Organizations typically connect to their applications through a single VPN tunnel between their data center and AWS. With the Cisco CSR 1000V Series deployed in AWS, every enterprise- and branch-office location can now have direct VPN access into the AWS-hosted applications without back-hauling through an existing data center. This approach reduces latency, eliminates the need for expensive private WAN services, avoids per-VPN-tunnel costs that Amazon charges, and even allows AWS to participate in existing route-based VPN topologies.
Figure 1-1 Multi-Site Hybrid Cloud Overlay Network
AWS does not provide VPN connectivity between VPCs in discrete AWS regions, making multi-region cloud deployments complex. By deploying a Cisco CSR 1000V Series Router in each region’s VPC and interconnecting Cisco CSR 1000V Series Routers through a VPN, enterprises can create a global, secure network topology within the AWS cloud.
Figure 1-2 Hybrid Cloud Overlay Connecting Cloud, Headquarters, Field Offices, and Teleworkers
The Cisco CSR 1000V Series is part of a family of platforms that includes the latest edge, branch-office, service, and telecommuting routers, providing the ideal platform on which to build a fully connected enterprise network. Together, these platforms provide easy multi-homing over any carrier service offering, a single routing control plane with minimal peering to the provider, automatic site-to-site IPsec tunnels, and comprehensive threat defense.
Figure 1-2 shows how dynamically created tunnels avoid bottlenecks in the AWS-hosted, fully connected hybrid cloud.
Figure 1-3 Cloud-Anchored Enterprise-Wide Overlay
If your organization wants a highly available VPN cloud with geographically disparate headend routers, you can place the headend routers in separate AWS data centers. The full mesh of dynamically created tunnels makes it possible to avoid potential bottlenecks and increased bandwidth costs associated with cloud-based headend routers by allowing spoke-to-spoke traffic (Figure 1-3). Only traffic destined for the application servers in the cloud flows through the headend routers.
Figure 1-4 Highly Available Enterprise Overlay with Fully Redundant AWS Cloud Router
In addition to high availability at the headend, the Cisco CSR 1000V Series Router can provide high availability within the AWS VPC. You can place multiple Cisco CSR 1000V Series Routers in separate availability zones, each with a set of instances using that CSR 1000V as their default route. When maintenance is required on one of the Cisco CSR 1000V Series Routers, traffic can be routed from the CSR 1000V in one availability zone to the CSR 1000V in the other availability zone, either manually or automatically through active monitoring. Each of the two Cisco CSR 1000V Series Routers can route to any other spoke in the Cisco DMVPN network as well as to other CSR 1000V Routers within AWS.
This design enables the following capabilities:
- Single Routing Plane — The Cisco CSR 1000V Series routing protocol support for Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) allows it to integrate smoothly into the rest of your enterprise network instead of creating islands in the cloud.
- High Availability — The dual-hub Cisco DMVPN design provides a fault-tolerant overlay network with no single point of failure. This fault tolerance is increased when the hubs are geographically disparate.
- Defense in Depth — The security provided by the overlay network through IPsec tunnels and Zone-Based Firewalls (ZBFWs) is decoupled from the underlying AWS infrastructure, so your corporate network remains protected even if the AWS account is compromised.
- Unified Security Policy — Using ZBFWs, your organization can use the Cisco CSR 1000V Series to create a cohesive security policy across your entire network, including branch offices, mobile workers, and public clouds.