2. VOYAGER INNOVATIONS, INC.
• Established in 2013
• Wholly owned subsidiary of Smart Communications
• Drives exploration and creation of disruptive digital services
• We focus on digital innovations
• We are hiring. CACua@smart.com.ph
4. WHY VPC
• Logical isolation of AWS assets (think of VLAN)
• Control over IP addressing, subnets, routing, gateways
• VPN Connectivity to datacenter or 3rd party networks
• VPC Peering
• S3 Security
• NACL apart from Sec Groups
• Assign private static IP to EC2 instance
• New features / services are VPC-only
5. USE CASES
• Public facing sites
• Multi-tier web applications
• Host scalable applications that are connected to on-prem resources
• Extend on-prem network into the cloud
• Disaster recovery
10. VPC IPSEC
• Cheapest, easiest and the quickest to implement
• Static or Dynamic Routing (no public AS required)
• Secure tunnel through public internet
• Supports dual tunnel for redundancy
• Supports the most common hardware VPN appliances
  • Cisco, Fortinet, Juniper, Microsoft, Palo Alto, Yamaha, IIJ
  • Check Point, H3C, etc.
• … and software
  • racoon
  • strongSwan
  • Openswan
13. DIRECT CONNECT
• Consistent network performance
• PH – SG ~40ms through PLDT
• Private access to AWS services such as EC2, S3, VPC, etc
• 1Gbps to 10Gbps, but depends on the capability of your Direct Connect Provider
• Needs APN partner
• SG – Equinix, Tata, Verizon, Level 3, NTT, Pacnet
• Philippines – PLDT
• Implementation from weeks to months
15. COMBINATION
DIRECT CONNECT WITH IPSEC FAIL-OVER
• IPSec is cost-effective redundancy for Direct Connect
• IP Routing through APN Partner
  • Static
    • AWS – force Direct Connect by propagating specific routes through BGP (10.10.10.10/32 – BGP, 10.10.10.0/24 – IPSec)
    • IPSec – use static routing
    • Customer – IPSLA
    • Need the Direct Connect Provider to propagate for you
  • Dynamic
    • AWS – Automatic
    • Customer – BGP AS-PATH Prepending
    • You propagate your own routes
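The static fail-over scheme above, as an added example that is not part of the deck: a small longest-prefix-match model of the VPC route table loaded with the deck's two prefixes, showing traffic to 10.10.10.10 using Direct Connect while its /32 BGP route exists and falling back to the IPSec /24 once that route is withdrawn. Reducing route selection to longest-prefix match only, and the route/target names, are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    target: str   # "direct-connect" or "ipsec" (names chosen for this example)
    source: str   # "bgp" = propagated by the Direct Connect provider, "static" = IPSec static route


def dx_with_ipsec_failover() -> List[Route]:
    # Constructed from the deck's example: the host /32 is learned over BGP via
    # Direct Connect, the covering /24 is a static route over the IPSec tunnel.
    return [
        Route(ipaddress.ip_network("10.10.10.0/24"), "ipsec", "static"),
        Route(ipaddress.ip_network("10.10.10.10/32"), "direct-connect", "bgp"),
    ]


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    # Longest-prefix match: the most specific prefix containing dst wins.
    # This is a simplified model of route selection, assumed for the example.
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in r.prefix]
    return max(matching, key=lambda r: r.prefix.prefixlen, default=None)


def withdraw_bgp_routes(routes: List[Route]) -> List[Route]:
    # Simulate the Direct Connect BGP session going down: propagated routes
    # disappear from the table, the static IPSec route remains.
    return [r for r in routes if r.source != "bgp"]


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    route = select_route(routes, dst)
    return route.target if route else None


if __name__ == "__main__":
    table = dx_with_ipsec_failover()
    print("10.10.10.10, Direct Connect up   ->", next_hop(table, "10.10.10.10"))
    print("10.10.10.20, Direct Connect up   ->", next_hop(table, "10.10.10.20"))
    print("10.10.10.10, Direct Connect down ->", next_hop(withdraw_bgp_routes(table), "10.10.10.10"))
```

Only the host covered by the propagated /32 is steered onto Direct Connect; every other address in the /24 stays on the IPSec tunnel, which is exactly why the deck has the provider propagate the specific routes for you.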
17. ROLL YOUR OWN
• IPSec, PPTP, L2TP, SSL
• OpenVPN is the easiest to implement
• Site-to-Site connectivity
• Can be used in road-warrior style
• Force routes to remote peer
• Integrates with LDAP and TOTP
• Requires client software
• Free
18. VPC PEERING
• Inter-VPC communication as if they were on the same VPC
• Your own or 3rd Party VPC
• Think of VLAN trunking
• Apply routing policies on both sides
• Maybe peer with another VPC in another region (future)
• NACL and Sec Groups still apply
• Peered VPC to IPSec/Direct Connect not supported
• But can use a proxy