AWS Direct Connect with KINX - 남시우, Manager (KINX)

https://www.youtube.com/watch?v=8X1g2w-0fvM

Page 28:

Thank you.
