Hybrid Environments & Migration Flashcards

1
Q

What is BGP? What is BGP made up of?

A

Border Gateway Protocol: the exterior gateway routing protocol used to exchange reachability information between networks on the internet.

Made up of self-managing networks called “Autonomous Systems” (AS): a collection of routers and prefixes under a single administrative control (an ISP, a cloud provider, a large enterprise). Each AS peers with neighbouring ASes and exchanges information on how to reach prefixes across the internet.

2
Q

What is an ASN?

A

Autonomous System Number: a globally unique number (16-bit or 32-bit) that identifies an AS to its BGP peers. Every route advertisement carries the ASNs it has passed through, so the ASN is what identifies an entity/peer within a BGP network.

3
Q

What is the AS Path?

A

The list of ASNs a route advertisement has passed through. Each AS prepends its own ASN when it advertises the route to an eBGP peer, so the path grows by one hop per AS. Peers use it for loop prevention (a router discards a path that already contains its own ASN) and, all else being equal, prefer the route with the shortest AS path.

A BGP speaker advertises only its BEST PATH to a destination to its peers, not every path it knows about.

4
Q

What is the AS Path Prepending?

A

Mechanism for influencing which path other networks use to reach you when the shortest path is not the one you want them to take.

The advertising AS repeats its own ASN several times in the AS path, which makes that path look longer and therefore less desirable; neighbours then prefer an alternative path of equal or shorter length. It is only a hint: a neighbour’s local preference is evaluated before AS path length and can override it.
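The AS path and prepending cards above in working form. This is an added example, not part of the flashcards and not real BGP code: a minimal model of the AS_PATH attribute showing why prepending makes a route less preferred and how the loop check rejects a path that already contains the receiving router’s own ASN. The ASNs (private range), prefixes and next hops are constructed values, and the decision process is reduced to LOCAL_PREF then AS path length.

```python
"""Added example, not from the flashcards: a minimal model of the BGP
AS_PATH attribute showing (a) why AS path prepending makes a route less
preferred and (b) the loop check that discards a path already containing
the receiving router's own ASN.  ASNs, prefixes and next hops are
constructed private/documentation values; real BGP has more tie-breakers
(origin, MED, eBGP over iBGP, IGP metric, router ID) than the two used here."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost ASN = most recently traversed AS
    next_hop: str
    local_pref: int = 100      # compared before AS_PATH length


def advertise(route: Route, own_asn: int, next_hop: str, prepend: int = 0) -> Route:
    """What an AS does when it sends a route to an eBGP neighbour: it puts its
    own ASN at the front of AS_PATH once, plus `prepend` extra copies (AS path
    prepending) to make the path look longer to that neighbour."""
    return Route(route.prefix, (own_asn,) * (1 + prepend) + route.as_path,
                 next_hop, route.local_pref)


def accept(route: Route, local_asn: int) -> bool:
    """eBGP loop prevention: an advertisement whose AS_PATH already contains
    our own ASN has looped back to us and must be discarded."""
    return local_asn not in route.as_path


def best_path(candidates: Iterable[Route], local_asn: int) -> Optional[Route]:
    """Simplified BGP decision process: keep loop-free paths, then prefer the
    highest LOCAL_PREF, then the shortest AS_PATH."""
    valid = [r for r in candidates if accept(r, local_asn)]
    if not valid:
        return None
    return min(valid, key=lambda r: (-r.local_pref, len(r.as_path)))


LOCAL_ASN = 64500                                   # the router making the decision
ORIGIN = Route("203.0.113.0/24", (), "local")       # originated inside AS 64499

# Path 1: 64499 -> 64496 -> us.   Path 2: 64499 -> 64498 -> 64497 -> us.
VIA_64496 = advertise(advertise(ORIGIN, 64499, "10.0.0.1"), 64496, "192.0.2.1")
VIA_64497 = advertise(advertise(advertise(ORIGIN, 64499, "10.0.0.2"), 64498, "10.0.0.3"),
                      64497, "192.0.2.2")

# AS 64496 wants to steer our traffic away from its link, so it re-advertises
# with two extra copies of its own ASN: AS_PATH becomes 64496 64496 64496 64499.
VIA_64496_PREPENDED = advertise(advertise(ORIGIN, 64499, "10.0.0.1"),
                                64496, "192.0.2.1", prepend=2)

# A route whose AS_PATH already contains 64500: it left us and came back around.
LOOPED = Route("203.0.113.0/24", (64497, 64500, 64499), "192.0.2.2")


def chosen_next_hop(candidates: Iterable[Route]) -> Optional[str]:
    """Next hop our router installs for the prefix, or None if no valid path."""
    best = best_path(candidates, LOCAL_ASN)
    return best.next_hop if best else None


if __name__ == "__main__":
    print("normal     :", chosen_next_hop([VIA_64496, VIA_64497]))             # 192.0.2.1
    print("prepended  :", chosen_next_hop([VIA_64496_PREPENDED, VIA_64497]))   # 192.0.2.2
    print("looped only:", chosen_next_hop([LOOPED]))                           # None
```

Running it shows the two-hop path winning normally, the three-hop path winning once AS 64496 prepends, and the looped advertisement being dropped outright. Because LOCAL_PREF is compared first, a neighbour that sets a higher local preference on the prepended route still uses it, which is why prepending is described as influence rather than control.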

5
Q

What is an AWS Site to Site VPN?

A

The quickest/easiest way to link an AWS environment to something that’s not AWS; a logical IPsec connection between a VPC (via its VGW) and a private, non-AWS network.

6
Q

What are some benefits of a S2S VPN?

A
  • easy/fast to setup
  • offers encryption in transit
  • runs over public internet
  • offers HA if designed accordingly
7
Q

What are the 2 gateways that terminate a S2S VPN?

A

Customer side: CGW

AWS side: VGW

8
Q

How many VGWs can a VPC be connected to?

A

ONE

A VPC can be attached to ONE Virtual Private GW (VGW), and a VGW can be attached to only ONE VPC at a time. The VGW sits in the AWS public zone, which is why the on-premises CGW can reach it over the internet.

9
Q

REVIEW:

Static VPN v Dynamic VPN aka BGP

A

Dynamic:

  • Dynamic VPN uses BGP, so the CGW (customer router) has to support BGP for it to work
  • VGW and CGW exchange routes and link state over BGP, so failover between links/tunnels happens automatically
  • With “Route Propagation” enabled on a VPC route table, routes the VGW learns (via BGP, or static routes configured on the VPN connection) are propagated into that route table automatically instead of being added by hand

Static:

  • you configure the on-premises prefixes as static routes on the VPN connection and in the VPC route tables
  • still IPsec tunnels; the difference is that no BGP session runs over them
  • no BGP-based failover or load-balancing between links
10
Q

VPN Considerations

A

→ Throughput maximum for an AWS VPN is ~1.25 Gbps per tunnel; if you need more than this, you have to use something else (like Direct Connect)
○ The total for all VPN connections terminating on one VGW is also capped at ~1.25 Gbps

→ Latency is inconsistent because it traverses the public internet; more hops = more variability

→ Cost: hourly cost per connection, plus per-GB charge for data going out of AWS

→ Very quick and easy to set up because VPNs are all SW-defined

→ Dynamic VPNs require BGP support on the CE (customer) router, which is much less common on small-site equipment

→ VPNs can be used as a backup for Direct Connect (DX)

→ You can start with a VPN and then add/change to a DX later on

11
Q

What is a DX?

A

Direct Connect

Similar to a SW/logical VPN, but it’s an actual physical connection into the AWS environment from on-premise/customer environment.

DX is a physical 1G or 10G port that a customer plugs into.

12
Q

How is the DX and CE router connected?

A

A single single-mode fibre (SMF) cable is cross-connected from the port on the AWS DX router to a port on the CE router.

13
Q

DX Considerations

A

→ Takes MUCH longer to provision than a SW VPN
○ DX port provisioning is quick, but the cross connect takes much longer because the customer is responsible for setting up/managing the rest of the way to their campus network, usually through a Telco provider

→ You can get a SW VPN up and running first as you work out/setting up the physical DX connection
○ You can then use the VPN as a backup

→ Much faster than a VPN: uses 1G/10G ports, and ports can be aggregated (LAG) for up to 40 Gbps of bandwidth

→ Provides consistent low latency because it’s not going over the public internet; does not consume your regular internet bwd/connections

→ CAVEAT: DX provides no built-in/native encryption, unlike an IPsec VPN

*** Traffic over a private VIF is carried in plain text unless the application encrypts it; most applications treat DX as private networking hidden from the outside world and do not

*** workaround:
○ Create an AWS Site-to-Site VPN
○ Instead of using the public internet as the transit network, reach the VPN endpoints over a Public VIF running across the DX
○ The IPsec tunnel then runs over the Public VIF
○ Gets you the benefits of DX (bandwidth, consistent latency) plus the encryption of IPsec

14
Q

What is a VIF as it relates to DX?

A

Virtual Interface

These can run on top of the physical cross-connect link. Each VIF is a VLAN and a BGP connection between the CE router and the AWS DX router which data can pass over going in/out of AWS.

15
Q

Is HA native to DX?

A

HA is only on the AWS side, i.e. a Region has multiple connections to the DX location(s) over high-speed backbone links.

There is no native HA on the cross-connect side for the customer, i.e. a single SMF fibre link going to a single CE router port.

→→→ DX is a PHYSICAL architecture, which is not HA/resilient by default. The only way to add HA is to add PHYSICAL connections/locations/HW.

16
Q

REVIEW:

How to implement HA in a DX scenario.

A

○ provisioning multiple DX routers, and cross-connects into multiple customer DX routers going over multiple connections to the on-premise network

○ Use a different cable route (physical route) for each connection going to the on-premise network, or multiple Telco providers running a line from the DX routers to the customer network

○ You can use 2 different DX locations with different customer DX routers AND run those into different customer premises locations

** ultimate HA ** – 2 x DX locations each with 2 x DX routers in each going into 2 x customer DX routers… then each is extended to dual CE routers @ the customer locations

17
Q

What is an AWS Transit GW?

A

A network gateway/Hub which can be used to significantly simplify networking between VPC’s, VPNs, and Direct Connects.

→ A TGW is just a Transitive Routing point that connects to other TGW’s, VPC’s, and on-premise DC’s.

18
Q

Benefits of a TGW:

A

→ TGW’s significantly reduce network complexity and facilitates HA; without TGW, you would have to have a full-mesh between the different VPCs and then each of those would have 2 connections to each customer GW (CGW)

→ TGW’s also helps a lot with scale.. Without TGW’s – complexity increases directly with scale

→ Supports “Transitive Routing” – this means you don’t need a full-mesh topology between VPC’s and the on-premise network
○ Single TGW with multiple attachments can route traffic between any of the Attachments
○ Attachment options can be a VPC, S2S and DX attachments

→ Can be used to create global networks by creating “Peer Connections + Attachments” between multiple TGW’s in different Regions

→ Less complexity and much higher scale for network architectures versus not using TGW’s

19
Q

What is a TGW Attachment?

A

Attachments are how the Transit GW connects to other network objects within AWS.

There are VPC attachments, S2S VPN attachments, and DX GW attachments.
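The transitive-routing and attachment cards above, as an added example that is not part of the flashcards and does not call the real TGW API: a small model of Transit Gateway route tables. It shows traffic from one attachment being routed to any other through a single shared route table, longest-prefix match choosing DX over VPN for a more specific on-prem subnet, and how associating spoke VPCs with a separate route table plus a blackhole route stops the VPCs from reaching each other while on-prem can still reach both. Attachment names and CIDRs are constructed values.

```python
"""Added example, not from the flashcards and not the TGW API: a small model
of Transit Gateway route tables showing transitive routing through one shared
table, and how separate route-table associations plus a blackhole route keep
two attachments from talking to each other.  Attachment names and CIDRs are
constructed values."""
import ipaddress
from typing import Dict, Optional

BLACKHOLE = "blackhole"   # TGW route state that drops matching traffic


class TgwRouteTable:
    def __init__(self, name: str):
        self.name = name
        self.routes: Dict[ipaddress.IPv4Network, str] = {}   # network -> attachment or BLACKHOLE

    def add_route(self, cidr: str, target: str) -> None:
        self.routes[ipaddress.ip_network(cidr)] = target

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match, the same rule VPC and TGW route tables use.
        Returns the attachment id, BLACKHOLE, or None when nothing matches
        (the TGW drops the packet in both of the last two cases)."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


class TransitGateway:
    def __init__(self):
        # attachment id -> the route table consulted for traffic *entering from* it
        self.association: Dict[str, TgwRouteTable] = {}

    def associate(self, attachment: str, table: TgwRouteTable) -> None:
        self.association[attachment] = table

    def forward(self, src_attachment: str, dst_ip: str) -> Optional[str]:
        """Traffic arriving from an attachment is looked up in that
        attachment's associated route table, never in another one."""
        return self.association[src_attachment].lookup(dst_ip)


# Attachments: two VPCs, a Site-to-Site VPN and a DX gateway to the same on-prem network.
VPC_A, VPC_B, VPN, DXGW = "vpc-a", "vpc-b", "s2s-vpn", "dx-gateway"


def build_flat() -> TransitGateway:
    """One route table shared by every attachment: full transitive routing."""
    shared = TgwRouteTable("shared")
    shared.add_route("10.1.0.0/16", VPC_A)
    shared.add_route("10.2.0.0/16", VPC_B)
    shared.add_route("192.168.0.0/16", VPN)        # on-prem, reachable over the VPN
    shared.add_route("192.168.10.0/24", DXGW)      # more specific: this subnet goes via DX
    tgw = TransitGateway()
    for att in (VPC_A, VPC_B, VPN, DXGW):
        tgw.associate(att, shared)
    return tgw


def build_segmented() -> TransitGateway:
    """Spoke VPCs may only reach on-prem; on-prem may reach both VPCs.
    The 10.0.0.0/8 blackhole in the spoke table makes VPC-to-VPC traffic fail
    even if a VPC route is later propagated into that table."""
    spokes = TgwRouteTable("spokes")
    spokes.add_route("192.168.0.0/16", VPN)
    spokes.add_route("10.0.0.0/8", BLACKHOLE)
    onprem = TgwRouteTable("onprem")
    onprem.add_route("10.1.0.0/16", VPC_A)
    onprem.add_route("10.2.0.0/16", VPC_B)
    tgw = TransitGateway()
    tgw.associate(VPC_A, spokes)
    tgw.associate(VPC_B, spokes)
    tgw.associate(VPN, onprem)
    tgw.associate(DXGW, onprem)
    return tgw


if __name__ == "__main__":
    flat, seg = build_flat(), build_segmented()
    print("flat vpc-a -> 10.2.0.5     :", flat.forward(VPC_A, "10.2.0.5"))       # vpc-b (transitive)
    print("flat vpc-a -> 192.168.10.7 :", flat.forward(VPC_A, "192.168.10.7"))   # dx-gateway (longest prefix)
    print("seg  vpc-a -> 10.2.0.5     :", seg.forward(VPC_A, "10.2.0.5"))        # blackhole
    print("seg  vpn   -> 10.2.0.5     :", seg.forward(VPN, "10.2.0.5"))          # vpc-b
```

The point for a reviewer of a real TGW design: the hub removes the full mesh, but it also means every attachment can reach every other one unless route-table associations and propagations are deliberately restricted, so segmentation has to be designed in rather than assumed.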

20
Q

What is a Storage Gateway?

A

AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage.

Storage Gateway provides a standard set of storage protocols such as iSCSI, SMB, and NFS, which allow you to use AWS storage without rewriting your existing applications.

21
Q

Main use cases for using a Storage GW:

A

○ Extend your on-premise File/Volume storage into AWS (hybrid environments); Volume Storage = block storage running over iSCSI (NAS & SAN environments)

○ Volume storage hosted locally but replicated into AWS

○ Migrate TAPE backup solutions in AWS

22
Q

What are the (3) modes that the Storage GW can run in?

A

Tape GW Mode (VTL) - storage GW stores virtual tapes on S3; backup SW just thinks it’s interacting with normal physical tape infra.
– § Ideal when you have an existing backup system that already uses Tape and you want to migrate the backup data to AWS and/or retire the tape drives

File Mode - create file shares and offers them up using SMB or NFS; storage GW maps files onto S3 objects.
– § The File GW is basically a super large file server that, instead of storing files on local storage, instead stores them as objects in S3

Volume Mode - storage GW presents block storage; basically presents storage Volumes over iSCSI
– § Two sub-modes: Stored (primary copy is on the on-prem gateway, asynchronously backed up to AWS as EBS snapshots) and Cached (primary copy lives in S3, with a local cache of frequently used data, plus EBS snapshots)

23
Q

What are the AWS Snowball services

A

Physical AWS service that’s used to move LARGE amounts of data either IN or OUT of AWS.

24
Q

What is Snowball?

A

50TB or 80TB storage units/devices delivered to customer. Customer connects with either 1G or 10G cables.

25
Q

What is Snowball Edge?

A

Same as Snowball but comes with COMPUTE capability on top of the storage; used when you also need to process data as it’s being ingested, for example at a remote site

○ Larger capacity than Snowball and faster network ports: 10, 25 or 100 Gbps

26
Q

What is Snowmobile?

A

Portable DC in a shipping container that rides on the back of a truck for huge amounts of data (over 10PBs)

27
Q

What is a Directory?

What are some examples of things held in a Directory?

What are multiple Directories grouped together called?

A

A Directory stores objects in a structure that’s hierarchical; it’s basically an inverted tree structure that holds identity-related objects.

Examples: users, groups of users, computers, servers, files, etc.

Multiple Directories grouped together are called a “Forest” (the Active Directory term for a group of domains sharing one schema and trusts).

28
Q

What is AWS Directory Services (AWS DS)?

A

Amazon’s instance of a managed Directory Service - basically MSFT AD (most common DS) but for AWS

29
Q

What environment does an AWS DS run in?

A

It runs in a VPC; it is PRIVATE due to this nature.

30
Q

What are the 3 modes that AWS DS can run in as options?

A

Simple AD mode

AWS Managed MSFT AD Mode

AD Connector Mode

31
Q

What is AWS “DS Simple AD” Mode?

A

Cheapest and simplest way that the product runs in a VPC; this is the default mode to run DS in.

Designed to run in isolation; basically an implementation of SAMBA 4.

32
Q

What is AWS “Managed MSFT AD” Mode?

A

This is an actual, full functioning MSFT AD implementation running directly in AWS.

You can connect to an on-premise DS via a “trust relationship” over VPN or DX, but it is not required; it can run on its own.

33
Q

What is AWS “AD Connector” Mode?

A

This service will proxy requests back to an on-prem DS.

This works well if you want to use specific AWS services that require DS but don’t want to spin up a service in AWS and/or already have a full DS implementation on-premise.

This requires on-premise DS service… it just acts as a proxy from the cloud.

34
Q

AWS DS Review

A

→ Simple AD is the default; simple requirements for a directory that can run in AWS

→ MSFT AD mode is for when you have services running in AWS that actually need MSFT AD specifically OR if you need to set up a trust between MSFT AD on-premise with AWS
○ This is a managed deployment of a MSFT AD

→ AD Connector is used when you need AWS services that require a directory but don’t want to store any directory info in the cloud

35
Q

What is AWS DataSync?

A

Product which can orchestrate the movement of large scale data (amounts or files) from on-premises NAS/SAN into AWS or vice-versa

36
Q

REVIEW:

DataSync Use Case and Key Capabilities

A

→ Main use cases:
○ Data migration into/out of AWS
○ Putting data in AWS for processing and then back out again
○ Archive data in AWS for cost effective storage
○ DR

→ Key Capabilities:
○ Scalable – up to 10 Gbps per agent and up to 100 TB per day
○ Bandwidth limiters – reduce the customer impact of the transfer (e.g. a low-bandwidth site)
○ Incremental and scheduled transfer options
○ Compression and encryption
○ Automatic recovery from transit errors
○ Pay as you use service; you’re charged per GB of data that’s moved by the service

37
Q

How is DataSync deployed?

How does it talk to AWS?

How does it talk to on-premise storage?

A

As a SW agent VM running inside the on-premise environment.

Talks to AWS via TLS

Talks to on-premise storage via NFS or SMB.

38
Q

What is FSx for Windows?

A

Provides a native Windows file system as a service which can be used within AWS, or from on-premises environments via VPN or Direct Connect.

Amazon FSx for Windows File Server provides fully managed file storage that is accessible over the industry-standard Server Message Block (SMB) protocol

○ Advanced shared file system accessible over SMB, and integrates with Active Directory (either AWS managed or self-hosted)… there are no servers to manage, i.e. it is delivered as a service like RDS.

39
Q

REVIEW:

FSx Key Points

A

FSx versus EFS
○ EFS
§ Used for shared file systems on EC2
§ Used for shared file systems on Linux servers running on-premise

○ FSx
§ Dedicated for windows environments (i.e not LINUX)
§ Can integrate completely with MSFT AD running on-premise, or a managed DS service provided by AWS

    • shares are accessible via SMB and encrypted at rest via KMS
    • FSx is very high performing: very low latency, and throughput scales with the performance level you provision
40
Q

What is FSx for Lustre

A

Managed file system which uses the FSx product and is designed for high performance computing.

It delivers extreme performance for scenarios such as Big Data, Machine Learning and Financial Modeling.

SUMMARY:
→ If you hear “SMB” it’s FSx for Windows
→ If you hear “POSIX” or high performance, big data, or machine learning then it’s FSx for Lustre

41
Q

What are the 2 deployment types for FSx for Lustre?

A

Scratch - highly optimized for the short term, high end performance but the downside is it doesn’t provide much resilience/HA

Persistent - great for long term storage with some HA; the HA is only within a single AZ however. If the failure is within the AZ, then the FSx node will be replaced automatically by AWS.

42
Q

How is FSx accessed? (not the protocol it runs over i.e SMB)

A

FSx for Lustre is a managed file system whose endpoint lives in a VPC (in a chosen AZ); it is mounted by Linux EC2 instances running the Lustre client, and on-premises clients reach it through a VPN or DX.

43
Q

Which storage gateway mode is good for data centre extension into AWS - Volume GW Cached or Volume GW Stored

A

Cached

– If you want to keep files local but asynchronously backup to AWS use “Stored Mode”

– Extend into AWS while minimizing local storage footprint, choose “Cached Mode”

44
Q

Can a private encrypted connection be created using Direct Connect? (if so how)

A

Yes - DX itself carries traffic unencrypted, so run an AWS S2S VPN (IPsec) over a Public VIF: the VPN endpoints are reached across the DX instead of the public internet, and the IPsec tunnel provides the encryption.