alexiflo
Cisco Employee
Purpose

 

The Catalyst 8000V is now available in AWS Local Zones on select EC2 instance sizes. Deploying Catalyst 8000V in AWS Local Zones can be used to provide VPN termination and NAT capabilities, similar to functionality provided by AWS Transit Gateway and AWS NAT Gateway in other AWS Regions and Availability Zones. You may use Catalyst 8000V in AWS Local Zones in the same manner as you would in AWS Availability Zones within a region. This includes SD-WAN use cases and traditional routing use cases such as NAT and VPN termination.

 

What are AWS Local Zones and their benefits?

 

LZ_arch.png

Figure 1: AWS Local Zones Architecture.

Like Availability Zones in AWS, Local Zones (right side of Figure 1) are a type of infrastructure that allow end users to deploy and run applications with low latency requirements. Local Zones bring the same compute and storage services, along with other select AWS services, but in a physically closer location to end users and businesses in popular metropolitan areas.

Users can extend their existing AWS Virtual Private Cloud (VPC) to these Local Zones in select regions, giving them the flexibility and power to deploy Catalyst 8000V instances closer to their datacenter and branch locations resulting in lower latency performance and enhanced user experience.

 

Networking limitations in AWS Local Zones compared to Availability Zones

 

AWS Local Zones are available in specific metro locations and support a select number of AWS services. Only a subset of the networking services found in Availability Zones is available in Local Zones. For example:

  1. NAT Gateway is currently not available in most Local Zones. As an example, a private application server that needs software updates from the Internet is not able to download them because there is no NAT-translated public IP address. A Catalyst 8000V instance deployed in a Local Zone can provide this NAT functionality.
  2. AWS Site-to-Site VPN termination is not supported in Local Zones, so users cannot use the managed service to terminate an encrypted connection between their on-premises locations and their Local Zone workloads. A Catalyst 8000V instance deployed in a Local Zone can provide feature-rich VPN termination to establish a secure Site-to-Cloud VPN directly into the Local Zone.

 

How does Catalyst 8000V help address AWS Local Zones limitations?

 

c8kv_in_LZ_2.drawio.png

Figure 2: Catalyst 8000V deployment in AWS Local Zones. 

To address the networking services gap in Local Zones, a Catalyst 8000V instance can be deployed and provide rich networking feature sets (Figure 2). Users can deploy a Catalyst 8000V instance the same way it can be done in Availability Zones.

Using AWS Local Zones together with Cisco SD-WAN or SD-Routing gives branches and data centers direct access to resources hosted in the Local Zone, working around the missing VPN and NAT Gateway services. A Catalyst 8000V deployed in the Local Zone performs the NAT that applications need to reach the Internet, and SD-WAN Manager provides application-level visibility into the traffic between branches/data centers and the Local Zone or the Internet.

Besides providing NAT and secure VPN gateway services, the Catalyst 8000V delivers comprehensive SD-WAN and other network services functions into cloud environments. For a full list of features and benefits of deploying Catalyst 8000V in virtual and cloud environments, please refer to the official datasheet.

 

Use Case 1: Catalyst 8000V in AWS Local Zone for VPN termination

 

S2S_VPN_termination_LZ.png

Figure 3: Catalyst 8000V deployed in Local Zone for VPN termination. 

In addition to supplementing networking services in Local Zones, the Catalyst 8000V can also be used as a VPN termination point between branch or datacenter locations and cloud workloads within these Local Zones (Figure 3) for a fast, secure and reliable connection.

Using the Catalyst 8000V as a VPN termination point gives users strong encryption in transit with current cryptographic suites. The Catalyst 8000V supports numerous VPN technologies such as IPsec with IKEv2, DMVPN, and FlexVPN. With this set of VPN features, users can confidently establish secure Site-to-Cloud connections to keep their sensitive data safe in transit.

The Catalyst 8000V also provides greater granularity, control, and visibility, given full configuration and monitoring control through the CLI, APIs, or the Catalyst SD-WAN Manager for Catalyst SD-WAN deployments.

 

Use Case 2: Catalyst 8000V in AWS Local Zone as NAT Gateway

c8kv_in_LZ-egress.png

Figure 4: Catalyst 8000V deployed in Local Zone as NAT Gateway.

Since the AWS NAT Gateway service is not available in the majority of Local Zones, Workload B traffic would otherwise need to be backhauled through AWS infrastructure for NAT translation at the Availability Zone public subnet, adding tens of milliseconds of latency (red arrow flow, Figure 4). A Catalyst 8000V can provide NAT Gateway functionality inside the Local Zone, allowing workloads without public IP addresses to reach external resources through the virtual router, and it can also provide connectivity between subnets with overlapping IP address space. Returning to the earlier NAT example, a private application server that needs software updates from the Internet can now download them: the Catalyst 8000V translates the request to a public IP address and sends it out through the Local Zone Internet egress path (green arrow flow, Figure 4), resulting in single-digit millisecond latency.

A Catalyst 8000V instance with a single Elastic IP (EIP) address can support up to approximately 63K concurrent NAT translations on that address.
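The following added example (not code from the article or from Cisco) renders the IOS XE configuration that implements the two use cases above: NAT overload for the private Local Zone subnet (Use Case 2) and an IKEv2/IPsec tunnel to one branch peer (Use Case 1). It assumes GigabitEthernet1 is the outside interface carrying the Elastic IP and GigabitEthernet2 is the inside interface in the private subnet; the peer address, pre-shared key, EIP and prefixes are placeholders.

```python
"""Render Catalyst 8000V (IOS XE) configuration for the two Local Zone use cases:
NAT overload for a private subnet (Use Case 2) and an IKEv2/IPsec Site-to-Cloud
tunnel (Use Case 1).

Added example, not taken from Cisco documentation. Assumptions: GigabitEthernet1
is the outside interface (the ENI that carries the Elastic IP) and GigabitEthernet2
is the inside interface in the private Local Zone subnet. All addresses, names and
keys are placeholders."""
import ipaddress

OUTSIDE_IF = "GigabitEthernet1"
INSIDE_IF = "GigabitEthernet2"
MIN_PSK_LEN = 20


def _wildcard(net):
    """IOS ACLs take an inverted (wildcard) mask rather than a netmask."""
    return str(net.hostmask)


def nat_config(inside_cidr, vpn_remote_cidrs=()):
    """NAT overload for the private subnet; traffic to VPN-connected sites is exempted."""
    inside = ipaddress.ip_network(inside_cidr)
    remotes = [ipaddress.ip_network(c) for c in vpn_remote_cidrs]
    for r in remotes:
        if r.overlaps(inside):
            raise ValueError(f"remote prefix {r} overlaps inside subnet {inside}")
    lines = [
        f"interface {OUTSIDE_IF}", " ip nat outside",
        f"interface {INSIDE_IF}", " ip nat inside",
        "ip access-list extended NAT-INSIDE",
    ]
    # Deny entries must precede the permit: site-to-site traffic keeps its private source.
    for r in remotes:
        lines.append(f" deny ip {inside.network_address} {_wildcard(inside)} "
                     f"{r.network_address} {_wildcard(r)}")
    lines.append(f" permit ip {inside.network_address} {_wildcard(inside)} any")
    # Overload on the outside interface's private address; AWS maps it 1:1 to the EIP,
    # so the Internet sees the EIP as the translated source.
    lines.append(f"ip nat inside source list NAT-INSIDE interface {OUTSIDE_IF} overload")
    return lines


def ikev2_tunnel_config(peer_ip, psk, local_eip, remote_cidrs, tunnel_id=100,
                        tunnel_ip="169.254.100.1"):
    """IKEv2 + IPsec VTI towards one branch/DC peer, routing the branch prefixes into it."""
    peer = ipaddress.ip_address(peer_ip)
    eip = ipaddress.ip_address(local_eip)
    if len(psk) < MIN_PSK_LEN:
        raise ValueError(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    lines = [
        "crypto ikev2 proposal LZ-PROP",
        " encryption aes-gcm-256",   # AEAD cipher: no separate 'integrity' line
        " prf sha512",
        " group 19",
        "crypto ikev2 policy LZ-POL",
        " proposal LZ-PROP",
        "crypto ikev2 keyring LZ-KEYRING",
        " peer BRANCH",
        f"  address {peer}",
        f"  pre-shared-key {psk}",
        "crypto ikev2 profile LZ-PROF",
        f" match identity remote address {peer} 255.255.255.255",
        # Gi1 holds a private address behind the EIP, so the default IKE identity
        # would be that private address; present the EIP instead so the branch
        # can match what it actually sees (NAT-T handles the 1:1 NAT).
        f" identity local address {eip}",
        " authentication remote pre-share",
        " authentication local pre-share",
        " keyring local LZ-KEYRING",
        "crypto ipsec transform-set LZ-TS esp-gcm 256",
        " mode tunnel",
        "crypto ipsec profile LZ-IPSEC",
        " set transform-set LZ-TS",
        " set ikev2-profile LZ-PROF",
        f"interface Tunnel{tunnel_id}",
        f" ip address {tunnel_ip} 255.255.255.252",
        f" tunnel source {OUTSIDE_IF}",
        " tunnel mode ipsec ipv4",
        f" tunnel destination {peer}",
        " tunnel protection ipsec profile LZ-IPSEC",
    ]
    for c in remote_cidrs:
        n = ipaddress.ip_network(c)
        lines.append(f"ip route {n.network_address} {n.netmask} Tunnel{tunnel_id}")
    return lines


if __name__ == "__main__":
    # Constructed inputs: 10.0.20.0/24 is the private Local Zone subnet,
    # 192.168.1.0/24 sits behind a branch peer at 203.0.113.10.
    print("\n".join(nat_config("10.0.20.0/24", ["192.168.1.0/24"])))
    print("\n".join(ikev2_tunnel_config("203.0.113.10", "replace-with-a-long-random-secret",
                                        "198.51.100.5", ["192.168.1.0/24"])))
```

Two points worth checking on a real deployment: the translated source on the router is GigabitEthernet1's private address and AWS performs the 1:1 mapping to the EIP, and for the same reason the branch must use the EIP as its tunnel destination while the C8000V presents the EIP as its IKE identity, otherwise identity matching on the branch side fails.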

 

How to deploy Catalyst 8000V in Local Zones

 

Before deploying Catalyst 8000V instances, Local Zones must be enabled in the AWS account. Instructions on how to enable Local Zones can be found here. Once enabled, users can create subnets in the Local Zone from a VPC in its parent Region.

Deployment instructions for the Catalyst 8000V are the same as the ones found in the official Catalyst 8000V in AWS Configuration Guide. Place the Catalyst 8000V instance under the appropriate subnet in which the Local Zone resides.

Step 1. Enable Local Zones in AWS account.

Navigate to the EC2 dashboard of your AWS account and under 'Account Attributes', select 'Zones'.

 

EC2_account_attributes.png

Select the Local Zone you want enabled based on the parent region you are under. In this example, we are in the US West region (Oregon) and we will enable the Las Vegas Local Zone. Once selected, go to 'Actions' and select 'Manage Zone group'.

 

select_LZ_from_list.png

 

 

 

Check the enable box and then click on the orange 'Update' box to continue. To confirm, you will need to type 'Enable' and then click 'Enable zone group'.

manage_zone_update1.png

 

manage_zone_update2.png

 

The Local Zone you have selected should now be enabled. Both State and Opt-in status should be green and say Available/Enabled.

 

 

local_zone_enabled.png

 

 

Step 2. Create a Local Zone subnet.

Now that the Local Zone is enabled (Las Vegas in this example), we must create a subnet and select the enabled Local Zone as its Availability Zone. The process of creating a Local Zone subnet is the same as for any other subnet in a VPC.

Navigate to the VPC dashboard and select the VPC of choice (or create one if not existing already). Create a new subnet, give it a name, and select the Local Zone enabled in the previous step as the Availability Zone and allocate the appropriate IP address block.

 

LZ_subnet.png

 

Create the subnet by clicking on the orange box to complete this step.

 

Step 3. Deploy Catalyst 8000V in Local Zone subnet.

Once the Local Zone subnet is created, go to the EC2 dashboard, and create a new instance using the Catalyst 8000V AMI. As mentioned previously, you can find detailed instructions on how to deploy Catalyst 8000V instances in AWS on the AWS deployment guide here.

Select the Catalyst 8000V AMI and proceed with filling out the EC2 instance information such as name, login keys, networking, etc.

 

c8kv_ami.png

 

When configuring the network settings for the Catalyst 8000V instance, it is important that you select the Local Zone subnet created in the last step so that it gets deployed in the Local Zone. You can also enable 'Auto-assign public IP' to give the Catalyst 8000V a public IP address, or you can attach an Elastic IP address post-deployment. Because the instance will be reachable from the Internet, restrict its security group to the VPN protocols you need (UDP 500 and 4500 for IKE and NAT-T, plus ESP) from known peer addresses and allow management access (SSH) only from trusted sources before launching it.

 

alexiflo_0-1707155573244.png

 

Once the Local Zone subnet has been selected, complete the deployment process by clicking the orange 'Launch instance' box.

You have now successfully deployed a Catalyst 8000V instance in a Local Zone and can now reap the benefits as mentioned in the article.

For supported Catalyst 8000V versions and Amazon EC2 instance details, see the announcement.
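Steps 1 to 3 above, carried out with boto3 instead of the console, as an added example that is not part of the article or of Cisco's tooling. It assumes two Local Zone subnets (a public one for the outside interface and a private one for the inside interface), the Las Vegas zone names, a placeholder AMI ID and instance type, and placeholder peer and management address ranges. It also adds the AWS-side settings the console walkthrough leaves out: a security group that admits only IKE/IPsec from known peers and SSH from management, source/destination checking disabled on the router's interfaces, an Elastic IP allocated from the Local Zone's network border group, and the private subnet's default route pointed at the router.

```python
"""Steps 1-3 of the Local Zone deployment as a boto3 script, plus the AWS-side
settings a router needs that the console walkthrough does not cover.

Added example; it is not Cisco's or AWS's tooling. Zone names, CIDRs, instance type,
the AMI ID and the trusted address ranges are placeholders for this illustration.
boto3 is imported only inside deploy() so the request builders run offline."""
import ipaddress

REGION = "us-west-2"                  # parent Region (Oregon), as in the walkthrough
ZONE_GROUP = "us-west-2-las-1"        # Las Vegas Local Zone group (assumed name)
LOCAL_ZONE = "us-west-2-las-1a"       # Local Zone used for the subnets (assumed name)
C8000V_AMI = "ami-0123456789abcdef0"  # placeholder; use the Catalyst 8000V AMI for REGION
INSTANCE_TYPE = "c5.large"            # assumption; check the announcement for supported sizes
VPN_PEERS = ["203.0.113.10/32"]       # branch/DC public addresses allowed to negotiate IPsec
MGMT_SOURCES = ["198.51.100.0/24"]    # addresses allowed to SSH to the router
IKE_UDP_PORTS = (500, 4500)           # IKE and NAT-T


def local_zone_subnet_request(vpc_id, vpc_cidr, subnet_cidr, zone=LOCAL_ZONE):
    """create_subnet() arguments; refuse a CIDR that is not inside the VPC (Step 2)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    sub = ipaddress.ip_network(subnet_cidr)
    if not sub.subnet_of(vpc):
        raise ValueError(f"{sub} is not within VPC {vpc}")
    return {"VpcId": vpc_id, "CidrBlock": str(sub), "AvailabilityZone": zone}


def router_ingress_rules(inside_cidr, peers=VPN_PEERS, mgmt=MGMT_SOURCES):
    """Security-group ingress: IKE/NAT-T and ESP from known peers only, SSH from
    management only, and any traffic from the inside subnet (it is being NATed)."""
    peer_ranges = [{"CidrIp": p} for p in peers]
    rules = [{"IpProtocol": "udp", "FromPort": port, "ToPort": port, "IpRanges": peer_ranges}
             for port in IKE_UDP_PORTS]
    rules.append({"IpProtocol": "50", "IpRanges": peer_ranges})  # ESP when NAT-T is not negotiated
    rules.append({"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": m} for m in mgmt]})
    rules.append({"IpProtocol": "-1",
                  "IpRanges": [{"CidrIp": str(ipaddress.ip_network(inside_cidr))}]})
    return rules


def run_instances_request(public_subnet_id, private_subnet_id, sg_id, key_name):
    """run_instances() arguments (Step 3): two ENIs in the Local Zone subnets. With more
    than one interface AWS refuses auto-assigned public IPs, so the EIP is attached later."""
    return {
        "ImageId": C8000V_AMI, "InstanceType": INSTANCE_TYPE, "KeyName": key_name,
        "MinCount": 1, "MaxCount": 1,
        "NetworkInterfaces": [
            {"DeviceIndex": 0, "SubnetId": public_subnet_id, "Groups": [sg_id]},   # Gi1, outside
            {"DeviceIndex": 1, "SubnetId": private_subnet_id, "Groups": [sg_id]},  # Gi2, inside
        ],
    }


def deploy(vpc_id, vpc_cidr, public_cidr, private_cidr, key_name, private_rtb_id):
    """Run the plan against AWS (needs credentials; not exercised offline).
    The public subnet is assumed to already have a default route to an Internet gateway."""
    import boto3
    ec2 = boto3.client("ec2", region_name=REGION)
    # Step 1: opt the account in to the Local Zone group.
    ec2.modify_availability_zone_group(GroupName=ZONE_GROUP, OptInStatus="opted-in")
    # Step 2: public (outside) and private (inside) subnets in the Local Zone.
    pub = ec2.create_subnet(**local_zone_subnet_request(vpc_id, vpc_cidr, public_cidr))["Subnet"]
    priv = ec2.create_subnet(**local_zone_subnet_request(vpc_id, vpc_cidr, private_cidr))["Subnet"]
    sg = ec2.create_security_group(GroupName="c8000v-lz", VpcId=vpc_id,
                                   Description="Catalyst 8000V in Local Zone")
    ec2.authorize_security_group_ingress(GroupId=sg["GroupId"],
                                         IpPermissions=router_ingress_rules(private_cidr))
    # Step 3: launch the router into the Local Zone subnets.
    inst = ec2.run_instances(**run_instances_request(pub["SubnetId"], priv["SubnetId"],
                                                     sg["GroupId"], key_name))["Instances"][0]
    enis = {n["Attachment"]["DeviceIndex"]: n["NetworkInterfaceId"]
            for n in inst["NetworkInterfaces"]}
    # A router forwards packets not addressed to itself: disable source/destination
    # checking on both ENIs, otherwise AWS silently drops the NATed and VPN traffic.
    for eni in enis.values():
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni,
                                               SourceDestCheck={"Value": False})
    # The EIP must come from the Local Zone's network border group, not the parent Region's pool.
    eip = ec2.allocate_address(Domain="vpc", NetworkBorderGroup=ZONE_GROUP)
    ec2.associate_address(AllocationId=eip["AllocationId"], NetworkInterfaceId=enis[0])
    # Private subnet default route -> inside ENI, so workloads egress through the router's NAT.
    ec2.create_route(RouteTableId=private_rtb_id, DestinationCidrBlock="0.0.0.0/0",
                     NetworkInterfaceId=enis[1])
    return inst["InstanceId"], eip["PublicIp"]
```

Call `deploy()` with your VPC ID and CIDR, the two Local Zone subnet CIDRs, an EC2 key pair name and the private subnet's route table ID; the request builders can be inspected or unit-tested without AWS credentials.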

 
