In this session, explore three benefits of private, dedicated network connections to AWS. Learn how you can transport business-critical data directly from your data center, office, or colocation environment into and from AWS over dedicated network connections. Discover how to dynamically scale your bandwidth up to 300 percent, only paying for what you use, and how to use dynamic scaling to speed up backups, temporary or scheduled workloads, moving from test to live production, and new product launches. Also, learn how to use private network connectivity to help build hybrid environments in situations where security and compliance are critical. Hybrid environments let you extend your private on-premises infrastructure with the elasticity and economic benefits of AWS. Session sponsored by Level 3.
2. What to Expect from the Session
Who is Level 3 Communications?
Trends Transforming IT
Best Practices when Connecting to the Cloud
• High Performance Connectivity
• SDN Implementations for the Cloud
• Hybrid Environments
• Compliance and Security
3. Who is Level 3 Communications?
OUR COMPANY
OUR CUSTOMERS
5. Your organization has decided to move applications, workloads, and data to the cloud…
You need a strong network strategy to build a successful cloud architecture.
7. AWS Direct Connect – high performance connectivity
• A trusted path for enterprises to migrate and optimize applications in the cloud
• Seamless, private connectivity for private, public, and hybrid IT environments
• The scalability, efficiency, and flexibility of the public cloud without compromising performance, productivity, or revenue
Level 3 Cloud Connect Solutions / AWS Direct Connect
8. Real-time data feeds
CHALLENGE
Video, voice, and collaboration applications require low latency and consistent network performance.
SOLUTION
Enable direct user access from customer premises directly to AWS. Single-hop routing removes variable latencies, packet loss, and the unpredictability of the Internet.
9. Reference architecture
(Diagram) WAN routing to AWS: the customer HQ, branches, and enterprise data center each connect through a Customer CE router into the Level 3 global WAN; a Level 3 PE router hands off across the Level 3 NNI to the CSP PE router and AWS Direct Connect. On the AWS side the connection terminates on a Virtual Private Gateway (serving VDI WorkSpaces and Amazon CloudFront streaming), with single-hop BGP peers and sustainable IP addresses and subnets.
Common Use Cases:
• Amazon CloudFront video streaming
• Amazon WorkSpaces
• Intranet hosting (MS SharePoint)
10. SDN implementations for the cloud
Scalability in bandwidth over private connections to AWS: up to 300%
11. Dynamic capacity implementations
• AD HOC CHANGES: adjust the desired bandwidth and instantly see the cost per meg per hour
• UTILIZATION BASED: automatically trigger a bandwidth increase based on your utilization thresholds
• SCHEDULED: one-time, daily, or weekly; set start and end times (for example, weekly back-ups)
12. Variable workloads – Brock White case study
CHALLENGE
Back-ups can time out with large data sets that require multiple hours to execute.
SOLUTION – Scheduled Bandwidth
The Dynamic Capacity capabilities allow the firm to immediately double or triple its network capacity when network traffic increases for weekly back-ups.
“The automatic threshold capability made Dynamic Capacity twice as useful for us. You tell it what you need and it automatically does it for you. The important point is that with flexible bandwidth my time is freed up to work on other business solutions and not infrastructure. I don’t have to worry about my network, or even think about its performance.”
13. Variable workloads need flexible bandwidth options
Key Benefits
• VLAN mapping over Ethernet provides simplicity
• eLynk interface: physically connected to the CSP/DCO; a 1G or 10G port terminates multiple EVCs
• Quality of Service (QoS) aware
• Dynamic Capacity to increase bandwidth 3x
Reference architecture
(Diagram) Level 3 Ethernet to AWS Direct Connect: the enterprise data center's Customer CE (a Layer 3 router) has 1G Ethernet access (native or 802.1Q) to a Level 3 Layer 2 PE; across the Level 3 global network there is one VLAN per customer EVC (for example, a 200 Mbps customer EVC) to the CSP Layer 2 PE. The hand-off is either a pre-established NNI with a 1:1 relationship of EVC to VPC, or a dedicated cross-connect VLAN, giving transparency and scalability for the VPC. Flex bandwidth up to 300% (2X, 3X).
Common Use Cases
• Elastic cloud bursting
• Big data analysis
• BCDR & storage
Legend: CE – Customer Edge Router; PE – Provider Edge Router; EVC – Ethernet Virtual Circuit
14. Hybrid solutions
CHALLENGE
• PCI or security concerns when dealing with customers’ personal information
• Scalability of the web services tier was needed during peak periods
SOLUTION
• Distribute access into the cloud and partition security measures across the infrastructure
• Maintain sensitive data in governance-compliant environments
(Diagram) Consumers reach the company data center and AWS over the public Internet, while the data center connects to AWS privately over Level 3 Cloud Connect and AWS Direct Connect.
15. Reference architecture
(Diagram) Level 3 Ethernet to AWS Direct Connect: the enterprise data center and branch offices connect through a Customer CE (Layer 3 router) and an NID device (Ethernet access visibility) with 1G Ethernet access (native or 802.1Q) to a Level 3 Layer 2 PE; across the Level 3 global network there is one VLAN per customer EVC (200 Mbps customer EVC) to the CSP Layer 2 PE. Customers reach the environment over the public Internet.
• Secure and private MPLS network
• Quality of Service (QoS) aware
• Each customer presented to the CSP as a separate VLAN interface
• Dynamic Capacity to increase bandwidth 3x
Common Use Cases
• Elastic cloud bursting
• Big data analysis & storage
• eCommerce workloads
• New product launches
Legend: CE – Customer Edge Router; PE – Provider Edge Router; EVC – Ethernet Virtual Circuit
Hybrid environments, leveraging private and public connectivity
Key Benefits
• Multi-tier security strategy across AWS & private infrastructure
• VLAN segmentation to logically separate compliance-sensitive data flows
• Compliant with existing data governance policies
Customer-to-CSP BGP: a BGP neighbor relationship with an MD5 password for session security
17. Securing data in the cloud (Level 3 Cloud Connect Solutions / AWS Direct Connect)
CHALLENGE
• Making sure that my data is safe and secure when using the cloud
SOLUTION
• With private network connectivity, build hybrid environments where security and compliance are critical
• Hybrid environments allow you to extend your private on-premises infrastructure with the elasticity and economic benefits of AWS
• Encrypt your data and replicate your security policies in the cloud (diagram: replicated security policies and encrypted workloads spanning the enterprise IT environment and AWS)
18. HIPAA compliance bundle
Reference architecture designed to assist customers in highly regulated industries to securely migrate sensitive data workloads to and from AWS. The bundle combines:
• Secure and reliable, private network connectivity
• Modular multiservice cloud networking router
• Agile, flexible virtual application delivery platforms
• Experts at architecting HIPAA-compliant technology solutions
19. Reference architecture
(Diagram) AWS Cloud: a Virtual Private Cloud (VPC) with a VPC public subnet hosting a CSR 1000V, VPC private subnets, and a Virtual Private Gateway. Corporate data center: enterprise subnets behind a Cisco ISR/ASR. The two sides are connected over AWS Direct Connect with DMVPN.
High performance and security for hybrid workloads over AWS Direct Connect (Cloud Connect Solutions)
21. Design principles (architecture best practices)
• Network isolation
• Use internal ELBs for traffic between tiers
• Hub-and-spoke model for shared services
• Account-level isolation where prudent
• Turn on and enforce AWS CloudTrail and AWS Config
• Subnets/route tables/NACLs/security groups are cheap (free); the only downside risk is complexity
23. Encryption at rest: Amazon S3 and Amazon Elastic Block Store (Amazon EBS)
Bucket policy that denies uploads which do not request server-side encryption:
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "AES256"
      }
    }
  }]
}
BEST PRACTICES:
• Create encrypted Amazon EBS volumes to store the most sensitive data
• Use Amazon S3 bucket policies to force use of server-side encryption
• Use Puppet to configure applications to use encrypted storage for sensitive data
• Force SSL ciphers and encryption standards across all web hosts
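The following is an added example, not code from the deck or from Level 3 or AWS. It takes the slide's bucket policy verbatim, pairs it with the companion Null-condition statement that AWS's S3 documentation uses alongside it (the Sid "DenyMissingEncryptionHeader" is our own name for it), and implements just enough of IAM's condition evaluation (StringNotEquals, StringEquals, Null, plus wildcard resource matching) to show, against constructed s3:PutObject request contexts, which uploads the policy blocks before it is attached to a real bucket.

```python
"""Evaluate the slide's "deny unencrypted uploads" S3 bucket policy locally.

Added example (not from the deck, Level 3 or AWS). It implements only the
IAM condition operators the pattern relies on and checks Deny statements
against constructed s3:PutObject request contexts.
"""
import fnmatch
import json

# Policy under test. The first statement is the one on the slide, verbatim.
# The second is the companion statement AWS's S3 documentation pairs with it;
# its Sid ("DenyMissingEncryptionHeader") is our own name. It rejects a request
# that carries no x-amz-server-side-encryption header at all, so the outcome
# does not depend on how StringNotEquals treats an absent key.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
      }
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Null": {"s3:x-amz-server-side-encryption": "true"}
      }
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(operator, key, expected, context):
    """Evaluate one condition-key test against the request context."""
    present = key in context
    expected = [str(v) for v in _as_list(expected)]
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return present != (expected[0].lower() == "true")
    if operator == "StringEquals":
        return present and str(context[key]) in expected
    if operator == "StringNotEquals":
        # Negated operators are treated as matching when the key is absent
        # (our reading of IAM semantics; the Null statement above covers the
        # absent-header case explicitly either way).
        return (not present) or str(context[key]) not in expected
    raise ValueError(f"unsupported condition operator: {operator}")


def statement_applies(statement, action, resource, context):
    """True if the statement's Action, Resource and every Condition match."""
    if action not in _as_list(statement["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return True


def evaluate_put(policy, bucket, object_key, context):
    """Return ("Deny", [matching Sids]) or ("NotDenied", []).

    Only Deny statements are evaluated: an explicit Deny wins over any Allow,
    but "not denied" is not "allowed"; an Allow from an identity or bucket
    policy is still needed for the upload to succeed.
    """
    resource = f"arn:aws:s3:::{bucket}/{object_key}"
    matched = [s.get("Sid", "<no Sid>") for s in policy["Statement"]
               if s["Effect"] == "Deny"
               and statement_applies(s, "s3:PutObject", resource, context)]
    return ("Deny" if matched else "NotDenied", matched)


if __name__ == "__main__":
    # Constructed request contexts, i.e. what the upload header would carry.
    samples = {
        "SSE-S3 header present": {"s3:x-amz-server-side-encryption": "AES256"},
        "SSE-KMS header present": {"s3:x-amz-server-side-encryption": "aws:kms"},
        "no encryption header": {},
    }
    for label, ctx in samples.items():
        print(f"{label:24s} -> {evaluate_put(BUCKET_POLICY, 'YourBucket', 'report.csv', ctx)}")
```

Two things the run makes visible: the slide's statement, as written, also rejects uploads that request SSE-KMS ("aws:kms"), so a bucket that uses KMS keys would need that value added to the accepted list; and the policy only ever produces Deny, so the identity or bucket policy must still grant s3:PutObject for compliant uploads to succeed.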
24. Powered By:
(Diagram) AWS East and AWS West regions at The Venetian: Amazon WorkSpaces, AWS Direct Connect, Amazon EC2, and Amazon S3.
Try AWS Direct Connect in the Test Drive Lab!