This article is authored by John Smith, Lead Architect at AWS, and Lisa Doe, Senior Solutions Architect at AWS. AWS Outposts extends core AWS services, infrastructure, and operational models to nearly any data center, co-location facility, or on-premises setting. When deploying Outposts servers within your environment, it is crucial to consider local network connectivity alongside Amazon Elastic Compute Cloud (Amazon EC2) instance networking. This article illustrates the scalability of Outposts servers via automation and the deployment of Amazon EC2 network interfaces, significantly minimizing the number of manual steps required for Outposts server configuration.
We will detail the physical connections necessary for linking your servers to your Local Area Network (LAN) and explore the networking options available for EC2 instances operating on Outposts. Topics covered include physical cabling choices, virtual networking elements like VPCs and subnets, and an example setup for an EC2 instance featuring a user-data script to manage local traffic over your on-premises network. If you require a refresher on Outposts servers, consider visiting this blog post. For additional guidance on provisioning your Outposts server, refer to Installing an AWS Outposts server.
Amazon EC2 Networking Basics with a Single Interface
When you launch an EC2 instance on an Outposts server, a single interface is established for network connectivity. This default setting, illustrated in the diagram below, represents the most straightforward method for your instance to communicate externally.
Figure 1: Basic Network Connectivity on an Outposts Server
Deploying an EC2 instance on an Outposts server entails certain distinctions when using the default Elastic Network Interface (ENI) versus deployment within an AWS Region. Recognizing these differences is essential before modifying network configurations during the next phase.
Key ENI Differences between Outposts Servers and the Region:
- Primary Interface: The primary interface is an ENI linked to a subnet within a VPC that extends from the Region to the Outposts server.
- IP Address Configuration: The guest operating system (OS) of the EC2 instance’s primary network interface must be set to obtain an IP address via DHCP, with the assigned address coming from the IP address range of the VPC subnet associated with the Outposts server.
- Security Group: An ENI is associated with a security group that exists within the VPC extended from the Region. Users must apply suitable access control rules to allow access to the EC2 instance. Reusing existing security groups within the VPC is permissible.
- Outbound Traffic: By default, an EC2 instance uses its ENI to channel outbound traffic toward the VPC subnet, following the routing table linked to the Outposts server’s VPC subnet.
- Inbound Traffic: If only the ENI is utilized, inbound traffic aimed at EC2 instances on Outposts servers must navigate through the service link. In the previous diagram, communication with the EC2 instance occurs over the internet. Incoming traffic passes through the Internet Gateway of the VPC, reaching the appropriate subnet of the Outposts server via the service link before arriving at the EC2 instance. Necessary VPC components (Internet Gateway and related routing table entries) must be configured for internet access.
- Local Network Connectivity: Using the ENI does not provide local network connectivity. Further information on achieving this connectivity can be found in the subsequent section on the Outposts server Local Network Interface (LNI).
Local Network Connectivity for EC2 Instances
Outposts servers enable communication through the Local Network Interface (LNI) alongside the ENI. The LNI serves as a logical networking component that connects Amazon EC2 instances in your Outposts subnet to your on-premises network.
Local Communication Characteristics of EC2 Instances on Outposts:
- Local network traffic requires the implementation of an LNI.
- Subnets on Outposts servers must be enabled for LNIs. This can be accomplished with the following command:
aws ec2 modify-subnet-attribute \
    --subnet-id subnet-1a2b3c4d \
    --enable-lni-at-device-index 1
- IP address assignment for the LNI can be either DHCP or static.
- VPC security groups cannot be applied to the LNI. To regulate traffic on the LNI, consider utilizing OS-based firewalls, external on-premises firewalls, or other security devices.
- Amazon CloudWatch metrics are available for each LNI.
- Outposts servers do not tag VLAN traffic; if VLAN tags are necessary, they must be applied to network interface settings within the guest OS. Multiple VLAN interfaces can exist within a single LNI, using the LNI as a VLAN trunk.
- The performance of local traffic bandwidth is dependent on the instance type; larger instance types yield better throughput, with a maximum of 10 Gbps.
- EC2 instances that facilitate local communication will always have at least two interfaces: one ENI and one or more LNIs. Therefore, the instance OS’s routing table must be configured according to desired traffic behavior.
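Two of the points above (no security groups on the LNI, and VLAN tagging done inside the guest OS) are things a practitioner has to implement themselves. The script below is an added example and is not code from the AWS article: it writes a systemd-networkd VLAN sub-interface on top of the LNI trunk and an nftables ruleset that filters only what arrives on the LNI and its VLANs, leaving ENI traffic to the security group. Assumed values: the LNI appears in the guest as ens6 (the article only names the ENI, ens5), VLAN 100 is the on-premises VLAN, and only TCP 22 and 443 should be reachable from the local network. Every file is written below the directory passed as the first argument, so the functions can be exercised unprivileged in a scratch directory before being run as root against / on the instance.

```shell
#!/bin/bash
# Added example, not part of the AWS article. Assumed names: the LNI appears
# in the guest as "ens6" (the article only names the ENI, ens5), VLAN 100 is
# the on-premises VLAN to join, and only TCP 22/443 should be reachable from
# the local network. Every file is written below the directory given as the
# first argument, so the functions can be exercised unprivileged in a scratch
# directory; on the instance they are run as root against "/".
set -eu

# Create a VLAN sub-interface on top of the LNI trunk with systemd-networkd.
# Args: root dir, LNI name, VLAN id.
# The 60- prefix sorts before the 70-<nic>.network file that Amazon Linux
# generates under /run, so this profile wins the [Match] for the trunk.
write_lni_vlan() {
  local root="$1" lni="$2" vid="$3"
  local dir="$root/etc/systemd/network"
  mkdir -p "$dir"
  # Trunk: no address of its own, only the VLAN attachment.
  cat > "$dir/60-${lni}.network" <<EOF
[Match]
Name=${lni}

[Network]
VLAN=${lni}.${vid}
LinkLocalAddressing=no
EOF
  # Tagged sub-interface; the 802.1Q tag is applied here, in the guest OS.
  cat > "$dir/60-${lni}.${vid}.netdev" <<EOF
[NetDev]
Name=${lni}.${vid}
Kind=vlan

[VLAN]
Id=${vid}
EOF
  # The sub-interface gets its address (and default route) from the local DHCP server.
  cat > "$dir/60-${lni}.${vid}.network" <<EOF
[Match]
Name=${lni}.${vid}

[Network]
DHCP=ipv4
EOF
}

# Write an nftables ruleset that filters only what arrives on the LNI trunk or
# its VLAN sub-interfaces (iifname wildcard), leaving ENI traffic to the
# security group. Args: root dir, LNI name, space-separated TCP ports to allow.
write_lni_nft() {
  local root="$1" lni="$2" ports="$3"
  local portlist
  portlist=$(printf '%s' "$ports" | tr ' ' ',')
  mkdir -p "$root/etc"
  cat > "$root/etc/nftables-lni.conf" <<EOF
table inet lni_filter {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "${lni}*" jump lni_in
  }
  chain lni_in {
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request accept
    tcp dport { ${portlist} } accept
    drop
  }
}
EOF
}

# On the instance (as root): write into / and activate.
if [ "${1:-}" = "--apply" ]; then
  write_lni_vlan / ens6 100
  write_lni_nft / ens6 "22 443"
  networkctl reload
  nft -f /etc/nftables-lni.conf
fi
```

The ruleset keeps the input chain's policy at accept and jumps to lni_in only for interfaces whose name starts with the LNI name, so the ENI path is untouched and its security group remains the control there; on the LNI side everything not explicitly listed is dropped. Run with --apply as root on the instance, or call the two functions with a scratch directory to inspect the generated files first.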
Example Configuration: Local Traffic for EC2 Instance on Outposts Server
Figure 2: Example Scenario Topology
In this example, we aim to launch an Amazon Linux 2023 instance and route all default traffic through the local network. Eth0 serves as the primary interface (ENI) for traffic directed toward the Region, while Eth1 operates as the LNI for all other traffic. A user-data script facilitates the necessary routing modifications at launch.
Here’s a sample user-data script. These commands execute as root, eliminating the need to prepend each command with sudo.
User Data Script (my_userdata.txt):
#!/bin/bash
# Pin the VPC CIDR to the ENI gateway, then remove the default route that
# currently points at the ENI so the LNI's DHCP-learned default route takes over.
# (The net-tools "route" command is not installed by default on Amazon Linux 2023,
# so the iproute2 "ip route" form is used.)
ip route add 172.31.0.0/16 via 172.31.239.1
ip route del default via 172.31.239.1
# Make the change survive a reboot: copy the systemd-networkd files generated
# under /run to /etc (where they take precedence), add the VPC route to the ENI
# profile, and stop the ENI profile from installing a default route from DHCP.
cp -RL /run/systemd/network/* /etc/systemd/network/
printf '\n[Route]\nDestination=172.31.0.0/16\nGateway=172.31.239.1\nGatewayOnLink=yes\n' >> /etc/systemd/network/70-ens5.network
sed -i -e 's/UseGateway=true/UseGateway=false/g' /etc/systemd/network/70-ens5.network.d/eni.conf
Breaking down this script reveals the intent behind each command:
ip route add 172.31.0.0/16 via 172.31.239.1
ip route del default via 172.31.239.1
When an instance is initiated on an Outposts server, it inherently possesses a default route directing traffic toward the VPC through the ENI. In our example scenario, the goal is to route all default traffic through the LNI toward our on-premises LAN, rather than via the ENI. To achieve this routing behavior, we first add a route toward the VPC and subsequently eliminate the default route. The first command adds a route through the VPC (172.31.0.0/16), utilizing 172.31.239.1 as the gateway, while the second command removes the default route using 172.31.239.1 (via the ENI) as the gateway.
Traffic not destined for the VPC routes through the LNI, which covers all local and internet-bound traffic. The local network’s DHCP server supplies a default gateway in its DHCP lease, so the LNI automatically receives a default route. Any traffic without a more specific route, including internet traffic, is therefore sent out the LNI.
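After the user-data script has run, the thing to verify is that the guest routing table really has the shape just described: the VPC prefix pinned to the ENI gateway, and exactly one default route that is not the ENI's. The check below is an added example, not the article's own code. It assumes the article's VPC CIDR (172.31.0.0/16) and ENI gateway (172.31.239.1), uses ens5 for the ENI as in the script and an assumed ens6 for the LNI, and reads `ip route show` text from stdin so it can be exercised against constructed samples as well as the live table.

```shell
#!/bin/bash
# Added example, not from the AWS article: verify that the routing table has
# the intended shape after the user-data script ran:
#   - the VPC CIDR is reached via the ENI gateway, and
#   - there is exactly one default route and it is NOT via the ENI gateway
#     (so it must be the one the LNI learned from the local DHCP server).
# Assumed values: VPC CIDR 172.31.0.0/16 and ENI gateway 172.31.239.1 from the
# article; ens5 = ENI (from the article's script), ens6 = LNI (assumed name).
set -u

# Args: vpc_cidr, eni_gateway. Reads "ip route show" text from stdin.
# Returns 0 when routing is as intended, 1 otherwise (reason printed).
check_lni_routing() {
  local vpc="$1" eni_gw="$2" routes vpc_re gw_re defaults
  routes=$(cat)
  # Escape dots so the CIDR and gateway are matched literally.
  vpc_re=$(printf '%s' "$vpc" | sed 's/[.]/\\./g')
  gw_re=$(printf '%s' "$eni_gw" | sed 's/[.]/\\./g')
  # Region-bound traffic (and replies to anything that arrived over the
  # service link) must still leave via the ENI gateway.
  if ! printf '%s\n' "$routes" | grep -Eq "^${vpc_re} via ${gw_re} "; then
    echo "missing: route to ${vpc} via ${eni_gw} (ENI)"
    return 1
  fi
  # Two default routes (ENI + LNI) would leave the outcome to metrics; none
  # would cut the instance off from the local network and the internet.
  defaults=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
  if [ "$defaults" -ne 1 ]; then
    echo "expected exactly one default route, found ${defaults}"
    return 1
  fi
  if printf '%s\n' "$routes" | grep -Eq "^default via ${gw_re} "; then
    echo "default route still points at the ENI gateway ${eni_gw}"
    return 1
  fi
  echo "ok: default route -> $(printf '%s\n' "$routes" | grep '^default ' | awk '{print $3, "dev", $5}')"
  return 0
}

# Constructed sample of "ip route show" once the user-data script has worked.
GOOD_ROUTES='default via 192.168.10.1 dev ens6 proto dhcp src 192.168.10.57 metric 1024
172.31.0.0/16 via 172.31.239.1 dev ens5 proto static onlink
172.31.239.0/24 dev ens5 proto kernel scope link src 172.31.239.12
192.168.10.0/24 dev ens6 proto kernel scope link src 192.168.10.57'

# Constructed sample of the stock state before the script ran: the ENI's
# DHCP default route is still present alongside the LNI's.
STOCK_ROUTES='default via 172.31.239.1 dev ens5 proto dhcp src 172.31.239.12 metric 512
default via 192.168.10.1 dev ens6 proto dhcp src 192.168.10.57 metric 1024
172.31.239.0/24 dev ens5 proto kernel scope link src 172.31.239.12
192.168.10.0/24 dev ens6 proto kernel scope link src 192.168.10.57'

# With --live, check the instance's actual routing table.
if [ "${1:-}" = "--live" ]; then
  ip route show | check_lni_routing 172.31.0.0/16 172.31.239.1
fi
```

Running it with --live on the instance (or piping `ip route show` into check_lni_routing) gives a one-line verdict that can be dropped into a post-launch health check; on the constructed stock sample it fails because two default routes are present, on the good sample it reports the LNI gateway.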
The user-data script further ensures that the network settings persist after a reboot. The procedure varies based on your OS; for Amazon Linux 2023, systemd-networkd is employed. For a more comprehensive understanding of this topic, check out this excellent resource and refer to this authoritative source.