...

Terms and Definitions

Asymmetric Routing

Condition that presents itself when network traffic between a client and its destination follows different paths inbound and outbound.

In the configurations described here this means the client sends packets to one IP address (for example an instance's Elastic IP, reached over the Internet through the IGW) but the reply travels back over a different path (the TGW and Direct Connect) and therefore arrives from a potentially different IP address (the instance's private address, because the IGW's NAT is bypassed on the return path). The client does not recognize the reply as belonging to its connection, so client and server cannot establish two-way communication; any stateful firewall that sits on only one of the two paths will likewise drop the half of the flow it sees.

AWS Private Subnet

Subnet in an AWS VPC that has no direct access to the Internet. Outbound Internet access, where needed, is provided indirectly through a NAT gateway.

AWS Public Subnet

Subnet in an AWS VPC that has direct Internet access by way of a configured Internet gateway (IGW).

Cornell Private Network

Private IPv4 address range 10.0.0.0/8, defined in RFC 1918 for use on private/internal networks.

Addresses in this range are not routable over the Internet and are not allowed to leave the Cornell network.

Cornell Public Network

Cornell's publicly routable IPv4 address ranges (for example 128.84.0.0/16; the full list appears in the route table examples below).
Direct Connect

Dedicated network connection between Cornell and Amazon Web Services via AWS peering partners.

Direct Connect should be treated as if it were a campus network, including leveraging transport encryption for sensitive data.

See also Cornell AWS Direct Connect.

Internet Gateway (IGW)

AWS-managed VPC routing component that provides inbound and outbound access between a subnet and the Internet.

It performs the one-to-one network address translation between an instance's public IP address (Elastic IP) and its private address, which is what allows public IP addresses to be used on EC2 instances. Traffic that does not traverse the IGW (for example replies routed to the TGW) is not translated.

Transit Gateway (TGW)

AWS-managed routing device that can cross-connect VPCs and Direct Connect resources. Transit Gateways are an integral component in the Cornell AWS Direct Connect Architecture.

Direct Connect Gateway (DCGW)

AWS-managed routing device that can connect VPCs and Transit Gateways in multiple regions to Direct Connect connections. Direct Connect Gateways are an integral component in the Cornell AWS Direct Connect Architecture.

DCGW+TGW infrastructure

The infrastructure components in the Cornell AWS Direct Connect Architecture that lie between the campus network and an AWS VPC using Direct Connect.

...

In this configuration, the Cornell campus network will route network traffic to the VPC's private address space over the Direct Connect. The DCGW+TGW infrastructure connected to the AWS VPC will route traffic from both Private and Public AWS subnets that is destined for both Private and Public Cornell network segments back to campus via Direct Connect.

As in the Private Network Extension and Hybrid Routing configurations discussed earlier, local VPC traffic (i.e. destined for the VPC itself), traffic to peered AWS VPCs, and traffic to other Cornell VPCs using Direct Connect in AWS remains within AWS and is not sent back to campus over the Direct Connect.

...

  • Both Private and Public AWS Subnets use route tables with static routes to both Cornell's Private (10.0.0.0/8) and Public (e.g., 128.84.0.0/16) address space. These routes designate the TGW as the "next hop".
  • AWS Public Subnets that use the DCGW+TGW infrastructure risk introducing asymmetric routing when presenting services to clients on Cornell Public Networks: a client's request arrives at the instance's Elastic IP through the IGW, but the route to the client's Cornell public prefix sends the reply to the TGW and over Direct Connect instead.
    • Placing the service behind an AWS load balancer, which acts as a proxy, may be an acceptable work-around to avoid asymmetric routing.
  • AWS Public Subnets will be able to address services or clients in Cornell Public Space directly over Direct Connect.
  • Exposing production services to clients over Direct Connect is not advised.

...

draw.io source: all-campus-routing.v2.drawio

Route Table Examples

The examples below show a VPC using Direct Connect, with 10.92.104.0/23 as its primary CIDR and 10.95.32.0/26 as a secondary CIDR (used for utility subnets).

Private Network Extension

Private Subnet Route Table

Destination        Target         Notes
0.0.0.0/0          NAT Gateway    public internet
10.92.104.0/23     local          primary VPC CIDR
10.95.32.0/26      local          secondary VPC CIDR
10.0.0.0/8         TGW            Cornell private CIDR

Public Subnet Route Table

Destination        Target         Notes
0.0.0.0/0          IGW            public internet
10.92.104.0/23     local          primary VPC CIDR
10.95.32.0/26      local          secondary VPC CIDR
10.0.0.0/8         TGW            Cornell private CIDR

Hybrid Routing

Private Subnet Route Table

Destination        Target         Notes
0.0.0.0/0          NAT Gateway    public internet
10.92.104.0/23     local          primary VPC CIDR
10.95.32.0/26      local          secondary VPC CIDR
10.0.0.0/8         TGW            Cornell private CIDR
128.84.0.0/16      TGW            Cornell public CIDR
128.253.0.0/16     TGW            Cornell public CIDR
132.236.0.0/16     TGW            Cornell public CIDR
192.35.82.0/24     TGW            Cornell public CIDR
192.122.235.0/24   TGW            Cornell public CIDR
192.122.236.0/24   TGW            Cornell public CIDR

Public Subnet Route Table

Destination        Target         Notes
0.0.0.0/0          IGW            public internet
10.92.104.0/23     local          primary VPC CIDR
10.95.32.0/26      local          secondary VPC CIDR
10.0.0.0/8         TGW            Cornell private CIDR

"All Campus" Routing

Private Subnet Route Table

Destination        Target         Notes
0.0.0.0/0          NAT Gateway    public internet
10.92.104.0/23     local          primary VPC CIDR
10.95.32.0/26      local          secondary VPC CIDR
10.0.0.0/8         TGW            Cornell private CIDR
128.84.0.0/16      TGW            Cornell public CIDR
128.253.0.0/16     TGW            Cornell public CIDR
132.236.0.0/16     TGW            Cornell public CIDR
192.35.82.0/24     TGW            Cornell public CIDR
192.122.235.0/24   TGW            Cornell public CIDR
192.122.236.0/24   TGW            Cornell public CIDR

Public Subnet Route Table

Destination        Target         Notes
0.0.0.0/0          IGW            public internet
10.92.104.0/23     local          primary VPC CIDR
10.95.32.0/26      local          secondary VPC CIDR
10.0.0.0/8         TGW            Cornell private CIDR
128.84.0.0/16      TGW            Cornell public CIDR
128.253.0.0/16     TGW            Cornell public CIDR
132.236.0.0/16     TGW            Cornell public CIDR
192.35.82.0/24     TGW            Cornell public CIDR
192.122.235.0/24   TGW            Cornell public CIDR
192.122.236.0/24   TGW            Cornell public CIDR
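The asymmetric routing risk called out for "All Campus" Public Subnets can be checked mechanically against the route tables above. The script below is an added example and is not part of this page or of the Cornell Direct Connect architecture; it reproduces the Hybrid Routing and "All Campus" Public Subnet route tables as listed, applies VPC longest-prefix-match semantics, and simulates a client connecting to an instance. The Elastic IP (203.0.113.10) and the instance's private address (10.92.104.25) are constructed for the illustration, as are the client addresses.

```python
"""Walk the page's public-subnet route tables with VPC longest-prefix-match
semantics and flag the asymmetric return path.  Added example; not part of
the original page.  Route CIDRs are those listed on the page; the Elastic IP,
instance address and client addresses are constructed for illustration."""
import ipaddress

# Public subnet route tables from the page: (destination CIDR, target).
PUBLIC_HYBRID = [
    ("0.0.0.0/0", "IGW"),
    ("10.92.104.0/23", "local"),
    ("10.95.32.0/26", "local"),
    ("10.0.0.0/8", "TGW"),
]
PUBLIC_ALL_CAMPUS = PUBLIC_HYBRID + [
    ("128.84.0.0/16", "TGW"),
    ("128.253.0.0/16", "TGW"),
    ("132.236.0.0/16", "TGW"),
    ("192.35.82.0/24", "TGW"),
    ("192.122.235.0/24", "TGW"),
    ("192.122.236.0/24", "TGW"),
]

# Constructed addresses for the worked scenario (not from the page).
EIP = "203.0.113.10"          # Elastic IP mapped to the instance by the IGW
PRIVATE_IP = "10.92.104.25"   # instance address inside the primary VPC CIDR


def lookup(routes, dst):
    """Target of the most specific route covering dst, as a VPC route table chooses."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def check_path(routes, client_ip, dst_used):
    """Simulate one client -> instance request and the instance's reply.

    dst_used is the address the client sends to: EIP (reached over the
    Internet, so the request enters through the IGW) or PRIVATE_IP (reached
    over Direct Connect, so it enters through the TGW).  The IGW applies its
    1:1 EIP<->private NAT only to packets that traverse it; a reply the route
    table hands to the TGW leaves with the private address as its source.
    """
    inbound_via = "IGW" if dst_used == EIP else "TGW"
    return_via = lookup(routes, client_ip)
    response_source = EIP if return_via == "IGW" else PRIVATE_IP
    return {
        "inbound_via": inbound_via,
        "return_via": return_via,
        "response_source": response_source,
        # Two-way communication works only if the reply comes back on the
        # same path, from the address the client actually sent to.
        "symmetric": inbound_via == return_via and response_source == dst_used,
    }


def asymmetric_client_prefixes(routes):
    """Client prefixes whose replies the table sends to the TGW instead of the IGW.

    An EIP-bound request from any of these gets an asymmetric reply.  10.0.0.0/8
    is listed too, but RFC 1918 sources reach an Elastic IP only through campus
    NAT, so the Cornell public prefixes are the realistic case.
    """
    return [cidr for cidr, target in routes if target == "TGW"]


if __name__ == "__main__":
    cases = [
        ("Cornell public client -> EIP, All Campus", PUBLIC_ALL_CAMPUS, "128.84.1.10", EIP),
        ("Cornell public client -> EIP, Hybrid", PUBLIC_HYBRID, "128.84.1.10", EIP),
        ("Internet client -> EIP, All Campus", PUBLIC_ALL_CAMPUS, "198.51.100.7", EIP),
        ("Cornell public client -> private IP over DX", PUBLIC_ALL_CAMPUS, "128.84.1.10", PRIVATE_IP),
    ]
    for name, table, client, dst in cases:
        r = check_path(table, client, dst)
        print(f"{name}: in via {r['inbound_via']}, back via {r['return_via']}, "
              f"reply from {r['response_source']}, "
              f"{'OK' if r['symmetric'] else 'ASYMMETRIC'}")
    print("All Campus prefixes affected:", asymmetric_client_prefixes(PUBLIC_ALL_CAMPUS))
```

Running it shows the two outcomes the bullets above describe: with the "All Campus" table a Cornell public client connecting to the Elastic IP gets its reply over the TGW from the instance's private address (asymmetric), while the same client against the Hybrid Routing table, an Internet client, or a Cornell client that addresses the private IP over Direct Connect all see a symmetric path. The same lookup can be pointed at a real route table exported with `aws ec2 describe-route-tables` to confirm which client prefixes a given public subnet would answer over Direct Connect.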