AWS re:Inforce 2022 - Building and securing cloud-native WAN using new AWS services (NIS309)

A transition is underway in enterprise networking. Organizations are incorporating new, cloud-native, wide-area networking services into their infrastructure because of their ability to create and configure connectivity on the fly—with elastic capacity and consumption-based pricing. In this session, learn how to get started with cloud-native networks using the new AWS Cloud WAN and AWS Direct Connect SiteLink services. The session begins with a simple architecture and then dives into real-world use cases that include details on how these services work with your SD-WAN, AWS Direct Connect, and AWS Transit Gateway usage.

Learn more about AWS re:Inforce at https://bit.ly/3baitIT.



Content

0.9 -> - Hey, everyone. I'm Nick Matthews.
2.46 -> I am a Principal Product Manager on the VPC team.
5.91 -> So I lead AWS Cloud WAN.
9.39 -> Which is what we'll be talking about a lot today.
13.17 -> And so, we're gonna talk about doing a wide area network.
18.03 -> This is AWS, so some people know what that is,
19.65 -> some people don't.
20.483 -> I think you guys probably all do.
22.11 -> But wide area network is just a long network.
25.59 -> So if you strung a Cat 5 cable across the country,
28.29 -> that'd technically be a wide area network.
30.787 -> And AWS has put a lot of cable,
32.4 -> a lot of fiber into the ground.
34.77 -> And how would you go about using that
36.93 -> if you were going to try to build a wide area network?
40.92 -> So we're actually gonna start here
43.65 -> with a little bit of a history lesson.
45.33 -> So I've been here for a little over six years
47.28 -> doing these types of presentations.
49.11 -> And I've actually started to see
50.91 -> some of the same patterns that happened six years ago,
53.61 -> you know, and beyond start happening again,
56.7 -> even though we've built a lot of new things
58.59 -> to solve those old problems.
60.18 -> And so, if you go back in sort of history, right?
64.89 -> Virtual private cloud, VPC, is one of our favorite things.
68.49 -> You know, we've got customers
69.33 -> with thousands of these things.
71.22 -> But there was a time where we thought
72.45 -> customers just needed one.
74.19 -> And we just called it a virtual data center.
75.99 -> And so, we said, hey, look.
77.13 -> If we have the correct IAM
79.44 -> and the correct security group type things,
81.9 -> you could put hundreds or thousands
83.46 -> of different types of customers
85.08 -> and your business units in the same VPC.
87.84 -> And we've got people that do that.
90.36 -> And we thought that was how people should build the cloud.
93.356 -> You know, and then I think what happened
95.79 -> is we did more enterprise type stuff.
98.94 -> If you're a company, you're probably more used to saying,
101.43 -> hey, you know, someone wants to build a new app.
103.29 -> So we're gonna give them a subnet off the firewall,
106.16 -> or you know, a slash 24.
108.39 -> And then that's their kind of playground
110.49 -> for them to do networking things.
114.09 -> And then, that kind of maps more closely
116.4 -> to like an AWS account.
117.93 -> And so we found customers wanted to
119.13 -> have lots and lots and lots of different AWS accounts,
121.47 -> 'cause they didn't want people to have to share accounts,
124.11 -> either for billing reasons or security reasons or whatnot.
126.84 -> Which also means they get lots and lots of VPCs.
128.937 -> And so, customers were doing this whole Transit VPC thing
132.96 -> where they were using our own VPN service
135.27 -> in combination with some EC2 instances running routers.
138.21 -> And as you can see here,
139.77 -> there's lots and lots of lines, you know.
142.02 -> Two VPN connections for every single VPC.
145.23 -> But you do get this kind of pretty thing at the bottom
147.45 -> where you get one set of VPNs
148.77 -> and Direct Connects at the bottom,
149.88 -> which is what everyone wanted.
151.38 -> 'Cause no one wants to set up
152.73 -> a whole nother two or four VPNs
154.115 -> every time they create a new VPC.
158.31 -> And so we took that feedback, listened,
160.83 -> and you know, four years ago or so,
164.55 -> we created Transit Gateway.
165.87 -> So that was like the native version
168 -> of doing a Transit VPC.
169.23 -> And so there's a cloudy goodness in this, right?
172.68 -> So it scales horizontally.
175.2 -> You can go up to 50 gigs of bandwidth.
178.14 -> Thousands of attachments,
179.49 -> and you still get the sort of pretty VPN
181.795 -> and direct connect consolidation at the bottom.
185.73 -> And so this has been a super popular architecture.
188.46 -> It is the way that customers--
190.35 -> This reference architecture
191.28 -> that I actually built in 2018 still holds up.
194.1 -> And a lot of customers are doing this.
196.8 -> But we're seeing some things that kind of go back
198.99 -> to the problems we had with Transit VPC.
200.7 -> So I can expand on that a little bit.
203.01 -> So essentially, if we take a look,
205.026 -> we kind of start from scratch.
206.91 -> What a lot of customers have is
208.02 -> they have a data center with some dusty, crusty servers.
211.26 -> And then, you know, connect into VPN
213.42 -> or Direct Connect to a Transit Gateway and a couple VPCs.
217.2 -> This does all the stuff we want it to do,
218.79 -> but then there's some other things
219.87 -> we'd probably want too.
221.19 -> So for example, as we start moving these servers up,
223.89 -> going from dusty, crusty to magic EC2 instances,
228.21 -> then what happens is maybe someone sets up a Control Tower
230.79 -> or they want 20 or 30 more VPCs,
232.68 -> or 20 or 30 or 40 more accounts,
235.68 -> or more dev test product type environments,
238.11 -> and you have more VPCs.
239.91 -> Each of these VPCs, you need to create a route,
242.28 -> create an association,
243.75 -> propagate it to the other route tables,
245.67 -> and there's some sort of manual clicking involved.
247.59 -> So a lot of people end up looking
248.58 -> at things like network automation.
251.04 -> And so, you know,
252.12 -> how would you actually build this with automation?
253.65 -> Well, you can do some of it
254.76 -> with CloudFormation and Terraform.
257.52 -> But we just end up seeing a lot of customers
258.84 -> build like for example, Lambda code,
260.43 -> to automatically accept attachments,
261.9 -> or automatically propagate as they come on.
265.11 -> So it's one of the things these customers
266.487 -> are having to do in this situation.
269.04 -> The other thing is now we get some more instances,
271.2 -> get the data sort of moved out.
272.49 -> A lot of times people end up going multi-region,
274.95 -> either for disaster recovery,
276.9 -> or because maybe they have a company
279.544 -> and some people in a different area,
281.58 -> or maybe their users are there.
283.5 -> And they have to go multi-region.
284.76 -> So they create a peering connection
286.47 -> between their Transit Gateway.
287.91 -> Again, more sort of manual inputting of routes
291.21 -> and trying to make sure that all the routes on the left
293.19 -> and all the routes on the right
294.48 -> get sort of summarized and sent to the right spots.
297.72 -> Just a lot of work, to be honest.
300.84 -> Security tends to be another one.
302.13 -> So often when we see customers start off in this model,
305.61 -> they will keep the security in their data center.
308.28 -> So they'll send all the internet traffic from AWS,
310.8 -> going through a data center,
312.51 -> back into their sort of trusted,
314.1 -> loving, warm and fuzzy security stack.
316.44 -> Because the security people know it
317.94 -> and compliance people know it,
319.29 -> and there's 300 check boxes you need.
321.63 -> You know, you can check them all on premises.
323.91 -> But you find out that like,
325.14 -> hey, I have a machine learning workload
326.7 -> sending stuff to another thing in AWS,
329.067 -> and it needs to use a public endpoint.
331.05 -> So we're sending like all this machine data
333.33 -> and user data and bulk data back down
335.94 -> through our skinny VPN or Direct Connect pipe,
338.07 -> out the internet, and then back up to AWS again.
340.02 -> That doesn't make any sense.
341.61 -> But security likes it.
343.26 -> So the concept is, you know,
345.3 -> hey, let's take that security stack
346.71 -> and let's move it into AWS.
347.94 -> The internet's still scary.
349.56 -> We'll still have that security stack,
351.09 -> but it will just look differently.
352.29 -> It'll be built on cloud-native security constructs,
354.69 -> which hopefully you've heard a lot
356.25 -> about this week in other sessions.
359.37 -> The other one ends up becoming kind of this extensibility.
362.43 -> You're running, you're doing well on your network,
364.8 -> and someone throws a wrench at ya,
365.94 -> and now you have another company that,
367.83 -> you know, you need to worry about.
369.709 -> Or maybe it's the development group
371.351 -> that doesn't follow IT standards
373.8 -> and doesn't have full control of it.
376.56 -> And so, how do you handle that?
377.88 -> So now it's like, all right,
378.713 -> well, we need to peer their Transit Gateway into ours.
380.4 -> We need to create more VPN connections.
382.11 -> And we're starting to get a lot of lines here again, right?
384.21 -> A lot of things that we need to manage
386.37 -> and sort of click around for.
388.451 -> And then you have this other thing,
389.88 -> like all right, well, now my data center is almost empty.
