By Bala Mugunthan, Sr. Partner Solutions Architect at AWS
By James Wenzel, Sr. Partner Solution Architect, Networking at AWS
By Laura Neacsu, SD-Branch Solution Architect at Aruba
By Kelly Fleshner, Solution Technical Marketing at Aruba

Transit Gateway

Like previous technology transitions, shifting to the “era of data” at the intelligent edge changes the role of the network infrastructure and introduces new challenges.

Corporate networks have always played a pivotal role in moving data, low latency applications, and connecting people to their applications and services. However, with the resiliency and global scale of infrastructure as a service (IaaS) offerings, many application workloads are permanently deployed on Amazon Web Services (AWS).

Whether you need to deploy application workloads across the globe in a single click, or build and deploy specific applications closer to end users with single-digit millisecond latency, AWS provides you the cloud infrastructure where and when you need it.

The traditional ways of building your Wide Area Network (WAN) infrastructure to accommodate large amounts of traffic to and from corporate-owned centralized data centers is no longer valid.

An Aruba SD-Branch solution enhances access to cloud-hosted applications by making it easy to initialize and optimize the connectivity to AWS, while also providing orchestration and complete lifecycle management of your WAN gateways.

The SD-Branch solution is a part of Aruba’s Edge Services Platform (ESP), which is a key evolution to their end-to-end network architecture. ESP provides a unified infrastructure with centralized management that leverages artificial intelligence (AI) for improved operational experience. This helps customers enable a Zero Trust security policy on their existing infrastructure.

Aruba, a subsidiary of Hewlett Packard Enterprise, is a global leader in secure, intelligent edge-to-cloud networking solutions. Aruba uses a cloud-native approach to help each customer with all aspects of wired, wireless LAN, and WAN. Hewlett Packard Enterprise is an AWS Advanced Consulting Partner.

In this post, we will demonstrate the Aruba Virtual Gateway Deployment process into an AWS network with Aruba Central Orchestration.

AWS Global Infrastructure

AWS Regions are physical locations around the world where data centers are clustered. Each group of logical data centers is called an AWS Availability Zone (AZ), and each region consists of multiple, isolated, and physically separate AZs within a geographic area.

An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. All AZs in a region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber.

All traffic between Availability Zones is encrypted. The network performance is sufficient to accomplish synchronous replication between AZs, which makes partitioning applications for high availability easy. If an application is partitioned across Availability Zones, companies are better isolated and protected from issues such as power outages, lightning strikes, tornadoes, earthquakes, and more.

Aruba SD-Branch

The Aruba SD-Branch solution provides SD-WAN, wired, and wireless connectivity for branch users. The SD-WAN interconnects the physical and cloud-based hosted application sites with the remote site locations, making it an integral part of the network.

Modern WAN networks require a flexible and scalable design in order to support mission-critical applications and real-time multimedia communications from any location.

Access to cloud services from each location is key to the success of keeping the network running as efficiently as possible without sending internet-based traffic through designated data centers.

Aruba-SD-Branch-1

Figure 1 – Aruba ESP architecture.

Aruba SD-Branch allows you to implement the most cost-effective option at each branch and data center location by providing flexible alternatives to traditional private WAN offerings.

Different WAN transports can be chosen without worrying about changes to the IP addressing scheme in the corporate overlay. Traffic uses all of the available bandwidth while maintaining service level agreements (SLAs) defined in Aruba Central—your single point of visibility and control that spans the entire network, from branch to data center, wired and wireless LAN to WAN.

To allow flexible deployment options, the Aruba SD-Branch gateway components can be implemented in both physical and virtual form factors. By supporting a variety of form factors, you can connect and secure physical locations, private clouds, hybrid clouds, or public clouds in a consistent manner.

