
Page 1: Bct Aws-VPC-Training

Copyright: Blue Chip Tek, Inc. Confidential - Do Not Distribute 1

AWS Cloud Connectivity options for the Campus and Data Center

Jay Ratford, BlueChipTek

3/31/16

Page 2: Bct Aws-VPC-Training

Agenda

• Introduction to BlueChipTek
• VPC Overview: Why do I need VPC Connectivity?
• Connectivity: VPN vs Direct Connect
• Case Studies:
  – Connecting Branch and Campus Networks to the Cloud
  – Connecting Data Centers to the Cloud
  – Hybrid Data Center connectivity options
• Why Juniper SRX for AWS Connectivity
• Other Juniper Cloud Solutions (vSRX, vMX)
• Lab: Setup VPN to Amazon VPC on SRX

Page 3: Bct Aws-VPC-Training

Connectivity to AWS: From Campus, Branch and Data Center

(Diagram: Campus or Data Center resources connecting to AWS)

Page 4: Bct Aws-VPC-Training

VPN Overview: Why do I need VPN Connectivity?

• Local IPSec-VPN connectivity to VPC subnets (back-ends)

• Allows secure and authenticated connectivity from AWS back to your internal network(s) over the Internet

(Diagram: VGW to CPE, bi-directional data flows)

Page 5: Bct Aws-VPC-Training

Direct Connect Overview

• Direct IP connectivity to AWS and your VPC(s)

• Provisioned as a P2P circuit between the AWS cage and your cage

• 1 Gig and 10 Gig ports available

• VLAN mapping to VPC virtual interfaces

(Diagram: P2P circuit)

Page 6: Bct Aws-VPC-Training

Direct Connect Process: available at limited locations; see the FAQ for the latest info: http://aws.amazon.com/directconnect/faqs/

Page 7: Bct Aws-VPC-Training

VPC vs Direct Connect: Compare and Contrast

• VPC IPSec VPNs:
  + Easy to set up and provision new connections
  + Easy to re-IP or re-configure VPN endpoints
  = 10 VPNs per VPC with 4 Gbps maximum theoretical
  – Performance is dependent on the bandwidth available from your ISP

• VPC Direct Connect:
  – Connectivity provided only from an AWS-supported DC (Equinix)
  – More complex to provision, like a P2P circuit
  + Dedicated bandwidth to your AWS backend
  + 1 Gig and 10 Gig ports available
  + Supports multiple VLANs (virtual interfaces) for multiple VPCs

Page 8: Bct Aws-VPC-Training

VPC vs Direct Connect: Compare and Contrast

(Chart: latency-sensitive and packet-loss-sensitive applications)

Page 9: Bct Aws-VPC-Training

VPN Case Studies: Connecting Offices to the Cloud

Page 10: Bct Aws-VPC-Training

VPN Case Studies: Connecting Multiple Offices to the Cloud

• Connect up to 10 locations directly to AWS VPC over the Internet using IPSec VPNs

• Dual tunnels and BGP Routing facilitate failover and/or traffic load balancing

Page 11: Bct Aws-VPC-Training

Case Studies: Mixing VPNs and Direct Connect for best availability

• Hybrid Cloud = Private Cloud + Public Cloud

  – Facilitates migrations by supporting legacy private DC services alongside the Public Cloud, given the investment in current infrastructure

  – Requires high-9s availability and failover

  – Requires security enforcement between clouds

Page 12: Bct Aws-VPC-Training

Juniper SRX Overview: Cost-effective security for AWS Connectivity

• Low-cost, high-performance security platform provides an efficient entry point to VPC

• Advanced routing features, including BGP and policy-based routing, allow for flexible designs

• High-availability features enable high-9s availability for production-grade connectivity

• Wide range of hardware models, with the vSRX virtual firewall also supported; all run JunOS

Page 13: Bct Aws-VPC-Training

Juniper SRX Overview: New SRX Models

Page 14: Bct Aws-VPC-Training

Juniper SRX Overview: New SRX Models

Page 15: Bct Aws-VPC-Training

Copyright © 2011 Juniper Networks, Inc. www.juniper.net

BRANCH SRX DELIVERS… CONSOLIDATED SECURITY AND NETWORKING

SRX Platform: a single device for routing, switching, and security

Comprehensive security; easy to activate new layers of security

(Diagram: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, Web filtering (UTM); Routing / WAN; LAN, Switching)

Page 16: Bct Aws-VPC-Training

Juniper SRX: Detailed Architecture View

Page 17: Bct Aws-VPC-Training

Juniper SRX: Dual ISP Architecture

Page 18: Bct Aws-VPC-Training

Other Juniper AWS/Cloud Solutions

Page 19: Bct Aws-VPC-Training

Juniper vSRX Overview: Cost-effective virtual security in the cloud

http://www.slideshare.net/AmazonWebServices/net208-enable-secure-your-business-app-via-the-hybrid-cloud-on-aws

Page 20: Bct Aws-VPC-Training

Juniper vMX Overview: Cost-effective virtual routing in the cloud

http://www.slideshare.net/AmazonWebServices/net208-enable-secure-your-business-app-via-the-hybrid-cloud-on-aws

Page 21: Bct Aws-VPC-Training

Break before Lab

Page 22: Bct Aws-VPC-Training

Lab: Setup VPN to AWS on Juniper SRX

• Requirements
• Review VPC setup on the AWS test instance
• Load configuration on Juniper vSRX
• Testing and troubleshooting connectivity
• Failover scenarios
• Real-world performance considerations

Page 23: Bct Aws-VPC-Training

Lab: Create Gateway: Enter your SRX public IP address

If your Public IP is BGP advertised select Dynamic

Page 24: Bct Aws-VPC-Training

Lab: Create VPN: Choose an existing gateway or create a new one

Select Dynamic (BGP Routing)

Page 25: Bct Aws-VPC-Training

Lab: Setup VPN to AWS: BGP – not so scary…

• BGP – ideal method for load balancing and VPN failover, supported by Juniper and AWS

• BGP license not required!

• BGP configuration and filters provided by AWS

  – Once set up, the configuration remains static

  – No “BGP traffic engineering” (or engineer) required

Page 26: Bct Aws-VPC-Training

Lab: Associate Routes: Choose existing route tables

Create Static Routes to Target VPN Gateway

Page 27: Bct Aws-VPC-Training

Lab: Download Config: Creates a text file for your SRX.

Select Vendor: Juniper
Select Platform: J-Series

(same configuration applies to SRX)

Page 28: Bct Aws-VPC-Training

Lab: Open Text Configlet: Let's examine and replace some values

Page 29: Bct Aws-VPC-Training

Lab: Open Text Configlet: Validate the external-interface name

(Callout: External Interface)

Page 30: Bct Aws-VPC-Training

Lab: Open Text Configlet: Tunnel interface and security zones

(Callout: Tunnel interface zone configuration)

Page 31: Bct Aws-VPC-Training

Lab: Open Text Configlet: TCP-MSS values (global)

(Callout: TCP-MSS values, set to avoid fragmentation)

Page 32: Bct Aws-VPC-Training

Lab: Open Text Configlet: BGP export policies

(Callouts: BGP export policy; BGP neighbors)
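The four configlet sections the slides above walk through (external interface, tunnel interface and zone, TCP-MSS, BGP export policy and neighbors), as an added example that is not the AWS-generated configlet or the lab's student file: it covers one of the two tunnels, reusing the addresses, AS number and cipher suite shown later in the lab's validation output. Assumed: external interface ge-0/0/0.0, zone names trust and vpn, local AS 65000, the object names, and the pre-shared-key placeholder.

```junos
## Added example (not the AWS configlet or BCT's lab file). Assumed: ge-0/0/0.0 as the
## external interface, zone "vpn" for the tunnel, local AS 65000, object names, PSK placeholder.

## Phase 1 (IKE): main mode, AES-128/SHA1 with a pre-shared key, matching the IKE SA shown in the lab
set security ike proposal ike-prop-vpn-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-1 dh-group group2
set security ike policy ike-pol-vpn-1 mode main
set security ike policy ike-pol-vpn-1 proposals ike-prop-vpn-1
set security ike policy ike-pol-vpn-1 pre-shared-key ascii-text "REPLACE-WITH-PSK-FROM-CONFIGLET"
## Validate external-interface: it must be the SRX interface holding the public IP entered in Create Gateway
set security ike gateway gw-vpn-1 ike-policy ike-pol-vpn-1
set security ike gateway gw-vpn-1 address 52.34.241.19
set security ike gateway gw-vpn-1 dead-peer-detection
set security ike gateway gw-vpn-1 external-interface ge-0/0/0.0

## Phase 2 (IPsec): ESP aes-cbc-128/sha1 as in the IPsec SA output, bound to tunnel interface st0.1
set security ipsec proposal ipsec-prop-vpn-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-1 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol-vpn-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-1 proposals ipsec-prop-vpn-1
set security ipsec vpn vpn-1 bind-interface st0.1
set security ipsec vpn vpn-1 ike gateway gw-vpn-1
set security ipsec vpn vpn-1 ike ipsec-policy ipsec-pol-vpn-1
set security ipsec vpn vpn-1 df-bit clear
set security ipsec vpn vpn-1 establish-tunnels immediately

## Tunnel interface and security zone: the BGP session rides inside the tunnel, so the zone must accept BGP on st0.1
set interfaces st0 unit 1 family inet address 169.254.12.218/30
set interfaces st0 unit 1 family inet mtu 1436
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn host-inbound-traffic protocols bgp

## TCP-MSS (global): clamp the MSS so TCP inside ESP does not exceed the tunnel MTU and fragment
set security flow tcp-mss ipsec-vpn mss 1387

## BGP export policy: advertise only the default route (as the lab's advertising-protocol output shows), reject the rest
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set routing-options autonomous-system 65000
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.12.217 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.12.217 peer-as 7224
set protocols bgp group ebgp neighbor 169.254.12.217 local-address 169.254.12.218
set protocols bgp group ebgp neighbor 169.254.12.217 hold-time 30
```

The `#` comment lines are the ones `load set` reports as "unknown command" and skips, as the Load Config slide shows; the second tunnel repeats the same structure on st0.2 with its own gateway address, pre-shared key and /30.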

Page 33: Bct Aws-VPC-Training

Lab: Download from SRX: SFTP files from your SRX for the lab

jratford$ sftp [email protected]        (your vSRX internal IP)
Password: BCTLab64

## Download SSH key for AWS host connectivity
sftp> mget *.pem

## Alternative: download the AWS config for your virtual SRX
sftp> mget studentX.txt

Page 34: Bct Aws-VPC-Training

Lab: Copy AWS Config set

jratford-mbp:~ jratford$ ssh -l root 192.168.10.X        (your SRX)
Password:
--- JUNOS 15.1X49-D15.4 built 2015-07-31 02:20:21 UTC
…

root@SRX-Student-01% vi aws.cfg
(If pasting a new configuration via the copy/paste method: press a, paste the text file, then press :wq)

root@SRX-Student-01% more aws.cfg
………

Page 35: Bct Aws-VPC-Training

Lab: Load Config set

root@SRX-Student-01> cli
root@SRX-Student-01> edit
Entering configuration mode

[edit]
root@SRX-Student-01# load set studentX.txt
aws.cfg:3:(0) unknown command: #
aws.cfg:4:(0) unknown command: #
…. (Ignore comments)
load complete

[edit]
root@SRX-Student-01# show | compare
……

[edit]
root@SRX-Student-01# commit
commit complete

[edit]
root@SRX-Student-01# exit
Exiting configuration mode

Page 36: Bct Aws-VPC-Training

Lab: Validating VPN

root@SRX-Student-01> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2035194  UP     5aa1515cd4221384  fa53c54fcbe7ca01  Main  52.34.241.19
2035195  UP     b1716906e762473c  5622cc5ade054f97  Main  52.36.241.28

root@SRX-Student-01> show security ipsec security-associations
Total active tunnels: 2
ID       Algorithm             SPI       Life:sec/kb  Mon  lsys  Port  Gateway
<131073  ESP:aes-cbc-128/sha1  fd294c37  3564/ unlim  -    root  4500  52.34.241.19
>131073  ESP:aes-cbc-128/sha1  45ddf9    3564/ unlim  -    root  4500  52.34.241.19
<131074  ESP:aes-cbc-128/sha1  bd7b76db  3568/ unlim  -    root  4500  52.36.241.28
>131074  ESP:aes-cbc-128/sha1  11ec056d  3568/ unlim  -    root  4500  52.36.241.28

root@SRX-Student-01> show interfaces terse | match st0
st0      up    up
st0.1    up    up   inet  169.254.12.218/30
st0.2    up    up   inet  169.254.13.150/30

Page 37: Bct Aws-VPC-Training

Lab: Validating VPN

root@SRX-Student-01> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 2          1          0          0          0          0
Peer             AS  InPkt  OutPkt  OutQ  Flaps  Last Up/Dwn  State|#Active/Received/Accepted/Damped...
169.254.12.217  7224     33      36     0      0         4:52  0/1/1/0   0/0/0/0
169.254.13.149  7224     31      35     0      0         4:48  1/1/1/0   0/0/0/0

root@SRX-Student-01> show route advertising-protocol bgp 169.254.12.217

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
  Prefix          Nexthop         MED  Lclpref  AS path
* 0.0.0.0/0       Self                          I

root@SRX-Student-01> show route receive-protocol bgp 169.254.12.217

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
  Prefix          Nexthop         MED  Lclpref  AS path
  172.16.1.0/24   169.254.12.217  200           7224 I

Page 38: Bct Aws-VPC-Training

Lab: Validating VPN

root@SRX-Student-01> show route 172.16.1.0/24

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.1.0/24      *[BGP/170] 00:06:03, MED 100, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.13.149 via st0.2
                    [BGP/170] 00:05:37, MED 200, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.12.217 via st0.1

Page 39: Bct Aws-VPC-Training

Lab: VPN Failover

root@SRX-Student-01> edit
Entering configuration mode

[edit]
root@SRX-Student-01# set interfaces st0.2 disable

[edit]
root@SRX-Student-01# show | compare
[edit interfaces st0 unit 2]
+   disable;

[edit]
root@SRX-Student-01# commit
commit complete

[edit]
root@SRX-Student-01# run show route 172.16.1.0

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.1.0/24      *[BGP/170] 00:00:01, MED 200, localpref 100
                      AS path: 7224 I, validation-state: unverified
                    > to 169.254.12.217 via st0.1

Page 40: Bct Aws-VPC-Training

Lab: Security Policies: Security policy enforcement

root@SRX-Student-01> show security policies
Default policy: deny-all
From zone: trust, To zone: trust
  Policy: default-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, log
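A tighter inter-zone policy for the "security enforcement between clouds" the hybrid case study calls for, as an added example rather than the lab's configuration: the output above shows only a trust-to-trust any/any permit, which enforces nothing on tunnel traffic if the st0 interfaces sit in trust. It assumes the tunnel interfaces are in their own zone vpn, the campus LAN is 192.168.110.0/24 in zone trust, and the VPC is 172.16.X.0/24 with X replaced by your student number.

```junos
## Added example, not the lab's running config. Assumed: zone "vpn" holds st0.1/st0.2,
## zone "trust" holds the campus LAN, VPC CIDR 172.16.X.0/24 (X = student number).
set security address-book global address vpc-net 172.16.X.0/24
set security address-book global address campus-net 192.168.110.0/24

## Campus -> VPC: only SSH and ICMP (what the lab actually uses), logged at session close
set security policies from-zone trust to-zone vpn policy campus-to-vpc match source-address campus-net
set security policies from-zone trust to-zone vpn policy campus-to-vpc match destination-address vpc-net
set security policies from-zone trust to-zone vpn policy campus-to-vpc match application junos-ssh
set security policies from-zone trust to-zone vpn policy campus-to-vpc match application junos-icmp-ping
set security policies from-zone trust to-zone vpn policy campus-to-vpc then permit
set security policies from-zone trust to-zone vpn policy campus-to-vpc then log session-close

## VPC -> Campus: ping only (the lab's return-path test), logged at session start
set security policies from-zone vpn to-zone trust policy vpc-to-campus match source-address vpc-net
set security policies from-zone vpn to-zone trust policy vpc-to-campus match destination-address campus-net
set security policies from-zone vpn to-zone trust policy vpc-to-campus match application junos-icmp-ping
set security policies from-zone vpn to-zone trust policy vpc-to-campus then permit
set security policies from-zone vpn to-zone trust policy vpc-to-campus then log session-init

## Keep the default deny explicit: anything not matched above, in either direction, is dropped
set security policies default-policy deny-all
```

With this in place, `show security policies` lists both inter-zone policies and the SSH and ping tests on the Accessing VPC Hosts slides still pass, while any other application across the tunnel is dropped.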

Page 41: Bct Aws-VPC-Training

Lab: Accessing VPC Hosts: 172.16.X.0/24 (replace X with your student number)

Page 42: Bct Aws-VPC-Training

Lab: Accessing VPC Hosts: Logging in via SSH

## Lab - a static route is required for your PC to access the VPC networks (use your IPs)
jratford$ sudo route add -net 172.16.X.0/24 192.168.110.X

jratford$ chmod 400 student1-5.pem
jratford$ ssh -i student1-5.pem [email protected]
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Mar 22 16:33:26 UTC 2016

  System load:  0.48              Processes:        81
  Usage of /:   9.9% of 7.74GB    Users logged in:  0
  Memory usage: 5%
  Swap usage:   0%

  Graph this data and manage this system at: https://landscape.canonical.com/

ubuntu@ip-172-16-1-252:~$ ping 192.168.110.X        (your SRX internal IP or your PC)
PING 192.168.110.102 (192.168.110.102) 56(84) bytes of data.
64 bytes from 192.168.110.102: icmp_seq=1 ttl=62 time=27.4 ms
64 bytes from 192.168.110.102: icmp_seq=2 ttl=62 time=49.6 ms
^C

Page 43: Bct Aws-VPC-Training

Additional Material

• Ref: other whitepapers and app notes
• https://www.cloudreach.com/gb-en/2013/01/comparing-amazon-vpc-connectivity-options/
• Amazon Guides
• http://www.slideshare.net/AmazonWebServices/using-virtual-private-cloud-vpc
• Juniper marketing collateral
• BCT Whitepaper from Mark T.
• http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html
• http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper_Troubleshooting.html
• http://www.juniper.net/us/en/products-services/security/srx-series/compare/

Page 44: Bct Aws-VPC-Training

Thank you for attending. Please visit the event page on our website to check out upcoming events: http://bluechiptek.com/about/events

@bluechiptek

For any questions please contact us at 408-731-7000 or bct-[email protected]