AWS and OSPF
-
So I've been going through the AWS architect training and have been trying to wrap my head around how our organization might integrate with Amazon EC2 from a networking perspective. I still don't fully grasp the idea of the VPC, but thus far I have been able to figure out that a VPC is married to an EC2 instance when it is created and cannot be changed.
I also notice that you have to specify an IP range when the VPC is first created. However, when actually creating Elastic Network Interfaces (ENIs), you have to have pre-staged subnets out of the originally specified VPC range.
Then I discovered that AWS doesn't support OSPF. Dang. Our environment won't support BGP today and I would really like to start using dynamic routing while testing AWS. So then I start browsing around the AWS Marketplace and discover the SonicWALL and pfSense firewalls. I am sure there are products from other vendors as well. Both of these do OSPF...
Now for the question: is it a viable design option to deploy one of these virtual firewalls as an EC2 instance and simply use it for NAT/VPN services rather than relying on the native AWS networking stack? Based on my observations of how VPCs work so far, it seems like a virtual firewall appliance with multiple NICs in zones like WAN/LAN/LAN2 would all have to be in the same VPC. That just seems wrong to me, but perhaps it can be secured with security groups or network ACLs in AWS?
Regards,
Adam Tyler -
Hi Adam,
The AWS whitepaper "Building a Scalable and Secure Multi-VPC AWS Network Infrastructure" should be useful to you. Refer to the section on Hybrid Connectivity.
-
Hi Adam!
Just a note on your EC2 and VPC observation. When you create an EC2 instance, you are marrying it to the VPC. You can create an AMI out of your shiny new instance, and then spin another instance up in another VPC based on your AMI. So in effect, you can change the VPC that way. Remember this: with AWS there is a way to do just about anything!
It is critical that you understand VPCs in AWS. Please post what other questions you have about these structures. One question per post would be awesome.
Now on to your question - for NAT and PAT, it is almost always preferable to use the NAT Gateway service of AWS. This is a fully managed service meaning that Amazon takes care of everything for us. This is also the main method we use because of the low cost.
You can do your NAT/PAT with an AWS NAT EC2 instance - or as you bring up - a virtual appliance that you spin up as an EC2 instance, but this requires your management of the instance and also you incur the costs.
A more frequent option is using a virtual security appliance to do all of the cool security features the appliance brings that would enhance what is available in AWS and give you more control. For example, you might spin up a Cisco Firepower NGFW in your VPC in order to use the advanced security features of this device to control your AWS traffic.
When you do this, you are typically placing interfaces of the virtual appliance into different subnets that you created in your VPC. For example, a Management Subnet, and two or more Data Subnets.
Perhaps a detail about the VPC that you were missing is that you are creating different subnets within the VPC. So your VPC might be 10.0.0.0/16 and then you create subnets of 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24.
Keep up the awesome work in your studies!
Anthony Sequeira
ITProTV Edutainer -
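As an added example, not from anyone in this thread: the subnet layout Anthony describes (one VPC block, with a management subnet and two data subnets carved out of it for the appliance's interfaces) can be sanity-checked before anything is created. This Python snippet uses only the standard ipaddress module; the role names and the sample CIDRs are constructed for illustration. The two AWS rules it encodes are that subnet sizes must be between /16 and /28 and that AWS reserves the first four and the last address of every subnet.

```python
import ipaddress

# AWS reserves five addresses per subnet: network, VPC router, DNS,
# one for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5
# AWS allows VPC and subnet blocks from /16 down to /28.
MIN_PREFIX, MAX_PREFIX = 16, 28


def plan_vpc_subnets(vpc_cidr, subnets):
    """Validate a subnet layout for one VPC.

    subnets maps an interface role (e.g. "mgmt") to a CIDR string.
    Returns {role: usable host addresses}. Raises ValueError when a
    subnet is outside the VPC block, is an unsupported size, or
    overlaps another subnet in the same plan.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        raise ValueError(f"VPC {vpc} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    accepted = {}
    for role, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            raise ValueError(f"{role} subnet {net} has an unsupported size")
        if not net.subnet_of(vpc):
            raise ValueError(f"{role} subnet {net} is outside VPC {vpc}")
        for other_role, other in accepted.items():
            if net.overlaps(other):
                raise ValueError(f"{role} subnet {net} overlaps {other_role} subnet {other}")
        accepted[role] = net
    return {role: net.num_addresses - AWS_RESERVED_PER_SUBNET
            for role, net in accepted.items()}


# Constructed layout matching the thread: one VPC, three appliance subnets.
EXAMPLE_VPC = "10.0.0.0/16"
EXAMPLE_SUBNETS = {
    "mgmt": "10.0.1.0/24",
    "data1": "10.0.2.0/24",
    "data2": "10.0.3.0/24",
}

if __name__ == "__main__":
    for role, hosts in plan_vpc_subnets(EXAMPLE_VPC, EXAMPLE_SUBNETS).items():
        print(f"{role}: {EXAMPLE_SUBNETS[role]} -> {hosts} usable addresses")
```

A subnet that falls outside the VPC block, such as 192.168.1.0/24 under 10.0.0.0/16, is rejected before any ENI could be placed in it, which is the constraint Adam ran into.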
@Adam-Tyler said in AWS and OSPF:
I still don't fully grasp the idea of the VPC, but thus far I have been able to figure out that a VPC is married to an EC2 instance when it is created and cannot be changed.
VPC is actually a pretty simple concept. It's a virtual network. This AWS re:Invent 2018 video on YouTube explains it quite clearly.
If you're interested, I have created a very long, not yet sorted AWS Certified Solutions Architect – Associate playlist on YouTube to complement my ITProTV studies. It consists of lots of AWS re:Invent and re:Inforce presentations, with most videos coming from the 2019 re:Invent conference that just occurred three weeks ago.