Versions Compared

...

In this configuration, the Cornell campus network will route network traffic to the VPC's private address space over the Direct Connect. The DCGW+TGW infrastructure connected to the AWS VPC will route Cornell Private Network traffic and Cornell Public Network traffic back to the Cornell campus network via Direct Connect. As in the Private Network Extension configuration discussed earlier, local VPC traffic (i.e. destined for the VPC itself), traffic to peered AWS VPCs, or traffic to other Cornell VPCs using Direct Connect remains within AWS and is not sent back to campus over the Direct Connect.

...

When using the Hybrid Routing model:

  • You will require one route table for Private subnets and another for Public subnets.
    • Subnets can share common routing tables, so multiple "private" or "public" subnets can reference the same routing configuration.
  • AWS Private Subnets should use a route table with static routes to both Cornell's Private (10.0.0.0/8) and Public (e.g., 128.84.0.0/16) address space. These routes would designate the TGW as the "next hop".
  • AWS Public Subnets should use a route table that only sends Cornell Private Network addresses back through Direct Connect, with one static route designating the TGW as the next hop for Cornell's Private address space (i.e. 10.0.0.0/8).
    • Allowing AWS Public Subnets to send Cornell Public Network traffic over Direct Connect can create asymmetric routing conditions.
  • AWS Public subnets will be unable to address services or clients in Cornell Public Space directly over Direct Connect.
    • AWS Public Subnets may still be able to reach Cornell Public Network services over the Internet via the IGW.
      • Cornell network ACL or Managed Firewall policy updates may be required.
      • Consideration should be taken when transferring sensitive data over the public Internet. Use of transport encryption is strongly suggested and may be required by policy.
  • Services deployed in the VPC should be configured to use AWS public addresses (e.g., EIP, public load balancer).
    • Exposing production services to clients over Direct Connect is not advised.
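As an added example (not part of the original page), a small Python check that audits a VPC's route tables against the Hybrid Routing rules above: a Private subnet table must send both Cornell address ranges to the TGW, while a Public subnet table must send only the Private range to the TGW and keep an IGW route. It assumes input in the shape of the AWS `ec2 describe-route-tables` JSON; the transit gateway id, IGW id and VPC CIDR are constructed placeholders.

```python
import ipaddress

# Address ranges named on the page; the TGW id is a constructed placeholder.
CORNELL_PRIVATE = ipaddress.ip_network("10.0.0.0/8")
CORNELL_PUBLIC = ipaddress.ip_network("128.84.0.0/16")
TGW_ID = "tgw-PLACEHOLDER"


def _tgw_routes(rt):
    """Destination CIDRs in this table whose next hop is the transit gateway."""
    return [ipaddress.ip_network(r["DestinationCidrBlock"])
            for r in rt["Routes"] if r.get("TransitGatewayId") == TGW_ID]


def audit_route_table(rt, kind):
    """Return findings for a route table; empty list means it matches the model.
    kind is "private" or "public" (which subnet type the table is attached to)."""
    findings = []
    via_tgw = _tgw_routes(rt)
    private_ok = any(CORNELL_PRIVATE.subnet_of(n) for n in via_tgw)
    public_ok = any(CORNELL_PUBLIC.subnet_of(n) for n in via_tgw)
    if not private_ok:
        findings.append("missing 10.0.0.0/8 -> TGW (Cornell Private Network unreachable)")
    if kind == "private" and not public_ok:
        findings.append("missing Cornell Public Network route -> TGW")
    if kind == "public":
        # Public subnets must not send Cornell Public traffic over Direct Connect:
        # replies would return via the IGW, i.e. asymmetric routing.
        for n in via_tgw:
            if n.overlaps(CORNELL_PUBLIC):
                findings.append(f"{n} -> TGW overlaps Cornell Public space (asymmetric routing)")
        if not any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"]):
            findings.append("no IGW route; public subnet cannot reach Cornell Public over Internet")
    return findings


# Constructed sample tables (placeholder ids; 10.92.0.0/16 stands in for the VPC CIDR).
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "10.92.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": TGW_ID},
    {"DestinationCidrBlock": "128.84.0.0/16", "TransitGatewayId": TGW_ID},
]}
PUBLIC_RT = {"Routes": [
    {"DestinationCidrBlock": "10.92.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": TGW_ID},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
]}
# A public subnet wrongly reusing the private table's routes plus an IGW default.
BAD_PUBLIC_RT = {"Routes": PRIVATE_RT["Routes"]
                 + [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]}
```

Running `audit_route_table(BAD_PUBLIC_RT, "public")` reports the 128.84.0.0/16 -> TGW route as an asymmetric routing risk, while the two correct tables produce no findings.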

...