Wednesday, 25 March 2020

Comparing Internet Connection used in AWS and LISP Based Networks


Foreword

This post starts by discussing the Internet connection from the AWS VPC Control Plane operation perspective. The public AWS documentation only describes the basic components, such as the Internet Gateway (IGW) and the subnet-specific Implicit Routers (ImR). However, the public AWS documentation does not describe the Control Plane operation related to distributing the default route from IGWs to ImRs. The AWS VPC Control Plane part of this post is based on my assumptions, so be critical of what you read. The second part of this post briefly explains the Control Plane operation of the Internet connection used in a LISP based network. By comparing the AWS VPC to a LISP based network I just want to point out that even though some might think that cloud-based networking is much simpler than traditional on-premises networking, it is not. People tend to trust the network solutions used in clouds (AWS, Azure, etc.) and there is no debate about (a) what hardware is used, (b) how the redundancy works, (c) whether the solutions are standards-based, and so on. Now it is more like: I do not care how it works as long as it works. Good or bad, I do not know.

AWS VPC Internet Connection

Figure 1-1 illustrates the topology I am using in this post. There is a VPC named vpc-1a2b3c4d launched in the Availability Zone eu-north-1c in the AWS Stockholm region. Two EC2 instances are started in the VPC: EC2-A on Host-1 and EC2-B on Host-2. EC2-A is attached to subnet 172.16.10.0/24 and EC2-B to subnet 172.16.11.0/24. Each subnet has its own Implicit Router (ImR), which acts as the default gateway for the subnet. At the starting point, neither subnet has an Internet connection.

Phase 1. Assign IGW to VPC.

An Internet Gateway (IGW) is needed for Internet access. In our example, the Internet Gateway is named igw-11aa22bb33cc. Once the IGW has been launched and attached to the VPC, it can be used as a next hop (route target) in the VPC's Custom Route Tables.

Phase 2. Mapping the new IGW to VPC.

The public AWS documentation states that the Mapping Service distributes location information only to those who actively need it. This is why I assume that the new IGW igw-11aa22bb33cc registers itself as a member of VPC vpc-1a2b3c4d (a registration message from the IGW to the Mapping Service).

Phase 3. Publishing the mapping information to the IGW.

To route IP packets to subnet 172.16.10.0/24, the IGW has to know the instance-to-location mapping information. Based on the registration message sent by the IGW, the Mapping Service knows that igw-11aa22bb33cc is attached to VPC vpc-1a2b3c4d and, as a reaction, it publishes the instance-to-location information to the IGW.

Phase 4. Publishing the IGW information to the ImRs.

The subnet-specific Implicit Routers (ImR) also need information about the IGWs attached to the VPC. The IGW is added to a Custom Route Table by its identifier (instead of an IP address) from a drop-down menu, which means that the IGW information has to be published to the ImRs. I assume that the publisher is the Mapping Service, because the IGW registered itself to it as a member of the VPC.

Phase 5. Adding the Default Route to Custom Route Table.

As a last step, the default route is added to the Custom Route Table associated with subnet 172.16.10.0/24. When the instance EC2-A sends data towards a destination located behind the IGW, ImR1 wraps the original IP packets inside VPC tunnel headers and sends them over the Availability Zone backbone to the IGW. When the IGW receives the encapsulated packet, it removes the VPC headers, translates the source IP address to the instance's public IP address if needed, and forwards the packet towards the destination.
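The practical consequence of Phase 5 is that a subnet becomes "public" the moment its effective route table resolves Internet destinations to an igw-* target, so that is the check a reviewer of a VPC wants to automate. The script below is an added example, not AWS code or the author's: it reproduces the lookup the ImR performs (explicit subnet association, otherwise the VPC main route table, then longest-prefix match) over the JSON shape returned by `aws ec2 describe-route-tables`. The sample data is constructed for this example using the identifiers from the post; the rtb-* and subnet-* IDs and the VPC CIDR 172.16.0.0/16 are assumptions.

```python
"""Audit which subnets of a VPC are reachable from the Internet through an IGW.

Added example: it works on the JSON shape returned by
`aws ec2 describe-route-tables` (RouteTables -> Routes / Associations) and
reproduces the lookup the ImR performs: explicit subnet association, else the
VPC main route table, then longest-prefix match. Sample data is constructed for
this example using the identifiers from the post; the rtb-*/subnet-* IDs and
the VPC CIDR 172.16.0.0/16 are assumptions.
"""
import ipaddress
import json

# Constructed sample, shaped like the output of
# `aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-1a2b3c4d`
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-main0001",
      "VpcId": "vpc-1a2b3c4d",
      "Routes": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"}
      ],
      "Associations": [{"Main": true, "RouteTableId": "rtb-main0001"}]
    },
    {
      "RouteTableId": "rtb-public0001",
      "VpcId": "vpc-1a2b3c4d",
      "Routes": [
        {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-11aa22bb33cc", "State": "active"}
      ],
      "Associations": [
        {"Main": false, "RouteTableId": "rtb-public0001", "SubnetId": "subnet-aaaa0001"}
      ]
    }
  ]
}
""")

# Constructed: the VPC's subnets, as `aws ec2 describe-subnets` would list them.
SAMPLE_SUBNETS = {
    "subnet-aaaa0001": "172.16.10.0/24",  # EC2-A's subnet, explicitly associated above
    "subnet-bbbb0002": "172.16.11.0/24",  # EC2-B's subnet, falls back to the main table
}


def effective_route_table(route_tables, subnet_id):
    """Explicit association wins; a subnet without one uses the VPC main route table."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def lookup_route(route_table, destination):
    """Longest-prefix match over the table's active IPv4 routes (the 'local' route is always present)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") != "active":
            continue  # IPv6 routes and blackholed routes are not candidates here
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def is_public_subnet(route_tables, subnet_id):
    """True when an Internet destination resolves to an igw-* target.

    A 0.0.0.0/0 route whose target is a NAT gateway carries NatGatewayId, not
    GatewayId, so it correctly does not count as public here.
    """
    rt = effective_route_table(route_tables, subnet_id)
    if rt is None:
        return False
    route = lookup_route(rt, "198.51.100.1")  # RFC 5737 address, outside the VPC CIDR
    return bool(route and route.get("GatewayId", "").startswith("igw-"))


def audit(route_tables, subnets):
    """Map every subnet ID to its exposure; the loop a VPC review would run."""
    return {sid: is_public_subnet(route_tables, sid) for sid in subnets}


if __name__ == "__main__":
    for sid, public in audit(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(f"{sid} ({SAMPLE_SUBNETS[sid]}): {'public' if public else 'private'}")
```

Run against real output, the main-table fallback is the part that catches people: a subnet that was never explicitly associated inherits whatever the main route table says, so adding a default route to the main table in Phase 5 exposes every unassociated subnet in the VPC at once.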



Figure 1-1: AWS VPC – Internet Connection.



LISP Internet Connection

Figure 1-2 illustrates the Campus Fabric example. Host EC2-A is connected to switch Edge-1. Proxy-xTR 192.168.10.4 is configured as the PxTR on Edge-1. When Edge-1 receives the first IP packet from EC2-A, it checks the LISP Local Mapping Cache and the RIB to find the next-hop IP address to which the received IP packet should be sent. Because there is no next-hop information in either database, Edge-1 sends a LISP Map-Request message to the Map-Resolver. In our example, the Map-Resolver replies with a Negative Map-Reply. From the Edge-1 perspective, the Negative Map-Reply means that IP packets towards the requested destination should be sent to the configured PxTR. The next IP packet of the same flow sent by EC2-A is then encapsulated with VXLAN tunnel headers and sent to the Proxy-xTR.
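The exchange above, modelled in code as an added example (not Cisco or SD-Access code, and with simplified message formats): a Map-Resolver/Map-Server that answers from the fabric's registered EID prefixes, and Edge-1 as an ITR that consults its map-cache, sends one Map-Request on a miss, and on a Negative Map-Reply encapsulates subsequent packets of the flow to the configured Proxy-xTR 192.168.10.4. The fabric EID prefixes and their RLOCs are assumptions, as is the choice to drop the packet that triggers the Map-Request while the entry resolves.

```python
"""Toy model of the LISP resolution path described above.

Added example, not Cisco SD-Access code; message formats are simplified. It
models an ITR (Edge-1) with a map-cache, a Map-Resolver/Map-Server holding the
fabric's registered EID prefixes, and a configured Proxy-xTR (192.168.10.4 from
the post). Assumptions: the fabric EID prefixes and RLOCs below, and that the
ITR drops the packet that triggers a Map-Request while the entry resolves.
"""
import ipaddress
from dataclasses import dataclass

PXTR_RLOC = "192.168.10.4"  # Proxy-xTR configured on Edge-1 (from the post)


@dataclass
class MapReply:
    eid_prefix: ipaddress.IPv4Network
    rlocs: list   # empty for a Negative Map-Reply
    action: str   # "encapsulate", or "natively-forward" for a Negative Map-Reply


class MapResolver:
    """Map-Resolver/Map-Server: answers Map-Requests from the EID-to-RLOC database."""

    def __init__(self, registrations):
        self.db = {ipaddress.ip_network(p): r for p, r in registrations.items()}

    def map_request(self, eid):
        eid = ipaddress.ip_address(eid)
        for prefix, rlocs in sorted(self.db.items(), key=lambda kv: -kv[0].prefixlen):
            if eid in prefix:
                return MapReply(prefix, list(rlocs), "encapsulate")
        # Destination is not a fabric EID: Negative Map-Reply carrying the largest
        # prefix around eid that overlaps no registered EID prefix, so the ITR can
        # cache one entry for the whole non-EID range instead of one per flow.
        return MapReply(self._negative_prefix(eid), [], "natively-forward")

    def _negative_prefix(self, eid):
        for length in range(0, 33):
            candidate = ipaddress.ip_network(f"{eid}/{length}", strict=False)
            if not any(candidate.overlaps(p) for p in self.db):
                return candidate
        return ipaddress.ip_network(f"{eid}/32")


class ITR:
    """Ingress Tunnel Router (Edge-1): map-cache lookup, then Map-Request on a miss."""

    def __init__(self, resolver, petr=None):
        self.resolver = resolver
        self.petr = petr            # use-petr: where natively-forward traffic goes
        self.map_cache = {}         # IPv4Network -> MapReply
        self.map_requests_sent = 0

    def _cache_lookup(self, dst):
        hits = [p for p in self.map_cache if dst in p]
        return self.map_cache[max(hits, key=lambda p: p.prefixlen)] if hits else None

    def forward(self, dst):
        """Return the forwarding decision for one packet to dst."""
        dst = ipaddress.ip_address(dst)
        entry = self._cache_lookup(dst)
        if entry is None:
            self.map_requests_sent += 1
            reply = self.resolver.map_request(str(dst))
            self.map_cache[reply.eid_prefix] = reply
            return ("drop-resolving", None)   # assumption: the triggering packet is dropped
        if entry.action == "encapsulate":
            return ("encap", entry.rlocs[0])  # VXLAN to the destination ETR's RLOC
        if self.petr:
            return ("encap-petr", self.petr)  # VXLAN to the Proxy-xTR
        return ("native", None)


def simulate_flow(dst, packets=3):
    """Run a few packets of one flow through Edge-1; return (decisions, map_requests_sent)."""
    resolver = MapResolver({  # assumed fabric EID prefixes and edge-node RLOCs
        "172.16.10.0/24": ["192.168.10.1"],
        "172.16.11.0/24": ["192.168.10.2"],
    })
    edge1 = ITR(resolver, petr=PXTR_RLOC)
    return [edge1.forward(dst) for _ in range(packets)], edge1.map_requests_sent


if __name__ == "__main__":
    print(simulate_flow("198.51.100.1"))  # Internet destination: Negative Map-Reply, then PxTR
    print(simulate_flow("172.16.11.20"))  # fabric EID: encapsulate to its RLOC
```

The point the model makes visible is that only the first packet of the flow costs a Map-Request; the Negative Map-Reply is cached under a covering prefix (192.0.0.0/2 for the Internet destination above, given the assumed EID prefixes), so the rest of the flow, and other flows to that range, go straight to the Proxy-xTR.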


Figure 1-2: Campus Fabric – Internet Connection.

Conclusion

Even though setting up the Internet connection for an AWS VPC is easy, the same kind of complexity exists as in networks using a traditional approach, if we look at the process from the Control Plane perspective.