393.06 -> How would I create--
394.56 -> You know, what do I do with my WAN?
396 -> I've homerunned everything to that data center.
398.85 -> But now I need to get all that into AWS as well.
400.89 -> I've got business partners, or I've got the WAN.
405.09 -> You know, there's other things that look like clouds.
407.55 -> And you know, gotta connect that somehow.
410.04 -> How would we make that work?
411.57 -> And so this is kind of the rough agenda,
414.33 -> 'cause we're gonna take this mess
416.28 -> and kind of turn it into this.
418.14 -> Which is, let's put Cloud WAN in the middle of this thing.
422.531 -> And so figure out, how would we simplify
426.24 -> these sort of more complicated
427.65 -> and more sort of intricate designs into something simple?
430.86 -> And so, you know, some of the things with Cloud WAN,
433.59 -> for example, it's global.
434.82 -> It's got built-in automation.
436.53 -> There's built-in segmentation.
438.78 -> There's interoperability with Transit Gateway.
440.973 -> It also supports dynamic routing.
443.16 -> So it's gonna fix and work with a lot of those problems
444.99 -> that we're talking about.
447.36 -> So if we dive in real quick.
449.61 -> I'll sort of go piece by piece
450.96 -> and show you how this stuff works.
453.39 -> So essentially, we start off with regions.
458.01 -> Cloud WAN is a global networking service,
459.84 -> which means it will run across those regions.
463.59 -> You don't have to do each one region by region,
465.75 -> like you do with Transit Gateway.
467.4 -> So you start off with this concept of a global network.
469.47 -> The global network is an existing thing.
471.12 -> We launched that a couple years ago
472.41 -> as part of Network Manager.
474 -> And it's basically the container, right now at least,
476.4 -> how it was being used is for Transit Gateways.
478.65 -> So you could register your Transit Gateway
479.76 -> as part of a global network.
481.23 -> And then you could go into the Network Manager console
483 -> and see all your sort of pretty things.
484.92 -> Topology graphs, metrics, logs.
488.16 -> You know, it's mostly a visibility tool.
490.41 -> So with Cloud WAN, what we've done is
491.7 -> we've added a whole new portion to
493.2 -> the global network called a core network.
496.35 -> So this core network is kind of
497.183 -> the demarcation line of where AWS takes
499.59 -> more of hands-on approach to this routing concept
502.65 -> as opposed to TGWs.
504.15 -> But since it's still within
505.05 -> the same global network sort of container,
507.3 -> we can essentially look and manage
509.25 -> both of them simultaneously.
511.5 -> And so, the core network,
513.48 -> underneath the hood is running something
514.71 -> called a core network edge.
516.21 -> There's one of those per region.
517.32 -> It's essentially, you can think of it like a TGW,
519.93 -> except for you don't have API access to it.
524.04 -> From there, you create attachments,
525.9 -> much like you would with Transit Gateway.
527.58 -> So VPC, VPN, Connect for SD-WAN.
533.49 -> And then you attach all those things to your core network
536.7 -> and the regions you've selected.
539.1 -> From there, you know, you can also now--
542.93 -> So we went GA two weeks ago in New York.
545.85 -> You can now attach a Transit Gateway to Cloud WAN.
548.85 -> Which means if you have existing VPCs
550.5 -> or an existing Direct Connect,
551.94 -> any of those types of things,
553.53 -> you can attach your Transit Gateway to Cloud WAN
555.78 -> and then now all that's gonna sort of flow through.
558.66 -> And then, underneath this is a new concept
561.03 -> called core network policy.
562.74 -> So core network policy is essentially
564.045 -> a single JSON document that represents
567.15 -> the intent of your network.
568.95 -> And so, you build this JSON document out,
571.14 -> or click around the console.
572.34 -> You don't have to go with JSON.
574.744 -> And then it builds the configuration out.
576.6 -> That configuration has a few different parts.
578.7 -> One of them defines, for example, the segments.
581.31 -> So the segments tell you,
582.93 -> basically your layer three isolated routing domains.
586.29 -> And then segment actions,
588.33 -> like what should happen between these segments,
590.46 -> which is primarily routing.
592.05 -> Should we share routes?
592.883 -> Should we add the static routes?
596.34 -> And then there are attachment policies.
599.25 -> So essentially what we've done is we've automated
602.49 -> the way that attachments map to segments.
606.24 -> And the primary way to do that is through tags.
609.15 -> So essentially, as you create an attachment,
612.09 -> you give it a tag,
613.02 -> and that tag is now gonna map it to a segment.
615.75 -> So you don't have to manually take attachments
617.91 -> and push them on a segment or anything like that.
619.896 -> That's the automation we've built in.
624.45 -> Cool, so as opposed to me going through
626.79 -> and telling you all the things we can do,
628.29 -> I'm gonna turn this into a bit of a story here.
630.15 -> We'll see how this goes.
632.16 -> So how many of you are like networking people?
636.03 -> How many of you are like security people?
638.73 -> How many of you are like developer people?
641.67 -> Okay, so we have some identity crisis here.
644.55 -> I think there's a lot of overlap.
646.41 -> But that pretty much covers everyone, I think.
649.47 -> And so the idea is that you,
650.31 -> as a network cloud security type person.
653.19 -> And all the people that bug you for network stuff
654.96 -> and security stuff and what they want.
656.85 -> And sort of how this sort of builds through
658.68 -> in a semi-realistic kind of scenario.
662.76 -> So you get this.
666 -> You're sitting around doing your job.
668.88 -> Someone builds out this giant proposal.
671.04 -> Maybe it's get an official IT project
672.72 -> and code name associated with it to build a,
675.554 -> you know, a brand new sort
677.07 -> of self-service thing on the cloud.
679.68 -> The developers are running a million miles an hour,
681.63 -> which is great.
682.56 -> You want them to do that.
683.61 -> But someone's gotta sort of tame that
685.92 -> and keep control of it,
686.877 -> and sort of keep it in governance, but also move fast.
690.48 -> At Amazon, this is probably what we would get.
692.58 -> We would probably get this document.
693.87 -> The probably most unrealistic portion
695.46 -> of this presentation is the fact
696.51 -> that someone's gonna clearly give you requirements.
701.16 -> So I'm gonna show you.
702.31 -> We're gonna slowly lower that quality
704.52 -> of requirements you're getting over time
706.35 -> so it becomes more realistic.
708.131 -> So the idea is, yeah, the developers are moving fast.
710.46 -> And we need to build
711.293 -> a new cloud environment to handle this.
713.19 -> So we start off is, we're gonna create a single region.
719.19 -> We create that global network in Network Manager.
722.01 -> We create the core network.
724.62 -> And so, we have to design the policy.
726.51 -> We have to figure out what our intent's gonna look like.
728.88 -> And then we're gonna apply the policy
730.26 -> and it's gonna create the network for us.
732.24 -> So the first step is really defining that network intent.
735 -> That's the hard part for a lot of folks.
737.1 -> Which is, in this case,
739.35 -> like you know, I've presented on this before.
741.3 -> You can figure out how you wanna split your environment up.
743.97 -> We see pretty commonly that people
745.62 -> use the software development lifecycle to do this.
748.59 -> So production, development, staging.
750.51 -> This could very easily be, you know,
752.43 -> client one, client two, client three.
754.23 -> Or you know, oil, water, rock, earth, sun, whatever.
758.52 -> Or finance, HR, IT.
761.58 -> But you figure out sort of your communication matrix here.
766.328 -> What you have to figure out is basically four main things.
768.21 -> One is the network configuration.
769.38 -> So which regions you're gonna be in.
771.18 -> Which ASNs you wanna use in those cases.
773.58 -> We will automatically deploy the ASNs,
776.7 -> or you can manually choose it per region if you want.
780.24 -> The segments, they have names.
782.07 -> They also have some defaults we'll talk about.
783.48 -> Like, should things be automatically accepted or not?
787.02 -> You know, what's the behavior
788.43 -> of two things attached to the same segment?
790.14 -> Some things like that.
792.27 -> The routing and essentially kind of
794.37 -> defining this green and red matrix here.
798.45 -> As well as how that attachment should work.
800.43 -> So what tags do we wanna use
802.89 -> to map things to these segments?
805.23 -> And so, this all basically becomes your network policy.
809.1 -> So in the case for this self-service IT thing,
812.67 -> we're gonna start here.
813.51 -> We're gonna do production, development, and hybrid.
815.82 -> Mostly because PowerPoint doesn't have
816.87 -> that much room for like a bunch of segments,
818.73 -> and it makes my life a little bit easier.
820.35 -> And I hope it makes it a little bit easier to follow too.
822.75 -> So production.
824.82 -> So essentially we're gonna start off in one region.
826.26 -> We're going us-east-2.
828.84 -> It's like Virginia, but just not Virginia.
832.86 -> And we might need to go to more regions,
834.48 -> but the requirements document
835.8 -> didn't say anything about that.
838.23 -> We're gonna do the SDLC,
839.22 -> software development lifecycle type thing.
