Image

Case Study:

SBB 

Image

The Challenge

The connectivity problem

In the journey to the Cloud, many companies face the challenge of having to interconnect multiple on-premises workloads with their cloud workloads. While segmentation is key to network design in order to have a secure architecture, interconnecting several networks can be challenging, especially from the point of view of scalability and manageability. Typically, connecting on-premises offices and data centers to the cloud requires the use of point-to-point connections, such as IPsec Virtual Private network (VPN) tunnels or private network fiber connections. Connecting virtual networks (groups of networked cloud resources) with each other also requires point-to-point connections. However, as the number of on-premises offices and virtual networks increases, the number of point-to-point connections grows, resulting in a large mesh network that can be difficult, cumbersome, and costly to manage. Organizations using AWS have typically used AWS Direct Connect and AWS Site-to-Site Virtual Private Network (VPN) connections for connecting their on-premises environment to individual Amazon VPCs and VPC peering for connecting their Amazon VPCs with each other.

The main problem of such a scenario is that setting up VPC peering connections between separate accounts became unmanageable and cumbersome. For a VPC peering connection to be established, one account sends the connection request, while the other account must accept it.

The account accepting the request must manually configure the Amazon VPC to accommodate the new connection. While this may be a simple process when dealing with a small number of connections, SBB anticipated repeating this process and reconfiguring connections as part of their normal operations

This root problem, generates many other issues:

  • Networking becomes fast too complex to manage
  • Automation is challenging, as VPC peering requires manual intervention.
  • Level of visibility and control over traffic flow is reduced.
  • Monitoring of traffic becomes challenging, as multiple logs need to be collected from different sources and accounts.

The following diagram summarizes the peering architecture.

Image
Image

The Solution

AWS Transit Gateway

AWS Transit Gateway simplifies how organizations connect their Amazon VPCs with one another and to their on-premises networks within a region   by serving as a central point for Layer 3 network connectivity. By enabling a “hub-and-spoke” topology, the solution can help organizations reduce the number of VPC peering connections and consolidate access to the on-premises network.

Even though the number of VPCs is small and there is only one enterprise location in the previous figure, it is easy to see how the Transit Gateway simplifies the environment. Imagine how much complexity is removed when there are additional enterprise locations and hundreds or thousands of Amazon VPCs. Now, organizations can simply connect their on-premises networks and Amazon VPCs via AWS Transit Gateway.

Integrating cloud and on-premises IT environments remains a challenge for organizations when pursuing a hybrid cloud strategy. A necessary part of that integration is ensuring that resources both in the cloud and on-premises locations are networked to respond to business needs without the need for extensive architecture planning, management, and administration.

AWS Transit Gateway enables organizations to network their cloud and on-premises environments. With this managed, distributed, and scalable service, large enterprises can develop global private networks connecting on-premises locations to Amazon VPCs in any AWS region without the need for multiple point-to-point connections. Enterprises can leverage AWS Transit Gateway Network Manager to monitor the performance and availability of their AWS Transit Gateways and corresponding attachments. AWS Transit Gateway also offers other features that help organizations to build out and manage global enterprise-grade networks. With AWS Transit Gateway, organizations can ultimately decrease the time and resources required to deploy and manage a global network architecture with less complexity, decreasing both network infrastructure and operational costs.

Image
Image

Tools & Technologies

Implementation on AWS

As in this case the main target it’s to separate the traffic from the VPC’s and ensure that external companies connecting through VPN can only access the respective workloads on their VPC, the architecture we decided to implement consists on using 2 different routing tables, one for the VPN, allowing only the routes to the relevant VPC’s and restricting the access to the on-premises network, and another for the VPC’s, which ensures the no interconnection between accounts and VPC’s and allows only northbound-southbound traffic (VPC-VPN and back).

Image
Image

Results & Benefits

Benefit 1

One of the key properties of this implementation is the simplification of the network connectivity: Instead of multiple VPN connections for each of the accounts/VPC’s we use only one VPN connected to the Transit Gateway and manage all the traffic through the Transit Gateway.

Benefit 2

Isolation is key to ensure security, especially when connecting the company’s network infrastructure with external/3rd party datacenters. By using AWS Transit Gateway it’s easy to control the network routing in a centralized routing table, having therefore a better overlook and making the security policies easier to enforce and manage.

Benefit 3

As Transit Gateway it’s an AWS Managed Service, it integrates seamlessly with other AWS Tools, like CloudTrail, CloudWatch, IAM, making it easier for operation and security teams to monitor and automate the deployments. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to the AWS Transit Gateway. AWS Transit Gateway provides statistics and logs that are then used by services such as Amazon CloudWatch and Amazon VPC Flow Logs. You can use Amazon CloudWatch to get bandwidth usage between Amazon VPCs and a VPN connection, packet flow count, and packet drop count. You can also enable Amazon VPC Flow Logs on AWS Transit Gateway so you can capture information on the IP traffic routed through the AWS Transit Gateway. AWS Transit Gateway Network Manager includes events and metrics to monitor the quality of your global network, both in AWS and on premises. Event alerts specify changes in the topology, routing, and connection status. Usage metrics provide information on up/down connection, bytes in/out, packets in/out, and packets dropped.

