Sunday, July 23, 2017

AWS subnet concerns

When laying out an AWS VPC, you will need to select a CIDR block for that VPC.

It is critical that you ensure your VPC's subnets will not collide or overlap with any other VPCs or with your local on-prem corporate networks.

Take this simple multi-region layout, with VPCs allocated on /20 boundaries.



These three containers (VPCs) are reachable back to Corp via Direct Connect connections. Alternatively they could be IPsec VPN tunnels. Direct Connect would eliminate any IPsec configuration, MTU issues, and complexity.

At the HQ these connections could easily be terminated at a security edge device or a gatekeeper that serves as the entry point into AWS and the respective VPC.

Traffic between regions could be carried via the AWS backbone or an internet IPsec connection. Traffic could indeed travel to customer VPCs held in another AWS account.




Network layout and subnet allocations need to be carefully crafted and thought out. Bad design up front could lead to duplicate networks, added complexity, and/or poor network routing in or out of the AWS instances.

Key checkpoints:

  1. Have a plan.
  2. Have an IP management solution like ipplan (http://iptrack.sourceforge.net/) or similar.
  3. Try to ensure room for growth, both now and in the future.
  4. Maintain IPv4 address boundaries and contiguous networks from a routing standpoint.
  5. Be aware of the maximum number and sizes of CIDRs.
  6. Don't overlook any local on-prem networks and what might need access, either locally or remotely.
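The overlap and boundary checks these checkpoints call for can be scripted before anything is built. The following is an added example (not code from the post), using Python's standard `ipaddress` module on a constructed sample plan; the range names and addresses are hypothetical, and the /16-to-/28 VPC size limit and the five reserved addresses per subnet are AWS's documented rules:

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (hypothetical values, not from the post): one
# corporate on-prem range plus three regional VPCs carved on /20 boundaries.
PLAN = {
    "corp-onprem":   "10.0.0.0/16",
    "vpc-us-east-1": "10.16.0.0/20",
    "vpc-us-west-2": "10.16.16.0/20",
    "vpc-eu-west-1": "10.16.32.0/20",
}

def find_overlaps(plan):
    """Return every pair of names whose ranges overlap (on-prem included)."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def on_boundary(cidr, prefixlen=20):
    """True if cidr is exactly a /prefixlen block with no host bits set,
    i.e. it sits on the allocation boundary the plan was designed around."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:        # host bits set: not a block start address
        return False
    return net.prefixlen == prefixlen

def vpc_size_ok(cidr):
    """AWS accepts an IPv4 VPC CIDR block only between /16 and /28."""
    return 16 <= ipaddress.ip_network(cidr, strict=False).prefixlen <= 28

def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 5

def next_free_block(plan, supernet, prefixlen=20):
    """First /prefixlen inside supernet that collides with nothing planned,
    which is where the next VPC (or growth) should land; None if full."""
    used = [ipaddress.ip_network(c, strict=False) for c in plan.values()]
    for cand in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None

if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLAN))
    print("next /20 in 10.16.0.0/16:", next_free_block(PLAN, "10.16.0.0/16"))
    for name, cidr in PLAN.items():
        print(name, cidr, "aligned" if on_boundary(cidr) else "MISALIGNED",
              usable_hosts(cidr), "usable hosts")
```

Feed it the real on-prem ranges as well as the VPC ranges; an overlap with Corp is exactly what a Direct Connect or VPN route will not be able to disambiguate.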


KenFelix



NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 
