Using SD-WAN to Supercharge your AWS Direct Connect

Be aware of the risks involved in AWS Direct Connect

Amazon Web Services is a critical part of many companies’ day-to-day operations and comprises core capabilities such as Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), and Amazon DynamoDB. Very high-bandwidth, low-latency, high-reliability connectivity to these essential services can be provided through AWS Direct Connect (AWS DC), a cloud service that physically connects one of the 100 AWS Direct Connect locations to AWS using private circuitry.

As a first step, you will add a new node to your network within one of the 100 AWS Direct Connect locations. Then, as a next step, you will create a new connection, choosing between a hosted connection provided by an AWS Direct Connect Delivery Partner, or a dedicated connection from AWS at one of those 100 AWS Direct Connect locations.

A dedicated connection from AWS is a physical Ethernet connection associated with a single customer, and supports bandwidth speeds of 1 Gbps, 10 Gbps, and 100 Gbps. A hosted connection is a physical Ethernet connection managed and provisioned by an AWS Direct Connect Partner on behalf of multiple customers, and supports bandwidths from 50 Mbps up to 10 Gbps, although special requirements must be met by the AWS DC Partner in order to provide above 1 Gbps.

So, using AWS Direct Connect, a company now has one of the absolute top performing connections (in terms of bandwidth, latency, and reliability) to transfer data between the AWS ecosystem and company resources. But the following problem remains unaddressed – How best to connect the “last mile” from the AWS Direct Connect location to your home office, headquarters, other data centers, and other remote or satellite locations?

SD-WAN with Virtual Leased Lines to the Rescue

Typically, companies connect to the AWS DC site over the Internet, using an ISP or MSP. This means that the hop from the DC site to your office/data center/headquarters operates at much lower bandwidth than the pipe between the DC site and AWS. This may be fine for many companies, but if your business relies on high volumes of traffic, especially latency-critical real-time traffic such as voice/video applications, then optimizing that “last mile” becomes very important.

Software-defined WAN (SD-WAN) with broadband bonding/aggregation provides a cost-effective solution by combining multiple broadband sources (such as cable, fiber, 4G/5G cellular, fixed wireless, satellite, MPLS) into a single “super pipe” connection. This pipe has the combined bandwidth of all the individual sources and, when orchestrated by the best SD-WAN devices on the market, becomes a high-bandwidth, low-latency, high-reliability, highly versatile Internet connection that we can also refer to as a VLL or virtual leased line: similar to a VPN, but much more powerful.

Virtual Leased Lines (VLL)

A Virtual Leased Line (VLL) provides secure, fast and reliable VPN connectivity between multiple locations by creating an IP tunnel that uses the bonded Internet access lines available on each side. This is accomplished via SD-WAN appliances at each endpoint. VLL can bond any type of Internet access line from any service provider including DSL, cable, fiber, satellite, T1, E1, DIA, MPLS, etc., without requiring any coordination with the ISPs. This enables tunnels with packet-level granularity bonding for any protocol or application including video, VoIP, uploads, chatty applications and others. With VLL, even a single session can be striped over the available links unlocking the aggregate speed of the individual connections.

VLL can enable a bonded VPN Internet pipe between your home office/headquarters/data center and your AWS DC location, between two office locations, or between the office and its Internet data center. VLL tunnels support star and mesh topologies for site-to-site VPN, support encryption, or can work transparently with your existing VPN.

Some Useful VLL Configurations to Supercharge Your AWS Direct Connect

Let’s look at several ways that VLL can significantly improve your connectivity within, and alongside, an AWS Direct Connect framework.

  • VLL to provide access to the AWS DC location
    • Using an SD-WAN appliance (virtual or physical) at the DC location along with another SD-WAN appliance at the office, branch, or any other remote location, enables a direct VLL link between the two sites, providing high-speed, low-latency access to AWS.
  • VLL to provide access to AWS itself, over the public Internet
    • An SD-WAN device at any office location, branch, or remote location, coupled with a VLL endpoint inside AWS, provides the direct link between any company location and AWS over the public Internet. In effect, this makes the VLL connection a Direct Connect alternative/supplement/failover.
  • VLL to provide access to non-Amazon company resources, data centers, offsite locations.
    • Using SD-WAN devices, and VLL, provides supercharged Internet connectivity between any 2 (or more) company locations.

VLL and AWS Direct Connect – A Perfect Marriage

AWS Direct Connect provides for extremely high bandwidth and high reliability connections to AWS from Amazon’s 100 or so Direct Connect locations worldwide. Connecting these DC locations to your company’s offices, data centers, or other remote locations using SD-WAN devices allows for the use of highly capable, bonded VPNs, or virtual leased lines (VLL), to manage traffic into and out of the AWS ecosystem. VLL can also supercharge the rest of your company’s Internet connectivity by similarly linking headquarters, branch offices, and other remote locations via the “super pipe” that VLL provides.

Virtual Leased Lines provide a quick Return on Investment (ROI) and lower operating expenses when used in conjunction with MPLS or as an alternative to MPLS. Cost-effective bandwidth is supplied through cheaper broadband lines and Quality of Service (QoS) is managed by algorithms within the VLL.

VLL provides other benefits as well, including:

  • Downlink and Uplink Bonding
    • The ability to bond Internet access lines for all types of traffic (including encrypted traffic such as VPN) for aggregated downlink and uplink capacity.
  • Application Armor with Session Keep-Alive
    • Network conditions within the VLL tunnel are monitored to intelligently react in real time to mitigate any performance degradation caused by the WAN links. In case of any degradation on any of the WAN links, the VLL tunnel maintains the ongoing IP sessions, including VoIP calls, without loss of performance by shielding the effects of dropped WAN links, lost packets, or high latency on any of the links.
  • Advanced QoS Algorithms
    • Application-centric bonding tunnels have the ability to optimize the flows for specific applications. As an example, the Application Armor tunnel has the ability to route packets around networking problems for ongoing application flows.
  • WAN on Autopilot for High 9s Reliability
    • When an Internet access line develops problems, VLL has the ability to make real-time, per-packet routing path decisions, even for sessions in progress. Additionally, automatic failover protects against failures of one or more WAN links. This ensures better reliability (more 9s) than any individual link.
  • Elastic Static IP
    • Static IP addresses in the cloud (or from your data center) can be mapped onto the branch office SD-WAN device. This means that static IP is available for services that rely on stable IP addressing (such as VPN, VoIP/SIP, etc.) and inbound network access is available, even during WAN outages, as long as at least one of the WAN links is up.
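To make the bonding, session keep-alive and per-packet failover behaviour described above concrete, here is a small added toy model (not Mushroom Networks’ code, and not their proprietary algorithms): a sender stripes the packets of one session across several WAN links using a weighted round-robin stand-in for the vendor’s scheduler, steers away from links that are down or showing excessive loss, and a receiver reassembles the session in order. Link names, bandwidths, latencies and the loss threshold are constructed assumptions for illustration.

```python
"""Toy model of a bonded VLL tunnel (added illustration, not vendor code):
per-packet striping over heterogeneous WAN links, link health monitoring
with failover, and in-order reassembly of a single striped session."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth_mbps: float   # striping weight: faster links carry more packets
    latency_ms: float       # one-way delay used to simulate out-of-order arrival
    up: bool = True
    sent: int = 0
    lost: int = 0           # loss feedback, e.g. from tunnel keep-alives

    def healthy(self, max_loss_ratio: float = 0.2) -> bool:
        # A link is avoided once it is down or its observed loss ratio is too
        # high (assumed threshold; the first few packets are not judged).
        if not self.up:
            return False
        return self.sent < 10 or self.lost / self.sent < max_loss_ratio


class BondedTunnel:
    """Sender side: picks a link per packet and tags it with a sequence number."""

    def __init__(self, links):
        self.links = links
        self.seq = 0
        self.credit = {link.name: 0.0 for link in links}

    def aggregate_bandwidth(self) -> float:
        return sum(l.bandwidth_mbps for l in self.links if l.healthy())

    def pick_link(self) -> Link:
        # Weighted round-robin with running credits, so a 100 Mbps link gets
        # twice as many packets as a 50 Mbps link; unhealthy links get none.
        healthy = [l for l in self.links if l.healthy()]
        if not healthy:
            raise RuntimeError("all WAN links down")
        for l in healthy:
            self.credit[l.name] += l.bandwidth_mbps
        best = max(healthy, key=lambda l: self.credit[l.name])
        self.credit[best.name] -= sum(l.bandwidth_mbps for l in healthy)
        return best

    def send(self, payload: bytes):
        # The payload is opaque bytes: already-encrypted VPN packets are
        # striped exactly like cleartext ones.
        link = self.pick_link()
        link.sent += 1
        self.seq += 1
        return self.seq, link.name, payload


class Receiver:
    """Receiver side: buffers out-of-order packets and delivers in sequence."""

    def __init__(self):
        self.next_seq = 1
        self.pending = {}
        self.delivered = []

    def receive(self, seq: int, payload: bytes) -> int:
        self.pending[seq] = payload
        while self.next_seq in self.pending:
            self.delivered.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        return len(self.delivered)


def simulate(links, n_packets: int, fail=None):
    """Stripe one session of n_packets over links, sending 1 ms apart.
    fail=(link_name, packet_index) takes a link down mid-session.
    Returns (packets sent per link, payloads delivered in order)."""
    tunnel = BondedTunnel(links)
    receiver = Receiver()
    by_name = {l.name: l for l in links}
    on_wire = []
    for i in range(n_packets):
        if fail and i == fail[1]:
            by_name[fail[0]].up = False          # simulated WAN link outage
        seq, name, payload = tunnel.send(f"pkt{i}".encode())
        arrival_ms = i * 1.0 + by_name[name].latency_ms
        on_wire.append((arrival_ms, seq, payload))
    for _, seq, payload in sorted(on_wire):      # packets arrive by latency
        receiver.receive(seq, payload)
    return {l.name: l.sent for l in links}, receiver.delivered


if __name__ == "__main__":
    wan = [Link("fiber", 100, 10), Link("lte", 50, 40)]
    per_link, delivered = simulate(wan, 60, fail=("lte", 30))
    print(per_link, delivered[:3], len(delivered))
```

Two things to notice when running it: the slow-link packets arrive after later fast-link packets, yet the receiver hands the session up in the original order, and after the `lte` link is taken down mid-session the remaining packets all flow over `fiber` with nothing lost, which is the per-packet failover the text calls WAN on Autopilot.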

So, while AWS Direct Connect is great to have, combining this capability with strategically placed VLL tunnels, through the use of SD-WAN devices, greatly enhances your overall connectivity footprint and posture, in terms of higher bandwidth, lower latency, and higher reliability and overall performance.

Rob Stone, Mushroom Networks, Inc. 

Mushroom Networks is the provider of Broadband Bonding appliances that put your networks on auto-pilot. Application flows are intelligently routed around network problems such as latency, jitter and packet loss. Network problems are solved even before you can notice.