Key Benefits of SD-Branch with AWS

Combining Aruba’s SD-Branch with hosted applications running on AWS provides several key benefits:

  • Easily connect your WAN sites to AWS.
  • Add path resiliency and advanced routing capabilities to your Amazon Virtual Private Cloud (VPC) environments.
  • AWS points of presence become the equivalent of another node in the SD-Branch infrastructure and enhances seamless traffic flow.
  • Enhance application delivery and optimize traffic to and from AWS deployments.
  • Manage the entire lifecycle of gateways in AWS.

AWS Key Networking Services

AWS provides the broadest and deepest set of networking services with the highest reliability, most security features, and highest performance in the world. This helps ensure you can run any kind of workload you have in the cloud.

Security at AWS starts with core infrastructure, and AWS networking capabilities are designed to meet the most stringent security requirements. AWS infrastructure is monitored 24/7 to ensure the confidentiality, integrity, and availability of your data. The AWS Region/Availability Zone model has been recognized by industry analysts as the recommended approach for running enterprise applications requiring high availability.

The AWS global network lets you run workloads on the cloud that deliver the best support for the broadest set of applications, even those with the highest throughput and lowest latency requirements.

A few of the key AWS network services for the SD-Branch integration are:

  • Amazon VPC: Define and provision a logically isolated network for your AWS resources.
  • AWS Transit Gateway: Connect VPCs and on-premises networks through a central hub.
  • AWS Direct Connect: Establish a private, dedicated connection between AWS and your data center, office, or colocation environment.

Aruba Virtual Gateways

Aruba’s SD-Branch solution uses the Aruba Virtual Gateway (vGW), which serves as an entry point into the VPC. Aruba provides simple automation to initialize and manage vGWs, making it easy to connect workloads in the cloud while allowing them to benefit from SD-Branch’s functionality to improve overall application performance.

The manual process of managing connectivity into native AWS environments is time-consuming and error prone. It involves several steps to bring up virtual machines, configure routing tables, assign certificates, and manage the gateways. It’s labor intensive to ensure the proper configuration with the correct tunnels and routes have been configured for each location.

SD-Branch simplifies this process and provides complete lifecycle management for vGWs. An Aruba vGW managed by Aruba Central significantly improves traffic management and application delivery by:

  • Orchestrating the establishment of IPsec tunnels from branch and data center locations to vGWs on AWS.
  • Automating the exchange of routes to and from the VPC across the SD-WAN fabric.
  • Extending SD-Branch policies to AWS by performing dynamic path selection and load balancing traffic.
  • Automatically maintain application SLAs.
  • Providing end-to-end visibility of the entire SD-WAN network.
  • Offering multiple vGW form factors from 500Mbps to 4Gbs today with higher scalability planned.
  • Scaling to terminate thousands of IPsec VPN tunnels on a single vGW.
  • Delivering a highly resilient gateway to span multiple AZs with automatic failover.

The use of an Aruba vGW to connect the SD-Branch locations to AWS simplifies cloud access and the Amazon VPC becomes another managed node in the SD-WAN overlay network.

Aruba-SD-Branch-2

Figure 2 – Aruba vGWs on AWS as an SD-WAN overlay node.

Aruba Central Orchestration for Virtual Gateways

AWS introduces a unique workflow from the typical edge IT networking. Services are established and managed using APIs provided by AWS, and these interactions are quite different from the tools used to manage enterprise or data center networks.

For this reason, simply offering a virtual machine from AWS Marketplace is an inadequate method for you to utilize the service. You need the ability to treat AWS gateways as any other node in the network to make the best use of your WAN and cloud resources.

The Aruba SD-Branch solution provides an orchestration application within Aruba Central to handle the full life cycle of the Aruba vGW. Although manual initialization is supported using the AWS Management Console (or native APIs), the preferred mechanism uses the automated workflow.

Aruba-SD-Branch-3

Figure 3 – Lifecycle management for Aruba vGW using Aruba Central Orchestration.

Aruba Central handles the entire lifecycle of the Aruba vGW, from the initialization and provisioning, through all levels of management, monitoring, and troubleshooting. From Aruba Central’s perspective, the vGW in AWS is just another gateway node in your network.

