...
Glossary
Term | Definition |
---|---|
Asymmetric Routing | Condition in which network traffic between a client and its destination follows different paths inbound and outbound. In the Direct Connect case this means the client sends packets to one IP address (the service's Elastic IP, reached over the Internet through the IGW) but receives replies from a different IP address (the instance's private address, carried over Direct Connect through the VGW), so client and server cannot establish two-way communication. |
AWS Private Subnet | Subnet in an AWS VPC that has no direct access to the Internet. |
AWS Public Subnet | Subnet in an AWS VPC that has direct Internet access by way of a configured Internet gateway (IGW). |
Cornell Private Network | Private IPv4 address range 10.0.0.0/8, defined in RFC 1918 for use on private/internal networks. Addresses in this range are not allowed to leave the Cornell network and route directly over the Internet. |
Cornell Public Network | Cornell's publicly routable IPv4 address ranges. |
Direct Connect | Dedicated network connection between Cornell and Amazon Web Services via AWS peering partners. Direct Connect should be treated as if it were a campus network, including leveraging transport encryption for sensitive data. See also AWS Direct Connect for Cornell. |
Internet Gateway (IGW) | AWS-managed VPC routing device that provides inbound and outbound access between a subnet and the Internet. It performs the one-to-one NAT between an EC2 instance's private address and its public or Elastic IP address; traffic that leaves the VPC through any other gateway is not translated. |
Virtual Gateway (VGW) | AWS-managed VPC routing device (AWS's Virtual Private Gateway) that attaches the VPC to Direct Connect or a VPN. Subnet route tables can be configured to propagate the routes it learns. |
Direct Connect Routing Options
...
Design Decisions
When using the Hybrid "All Campus" Routing model:
- AWS Public and Private Subnets that use the VGW incorporate routes propagated from Direct Connect.
- This brings advertised routes to both the Cornell Private and Cornell Public networks into those subnets' route tables via Direct Connect.
- AWS Public Subnets that use the VGW risk introducing asymmetric routing when presenting services to clients on Cornell Public Networks: the client reaches the service at its Elastic IP over the Internet through the IGW, but the propagated Cornell Public route is more specific than the 0.0.0.0/0 route to the IGW, so the reply leaves over Direct Connect with the instance's private address and is never translated to the Elastic IP.
- Placing an Elastic Load Balancer in front of the service may be an acceptable work-around, since the load balancer acts as a proxy and adds a level of indirection on the network.
- AWS Public Subnets will be able to reach services or clients in Cornell Public space directly over Direct Connect.
- Exposing production services to clients over Direct Connect is not advised.
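The asymmetric-routing condition above can be checked offline against the route tables a VPC actually has. The following is an added example, not code from this page or from AWS: it models a route table as the JSON shape returned by `aws ec2 describe-route-tables` (the field names `Routes`, `DestinationCidrBlock`, `GatewayId` and `Origin` and the origin value `EnableVgwRoutePropagation` are real), applies the VPC's longest-prefix-match rule to see which gateway a reply would take, and flags propagated VGW routes that shadow an IGW default route. The gateway IDs, the VPC CIDR and the prefix 198.51.100.0/24 standing in for a Cornell Public range are constructed placeholders, not Cornell's real addressing.

```python
"""Offline check for asymmetric routing in an AWS Public Subnet that also
propagates Direct Connect routes from the VGW (Hybrid "All Campus" model).

Added example; not code from the Cornell page or from AWS.
"""
import ipaddress

# RFC 1918 space, i.e. the "Cornell Private Network" definition in the glossary.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: route table of an AWS Public Subnet with VGW route
# propagation enabled. IDs and prefixes are placeholders for this example;
# 198.51.100.0/24 stands in for a Cornell Public prefix learned over Direct Connect.
PUBLIC_SUBNET_RT = {
    "RouteTableId": "rtb-0public0",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0", "Origin": "CreateRoute"},
        {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-0example0", "Origin": "EnableVgwRoutePropagation"},
        {"DestinationCidrBlock": "198.51.100.0/24", "GatewayId": "vgw-0example0", "Origin": "EnableVgwRoutePropagation"},
    ],
}

# Constructed sample: an AWS Private Subnet with the same propagated routes but
# a NAT gateway default route instead of an IGW. No Elastic IP, so no asymmetry.
PRIVATE_SUBNET_RT = {
    "RouteTableId": "rtb-0private0",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "nat-0example0", "Origin": "CreateRoute"},
        {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-0example0", "Origin": "EnableVgwRoutePropagation"},
        {"DestinationCidrBlock": "198.51.100.0/24", "GatewayId": "vgw-0example0", "Origin": "EnableVgwRoutePropagation"},
    ],
}


def egress_gateway(route_table, dst_ip):
    """Return the GatewayId an instance in this subnet would use to reach dst_ip.

    VPC routing is longest-prefix match: the most specific matching
    DestinationCidrBlock wins, whatever its Origin. This is the rule that lets
    a propagated /24 to the VGW beat the static 0.0.0.0/0 to the IGW.
    """
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in route_table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue  # IPv6 or prefix-list routes are not modelled here
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route["GatewayId"])
    return best[1] if best else None


def is_rfc1918(cidr):
    """True if the whole prefix lies inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in RFC1918)


def asymmetric_routes(route_table, igw_id):
    """List propagated VGW routes for public prefixes that shadow the IGW default.

    A client inside one of these prefixes reaches the instance's Elastic IP
    over the Internet through the IGW, but the reply follows the more specific
    VGW route over Direct Connect, where the IGW's 1:1 NAT never happens, so
    the client sees a reply from the instance's private address.
    RFC 1918 prefixes are skipped: a client with a private source address
    cannot have reached the Elastic IP over the Internet in the first place.
    """
    has_igw_default = any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId") == igw_id
        for r in route_table["Routes"]
    )
    if not has_igw_default:
        return []
    return [
        r["DestinationCidrBlock"]
        for r in route_table["Routes"]
        if r.get("Origin") == "EnableVgwRoutePropagation"
        and r.get("GatewayId", "").startswith("vgw-")
        and not is_rfc1918(r["DestinationCidrBlock"])
    ]


if __name__ == "__main__":
    for rt in (PUBLIC_SUBNET_RT, PRIVATE_SUBNET_RT):
        print(rt["RouteTableId"], "reply to 198.51.100.7 leaves via",
              egress_gateway(rt, "198.51.100.7"),
              "; asymmetric prefixes:", asymmetric_routes(rt, "igw-0example0"))
```

Run against real data by feeding each element of the `RouteTables` array from `aws ec2 describe-route-tables` to `asymmetric_routes` together with the VPC's IGW ID; any non-empty result is a public subnet that should either not propagate VGW routes or should only sit behind a load balancer, per the design decisions above.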
...