Connect, Unify, and Scale with AWS and Alkira’s Cloud Area Networking
By Misbah Rehman, Technical Marketing Engineer – Alkira
By Dave Thibault, Sr. Solutions Architect – AWS
The cloud adoption journey for many Amazon Web Services (AWS) customers often starts with a small use case or single application. These initial deployments grow, evolve, and expand, becoming a conduit for an expanded cloud deployment.
As organizations look to expand their cloud footprint by hosting more applications or leveraging multiple AWS regions, the connectivity requirements to on-premises sites, users, and the company’s wide area network (WAN) infrastructure start to become more stringent and challenging.
Designing, deploying, and maintaining such a network at scale, with enterprise-grade security and quality of service, can be a daunting task for a network architect. Additionally, they have to make sure the solution can integrate with incumbent WAN infrastructure like MPLS, SD-WAN, and remote access virtual private network (VPN) solutions.
Depending on the size of the enterprise and available budget and resources, this could be a 12- to 18-month project, as it requires proper planning, designing, testing, and finally deploying into production. Consequently, all of this can negatively impact the pace of cloud adoption even though an enterprise is fully committed to embracing it.
Alkira Cloud Area Networking helps customers fully embrace the benefits of AWS, as Alkira automates the tedious tasks required to connect enterprise WAN to the cloud. There is no hardware to buy, no agents to install, and it’s entirely delivered as a service.
About Alkira’s Cloud Area Network Solution
Alkira is an AWS Networking Competency Partner that enables enterprises to build networks with speed, agility, and scale. Alkira Cloud Area Networking is a full stack, edge-to-cloud, enterprise-grade network which is delivered as a service. It allows you to build a multi-region global network which can extend connectivity to the cloud in a matter of hours instead of months.
The service centers around a highly available and resilient network of globally distributed Alkira cloud exchange points (CXPs), the virtual multi-cloud points of presence. Alkira CXPs are interconnected over high bandwidth, low-latency cloud infrastructure.
Leveraging this infrastructure, you can establish a multi-region, multi-cloud virtual backbone connecting remote locations to AWS and software-as-a-service (SaaS) or internet applications in minutes. Remote locations and Amazon Virtual Private Clouds (VPCs) connect to the geographically closest Alkira CXP, improving overall application performance.
Using Alkira, customers can also do a service insertion and deploy a firewall from the marketplace for traffic inspection. Once the firewall is deployed, traffic from on-premises and cloud networks can be redirected to it using Alkira’s policy framework.
Figure 1 – Alkira Cloud Networking Platform.
Connecting from On-Premises to AWS Through Alkira
Alkira offers seamless integration of WAN technologies with the cloud. Having flexible connectivity options is important as enterprises face a diverse set of requirements due to varying business outcomes. This forces them to look into different connectivity options based on use case.
Some of the on-premises-to-cloud connectivity requirements and use cases enterprises face are as follows:
- A retail customer needs to connect stores to the payment application running on AWS over the internet using IPSec.
- A Fortune 500 customer needs guaranteed bandwidth between AWS and its data centers over a private MPLS connection.
- An enterprise needs to deliver a horizontally scalable global remote access solution due to the pandemic.
With Alkira, an enterprise can achieve all of the above and more through a simple point-and-click operation, enabling you to connect on-premises applications and users with the cloud quickly and efficiently.
Extending SD-WAN into AWS
Alkira Cloud Area Networking offers a marketplace with all of the top SD-WAN vendors. As a customer selects the SD-WAN vendor of their choice, Alkira spins up the SD-WAN appliance and connects to a cloud exchange point for access. Devices spun up inside Alkira are configured and managed by customers’ existing SD-WAN controllers.
Alkira brings up the virtual machines (VMs), establishes connectivity between SD-WAN devices and CXP, and maintains the lifecycle of the VM appliance. Customers don’t have to worry about the architecture complexities and deployment challenges, while at the same time they have full control over the access and configuration of these devices.
Segmentation is one of the key benefits of SD-WAN, as it allows isolation of traffic using different routing domains and carries those over a common overlay network. Alkira enables customers to seamlessly extend the same level of segmentation into the cloud through its SD-WAN integration. You can map your cloud resources and applications to the appropriate segment so the resources within the same segment can talk to each other.
Figure 2 – End-to-end segmentation with Alkira.
