If you work in IT, and you haven’t been living under a rock, then you have likely heard of Amazon Web Services (AWS).  There has been a substantial increase in the maturity and stability of the AWS Elastic Compute Cloud (EC2), but you may be wondering – can I continue to leverage F5 services in AWS?  In this series of blog posts, we will discuss the how and why of running F5 BIG-IP in EC2.  In this specific article, we’ll start with the basics of AWS EC2 and the Virtual Private Cloud (VPC).  Later in the series, we will discuss some of the considerations associated with running BIG-IP as a compute instance in this environment, outline the best deployment models for your application in EC2, and show how these deployment models can be automated using open-source tools.

Note: AWS uses the terms "public" and "private" to refer to what F5 Networks has typically referred to as "external" and "internal" respectively.  We will use these terms interchangeably.

First, what is AWS? If you have read the story (http://blog.b3k.us/2009/01/25/ec2-origins.html), you will know that the EC2 project began with an internal interest at Amazon to move away from messy, multi-tenant networks using VLANs for segregation.  Instead, network engineers at Amazon wanted to build an entirely IP-based architecture.  This vision morphed into the universe of application services available today. Of course, building multi-tenant, purely L3 networks at massive scale had implications for both security and redundancy (we’ll get to this later).  Today, EC2 enables users to run applications and services on top of virtualized network, storage, and compute infrastructure, where hosts are deployed in the form of Amazon Machine Images (AMIs).  These AMIs can either be private to the user or launched from the public AWS Marketplace.  Hosts can be added to Elastic Load Balancing (ELB) groups and associated with publicly accessible IPs to implement a simple horizontal model for availability.


AWS became truly relevant for the enterprise with the introduction of the Virtual Private Cloud service.  VPCs enable users to build virtual private networks at the IP layer.  These private networks can be connected to on-premises configurations by way of a VPN Gateway, or connected to the internet via an Internet Gateway.  When deploying hosts within a VPC, the user has a significant amount of control over how each host is attached to the network. For example, a host can be attached to multiple networks and given several public or private IPs on one or multiple interfaces.  Further, users can control many of the security aspects they are used to configuring in an on-premises environment (albeit in a slightly different way), including network ACLs, routing, simple firewalling, DHCP options, etc.  Let's talk about these and other important EC2 aspects and try to understand how they affect our application deployment strategy.
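To make the VPC picture concrete, the address-planning arithmetic can be sketched with Python's standard-library ipaddress module.  The CIDR blocks below are illustrative assumptions, not values from any particular deployment:

```python
import ipaddress

# Illustrative VPC CIDR block; AWS permits VPC blocks from /16 down to /28.
vpc = ipaddress.ip_network("10.0.0.0/16")

# Carve the VPC into /24 subnets and take the first two, e.g. one
# public (internet-facing) subnet and one private (internal) subnet.
subnets = list(vpc.subnets(new_prefix=24))
public_subnet, private_subnet = subnets[0], subnets[1]

print(public_subnet)                  # 10.0.0.0/24
print(private_subnet)                 # 10.0.1.0/24
print(private_subnet.subnet_of(vpc))  # True
```

A /16 VPC yields 256 such /24 subnets, which is more than enough room for the public/private split discussed below.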


L2 Restrictions:

As we mentioned above, one of the design goals of AWS was to remove layer 2 networking.  This is a worthy accomplishment, but we lose access to certain useful protocols and mechanisms, including ARP (and gratuitous ARP - http://networkengineering.stackexchange.com/questions/7713/how-does-gratuitous-arp-work), broadcast and multicast groups, and 802.1Q tagging.  We can no longer use VLANs for some availability models, for quality of service management, or for tenant isolation.


Network Interfaces:

For larger topologies, one of the biggest impacts of losing 802.1Q support is a limit on the number of subnets we can attach to a node in the network. Because each interface in AWS is attached as a layer 3 endpoint, we must add an interface for each subnet.  This contrasts with traditional networks, where you can carry a VLAN for each subnet on a single trunk via tagging. Even though we're in a virtual world, the number of virtual network interfaces (or Elastic Network Interfaces (ENIs) in AWS terminology) is limited according to the EC2 instance size. Together, the limit on the number of interfaces and the one-to-one mapping between interface and subnet effectively cap the number of directly connected networks we can attach to a device (like BIG-IP, for example).
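The arithmetic here is simple but worth spelling out.  The sketch below uses a few per-instance-type ENI limits as illustrative assumptions (check the AWS documentation for the current figures for your instance type):

```python
# Illustrative ENI limits per instance type. These numbers are assumptions
# for the sake of the example; consult the AWS documentation for current
# values before planning a deployment.
ENI_LIMITS = {
    "t2.micro":   {"enis": 2, "ips_per_eni": 2},
    "m4.xlarge":  {"enis": 4, "ips_per_eni": 15},
    "c4.8xlarge": {"enis": 8, "ips_per_eni": 30},
}

def max_directly_connected_subnets(instance_type):
    # One subnet per ENI: without 802.1Q trunking, each additional
    # directly connected subnet costs a whole interface.
    return ENI_LIMITS[instance_type]["enis"]

def max_private_ips(instance_type):
    # Upper bound on private IPs across all interfaces.
    limits = ENI_LIMITS[instance_type]
    return limits["enis"] * limits["ips_per_eni"]

print(max_directly_connected_subnets("m4.xlarge"))  # 4
print(max_private_ips("m4.xlarge"))                 # 60
```

The takeaway: on a traditional trunked network the subnet count is essentially unbounded, while in EC2 it is a hard function of instance size.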


IP Addressing:

AWS offers two kinds of globally routable IP addresses: “Public IP Addresses” and “Elastic IP Addresses”.  In the table below, we outline some of the differences between these two types.  You can probably figure out for yourself why we will want to use Elastic IPs with BIG-IP.  Like interfaces, AWS limits the number of IPs in several ways, including the number of IPs that can be attached to an interface and the number of Elastic IPs per AWS account.

Table 1: Differences between Public and Elastic IP Addresses

                                                 Public IP    Elastic IP
Released on device termination/disassociation    YES          NO
Assignable to secondary interfaces               NO           YES
Can be associated after launch                   NO           YES

Amazon provides more information on public and elastic IP addresses here:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses


Each interface on an EC2 instance is given a private IP address.  This address is routable locally within your subnet and is assigned from the address range of the subnet to which your interface is attached. Multiple secondary private IP addresses can be attached to an interface, which is a useful technique for creating more complex topologies.
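One sizing detail to keep in mind: AWS reserves the first four addresses and the last address of every subnet (network address, VPC router, DNS, future use, and broadcast), so the usable count is always five less than the raw CIDR math suggests.  A minimal sketch:

```python
import ipaddress

def usable_private_ips(cidr):
    """Count assignable private IPs in a VPC subnet.

    AWS reserves the first four addresses and the last address of
    every subnet (network, VPC router, DNS, future use, broadcast).
    """
    subnet = ipaddress.ip_network(cidr)
    return subnet.num_addresses - 5

print(usable_private_ips("10.0.1.0/24"))  # 251
print(usable_private_ips("10.0.0.0/28"))  # 11
```

This is why a /28, the smallest subnet AWS allows, leaves only 11 assignable addresses rather than the 14 usable hosts you would expect on a traditional network.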

The number of interfaces and private IPs per interface within an Amazon VPC are listed here:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI


NAT Instances, subnets and routing:

When creating a VPC using the wizard available in the AWS VPC web portal, several default configurations are possible.  One of these configurations is “VPC with Public and Private subnets”.  In this configuration, what if the instances on our private subnet wish to access the outside world? Because we cannot attach public or Elastic IP addresses to instances within the private subnet, we must use a NAT instance provided by AWS.  Like BIG-IP and other network devices in EC2, the NAT instance lives as a compute node within your VPC.  This is a good way to allow outbound traffic from your internal servers while preventing those servers from receiving inbound traffic.

When you create subnets manually or through the VPC wizard, you’ll note that each subnet has an associated routing table. These route tables may be updated to control traffic flow between instances and subnets in your VPC.
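The behavior of those route tables can be sketched in a few lines: the most specific (longest-prefix) matching route wins.  The table contents below are illustrative assumptions modeled on the "Public and Private subnets" wizard configuration:

```python
import ipaddress

# A simplified model of the private subnet's route table. The targets
# ("local", "nat-instance") are illustrative labels, not AWS identifiers.
route_table = [
    ("10.0.0.0/16", "local"),         # intra-VPC traffic stays local
    ("0.0.0.0/0",   "nat-instance"),  # everything else goes via NAT
]

def lookup(route_table, dst):
    # Collect matching routes, then pick the longest prefix.
    dst = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(cidr), target)
        for cidr, target in route_table
        if dst in ipaddress.ip_network(cidr)
    ]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

print(lookup(route_table, "10.0.1.23"))  # local
print(lookup(route_table, "8.8.8.8"))    # nat-instance
```

Swapping the default route's target is exactly how the wizard differentiates the public subnet (default route to the Internet Gateway) from the private one (default route to the NAT instance).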


Regions and Availability Zones

We know quite a few people who have been confused by the concept of availability zones in EC2.  To put it clearly, an availability zone is a physically isolated datacenter in a region.  Regions may contain multiple availability zones (for example, us-east-1 has 5 zones at the time of writing).  Availability zones run on different networking and storage infrastructure, and depend on separate power supplies and internet connections. Striping your application deployments across availability zones is a great way to provide redundancy and, perhaps, a hot standby, but please note that these are not the same thing.  Amazon does not mirror any data between zones on behalf of the customer.  While VPCs can span availability zones, subnets may not.


To close this blog post, we are fortunate enough to get a video walk through from Vladimir Bojkovic, Solution Architect at F5 Networks.  He shows how to create a VPC with internal and external subnets as a practical demonstration of the concepts we discussed above.