841.95 -> We do want development to be on demand.
843.66 -> So we're not going to require
844.675 -> any approval for developers to
847.08 -> get into the development segment.
849.99 -> And development can talk within development,
851.67 -> 'cause we're not sure what they may need to do there.
854.91 -> The routing, we're gonna share routes
856.62 -> from the hybrid segment to development and production.
860.64 -> Production should be able to talk to production,
862.2 -> 'cause we don't want something to happen there.
865.976 -> And then we're gonna use the very boring example here.
869.07 -> If you put the tag of segment,
870.81 -> development or segment production or segment hybrid in,
873.24 -> we're just gonna map that directly
874.26 -> to the name of the segment here.
876.96 -> And so, this is our new network policy.
881.52 -> If you're curious what the actual JSON looks like,
883.95 -> it looks like this.
885.6 -> So I've kind of highlighted in green,
886.86 -> like kind of like the key areas
888.48 -> that are not just sort of brackets.
891.87 -> You might notice over there on the right
893.03 -> in the attachment policies,
894.72 -> we basically say, hey, if the segment tag exists,
897.81 -> then we're gonna use the value, tag that,
900.9 -> and look for a segment with that name.
902.34 -> So even if we had 20 segments,
904.11 -> we only need that one policy,
906.21 -> 'cause then it just uses the name
907.38 -> that we're using in a tag.
908.46 -> You can also go hard code this.
910.02 -> You can also go use the VPC ID or account ID.
913.11 -> So there's a lot of different ways to handle that.
916.56 -> And so, now we've built our policy.
919.38 -> We've applied it to the core network.
920.67 -> We've built it out.
922.53 -> So now what we're gonna do to get this out
924.45 -> to the rest of our organization,
925.53 -> we're going to Resource Access Manager, or RAM.
928.71 -> And so, I can walk you through
930.57 -> a little bit what that looks like.
931.86 -> So essentially you have your Cloud WAN,
934.29 -> slash your core network.
935.337 -> And the console is actually called a core network.
938.4 -> That's usually in your Cloud WAN admin account.
940.59 -> So that's typically your network engineering account,
942.93 -> maybe with Direct Connect in it,
944.22 -> or maybe with other Transit Gateway
946.89 -> and networking kind of stuff.
948.87 -> And then you share that out with the AWS organization.
951.24 -> You can also share that out with individual account IDs,
953.49 -> or just your whole organization.
955.35 -> But it is limited to one organization.
957.87 -> And so, those accounts now,
959.64 -> we'll be able to see a core network
961.71 -> and be able to go ask and attach to it.
964.62 -> And so when they have the VPCs and other things,
966.96 -> you can go create those cross account attachment requests.
972.03 -> So we share it with core network.
974.34 -> You know, just organizationally,
975.36 -> we need to let users know they can do this somehow.
977.82 -> So there's a couple tricks.
978.84 -> Like, for instance,
979.673 -> you could put like a little Wiki
980.506 -> in the description of the core network
982.08 -> so they can go look that up and find out
983.608 -> what tags and what things are supported.
987.93 -> So now you start creating attachments.
989.55 -> You create attachments and you tag those.
991.71 -> They start attaching to the network.
994.08 -> You also then, if it's a VPC,
995.73 -> you're gonna wanna go and insert a route
997.95 -> into the VPC route tables into the correct subnets.
1001.1 -> So what a lot of people will do in this case,
1002.99 -> if the internet is on premises like in here,
1005.3 -> they'll put a zero zero route
1006.59 -> that points to the core network interface.
1011.42 -> And so, that's most of it, right?
1014.36 -> So you've now built sort of a self-service network.
1019.04 -> And relatively low amount of effort here.
1022.31 -> So what happens next?
1024.95 -> You're doing actual work.
1026 -> And someone puts a meeting on your calendar.
1028.61 -> Something, something, we need to get in the EU.
1030.86 -> You don't know what's going on.
1033.32 -> Eventually you find out that,
1035.66 -> hey, we have like legal requirements to be into Germany,
1040.01 -> and Germany doesn't wanna be
1041.03 -> treated like the rest of the world.
1042.05 -> So we need a specific set of our applications in Germany.
1044.84 -> Okay.
1046.64 -> So if you wanna see what this looks like in JSON,
1049.85 -> all you do is add one line here.
1051.74 -> So in edge locations list,
1053.99 -> you just add eu-central-1, which is Frankfurt.
1057.83 -> And now we're gonna go automatically
1060.08 -> and replicate everything you've done
1061.73 -> for the rest of this policy into Frankfurt.
1064.7 -> And so, in the console, it just looks like this.
1067.46 -> You would pick another edge location,
1069.65 -> create your policy, and apply your policy.
1072.35 -> And now your network is extended to another region.
1076.94 -> And so, like you said, yeah, you edited the policy.
1080.57 -> You apply the policy.
1081.83 -> And then once the policy is applied,
1083.81 -> you know, it takes maybe sometimes
1085.1 -> 10 minutes to go to another region.
1086.96 -> Under the hood,
1087.793 -> we're creating a whole new core network edge,
1089.57 -> and we're doing peering connections,
1091.19 -> and we're enabling dynamic routing and all these things.
1094.94 -> Just for that one line of configuration that you did.
1098.51 -> From there, you get another meeting.
1100.43 -> Another surprise meeting.
1102.02 -> You're not really sure what this is about.
1102.95 -> But now legal found out that we're in Germany.
1105.5 -> And they're very concerned that we're not meeting
1106.91 -> some laws and compliance over there,
1108.41 -> and they wanna really lock stuff down.
1110.36 -> And so, you find out that they wanna make sure
1113.33 -> that this segment only ever exists in Germany
1116.45 -> and that it can never talk outside of Germany.
1119.42 -> But from a networking perspective,
1120.53 -> you still wanna manage it all as one big network.
1123.11 -> So what you can do is there's a couple segments settings
1126.32 -> that you can go change here.
1127.46 -> So in this case, we're gonna actually--
1129.5 -> You can change which edge locations the segment runs in.
1131.66 -> By default, it runs in all segments, or in all regions.
1137.15 -> So we're gonna specifically limit it to just Germany.
1140.63 -> And then here, it also says,
1142.13 -> like which segments it's allowed to talk to.
1144.68 -> So by default, you can do this in very permissive,
1146.96 -> kind of easy ways to say like,
1148.43 -> I want hybrid to talk to everyone.
1150.62 -> Well, then, you know, you don't want
1152.03 -> hybrid talking to Frankfurt,
1153.08 -> 'cause they don't wanna talk to anyone else.
1154.13 -> So you can really lock that down to deny specific lists
1157.16 -> or allow specific lists in segments.
1160.1 -> So compliance people are pretty happy about this.
1161.8 -> So we take a look at what this looks like now.
1163.67 -> It is now, you know, we've got a Frankfurt region.
1166.904 -> But we're gonna create
1168.23 -> that specific segment just for the EU.
1170.12 -> And it's gonna live just in Germany.
1172.49 -> Which for us, 65002 is the ASN.
1176.09 -> Cool, so doing well so far.
1180.8 -> All right, now we get a page.
1182.06 -> We're eating lunch, doing more work.
1183.62 -> And production's down.
1185.51 -> Sam, it's always Sam.
1187.55 -> You knew they were gonna push a change today.
1190.52 -> Well, it brought the network down.
1193.1 -> This is no bueno.
1194.6 -> Which is Spanish for outage.
1196.49 -> So now people wanna know how like the network works,
1199.52 -> 'cause it didn't work very well.
1200.89 -> So everyone wants to know the details.
1203.06 -> So the way the changes actually happen in Cloud WAN
1205.97 -> is a two step process.
1208.37 -> So first is you create the network policy.
1210.59 -> There's an API for this.
1212.24 -> Once you create that API and submit it to us,
1215.48 -> or you know, the console or API,
1216.73 -> or however you wanna do it.
1219.14 -> We're gonna validate it as valid and the JSON's good
1221.45 -> and the rules are right, and that kind of stuff.
1223.7 -> But then we're gonna generate a change set.
1226.46 -> So this is a concept we borrowed from CloudFormation
1229.19 -> where we're gonna tell you what's different in the network.
1231.5 -> We can say that you're going to have more regions
1233.72 -> or less regions or some segments are gonna appear
1236.27 -> or some of your attachments are gonna move
1239.544 -> to someplace else based upon some new tag change.
1243.32 -> So we can give you an idea of
1244.28 -> the topology change that's gonna happen.
1246.29 -> As well as you can actually go
1247.58 -> and see like in a git-style diff
1249.984 -> of what the actual changes look like.
1253.1 -> And so, from there once that looks good
1255.44 -> and it looks like what I expected,
1257.96 -> you can execute the policy.
1259.7 -> Once they execute policy,
1260.81 -> Network Manager's gonna roll that change out
1262.82 -> to all the places where it needs to go.
1265.37 -> And we added some features recently
1266.75 -> to show you what's going on
1267.74 -> so you can get a couple steps
1268.7 -> so you can see what's going on and how long it took,
1270.29 -> that kind of thing.
