AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic
To get traffic from on-premises resources to AWS EC2, we can use VPN connections or AWS Direct Connect.
For VPN connections from on-premises gateways connect to the TGW as a VPN attachment.
Multiple tunnels and ECMP provide resiliency.
The architecture will share 5 topics:
1. AWS TGW Reference Architectures for Multi-VPC - 1/5 - Brief
2. AWS TGW Reference Architectures for Multi-VPC - 2/5 - Inbound Traffic
3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic
4. AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic
5. AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic
All Topology_v20211003(Need to wait for 30 sec to open the 5 web pages)
DOCUMENT CONVENTIONS:
Acronym:
Source IP: SIP
Source Port: SP
Destination IP: DIP
Destination Port: DP
AWS Elastic IP: EIP
GW: Gateway
==========Backhaul to On-Premises Traffic Flow==========
1. In the On-Premises, the DC_Server (172.16.1.x/24) will send traffic to a service on the WEB VPC.
This request is sent to a On-Premises DNS and then DNS returns an IP address for each of the load balancer’s enabled availability zones (10.2.10.0/28 or 10.2.10.16/28).
The DC_Server OS picks an IP address and sends the traffic. Packet will send to default GW.
In the default GW routing table shows 10.0.0.0/8 next hop is the VPN tunnel. This VPN is attached to TGW (ATT_VPN_DC).
(SIP: DC_Server 172.16.1.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
2. This TGW attachment (ATT_VPN_DC) associates with a TGW route table (RT_TGW_Spoke).
So RT_TGW_Spoke will check the next hop of traffic.
(SIP: DC_Server 172.16.1.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
3. In this RT_TGW_Spoke route table, it uses the static route (0.0.0.0/0) in the that route table to forward the traffic to the VPC_SEC.
So traffic will know the next hop is the ATT_VPC_SEC.
(SIP: DC_Server 172.16.1.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
4. When traffic reach the ATT_VPC_SEC, this attachment uses VPC attachment connect to VPC_SEC.
There are two subnets associate with this ATT_VPC_SEC. SEC_Landing-1a (10.1.255.0/28) and SEC_Landing-1b (10.1.255.16/28)
Due to the traffic is coming from AZ-1a, so traffic will go to SEC_Landing-1a (10.1.255.0/28) subnet.
(SIP: DC_Server 172.16.1.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
5. When traffic reach subnet (SEC_Landing-1a (10.1.255.0/28)), the route table (RT_SEC_Landing-1a) will check next hop.
The destination is use 0.0.0.0/0, next hop is the eni-NGFW-1-Eth1/2. So traffic will send to NGFW-1 Eth1/2 interface.
(SIP: DC_Server 172.16.1.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
6. When NGFW-1 get the traffic from interface Eth1/2, FW will do security profile filtering.
After filtering, NGFW-1 will do Source NAT (SNAT).
Without no SNAT, it is possible to have asymmetric traffic flowing through different NGFWs, which the NGFWs drop.
Source IP will be translate to NGFW-1 Trust interface IP address (Eth1/2: 10.1.3.x/24)
In the NGFW-1 routing table (RT_NGFW-1), the DIP (WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28)) match the route 10.0.0.0/8 and next hop is the GW IP (10.1.3.1/24) of Trust subnet (SEC_NGFW-1_Trust-1a).
So, traffic will send to the GW of the subnet (SEC_NGFW-1_Trust-1a) which is 10.1.3.1.
(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
7. When traffic into subnet (SEC_NGFW-1_Trust-1a (10.1.3.0/24)), the route table (RT_SEC_NGFW-1_Trust-1a) will check next hop.
The DIP (WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28)) match 0.0.0.0/0. So next hop is the TGW.
The VPC_SEC has an VPC attachment (ATT_VPC_SEC). Traffic will use this ATT_VPC_SEC into TGW.
The traffic will direct send to ATT_VPC_SEC.
(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
8. This TGW VPC attachment (ATT_VPC_SEC) associates with a TGW route table (RT_TGW_SEC).
So traffic next hop will check the RT_TGW_SEC.
(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
9. In this RT_TGW_SEC route table, there are three routes redistribute(propagation) into this route table.
The VPC_WEB, VPC_WEB and On-Premise use propagate redistribute 10.2.0.0/16, 10.2.0.0/61 and 172.16.0.0/16 into the RT_TGW_SEC.
The DIP match the route 10.2.0.0/16, so traffic will know the next hop is the ATT_VPC_WEB.
(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
10. When traffic reach the ATT_VPC_WEB, this attachment uses VPC attachment connect to VPC_WEB.
There are two subnets associate with this ATT_VPC_WEB. WEB_Landing-1a (10.2.255.0/28) and WEB_Landing-1b (10.2.255.16/28)
Due to the traffic is coming from AZ-1a, so traffic will go to WEB_Landing-1a (10.2.255.0/28) subnet.
(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
11. When traffic into WEB_Landing-1a (10.2.255.0/28) subnet, the route table (RT_WEB_Landing-1a) will check next hop.
The DIP match the route 10.2.0.0/16, next hop is the local. So traffic will send to WEB_ALB directly.
(SIP: NGFW-1_Eth1/2 10.1.3.x/24, DIP: WEB_ALB DNS(10.2.10.0/28 or 10.2.10.16/28), DP: 8443)
12. When traffic into WEB_ALB, WEB_ALB will do health check. WEB_EC2-1 is healthy, traffic will send to WEB_EC2-1.
When ALB setup the Target Groups by IP address with TCP or TLS:
The ALB will change the SIP to ALB network interface IP.
