It critical that you ensure your VPCs subnets will not collide or overlap with any other VPCs or your local-OnPrem-Corporate networks.
Take this simple multiple region layout and with VPCs executed on /20 boundaries.
These 3 containers ( VPC ) are reachable back to Corp via DirectConnections. Alternatively they could be VPN-ipsec tunnels. The direct-connect would eliminate any IPSEC configuration, mtu issues, and complexity.
At the HQ these terminations could easily be terminate at a security edge device or a gatekeeper for the appearance into AWS and the respective VPC.
Traffic between regions could be carried via AWS backbone or a internet-IPSEC connection. Traffic could indeed travel to a customer VPCs held in another AWS account.
Network layout and subnet allocations needs to be carefully craft and thought out. Bad design upfront could lead into duplication networks and complexity and | or poor network routing in or out of the AWS instances.
Key CheckPoints;
- have a plan
- have a ip management solution like ipplan http://iptrack.sourceforge.net/ or similar
- try to ensure growth for the now and future
- maintain ipv4 address boundaries and contiguous networks from a routing concept
- be aware of the max numbers and sizes of CIDRs
- don't over look any local on-Prem networks and what might need access both locally or remotely
KenFelix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
No comments:
Post a Comment