1271.767 -> And so now when you go back to
1273.32 -> tell people how this stuff works,
1274.58 -> you can make some changes.
1275.42 -> So you can say, for example,
1277.13 -> we're gonna create a new role for Sam.
1279.41 -> And he only has access to the core network create function.
1284.48 -> And then now before we make any of these changes,
1287.6 -> we're gonna run this stuff through a change review board
1289.4 -> or a CAB, 'cause those are really fun.
1291.512 -> But it helps with compliance and not making mistakes.
1295.55 -> So the CAB can review changes.
1297.617 -> And we're gonna create another role
1299.3 -> for the more senior admins
1300.899 -> that know how this process should work,
1303.56 -> and they're the only ones that can execute the policy.
1305.57 -> So now we can let the new people create policies,
1308.39 -> but the sort of trusted people actually go put those on.
1311.027 -> And you can time bound that
1312.26 -> and all types of other things that works with IAM.
1315.56 -> And so, you know, what's also gonna happen is,
1319.062 -> at Amazon, what we do is called a correction of error,
1322.31 -> or COE, which basically means like
1324.53 -> we're gonna ask a whole bunch of questions,
1325.67 -> like, why, why, why, why, why, why?
1327.29 -> And then we're gonna come up
1328.47 -> with what we call like mechanisms,
1329.51 -> which are like,
1330.59 -> if you think about this whole team,
1333.23 -> if you replaced the whole team
1334.13 -> with a whole new set of people
1335.15 -> and only had processes and procedures to fix this problem,
1338.45 -> what would that look like?
1339.83 -> 'Cause if you go, well, you know,
1341.06 -> Bob is supposed to look after Sam.
1342.32 -> So we're just gonna ask Bob to look after Sam better.
1345.11 -> Like, that doesn't work.
1345.943 -> That's called best intentions, at least what we call it.
1348.23 -> So that's not gonna work.
1350.93 -> And so, someone's gonna,
1352.58 -> usually your operation's person is gonna be like,
1354.14 -> how do we make sure this stuff is working properly?
1356.33 -> So one of the good parts of Network Manager,
1359.15 -> and this is, like I said,
1360.11 -> what we originally built it for was
1361.97 -> to give you that sort of level of visibility.
1364.1 -> And so, you can come in here
1365.267 -> and you can show like which regions you're in,
1367.58 -> you know, where you're at.
1368.9 -> You can see, for example, the topology
1370.7 -> and how the routing and the segments
1373.22 -> and the attachments are related to each other.
1376.58 -> You can come in and get events.
1377.69 -> So this is all in EventBridge.
1379.7 -> So for example, if you wanted to create a Slack room
1382.61 -> that has every single BGP change
1384.77 -> or tag change or network change going on,
1388.01 -> you can get all that here.
1389 -> You can take all that
1389.833 -> and you can feed it into a pager,
1391.924 -> or into webpage or whatever.
1394.7 -> It's just events.
1395.69 -> That's what EventBridge does really well.
1400.07 -> And then you also have some more
1401 -> of these dashboards and graphs.
1402.2 -> So if you want to, for example,
1403.67 -> put up a pretty graph so your NOC
1405.68 -> looks like they know what they're doing,
1407.87 -> so that IT managers believe why
1409.85 -> they're spending all this money,
1411.65 -> you know, there's a graph for that.
1414.08 -> And also more of a logical graph.
1415.7 -> If you need to get into more
1416.6 -> of the troubleshooting or the,
1418.1 -> you know, architecture and design kind of side of things,
1421.25 -> there's some pretty graphs there for you to use.
1424.16 -> Cool, well, things are going pretty well.
1427.07 -> Now you get another email.
1429.29 -> Now you get an email that says,
1430.97 -> hey, the pen testers,
1433.19 -> they were deploying WordPress with
1434.21 -> some unpatched plugins or something like that out there,
1438.38 -> which doesn't last for very long
1440.09 -> on the internet when it's not patched.
1442.28 -> And they've also found out they've moved laterally
1444.59 -> from that one WordPress server to something else.
1448.07 -> So this is also no bueno, which means we got hacked.
1450.59 -> So one of the things you can do here,
1453.8 -> this one's pretty simple.
1454.85 -> You can go in here into the development segment.
1457.61 -> 'Cause again, we weren't approving
1459.41 -> or being in this workflow at all.
1461.63 -> So we just let anyone join the development segment
1463.58 -> if they used the right tags, which is cool.
1465.56 -> A little dangerous.
1466.79 -> So we can reduce the danger here
1469.55 -> by creating this isolated attachments mode.
1472.61 -> This means we can let hundreds
1474.68 -> or thousands of developers onto the same segment
1478.1 -> and they can't talk to each other.
1479.57 -> Much like if you're, you know, at a conference
1482.33 -> and you're on the access points for wireless, you know,
1484.85 -> I can't go and ping and SSH someone else's computer
1487.22 -> on the same wireless network,
1488.15 -> 'cause they block that sort of local control.
1490.4 -> So it's basically the same thing,
1491.51 -> but you know, for VPC and attachment type routing.
1495.77 -> So that's pretty good, 'cause that was a quick fix.
1500.06 -> So what this looks like is, you know,
1501.83 -> in this case, I have multi-region,
1503.48 -> but it could be in the same region.
1504.95 -> Which means these two VPCs on development
1508.22 -> now can't talk to each other.
1509.09 -> So I put this little lock icon next to development
1511.37 -> so I know what that means now.
1513.409 -> It's also good for sandboxes.
1516.195 -> It's good for production where production apps
1517.82 -> don't need direct access to each other.
1520.55 -> Any place where you're doing auto accept attachments
1523.55 -> because you have no idea what could potentially be in those.
1526.7 -> Or we'll talk about this later,
1527.87 -> also if you wanna connect a bunch of external networks
1529.283 -> that you don't necessarily trust,
1531.59 -> you can do that as well.
1534.32 -> What if you don't know if this is a good idea or not?
1536.48 -> How do you know that I can just remove all this access?
1539.96 -> One way is you can do flow logs.
1541.37 -> So flow logs show you the IP address
1543.41 -> and VPC IDs of flows.
1545.42 -> So you can go in there
1546.253 -> and all your VPCs enable this that you care about,
1548.21 -> and then, you know, run it through Athena
1549.98 -> or some other query languages to find out
1551.69 -> if you have anything going on there.
1553.52 -> We also just enabled on Transit Gateway last week
1556.1 -> the ability to turn flow logs on for a whole TGW.
1558.83 -> So that's a new feature you can use
1560.66 -> if you're already using TGWs.
1561.83 -> That's new.
1562.94 -> You can also check for security groups
1564.35 -> for access that you've explicitly allowed.
1567.05 -> As well as VPC Network Access Analyzer.
1568.79 -> A fairly new tool that will let you go in there
1571.55 -> and query like, can this talk to this?
1573.32 -> Can this talk to this?
1575.3 -> And like give you alerts and that kind of thing.
1576.83 -> And you can automate it.
1577.663 -> There's APIs. It's pretty cool.
1579.26 -> So if you're not aware of it, it's worth checking out.
1582.86 -> All right, so things are going well.
1585.38 -> Security was impressed by the fact
1586.94 -> that you just fixed the developer issue pretty fast.
1590.06 -> And now the contracts are up for all
1591.28 -> of the on-prem security gear.
1593.75 -> They don't really wanna spend, I guess,
1595.07 -> 1.2 million dollars on super Gbix.
1598.31 -> And so they wanna move this to the cloud somehow.
1600.98 -> And have come to you to figure out what this looks like.
1605.66 -> This is not a real spreadsheet, by the way.
1607.13 -> But it's indicative.
1609.65 -> So essentially what they wanna do
1612.5 -> is they wanna take this internet access
1613.94 -> that's down here off the VPN.
1615.95 -> And they wanna move it into the cloud.
1618.5 -> And so, how does that work?
1620.21 -> Typically what happens is,
1621.41 -> you put the firewalls into a VPC.
1623.12 -> Call it like a buffer VPC or inspection VPC.
1625.43 -> Put a word on it.
1627.35 -> To the actual Cloud WAN network,
1629.33 -> it just looks like a VPC attachment.
1630.95 -> So what we're really doing here
1632.03 -> is we're doing some kind of fancy routing
1634.07 -> and fancy type of order of routes rules
1637.112 -> to make this happen in this way.
1640.52 -> If you're on this sort of journey,
1642.92 -> you're probably gonna look at
1643.76 -> a whole bunch of other services.
1645.26 -> So Gateway Load Balancer and AWS Network Firewall
1648.44 -> are the types of things you'd put
1649.273 -> in this inspection VPC.
1650.78 -> But you've also got things like GuardDuty,
1653 -> Amazon Detective, and AWS Security Hub,
1655.7 -> which are a little more sort of cloud native ways
1657.86 -> to look at your whole VPC environment.
1660.41 -> And so you'd probably wanna
1661.243 -> use these things in conjunction.
1662.69 -> So the real short story is like,
1664.64 -> yes, the firewall stack
1665.69 -> you have on premises meets 100 different check boxes.
