LLD002-002 - On Premise <> AWS connectivity

Purpose

The purpose of this Low-Level Design (LLD) document is to provide a detailed plan for establishing a reliable, secure, and redundant connectivity between the onpremises data center and the Amazon Web Services (AWS) environment. This design emphasizes resilience and security by incorporating a dual-setup of AWS Direct Connect and a backup Site-to-Site VPN connection.

Changelog

Related documents

HLD002 - Combined Network Model

Architecture diagram

Explanation

The diagram represents a highly available and resilient architecture that connects an on-premises data center to a Virtual Private Cloud (VPC) within an Amazon Web Services (AWS) region using a combination of AWS Transit Gateway, Direct Connect Gateway, two Direct Connect (DX) connections, and a Site-to-Site VPN as a backup.

The key elements of the diagram include:

• VPC: The VPC, located in a specific AWS region, represents the isolated cloud resources where your application workloads run. It is securely connected to your on-premises network through a Transit Gateway.

• Transit Gateway: The Transit Gateway acts as a network transit hub that simplifies and consolidates the connectivity between the VPC and the on-premises data center. It centralizes the routing between multiple networks, including VPCs and on-premises networks.

• Direct Connect Gateway: The Direct Connect Gateway connects the Transit Gateway to the DX connections. It enables the connection from the DX connections to virtually any AWS worldwide region (not just the region where the DX connection is located), providing access to all necessary AWS services.

• DX Connections: The diagram includes two DX connections, providing a dedicated, high-bandwidth, low-latency link from the on-premises data center to AWS. These redundant connections offer increased network reliability and performance.

• Site-to-Site VPN: The Site-to-Site VPN provides a failover connection to ensure uninterrupted access to AWS services if both DX connections were to fail. It works over the public internet to create a secure, encrypted connection from your on-premises network to the AWS environment.

• Customer Gateways: The diagram includes two Customer gateways, first for DX connections and 2nd for Site-to-site VPN to diversify risk of outage from onpremise side.

Network Overview

• On-Premises Data Centers (DC): Data Center 1, Data Center 2

• AWS Direct Connect (DX) Locations: a-tmpl-prd-dx-1 and a-tmpl-prd-dx-2

• AWS Direct Connect Gateway (DXGW): a-tmpl-prd-dxgw

• AWS Transit Gateway (TGW): a-tmpl-prd-tgw

• Customer Gateways (CGW): CGW1, CGW2, CGW3, CGW4

• VPN Connections: a-tmpl-prd-vpn

IP Address Ranges

• DC1:

• DC2:

• AWS:

• DX1 and DX2 (Transit VIF):

• VPN (Tunnel Inside CIDR):

AWS Direct Connect (DX)

• Establish two Direct Connect connections at DX1 and DX2 locations(10Gbit each).

• Create DXGW1 associated with both DX1 and DX2.

• Create Transit Virtual Interfaces (Transit VIFs) on DX1 and DX2, using the corresponding router peer IP addresses and VLAN IDs, and associate them with DXGW.

• Enable Equal-Cost Multi-Path routing to balance traffic between connections.

AWS Transit Gateway (TGW)

• Attach DXGW to TGW to route the Direct Connect traffic through TGW.

• Create Route Table RTB1 in TGW, associating it with AWS VPC, and propagate the routes from DXGW.

Site-to-Site VPN

• Create CGW1 and CGW4 representing the on-premises VPN devices.

• Establish VPN, connecting CGW1 and CGW4 with TGW respectively.

• Configure dynamic routing (BGP) on VPN, using the corresponding BGP peer IP addresses.

Routing and Failover

• Configure the route propagation on RTB1 to propagate routes from VPN.

• Direct Connect is always preferred.

Security and Monitoring

• Apply necessary security groups and network ACLs on AWS VPCs.

• Enable IPsec encryption on Site-to-Site VPN.

• Use AWS CloudWatch for monitoring and VPC Flowlogs for logging network activities.