VyOS Platform Blog

Hybrid Cloud Network Success Story: AWS Cloud WAN integration with VyOS

Written by Fernando Maidana | June 3, 2024 8:32:07 PM Z

Hello, Community!

I'm Fernando from the network engineering team at VyOS Networks, and I'd like to introduce an insightful customer success story in our series on cloud networking use cases. I will only refer to the customer as "The Company" to preserve their confidentiality. Still, I'd like to tell you how they vastly improved their hybrid infrastructure using our VyOS routers integrated with the AWS Cloud WAN Tunnel-less Connect feature.

Background

The Company needed to streamline its operations across various global sites without the complexities of traditional VPN tunnels. The introduction of AWS Cloud WAN Tunnel-less Connect on VyOS looked like an optimal solution—connecting VyOS routers directly to AWS Cloud WAN. This integration not only simplified network setups but could also greatly improve the site-to-cloud connection speed since it could use AWS's global high-speed network directly.

The Challenge

"The Company" needed seamless connectivity across multiple data centers and regional offices and wanted to avoid the overhead of tunneling protocols because encapsulation can easily become a bottleneck in high-speed networks. They also wanted a solution to support on-demand operations. At the same time, connection security wasn't an immediate concern since it was implemented at the application protocol level and through site firewall policies.

The VyOS and AWS Solution

With VyOS's native support for AWS Cloud WAN Tunnel-less Connect, "The Company" achieved a simplified, high-performance network architecture. Here’s how VyOS tailored the solution to their needs:

  1. High-performance on AWS Cloud: VyOS avoided traditional tunnel overhead, enabling The Company to use the high-speed, high-throughput AWS network.

  2. Global Network Architecture Optimization: The AWS global network backbone helped The Company establish a more cost-effective and redundant network infrastructure, crucial for their hybrid cloud workloads.

  3. Flexible Consumption and Automation: The solution supported an on-demand model, which was vital for The Company to deploy network services as needed, optimizing resource use and operational costs.

Integration in Action

This implementation focused on connecting two major regions with multiple AWS Availability Zones using native BGP sessions on AWS with VyOS instances. This setup was critical for managing The Company's distributed resources efficiently, ensuring high availability and disaster recovery. The diagram below illustrates the implementation:

Network Setup and Configuration:

  • AWS Cloud WAN Integration: We started by creating a global network and a core network policy through the AWS Network Manager, which we adjusted to The Company's specific needs, such as ASN ranges and CIDR blocks.
  • VyOS Configuration: On the VyOS side, we configured BGP sessions to ensure that inter-site traffic was routed through the AWS network without a need for traditional tunnels.

Deployment and Operation:

The following high-level steps create the above architecture. As we mentioned before, this post focuses on tunnel-less connections.

To get started with the AWS Cloud WAN global and core network:

  • Open the Console and navigate to Network Manager.
  • Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
  • Create a global network: the first step in setting up AWS Cloud WAN is to create a global network. In our case, it’s called VyOS-CNE.
  • Create a core network and core network policy: after creating the global network, create a core network within it. Once the core network exists, create the core network policy that deploys the network structure.

The figure below shows the expected topology within the AWS account:

To illustrate, the following core network policy configuration will be used:

  • ASN ranges: 64512–65534.
  • Inside CIDR blocks: 192.168.0.0/16. This Classless Inter-Domain Routing (CIDR) block supplies the addresses used for AWS Transit Gateway Connect tunnels and for tunnel-less BGP peering with the VyOS instances.
  • Edge locations: US East (Ohio), US West (Oregon). The Regions where we place our Core Network Edges (CNEs) to peer with our VyOS routers.
  • Segments: Development, Production.

With all this data, we can create the policy and then add our VPC attachments.

Create the VPC attachments

Create a VPC attachment at each end between the Cloud WAN and the VyOS instance. The GRE tunnel attachment can span multiple segments, but the tunnel-less attachment is per segment. Thus, you need one VyOS instance and one VPC per segment when using the tunnel-less attachment.

Create a route pointing to the CNE in the Connect VPC route table.

Create Tunnel-less connection

Create the Tunnel-less connection with the VyOS routers:

Next, configure the BGP peer between the Core Network and VyOS (vyos-sdwan-east) in the HUB-VPC-EAST, as shown in the figure below.

The configuration applied to our vyos-sdwan-east should allow us to establish a connection with our AWS CNE.

# Interfaces deployed on VyOS:

vyos@vyos-sdwan-east:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.10.1.192/24                    u/u  To WAN
eth1             10.10.0.178/24                    u/u  To AWS_CNE
lo               127.0.0.1/8                       u/u
                 ::1/128

# BGP configuration to establish BGP peer with CNE:

set protocols bgp 64530 address-family ipv4-unicast redistribute connected
set protocols bgp 64530 neighbor 192.168.0.14 ebgp-multihop '2'
set protocols bgp 64530 neighbor 192.168.0.14 remote-as '64512'
set protocols bgp 64530 neighbor 192.168.0.49 ebgp-multihop '2'
set protocols bgp 64530 neighbor 192.168.0.49 remote-as '64512'
set protocols bgp 64530 parameters router-id '10.10.0.178'

# static route created to reach our CNE over the tunnel-less Connect:

set protocols static route 192.168.0.0/16 next-hop 10.10.0.2

As shown in the figure above, the tunnel-less Connect peer is defined by the peer BGP IP, the peer ASN and the subnet ARN.
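As an added example (my own code, not from the post or the VyOS project), a Python check that validates a VyOS tunnel-less Connect configuration like the one above against the core network parameters used in this post: each peer must sit inside the inside CIDR block, use the core network ASN as remote-as, be covered by the static route, and have ebgp-multihop set because the CNE is not on a directly connected subnet. The connected subnets and the sample commands are constructed from the interface and BGP output shown, and the parser assumes the `set protocols bgp <asn>` syntax used above.

```python
import ipaddress
import re

CORE_ASN = 64512  # core network (CNE) ASN from the post
INSIDE_CIDR = ipaddress.ip_network("192.168.0.0/16")  # policy inside CIDR block
# Subnets directly connected to vyos-sdwan-east (eth0/eth1 in the show interfaces output).
CONNECTED = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample: the BGP and static route commands applied to vyos-sdwan-east.
SAMPLE_CONFIG = """\
set protocols bgp 64530 neighbor 192.168.0.14 ebgp-multihop '2'
set protocols bgp 64530 neighbor 192.168.0.14 remote-as '64512'
set protocols bgp 64530 neighbor 192.168.0.49 ebgp-multihop '2'
set protocols bgp 64530 neighbor 192.168.0.49 remote-as '64512'
set protocols static route 192.168.0.0/16 next-hop 10.10.0.2
"""

def parse_config(text):
    """Collect the local ASN, per-neighbor attributes and static routes from 'set' lines."""
    cfg = {"asn": None, "neighbors": {}, "routes": []}
    for line in text.splitlines():
        bgp = re.match(r"set protocols bgp (\d+) (.*)", line)
        if bgp:
            cfg["asn"] = int(bgp.group(1))
            nb = re.match(r"neighbor (\S+) (\S+)(?: '?([^']*)'?)?$", bgp.group(2))
            if nb:
                cfg["neighbors"].setdefault(nb.group(1), {})[nb.group(2)] = nb.group(3)
            continue
        rt = re.match(r"set protocols static route (\S+) next-hop (\S+)", line)
        if rt:
            cfg["routes"].append(ipaddress.ip_network(rt.group(1)))
    return cfg

def check_config(text):
    """Return findings where the VyOS config does not match the core network policy."""
    cfg = parse_config(text)
    findings = []
    if cfg["asn"] in (None, CORE_ASN):
        findings.append(f"local ASN {cfg['asn']} is missing or equal to the core ASN (eBGP needs a different one)")
    for ip, attrs in cfg["neighbors"].items():
        addr = ipaddress.ip_address(ip)
        connected = any(addr in net for net in CONNECTED)
        if addr not in INSIDE_CIDR:
            findings.append(f"peer {ip} is not inside the inside CIDR block {INSIDE_CIDR}")
        if attrs.get("remote-as") != str(CORE_ASN):
            findings.append(f"peer {ip} remote-as {attrs.get('remote-as')} is not the core ASN {CORE_ASN}")
        if not connected and not attrs.get("ebgp-multihop"):
            findings.append(f"peer {ip} is reached via the VPC router but ebgp-multihop is unset")
        if not connected and not any(addr in net for net in cfg["routes"]):
            findings.append(f"no static route covers peer {ip}")
    return findings
```

Running `check_config(SAMPLE_CONFIG)` on the configuration from this post returns no findings; moving a peer outside 192.168.0.0/16 or dropping an ebgp-multihop line produces one.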

Outcomes and Benefits

The integration drastically enhanced "The Company's" network efficiency and operational agility. It simplified complex network setups, reduced costs by eliminating unnecessary overhead, and provided a scalable solution that adapted to their dynamic needs.

Looking Forward

The Company's successful deployment shows the potential for integrating VyOS with AWS Cloud WAN to create advanced network architectures. This story demonstrates our solution's capability and sets a precedent for future deployments in similar high-demand scenarios.

For more detailed technical insights and a step-by-step configuration guide, please see our AWS Cloud WAN whitepaper, available at the following link: VyOS-AWS Cloud WAN.