@okram999
Last active December 11, 2019 16:45
Advanced Networking

What are the technical requirements for virtual interfaces to public AWS services such as Amazon EC2 and Amazon S3?

  • A public or private ASN. If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 64512 to 65535 range.
  • A new, unused VLAN tag that you select
  • Public IPs (/30) allocated by you for the BGP session
* VLANs are in the customer's DC
* VIFs are in the AWS VPC

Dx with Amazon VPC

  • A public or private ASN. If you are using a public ASN, you must own it. If you are using a private ASN, it must be in the 64512 to 65535 range.

  • A new, unused VLAN tag that you select

  • The VPC Virtual Private Gateway (VGW) ID [a public VIF doesn't need a VGW]

  • AWS will allocate private IPs (/30) in the 169.x.x.x range for the BGP session and will advertise the VPC CIDR block over BGP. You can advertise the default route via BGP.

BGP peers in US regions advertise the public prefixes, so that a DX connection in one region knows the routes to

  • AWS public endpoints in another US region

BGP Community:

  • 8100 - the prefix is in the local region
  • 200 - the prefix is in the local continent
  • 9100 - you advertise only to the local AWS region
  • 9200 - you advertise only to the local AWS continent

Extreme Resilience Hybrid Network


Note: the DX route is preferred over the IPsec route in a route table

QinQ - 802.1ad - VLAN Stacking


Push and pop apply to the S-tag (service provider tag)

* 802.3 - ETHERNET
* 802.1Q - VLAN [Layer 2]

Use case of QinQ with AWS DX

  • The colo site is very far away, so you use a telco provider's backbone network to reach it.
  • Data packets are tagged with the customer's VLAN ID (C-tag)
  • The same packet is also tagged with the service provider tag (S-tag) while traversing the telco's shared backbone network
  • At the colo site the S-tag is stripped and the data packet is left with the C-tag, which targets the specific VLAN

Route53 DNS

  • Private hosted zones have to be linked/associated with a VPC.
  • The VPCs can be in the same or a different account.
  • Use the commands below to link a VPC (the first authorizes a VPC in another account, the second performs the association):
  create-vpc-association-authorization
  associate-vpc-with-hosted-zone

Hybrid DNS

DHCP

Reserved IP addresses in every subnet

.0 - network
.1 - router 
.2 - DNS 
.3 - reserved by AWS
last address -- broadcast address

Flow log format


Cost for Data Transfer


VPC can have both ipv4 and ipv6

IPv6 VPC CIDR: /56 and IPv6 SUBNET CIDR: /64

ECMP - Equal Cost Multipathing [gist: use all the available equal-cost routes instead of routing only via the preferred one] Ref: https://www.youtube.com/watch?v=KICp-9yXOT0

AWS Site-Site VPN:

  • Each VPN connection has 2 tunnels
  • Each tunnel has 2 SAs (security associations), hence 4 SAs for each VPN connection.

VPN Evolutions:

Site-to-Site VPN --> Transit VPC (EC2-based VPN appliances that you deploy) --> Transit Gateway

Transit VPC to Transit Gateway:


AWS Client VPN diagram

* Must have resources to
  1. Authenticate
  2. Authorize


VPN Option in AWS

  1. Site to Site VPN
  2. OpenVPN based client VPN


Traffic Engineering

The local route is preferred over a specific route in a VPC


Traffic from the VPC to DX -- the more specific route is selected, e.g. a /24 wins over a /16 network
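The route-selection rules in these notes (local route first, then the most specific prefix, with DX preferred over IPsec on a tie) together with the reserved subnet addresses listed under DHCP, as an added Python example that is not part of the original gist; the route table, gateway IDs and the origin labels "local"/"dx"/"vpn"/"static" are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Route origins are labels assumed for this example: "local" (the VPC's own
# route), "dx" (Direct Connect), "vpn" (IPsec Site-to-Site VPN), "static".
@dataclass(frozen=True)
class Route:
    cidr: str
    target: str
    origin: str

# Tie-break for routes of equal prefix length: DX beats the IPsec VPN route
# (as in the notes); any other origin ranks after both (assumption).
ORIGIN_RANK = {"dx": 0, "vpn": 1}

def select_route(routes, destination):
    """Pick the route for `destination` as the notes describe: the local
    route wins inside the VPC CIDR, otherwise the most specific prefix
    wins, and on a tie DX is preferred over IPsec."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.cidr)]
    if not matching:
        return None  # no matching route: the packet is dropped
    for r in matching:
        if r.origin == "local":
            return r
    matching.sort(key=lambda r: (-ipaddress.ip_network(r.cidr).prefixlen,
                                 ORIGIN_RANK.get(r.origin, 99)))
    return matching[0]

def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every IPv4 subnet (.0 network,
    .1 router, .2 DNS, .3 reserved, last address broadcast) plus the
    count of addresses left for instances."""
    net = ipaddress.ip_network(subnet_cidr)
    names = ("network", "router", "dns", "reserved")
    reserved = {n: str(net[i]) for i, n in enumerate(names)}
    reserved["broadcast"] = str(net[-1])
    return reserved, net.num_addresses - 5

# Constructed route table: VPC 10.0.0.0/16, a DX and a VPN both advertising
# 192.168.0.0/16 via the same VGW, the VPN also advertising a more specific
# /24, and a static default route to an internet gateway (IDs are made up).
ROUTES = [
    Route("10.0.0.0/16", "local", "local"),
    Route("192.168.0.0/16", "vgw-example", "dx"),
    Route("192.168.0.0/16", "vgw-example", "vpn"),
    Route("192.168.10.0/24", "vgw-example", "vpn"),
    Route("0.0.0.0/0", "igw-example", "static"),
]
```

With this table, 192.168.10.7 follows the VPN's /24 even though DX is preferred, while 192.168.20.7 goes to DX because both /16 routes tie on prefix length.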
