Friday, 19 November 2021

AWS Networking Fundamentals book: Table of Contents

Here is the Table of Contents of my AWS Networking Fundamentals book. I have added the figures which illustrate the example scenarios in each chapter. The book is available at Leanpub.com. It is still in progress, and there will be additional chapters soon.

Chapter 1: Virtual Private Cloud - VPC 1

VPC 1

VPC Introduction 1

The Structure of Availability Zone 2

Create VPC - AWS Console 4

Select Region 4

Create VPC 7

DHCP Options Set 9

Main Route Table 10

VPC Verification Using AWS CLI 12

Create VPC - AWS CloudFormation 16

Create Template 17

Upload Template 17

Verification Using AWS Console 18

VPC Verification using AWS CLI 21

Create Subnets - AWS Console 23

Create Subnets 24

Route Tables 29

Create Subnets – AWS Console 30

Create Subnets - AWS CloudFormation 37

Create Network ACL 40

Chapter 2: VPC Control-Plane 43

VPC Control-Plane – Mapping Service 43

Introduction 43

Mapping Register 43

Mapping Request - Reply 44

Data-Plane Operation 45

References 46

Chapter 3: VPC Internet Gateway 47

Introduction 47

Allow Internet Access from Subnet 48

Create Internet Gateway 49

Update Subnet Route Table 54

Network Access Control List 57

Associate SG and Elastic-IP with EC2 59

Create Security Group 59

Launch an EC2 Instance 65

Allocate Elastic IP address from Amazon Ipv4 Pool 71

Reachability Analyzer 81

Billing 85

Chapter 4: VPC NAT Gateway 87

Introduction 87

Create NAT Gateway and Allocate Elastic IP 89

Add Route to NGW on Private Subnet Route Table 94

Test Connections 97

Billing 101

Chapter 5: Virtual Private Gateway - VGW 103

Introduction 103

Customer Gateway (CGW) 105

Create CGW 106

Virtual Gateway (VGW) 109

Create CGW 109

Attach CGW to VPC 110

Route Table Propagation 113

Edit Route Table Route Propagation 113

VPN Connection 115

Edit Route Table Route Propagation 115

CGW Configuration 119

Download CFG File 119

Configure CGW Device 126

Tunnel Verification 128

Control-Plane Verification 132

Data-Plane Verification 134

Billing 135

Chapter 6: Transit Gateway 137

Introduction 137

Create Transit Gateway 139

Launch TGW 140

Create Transit Gateway Attachment 144

Update Subnet Route Tables 150

Data-Plane Testing 152

Create VPN Connection 153

Configure VPN on TGW 154

Configure VPN on CGW 159

Control-Plane and Data-Plane Verification 160

Transit Gateway Pricing 165

Chapter 7: VPC Segmentation with Transit Gateway 167

Introduction 167

Create Route Table for Attachments 173

Create TGW Route Table 174

Detach Attachments from the Default RT 176

Associate Attachments with RT 178

Route Table Propagation 180

Create Propagation 181

Summary 192

Chapter 8: Transit Gateway Peering 193

Introduction 193

Create TGW Peering 195

TGW Peering Connection Request (Stockholm-TGW) 195

TGW Attachment - London: Accept 199

RT of Stockholm-TGW 201

RT of London-TGW 203

RT of TGW-London-VPC-RT 205

RT of TGW-London-VPN-RT 205

RT of Stockholm-EC2-RT 206

RT of NWKT-Prod-Public 207

Verify IP Connection 207

TGW Peering Pricing 208

Summary 209

Chapter 9: VPC Peering 210

Introduction 210

Configure VPC Peering 212

Update Route Tables 217

Test Connectivity 222

Chapter 10: AWS PrivateLink 225

Introduction 225

Create Network Load Balancer 226

Create Endpoint Service 237

Create Endpoint 241

Connection Verification 249

Billing 253

Chapter 11: Dedicated Direct Connect & Transit VIF 255

  Introduction 255

  Dedicated Direct Connect Connection 255

    Direct Connect Ordering Process 256

    Create Direct Connect Gateway 264

    Create Transit Virtual Interface 267

    Configure BGP Peering Between Routers 272

    Associate TGW with Direct Connect GW 273

Direct Connect Gateway – Traffic Flow 276

Figure 11-1: AWS Dedicated Direct Connect Connection & Transit Virtual Interface.

Chapter 12: Hosted Direct Connect 277

Introduction 277

   Network Edge 278

   BGP EVPN Control Plane Operation 278

   VXLAN Data Plane 282

Figure 12-1: AWS Hosted Direct Connect Connection – EVPN Control Plane.

Chapter 13: Direct Connect BGP Policy 285

 Introduction 285
 BGP Route Selection Process 285
  DXGW Egress Policy - BGP Summary Route 287
  DXGW Egress Policy – BGP AS-Path Prepend 288
  DXGW Egress Policy - BGP Communities 290
  On-Prem DC Egress Policy 292

Figure 13-1: DXGW’s BGP Egress Policy – Default BGP Process.

Friday, 22 October 2021

AWS Networking Fundamentals: A Practical Guide to Understand How to Build a Virtual Datacenter into the AWS Cloud

Table of Contents

Chapter 1: Virtual Private Cloud - VPC 1

VPC 1

VPC Introduction 1

The Structure of Availability Zone 2

Create VPC - AWS Console 4

Select Region 4

Create VPC 7

DHCP Options Set 9

Main Route Table 10

VPC Verification Using AWS CLI 12

Create VPC - AWS CloudFormation 16

Create Template 17

Upload Template 17

Verification Using AWS Console 18

VPC Verification using AWS CLI 21

Create Subnets - AWS Console 23

Create Subnets 24

Route Tables 29

Create Subnets – AWS Console 30

Create Subnets - AWS CloudFormation 37

Create Network ACL 40

Chapter 2: VPC Control-Plane 43

VPC Control-Plane – Mapping Service 43

Introduction 43

Mapping Register 43

Mapping Request - Reply 44

Data-Plane Operation 45

References 46

Chapter 3: VPC Internet Gateway Service 47

Introduction 47

Allow Internet Access from Subnet 48

Create Internet Gateway 49

Update Subnet Route Table 54

Network Access Control List 57

Associate SG and Elastic-IP with EC2 59

Create Security Group 59

Launch an EC2 Instance 65

Allocate Elastic IP address from Amazon Ipv4 Pool 71

Reachability Analyzer 81

Billing 85

Chapter 4: VPC NAT Gateway 87

Introduction 87

Create NAT Gateway and Allocate Elastic IP 89

Add Route to NGW on Private Subnet Route Table 94

Test Connections 97

Billing 101

Chapter 5: Virtual Private Gateway - VGW 103

Introduction 103

Customer Gateway (CGW) 105

Create CGW 106

Virtual Gateway (VGW) 109

Create CGW 109

Attach CGW to VPC 110

Route Table Propagation 113

Edit Route Table Route Propagation 113

VPN Connection 115

Edit Route Table Route Propagation 115

CGW Configuration 119

Download CFG File 119

Configure CGW Device 126

Tunnel Verification 128

Control-Plane Verification 132

Data-Plane Verification 134

Billing 135

Chapter 6: Transit Gateway 136

TBD

Chapter 7: Direct Connect 137

TBD

Chapter 8: VPC Peering 138

TBD

Chapter 9: Private Link 139

TBD

Chapter 10: Network Firewall 140

TBD

Chapter 11: Design Consideration 141

TBD

Wednesday, 11 August 2021

LISP - OMP - BGP EVPN Interoperability - Part VIII: LISP, OMP, and BGP EVPN Comparison

IP reachability

Every Overlay Network solution requires IP reachability between edge devices via the Underlay Network. This section explains the basic routing solution in the Underlay Network from the Campus Fabric, SD-WAN, and Datacenter Fabric perspectives. Figure 7-1 illustrates the IP reachability requirements for Campus Fabric, SD-WAN, and Datacenter Fabric.

Figure 7-1: IP Reachability Requirements.

Sunday, 8 August 2021

LISP - OMP - BGP EVPN Interoperability - Part VII: End-to-End Data-Plane Operation

Introduction

This chapter introduces Data-Plane operation and explains how the data packets from EP3 (IP 172.16.30.3) in Datacenter Fabric are forwarded via SD-WAN to EP1 (IP 172.16.100.10) in Campus Fabric. (1) EndPoint3 sends the ICMP Request packet to its gateway switch Leaf-11. Leaf-11 makes the routing decision based on the VRF NWKT routing table. Before forwarding the packet, Leaf-11 adds a VXLAN header where it uses L3VNI 10077. It also sets the outer IP header, where it uses the Border-Leaf-13 tunnel interface’s IP address 192.168.50.13 as the destination. Spine-1 routes the packet to Border-Leaf-13 based on the outer IP address. Border-Leaf-13 notices that the destination IP address of the received IP packet belongs to its NVE1 tunnel interface. It removes the outer IP header and, based on the UDP destination port, it notices that this is a VXLAN-encapsulated packet. It knows that L3VNI 10077 belongs to VRF NWKT. It strips off the VXLAN header and routes the packet to vEdge-2.

The ingress interface towards the DC in vEdge-2 belongs to VPN 10. vEdge-2 consults its routing table. Based on it, vEdge-2 constructs the tunnel headers and sends the ICMP Request to vEdge-1 via the Public Internet using MPLS Label 1003 as the VPN identifier. Routers in the Internet route the packet based on the outer destination IP address. When vEdge-1 receives the packet, it notices that the destination IP address is its Public IP address. It first removes the outer IP header. Then it checks the tunnel header. Based on the Label value 1003, it knows that the packet belongs to VPN 10. It consults the VPN 10 RIB and routes the packet to Border-PxTR-13.

The ingress interface on Border-PxTR-13 belongs to VRF 100_NWKT, which belongs to LISP Instance 100. It checks the Instance 100 specific LISP mapping in order to know how it should route the packet. The LISP mapping database does not contain the information because this is the first packet to destination 172.16.100.10. Border-PxTR-13 sends a LISP Map-Request message to MapSrv-22, which replies with a LISP Map-Reply message, where it describes the RLOC of Edge-xTR-11 that has registered the IP address 172.16.100.10. I have excluded the Map-Request/Reply processes from figure 6-1 to keep the figure simple. Border-Leaf-13 encapsulates the ICMP Request packet with a tunnel header. It sets the Instance-Id 100 on the VXLAN header and adds the outer IP header where it uses Edge-xTR-11’s IP address 192.168.0.13 as the destination address. Core-1 routes the packet to Edge-xTR-11 based on the outer IP header destination address. Edge-xTR-11 processes the ingress IP packet because the destination IP address belongs to it. Based on the destination UDP port 4789, it knows that the following header is a VXLAN header. Edge-xTR-11 knows that the LISP Instance-Id 100 is bound to BD 100. Because Edge-xTR-11 has an L3 interface in BD 100, it resolves the MAC address for the IP address 172.16.100.10 from the ARP table and the egress interface for the MAC from the MAC address table. EP1 processes the ICMP Request packet and sends the ICMP Reply to EP3.

Figure 6-1: End-to-End Data-Plane Operation.
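The decapsulation decision Border-Leaf-13 (and later Edge-xTR-11) makes in the walkthrough can be modelled in a few dozen lines. The following is an added example, not code from the original post: it builds the 8-byte VXLAN header in its RFC 7348 layout, wraps it in a constructed outer IPv4/UDP header, and then plays the receiver, which (a) checks that the outer destination IP is one of its own tunnel addresses, (b) recognises VXLAN by UDP destination port 4789, (c) reads the 24-bit VNI and (d) maps the VNI to a VRF. The VNI-to-VRF binding (L3VNI 10077 to VRF NWKT), the NVE address 192.168.50.13 and port 4789 come from the post; the source address 192.168.50.11, the payload bytes and all function names are constructed for the example. A packet whose VNI is not bound to any VRF is dropped rather than routed, which is the check a practitioner would want to see made explicit.

```python
"""Model of VXLAN encapsulation and the receiver's decapsulation decision.

Added example; the topology values come from the post, the packet bytes and
helper names are constructed here.
"""
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit: the VNI field carries a valid VNI

# L3VNI -> VRF binding as described in the post.
VNI_TO_VRF = {10077: "NWKT"}

# Tunnel (NVE) addresses owned by the receiver: Border-Leaf-13's NVE1 from the post.
LOCAL_NVE_ADDRESSES = {IPv4Address("192.168.50.13")}


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 2**24:
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the upper 24 bits of the last 32-bit word.
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI, refusing headers that are truncated or lack the I flag."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_word = struct.unpack("!B3sI", hdr[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_word >> 8


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner: bytes, vni: int, src: str, dst: str, src_port: int = 49152) -> bytes:
    """Outer IPv4 + UDP(dst 4789) + VXLAN + inner frame, as Leaf-11 would send it."""
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner)
    # UDP checksum 0 is permitted over IPv4 and commonly used by VXLAN senders.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner


def decapsulate(packet: bytes) -> dict:
    """Receiver's decision path; returns what the device concluded about the packet."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, _, _, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    dst_ip = IPv4Address(dst)
    if dst_ip not in LOCAL_NVE_ADDRESSES:
        # Not addressed to this NVE: a transit device (Spine-1 in the post)
        # simply forwards on the outer destination address.
        return {"action": "forward", "outer_dst": str(dst_ip)}
    if proto != 17:
        raise ValueError("expected UDP after the outer IP header")
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    vni = parse_vxlan_header(packet[ihl + 8:ihl + 16])
    vrf = VNI_TO_VRF.get(vni)
    if vrf is None:
        # Unknown VNI: no VRF to route in, so the packet is dropped.
        raise LookupError(f"VNI {vni} is not bound to any VRF; drop")
    inner = packet[ihl + 16:ihl + udp_len]
    return {"action": "route", "vrf": vrf, "vni": vni, "inner": inner}


if __name__ == "__main__":
    # Constructed payload standing in for the ICMP Request from EP3.
    pkt = encapsulate(b"constructed-icmp-request", 10077, "192.168.50.11", "192.168.50.13")
    print(decapsulate(pkt))
```

Running the block prints the route decision for a packet that lands on Border-Leaf-13's NVE: VRF NWKT via VNI 10077, with the inner payload handed back for the VRF lookup that the post describes next.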

Friday, 6 August 2021

LISP - OMP - BGP EVPN Interoperability - Part VI: LISP Control-Plane - Registering External IP Prefixes

Introduction

This chapter introduces how Border-PxTR-13 registers the external IP prefix 172.16.30.0/24, received as a BGP update from vEdge-1, to MapSrv-22 using LISP Map-Register messages. Chapter 2 explains the LISP RLOC-to-EID mapping process in detail, so this chapter just briefly recaps the operation. Figure 5-1 illustrates the overall process. vEdge-1 sends a BGP Update message where it describes the NLRI for prefix 172.16.30.0/24. Border-PxTR-13 first imports the information into the LISP process. Next, it sends a LISP Map-Register message to MapSrv-22. In addition to the IP prefix information, the Map-Register message carries Locator Record information that describes the destination IP address used in the outer IP header (tunnel header) when devices route IP packets towards the advertised subnet.

Figure 5-1: Overall Control-Plane Operation: OMP to LISP

Wednesday, 4 August 2021

LISP - OMP - BGP EVPN Interoperability - Part V: BGP EVPN MAC Advertisement Route (Type 2).

Introduction

We have seen in previous chapters how the IP address 172.16.100.10 assigned to EP1 is advertised within the LISP domain and advertised as an aggregate route all the way down to Leaf-11 in the BGP EVPN domain. This chapter first explains how EP3’s IP address 172.16.30.3 is advertised by Leaf-11 as a BGP EVPN MAC Advertisement Route (Route-Type 2) via Spine-1 to Border-Leaf-13. Next, you will learn how Border-Leaf-13 advertises the aggregate route 172.16.30.0/24 to the SD-WAN edge device vEdge-2. The last section briefly shows how the routing information is propagated over the SD-WAN. The BGP EVPN NLRI MAC Advertisement Route carries two MPLS Labels, which identify the L2VN (10000) and the L3VN (10077). In our example, VLAN 10 is part of the VRF NWKT and it is attached to L2VN 10000. The L3VNI for VRF NWKT is 10077.

Figure 4-1: Overall Control-Plane Operation: BGP EVPN to OMP to LISP.