The ALB will use the Target Groups IP to rewrite the DIP.
The ALB will use the Target Groups port to rewrite the DP
WEB_ALB will translates the DIP to Target group instance (WEB_EC2-1: 10.2.1.x/24).
(SIP: WEB_ALB network interface 10.2.10.x/28, DIP: WEB_EC2-1 10.2.1.x/24, DP: 443)
13. After WEB_ALB change the SIP and DIP. Next step will check the route table(RT_WEB_ALB-1a)
Next hop is 10.2.0.0/16 local. so traffic will direct send to WEB_EC2-1
(SIP: WEB_ALB network interface 10.2.10.x/28, DIP: WEB_EC2-1 10.221.x/24, DP: 443)
==========Return Traffic Flow==========
1. In the WEB VPC, the instance (WEB_EC2-1) sends return traffic back to the WEB_ALB.
In the route table (RT_WEB_EC2-1a), use 10.2.0.0/16 next hop is Local.
Traffic will sent to WEB_ALB.
(SIP: WEB_EC2-1 10.2.1.x/24, SP: 443, DIP: WEB_ALB network interface 10.2.10.x/28)
2. When WEB_ALB receives the return traffic, WEB_ALB will change back the source IP, source port and destination IP.
The source IP will change back to WEB_ALB network interface 10.2.10.0/28
The destination IP will change back to NGFW-1_Eth1/2 10.1.3.x/24
The route table will use 0.0.0.0/0, next hop is TGW. So traffic will send to TGW attachment (ATT_VPC_WEB).
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)
3. This TGW attachment (ATT_VPC_WEB) associates with a TGW route table (RT_TGW_Spoke).
So traffic next hop will check the RT_TGW_Spoke.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)
4. In this RT_TGW_Spoke route table, there is only one static default route (0.0.0.0/0) and point to ATT_VPC_SEC.
So traffic will know the next hop is the ATT_VPC_SEC.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)
5. When traffic reach the ATT_VPC_SEC, this attachment uses VPC attachment connect to VPC_SEC.
There are two subnets associate with this ATT_VPC_SEC. SEC_Landing-1a (10.1.255.0/28) and SEC_Landing-1b (10.1.255.16/28)
Due to the traffic is coming from AZ-1a, so traffic will go to SEC_Landing-1a (10.1.255.0/28) subnet.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)
6. When traffic into subnet (SEC_Landing-1a (10.1.255.0/28)), the route table (RT_SEC_Landing-1a) will check next hop.
The next hop is the 10.1.0.0/16 local. So traffic will send to NGFW-1 Eth1/2 interface.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: NGFW-1_Eth1/2 10.1.3.x/24)
7. When NGFW-1 receives the traffic from interface Eth1/2.
According to the session ID, NGFW will know this is a return traffic.
NGFW-1 will do Destination NAT(DNAT).
Destination IP will be translate back to DC_Server 172.16.1.x/24.
In the NGFW-1 route table (RT_NGFW-1), destination IP match the route 172.16.0.0/16, the next hop is the GW IP (10.1.3.1/24) of Trust subnet (SEC_NGFW-1_Trust-1a).
So, traffic will send to the subnet (SEC_NGFW-1_Trust-1a).
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: DC_Server 172.16.1.x/24)
8. When traffic into subnet (SEC_NGFW-1_Trust-1a (10.1.3.0/24)), the route table (RT_SEC_NGFW-1_Trust-1a) will check next hop.
The DIP (DC_Server 172.16.1.x/24) match 0.0.0.0/0. So next hop is the TGW.
The VPC_SEC has an VPC attachment (ATT_VPC_SEC). Traffic will use this ATT_VPC_SEC into TGW.
The traffic will direct send to ATT_VPC_SEC.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: DC_Server 172.16.1.x/24)
9. This TGW VPC attachment (ATT_VPC_SEC) associates with a TGW route table (RT_TGW_SEC).
So traffic next hop will check the RT_TGW_SEC.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: DC_Server 172.16.1.x/24)
10. In this RT_TGW_SEC route table, there are three routes redistribute(propagation) into this route table.
The VPC_WEB, VPC_WEB and On-Premise use propagate redistribute 10.2.0.0/16, 10.2.0.0/61 and 172.16.0.0/16 into the RT_TGW_SEC.
The DIP match the route 172.16.0.0/16, so traffic will know the next hop is the ATT_VPN_DC.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: DIP: DC_Server 172.16.1.x/24)
11. When traffic reach the ATT_VPN_DC, this attachment uses VPN attachment connect to VPC_DC.
So traffic will go to VPN tunnel to the on-premises VPN device.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: DC_Server 172.16.1.x/24)
12. When traffic into On-Premise local network (172.16.0.0/16) through a VPN device, the route table (RT_DC_Server) will check next hop.
The DIP match the route 172.16.0.0/16, next hop is the local. So traffic will send to DC_Server directly.
(SIP: WEB_ALB network interface 10.2.10.x/28, SP: 8443, DIP: DC_Server 172.16.1.x/24)
Reference:
1. AWS TGW Reference Architectures for Multi-VPC - 1/5 - Brief
2. AWS TGW Reference Architectures for Multi-VPC - 2/5 - Inbound Traffic
3. AWS TGW Reference Architectures for Multi-VPC - 3/5 - Outbound Traffic
4. AWS TGW Reference Architectures for Multi-VPC - 4/5 - East-West Traffic
5. AWS TGW Reference Architectures for Multi-VPC - 5/5 - Backhaul to On-Premises Traffic
最初發表 / 最後更新: 2021.10.03 / 2021.10.03
0 comments:
張貼留言