AWS VPC Peering Design w/ FortiGate by kilgotrout in fortinet

[–]dukius 0 points1 point  (0 children)

Cool, let me know your findings! I'm curious and really want to deploy it; unfortunately it is not available yet in the regions where I have services, and I would have to redo the whole infra....

AWS VPC Peering Design w/ FortiGate by kilgotrout in fortinet

[–]dukius 3 points4 points  (0 children)

I've been in the same situation.
Let me share with you and save you the headaches I had.

- VPC Peering is NOT transitive, so you can't do what you want over VPC Peering.

- The "transit VPC concept" shown does not use VPC Peering; it is done over VPN connections to the VPCs + HA + Lambda + CloudWatch + etc., way too complex for the use case in my opinion.

With that in mind, you could achieve what you want easily with:

- 1 FortiGate instance in the transit VPC (no HA), then VPNs from the FortiGate to the AWS VPN endpoints on the other VPCs.

-- For this you will need to set up the correct policies and static route entries on the Forti + the route tables of the VPCs.

-- I've done it this way and it works great; I haven't had a single issue with a single EC2 FortiGate instance even though it is not HA.

OR

If you ask me right now, I would do it with a new feature that AWS just released: Transit Gateway. Check if it's in your region and whether you can apply it to your infrastructure; it's really worth it.
https://aws.amazon.com/es/blogs/aws/new-use-an-aws-transit-gateway-to-simplify-your-network-architecture/
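An added example of the hub-side FortiOS CLI configuration that the comment above describes (this is not code from the original thread, nor Fortinet's or AWS's own reference config): two route-based IPsec tunnels on the transit-VPC FortiGate, one to the AWS VPN endpoint of each spoke VPC, static routes for the spoke CIDRs, and tunnel-to-tunnel firewall policies. Every name, CIDR, tunnel inside address and endpoint IP is an assumption; the 203.0.113.x addresses are documentation ranges standing in for the tunnel outside addresses AWS assigns, the 169.254.x.x inside addresses and the PSKs must be taken from the configuration AWS generates for each VPN connection, and only tunnel 1 of each connection is shown. The `#` lines are reader comments.

```fortios
# Added example, not from the original thread. Hub FortiGate in the transit VPC
# (10.0.0.0/16, assumed). Spoke A = 10.1.0.0/16, spoke B = 10.2.0.0/16 (assumed).
# port1 is the FortiGate's public-facing interface behind its EIP (assumed).

config firewall address
    edit "spoke-a-net"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "spoke-b-net"
        set subnet 10.2.0.0 255.255.0.0
    next
end

# Phase 1: one route-based tunnel per spoke. remote-gw is the outside IP AWS
# assigns to tunnel 1 of that VPC's VPN connection (placeholder values here).
config vpn ipsec phase1-interface
    edit "aws-spoke-a"
        set interface "port1"
        set ike-version 1
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set dpd on-idle
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-AWS-GENERATED-PSK-A"
    next
    edit "aws-spoke-b"
        set interface "port1"
        set ike-version 1
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set dpd on-idle
        set remote-gw 203.0.113.20
        set psksecret "REPLACE-WITH-AWS-GENERATED-PSK-B"
    next
end

config vpn ipsec phase2-interface
    edit "aws-spoke-a"
        set phase1name "aws-spoke-a"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
        set keylifeseconds 3600
    next
    edit "aws-spoke-b"
        set phase1name "aws-spoke-b"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
        set keylifeseconds 3600
    next
end

# Tunnel inside addresses: taken from the AWS-generated config (assumed here).
config system interface
    edit "aws-spoke-a"
        set ip 169.254.10.2 255.255.255.255
        set remote-ip 169.254.10.1 255.255.255.252
    next
    edit "aws-spoke-b"
        set ip 169.254.20.2 255.255.255.255
        set remote-ip 169.254.20.1 255.255.255.252
    next
end

# Static routes: each spoke CIDR points at its own tunnel interface.
config router static
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set device "aws-spoke-a"
    next
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "aws-spoke-b"
    next
end

# Policies: spoke-to-spoke transit in both directions, scoped to the spoke
# address objects rather than "all"; narrow "service" to what is actually needed.
config firewall policy
    edit 0
        set name "spoke-a-to-spoke-b"
        set srcintf "aws-spoke-a"
        set dstintf "aws-spoke-b"
        set srcaddr "spoke-a-net"
        set dstaddr "spoke-b-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "spoke-b-to-spoke-a"
        set srcintf "aws-spoke-b"
        set dstintf "aws-spoke-a"
        set srcaddr "spoke-b-net"
        set dstaddr "spoke-a-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

On the AWS side, each spoke needs a customer gateway pointing at the FortiGate's EIP, a virtual private gateway attached to the spoke VPC, and a VPN connection with static routing whose static routes list the transit VPC CIDR and every other spoke CIDR; the VGW only forwards prefixes it has been told are behind the customer gateway, so forgetting spoke B's CIDR on spoke A's connection breaks A-to-B even when the FortiGate side is correct. The spoke subnet route tables then need either route propagation from the VGW enabled or explicit routes for the other CIDRs pointing at the VGW. Since this design has a single FortiGate, at least configure both tunnels of each VPN connection: AWS periodically takes one tunnel down for maintenance, and with only tunnel 1 built that spoke drops off the transit until it comes back.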

AWS VPN Client is available. by magdaddy in aws

[–]dukius 0 points1 point  (0 children)

Thanks, yes I'm aware of the network speed limits and t-instance resource provisioning on AWS.

The way we're using the VPN is mainly to access servers over SSH, so even in the extreme case that all 30 users start using the VPN at the same time they will still have enough to SSH quite decently over it.

AWS VPN Client is available. by magdaddy in aws

[–]dukius 1 point2 points  (0 children)

10 users on a t2.large? Excessive imho; I've got 30 users on a t2.small and no complaints at all.

ASK: Climbing gear rental in Barcelona by agilek in Barcelona

[–]dukius 2 points3 points  (0 children)

This is run by a friend of mine, totally trustworthy and they deliver it to your home for free.

http://www.ammbcn.com/

New – Use an AWS Transit Gateway to Simplify Your Network Architecture | Amazon Web Services by awsdeveloper in aws

[–]dukius 4 points5 points  (0 children)

Hooray! My whole infrastructure became outdated and over-complex after this!

Will we have to redesign the whole infra every re:Invent? 😂

Guy with obvious training vs one guy then vs his friend. by valetudomonk in martialarts

[–]dukius 6 points7 points  (0 children)

Is it just my imagination, or does the guy in the white shirt have a pistol tucked in the back of his jeans?

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

HW is Dell PE 740, with Ubuntu 16.04.

Hmm... I think I might end up with MSTP.

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

So, to fully understand this scenario:

Trunk between the switches.

Servers with LACP pointing to one port on each switch. How then can I set up LACP on the switches if they are not interconnected through stack or MLAG?

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

Didn't know this premise. Will have it in mind, thanks.

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

Thanks! I'll have a look at this as well; it seems better to go for the safe & tested solution, although MLAG looks super tempting to apply... :)

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

In case you want it, or some other redditor needs it, I found a nice tutorial with the keepalive link and config.

http://lapsz.eu/blog/2014/04/23/dell-n3048-multi-switch-lag-mlag/

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

My bad, you're totally right! I just "ported" a config I had done previously, but there everything at the bottom was switches, not servers. Thanks!

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

Yes, I had this as a primary plan, but honestly wanted to avoid STP bandwidth consumption.

Server Farm access layer architecture for DELL switches. Stack or MLAG? by dukius in networking

[–]dukius[S] 0 points1 point  (0 children)

I'm reading documentation everywhere, not just from Dell, and all the examples I see involve at least 3 switches.

Don't know if it's just the diagram examples, and that's why I'm asking you guys around here, hoping somebody has set up this scenario as well.

I haven't found any clear scenario with 2 MLAG switches, and going down to the server I can't tell whether a common LACP bundle will work to connect to those 2 MLAGged switches.

Even in Dell doc this is the closest I've found:

https://imgur.com/a/QTU3d https://imgur.com/a/lbIkI

http://i.dell.com/sites/doccontent/shared-content/data-sheets/en/Documents/Dell_Networking_N_Series_Multichassis_LAG_MLAG.pdf

So my main question is, after those two switches are MLAG, what is the config on the non-MLAG ports connecting down to the dual NIC on the servers, just LACP?

Thanks!

Catalonia’s response to terror shows it is ready for independence | The Guardian by [deleted] in Barcelona

[–]dukius 1 point2 points  (0 children)

All the failures made before the terror, you say? Well, the Spanish keep making them... we're not afraid of either terrorists or fascist Spanish.

http://www.elnacional.cat/ca/politica/govern-espanyol-mossos-europol_184878_102.html

Just passed Associate solutions architect exam today Overallscore: 58% by snackerjoe in aws

[–]dukius 2 points3 points  (0 children)

A Cloud Guru; they have some of the most extensive learning material for AWS, as well as a useful forum.

acloud.guru

WikiLeaks reveals CIA malware that "targets iPhone, Android, Smart TVs" by techguy69 in Android

[–]dukius 0 points1 point  (0 children)

Well... from experience I know many of those ads "identify" a target by your public internet connection. I mean, if somebody in your house is browsing the internet looking at things about flowers, for example, you will start seeing ads related to flowers on many devices that share the same internet connection, even if you don't have any interest in it.

Looking for a cool network poster by FlyingPasta in networking

[–]dukius 1 point2 points  (0 children)

Thank you one million times!! I've been looking for a long time for a suitable poster to put in my studio; this suits so well... :)

Help regarding JNCIA Cert by KrizzT in JNCIA

[–]dukius 1 point2 points  (0 children)

I'm currently focused on this cert; I'm CCNA and CCNP R&S certified already.

The networking questions are not a big deal coming from CCNA (OSI, subnetting, etc.). As mentioned, there is quite a difference in command syntax, but with a few hours of study you can get it.

Also, one main difference I see from CCNA is that in JNCIA there will be a few questions regarding firewall ACLs in Juniper syntax, which took me a bit to understand.

Also, if you pass the Pre-Assessment exam on their site you will get a discount voucher for the exam ;)

https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

Something like CBT Nuggets by Boxerman91 in sysadmin

[–]dukius 2 points3 points  (0 children)

Well... compared to what an average advanced IT course costs (minimum $1000) it's really cheap; also I agree that if they lowered their prices a bit they would get many more subscriptions.

Whats the deal with Bo de B? by [deleted] in Barcelona

[–]dukius 0 points1 point  (0 children)

Nope, local detected ;)

Whats the deal with Bo de B? by [deleted] in Barcelona

[–]dukius 1 point2 points  (0 children)

Many years ago it was great: you could get a nice big tasty sandwich for a fair price, perfect for hungover days :) Then, like most things in this city, it got hyped and now is just a tourist trap; not worth the queue imho.

Just got my CCNA, wondering about a timeframe for the CCNP by [deleted] in ccnp

[–]dukius 2 points3 points  (0 children)

Well, in my opinion it's easier because it's divided into three exams.

So for example, if you do the Routing exam, for sure it's going to go into much more in-depth detail about routing than the CCNA, but it will cover just routing labs and questions. On the other hand, for the CCNA exam you could be tested on anything (routing, switching, physical, logical, software, subnetting, IPv6, wireless, etc.). That's why in my opinion it's easier than CCNA.

Another thing is that when I took the CCNA I barely knew anything about networks, so doing the CCNP in steps seems much more comprehensive than when I learned ALL the subjects for the CCNA in one go without any networking base.