New Feature – Cloud WAN: Managed WAN Services

I'm excited to announce the launch of Amazon Cloud WAN, a new networking service that makes it easy to build and operate wide area networks (WANs) that connect your data centers and branch offices, as well as multiple VPCs in multiple Amazon regions.


Typically, the resources of a large enterprise run in different on-premises data centers, branch offices, and clouds. To connect these resources, the network team builds and manages its own global network using a variety of networking, security and Internet services from multiple providers. They are likely to use a variety of technologies and providers to manage cloud-based networks, connect their data centers to the Amazon cloud, and connect between on-premises data centers and branch offices. All of these networks employ different methods of connectivity, security, and monitoring, resulting in an intricate patchwork of individual networks that is difficult to configure, secure, and manage.

For example, to prevent unauthorized access to resources operating across locations connected using different network technologies, network operations teams must combine disparate firewall solutions from different vendors and then manually configure and manage policies between them. Complexity grows exponentially with each new location, network device, and security requirement.

With Cloud WAN, networking teams can connect to Amazon through the local network provider of their choice, then use a central control panel and network policies to create a unified network that connects their locations and network types. This eliminates the need to individually configure and manage different networks, even if they are based on different technologies. Cloud WAN generates a complete view of your on-premises network and Amazon's network, helping you gain visibility into the health, security, and performance of your entire network.

Cloud WAN provides advanced security and network isolation, and I'm excited about the possibilities this network segmentation brings. No matter how many Amazon regions or on-premises locations you add to your network, you can easily segment network traffic using policies in Cloud WAN. For example, you can isolate retail payment processing traffic from other traffic on your corporate network while still allowing both segments to access shared corporate resources. Another example is isolating development and production environments by creating a logical network segment for each environment. This makes it easier to enforce consistent security policies when connecting a large number of locations to your VPCs, especially if your policies need to apply to large groups with unique security and routing requirements. Cloud WAN maintains a consistent configuration across regions on your behalf. In traditional networks, segments are similar to globally consistent virtual routing and forwarding (VRF) tables or Layer 3 IP VPNs transported over MPLS networks. Segmentation is optional; smaller organizations can use Cloud WAN with a single network segment that covers all of their traffic.

In addition to network segmentation and the simplicity it brings to network management tasks, I see four main advantages to using Cloud WAN:

Centralized management and network monitoring dashboard – Network Manager provides a central dashboard for connecting and managing branch offices, data centers, VPN connections, and software-defined wide area networks (SD-WAN), as well as your Amazon VPC and Amazon Transit Gateway. This dashboard helps you monitor and view the health of your network in one place, simplifying day-to-day operations.

Centralized policy management – You define access control and traffic routing rules in a central network policy document expressed in JSON. When updating policies, Cloud WAN uses a two-step process to ensure that accidental errors do not affect your global network. First, you review and verify that your changes will work as expected in production. Once the changes are approved, Cloud WAN handles the configuration details for the entire network. You can change policy documents using the Amazon Management Console or the Cloud WAN API.

Multi-region VPC connectivity – Cloud WAN connects your VPCs across Amazon regions. Using simple network policy documents, you can create global networks that connect all EC2 resources, or optionally segment those networks across regions.

Built-in automation – Cloud WAN can automatically attach new VPCs and network connections to your network, so you don't have to manually approve each change. This reduces the operational overhead involved in managing a growing network. You do this by tagging attachments and defining network policies that automatically map attachments with specific tags to specific network segments. This tagging structure lets you choose which attachments can be automatically added to a segment, which segments require manual approval, and whether attachments in the same segment can communicate with each other, all based on the tags you choose.
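As an added illustration (not code from the original post or from Amazon), here is a constructed core network policy document of the kind described above, plus a small checker that verifies the segmentation invariants the post describes: payment attachments require manual approval and their routes are never leaked into the rest of the corporate network, while a shared-services segment is reachable from both. Field names follow the Cloud WAN core network policy schema; the ASN range, regions, tag key and segment names are assumed values chosen for this example.

```python
# Constructed example of a Cloud WAN core network policy document (version "2021.12").
# Field names follow the core network policy schema; the ASN range, regions, tag key
# and segment names are assumed values chosen for illustration.
CORE_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64512-64555"],
        "edge-locations": [{"location": "us-east-1"}, {"location": "eu-west-1"}],
    },
    "segments": [
        # Payments: attachments join only after manual approval and cannot reach each other.
        {"name": "payments", "require-attachment-acceptance": True, "isolate-attachments": True},
        {"name": "corporate", "require-attachment-acceptance": False},
        {"name": "shared", "require-attachment-acceptance": True},
    ],
    "segment-actions": [
        # Only shared-services routes are leaked into the other two segments.
        {"action": "share", "mode": "attachment-route", "segment": "shared",
         "share-with": ["payments", "corporate"]},
    ],
    "attachment-policies": [
        # Any attachment carrying a "segment" tag is mapped to the segment named by that tag.
        {"rule-number": 100, "condition-logic": "or",
         "conditions": [{"type": "tag-exists", "key": "segment"}],
         "action": {"association-method": "tag", "tag-value-of-key": "segment"}},
    ],
}

def shared_into(policy, segment):
    """Names of segments whose routes are leaked into `segment` by share actions."""
    return {a["segment"] for a in policy.get("segment-actions", [])
            if a["action"] == "share" and (a["share-with"] == "*" or segment in a["share-with"])}

def lint_policy(policy, restricted=("payments",)):
    """Findings that would weaken the isolation of the `restricted` segments."""
    findings, names = [], {s["name"] for s in policy["segments"]}
    for act in policy.get("segment-actions", []):
        refs = [act["segment"]] + ([] if act["share-with"] == "*" else list(act["share-with"]))
        findings += [f"share action references unknown segment {r}" for r in refs if r not in names]
    for name in restricted:
        seg = next((s for s in policy["segments"] if s["name"] == name), None)
        if seg is None:
            findings.append(f"restricted segment {name} is not declared")
            continue
        if not seg.get("require-attachment-acceptance"):
            findings.append(f"{name}: attachments are auto-accepted, no manual approval step")
        if name in {a["segment"] for a in policy.get("segment-actions", []) if a["action"] == "share"}:
            findings.append(f"{name}: its routes are shared into other segments")
    return findings
```

Run `lint_policy` against a candidate policy before executing the change set; an empty list means the restricted segments keep their approval step and their routes stay private.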

Let's get started

To start using Cloud WAN, I opened the Amazon Management Console. In the VPC section, there is a new entry for Amazon Cloud WAN in the left menu. Creating and configuring a global network is a four-step process.

First, I create a global network and a core network.


After entering a Name and an optional Description, I choose Next.


After specifying the Name and Description for the core network, I enter my ASN range and list of Edge locations, and then a Segment name and Segment description for my default segment. The default segment is automatically enabled at all selected edge locations.

Second, I define and attach my core network policy. The core policy defines the rules that control network access across segments and Amazon regions. Third, I configure segments and segment actions. I can view all routes and filter by network Segment and Edge location.


Finally, I register the existing Transit Gateways to the new global network.


Once configured, your global network has a single monitoring dashboard, from which you can access the list of networks.


Alternatively, you can use the Topology graph and Topology tree for a more detailed view.


Other considerations

During the preview phase of Cloud WAN, we often got the question, "When should I build a network using Cloud WAN instead of Transit Gateway?" This is a logical question because both Transit Gateway and Cloud WAN allow centralized connectivity between VPCs and on-premises locations. Transit Gateway is a regional networking hub, and it is the best choice when you operate in a small number of Amazon regions, want to manage your own peering and routing configuration, or prefer to use your own automation.

Cloud WAN, on the other hand, is a managed wide area network (WAN) that unifies your data center, branch offices, and Amazon network. While you can create your own global network by interconnecting multiple Transit Gateways across regions, Cloud WAN provides built-in automation, segmentation, and configuration management capabilities designed for building and operating global networks. Cloud WAN adds features like automated VPC attachment, integrated performance monitoring, and centralized configuration.

But the two are better together: you can peer your Transit Gateways with Cloud WAN's Core Network Edge (CNE) and benefit from the centralized management and monitoring capabilities I described earlier. Peering between Cloud WAN and Transit Gateways keeps your options open: you can migrate from one to the other, or centrally connect all of your existing Transit Gateways using Cloud WAN.

But then, Amazon released SiteLink last December. When should I use SiteLink and when should I use Amazon Cloud WAN? Depending on your use case, you can choose one, the other, or a combination of both. Cloud WAN creates and manages VPC networks that span multiple regions. SiteLink, on the other hand, bypasses Amazon regions to connect Direct Connect locations together for better performance. Direct Connect is one of several on-premises connectivity options that Cloud WAN will support natively in the future. As of now, you can connect Direct Connect to Cloud WAN through Transit Gateway peering.

Availability and Pricing

Cloud WAN is now available in the following Amazon regions: US East (N. Virginia), US East (Ohio), US West (Northern California), US West (Oregon), Africa (Cape Town), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), and Middle East (Bahrain).

As usual, there are no setup fees or upfront fees, and billing is on-demand based on your actual usage. What you pay for using Amazon Cloud WAN depends on four factors. First, the number of core network edges (CNEs) deployed. Second, the number of attachments per CNE. Attachments can be Amazon VPCs, VPNs, or SD-WAN connections. Third, the number of Transit Gateways peered with your CNEs. Fourth, traffic sent through each CNE is subject to a data processing fee.

In addition to these Cloud WAN-specific factors, sending data between regions incurs EC2 inter-region data transfer charges. While EC2 inter-region data transfer egress is billed separately from Cloud WAN, it is a factor in the total cost of the Cloud WAN service. The pricing page contains the details.

Go build your global network!

– seb

Article source: https://dev.amazoncloud.cn/column/article/6309aaa686218f3ca3e8f809?sc_medium=regulartraffic&sc_campaign=crossplatform&sc_channel=CSDN

Reposted from: blog.csdn.net/u012365585/article/details/131949663