Conclusion

Transit Gateway is the key for multi-account multi-VPC connectivity scenarios, simplifying the connectivity in complex networks, offering a superior manageability, scalability and security than other solutions. In the modern IT environments, where automation is key, once you’ve registered existing AWS Transit Gateways, the Network Manager automatically identifies the Site-to-Site VPN connections and the on-premises resources with which they are associated. The SD-WAN consoles from vendors that have integrated AWS Transit Gateway, such as Cisco, Aruba, Silver Peak, or Aviatrix, automatically provision new AWS Site-to-Site VPN connections in Transit Gateway Network Manager and automate the definition of your on-premises network in Transit Gateway Network Manager. You can also manually define your on-premises network in Transit Gateway Network Manager

Image
Image
Kunde

SBB

SBB is the federal railway company in Switzerland. With more than 300 million journeys per year and more than 3.000km of track infrastructure, it is known worldwide for the quality of its services and its punctuality. Today, SBB is already purchasing public cloud services from AWS for innovation projects. SBB wants to progressively move more workloads to the public cloud.

Partner

AWS

As AWS Advanced Consulting and training partner, we support Swiss customers on their way to the cloud. Cloud-native technologies are part of our DNA. Since the company’s foundation (2011), we have been accompanying cloud projects, implementing and developing cloud-based solutions.

Image

Reducing Document Translation Costs with Machine Translation

What if an internal portal could cut part of costs for document translation by using machine translation services for some type of documents, and reduce the cost of others by using a combination of machine translation and human review?
learn more
Image

Mit Nutanix für die Zukunft gerüstet.

Suchst du nach einer leistungsstarken und leicht skalierbaren Infrastruktur? Wir zeigen dir, wie wir dem Pflegezentrum Süssbach zu einer hochmodernen, leistungsstarken und leicht skalierbaren IT-Infrastruktur verhelfen konnten.
learn more
Image

Eigenständige Virtualisierungs-Lösung mit Nutanix

Die Pädagogische Hochschule Bern (PHBern) profitiert dank Nutanix und der Amanox Solutions von einer eigenständigen Virtualisierungs-Lösung. Alle Server der Hochschule laufen nun auf Nutanix.
learn more
Image

Reducing Language Barrier During Meetings

Like documentation translation, language barriers and comprehension issues during meetings is a challenge for many companies in Switzerland. What if speech-to-text transcription and machine translation services could be leveraged to ease those issues during meetings?
learn more
Image

Automatisierung durch die richtige Backup-Lösung

In unserem Referenz-Video erklären dir Mike Freudiger und Samuel Rothenbühler, wie die Mobiliar ihre Betriebsaufgaben automatisiert hat und die freigewordenen Ressourcen für zusätzliche Projekte einsetzen kann.
learn more
Image

Automatisierung im Übersetzungsprozess

Raiffeisen nutzt die AWS Cloud zur zentralen Steuerung der Übersetzungsprozesse über das Webportal Raiffeisen Translation – umgesetzt in enger Zusammenarbeit zwischen Raiffeisen, Amanox Solutions und AWS Professional Services.
learn more
Image

Whitepaper: Die natürlichen Chancen künstlicher Intelligenz

Bist du bereit für die Zukunft? Unser kostenloses Whitepaper stellt dir die Vorteile und Anwendungsmöglichkeiten von Machine Learning vor. Wie genau Machine Learning in der Praxis aussehen kann, erfährst du hier.
learn more
Image

Digital Twin Service

Our customer needed to extract the most recent data points from a wide range of live data provider. Those data are continuously acquired through a set of data pipelines. Also the customer wanted that the most recent data points were made available through a HTTP REST API. Our case study shows you how we solved this challenge with a fully serverless AWS solution called “Digital Twin” for our customer SBB Cargo.
learn more
Image

Vereinfachung und Minimierung komplexer IT-Aufgaben

Die Nutanix Enterprise Cloud Plattform ermöglicht es Galliker, sich auf Anwendungen und Services zu konzentrieren, welche den Erfolg der Galliker Transport AG voranbringen. In kurzer Zeit konnte so eine dynamische, hoch performante IT-Umgebung bereitgestellt werden.
learn more
Cloud Lösung für den Kunden SBB Cargo

The silo problem of SBB Cargo

In modern businesses, data is ubiquitous and comes from a wide array of different sources, each of those data are saved into so called «vertical siloes» and those siloes aren’t designed to allow cross-siloes data sharing. Let us show you how we tackled this scenario with the help of AWS Data Services for our long time customer SBB Cargo.
learn more
    Image
    sharing is caring
     #knowledgesharing
    Our experts share their knowledge with you. Check out our blogs for the latest technologies and trends.
    Knowledge sharing posts