Amazon AWS Certified Advanced Networking Specialty – Virtual Private Networks & IPSec Tunnels Part 9

January 17, 2023

25. Prerequisites for a CGW for AWS VPN Connectivity

Hey everyone and welcome back. In today’s video, we will be discussing some of the important prerequisites that we need to consider before we choose AWS VPN for site-to-site tunnel capabilities. Now, do remember that it is not mandatory to always make use of the AWS VPN with the help of a virtual private gateway. You can even have your own EC2 instance as the VPN termination endpoint. However, in case you want to choose the AWS one, then there are certain prerequisites that must be met on the customer gateway side. Now, one important part to remember is that not all customer gateway devices are supported to connect to the VGW. So you cannot make use of every customer gateway device to establish the tunnel. Now, the reason why not all of them are supported is that whichever customer gateway wants to terminate the tunnel needs to have certain features available.

And these are the features that we have listed within the slide. Now, the first one is that the customer gateway should be able to establish the IKE Security Association using pre-shared keys with IKE version 1 or version 2. Now, the second important point is that it should be able to establish the IPsec Security Association in tunnel mode. Now, this is important because if you want to establish the tunnel with the help of AWS VPN, then the virtual private gateway only supports IPsec. There are other protocols like GRE, but they are not supported. Only IPsec is supported as of now. So whatever customer gateway you might have, it should support IPsec-based Security Associations. Now, the third important point here is that the customer gateway that you might have on premises should be able to utilize the AES 128-bit or 256-bit encryption function. Now, the 256-bit encryption function is quite new.

Earlier it used to only support 128-bit, but 256-bit is a newer capability which is quite important nowadays. The fourth important point is that the customer gateway should be able to utilize the SHA-1 or SHA-2 hashing functions. Now, along with that, the customer gateway should be able to perform packet fragmentation prior to encryption, and it should also be able to utilize Diffie-Hellman group 2 or one of the additional Diffie-Hellman groups. From a security standpoint, treat SHA-1 and DH group 2 as the minimum the tunnel can negotiate, not as what you should configure: wherever the customer gateway supports it, choose SHA-2 and a stronger DH group, and restrict the accepted algorithms in the tunnel options on the AWS side so the weaker ones are never negotiated. Now, among all of them, you do not really have to remember each and every small thing. So if you see, I have colored the first four pointers. Now, the reason why I have colored the first four pointers is that these are the most important for the exams. So just remember, at a high-level overview, certain prerequisites that need to be present. Now, many times in exams, you might get a question that there is a customer gateway on the on-premises side.

Now, that customer gateway does not support IPsec; it supports GRE-based tunneling. And the question would be whether the tunnel can be established between the customer gateway and the VGW. And the answer is no. Since the VGW side supports only IPsec, GRE is not supported, so you have to answer accordingly. Similarly, in exams you might get quiz questions related to these pointers, so make sure you remember them. Now, one of the questions that comes up is what happens if your customer gateway does not meet the requirements. How can you have an alternate mechanism? Now, do remember that in case your customer gateway does not meet the requirements, or if you need certain additional capabilities which the AWS-side VPN does not support, then you can make use of an EC2-based VPN. So you can install Openswan, or there is various other software, and you can use it as a VPN termination endpoint. Again, it is not mandatory to make use of a virtual private gateway. You can have your own EC2 instances. And in fact, I have seen that there are organizations which do not opt for the virtual private gateway based approach.

26. High Availability for EC2 VPN

Hey everyone and welcome back. In today’s video, we will be discussing some of the important pointers that you need to consider for High Availability, specifically when you are using an EC2 instance for VPN. So there are organizations which do not use the virtual private gateway. They make use of an EC2 VPN specifically for certain custom capabilities that they need which are not supported by the AWS VPN. Now, the first important consideration is that if you are using an EC2 instance as a VPN termination endpoint, this can be an IPsec VPN with the help of software like Openswan.

So if you’re using an EC2 instance, then the availability and the redundancy are the responsibility of the customer. So if the EC2 instance goes down for some reason, it is the responsibility of the customer to make sure that it is fixed. However, when it comes to the virtual private gateway, we already saw how a virtual private gateway has two endpoints located in two different Availability Zones for High Availability.

So let’s say that you have a VPN connection which is established between a Customer Gateway and your EC2 instance, and there is a route for 192.168.0.0/16 whose next hop is this specific EC2 instance. So any traffic which is destined for 192.168.0.0/16, which might be the CIDR of the customer site, goes to the EC2 instance. From the EC2 instance, it would be forwarded to the on-premises location. Now, in order to achieve High Availability over here, what we need to do is have two EC2 instances. So in this case, we already discussed that there will be a route for 192.168.0.0/16 which will be pointed to EC2 instance one. However, in case EC2 instance one goes down, then the route table needs to be changed so that the next hop changes from EC2 instance one to EC2 instance two.

So all of your EC2 instances, instead of sending the traffic which is destined for the on-premises location to EC2 instance one, would send it to EC2 instance two. So this part needs to be automated. So basically, you need to create your own automation script which will monitor your EC2 instances. And if one of the EC2 instances is down, then it will automatically change the route table so that the next hop is EC2 instance two.

All right? So in this type of architecture, we see that there are two tunnels which are created for High Availability. So, revising certain important pointers that you should remember to achieve High Availability, specifically if you are using an EC2 instance for VPN termination. The first point is that you need to have a monitoring script which will perform the failover when one of the VPN tunnels goes down. This monitoring script will need to change the route table to point to the standby VPN EC2 instance in case the primary one fails. Now, we can also make use of the EC2 auto recovery feature, which would restart the EC2 instance in case of a specific failure. One more thing to check on both instances: source/destination checking must be disabled on the VPN instances, otherwise EC2 drops the forwarded traffic and the route is useless even when the tunnel is up.
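The failover logic described above, as an added example (this is not code from the course). The EC2 route API is hidden behind a small in-memory stand-in so the script runs offline; in a real deployment you would back it with boto3 (`ec2.replace_route(RouteTableId=..., DestinationCidrBlock=..., InstanceId=...)`) and replace the probe with a ping across the tunnel or an IPsec SA check on the instance. The instance IDs, the route table ID and the tunnel health values are constructed; the CIDR is the on-premises range from the lecture in canonical form.

```python
"""Route-table failover for an EC2-hosted VPN endpoint (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed identifiers: on-prem CIDR from the lecture, made-up route table ID.
ON_PREM_CIDR = "192.168.0.0/16"
ROUTE_TABLE_ID = "rtb-0123456789abcdef0"


@dataclass(frozen=True)
class VpnNode:
    name: str
    instance_id: str


class InMemoryRouteApi:
    """Stand-in for the EC2 route API so the logic runs offline.

    A real implementation would wrap boto3:
        ec2.describe_route_tables(RouteTableIds=[route_table_id])
        ec2.replace_route(RouteTableId=route_table_id,
                          DestinationCidrBlock=cidr, InstanceId=instance_id)
    """

    def __init__(self, routes: Dict[str, str]):
        self.routes = dict(routes)  # destination CIDR -> next-hop instance ID
        self.replace_calls = 0

    def current_next_hop(self, route_table_id: str, cidr: str) -> Optional[str]:
        return self.routes.get(cidr)

    def replace_route(self, route_table_id: str, cidr: str, instance_id: str) -> None:
        self.replace_calls += 1
        self.routes[cidr] = instance_id


def reconcile(api, probe: Callable[[VpnNode], bool], primary: VpnNode,
              standby: VpnNode, cidr: str = ON_PREM_CIDR,
              route_table_id: str = ROUTE_TABLE_ID) -> Tuple[str, Optional[str]]:
    """One monitoring pass. Returns (action, next_hop_instance_id).

    Policy:
      * the primary carries traffic whenever it passes the probe (failback);
      * failover happens only if the standby itself passes the probe, so a
        dead primary never triggers a swap to an equally dead standby;
      * if both fail, the route is left alone and "both-down" is reported so
        an operator (or EC2 auto recovery) can act.
    """
    healthy = [node for node in (primary, standby) if probe(node)]
    if not healthy:
        return "both-down", api.current_next_hop(route_table_id, cidr)
    target = healthy[0]
    if api.current_next_hop(route_table_id, cidr) == target.instance_id:
        return "unchanged", target.instance_id
    api.replace_route(route_table_id, cidr, target.instance_id)
    return "switched", target.instance_id


def demo() -> List[Tuple[str, Optional[str]]]:
    """Replay a primary failure, a double failure and a recovery offline."""
    primary = VpnNode("vpn-primary", "i-0aaaaaaaaaaaaaaaa")
    standby = VpnNode("vpn-standby", "i-0bbbbbbbbbbbbbbbb")
    api = InMemoryRouteApi({ON_PREM_CIDR: primary.instance_id})
    # Constructed tunnel health; a real probe would ping a host on the far
    # side of the tunnel or check the IPsec SA on the instance.
    alive = {primary.instance_id: True, standby.instance_id: True}

    def probe(node: VpnNode) -> bool:
        return alive[node.instance_id]

    log = [reconcile(api, probe, primary, standby)]      # both healthy
    alive[primary.instance_id] = False
    log.append(reconcile(api, probe, primary, standby))  # primary lost
    alive[standby.instance_id] = False
    log.append(reconcile(api, probe, primary, standby))  # everything lost
    alive[primary.instance_id] = True
    log.append(reconcile(api, probe, primary, standby))  # primary recovered
    return log


if __name__ == "__main__":
    for action, hop in demo():
        print(f"{action:10s} next hop = {hop}")
```

Two design choices worth keeping when you move this onto a real poller: the script never swaps to a standby it has not verified itself, and immediate failback is a deliberate simplification; in production add a hold-down (several consecutive healthy probes) before returning to the primary so a flapping tunnel does not rewrite the route table every cycle.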

27. HA for Direct Connect

Hey everyone and welcome back. In today’s video, we’ll be discussing the high availability aspect of Direct Connect. Now, one important part to remember is that if you have a single Direct Connect connection, it is subject to failure. And this is something which you might face if you have a single Direct Connect connection. Now, in the case of a Direct Connect failure, whether a hardware failure, a network failure, et cetera, your link will break completely. So let’s say that one part of your application is in AWS and the second part is in your data center, and you have a Direct Connect between both of them; if the Direct Connect breaks, then your application will break. So this is the reason why it is recommended to have a backup VPN connection over the Internet. And this is something which a lot of organizations do.

So here you see you have on-premises, you have AWS, and this is a single Direct Connect connection. And if this breaks, essentially your link between your on-premises and your AWS is broken. So as a backup, you need to have something through which your on-premises servers can connect to your AWS. So this is what we were referring to as the secondary backup connection of VPN. So what happens here is that you have a single Direct Connect connection and a backup VPN connection over the Internet. In this case, if the Direct Connect connection breaks, then the traffic can be routed over the Internet to AWS.

However, you will not have the same latency or the same bandwidth over the VPN as you get with Direct Connect. But you will definitely have your applications up and running. So when it comes to the high availability of Direct Connect, there are two types of architecture that you need to remember. Now, we already discussed the secondary backup connection over the Internet. So this is something that you need to remember for the exams. However, this type of secondary backup architecture is not a Direct Connect architecture. That basically means that if you switch from Direct Connect to VPN, the latency goes up, the cost profile changes, and the bandwidth will be reduced. So you need to understand the high availability architecture of Direct Connect itself, both without VPN and with VPN.

So with VPN is the architecture that we just discussed. Let’s discuss the without-VPN architecture as well. So this type of architecture is a dual connection, single location architecture. What happens here is that you have two routers on the AWS side of the Direct Connect location and two routers on the customer side, and both pairs are connected. So you have a single location. This entire location is in the Mumbai region. However, there are two connections available over here. So in case one of the routers or connections fails for some reason, you still have the second connection up and running, through which you will be able to route the traffic. And this is important because this type of scenario is something that you might see within your organization if you are using Direct Connect. So this is the reason why it is called dual connection: there are two connections, but the location is a single location.

All right, so although this is good, it is not the best, because everything is within a single location. So the second type of architecture is dual connection, dual location. This is one of the best types of architecture that you can implement, where you have two locations. So this is one location and this is the second location, and in both of these locations you have the Direct Connect setup. Now, the same applies here. You have two locations within your on-premises which are connected, and both of them are connected to the partner rack. So this can be a customer or a partner rack, and in turn they are connected to the AWS rack. So this is something that your organization can opt for if you have enough budget and you really want good resiliency within your Direct Connect architecture. If you have something like this, then you do not really have to worry about a single Direct Connect link going down and having to switch to VPN.

You can use this type of architecture and, on top of it, make use of VPN as the final option. So you have dual connection, dual location, plus the VPN as a last backup. This type of architecture is the one which is preferred.
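To see why the VPN only carries traffic once every Direct Connect path is gone, here is an added example (not from the course) that models the path selection a virtual private gateway applies: longest prefix first, and for identical prefixes, Direct Connect BGP routes ahead of static VPN routes, ahead of BGP VPN routes, then shortest AS_PATH. The topology (two Direct Connect locations plus a VPN over the Internet), the link names and the prefixes are constructed for the illustration.

```python
"""Which path carries a packet to the data centre as links fail (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Tie-break order a virtual private gateway applies to identical prefixes
# (longest prefix match is applied first): Direct Connect BGP routes, then
# static Site-to-Site VPN routes, then BGP Site-to-Site VPN routes, then
# the shortest AS_PATH.
SOURCE_RANK = {"dx-bgp": 0, "vpn-static": 1, "vpn-bgp": 2}


@dataclass(frozen=True)
class Route:
    prefix: str       # CIDR advertised from on-prem
    source: str       # key into SOURCE_RANK
    link: str         # constructed name of the physical or logical link
    as_path_len: int = 1


def select_route(routes: Iterable[Route], dest_ip: str,
                 failed_links=frozenset()) -> Optional[Route]:
    """Pick the route the gateway would use, ignoring routes on failed links."""
    dst = ip_address(dest_ip)
    candidates = [r for r in routes
                  if r.link not in failed_links and dst in ip_network(r.prefix)]
    if not candidates:
        return None
    # min() is stable, so among equal routes the first listed wins; a real
    # gateway may load-balance equal Direct Connect routes instead.
    return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen,
                                          SOURCE_RANK[r.source], r.as_path_len))


# Constructed topology: dual connection, dual location, plus VPN backup.
ROUTES = [
    Route("192.168.0.0/16", "dx-bgp", "dx-location-a"),
    Route("192.168.0.0/16", "dx-bgp", "dx-location-b"),
    Route("192.168.0.0/16", "vpn-bgp", "vpn-over-internet"),
]


def failure_sequence(routes: List[Route], dest_ip: str,
                     order: List[str]) -> List[Optional[str]]:
    """Fail links one at a time in `order`; return the link in use after each step."""
    failed = set()
    chosen = select_route(routes, dest_ip, failed)
    used = [chosen.link if chosen else None]
    for link in order:
        failed.add(link)
        chosen = select_route(routes, dest_ip, failed)
        used.append(chosen.link if chosen else None)
    return used


if __name__ == "__main__":
    steps = ["dx-location-a", "dx-location-b", "vpn-over-internet"]
    for step, link in zip(["(all up)"] + steps, failure_sequence(ROUTES, "192.168.10.25", steps)):
        print(f"after failing {step:20s} -> {link}")
```

This models only the AWS side. The on-premises router makes its own decision for the return path, so it must also prefer the Direct Connect paths (for example via BGP local preference) or you end up with asymmetric routing, with requests arriving over Direct Connect and replies leaving over the VPN.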

28. Link Aggregation Groups

Hey everyone and welcome back. In today’s video, we will be discussing the Link Aggregation Group. Now, one important part to remember is that the term Link Aggregation Group is not just limited to Direct Connect. In fact, this is a generic concept. However, the same thing applies at the Direct Connect level also. Now, in short, Link Aggregation allows us to group Ethernet interfaces to form a single link-layer interface, which is also known as a Link Aggregation Group, referred to as a LAG or also a bundle. So this can be understood with the diagram here. You have a switch and, let’s say, you have a server here. Now, this server has multiple network interfaces. You can combine all of them to form a single logical interface, which is referred to as the Link Aggregation. Now, there are a lot of advantages to this type of approach.

One of the advantages is that it can increase the network throughput beyond what a single connection could sustain. So let’s say you have a NIC over here and this NIC can sustain, let’s assume, 10 Mbps, and you have a NIC two which can also sustain 10 Mbps. So if you just make use of a single NIC, you can have a maximum throughput of 10 Mbps. In the case of Link Aggregation, you combine both of these links. So in combination you can have up to around 20 Mbps of aggregate throughput. One caveat: LACP hashes each flow onto one member link, so a single flow is still limited to the rate of one link; the gain shows up across many flows, not within one. And the second important advantage of Link Aggregation is that you can have redundancy.

So in case you have a Link Aggregation over here and one of the NICs goes down, then you still have the second NIC through which traffic can flow. So these are some of the advantages of Link Aggregation, and the same advantages apply when you do Link Aggregation with Direct Connect connections.

Now, from the perspective of Direct Connect, a Link Aggregation Group basically makes use of the Link Aggregation Control Protocol, referred to as LACP, to aggregate multiple 1 Gbps or 10 Gbps connections at a single Direct Connect location, allowing customers to treat them as a single managed connection. So this is important; we’ll understand this in detail as part of the important pointers on the last slide. Now, once we create a Link Aggregation Group, we can associate existing connections with our LAG. Now let’s understand some of the important pointers that you need to remember for the exams with respect to Direct Connect and LAG.

First, all the connections in the Link Aggregation Group must use the same bandwidth. Second, bandwidths of 1 Gbps and 10 Gbps are supported. Third, you can have a maximum of four connections in a single Link Aggregation Group. And the fourth point, which is quite important, is that all the connections in a LAG must terminate at the same Direct Connect location and on the same AWS device. So this is one important part to remember. Now, there is one more important concept that you need to remember as far as Direct Connect and LAG are concerned. That is that every LAG that we create has an attribute which determines the minimum number of connections in the LAG that must be operational for the LAG itself to be operational. So we can understand this with an example.

Let’s say the total number of connections for our LAG is four. So four is the maximum number of connections that we can associate with a LAG. Now, we define the minimum number of connections as two. That basically means that in order for our LAG to be in the operational condition, at least two connections must be up and running. Now, if two connections happen to fail, the overall status would still be up, because two of the four connections within that LAG are still running. However, if a third connection fails, the overall status would be down. The reason it would be down is that we have defined that the minimum number of connections should be two. So if the number of running connections is only one, which is the case where the third connection fails, then the overall LAG would be down, even though a single connection is still up and running.

So you need to make sure that whatever value you specify for this attribute is directly linked to what you consider an operational LAG. Now, this is important. Some might say that you can set the minimum number of connections to one. You can certainly do that, but the problem is that there are use cases where you created a LAG with four connections because you required a certain performance, a certain bandwidth. And out of four connections, if only one connection is running, that means your overall performance, your overall bandwidth, your overall throughput is impacted significantly. And this is the reason why a lot of organizations do not set the minimum number of connections to one.
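The LAG constraints and the minimum-links rule from the last two slides, as an added example (not code from the course): a validator that flags a LAG violating the lecture's constraints (matching bandwidth, supported speeds, at most four members, one location, one AWS device) and a state function that applies the minimum-links rule as members fail. The limits are taken as parameters from the lecture rather than as a current AWS quota, and the LAG, connection IDs, location and device names are constructed.

```python
"""Constraint check and operational state for a Direct Connect LAG (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Limits as given in the lecture; treat them as parameters, not a live quota.
MAX_CONNECTIONS_PER_LAG = 4
SUPPORTED_BANDWIDTHS_GBPS = {1, 10}


@dataclass
class Connection:
    connection_id: str
    bandwidth_gbps: int
    location: str
    aws_device: str
    up: bool = True


@dataclass
class Lag:
    lag_id: str
    minimum_links: int
    connections: List[Connection]


def validate_lag(lag: Lag) -> List[str]:
    """Return the constraints this LAG violates (empty list when it is valid)."""
    errors: List[str] = []
    n = len(lag.connections)
    if n == 0:
        return ["LAG has no connections"]
    if n > MAX_CONNECTIONS_PER_LAG:
        errors.append(f"{n} connections exceeds the maximum of {MAX_CONNECTIONS_PER_LAG}")
    bandwidths = {c.bandwidth_gbps for c in lag.connections}
    if len(bandwidths) > 1:
        errors.append(f"mixed bandwidths {sorted(bandwidths)}; all members must match")
    for bw in sorted(bandwidths - SUPPORTED_BANDWIDTHS_GBPS):
        errors.append(f"{bw} Gbps is not a supported member bandwidth")
    if len({c.location for c in lag.connections}) > 1:
        errors.append("members terminate at different Direct Connect locations")
    if len({c.aws_device for c in lag.connections}) > 1:
        errors.append("members terminate on different AWS devices")
    if not 1 <= lag.minimum_links <= n:
        errors.append(f"minimum_links={lag.minimum_links} must be between 1 and {n}")
    return errors


def lag_state(lag: Lag) -> Tuple[str, int, int]:
    """Apply the minimum-links rule: (state, members up, usable Gbps).

    A LAG below its minimum is down as a whole, so it carries nothing even
    though some members are still physically up.
    """
    links_up = sum(1 for c in lag.connections if c.up)
    state = "up" if links_up >= lag.minimum_links else "down"
    usable = links_up * lag.connections[0].bandwidth_gbps if state == "up" else 0
    return state, links_up, usable


def demo() -> List[Tuple[str, int, int]]:
    """Four 10 Gbps members, minimum two; fail members one at a time."""
    lag = Lag("dxlag-example", minimum_links=2, connections=[
        Connection(f"dxcon-{i}", 10, "Mumbai", "device-1") for i in range(4)
    ])
    problems = validate_lag(lag)
    if problems:
        raise ValueError(problems)
    history = [lag_state(lag)]
    for failed in (0, 1, 2):
        lag.connections[failed].up = False
        history.append(lag_state(lag))
    return history


if __name__ == "__main__":
    for state, up, gbps in demo():
        print(f"{up} member(s) up -> LAG {state}, {gbps} Gbps usable")
```

The usable-bandwidth column is the reason the lecture argues against a minimum of one: a minimum of two on four 10 Gbps members guarantees at least 20 Gbps whenever the LAG reports up, whereas a minimum of one lets the LAG report healthy at a quarter of its design capacity.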