1669.62 -> And when you move that into AWS,
1670.97 -> you're gonna have to change how you meet those check boxes
1673.07 -> usually in a couple of different ways.
1674.78 -> And so, you can basically combine
1675.92 -> a lot of AWS native services,
1677.24 -> plus if you want to, you can just bring your favorite,
1680.685 -> you know, favorite firewall vendor up
1682.55 -> into AWS and do that.
1685.395 -> To go a little bit deeper on that one,
1687.5 -> to give you a little bit better idea
1688.52 -> of that magic routing I was talking about,
1689.93 -> it looks something like this.
1691.49 -> So in this example, in your core network,
1693.98 -> and you create a separate firewall segment,
1696.59 -> or you just use the hybrid segment
1699.32 -> and attach a new VPC to that.
1701.03 -> And that VPC, in this example,
1702.65 -> I'm using two different availability zones.
1704.93 -> So I'd split that into four subnets.
1706.85 -> One for my core network attachments
1708.95 -> and one for the firewalls.
1710.27 -> If you have a Gateway Load Balancer involved,
1711.68 -> you might have a little bit more in here.
1714.65 -> Or if you're using some of the new firewall-as-a-service offerings,
1716.51 -> like Palo Alto has one,
1717.89 -> that drop endpoints in your VPC,
1719.12 -> that looks a little bit different.
1719.99 -> So this is kind of a generic version of this.
1723.05 -> But the idea is, you create that VPC.
1724.82 -> You attach it to Cloud WAN.
1726.275 -> And then you create segment actions.
1728.99 -> So you would basically make sure
1730.25 -> that the hybrid network is sharing its routes
1733.7 -> with development and production.
1735.2 -> And then within development and production,
1736.85 -> for example, if you wanna do centralized network egress,
1739.88 -> you would put a 0/0 route,
1741.71 -> a static 0/0 route through
1743.63 -> the segment actions in those segments.
1746.51 -> And that would forward all
1747.83 -> the traffic through the firewall.
1750.65 -> And so, depending upon your architecture here,
1752.63 -> this design is gonna shift a little bit.
1754.13 -> We have some blogs.
1755.45 -> Most of this stuff that you'd do with Transit Gateway
1756.98 -> is gonna sort of apply one to one here.
1760.88 -> So yeah, that's gonna just depend a little bit.
1763.1 -> You know, you can talk to any of us,
1763.933 -> and we can help you out with that
1764.93 -> if you get sort of stuck on it.
1768.38 -> Cool, all right, well, things are going well.
1770.69 -> You have security and internet in the cloud.
1772.94 -> And now, you know, you're minding your business.
1776 -> Eating cereal on your kitchen counter
1779.15 -> and reading tweets for the day
1780.59 -> before you do some actual work.
1782.33 -> And you find out from Twitter
1784.34 -> that your company's buying another company.
1787.49 -> And no one talked to you because you're not, I guess,
1789.89 -> high enough or important enough to know about these things.
1792.59 -> But you know, like this is gonna roll your way.
1796.22 -> 'Cause they're gonna need network stuff at some point.
1798.17 -> So over the next couple of weeks,
1800.03 -> you get clued in, you find out.
1802.31 -> You find out more about the startup.
1804.5 -> The startup's cool.
1805.46 -> They're making a bunch of money.
1807.41 -> They're so cool your company doesn't wanna mess with them.
1810.08 -> Like, don't mess what's working with them.
1811.94 -> Like, we don't wanna turn them into us.
1814.52 -> We want them to just continue being cool for awhile.
1816.17 -> We'll ruin them later.
1817.25 -> But for now, they'll be cool.
1820.19 -> And so you find out from their networking folks,
1821.78 -> they've got a Transit Gateway with, you know, some VPCs.
1824.78 -> So it kind of looks like your architecture,
1826.07 -> but it's not your architecture.
1828.83 -> And they don't want your standards.
1830.39 -> This is kind of like the cowboy scenario.
1832.46 -> You might even have these people working in your company
1834.38 -> that just don't like IT.
1836.42 -> Maybe you don't have to acquire someone
1837.53 -> to have cowboys in your company.
1839.39 -> But this is pretty standard.
1840.32 -> We see this all the time.
1841.73 -> Don't feel bad if this happens to you.
1842.99 -> This is very normal.
1845.36 -> So the way this works is,
1847.97 -> they have an existing Transit Gateway.
1850.31 -> Luckily, for the ease of PowerPoint magic,
1853.37 -> they're in one of the regions we're already using.
1855.14 -> And it doesn't matter if they are actually.
1857.71 -> It just makes my PowerPoint more complicated.
1859.76 -> So in this case, what we can do is
1861.95 -> we can attach their Transit Gateway to the Cloud WAN.
1864.59 -> We may attach it multiple times.
1866.3 -> So some of their traffic goes to one place,
1868.28 -> some of it goes to another place.
1869.84 -> Luckily, because they watch all these
1871.16 -> same re:Inforce and re:Invent presentations,
1872.93 -> they've also chosen to use development
1875.57 -> and production for their route tables.
1876.92 -> So it actually maps very cleanly to our architecture.
1879.5 -> And so, in this case, you map the Transit Gateway
1882.8 -> to a couple different segments here.
1885.2 -> Their VPCs.
1886.033 -> And so now you can think about it
1886.866 -> instead of these VPCs attaching directly to the Cloud WAN,
1889.25 -> they just transitively map through Transit Gateway.
1894.59 -> And so, in cases like this, a couple different things.
1897.98 -> Like one is we see this interop use case.
1900.23 -> Hey, someone has a TGW, you wanna work with it.
1902.45 -> We also see these like migrations and brownfields.
1905.87 -> And then we also see sort of like
1907.1 -> this like federation type case,
1908.6 -> which I'll talk in a little bit more depth here.
1911.84 -> So the way this actually works is like this.
1914.33 -> So a Transit Gateway, Cloud WAN.
1917.78 -> You create a peer.
1919.91 -> This is a little bit different.
1920.75 -> If you're familiar with like VPC peering
1922.49 -> and Transit Gateway peering,
1923.9 -> once you do a peer with those services,
1925.64 -> like you can start routing stuff.
1927.32 -> It's not the case with Cloud WAN.
1928.85 -> When you peer this,
1929.683 -> this is kind of like a trunk in
1931.64 -> the old layer two switching world.
1933.38 -> This just opens up a relationship
1935.36 -> between the Transit Gateway and the Cloud WAN.
1938 -> And so, what's actually happening underneath the hood here
1941.21 -> is we're going into your Transit Gateway
1943.13 -> and we're doing some things.
1944.57 -> So we're enabling dynamic routing.
1946.7 -> We're creating something that's called a policy table,
1949.01 -> which allows us to keep segments mapped.
1952.49 -> So we're actually doing some policy stuff
1954.14 -> underneath the hood.
1955.01 -> You don't have to worry about that stuff,
1956.42 -> 'cause it's network magic.
1957.89 -> But it is there, and it's pretty cool.
1959.84 -> It also means this is how you can enable
1961.25 -> dynamic routing on your Transit Gateway today
1964.46 -> by using this feature.
1966.2 -> And so, next what you do is
1968.27 -> you create route table attachments.
1970.4 -> So these are attachments just like
1972.26 -> every other attachment we have.
1973.79 -> And it follows the same rules
1975.05 -> and the same automation that we built earlier,
1977.39 -> which means that if you want these attachments
1979.04 -> to actually map to something,
1980.84 -> you have to tag them.
1981.92 -> So you tag these route table attachments.
1984.14 -> And then after that,
1985.34 -> that's when the BGP
1986.21 -> and all that sort of stuff is functioning.
1989.12 -> And so this allows you,
1990.35 -> you can do many to one or one to one
1992.27 -> or whatever you wanna do on your route tables here.
1994.52 -> If you only have one route table
1995.66 -> and you want a flat network, that's cool too.
1997.43 -> You don't have to use segments at all.
2002.41 -> If, for example, you said, hey, look,
2003.85 -> I don't wanna maintain two networks,
2005.02 -> 'cause that's expensive and time consuming
2006.4 -> and I don't wanna talk to auditors
2007.78 -> about two different sets of solutions,
2009.13 -> and like I only want one set of Terraform code or whatever.
2012.73 -> You can migrate.
2013.78 -> And so, what that looks like is,
2015.37 -> you've got inside your VPCs.
2017.14 -> You have that 0/0 route
2018.64 -> pointing to a TGW network interface.
2022.03 -> What this would look like is you would attach
2023.8 -> your VPCs to Cloud WAN.
2026.2 -> You would have both of those live at any given point.
2030.16 -> You test it.
2031.06 -> Or I'm sorry, you would move the route table over.
2033.61 -> And now you can start testing it.
2034.807 -> You could do this for just a single /32 route,
2036.88 -> or whatever you wanna do.
2038.35 -> You could test all this stuff out.
2039.97 -> And if this doesn't work and something goes wrong,
2041.89 -> you just change that route back
2043 -> and you're back on Transit Gateway again.
