In this section:
VPC Overview
An SBC SWe deployment requires a VPC with at least four IPv4 subnets:
- Management (MGT0)
- High Availability (HA0)
- Packet 0 (PKT0)
- Packet 1 (PKT1)
All four subnets must be located in the same availability zone.
The suggested size of the VPC is CIDR x.x.x.x/16, where each subnet has a CIDR of x.x.x.x/24, although you can use smaller CIDR ranges.
Create a New VPC
- Navigate to the VPC Dashboard: https://console.aws.amazon.com/vpc/
- Click Your VPCs on the panel at left.
- Click Create VPC.
The Create VPC window appears. - Enter a Name Tag to identify this new VPC uniquely.
- Enter an IPv4 CIDR block value which is large enough to support four subnets. The suggested size is CIDR x.x.x.x/24.
- Click Create.
On success, the new VPC ID opens in a new window.
Dynamic Host Configuration Protocol (DHCP) Options for your VPC
The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options
field of a DHCP message contains the configuration parameters. The parameters include the domain name, domain name server, and the netBIOS-node-type.
The DHCP options sets are associated with your AWS account so that you can use them across all of your VPC. For detailed information on the DHCP option sets, refer to DHCP Options Sets in the AWS documentation.
AWS provides the following DHCP option sets:
- default DHCP option set
- custom DHCP option set
When creating a VPC, AWS automatically creates a set of DHCP options and associates them with the VPC. This set includes two options:
domain-name-servers=AmazonProvidedDNS
domain-name=domain-name-for-your-region
The AmazonProvidedDNS
is an Amazon DNS server, which enables DNS for instances that need to communicate over the VPC's Internet gateway. The string AmazonProvidedDNS
maps to a DNS server running on a reserved IP address at the base of the VPC IPv4 network range, with the last octet incremented by two digits. For example, the DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2.”. For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.
AWS HA uses several API requests to know the peer instance and also during IP switch-over. At the back-end, AWS has several servers with a different IP address running to provide the SBC seamless performance or response. If one server goes down, the Amazon-provided DNS automatically updates the API endpoint. This may not be the case with the custom DNS and results in an API request failure. To overcome this issue, the SBC needs to add the field AmazonProvidedDNS
in the DNS server, in addition to the IP address of the custom DNS server. For detailed information on the custom DNS, refer to Using DNS with Your VPC in the AWS documentation.
AWS VPC-end-point is a service that enables you to connect to services powered by AWS PrivateLink which means AWS services can be accessed by SBC without routing traffic over public IP/internet.
VPC Endpoint-Based HA Installation
The SBC SWe supports a VPC endpoint-based setup which allows you to deploy an HA SBC (with or without HFE) without an EIP attached on the mgt interface of the SBC SWe. The VPC endpoint allows the SBC SWe to reach the REST API gateway without using EIP.
With VPC endpoint, the SBC eth0 port accesses AWS services over a private IP (using VPC-end-point) to move IPs from failed instance to new active instance.
VPC Endpoint-based Setup
If you deploy the SBC HA with a VPC endpoint, you must create the VPC endpoint first, and then deploy the SBC with HA.
Since EIP is optional on mgt0 on the SBC, select Yes/No for the EipAssociationForMgt parameter, as desired, in the Cloud Formation Template (see the parameter description below).
Field | Description |
---|---|
EipAssociationForMgt | Choose whether to associate the EIP on mgt0 of the HFE and SBC. to login and access SBC application from public networks
Note: Select "No" if you have already created the VPC endpoint before creating the SBC SWe. |
- Create VPC endpoints before creating an SBC HA pair.
- Ribbon supports VPC endpoints only if they are created in any subnet other than HA0, Pkt0 and Pkt1. The recommended VPC endpoint subnet is mgt0.
- If any VPC endpoint is present in an HA0, Pkt0 or Pkt1 subnet of the SBC, the SBC will fail to come up as an HA pair.
- Make sure mgt0 security rules allow traffic to VPC endpoints.
- VPC endpoints do not support all AWS services, so Ribbon may stop support of this feature in the future.
Create VPC Endpoints for AWS Services
Use the AWS page https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-interface.html to create an EC2 endpoint (interface endpoint) for AWS services.
This endpoint is required to make the requests about the peer CE and move IPs. It is always in the form com.amazonaws.region.ec2
.