Cisco CSR1000V Transit VPC DeepDive and Best Practice
Deep dive into Transit VPC, including:
1. What components are created by the CloudFormation template and how they are set up to work together.
2. Routing and automation.
3. Best practices.
This video rocks!! One-stop shop for all things CSR1000v in AWS. I love it!
DTR
The text in this link is as follows (note the last line):
Q. How does a hardware VPN connection work with Amazon VPC?
A hardware VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a hardware VPN connection.
This can be tested by removing the IGW from your account, but an existing VPN back to on-prem will still function (given that the IGW is not required). In the detached VGW scenario, if the CSR tunnels are connected to the detached VGW, this condition still applies. An IGW is NOT used. I recently set this up with a very large enterprise customer, and removed the IGW from their account. They have a detached VGW with tunnels to the CSR (using the CloudFormation provided by the AWS site), along with a static VPN back to their on-prem data center. Everything still functions properly without the IGW, showing that the video above is factually incorrect at the 2 minute mark.
Source: AWS documentation; also I am a certified AWS Cloud Infrastructure Architect who has set up this solution for enterprise customers about 6-7 times.
chadiIIac
This is really an ALL-IN-ONE video for understanding the TVPC solution. Thanks for the great presentation! We're also working on the same and have also built an efficient automated TVPC solution.
ashishahuja
I have a query here. How about if we use VPC Peering instead of VPN connections (tunnels) between the spokes and the transit hub in the same architecture, and if we are also using Viptela vEdge routers for SD-WAN connectivity from the Transit VPC to on-prem edge routers?
I know that we cannot extend a VPC Peering network to on-prem over VPN/SD-WAN/Direct Connect, but I'm still curious to know whether it is possible to do so. If yes, then will it be a better, more reliable and cost-effective solution? Also, in this architecture, there is no clear scope for network security. How about if we want to use a network firewall cloud appliance between all the spoke connections and also on the connection between the Transit VPC and the on-prem network?
No offense, but honestly speaking I think that using the PAN VM-Series bundle is a smarter and more secure option in place of Cisco CSR for the Transit VPC architecture.
It would be great if we could somehow use VPC Peering for the spoke-to-transit-hub connection and then, for on-prem connectivity, route the traffic to PAN firewall routers and then to the customer DC through the VGW. // But this solution is not feasible at the moment. I hope this comes as a possible option in future. It would be a more secure, more reliable, efficient and cost-effective solution.
ashishahuja
There is Transit Gateway today, so this design is not needed, right?
hyaenas
I'm not talking about your accent, but your sentence framing is so hard to understand. I had to watch each section 3 times to get what you're saying. Otherwise very good stuff.
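The comment above that quotes the AWS FAQ makes a claim that can be checked from a spoke VPC's route tables rather than by detaching a live gateway: traffic for on-prem prefixes is selected by longest-prefix match onto a route whose target is the VGW, and no IGW route is on that path. The following Python is an added example written for this page, not code from the video, from Cisco, or from any commenter. It takes a constructed `describe_route_tables`-style structure (all resource IDs are made up), classifies each route by its target type, performs the VPC router's longest-prefix match for a destination, and simulates an IGW detachment by dropping IGW-targeted routes so you can see which prefixes actually depend on the IGW. It models route selection only, not the IPsec session itself.

```python
"""Audit which VPC route-table prefixes depend on an Internet Gateway.

Added example for this page; not from the video or any commenter.
The route table below is constructed sample data, not a live AWS response.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a spoke VPC route table with a local route, a default route
# via an IGW, a VGW-propagated route to an on-prem prefix, and a peering route.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",        # hypothetical ID
    "VpcId": "vpc-0example",               # hypothetical ID
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0example",
         "State": "active", "Origin": "EnableVgwRoutePropagation"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0example",
         "State": "active"},
    ],
}


def route_target(route):
    """Return (kind, target_id) for one route entry.

    kind is one of: local, igw, vgw, pcx, tgw, other.
    """
    gw = route.get("GatewayId")
    if gw == "local":
        return ("local", gw)
    if gw:
        prefix = gw.split("-", 1)[0]
        return (prefix if prefix in ("igw", "vgw") else "other", gw)
    if "VpcPeeringConnectionId" in route:
        return ("pcx", route["VpcPeeringConnectionId"])
    if "TransitGatewayId" in route:
        return ("tgw", route["TransitGatewayId"])
    return ("other", None)


def classify_routes(route_table):
    """Group active destination prefixes by the kind of gateway they point at."""
    groups = defaultdict(list)
    for r in route_table["Routes"]:
        if r.get("State") != "active":
            continue
        groups[route_target(r)[0]].append(r["DestinationCidrBlock"])
    return dict(groups)


def lookup(route_table, dst_ip):
    """Longest-prefix match, as the VPC router does; returns (kind, target_id) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for r in route_table["Routes"]:
        if r.get("State") != "active":
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, route_target(r)
    return best_target


def without_igw(route_table):
    """Simulate detaching the IGW: every IGW-targeted route becomes unusable."""
    kept = [r for r in route_table["Routes"] if route_target(r)[0] != "igw"]
    return {**route_table, "Routes": kept}


def igw_dependent_prefixes(route_table):
    """Prefixes that would lose their path if the IGW were detached."""
    return classify_routes(route_table).get("igw", [])


if __name__ == "__main__":
    print("by gateway kind:", classify_routes(SAMPLE_ROUTE_TABLE))
    print("IGW-dependent prefixes:", igw_dependent_prefixes(SAMPLE_ROUTE_TABLE))
    for ip in ("192.168.10.5", "8.8.8.8", "10.1.2.3"):
        print(ip, "->", lookup(SAMPLE_ROUTE_TABLE, ip),
              "| after IGW detach ->", lookup(without_igw(SAMPLE_ROUTE_TABLE), ip))
```

Run it against real data by feeding `classify_routes` and `lookup` the `RouteTables` entries returned by `aws ec2 describe-route-tables`; the interesting output is the on-prem destination that still resolves to the VGW after `without_igw`, while the default route is the only prefix that needs the IGW.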