2045.43 -> Once you feel comfortable and happy with all these things,
2047.65 -> you can then take away some of the old stuff.
2050.08 -> So you can take away the peerings and attachments.
2053.44 -> You can take away the whole Transit Gateway if you want to.
2054.9 -> If you don't need it anymore.
2056.47 -> And so you could do a full migration sort of like that.
2062.86 -> All right, well, we thought we were doing pretty well
2065.89 -> with this whole startup thing.
2067.84 -> We find out the startup has made some very bad decisions.
2071.35 -> And they're using some other thing
2073.24 -> that looks like a cloud.
2074.65 -> Some other thing.
2076.54 -> I couldn't find like any sort of diagram for other clouds
2081.67 -> in our architecture diagram library for some reason.
2084.01 -> So I had to hand draw this one.
2087.07 -> I also made sure the kerning was incorrect
2088.78 -> that way the branding doesn't look the same as ours.
2090.711 -> Just so no one gets confused at all.
2093.7 -> So this is now our official other cloud symbol.
2097.45 -> And so we have to figure out how to deal with this.
2100.93 -> So in this case,
2103.72 -> the other cloud's over here somewhere.
2106.66 -> One of the things we can do is
2107.59 -> we can create a VPN directly there.
2110.23 -> Because IPsec is a standard,
2111.49 -> and it's pretty well established across lots of places.
2114.79 -> And because about a year ago,
2116.59 -> AWS built a feature called IKE initiation,
2119.35 -> which allows us to initiate
2120.76 -> a VPN connection to somewhere else.
2122.83 -> This allows us to interoperate
2123.97 -> with a bunch of other VPN services.
2126.43 -> And so not all of the other VPN services
2130.33 -> act exactly like ours
2131.47 -> and use the same sort of like two tunnels,
2134.38 -> you know, 169.254 addressing, all those kind of things.
2137.32 -> So in a lot of cases,
2139.18 -> once you interoperate,
2140.08 -> you only get one of those tunnels running.
2142.27 -> But maybe you create two VPN connections.
2144.46 -> And a lot of the other folks don't support
2146.11 -> equal cost multipath, ECMP.
2148.3 -> So usually you're limited to like one tunnel
2150.19 -> at about one gig, 1.2 gigs or so.
2154.03 -> But for a lot of cases, like maybe for authentication
2156.19 -> is just hanging out over there.
2157.417 -> And you don't need a lot of intensive data and whatnot.
2160.33 -> You just need basic connectivity.
2162.37 -> So VPN's a great option for that.
2164.17 -> Otherwise if you say like,
2165.64 -> hey, actually we need to run like 10 gigs
2167.41 -> of stuff to this other place.
2170.95 -> You can use Direct Connect.
2172.03 -> So right now, Cloud WAN doesn't have
2173.933 -> a native Direct Connect attachment.
2176.83 -> We're just transitively using it
2178.18 -> through Transit Gateway.
2179.08 -> So we're getting a lot of use
2179.92 -> out of the transit word on TGW here.
2183.79 -> And so you can do Direct Connect
2185.35 -> down to your Direct Connect point of presence.
2186.91 -> There's a whole bunch of partners
2188.62 -> that will basically connect you
2190 -> to every other cloud's sort of Direct Connect equivalent.
2193.72 -> And then you can just basically
2194.86 -> hairpin through them to get there.
2197.65 -> You could also just use the internet.
2199.84 -> I mean, if it's cloud native enough and it's got encryption
2202.63 -> and it's got authorization and security on it,
2205.18 -> then you may not need to create a private network at all.
2208.45 -> Or there's a whole bunch of SD-WAN sort of solutions here
2211.54 -> that will run wherever you want them to
2213.337 -> and all connect together.
2216.58 -> So now your call center person,
2219.64 -> who you text every now and then
2221.26 -> and you mostly get bad news from, tells you that,
2223.544 -> hey, the voice quality in Singapore is not good.
2226.09 -> You know, they've got VPNs to Singapore and they flap,
2229.36 -> and the quality's not great.
2231.16 -> We need to fix it.
2232.33 -> So essentially what we're gonna do here
2235.66 -> is we're gonna add another region,
2237.1 -> which I showed you how to do earlier.
2240.1 -> But now what we're gonna do is
2241.12 -> we're not gonna create any VPCs in that region.
2242.89 -> We're just gonna create a VPN connection.
2245.86 -> So basically our core network is now in three regions.
2249.7 -> And now the site in Singapore
2251.92 -> can do a VPN connection just from,
2255.28 -> you know, within Singapore to the Singapore region.
2257.86 -> Luckily, Singapore is not a very big geographical place.
2260.38 -> So the internet connectivity from Singapore
2261.97 -> within Singapore is pretty good.
2264.04 -> And then it's gonna run over the AWS backbone,
2267.16 -> all the way into Germany or the United States,
2269.95 -> or wherever you wanna go.
2271.69 -> And so we can use that high quality network
2273.94 -> without having to go procure a whole bunch of,
2276.43 -> you know, third party contracts and whatnot over there.
2279.367 -> And so, now our voice quality people are pretty happy,
2281.95 -> and that makes us happy.
2286.12 -> Your CFO now asks you a question.
2288.94 -> He's sending this over RFC 1149.
2291.61 -> For those of you that aren't into
2293.5 -> 20 year old networking jokes,
2295.12 -> that's IP over avian carriers.
2298.54 -> So this goose--
2299.68 -> I put this in like pretty much all of my presentations,
2301.63 -> 'cause people leave feedback all the time
2303.22 -> of like they want more goose.
2305.26 -> So I'm always looking for more ways to insert more goose.
2308.131 -> If you leave feedback,
2309.56 -> maybe I'll do something different next time.
2313.81 -> Either way, this goose delivers a message to you.
2316.15 -> And it says like, hey,
2319.48 -> our data center's looking pretty lame.
2321.19 -> All the apps are out of it.
2322.84 -> And the only thing left are your stupid network racks.
2324.79 -> Get them out.
2325.623 -> I wanna close that contract out.
2328.42 -> And so, all right, well,
2329.74 -> let's figure out what that looks like.
2332.44 -> So what's actually left in your data center
2334.87 -> after you've done a huge migration?
2337.63 -> You've got the WAN and your WAN routers
2339.52 -> connecting MPLS and whatnot.
2343.06 -> You've got maybe a connection to another data center.
2346.18 -> Some dark fiber that you used to
2347.65 -> run storage synchronization over.
2350.38 -> Maybe you do have this sort of extranet
2352.877 -> where you have VPNs and maybe even direct fiber
2356.53 -> out some business partners of sorts.
2359.8 -> And then, you know,
2360.696 -> we're still going through the whole pandemic thing.
2363.37 -> So people are still coming in via VPN and client VPN.
2368.08 -> And so, yeah, we're still treating the data center
2370.18 -> like it's the center of our gravity,
2371.62 -> even though most of this stuff has gone up to AWS.
2373.33 -> And so, we wanna shift that.
2375.79 -> How do we shift all that into AWS now
2377.59 -> that AWS is now the new center of gravity for us?
2380.71 -> So the way this looks is,
2382.72 -> a couple different things we can do here.
2384.13 -> So we can take the VPN for the branches.
2387.22 -> So maybe they need MPLS, maybe they don't.
2390.37 -> We can bring them in over VPN.
2392.05 -> If they do want to keep MPLS, we can use Direct Connect.
2396.13 -> We can keep that coming in.
2399.864 -> Maybe you've got some sites where you're doing
2402.1 -> a bake off or some testing of SD-WAN.
2406.083 -> You know, a lot of customers I've talked
2406.93 -> to are looking into SD-WAN, or they have plans for it,
2409.51 -> or they're still in the initial
2410.925 -> sort of phases of roll out of it.
2414.22 -> And so, you can have a mix of both.
2415.78 -> You can have some VPN, some SD-WAN.
2418 -> You know, if you have some old sites
2419.17 -> that you don't wanna maybe put a new SD-WAN box in,
2421.6 -> you could have a mix.
2423.49 -> Or you could be fully SD-WAN if you want.
2425.08 -> So we can handle sort of either scenario.
2428.32 -> And then, like I said,
2430.15 -> if you wanna do Direct Connect in the cloud, you can.
2432.58 -> But there's also a new feature called SiteLink.
2435.76 -> So if you have two ports,
2437.17 -> like in the case of the slide before
2438.88 -> where we have two data centers
2440.26 -> that both have Direct Connect to AWS,
2442.18 -> if those two data centers need to talk to each other,
2444.49 -> you can use SiteLink.
2445.45 -> You just basically enable a flag on your Direct Connect port
2448.87 -> on the virtual interface that says enable SiteLink.
2451.66 -> And if two ports on the same
2453.28 -> Direct Connect gateway enable that,
2454.72 -> you can send traffic directly between those data centers
2456.7 -> without ever hitting an AWS region.
2458.38 -> So you're just using our fiber
2460.3 -> to get between two locations.
2462.58 -> And so, if you need that sort of like faster bandwidth
2465.91 -> and you already have Direct Connect ports,
2467.86 -> it makes a ton of sense.