Deploying Virtual Gateways in an AWS Environment

Aruba Central uses a given AWS user account when creating an Amazon Resource Name (ARN). The right level of AWS Identity and Access Management (IAM) access is required to gain visibility of the environment and to automate the deployment of the vGW.

The gateway application provisions the vGW instances, together with the necessary interfaces, subnets, and IP mappings, allowing for a seamless integration into the VPC. The following figure shows the vGWs deployed in an AWS infrastructure.

Aruba-SD-Branch-4

Figure 4 – Aruba Central’s virtual gateway application.

The first step to integrate the gateway is to add your AWS account into Aruba Central. You add the account name, as well as the IAM credentials, and the AWS account shows up in the available accounts list, which can now be used to deploy the virtual gateways.

IAM credentials allow Aruba Central to discover the VPC topology since IAM polices are applied on the AWS account, which is especially valuable when you have many VPCs.

Aruba-SD-Branch-5.1

Figure 5 – VPC topology.

The VPCs within a given region are displayed, along with the subnets for the VPC. You can also import new VPCs as they are added.

Once the VPC topology is discovered, you select a VPC and deploys Aruba vGWs. The following figure shows an example of creating the vGW in an AWS environment.

Aruba-SD-Branch-6

Figure 6 – Creating the virtual gateway.

To take advantage of resiliency features available, and to follow AWS best practices, a high availability (HA) pair of Aruba vGWs should be deployed in multiple Availability Zones. This is a straightforward process, achieved by selecting the HA option and multiple AZ options when you configure it in Aruba Central.

Aruba-SD-Branch-7

Figure 7 – HA pair of Aruba vGWs in a single VPC.

Multiple VPCs with an Edge VPC

When bringing SD-Branch into an AWS environment with applications running in multiple VPCs in each region, it’s easier to create an edge VPC to serve as the intermediary between the AWS environment and the SD-Branch’s connected sites.

The edge VPC connects multiple VPCs within the region. This simplifies network management and minimizes the connections needed between multiple VPCs and remote networks.

Aruba-SD-Branch-8

Figure 8 – Multiple VPCs with an edge VPC.

Aruba vGWs peers directly with AWS Transit Gateway and allows connectivity to the rest of the VPCs using standard routing protocols, like Border Gateway Protocol (BGP).

From Aruba Central’s point of view, a deployed vGW is another managed node in the SD-WAN overlay. Connectivity is automatically established as defined in the SD-Branch policies, and the gateways are visible in the monitoring dashboard for visual verification of their status.

The topology diagram below shows the connectivity from a branch to on-premises headend gateways and an Aruba vGW on AWS.

Aruba-SD-Branch-9

Figure 9 – End-to-end visualization from branch to private data center and AWS.

Summary

The Aruba SD-Branch design provides a prescriptive solution based on industry best practices and customer-adopted topologies. This allows network administrators to build a robust WAN network that accommodates the organization’s requirements.

Whether users are located at a headend site or smaller branch site, and whether hosted applications are in private data centers or public cloud, this design provides a consistent set of features and functionality for network access. This enables improved user satisfaction and productivity with reduced operational expense.

Aruba’s SD-Branch solution greatly enhances the benefits of integrating with AWS, as it turns the public hosted cloud environment into a managed node in the SD-WAN overlay network.

With the redundant, robust global infrastructure footprint of AWS, Aruba vGWs are scalable and can terminate thousands of IPsec VPN tunnels, making it easy for your locations to directly access hosted workloads on AWS.

Aruba vGWs connect individual VPCs with the customer’s enterprise network via high bandwidth, low latency AWS Direct Connect, or the Internet Gateway by extending the SD-WAN fabric to the cloud edge.

For complex cloud environments, Aruba’s AWS integration network endpoints simplify the process of connecting large numbers of VPCs using an edge VPC connecting to an AWS Transit Gateway.