Following the pace of innovation at Amazon Web Services is a tough task. Because of the glut of innovation that regularly occurs at Amazon, really great ideas are sometimes overlooked due to the influx of new developments that transpire. Even though I am probably guilty of doing this myself, there is one solution (of these recent innovations) that stands out for me particularly well: the Transit Network VPC. It’s a networking solution that leverages a combination of AWS and Cisco technologies to bridge gaps between networks of many different types. I see this solution playing a very important part where organizations need a bit of networking glue to stitch these different types of networks together.
The Transit Network VPC
This solution leverages some great features from Amazon to include automated discovery and configuration of Virtual Private Networks within the AWS cloud itself. Think of it as a centralized networking hub that provides dynamic routing capabilities to multiple connected networks. The transit VPC—the central construct of the design—leverages a pair of Cisco CSR 1000v appliances deployed to separate Availability Zones (AZs) to ensure high availability of dynamically-routed VPN connections within your Amazon network. What does this mean for the business? Simply put, it allows users to take advantage of all of the great features of a comparable on-premises network and merges them with all of the great features of SDN-based Amazon network constructs that have been battle-tested over hundreds of thousands of hours to provide a cloudy network glue where needed.
The transit VPC design leverages a typical Amazon Virtual Private Cloud (VPC). A VPC allows you to have complete control over your virtual networking environment including creation of subnets, route tables, and network gateways, all while providing logical isolation and security from the rest of Amazon’s cloud network.
Coupled with the VPC is another key Amazon component called the Amazon Availability Zone. An Availability Zone can be thought of as a separate data center designed to be redundant within the same larger Amazon region (us-east, us-west, etc.). In each of the two Availability Zones required for this design, a Cisco CSR (Cloud Services Router) 1000v is deployed ensuring high availability of networking services connected to the transit VPC. The pair of redundant Cisco CSRs then act as an endpoint for VPN connectivity. By connecting locations to these centralized CSRs, dynamic routing services can be enabled to direct traffic appropriately between the networks. In this setup, we can see the transit VPC as the “hub” and the routing brain and the other networks as “spokes”.
Leveraging the Cloud Networking Glue in Your Organization
AWS Network Connectivity
Because the transit network configuration works by leveraging VPN connectivity, options for connecting networks in AWS cloud that are not natively possible are now possible. A great example includes connecting VPCs across regions.
Remote Network Connectivity
If you need to federate your platform across multiple sites, data centers, or even multiple clouds, this solution can be modified to work with any supported hardware or software Cisco VPN device. Additionally, the Cisco CSRs are available in multiple cloud platforms making sharing data across major cloud providers a bit easier. Consider this option as a good place to get started if you need to connect Azure networks with AWS for a project.
Further extending AWS connectivity options is the capability to connect VPCs from different AWS accounts by use of the transit VPC. This can actually become a perfect configuration for organizations that need to share larger datasets that are already in the cloud for research purposes, or companies that need to temporarily share networking services.
Company expansion through organic growth or acquisition may unearth a scenario where existing networks overlap. In this configuration, the transit VPC can be leveraged to provide (NAT) between these overlapping network ranges. The transit VPC can also be leveraged to connect multiple remote sites if needed to extend your on-premesis network across the cloud.
Getting Started with a Basic Configuration
Amazon makes getting started with any of their services quite easy. In this case, to get started with a POC configuration, a CloudFormation Template (CFT) can be leveraged to programmatically spin up the components needed for this design. The CFT configures each of the following services:
- VPC – The VPC is the underlying networking container for the transit VPC.
- Amazon S3 Bucket – An AWS bucket is used to store an auto-generated configuration file needed to dynamically update the Cisco CSRs.
- AWS KMS – Amazon Key Management Server assists in providing encryption of the S3 bucket’s contents: the CSR configuration file.
- AWS Lambda – Two services from AWS Lambda are configured to assist with the configuration of the VPN tunnels in the environment.
- Cisco Cloud Service Routers – The cloud service routers are provisioned and can be configured to either use an existing customer license directly from Cisco or they can be configured to use pay as you go licensing from Amazon.
Cost of the Transit Network VPC
Like all features of AWS, cost becomes a function of the amount and type of use of AWS resources that your organization consumes. For this configuration, costs for software licensing and amount of throughput that the transit network is designed to allow for are added as well. Using current Amazon pricing, the breakdown of the solution cost for bringing your own licenses versus including your own licenses for the primary hub deployment breaks down as follows:
|Transit VPC Deployment Size||BYOL cost/hour||License Included cost/hour|
|2 x 500 Mb/s||$0.21||$4.35|
|2 x 1 Gb/s||$0.84||$6.22|
|2 x 2 Gb/s||$1.68||$8.40|
For each “spoke” VPC you connect to, you’ll need to add $0.10 plus your network transit costs.
We’ve just scratched the surface on the choices and design constructs that go into using AWS and the Cisco CSR to deploy Amazon’s Transit Network VPC. To fully operationalize this design in your organization, there are often multiple different design considerations ranging from connectivity options to networking decisions. Being able to assist on both the networking side and the cloud provider side positions AHEAD uniquely in your corner from assisting your organization in this transition to leveraging multiple cloud resources and your data center resources on one secure network. If you’d like to learn more about leveraging cloud networking services in your organization today, contact us today to meet our experts in the AHEAD Lab and Briefing Center.