2471.13 -> And then, yeah, we can do client VPN as well.
2473.26 -> So we have a native service that you map into this.
2476.29 -> Or you can use your third party solution if you want.
2478.66 -> Pretty much all of them have some sort
2479.95 -> of virtual AMI that you can load up, put it in a VPC,
2483.7 -> point the routes similar to the firewall situation.
2486.28 -> You put in a VPC,
2487.113 -> put some static routes pointing at each other,
2488.68 -> and you can get your client VPN all into this as well.
2491.89 -> Which that's handy for client VPN,
2494.26 -> 'cause now like, hey, we need client VPNs in India.
2497.86 -> We need them in South Africa.
2499.3 -> We need them in Dubai.
2500.14 -> We need them wherever.
2502.21 -> You can create those endpoints
2504.13 -> all over the world very quickly.
2509.5 -> So the other case that we see sometimes is more about like,
2512.95 -> okay, so all of the stuff we own
2514.51 -> is out of the data center now.
2515.38 -> But what about all those business partners we connected to,
2517.635 -> and the extranet, and the VPNs?
2519.22 -> How does that work with Cloud WAN?
2521.8 -> And I've gotten this question
2522.633 -> actually pretty regularly since we launched.
2525.79 -> And every customer approaches me being like,
2528.07 -> are we allowed to do this?
2529.06 -> Is this something that can work?
2530.47 -> Is this something you guys wanna do?
2531.937 -> And the answer is, yeah.
2532.87 -> I think we actually have a pretty good model for it.
2535.75 -> You know, I think one of the interesting things
2537.37 -> about these networks is you can't control
2539.95 -> how other companies want to contact you.
2542.5 -> They have their own HQs, and their own resources,
2545.11 -> and their own locations.
2547.63 -> They may be all over the world.
2548.92 -> You can't force them into the regions
2550.45 -> that just you operate in.
2552.16 -> And so, you can use Cloud WAN to sort of
2554.41 -> extend these networks to wherever they wanna be.
2556.9 -> But you still get one management
2557.944 -> and sort of control plane.
2560.56 -> And so, yeah, it's kind of the same case
2563.5 -> as we just talked about with the branch offices.
2565.33 -> They wanna come over on our VPN?
2566.83 -> Great, that's easy.
2568.51 -> Direct Connect, SD-WAN also.
2571.69 -> Well, we've also seen some customers that go,
2573.76 -> hey, we're using this as our data provider.
2575.65 -> And they used to be in a data center,
2577.03 -> but they migrated to AWS.
2578.59 -> And so now they're in a VPC.
2580.21 -> So how would I basically connect
2581.83 -> my corporate network to this third party network,
2584.47 -> but they're in a VPC now, not a VPN,
2586.24 -> and not some physical thing.
2588.61 -> And so this tends to be kind of a case where,
2591.94 -> there's a couple different designs you could do here.
2593.71 -> The one I chose for this slide
2595.48 -> was to create a separate core network.
2597.43 -> Just because people like to treat these
2599.17 -> external networks as a separate thing
2600.88 -> with separate change control and separate everything.
2604.78 -> And so, yeah, you could put, you know,
2605.89 -> vendor one, vendor two, vendor three,
2607.48 -> et cetera into separate segments.
2609.49 -> Or you could put the acquisition into it over here.
2613.21 -> You wanna connect to other clouds.
2614.62 -> You can connect this into this.
2616.3 -> And then any VPC that needs access
2618.4 -> in any sort of special networks,
2620.08 -> you can connect it twice, essentially.
2622.33 -> Connect it to the corporate network,
2623.44 -> as well as to this sort of external network.
2625.66 -> And you could do this all within the same Cloud WAN.
2628.93 -> Absolutely, you could.
2630.37 -> But some people just, again, like that
2631.597 -> sort of pure separation here.
2635.74 -> It's interesting.
2636.573 -> Even if they have a VPC or their own Transit Gateway,
2639.49 -> this model still works.
2641.32 -> And so it's kind of like connect
2642.46 -> how you want when you want to these models.
2645.67 -> Because remember, I did say you can share
2648.1 -> a core network out via the account ID
2650.65 -> and not just within your AWS organization.
2652.99 -> And you can do that, I don't know, couple hundred times.
2654.76 -> So this is gonna scale pretty well.
2658.9 -> And yeah, so one thing people don't understand
2660.483 -> is you can connect one VPC to multiple Cloud WANs,
2663.07 -> or to TGW and Cloud WAN at the same time, right?
2665.11 -> So there's no limitations there.
2667.03 -> Well, we have a limitation of a soft limit of five.
2669.22 -> Mostly 'cause if you're connecting
2670.12 -> more than five Cloud WANs to a single VPC,
2672.67 -> I think we should talk.
2674.59 -> Not that it's necessarily a bad idea,
2675.94 -> but I can't draw a good idea of
2678.07 -> what that would look like quite yet.
2679.75 -> I have a couple ideas, but--
2681.1 -> So if you need to do that, let us know.
2685.75 -> And so yeah, some of the FAQs here that we get.
2688.9 -> So now, yeah, we've built a really cool network.
2691.33 -> It's multi-region, it's secure,
2693.58 -> it's doing all of our internet firewall stuff.
2695.65 -> It's doing our business partners.
2697.66 -> It's acting as our WAN.
2700.96 -> And yeah, we're network heroes here.
2703.69 -> So some of the questions I get.
2706.84 -> So the BGP, for example, is pretty simple.
2709.3 -> So if you're used to banging on a Cisco or Juniper device
2712.48 -> and having a million policy tables,
2714.31 -> and you know, all these things.
2715.9 -> Like, we don't have that yet.
2717.94 -> So essentially, there's no filter or community support.
2720.97 -> It's just from route table to route table,
2723.16 -> it's gonna copy everything.
2724.963 -> All the routes it learns from attachments
2728.26 -> is gonna basically redistribute.
2729.85 -> The static routes don't get redistributed.
2731.95 -> You have to do that manually.
2733.63 -> So if you need the static route in multiple places,
2735.64 -> just do it in multiple places, essentially.
2740.38 -> In terms of limits and quotas,
2742.6 -> it's 5,000 attachments.
2747.43 -> I think that actually should say 10,000 routes.
2749.41 -> It's 5,000 attachments, but 10,000 routes.
2752.195 -> And then 20 segments.
2754.3 -> Oh, that's again, 20 segments is a fairly soft number.
2757.63 -> Just talk to us if you wanna do more than that.
2759.07 -> But most of the time I do these designs with customers,
2762.4 -> by the time you get to 20, more than 20,
2764.86 -> it's usually like, oh, well,
2766.45 -> you could get rid of 100 segments
2767.283 -> if you just used isolated attachments mode.
2770.23 -> And some of these kinds of things.
2771.85 -> We're in 17 regions.
2773.47 -> So right now we're everywhere except for
2776.95 -> Korea, Hong Kong, and São Paulo.
2781.03 -> Pretty much all the other regions we're operating in.
2783.76 -> Oh, except for GovCloud and China.
2785.5 -> The purchasing regions.
2788.32 -> Because this service has the word WAN in it,
2790.36 -> we get a lot of very traditional WAN questions like,
2792.7 -> hey, can I support, you know, DSCP on QoS?
2796.03 -> You know, the answer we have is not no.
2799.39 -> It's just that we do things differently.
2800.92 -> So we do capacity management across our backbone
2803.98 -> and we aim for 0% packet loss.
2805.36 -> And we do a pretty good job at that.
2807.67 -> We just don't have like prioritized queuing
2809.71 -> for any given thing over the backbone.
2811.9 -> And as well as the SLAs are, you know,
2814.9 -> for a VPC within the region,
2816.76 -> there's not SLAs from, for example,
2818.47 -> from Ireland to New York or something like that.
2823.33 -> So there's not like hard SLAs
2824.89 -> that you might get from a typical service provider.
2828.85 -> We do have full automation support.
2830.47 -> So we have Terraform support, Terraform,
2833.11 -> CloudFormation, CDK support even.
2836.29 -> So that's all out there and ready for people.
2838.69 -> We've already got people building with that stuff,
2840.82 -> even though we went GA two weeks ago.
2843.25 -> And so, the other question I get,
2845.95 -> 'cause I've been presenting on this for like six years,
2848.26 -> is like, all right, so what's the difference
2849.273 -> between Transit Gateway and this?
2850.99 -> When do I use one or the other?
2852.91 -> And so, I can break that down a little bit real quick.
2856.69 -> So one, Transit Gateway's not going anywhere.
2859.48 -> Still love Transit Gateway.
2860.74 -> It's an awesome product.
2862.75 -> You know, we've got everyone from the smallest companies
2865.18 -> to the largest companies, you know,
2866.71 -> the last four years building on that.
2868.3 -> So it's not going anywhere.
2869.86 -> We're building roadmap on both.
2872.2 -> And so, the way to think about it is,
2874.03 -> you know, Transit Gateway is really,
2876.73 -> it's still the workhorse for a lot of things.
