...

Terms and Definitions
Asymmetric Routing

Condition that presents itself when network traffic between a client and its destination follows different paths inbound and outbound.

This results in the client sending packets to one IP address but receiving responses from a potentially different IP address, preventing client and server from properly establishing two-way communication.

AWS Private Subnet

Subnet in an AWS VPC that has no direct access to the Internet.

AWS Public Subnet

Subnet in an AWS VPC that has direct Internet access by way of a configured Internet gateway (IGW).

Cornell Private Network

Private IPv4 address range 10.0.0.0/8, defined in RFC 1918 for use on private/internal networks.

Addresses in this range are not allowed to leave the Cornell network and route directly over the Internet.

Cornell Public Network

Cornell's publicly routable IPv4 address ranges.

Direct Connect

Dedicated network connection between Cornell and Amazon Web Services via AWS peering partners.

Direct Connect should be treated as if it were a campus network, including leveraging transport encryption for sensitive data.

See also Cornell AWS Direct Connect.

Internet Gateway (IGW)

AWS-managed VPC routing device that provides inbound and outbound access from a subnet to the Internet.

Allows use of public IP addresses (Elastic IP) on EC2 Instances.

Transit Gateway (TGW)

AWS-managed routing device that can cross-connect VPCs and Direct Connect resources. Transit Gateways are an integral component in the Cornell AWS Direct Connect Architecture.

Direct Connect Gateway (DCGW)

AWS-managed routing device that can connect VPCs and Transit Gateways in multiple regions to Direct Connect connections. Direct Connect Gateways are an integral component in the Cornell AWS Direct Connect Architecture.

DCGW+TGW infrastructure

The infrastructure components in the Cornell AWS Direct Connect Architecture that lie between the campus network and an AWS VPC using Direct Connect.

Exclusions

The discussion and examples below focus on traffic between private and public network segments in AWS, and private and public network segments on campus. The Cornell AWS Direct Connect Architecture also links AWS VPCs using Direct Connect to Cornell's private network segments in Azure. Traffic between campus or AWS and Azure is not covered in this article. 

Direct Connect Routing Options

Private Network Extension

...

In this configuration, the Cornell campus network will route network traffic to the VPC's private address space over the Direct Connect. The DCGW+TGW infrastructure connected to the AWS VPC will route any Cornell Private Network traffic not destined for Cornell VPCs in AWS back to the Cornell campus network via Direct Connect. This effectively leverages the Direct Connect as an extension of the Cornell Private Network. Traffic to or from Cornell's private network in Azure is handled in the same way as private campus traffic.

Design Decisions

When using the Private Network Extension model:

  • All VPC subnets that use the DCGW+TGW infrastructure will need to have a static route for 10.0.0.0/8 defined to send traffic bound for other Cornell private network segments through the DCGW+TGW infrastructure.
  • Neither private nor public subnets in the AWS VPC will be able to address services or clients in Cornell Public Network space directly over Direct Connect.
    • AWS Public Subnets may still be able to reach Cornell Public Network services over the Internet via the IGW.
      • Cornell network ACL or Managed Firewall policy updates may be required.
      • Consideration should be taken when transferring sensitive data over the public Internet. Use of transport encryption is strongly suggested and may be required by policy.
  • Services deployed in the VPC should be configured to use AWS public addresses (e.g., an EIP, an ELB, or a public load balancer).
    • Exposing production services to clients over Direct Connect is not advised and will not work for clients in Cornell Public Network space.
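The following model of the VPC route tables is an added illustration of the Private Network Extension design decisions above; it is not Cornell's or AWS's code. It evaluates an AWS-style route table (longest prefix match over CIDR routes) for a private subnet, a public subnet, and a public subnet whose 10.0.0.0/8 static route was never added. The VPC CIDR, the sample campus and Internet addresses, and the target labels "local", "tgw" and "igw" are constructed for the example; they are not real Cornell ranges or AWS resource identifiers.

```python
"""Longest-prefix-match model of VPC subnet route tables under the
Private Network Extension design (added example, not the page's own code).

Constructed values: VPC_CIDR, the sample destination addresses, and the
target labels "local", "tgw" and "igw" (stand-ins for a local route, the
DCGW+TGW infrastructure, and an Internet gateway).
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed: a VPC CIDR carved out of the Cornell Private Network (10.0.0.0/8).
VPC_CIDR = "10.92.0.0/16"

# Route tables as (destination CIDR, target) pairs.
# Every subnet that uses the DCGW+TGW infrastructure carries the static
# 10.0.0.0/8 route; only the public subnet has a default route to the IGW.
PRIVATE_SUBNET_ROUTES: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),
    ("10.0.0.0/8", "tgw"),
]
PUBLIC_SUBNET_ROUTES: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),
    ("10.0.0.0/8", "tgw"),
    ("0.0.0.0/0", "igw"),
]
# Failure mode: a public subnet where the 10.0.0.0/8 static route is missing.
PUBLIC_SUBNET_MISSING_STATIC_ROUTE: List[Tuple[str, str]] = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw"),
]

# Constructed sample destinations.
CAMPUS_PRIVATE_HOST = "10.10.1.20"   # a host on the Cornell Private Network
VPC_LOCAL_HOST = "10.92.3.4"         # another host inside this VPC
PUBLIC_INTERNET_HOST = "192.0.2.10"  # TEST-NET-1 stand-in for a publicly routable host


def next_hop(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Return the target of the most specific route matching dst.

    AWS route tables pick the longest matching prefix; with no matching
    route the packet has nowhere to go, which this model reports as None.
    """
    addr = ipaddress.ip_address(dst)
    best_target: Optional[str] = None
    best_len = -1
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def is_cornell_private(dst: str) -> bool:
    """True if dst lies in the RFC 1918 10.0.0.0/8 range used as the Cornell Private Network."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network("10.0.0.0/8")


def check_route(routes: List[Tuple[str, str]], dst: str) -> str:
    """Classify where a packet to dst ends up.

    Returns "local", "tgw", "igw", "dropped" (no matching route), or
    "igw-unroutable" (a 10.0.0.0/8 address handed to the Internet gateway,
    which cannot route private addresses over the Internet).
    """
    hop = next_hop(routes, dst)
    if hop is None:
        return "dropped"
    if hop == "igw" and is_cornell_private(dst):
        return "igw-unroutable"
    return hop


if __name__ == "__main__":
    tables = {
        "private subnet": PRIVATE_SUBNET_ROUTES,
        "public subnet": PUBLIC_SUBNET_ROUTES,
        "public subnet, no 10/8 route": PUBLIC_SUBNET_MISSING_STATIC_ROUTE,
    }
    for name, routes in tables.items():
        for dst in (CAMPUS_PRIVATE_HOST, VPC_LOCAL_HOST, PUBLIC_INTERNET_HOST):
            print(f"{name:30} -> {dst:12} : {check_route(routes, dst)}")
```

Running the script shows the two design points at once: from either subnet, a Cornell private address is sent to the DCGW+TGW infrastructure while a Cornell public address is unreachable over Direct Connect (dropped from the private subnet, sent out the IGW from the public subnet); and a public subnet that lacks the static 10.0.0.0/8 route hands campus-bound traffic to the IGW, where RFC 1918 addresses cannot be routed.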

...