REL02-BP02 Provision redundant connectivity between private networks in the cloud and on-premises environments
Implement redundancy in your connections between private networks in the cloud and on-premises environments to achieve connectivity resilience. This can be accomplished by deploying two or more links and traffic paths, preserving connectivity in the event of network failures.
Common anti-patterns:
-
You depend on just one network connection, which creates a single point of failure.
-
You use only one VPN tunnel or multiple tunnels that end in the same Availability Zone.
-
You rely on one ISP for VPN connectivity, which can lead to complete failures during ISP outages.
-
Not implementing dynamic routing protocols like BGP, which are crucial for rerouting traffic during network disruptions.
-
You ignore the bandwidth limitations of VPN tunnels and overestimate their backup capabilities.
Benefits of establishing this best practice: By implementing redundant connectivity between your cloud environment and your corporate or on-premises environment, the dependent services between the two environments can communicate reliably.
Level of risk exposed if this best practice is not established: High
Implementation guidance
When using AWS Direct Connect to connect your on-premises network to AWS, you can achieve maximum network resiliency (SLA of 99.99%) by using separate connections that end on distinct devices in more than one on-premises location and more than one AWS Direct Connect location. This topology offers resilience against device failures, connectivity issues, and complete location outages. Alternatively, you can achieve high resiliency (SLA of 99.9%) by using two individual connections to multiple locations (each on-premises location connected to a single Direct Connect location). This approach protects against connectivity disruptions caused by fiber cuts or device failures and helps mitigate complete location failures. The AWS Direct Connect Resiliency Toolkit can assist in designing your AWS Direct Connect topology.
You can also consider AWS Site-to-Site VPN ending on an AWS Transit Gateway as a cost-effective backup to your primary AWS Direct Connect connection. This setup enables equal-cost multipath (ECMP) routing across multiple VPN tunnels, allowing for throughput of up to 50Gbps, even though each VPN tunnel is capped at 1.25 Gbps. It's important to note, however, that AWS Direct Connect is still the most effective choice for minimizing network disruptions and providing stable connectivity.
When using VPNs over the internet to connect your cloud environment to your on-premises data center, configure two VPN tunnels as part of a single site-to-site VPN connection. Each tunnel should end in a different Availability Zone for high availability and use redundant hardware to prevent on-premises device failure. Additionally, consider multiple internet connections from various internet service providers (ISPs) at your on-premises location to avoid complete VPN connectivity disruption due to a single ISP outage. Selecting ISPs with diverse routing and infrastructure, especially those with separate physical paths to AWS endpoints, provides high connectivity availability.
In addition to physical redundancy with multiple AWS Direct Connect connections and multiple VPN tunnels (or a combination of both), implementing Border Gateway Protocol (BGP) dynamic routing is also crucial. Dynamic BGP provides automatic rerouting of traffic from one path to another based on real-time network conditions and configured policies. This dynamic behavior is especially beneficial in maintaining network availability and service continuity in the event of link or network failures. It quickly selects alternative paths, enhancing the network's resilience and reliability.
Implementation steps
-
Acquisition highly-available connectivity between AWS and your on-premises environment.
-
Use multiple AWS Direct Connect connections or VPN tunnels between separately deployed private networks.
-
Use multiple AWS Direct Connect locations for high availability.
-
If using multiple AWS Regions, create redundancy in at least two of them.
-
-
Use AWS Transit Gateway, when possible, to end your VPN connection.
-
Evaluate AWS Marketplace appliances to end VPNs or extend your SD-WAN to AWS. If you use AWS Marketplace appliances, deploy redundant instances for high availability in different Availability Zones.
-
Provide a redundant connection to your on-premises environment.
-
You may need redundant connections to multiple AWS Regions to achieve your availability needs.
-
Use the AWS Direct Connect Resiliency Toolkit to get started.
-
Resources
Related documents:
-
Using Redundant Site-to-Site VPN Connections to Provide Failover
-
Active/Active and Active/Passive Configurations in AWS Direct Connect
-
Amazon Virtual Private Cloud Connectivity Options Whitepaper
-
Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
-
Using redundant Site-to-Site VPN connections to provide failover
-
Using the AWS Direct Connect Resiliency Toolkit to get started
Related videos: