Deployment and Provisioning
In this group of lectures we run a hands on deployment of the next iteration of the Pizza Time solution. The Pizza Time business has been a success. It needs to support more customers and wants to expand to meet a global market.
We define our new solution, then walk through a hands on deployment that extends our scalability, availability and fault tolerance.
Hi, and welcome to this lecture.
In this lecture, we will discuss connectivity options. We will talk about VPC peering, we will talk about Hardware VPN, Software VPN, and Direct Connect.
The first one is VPC peering. Maybe you need to connect two VPCs. Maybe you start creating two separate applications, and now you need to connect them and you don't want to migrate everything you have in these two VPCs, so you just want to kind of connect these two VPCs. So, VPC peering does exactly that.
You will create a virtual connection between two VPCs. You must notice that these VPCs must live inside the same AWS Region. You can't have VPC peerings with VPCs in other regions. And the IP address, the range of these two VPCs, can't overlap, so you need to have VPC with different CIDR blocks.
One thing that is cool about VPC peering is that the VPCs doesn't need to be in the same account, so this VPC can be in one account and this VPC can be in another account, and that will work just fine. You just need to set the proper permissions.
Now talking about Hardware VPN. Hardware VPN is when you will create a VPN Gateway in your VPC. You create the VPN Gateway, and then you attach this to your VPC. You also need to configure a Customer Gateway. You need to configure the gateway inside your business or your network or whatever, and you need to create a Customer Gateway on the VPC console. The Customer Gateway will hold the information about the IP address that you want to connect, and then you need to set your Gateway appliance to connect to AWS.
After you have a Customer Gateway and a VPN Gateway configured on both ends, you need to configure a VPN Connection. The VPN Connection will hold the information about the connection itself. So, you can have more than one VPN Connection being sent to the same VPN Gateway. So, for example, you could have another connection to other branch offices in here, but you need to have a VPN Connection to each pair of VPN Gateway and Customer Gateway that you might have, so in here you'd have another VPN Connection going to another Customer Gateway, and in here you'd have the same thing.
Talking now about Software VPN. Software VPN will also work from a VPC, but instead of configuring a VPN Gateway, Customer Gateway, and a VPN Connection, as we have for the Hardware VPN, you will configure an EC2 instance instead. And you can install something like OpenVPN in that instance, and you can configure the instance to talk with your gateway in your network, or you could also connect to another VPC. For example, in a different region, using Software VPN. So, you'd have an instance running in the VPC in the Oregon region, for example, and another instance running OpenVPN in the Frankfurt region, and you'd connect those two. Just make sure that you have the proper security grooves, the proper network ACLs, and that these two VPN instances will live inside the public subnet, unless you have Direct Connect. Direct Connect is an awesome service, because you can create a connection between your company and AWS, and what will happen is that you won't have only access to a particular VPC. You have the ability to create private endpoints for all AWS services living in that region.
And I said all services, and that's true. You have access to all services with a private connection. So, for example, if you want to launch a new EC2 instance, you don't need to go over the internet in here and access the service. You can use your private Direct Connection and do the same thing that you would do using the internet. One thing though. Direct Connect, Hardware VPN, and Software VPN, all these type of connections, they are not redundant, so things can fail in this case. So, it is a best practice to have two types of connections. So, if you are using Hardware VPN, you can create more than one connection in here, so it is a best practice to create a secondary VPN Connection to the same endpoint, just to ensure high availability. But that's kind of obvious. The VPN Connection goes through the internet, so to have a really failover VPN Connection, you need to have two internet connections in your company, and you connect one to the first VPN Connection and the second to the second VPN Connection.
And you can create hybrid solutions. You can create a Hardware VPN with a Software VPN as a backup. You can create a Direct Connection with a Hardware VPN or a Software VPN as your backup connection.
About the Author
Eric Magalhães has a strong background as a Systems Engineer for both Windows and Linux systems and, currently, work as a DevOps Consultant for Embratel. Lazy by nature, he is passionate about automation and anything that can make his job painless, thus his interest in topics like coding, configuration management, containers, CI/CD and cloud computing went from a hobby to an obsession. Currently, he holds multiple AWS certifications and, as a DevOps Consultant, helps clients to understand and implement the DevOps culture in their environments, besides that, he play a key role in the company developing pieces of automation using tools such as Ansible, Chef, Packer, Jenkins and Docker.