on 02-05-2024 11:05 AM
The Catalyst 8000V is now available in AWS Local Zones on select EC2 instance sizes. A Catalyst 8000V deployed in an AWS Local Zone can provide VPN termination and NAT capabilities similar to those offered by AWS Transit Gateway and AWS NAT Gateway in other AWS Regions and Availability Zones. You can use Catalyst 8000V in AWS Local Zones in the same manner as you would in AWS Availability Zones within a region. This includes SD-WAN use cases and traditional routing use cases such as NAT and VPN termination.
Figure 1: AWS Local Zones Architecture.
Like Availability Zones in AWS, Local Zones (right side of Figure 1) are a type of infrastructure that allow end users to deploy and run applications with low latency requirements. Local Zones bring the same compute and storage services, along with other select AWS services, but in a physically closer location to end users and businesses in popular metropolitan areas.
Users can extend their existing AWS Virtual Private Cloud (VPC) to these Local Zones in select regions, giving them the flexibility and power to deploy Catalyst 8000V instances closer to their datacenter and branch locations resulting in lower latency performance and enhanced user experience.
AWS Local Zones are available in specific metro locations and support a select number of AWS services. Only a subset of the networking services offered in Availability Zones is available in a given Local Zone. For example:
Figure 2: Catalyst 8000V deployment in AWS Local Zones.
To address the networking services gap in Local Zones, a Catalyst 8000V instance can be deployed and provide rich networking feature sets (Figure 2). Users can deploy a Catalyst 8000V instance the same way it can be done in Availability Zones.
Using AWS Local Zones together with Cisco SD-WAN or SD-Routing gives branches and data centers streamlined access to resources hosted within the Local Zone, and works around the absence of native VPN and NAT Gateway services there. Deploying the Catalyst 8000V in the Local Zone also addresses the NAT restrictions, so applications can reach the Internet without backhauling to a parent-region NAT Gateway. The SD-WAN Manager provides application-level visibility and consumption, enabling efficient communication between branches/data centers and the Local Zone or the Internet.
Besides providing NAT and secure VPN gateway services, the Catalyst 8000V delivers comprehensive SD-WAN and other network services functions into cloud environments. For a full list of features and benefits of deploying Catalyst 8000V in virtual and cloud environments, please refer to the official datasheet.
Figure 3: Catalyst 8000V deployed in Local Zone for VPN termination.
In addition to supplementing networking services in Local Zones, the Catalyst 8000V can also be used as a VPN termination point between branch or datacenter locations and cloud workloads within these Local Zones (Figure 3) for a fast, secure and reliable connection.
Using the Catalyst 8000V as a highly secure VPN termination point gives users a high degree of encryption using today's cryptography standards. The Catalyst 8000V supports numerous VPN technologies such as IPsec, DMVPN, and FlexVPN. With this set of VPN features, users can confidently establish secure Site-to-Cloud connections to keep their sensitive data safe in transit.
The Catalyst 8000V also provides greater granularity, control, and visibility, given full configuration and monitoring control through the CLI, APIs, or through the Catalyst Manager for Catalyst SD-WAN deployments.
Figure 4: Catalyst 8000V deployed in Local Zone as NAT Gateway.
Since the AWS NAT Gateway service is not available in the majority of Local Zones, Workload B traffic would need to be backhauled through AWS infrastructure for NAT translation at the Availability Zone public subnet, introducing tens of milliseconds of latency (red arrow flow, Figure 4). The Catalyst 8000V can provide NAT Gateway functionality at the Local Zone, allowing workloads without public IP addresses to access external resources through the virtual router, and can provide connectivity between subnets with overlapping IP address space. As discussed in the NAT example earlier, a private application server that needs software updates from the Internet is now able to download them because the Catalyst 8000V routes the software update request through a NAT-translated public IP address and out through the Local Zone Internet egress path (green arrow flow, Figure 4), resulting in single-digit millisecond latency.
Configuring a Catalyst 8000V instance with an Elastic IP (EIP) address can allow up to 63K NAT translations.
Before deploying Catalyst 8000V instances, Local Zones must be enabled in the AWS account. Instructions on how to enable Local Zones can be found here. Once enabled, users can create subnets within a Local Zone if it is supported by the VPC’s Parent Region.
Deployment instructions for the Catalyst 8000V are the same as the ones found in the official Catalyst 8000V in AWS Configuration Guide. Place the Catalyst 8000V instance under the appropriate subnet in which the Local Zone resides.
Navigate to the EC2 dashboard of your AWS account and under 'Account Attributes', select 'Zones'.
Select the Local Zone you want enabled based on the parent region you are under. In this example, we are in the US West region (Oregon) and we will enable the Las Vegas Local Zone. Once selected, go to 'Actions' and select 'Manage Zone group'.
Check the enable box and then click on the orange 'Update' box to continue. To confirm, you will need to type 'Enable' and then click 'Enable zone group'.
The Local Zone you have selected should now be enabled. Both State and Opt-in status should be green and say Available/Enabled.
Now that the Local Zone is enabled (Las Vegas in this example), we must now create a subnet and select the enabled Local Zone as its Availability Zone. The process of creating a Local Zone subnet is the same as for any other subnet in a VPC.
Navigate to the VPC dashboard and select the VPC of choice (or create one if not existing already). Create a new subnet, give it a name, and select the Local Zone enabled in the previous step as the Availability Zone and allocate the appropriate IP address block.
Create the subnet by clicking on the orange box to complete this step.
Once the Local Zone subnet is created, go to the EC2 dashboard, and create a new instance using the Catalyst 8000V AMI. As mentioned previously, you can find detailed instructions on how to deploy Catalyst 8000V instances in AWS on the AWS deployment guide here.
Select the Catalyst 8000V AMI and proceed with filling out the EC2 instance information such as name, login keys, networking, etc.
When configuring the network settings for the Catalyst 8000V instance, it is important that you select the Local Zone subnet created in the last step so that it gets deployed in the Local Zone. You can also enable 'Auto-assign public IP' to give the Catalyst 8000V a public IP address, or you can attach an Elastic IP address post-deployment as well.
Once the Local Zone subnet has been selected, complete the deployment process by clicking the orange 'Launch instance' box.
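The three console steps above (opt in to the Local Zone group, create a subnet in the Local Zone, launch the Catalyst 8000V AMI into it) can also be driven from the AWS CLI. The script below is an added example for this post, not Cisco's or AWS's code. It also covers two settings the console walkthrough leaves to the operator: a security group that admits only IKE/NAT-T from the branch peer range and SSH from an admin range, and disabling the EC2 source/destination check, which any instance that forwards or NATs traffic for other hosts requires. All identifiers are assumed placeholders: the Las Vegas zone group `us-west-2-las-1` and zone `us-west-2-las-1a` as they appear in the console (confirm with `aws ec2 describe-availability-zones --all-availability-zones`), the VPC ID, subnet CIDR, AMI ID, key pair name, instance type, and the peer/admin CIDRs.

```shell
#!/bin/sh
# Added example (not Cisco's or AWS's code): the console steps from the post
# driven with the AWS CLI. Every ID and CIDR below is an assumed placeholder.
# Setting AWS_CLI=echo prints the commands instead of calling AWS (dry run).
set -eu

AWS_CLI="${AWS_CLI:-aws}"
REGION="${REGION:-us-west-2}"
ZONE_GROUP="${ZONE_GROUP:-us-west-2-las-1}"      # Las Vegas zone group (assumed)
LOCAL_ZONE="${LOCAL_ZONE:-us-west-2-las-1a}"     # Las Vegas Local Zone (assumed)
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"        # placeholder
SUBNET_CIDR="${SUBNET_CIDR:-10.10.50.0/24}"      # placeholder
AMI_ID="${AMI_ID:-ami-PLACEHOLDER}"              # Catalyst 8000V AMI, placeholder
INSTANCE_TYPE="${INSTANCE_TYPE:-c5.2xlarge}"     # assumed supported size
KEY_NAME="${KEY_NAME:-c8kv-key}"                 # placeholder
PEER_CIDR="${PEER_CIDR:-203.0.113.0/24}"         # branch/DC VPN peers (TEST-NET-3)
ADMIN_CIDR="${ADMIN_CIDR:-198.51.100.0/24}"      # management hosts (TEST-NET-2)

# Step 1: opt the account in to the Local Zone group
# (console: EC2 > Account Attributes > Zones > Manage Zone group > Enable).
enable_local_zone_group() {
  "$AWS_CLI" ec2 modify-availability-zone-group --region "$REGION" \
    --group-name "$ZONE_GROUP" --opt-in-status opted-in
}

# Step 2: create a subnet whose Availability Zone is the Local Zone
# (console: VPC > Subnets > Create subnet). Prints the subnet ID.
create_local_zone_subnet() {
  "$AWS_CLI" ec2 create-subnet --region "$REGION" \
    --vpc-id "$1" --cidr-block "$2" --availability-zone "$LOCAL_ZONE" \
    --query 'Subnet.SubnetId' --output text
}

# Security group for a VPN/NAT router: IKE (UDP 500) and NAT-T (UDP 4500)
# only from the peer CIDR, SSH only from the admin CIDR, nothing from
# 0.0.0.0/0. Args: vpc-id, peer CIDR, admin CIDR. Prints the group ID.
create_router_sg() {
  sg_id=$("$AWS_CLI" ec2 create-security-group --region "$REGION" \
    --vpc-id "$1" --group-name c8kv-local-zone \
    --description "Catalyst 8000V VPN/NAT in Local Zone" \
    --query 'GroupId' --output text)
  for port in 500 4500; do
    "$AWS_CLI" ec2 authorize-security-group-ingress --region "$REGION" \
      --group-id "$sg_id" --protocol udp --port "$port" --cidr "$2" >/dev/null
  done
  "$AWS_CLI" ec2 authorize-security-group-ingress --region "$REGION" \
    --group-id "$sg_id" --protocol tcp --port 22 --cidr "$3" >/dev/null
  echo "$sg_id"
}

# Step 3: launch the Catalyst 8000V AMI into the Local Zone subnet with an
# auto-assigned public IP (console: EC2 > Launch instance), then disable the
# source/dest check so the instance may forward packets it did not originate.
# Args: subnet ID, security group ID. Prints the instance ID.
launch_c8kv() {
  inst_id=$("$AWS_CLI" ec2 run-instances --region "$REGION" \
    --image-id "$AMI_ID" --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
    --subnet-id "$1" --security-group-ids "$2" --associate-public-ip-address \
    --query 'Instances[0].InstanceId' --output text)
  "$AWS_CLI" ec2 modify-instance-attribute --region "$REGION" \
    --instance-id "$inst_id" --no-source-dest-check
  echo "$inst_id"
}

# Optional: attach a fixed Elastic IP (the post's post-deployment alternative).
attach_eip() {
  alloc_id=$("$AWS_CLI" ec2 allocate-address --region "$REGION" --domain vpc \
    --query 'AllocationId' --output text)
  "$AWS_CLI" ec2 associate-address --region "$REGION" \
    --instance-id "$1" --allocation-id "$alloc_id"
}

deploy() {
  enable_local_zone_group
  subnet_id=$(create_local_zone_subnet "$VPC_ID" "$SUBNET_CIDR")
  sg=$(create_router_sg "$VPC_ID" "$PEER_CIDR" "$ADMIN_CIDR")
  instance=$(launch_c8kv "$subnet_id" "$sg")
  attach_eip "$instance"
  echo "Catalyst 8000V $instance launched in $LOCAL_ZONE (subnet $subnet_id)"
}

# Run the full flow only when invoked as: sh deploy-c8kv.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run it with `AWS_CLI=echo sh deploy-c8kv.sh deploy` first to review the exact commands, then without the override. Note that enabling the zone group is an account-level action that persists beyond this deployment, and that the security group deliberately does not open UDP 500/4500 to the whole Internet: widen `PEER_CIDR` only to the addresses your branch and data center VPN endpoints actually use.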
You have now successfully deployed a Catalyst 8000V instance in a Local Zone and can take advantage of the benefits described above.
For supported Catalyst 8000V versions and Amazon EC2 instance details, see the announcement.