REL 2: How do you plan your network topology?
Workloads often exist in multiple environments. These include multiple cloud environments (both publicly accessible and private) and possibly your existing data center infrastructure. Plans must include network considerations such as intra- and inter-system connectivity, public IP address management, private IP address management, and domain name resolution.
Resources
AWS re:Invent 2018: Advanced VPC Design and New Capabilities for Amazon VPC (NET303)
AWS re:Invent 2019: AWS Transit Gateway reference architectures for many VPCs (NET406-R1)
What is Amazon Route 53?
What is Elastic Load Balancing?
What is Amazon CloudFront?
What Is a Transit Gateway?
What Is Amazon VPC?
Working with Direct Connect Gateways
Using the Direct Connect Resiliency Toolkit to get started
Multiple data center HA network connectivity
What Is AWS Global Accelerator?
VPC Endpoints and VPC Endpoint Services (AWS PrivateLink)
Amazon Virtual Private Cloud Connectivity Options Whitepaper
AWS Marketplace for Network Infrastructure
APN Partner: partners that can help plan your networking
Best Practices:
- Use highly available network connectivity for your workload public endpoints: These endpoints and the routing to them must be highly available. To achieve this, use highly available DNS, content delivery networks (CDNs), API Gateway, load balancing, or reverse proxies.
- Provision redundant connectivity between private networks in the cloud and on-premises environments: Use multiple AWS Direct Connect (DX) connections or VPN tunnels between separately deployed private networks. Use multiple DX locations for high availability. If using multiple AWS Regions, ensure redundancy in at least two of them. You might want to evaluate AWS Marketplace appliances that terminate VPNs. If you use AWS Marketplace appliances, deploy redundant instances for high availability in different Availability Zones.
- Ensure IP subnet allocation accounts for expansion and availability: Amazon VPC IP address ranges must be large enough to accommodate workload requirements, including factoring in future expansion and allocation of IP addresses to subnets across Availability Zones. This includes load balancers, EC2 instances, and container-based applications.
- Prefer hub-and-spoke topologies over many-to-many mesh: If more than two network address spaces (for example, VPCs and on-premises networks) are connected via VPC peering, AWS Direct Connect, or VPN, then use a hub-and-spoke model, like that provided by AWS Transit Gateway.
- Enforce non-overlapping private IP address ranges in all private address spaces where they are connected: The IP address ranges of each of your VPCs must not overlap when peered or connected via VPN. You must similarly avoid IP address conflicts between a VPC and on-premises environments or with other cloud providers that you use. You must also have a way to allocate private IP address ranges when needed.
Improvement Plan
Use highly available network connectivity for your workload public endpoints
- Ensure that you have a highly available connection to your users
  - If your users access your application via the internet, use service API operations to confirm the correct usage of Internet Gateways. Also confirm that the route table entries for the subnets hosting your application endpoints are correct (a subnet with no explicit route table association uses the VPC's main route table).
    DescribeInternetGateways
    DescribeRouteTables
  - If your users access your application via your on-premises environment, ensure that your connectivity between AWS and your on-premises environment is highly available.
- Ensure that you are using a highly available DNS to manage the domain names of your application endpoints
  - Use Route 53 to manage your domain names
    What is Amazon Route 53?
  - Use a third-party DNS provider that meets your requirements
- Ensure that you are using a highly available reverse proxy or load balancer in front of your application
  - Use Elastic Load Balancing
    What is Elastic Load Balancing?
  - Use an AWS Marketplace appliance that meets your requirements
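The Internet Gateway and route table check described above, as an added example that is not part of the original guidance. It operates on the JSON shapes returned by the EC2 DescribeRouteTables and DescribeInternetGateways operations (for example the output of `aws ec2 describe-route-tables` and `aws ec2 describe-internet-gateways`), so it runs offline on captured output; the resource identifiers and tables below are constructed sample data. The check resolves the effective route table for a subnet (explicit association, otherwise the VPC's main table), then requires an active 0.0.0.0/0 route whose target is an Internet Gateway that is actually attached to that VPC.

```python
"""Verify that subnets hosting public endpoints route to an attached
Internet Gateway. Added example operating on DescribeRouteTables and
DescribeInternetGateways output; all identifiers are constructed samples."""

# Constructed sample of DescribeInternetGateways output.
INTERNET_GATEWAYS = {"InternetGateways": [
    {"InternetGatewayId": "igw-0aaa",
     "Attachments": [{"VpcId": "vpc-0aaa", "State": "available"}]},
    {"InternetGatewayId": "igw-0bbb", "Attachments": []},   # created but never attached
]}

# Constructed sample of DescribeRouteTables output.
ROUTE_TABLES = {"RouteTables": [
    {   # main table for vpc-0aaa: local route only, so it is not a public table
        "RouteTableId": "rtb-main-a", "VpcId": "vpc-0aaa",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public table for vpc-0aaa, explicitly associated with subnet-pub-1
        "RouteTableId": "rtb-pub-a", "VpcId": "vpc-0aaa",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub-1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"},
        ],
    },
    {   # table in vpc-0bbb whose default route points at the detached IGW
        "RouteTableId": "rtb-pub-b", "VpcId": "vpc-0bbb",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub-3"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "blackhole"},
        ],
    },
]}


def effective_route_table(route_tables, vpc_id, subnet_id):
    """Return the route table that applies to subnet_id: its explicit
    association if one exists, otherwise the VPC's main route table."""
    main = None
    for rtb in route_tables["RouteTables"]:
        if rtb["VpcId"] != vpc_id:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def attached_igws(internet_gateways):
    """Map VpcId -> set of Internet Gateway IDs attached in state 'available'."""
    result = {}
    for igw in internet_gateways["InternetGateways"]:
        for att in igw.get("Attachments", []):
            if att.get("State") == "available":
                result.setdefault(att["VpcId"], set()).add(igw["InternetGatewayId"])
    return result


def check_public_subnet(route_tables, internet_gateways, vpc_id, subnet_id):
    """Return a list of findings; an empty list means the subnet has an
    active default route to an Internet Gateway attached to its VPC."""
    rtb = effective_route_table(route_tables, vpc_id, subnet_id)
    if rtb is None:
        return [f"{subnet_id}: no route table found in {vpc_id}"]
    findings = []
    igws = attached_igws(internet_gateways).get(vpc_id, set())
    default_routes = [r for r in rtb.get("Routes", [])
                      if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not default_routes:
        findings.append(f"{subnet_id}: {rtb['RouteTableId']} has no 0.0.0.0/0 route")
    for route in default_routes:
        gw = route.get("GatewayId", "")
        if not gw.startswith("igw-"):
            findings.append(f"{subnet_id}: default route via {gw or 'unknown target'}, not an Internet Gateway")
        elif route.get("State") != "active":
            findings.append(f"{subnet_id}: default route via {gw} is {route.get('State')}")
        elif gw not in igws:
            findings.append(f"{subnet_id}: {gw} is not attached to {vpc_id}")
    return findings


if __name__ == "__main__":
    for vpc, subnet in [("vpc-0aaa", "subnet-pub-1"), ("vpc-0aaa", "subnet-priv-2"), ("vpc-0bbb", "subnet-pub-3")]:
        print(subnet, check_public_subnet(ROUTE_TABLES, INTERNET_GATEWAYS, vpc, subnet) or ["OK"])
```

The subnet without an explicit association is the case that usually slips through: it silently inherits the main route table, which in this sample has no internet route at all. Running the same check across every subnet that carries a public load balancer node or instance turns the "confirm correct usage of Internet Gateways" step into something you can put in a pipeline.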
Provision redundant connectivity between private networks in the cloud and on-premises environments
- Ensure that you have a redundant connection to your on-premises environment: You may need redundant connections to multiple AWS Regions to achieve your availability needs.
  AWS Direct Connect Resiliency Recommendations
  Using Redundant Site-to-Site VPN Connections to Provide Failover
  - Use service API operations to identify correct use of Direct Connect circuits
    DescribeConnections
    DescribeConnectionsOnInterconnect
    DescribeDirectConnectGatewayAssociations
    DescribeDirectConnectGatewayAttachments
    DescribeDirectConnectGateways
    DescribeHostedConnections
    DescribeInterconnects
  - If only one Direct Connect connection exists or you have none, set up redundant VPN tunnels to your virtual private gateways
    What is AWS Site-to-Site VPN?
- Capture your current connectivity (for example, Direct Connect, virtual private gateways, AWS Marketplace appliances)
  - Use service API operations to query the configuration of Direct Connect connections (the same Describe* operations listed above)
  - Use service API operations to collect virtual private gateways where route tables use them
    DescribeVpnGateways
    DescribeRouteTables
  - Use service API operations to collect AWS Marketplace appliances where route tables use them
    DescribeRouteTables
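The redundancy assessment described above, as an added example that is not part of the original guidance. It reads the JSON returned by the Direct Connect DescribeConnections operation and, for the VPN fallback, the EC2 DescribeVpnConnections operation (an operation not listed on this page; its VgwTelemetry field reports each tunnel's status). The connection and location values are constructed sample data. Per Region it classifies the available connections against the resiliency models of the AWS Direct Connect Resiliency Toolkit (two connections at each of two locations, one at each of two locations, or two at one location) and flags any Region with fewer than two connections as needing redundant VPN tunnels.

```python
"""Assess Direct Connect and Site-to-Site VPN redundancy to on-premises.
Added example operating on DescribeConnections / DescribeVpnConnections
output; all identifiers below are constructed samples."""
from collections import defaultdict

# Constructed sample of DescribeConnections output.
DX_CONNECTIONS = {"connections": [
    {"connectionId": "dxcon-aaaa1111", "region": "us-east-1", "location": "EqDC2",
     "connectionState": "available", "bandwidth": "1Gbps"},
    {"connectionId": "dxcon-bbbb2222", "region": "us-east-1", "location": "CSVA1",
     "connectionState": "available", "bandwidth": "1Gbps"},
    {"connectionId": "dxcon-cccc3333", "region": "eu-west-1", "location": "EqLD5",
     "connectionState": "available", "bandwidth": "1Gbps"},
    {"connectionId": "dxcon-dddd4444", "region": "eu-west-1", "location": "EqLD5",
     "connectionState": "pending", "bandwidth": "1Gbps"},   # ordered, not yet usable
]}

# Constructed sample of DescribeVpnConnections output (two tunnels per VPN).
VPN_CONNECTIONS = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0e1f2a3b", "State": "available",
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                      {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}]},
]}


def classify_dx(connections):
    """Group available Direct Connect connections by Region and location and
    name the Resiliency Toolkit model each Region currently satisfies."""
    by_region = defaultdict(lambda: defaultdict(int))
    for c in connections.get("connections", []):
        if c.get("connectionState") != "available":
            continue   # requested, pending, down or deleted circuits carry no traffic
        by_region[c["region"]][c["location"]] += 1
    report = {}
    for region, per_location in by_region.items():
        locations = len(per_location)
        total = sum(per_location.values())
        if locations >= 2 and min(per_location.values()) >= 2:
            model = "maximum resiliency"          # 2+ connections at each of 2+ locations
        elif locations >= 2:
            model = "high resiliency"             # 1 connection at each of 2+ locations
        elif total >= 2:
            model = "development and test"        # 2 connections, single location
        else:
            model = "single point of failure"
        report[region] = {"locations": dict(per_location), "connections": total, "model": model}
    return report


def needs_vpn_backup(dx_report, region):
    """Improvement plan rule: zero or one Direct Connect connection in a
    Region means redundant VPN tunnels must back it up."""
    return dx_report.get(region, {}).get("connections", 0) < 2


def vpn_tunnel_findings(vpn_connections):
    """Flag Site-to-Site VPN connections that are not available or do not
    have both of their tunnels UP; failover relies on the second tunnel."""
    findings = []
    for vpn in vpn_connections.get("VpnConnections", []):
        up = sum(1 for t in vpn.get("VgwTelemetry", []) if t.get("Status") == "UP")
        if vpn.get("State") != "available":
            findings.append(f"{vpn['VpnConnectionId']}: state {vpn.get('State')}")
        elif up < 2:
            findings.append(f"{vpn['VpnConnectionId']}: only {up} of 2 tunnels UP")
    return findings


if __name__ == "__main__":
    report = classify_dx(DX_CONNECTIONS)
    for region, entry in report.items():
        print(region, entry["model"], "needs VPN backup" if needs_vpn_backup(report, region) else "")
    print(vpn_tunnel_findings(VPN_CONNECTIONS))
```

Counting only connections in state `available` matters: a circuit that has been ordered but not yet delivered shows up in DescribeConnections and is easy to mistake for redundancy. Two connections at the same location share the Direct Connect location as a failure domain, which is why the toolkit ranks that model below one connection at each of two locations.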
Ensure IP subnet allocation accounts for expansion and availability
- Select relevant AWS accounts and Regions based on your service requirements, latency, regulatory, and disaster recovery (DR) requirements
- Identify your needs for regional VPC deployments
  - Determine if you are going to deploy multi-VPC connectivity
    What Is a Transit Gateway?
    Single Region Multi-VPC Connectivity
  - Determine if you need segregated networking for regulatory requirements
- Identify the size of the VPCs
  - Make VPCs as large as possible. The initial VPC CIDR block allocated to your VPC cannot be changed or deleted, but you can add additional non-overlapping CIDR blocks to the VPC. This, however, may fragment your address ranges.
  - Allow for use of Elastic Load Balancers, Auto Scaling groups, concurrent AWS Lambda invocations, and service endpoints, all of which consume IP addresses from your subnets
Prefer hub-and-spoke topologies over many-to-many mesh
- For only two such networks, you can simply connect them to each other, but as the number of networks grows, the complexity of such meshed connections becomes untenable. AWS Transit Gateway provides an easy to maintain hub-and-spoke model, allowing routing of traffic across your multiple networks.
What Is a Transit Gateway?
Enforce non-overlapping private IP address ranges in all private address spaces where they are connected
- Capture current CIDR consumption (for example, VPCs, subnets, etc.)
  - Use service API operations to collect current CIDR consumption
- Capture your current subnet usage
  - Use service API operations to collect subnets per VPC in each Region
    DescribeSubnets
  - Record the current usage
- Determine if you created any overlapping IP ranges
  - Calculate the spare capacity
  - Note overlapping IP ranges: You can either migrate to a new range of addresses or use Network Address Translation (NAT) appliances from AWS Marketplace if you need to connect the overlapping ranges.
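The CIDR inventory steps above, and the spare-capacity sizing from the "Ensure IP subnet allocation accounts for expansion and availability" section, as one added example that is not part of the original guidance. It reads the JSON shapes returned by the EC2 DescribeVpcs (including secondary CIDR associations) and DescribeSubnets operations plus a hand-maintained list of on-premises ranges, so captured `aws ec2 describe-vpcs` / `aws ec2 describe-subnets` output can be fed to it offline. The VPC IDs, ranges and the on-premises list are constructed samples. It reports every pair of connected address spaces that overlap and, per VPC, how much of each CIDR is still uncarved and in which contiguous blocks, which is what tells you whether another Availability Zone's worth of subnets will fit.

```python
"""Find overlapping private ranges and compute spare VPC capacity.
Added example operating on DescribeVpcs / DescribeSubnets output plus a
list of on-premises ranges; all identifiers and ranges are constructed."""
from ipaddress import ip_network

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

# Constructed sample of DescribeVpcs output; vpc-prod has a secondary CIDR.
VPCS = {"Vpcs": [
    {"VpcId": "vpc-prod", "CidrBlock": "10.0.0.0/16", "CidrBlockAssociationSet": [
        {"CidrBlock": "10.0.0.0/16", "CidrBlockState": {"State": "associated"}},
        {"CidrBlock": "10.10.0.0/16", "CidrBlockState": {"State": "associated"}},
    ]},
    {"VpcId": "vpc-dev", "CidrBlock": "10.10.0.0/20", "CidrBlockAssociationSet": [
        {"CidrBlock": "10.10.0.0/20", "CidrBlockState": {"State": "associated"}},
    ]},
]}

# Constructed sample of DescribeSubnets output.
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-a", "VpcId": "vpc-prod", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/20"},
    {"SubnetId": "subnet-b", "VpcId": "vpc-prod", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.16.0/20"},
    {"SubnetId": "subnet-c", "VpcId": "vpc-prod", "AvailabilityZone": "us-east-1c", "CidrBlock": "10.0.32.0/20"},
    {"SubnetId": "subnet-d", "VpcId": "vpc-dev", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.10.0.0/24"},
]}

# Constructed: ranges in use on premises that the VPCs connect to.
ON_PREM = [("corp-dc", "172.16.0.0/12"), ("corp-dc", "10.0.0.0/24")]


def connected_spaces(vpcs, on_prem):
    """List every (label, cidr) in the connected address space: all
    associated VPC CIDRs (primary and secondary) plus on-premises ranges."""
    spaces = []
    for vpc in vpcs["Vpcs"]:
        for assoc in vpc.get("CidrBlockAssociationSet", []):
            if assoc.get("CidrBlockState", {}).get("State") == "associated":
                spaces.append((vpc["VpcId"], assoc["CidrBlock"]))
    return spaces + list(on_prem)


def find_overlaps(spaces):
    """Return (label_a, cidr_a, label_b, cidr_b) for every overlapping pair."""
    nets = [(label, ip_network(cidr)) for label, cidr in spaces]
    hits = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (la, a), (lb, b) = nets[i], nets[j]
            if a.overlaps(b):
                hits.append((la, str(a), lb, str(b)))
    return hits


def free_blocks(vpc_cidrs, subnet_cidrs):
    """Return the contiguous blocks of the VPC CIDRs not yet carved into
    subnets, smallest address first."""
    free = [ip_network(c) for c in vpc_cidrs]
    for s in subnet_cidrs:
        sub = ip_network(s)
        remaining = []
        for block in free:
            if sub.subnet_of(block):
                remaining.extend(block.address_exclude(sub))   # empty when sub == block
            else:
                remaining.append(block)
        free = remaining
    return sorted(free)


def usable_addresses(cidr):
    """Addresses a subnet can actually hand out after AWS's reservations."""
    return ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def capacity_report(vpcs, subnets):
    """Per VPC: total addresses, addresses allocated to subnets, free blocks."""
    by_vpc = {}
    for sn in subnets["Subnets"]:
        by_vpc.setdefault(sn["VpcId"], []).append(sn["CidrBlock"])
    report = {}
    for vpc in vpcs["Vpcs"]:
        cidrs = [a["CidrBlock"] for a in vpc.get("CidrBlockAssociationSet", [])
                 if a.get("CidrBlockState", {}).get("State") == "associated"]
        allocated = by_vpc.get(vpc["VpcId"], [])
        report[vpc["VpcId"]] = {
            "total": sum(ip_network(c).num_addresses for c in cidrs),
            "allocated": sum(ip_network(c).num_addresses for c in allocated),
            "free_blocks": [str(n) for n in free_blocks(cidrs, allocated)],
        }
    return report


if __name__ == "__main__":
    for hit in find_overlaps(connected_spaces(VPCS, ON_PREM)):
        print("OVERLAP:", hit)
    for vpc_id, entry in capacity_report(VPCS, SUBNETS).items():
        print(vpc_id, entry)
```

In the sample, vpc-dev's range collides with the secondary CIDR later added to vpc-prod, and the on-premises 10.0.0.0/24 collides with vpc-prod's primary range: exactly the two cases the practice warns about, a VPC-to-VPC conflict and a VPC-to-data-centre conflict. The free-block listing shows why the secondary-CIDR caveat matters: the remaining space in vpc-prod is split across several non-adjacent blocks rather than one range.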