2878.71 -> I recognize that like, you know,
2880.42 -> customers are skittish,
2881.5 -> and networking juniors are skittish
2882.52 -> about new services, right?
2884.23 -> So if you want something that's got
2885.4 -> a million references and a lot of customers using,
2887.65 -> Transit Gateway.
2889.51 -> Cloud WAN is built under the hood with something very,
2891.58 -> very, very, very similar to Transit Gateway.
2893.14 -> So we haven't like gone and built
2895.48 -> new data plane mechanisms or anything.
2898.15 -> So you're still getting
2898.983 -> that reliability from those services,
2900.07 -> but the front end APIs
2901.387 -> and the management is gonna be different.
2903.16 -> And importantly, you know, for example,
2906.01 -> AWS does that stuff for you, right?
2908.08 -> If you're running a four region Transit Gateway deployment
2910.93 -> and you wanna add a fifth region,
2912.58 -> you're talking about like 30
2914.293 -> to 40 APIs to add a fifth region.
2916.81 -> It's one line of, you know, configuration in Cloud WAN.
2920.59 -> And so, depending upon your use cases,
2922.78 -> like it could be a lot simpler in Cloud WAN.
2924.85 -> But if you've already built that automation
2927.13 -> and you like it,
2928.39 -> you can just keep using it with Transit Gateway.
2931.78 -> That's the case for a lot of customers.
2933.52 -> I've also just talked to some customers that go,
2935.44 -> yeah, we run our own automation
2936.58 -> and we're terrified of it.
2937.72 -> We don't wanna run it anymore.
2939.28 -> And so, if that's you,
2940.927 -> you might wanna take a look at Cloud WAN as well.
2944.17 -> One of the things that is a little bit different
2945.76 -> on Cloud WAN is the ability to segment.
2948.07 -> So if you wanna keep segmentation
2950.32 -> and sort of route table access across,
2953.2 -> you know, multiple TGWs or regions,
2955.87 -> that's one of the unique cases
2957.22 -> for Cloud WAN for you to do that with.
2962.47 -> But you don't have to choose one or the other, right?
2965.11 -> You can say like, hey, you know what,
2966.37 -> Cloud WAN is our corporate IT standard,
2968.11 -> but like the cowboys can use Transit Gateway.
2970.69 -> Or, you know what,
2971.86 -> actually Transit Gateway is our corporate standard,
2973.63 -> but like for the self-service developer sandbox,
2976.3 -> we really wanna use that built-in automation stuff
2978.52 -> and we'll have a spoke of Cloud WAN there.
2981.24 -> And so you don't have to choose one or the other.
2983.725 -> And you don't get double dinged on the data transfer.
2985.78 -> So if traffic goes from Transit Gateway
2987.57 -> to Cloud WAN or vice versa,
2989.32 -> you only pay one data processing charge.
2991.512 -> And so you don't get billed for both of them.
2994.18 -> Which means that you can kind of run that stuff for a while
2996.19 -> without paying like long-term costs on it.
3001.17 -> And then, yeah, there's a couple things
3002.97 -> on Transit Gateway that aren't on Cloud WAN.
3005.7 -> Some of those are, they're not on there yet,
3007.8 -> and some of those are, they probably just won't come.
3010.23 -> So for example, like multicast.
3012.66 -> It gets really, really hairy whenever
3014.31 -> you try to develop in a global manner.
3016.14 -> So Transit Gateway's gonna probably
3018 -> have multicast locally for much longer
3020.34 -> than you'd ever see on Cloud WAN, for example.
3022.38 -> And that could change.
3023.22 -> But that's a good example of something
3024.6 -> that you would use Transit Gateway for.
3026.73 -> And Direct Connect isn't currently
3028.08 -> supported on Cloud WAN yet.
3029.4 -> So if you need to do a lot of Direct Connects,
3032.85 -> you can either, again,
3033.81 -> transitively bring it through Transit Gateway,
3036.15 -> or just use Transit Gateway for it.
3039.352 -> So, yeah, some of the interaction models we see
3043.35 -> between Transit Gateway and Cloud WAN look like this.
3045.9 -> One is this sort of brownfield thing.
3048.42 -> We often see customers kind of
3049.56 -> choose their phases of architecture.
3052.11 -> Like they were in VPC peering,
3053.97 -> and then they did Transit VPC,
3055.47 -> and then they did Transit Gateway,
3056.76 -> and now they're looking at like,
3058.23 -> what does version four of their architecture look like?
3061.47 -> And so, version three might be Transit Gateway.
3063.99 -> And so in between version three and version four,
3066.96 -> you might just keep this peering connection up
3069.12 -> and keep both running.
3070.14 -> You may keep Transit Gateway alive
3072 -> until those applications die off.
3074.31 -> Totally valid.
3076.74 -> But like I said, some people might go like,
3078.21 -> actually I don't want two versions of
3079.71 -> my architecture running at the same time.
3080.97 -> I wanna converge those, especially if it's quick.
3084.544 -> And so, you can migrate if you wanted to.
3087.96 -> And then you've also got kind of like,
3090.18 -> I would say, this is even right now
3092.34 -> pretty appealing for a lot of Transit Gateway customers,
3094.23 -> which is, hey, I just want dynamic routing between my TGWs.
3097.83 -> So I peer all of my Transit Gateways to Cloud WAN once,
3101.43 -> and then it gets dynamic routing
3102.42 -> from all of the other TGWs.
3104.25 -> And so, it almost looks like a bit
3105.69 -> of like an MPLS cloud almost.
3107.61 -> Peer once, get my routes from everyone.
3110.55 -> And then, you know, I think I could see
3112.02 -> that evolving over time to that like,
3114.12 -> we want our centralized internet egress
3115.86 -> and ingress on the Cloud WAN.
3117.9 -> And maybe there's no VPCs there.
3119.19 -> VPCs always stay on Transit Gateway
3120.6 -> because I don't know.
3121.433 -> We've built that automation or whatever.
3124.68 -> But it's kind of like the federation model
3126.33 -> that we see like particularly like large companies
3128.52 -> that have a lot of like sister and partial companies
3131.58 -> and ownerships and mergers and acquisitions.
3134.25 -> Like, okay, fine.
3135.57 -> All of you get your own TGWs.
3137.13 -> Don't bother us.
3138.06 -> But when you come to the corporate network,
3139.29 -> you're gonna follow the Cloud WAN rules.
3141.72 -> And sort of seeing a lot more of that model as well.
3145.667 -> And so, in terms of partners,
3146.94 -> we got a whole bunch of folks
3147.84 -> that are working with us on Cloud WAN.
3149.58 -> So you know, we've got the SD-WAN folks here.
3153.36 -> So if you wanna choose your favorite SD-WAN vendor,
3156.27 -> we'll work with them.
3157.92 -> We've also got the folks on the integration side of things.
3161.28 -> So one of the things we've seen is
3163.083 -> that like often like a CIO
3165.09 -> or sort of high level person will be like,
3167.25 -> yeah, I don't wanna buy contracts around the world anymore.
3169.59 -> This seems like a really great idea.
3170.73 -> But, you know, even just me
3172.59 -> walking through this presentation,
3173.7 -> that was like nine phases of
3175.44 -> what we call network transformation.
3177.21 -> And so how would I go and kick this off with my team?
3179.22 -> How would I lead that?
3181.016 -> So a lot of these SIs listed here,
3183.469 -> that's their sweet spot.
3185.07 -> We've also got professional services internally at AWS
3188.1 -> that they're up to speed on this type of stuff too.
3189.78 -> So we've found that to be pretty helpful on these.
3193.11 -> We also have some case studies
3194.4 -> from some of the analysts that show like,
3196.29 -> hey, over this many years,
3197.67 -> you save this much ROI and TCO,
3199.17 -> and it all sounds great, like all of them do.
3201.63 -> But we've got those papers if that helps you
3203.49 -> get that kicked off as well.
3206.64 -> And so, yeah, I would say, you know,
3208.74 -> closing remarks here which is like,
3210.45 -> the use cases for Cloud WAN are really
3211.86 -> sort of like this sort of self-service IT model.
3214.65 -> This multi-region networking.
3216.93 -> Branch offices and SD-WAN
3218.49 -> and building your backbone with us.
3222.12 -> Any sort of like extranets
3223.44 -> and communicating outside of typical AWS type stuff.
3228.87 -> And then, yeah, together, they work better together.
3231.84 -> Transit Gateway and Cloud WAN are good friends.
3233.55 -> And so, they can be forever together,
3235.02 -> migration, or federation.
3237.66 -> So there's a lot of models there.
3240.33 -> So thanks everyone for coming.
3242.4 -> Oh, I pressed the wrong button.
3243.84 -> Thanks everyone for coming.
3245.52 -> I know you guys have a party to get to and everything.
3246.9 -> So, I'll be up here for questions if anyone--
3249.81 -> Submit your feedback and let me know
3250.74 -> what you wanna see next time.
3251.573 -> So, thanks, everybody.

Source: https://www.youtube.com/watch?v=T0vEq9uSHRk