Aruba SD-WAN Integration With Public Cloud (AWS) - Technical Note
Author:
Samuel Pérez Buñuel
Contributors:
Laura Neacsu
Mani Ganesan
Shashikala Subramanya
Technical Note
Copyright Information
Copyright © 2019 Hewlett Packard Enterprise Development LP.
www.arubanetworks.com
Fax 408.227.4550
NOTE If you’re already familiar with how the SD-WAN Orchestrator works, feel free to skip this part and go directly to section 3.
Aruba SD-WAN Integration with AWS Public Cloud Establishment of the Overlay Network | 9
2.1.1 Control Channel Communication
Every Aruba SD-WAN gateway (regardless of its role in the network) communicates with the SD-WAN
Orchestrator over a gRPC channel (refer to grpc.io) carried on TCP 443. This is a high-priority control
channel, and it can be established through any of the available uplink interfaces of the gateway.
2.1.2 Tunnel Orchestration
In order to build an SD-WAN network, the first step is to bring up a transport-independent secure overlay
network. In other words, manage the establishment of IPSec tunnels between the nodes of the network
through all available circuits as per the policy defined by the administrator.
In order to do this, the administrator identifies the uplink interfaces on all nodes together with their
service provider. Once that is available, the SD-WAN Orchestrator instructs the establishment of tunnels
according to the policy. This is done by matching the service provider uplinks in the following way:
• In the case of private circuits (MPLS), the name (e.g., SUPER) has to match on both ends. Partial
matches such as “SUPER01-MPLS” with “SUPER_MPLS” also result in IPSec SAs being sent to both
ends of the tunnel, so keep uplink naming under change control: a name that merely shares a
provider prefix is enough to get a tunnel built.
• In the case of public circuits (INET, MetroE, LTE), the SD-WAN Orchestrator first tries to establish
tunnels between uplinks with matching names (e.g., SPEEDY_INET with SPEEDY_INET). If no match is
possible, cross-SP matches are attempted (e.g., SPEEDY_INET with FAST_INET). In both cases, the
SD-WAN Orchestrator sends the IPSec SAs to the gateways to bring up the tunnels.
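The matching policy above, expressed as a small Python function. This is an added illustration, not Aruba's code or an Orchestrator API. Two details the document leaves unspecified are assumed here and marked in the code: the "provider" part of an uplink name is taken to be its leading run of letters (so SUPER01-MPLS and SUPER_MPLS both map to SUPER), and a cross-SP fallback may pair any two public circuit types. The gateway and uplink names are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

PRIVATE_KINDS = {"MPLS"}
PUBLIC_KINDS = {"INET", "METROE", "LTE"}


@dataclass(frozen=True)
class Uplink:
    gateway: str  # gateway that owns the uplink (constructed names below)
    name: str     # administrator-assigned uplink name, e.g. "SPEEDY_INET"
    kind: str     # circuit type: "MPLS", "INET", "METROE" or "LTE"


def provider_key(name: str) -> str:
    """Provider identity used for private-circuit matching.

    ASSUMPTION: the provider is the leading run of letters in the uplink name,
    so "SUPER01-MPLS" and "SUPER_MPLS" both yield "SUPER" (the document says
    such partial matches are paired but does not define the rule)."""
    match = re.match(r"[A-Za-z]+", name)
    return match.group(0).upper() if match else name.upper()


def plan_tunnels(local: List[Uplink], remote: List[Uplink]) -> List[Tuple[Uplink, Uplink]]:
    """Return the (local, remote) uplink pairs that should receive IPsec SAs."""
    pairs: List[Tuple[Uplink, Uplink]] = []
    for a in local:
        if a.kind in PRIVATE_KINDS:
            # Private circuits: pair only with the same provider, partial names included.
            pairs += [(a, b) for b in remote
                      if b.kind in PRIVATE_KINDS
                      and provider_key(a.name) == provider_key(b.name)]
        elif a.kind in PUBLIC_KINDS:
            public = [b for b in remote if b.kind in PUBLIC_KINDS]
            same_name = [b for b in public if b.name.upper() == a.name.upper()]
            # Public circuits: exact name match first; cross-SP pairing only if none.
            # ASSUMPTION: a cross-SP fallback may pair any two public circuit types.
            pairs += [(a, b) for b in (same_name or public)]
        else:
            raise ValueError(f"unknown circuit kind {a.kind!r} on {a.gateway}")
    return pairs


def pair_names(pairs):
    """Readable summary: set of (local uplink name, remote uplink name)."""
    return {(a.name, b.name) for a, b in pairs}


# Constructed sample uplinks (not from the document)
BRANCH_1 = [Uplink("BGW1", "SUPER01-MPLS", "MPLS"), Uplink("BGW1", "SPEEDY_INET", "INET")]
BRANCH_2 = [Uplink("BGW2", "ORANGE_MPLS", "MPLS"), Uplink("BGW2", "CITY_LTE", "LTE")]
HUB = [Uplink("VPNC1", "SUPER_MPLS", "MPLS"),
       Uplink("VPNC1", "SPEEDY_INET", "INET"),
       Uplink("VPNC1", "FAST_INET", "INET")]

if __name__ == "__main__":
    for branch in (BRANCH_1, BRANCH_2):
        print(branch[0].gateway, "->", sorted(pair_names(plan_tunnels(branch, HUB))))
```

Running it shows BGW1 getting exactly one MPLS tunnel (SUPER01-MPLS to SUPER_MPLS) and one Internet tunnel (the exact SPEEDY_INET match wins over FAST_INET), while BGW2's ORANGE_MPLS is left without a peer and its LTE uplink falls back to cross-SP pairing with both hub Internet uplinks.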
2.1.3 Route Orchestration
The last component for the SD-WAN Orchestration is the automation of routing between the nodes in the SD-
WAN network. For this purpose, the SD-WAN Orchestrator operates like a horizontally scalable routing service
for the SD-WAN:
• Routes learnt by the different gateways participating in the SD-WAN network will be advertised (or
redistributed) into the SD-WAN.
• Likewise, routes learnt via SD-WAN will be redistributed or advertised to other routing protocols.
• Route summarization inside the SD-WAN will be done by the route orchestrator itself.
• The summary routes needed for branch-to-branch communication through the hubs will be
selectively advertised as per configured policy.
• When a given prefix is reachable through multiple paths, the cost of each path is set as per the configured policy.
2.2 Configuration of SD-WAN Orchestration
The configuration for SD-WAN orchestration is extremely simple, consisting of only three steps:
• Establishing DC preference
• Redistributing routes
This is covered in greater detail in the SD-WAN product documentation. Nevertheless, the minimum steps are
outlined below for the sake of completeness.
DC preference for branch groups will be defined in this section:
2.2.3 Redistribute to/from Overlay
As mentioned above, the last step will be to redistribute other routing protocols (and connected subnets) into
SD-WAN and vice-versa.
2.3 Expected Result
Once the configuration is done, the outcome can be easily verified from the Aruba Central monitoring screens.
2.3.2 Route Orchestration
Once the tunnels are up, check that the routing is working as expected. On the “Monitoring & Reports > SD-WAN Orchestrator > Overlay Route Orchestrator” dashboard, check the routes advertised by the different nodes of the SD-WAN.
3 Single VPC deployments
3.1 Single VPC Architecture Overview
3.1.1 Connectivity into the VPC
For an SD-WAN environment where the BGWs are connected to the AWS environment through one or
multiple Internet circuits or a combination of Internet circuits with an MPLS with AWS DirectConnect, the
deployment would look more or less like the illustration below:
Figure 15 - SD-WAN with Multiple INET Circuits
Figure 16 - SD-WAN with Combination of MPLS and INET
From the perspective of the SD-WAN (and the SD-WAN vGW), the only difference between these two models
(Internet only or combination of MPLS and Internet) is the fact that tunnels would be just going through the
Internet, or through the Internet as well as the DirectConnect interface.
3.1.2 Routing inside an AWS VPC
In a single VPC environment, the only routing mechanism available in AWS is the route table applied to each
subnet in the VPC (source: AWS). These route tables have a maximum size of 50 entries (source: AWS), so
importing every route learnt from the SD-WAN into them is not an option. Instead, the vGW acts as the
gateway for all traffic entering and leaving the VPC.
The vGW Orchestrator facilitates this connectivity by creating 8 /27 subnets to connect the vGW with other
resources in the VPC. The result will be:
• VPC subnets will point to the vGW for all traffic in/out of the VPC.
• The vGW should have routes pointing traffic destined to corporate subnets through the VPN
Gateway. Make these routes less specific (larger summaries) than the prefixes learnt from the SD-WAN
so that the SD-WAN path is always preferred: as with any other router, the vGW uses the most specific
matching route, so the VPN Gateway summary only carries traffic for prefixes the SD-WAN does not
advertise.
• The vGW’s default gateway will be the VPC’s Internet Gateway.
The resulting network diagram would be something like this:
3.1.3 High Availability in Single VPC environment
As mentioned before, the native routing mechanism available inside a VPC is the static route table applied to the
subnets where the workloads are connected. That, coupled with the fact that AWS doesn’t support broadcast
or multicast inside the VPC (source: AWS), makes High Availability (HA) quite challenging: first-hop redundancy
protocols such as VRRP depend on multicast and cannot be used. The Aruba vGW Orchestrator therefore takes
care of providing high availability itself in such an environment.
The (HA) solution for Aruba vGW works in an Active-Passive paired configuration. In this setup, there can be
only one active Virtual Gateway that can forward data in and out of the Virtual Private Cloud's (VPC) subnets.
The Virtual Gateway Orchestrator app decides which of the Virtual Gateways becomes Active or Passive and
communicates this decision to all the pivotal components. The decision of setting the Active or Passive Virtual
Gateway is based on the following requirements:
• Virtual machine health of each of the vGWs in a given HA-pair.
• The health of the vGW gRPC control connectivity to the SD-WAN Orchestrator.
• The connectivity of each of the vGWs to all the BGWs.
The vGW Orchestration app decides the status based on the state of each Virtual Gateway. The app runs a
poll every 20 seconds on each vGW for these criteria:
• VM Health: The VM health status is obtained from the cloudapp (AWS) for each of the gateways in all
the VPCs across each of the regions of a given AWS cloud account.
• Control Health: The control health status is provided by the SD-WAN Orchestrator.
• Data and Tunnel Health: The data and tunnel health status is provided by the SD-WAN
Orchestrator module.
In the event of a failover (which can be caused by any of the reasons mentioned above), the vGW Orchestrator
automatically modifies the routing table attached to the subnets to start pointing them towards the other
vGW, which will now be the active vGW.
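The failover decision and its effect on the subnet route table, as an added Python model; this is not the vGW Orchestrator's code and the real implementation is not published on this page. The three health criteria and the 20-second poll are from the text above. What the text does not state, and is therefore assumed and marked in the code, is the tie-breaking: a healthy active vGW is never pre-empted, and if both vGWs are unhealthy the current active is kept. Routes are modelled as prefix to target id, with the vGW referenced by a placeholder ENI id; the ENI ids and prefixes are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

POLL_INTERVAL_SECONDS = 20  # the orchestrator polls each vGW on this cadence


@dataclass(frozen=True)
class VgwHealth:
    """One poll result for a vGW, mirroring the three criteria in the text."""
    name: str
    vm_ok: bool       # VM health reported by the AWS cloud app
    control_ok: bool  # gRPC control channel to the SD-WAN Orchestrator
    data_ok: bool     # tunnels / data plane towards all BGWs

    def healthy(self) -> bool:
        return self.vm_ok and self.control_ok and self.data_ok


def choose_active(current_active: str, a: VgwHealth, b: VgwHealth) -> str:
    """Decide which vGW of the HA pair should be active after a poll.

    ASSUMPTIONS (not stated in the document): a healthy active vGW is never
    pre-empted, and if both are unhealthy the current active is kept so the
    route table is not flipped onto an equally broken peer."""
    active, standby = (a, b) if a.name == current_active else (b, a)
    if active.healthy():
        return active.name
    if standby.healthy():
        return standby.name
    return active.name


def apply_failover(route_table: Dict[str, str], old_target: str, new_target: str) -> Dict[str, str]:
    """Repoint every route that targets the failed vGW at the new active one.

    ASSUMPTION: routes are modelled as prefix -> target id, with the vGW
    referenced by its ENI id; 'local' and other targets are left untouched."""
    return {prefix: (new_target if target == old_target else target)
            for prefix, target in route_table.items()}


def poll_once(active: str, routes: Dict[str, str], a: VgwHealth, b: VgwHealth,
              enis: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """One orchestrator poll: returns (active vGW name, route table to attach)."""
    new_active = choose_active(active, a, b)
    if new_active != active:
        routes = apply_failover(routes, enis[active], enis[new_active])
    return new_active, routes


# Constructed sample: vgw-0 active (n=0), vgw-1 passive (n=1), one subnet route table
ENIS = {"vgw-0": "eni-0aaa", "vgw-1": "eni-1bbb"}
INITIAL_ROUTES = {"10.20.0.0/16": "local", "0.0.0.0/0": "eni-0aaa"}


def simulate() -> Tuple[str, Dict[str, str]]:
    """Three polls: all healthy, then vgw-0 loses its control channel, then both unhealthy."""
    active, routes = "vgw-0", dict(INITIAL_ROUTES)
    polls = [
        (VgwHealth("vgw-0", True, True, True), VgwHealth("vgw-1", True, True, True)),
        (VgwHealth("vgw-0", True, False, True), VgwHealth("vgw-1", True, True, True)),
        (VgwHealth("vgw-0", False, False, False), VgwHealth("vgw-1", True, False, True)),
    ]
    for a, b in polls:
        active, routes = poll_once(active, routes, a, b, ENIS)
    return active, routes


if __name__ == "__main__":
    print(simulate())
```

The second poll is the interesting one: a single failed criterion (the control channel) on the active vGW is enough to move the default route to the passive vGW, while the VPC-local route is untouched. The third poll shows why the tie-break matters: with both vGWs degraded, flipping the route table would only cause churn.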
3.2 Configuration for Single VPC Deployments
3.2.1 Basic AWS Setup
Even though the vGW would generally be set up in an existing VPC, knowing how to do at least a basic setup
is necessary for a good understanding of the overall solution.
The following are pre-requisites needed by the vGW Orchestration service:
• A non-default VPC must exist for the vGW Orchestration to work.
• The Orchestration engine will split a /24 of the VPC’s address space into 8 /27 subnets and consume
them to connect the vGW to different resources in the VPC. This means that the VPC must have at least
one unallocated /24 available within its CIDR.
• Internet and VPN Gateways, as the vGW Orchestrator will connect the vGW to these AWS objects.
• A Security Group to place the vGW into (the default group can be used, but it’s not advised). Ensure
that it allows inbound UDP 4500 for the IPSec tunnels to come up; where the Branch Gateways’ public
addresses are known, restrict the rule’s source to those addresses rather than opening it to 0.0.0.0/0.
• An SSH Key Pair to allow an out of band connection into the vGW before it’s managed by Aruba
Central.
And the following would usually be in place (but aren’t mandatory):
• Subnets (with VMs connected to them)
• Route tables – In the case of AWS, route tables are directly tied to subnets
• Resources (Instances)
NOTE Step-by-step guidance on how to set up the VPC can be found in the annexure of this document.
3.2.2 Virtual Gateway Orchestration
As mentioned in the earlier sections, Aruba’s SD-WAN solution handles the whole lifecycle of a Virtual
Gateway, including the orchestration of the vGW AMI. This will not just matter for the provisioning phase, but
it will also be critical to provide high availability in single VPC environments, where traditional L2 mechanisms
such as VRRP won’t work (source: AWS).
For this orchestrated workflow, Central uses a third-party token: an IAM role in your AWS account that Aruba
Central assumes cross-account. The role’s trust policy is restricted to a specific Aruba Central AWS Account ID
and External ID, so the token is only valid when used from that Aruba Central account:
2. In Aruba Central, go to Global Settings > Virtual Gateway > Accounts > Add Account. Copy the
Account ID and External ID:
4. Set the permissions policy to “AmazonEC2FullAccess”. This will allow Aruba Central to handle AMIs, subnets,
Elastic IPs, etc. Note that this managed policy grants every EC2 action in the account, so keep the role
dedicated to Aruba Central and do not attach it to anything else. Click Next: Tags, and then click Next.
5. To generate the ARN, provide a name for the AWS role and click Create Role. This will provide the ARN
to be pasted in Aruba Central.
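The trust policy that the IAM workflow above produces, together with a check a security engineer would run on it before pasting the role ARN into Aruba Central. This is an added example, not Aruba's or AWS's code: the Account ID and External ID below are constructed placeholders to be replaced with the values shown by Central, and the review function encodes standard cross-account-role hygiene (single named principal, sts:ExternalId condition, sts:AssumeRole only). The permissions policy from step 4 is a separate document and is not covered here.

```python
import json
from typing import List

ASSUME_ROLE = "sts:AssumeRole"


def central_trust_policy(central_account_id: str, external_id: str) -> dict:
    """Trust policy for the role Aruba Central assumes.

    The arguments are the Account ID and External ID copied from Central;
    the values passed in below are placeholders, not real identifiers."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{central_account_id}:root"},
            "Action": ASSUME_ROLE,
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy: dict, expected_account_id: str) -> List[str]:
    """Review a trust policy and list the problems a security engineer would flag."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in (ASSUME_ROLE, "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume the role")
            elif f":{expected_account_id}:" not in p:
                findings.append(f"unexpected principal {p}")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append("no sts:ExternalId condition: confused-deputy risk")
        extra = sorted(set(actions) - {ASSUME_ROLE})
        if extra:
            findings.append(f"actions beyond {ASSUME_ROLE}: {extra}")
    return findings


# Constructed placeholders: substitute the Account ID and External ID shown in Aruba Central.
CENTRAL_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id-from-central"

# A weak variant that would let any AWS principal assume the role.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["sts:AssumeRole", "sts:TagSession"]}],
}

if __name__ == "__main__":
    good = central_trust_policy(CENTRAL_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("good:", trust_policy_findings(good, CENTRAL_ACCOUNT_ID))
    print("weak:", trust_policy_findings(WEAK_POLICY, CENTRAL_ACCOUNT_ID))
```

The External ID is what stops a confused-deputy attack: without it, anyone who learns your role ARN could ask Aruba Central (or any other service trusted by the same account) to assume it on their behalf. Treat the External ID as a credential and paste it only into the role's trust policy.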
3.2.2.2 Virtual Gateway Orchestration
The third-party token can then be used to give Aruba Central access to the AWS account. This will allow the
Orchestration app to read the state of the VPCs and create/monitor/fail-over/delete the vGWs.
1. In Aruba Central, go to Global Settings > Virtual Gateway > Accounts > Add Account. Paste the
account name (which can be any administrative name we provide) as well as the third-party token ARN
(obtained from the AWS IAM workflow).
2. As soon as the account is in ACCESS VERIFIED status, go to Deployment. The Orchestration app will
automatically display the VPCs in our account as well as the subnets belonging to the different VPCs.
3. It will also give us the option to spin up a vGW (or vGW pair in HA) in our VPC. Once there, simply
provide Virtual Gateway size, AWS Instance type, Key name, and Security group and click Deploy
Virtual Gateway. The deployment will take 1-2 minutes, during which the Orchestration app will
display a message saying DEPLOYING VIRTUAL GATEWAY and a progress bar.
4. Once the deployment has finished, the message will change to “VIRTUAL GATEWAY DEPLOYED”.
Hovering over the message displays the serial number(s) of the Virtual Gateway(s) that have been
deployed.
3.2.4 vGW Initial Configuration in Aruba Central
Now that the vGW AMI has been orchestrated, the vGWs can be configured like any other VPNC. The following
steps will therefore resemble those that we would follow with an on-premises VPNC.
3. Go to Global Settings > Manage Groups and drag the vGW to the newly created “Virtual Gateway” group.
3.2.4.2 vGW Initial Configuration
The orchestrated nature of the vGW means that the Virtual Gateway group will have slightly different
characteristics than the ones we’d normally see in a VPNC group. Ports and VLANs will be automatically set by
the orchestration engine, and some system-wide parameters such as the System IP work better when
automated.
NOTE Aruba Central does not push any configuration to a gateway until the System IP is present, which means that, once you set the System IP, Aruba Central will push all pending configuration and trigger a reboot.
Other recommended settings that can be done at the group level are:
• Disable Spanning Tree – as there’s no need for it inside an AWS VPC.
• The vGW will learn the AWS DNS server as part of the orchestration. To use a different one, set it
manually.
• Set an NTP Server
3.2.5 Virtual Gateway Routing Configuration
When using the Virtual Gateway Orchestration in Aruba Central, vGW interfaces will be automatically set with
an IP address. In the case of the INET port/VLAN, even the default-gateway will be learnt. The vGW
Orchestration app will create /27 subnets to connect to the IGW, the VPN GW and the VPC LAN. These subnets
will be associated with the following Ports/VLANs:
NOTE n will be 0 for the “active” vGW and 1 for the “passive” vGW when setting up redundant vGWs.
NOTE At this point, the AWS subnets still don’t have a route to the vGW. That is achieved by clicking Connect in the vGW Orchestration page; this step should be done after the vGW is configured.
3.2.5.1 VPNC Network Configuration (Device-specific)
Even though most of the configuration is done by the vGW Orchestration app, it is still necessary to add
routes pointing to the VPC as well as to the AWS VPN GW to ensure the traffic gets routed properly. This can
be done through the device-specific configuration of each vGW by going to Gateway Management > vGW
(device-specific) > Routing > IP Routes.
Considering the vGW Orchestrator has used the A.B.C.0/24 subnet to provision the different interconnect
/27 subnets, the AWS “gateway” IPs will be the following:
AWS Interface: INET GW (VLAN 4094), VPN Gateway (VLAN 4093), LAN Gateway (VLAN 4092)
This can also be checked (once the vGW has come up) through the monitoring pages in Aruba Central:
Monitoring and Reports > Gateways > (select the vGW) > LAN
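An added worked example (not Aruba's code or tooling) that carves the reserved /24 into the 8 /27 interconnect subnets, derives the AWS router address of each (AWS reserves the first usable address of every subnet for its implicit router, and five addresses per subnet in total), and demonstrates the longest-prefix-match behaviour that the routing rules in section 3.1.2 rely on. The /24 value and the route targets are constructed placeholders, and which /27 the orchestrator attaches to which VLAN is not stated on this page, so the index mapping below is an assumption for illustration only.

```python
import ipaddress
from typing import Dict, List, Optional

# VLAN-to-role mapping quoted from the document's table header. Which /27 the
# orchestrator attaches to each VLAN is NOT specified on the page; the index
# used below is a placeholder assumption for illustration only.
INTERCONNECT_ROLES = {4094: "INET GW", 4093: "VPN Gateway", 4092: "LAN Gateway"}
ASSUMED_VLAN_INDEX = {4094: 0, 4093: 1, 4092: 2}


def carve_interconnects(block: str) -> List[ipaddress.IPv4Network]:
    """Split the /24 the orchestrator reserves into eight /27 interconnect subnets."""
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 24:
        raise ValueError(f"orchestrator expects a free /24, got {block}")
    subnets = list(net.subnets(new_prefix=27))
    assert len(subnets) == 8
    return subnets


def aws_router_ip(subnet: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """AWS reserves the first usable address of every subnet for its implicit
    router; this is the 'gateway' address a vGW interface in that /27 points at."""
    return subnet.network_address + 1


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """AWS reserves 5 addresses per subnet (network, router, DNS, future use, broadcast)."""
    return subnet.num_addresses - 5


def gateway_table(block: str) -> Dict[str, str]:
    """Role -> AWS router address for the three interconnects, using ASSUMED_VLAN_INDEX."""
    subnets = carve_interconnects(block)
    return {INTERCONNECT_ROLES[vlan]: str(aws_router_ip(subnets[idx]))
            for vlan, idx in ASSUMED_VLAN_INDEX.items()}


def best_route(routes: Dict[str, str], destination: str) -> Optional[str]:
    """Longest-prefix match, as any router (the vGW included) resolves next hops."""
    dst = ipaddress.ip_address(destination)
    candidates = [(ipaddress.ip_network(prefix), target)
                  for prefix, target in routes.items()
                  if dst in ipaddress.ip_network(prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


# Constructed vGW routing table: a broad corporate summary via the AWS VPN Gateway,
# a more specific branch prefix learnt from the SD-WAN overlay, and a default via the IGW.
VGW_ROUTES = {
    "10.0.0.0/8": "vpn-gateway",       # static summary, fallback path over DirectConnect
    "10.50.1.0/24": "sdwan-overlay",   # learnt from the SD-WAN, more specific so it wins
    "0.0.0.0/0": "internet-gateway",   # default towards the IGW
}

if __name__ == "__main__":
    for sn in carve_interconnects("10.20.30.0/24"):
        print(sn, "router", aws_router_ip(sn), "usable", usable_hosts(sn))
    print(gateway_table("10.20.30.0/24"))
    for dst in ("10.50.1.7", "10.60.0.5", "93.184.216.34"):
        print(dst, "->", best_route(VGW_ROUTES, dst))
```

The route lookups show the point made in section 3.1.2: a branch host inside the /24 learnt from the SD-WAN is reached over the overlay even though the /8 summary via the VPN Gateway also covers it, while a corporate host outside any SD-WAN prefix falls back to the VPN Gateway. If the static VPN Gateway routes were made as specific as the SD-WAN prefixes, that preference would be lost.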
3.2.6 Connect Virtual Gateway to VPC Subnets
Once it’s verified that the vGW is UP and operational, it’s time to start routing traffic through it. To do so,
open the Deployment tab of the vGW Orchestration app and click Connect on each subnet that needs to be
routed through the vGW.
Global Settings > Virtual Gateway > Deployment
CAUTION! This routing table will replace whatever was previously attached to the subnet. Ensure that your vGW has the ability to reach all destinations!
After this change, the topology of the AWS VPC would look more or less like this (simplified view):
To check the real-time routing information, go to Routing > Route Table:
3.3.2 AWS Routing Configuration
Clicking Connect in the vGW Orchestrator workflow attaches a route table to the subnet in AWS whose default
route points all non-VPC traffic at the vGW. This can be validated in the AWS console by going to
Services > VPC > Subnets:
4 Multi-VPC Deployments
4.1 Multi VPC Architecture Overview
4.1.1 Connectivity into the Cloud Environment
When bringing SD-WAN into a more advanced AWS environment with multiple VPCs, having vGWs in every
VPC is not a scalable model, nor does it make any operational sense. For such scenarios, Aruba recommends
setting up an “edge VPC” that serves as the gateway between the AWS environment and the SD-WAN.
Aruba vGWs are deployed in this “edge VPC” and peer directly with the AWS Transit Gateway
(TGW) (see the AWS Transit Gateway links in the Reference section for detailed information about the TGW).
NOTE The configuration downloaded from AWS includes information for the setup of 2 IPSec tunnels (and 2 BGP peerings). Don’t miss the configuration for the second IPSec tunnel/BGP peering.
NOTE Remember, this step has to be done for both IPSec tunnels.
5 Annexure—Useful AWS Procedures
5.1.2 Internet Gateway (IGW)
Follow the steps described in this section to create an Internet Gateway (the AWS object that connects
the VPC to the outside world):
1. Go to Services > VPC > Internet Gateways and click Create Internet Gateway.
3. Attach it to the recently created VPC:
5.1.3 VPN Gateway
Follow the next steps to create a VPN Gateway (the AWS Virtual Private Gateway, which terminates the
DirectConnect private virtual interface or Site-to-Site VPN between the VPC and the customer’s private network):
1. From the AWS regional console, go to Services > VPC > VPN Gateways:
3. Attach the VPN Gateway to the recently created VPC:
5.1.4 Create a Security Group
Follow the next steps to create a Security Group. This is the stateful firewall policy applied to a given AWS
instance. In the case of the vGW, we need to ensure that inbound UDP 4500 is open to allow tunnels
coming from the Branch Gateways. From the regional AWS console, go to Services > VPC > Security Groups
and click Create security group.
2. Create inbound policies. Make sure you at least allow inbound UDP 4500.
5.1.5 Create SSH Key Pair
The last of the mandatory steps is to create an SSH key pair. In case anything goes wrong with
the orchestration, this key pair can be used to SSH into the vGW.
From your AWS regional console, go to Services > EC2 > Key Pairs and generate your key pair. The AWS
console then provides a PEM-encoded private key that allows you to SSH into the vGW (provided the
security group allows inbound SSH). AWS does not keep a copy of the private key, so store it in a secure
location, and only open inbound SSH in the vGW’s security group while you actually need it.
5.1.5.1 Create a Test Subnet
Although not strictly necessary, having a test subnet is usually helpful. The last step would therefore be to
create a test subnet where test services can be brought up:
1. Create the subnet:
5.2 Setting up a Test Server in AWS
If you have been following the steps described in this Technical Note, the communication with the AWS VPC
should be all set. However, validating operational status using only monitoring dashboards in Aruba Central
may not be sufficient. Here’s a small guide explaining how to bring up a small Linux server in AWS to connect
to it through the SD-WAN and test the service end-to-end.
3. Select the t2.micro VM and click on Next: Configure Instance Details:
Figure 82 - Select VM
4. If this server is purely being brought up for testing purposes, select Request Spot Instance (it’s
significantly cheaper, as it doesn’t have reserved resources; AWS can reclaim it at short notice, so do not
use it for anything that needs to stay up). More importantly, make sure you select the right VPC and subnet.
Click Review and Launch.
Figure 83 - Launch Test VM
You’ll then be given the option to create a new Key Pair or use one that has been previously generated.
5.2.2 Connecting to the Test Server
Now that the test server is up, connect to test server through SSH from the test branch network. In your AWS
regional console, go to Services > EC2 > Instances. Click on the checkbox next to your test server instance
and click Connect.
6 Reference
Aruba SD-Branch Fundamentals Guide:
• https://community.arubanetworks.com/t5/Validated-Reference-Design/SD-Branch-Fundamentals-Guide/ta-p/482038
Mid-Size Deployment Guide:
• https://www.arubanetworks.com/assets/tg/AVD_SD-Branch-Midsize-Design.pdf
Aruba SD-Branch Online Documentation:
• http://help.central.arubanetworks.com/latest/documentation/online_help/content/sd_wan/cloud_gateway/vgw_overview.htm
• https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/overlay-orchestration/sdwan-oto-oro.htm
AWS links:
• VPC Route tables: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
• Amazon VPC limits: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
• Amazon VPC FAQs: https://aws.amazon.com/vpc/faqs/
• Transit Gateway limits: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-limits.html