In mergers and acquisitions, two companies can have different SD-WAN vendors or overlays which are completely isolated networks. However, both need connectivity to the same applications running on AWS.
Alkira can meet this requirement as well, since it allows you to connect multiple SD-WAN solutions to the CXPs and then connect to the applications running in the cloud.
Figure 3 – Integration topology with a single segment deployment.
IPSec over Public Internet
You can also connect on-premises sites to Alkira over the public internet using either policy-based or route-based IPSec. This can be used to connect remote locations, on or off your SD-WAN, to access cloud resources and applications within your environment.
From a configuration standpoint, you can use a static or dynamic IP address to terminate the IPSec connections. Usually, IPSec requires a static IP to terminate the connection. However, Alkira has customers where the end location IP address is dynamic. Every time the IP changes, the customers are required to update their IPSec connection.
Alkira solves dynamic IP problems for customers by giving them the option to use dynamic IP for IPSec connectors. For IPSec phase I and phase II configuration, there are options for full custom configuration in case you don’t want to use the default options.
Figure 4 – IPSec configurations.
To set up routing over this IPSec connection, Alkira supports both static routing and dynamic routing with Border Gateway Protocol (BGP). For traffic engineering and route manipulation, route policies enable you to take care of any complex routing needs.
For disaster recovery, you can choose a failover CXP for cross-region redundancy. Once you configure it, a backup connector is created on the failover CXP, which can be used to forward traffic in case the active CXP region is down.
Private Connectivity to AWS
Many enterprise customers prefer the option of dedicated MPLS-based private connectivity for mission-critical applications. These are the enterprises who have either one or a combination of the below requirements:
- Consume MPLS in their on-premises infrastructure and want to extend the same to cloud.
- Need higher bandwidth throughput for applications requiring data backups and replication.
- Desire lower latency for applications using real-time feeds.
- Require strict SLAs for better user experience for cloud applications.
With Alkira, all you need is an AWS Direct Connect circuit from a service provider or colocation provider deployed and configured in your AWS account. After this, you can go to the Alkira portal and provision a Direct Connect connector on the CXP.
As part of provisioning, a hosted virtual interface (VIF) for the Direct Connect connection will be created in the Alkira account, and the connectivity to the CXP is extended from that VIF automatically without requiring you to configure anything.
Once the provisioning is complete, you can download the necessary configuration for your on-premises router. Once the configurations are applied on the router, connectivity from your data center or colocation environment to the cloud is established.
Remote User Connectivity
Alkira CXPs can be configured for direct remote user access, which allows users to securely connect to the closest Alkira CXP to access applications in the cloud, on-premises data centers, or the internet.
For applications hosted in remote regions, users can leverage Alkira’s high bandwidth, low-latency backbone for optimized access. Alkira’s remote access VPN solution allows customers to create VPN termination points across all Alkira CXPs.
When a remote user establishes a VPN connection, they get connected to the closest Alkira CXP using latency-based routing functionality offered by Amazon Route 53, thus limiting any kind of backhauling of remote user traffic to a central location.
Figure 5 – Remote user connectivity.
Once authenticated, remote users are assigned to a user group, which then maps to an Alkira segment. Different user groups can map to different segments without requiring separate Alkira CXP remote access connectors for each segment.
Figure 6 – Remote users and segmentation.
As demand for concurrent user capacity varies over time, the Alkira remote access VPN solution can automatically scale the service up and down, preventing overprovisioning and overspending of resources.
From a customer perspective, Alkira provides a feature-rich solution for AWS customers to extend on-premises connectivity into the cloud. Below is a list of benefits joint customers will get using Alkira Cloud Area Networking:
- Single unified solution with all the WAN connectivity options including remote users.
- Optimized connectivity by terminating branch/users to the CXP hosted inside the closest AWS region.
- End-to-end monitoring and visibility for WAN and cloud networks.
- Unified security architecture.
- Seamless extension of virtual routing and forwarding (VRF)-based segmentation to the public cloud.
- Simple point-and-click interface for provisioning.
- Resilient solution with support for inter-region failover.
Alkira Cloud Area Networking provides a fast and frictionless way to onboard and connect your WAN to cloud workloads and applications running on AWS. It opens up possibilities for networking teams to be more agile, nimble, and to no longer be the bottleneck in the cloud adoption journey for organizations.
To get started, visit the Alkira Cloud Area Networking website.