Showing posts from 2017

AWS: DX Public VIF w/ VPN Failover

Here I'll provide a quick glimpse of how to set up a physical DirectConnect cross-connect to your AWS VPC with seamless resiliency via VPN failover.

First, you'll need to provision at least one DirectConnect (DX) connection to AWS. After you've done that, use the AWS console to create a new Public VIF on that connection (or connections):

In reality, a VIF is just a separate dot1q (802.1Q) VLAN and BGP peering session carried within the physical link between you and AWS at the exchange facility. The difference between a Public and a Private VIF is which prefixes are received and announced by each end. A private VIF, for instance, behaves much like a VPN connection: you receive the private VPC subnet(s) and announce your remote network's local IP space toward it.

With a public VIF, however, you'll instead receive AWS' public service endpoint prefixes, including those for EC2, S3, DynamoDB, and the VPN terminators. Side note: Depending on optional BGP communities that you might've specified…

Five Reasons I Love Juniper's SRX Firewall (and am cynical of NGFW)

A fair bit of my job is spent comparing network vendor solutions, and one of those solutions is the network firewall for the cloud tenant edge. While Cisco and other incumbents seem to be busy playing catch-up to market leader Palo Alto, I meanwhile still need solutions that aren't so intently focused on the enterprise.

To be clear, I totally understand the value an organization sees in a clean, single view into its information and intelligence gathering; however, some of us aren't designing for those features specifically, yet that is where the firewall market seems to be quickly heading.

It's for this reason that I find Juniper's SRX nicely blurs the lines between functions, blending the features of a traditional firewall and a traditional router into a single piece of metal (or VM). Here are five [opinionated] reasons behind that stance.

1. Has the Heart of Junos OS

A firewall appliance that doesn't compromise on robust routing, VPN, control-plane…

AWS Transit VPC: Don't fear the CSR!

What a difference a few years make... or do they? Since my 2013 entry on the same topic, inter-regional AWS overlay networking solutions have matured, at least ever so slightly. AWS has since provided a few more seamless ways to establish inter- and intra-regional VPC transport, though not all of them fully native.

VPC peering landed in 2014: a useful, natively integrated AWS product that disappoints only once one realizes it's restricted to intra-regional connectivity. While great for linking VPCs within a single region, you're still out of luck if you want to interconnect beyond those regional boundaries (e.g. US-East-1 <-> EU-West-1). Its non-transitive nature also limits the designs you can use even within a single region, since full connectivity between all of your VPCs would require a full mesh of peerings.

Then, in 2016, came what AWS calls the Transit VPC to tackle that very real issue of inter-regional …

Up and Rawring with TRex: Cisco's Open Traffic Generator

Network performance testing is hard. Historically it has required expensive equipment [cost-prohibitive for sub-$1B enterprises] starting at tens of thousands of dollars for what amounts to an overly complex traffic simulation appliance, which then practically requires a professional-level certification just to operate. Sound familiar at all?

Personally, I must admit that I've largely scoffed at the entire concept of simulated traffic testing, noble as it may be. I conceded that, as an engineer at a relatively budget-conscious organization, the only way to properly test something on the network was to simply put it into production, and then watch it from a safe distance whilst wearing a white lab coat and holding a pen and clipboard. Either it would perform admirably, or promptly catch fire and explode, indicating a yank-and-forget... or a step upgrade. Easy enough. That being said, it's just not every day that a big-name vendor offers a super useful tool completely free of cha…

AWS CloudFormation for NFV

Are you thinking of deploying virtual network appliances in Amazon EC2? If so, you'll eventually realize that launching instances in AWS from the wizard becomes cumbersome. Thinking long term, you'll likely need a more automated, repeatable approach. Enter: CloudFormation.

This entry will serve mostly as an introduction to 'infrastructure as code', especially for us dense, behind-the-times network types, but perhaps less so for those already well-versed in this arena.
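As an added illustration (not a template from the original post), here is a minimal CloudFormation template for one virtual network appliance in an existing VPC. It captures the two things a wizard-launched NFV instance most often gets wrong: the appliance's ENI must have source/destination checking disabled, because a router forwards packets it neither sourced nor owns, and a spoke route table must actually point at that ENI. The AMI, instance type, management CIDR, and the IPsec ports (UDP 500/4500) opened to the world are assumptions for a generic VPN/routing appliance; substitute your vendor's values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - single virtual network appliance (NFV) in an existing VPC

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Public subnet for the appliance's outside interface
  SpokeRouteTableId:
    Type: String
    Description: Route table of a spoke subnet whose traffic should transit the appliance
  RemoteCidr:
    Type: String
    Default: 10.0.0.0/8
    Description: Destination prefix to steer through the appliance (assumption)
  ApplianceAmiId:
    Type: AWS::EC2::Image::Id
    Description: Vendor appliance AMI (assumption - supply your own)
  InstanceType:
    Type: String
    Default: c4.large
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  MgmtCidr:
    Type: String
    Description: Only this CIDR may reach the appliance management plane (SSH)
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'

Resources:
  ApplianceSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Appliance management and VPN transit
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Management plane: locked to the operator's CIDR, never 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref MgmtCidr
        # IKE / NAT-T for IPsec peers (assumed VPN appliance)
        - IpProtocol: udp
          FromPort: 500
          ToPort: 500
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 4500
          ToPort: 4500
          CidrIp: 0.0.0.0/0

  ApplianceEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref SubnetId
      GroupSet:
        - !Ref ApplianceSg
      # Mandatory for any instance that forwards traffic; the wizard leaves it enabled
      SourceDestCheck: false

  Appliance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ApplianceAmiId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref ApplianceEni
          DeviceIndex: 0

  ApplianceEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  ApplianceEipAssoc:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt ApplianceEip.AllocationId
      NetworkInterfaceId: !Ref ApplianceEni

  # Steer spoke traffic for RemoteCidr into the appliance's ENI
  SpokeRouteViaAppliance:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref SpokeRouteTableId
      DestinationCidrBlock: !Ref RemoteCidr
      NetworkInterfaceId: !Ref ApplianceEni

Outputs:
  AppliancePublicIp:
    Value: !Ref ApplianceEip
  ApplianceEniId:
    Value: !Ref ApplianceEni
```

Because the route targets the ENI rather than the instance, you can replace the instance (new AMI, resized type) while keeping the ENI and its routes intact, which is the repeatability the wizard approach lacks. Check after a deploy that `SourceDestCheck` really reads false on the ENI; a silently re-enabled check is the usual reason an appliance "receives but never forwards".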