283 | | a) In order for EC2 instances to be part of a VLAN, the simplest solution is to run a VLAN software like OpenVPN in the EC2 instances. It is the responsibility of the user to setup that VLAN so that it can communicate with the rest of its GENI resources. There is no additional cost for such setup besides the network traffic charges described in Section 1. |
284 | | |
285 | | b) Amazon Virtual Private Cloud service allows setting up a bridge to expand a VLAN with EC2 resources. Note that this can only be a layer 3 VLAN. Amazon VPC provides end-to-end network isolation by utilizing an IP address range that is specified by the user, and routing all network traffic between VPC and the user network through an encrypted IPsec VPN. |
| 283 | a) In order for EC2 instances to be part of a VLAN, the simplest solution is to run a VLAN software like OpenVPN in the EC2 instances. It is the responsibility of the user to setup that VLAN so that it can communicate with the rest of its GENI resources. There is no additional cost for such setup besides the network traffic charges described in Section 1. |
| 284 | |
| 285 | b) Amazon Virtual Private Cloud service allows setting up a bridge to expand a VLAN with EC2 resources. Note that this can only be a layer 3 VLAN. Amazon VPC provides end-to-end network isolation by utilizing an IP address range that is specified by the user, and routing all network traffic between VPC and the user network through an encrypted IPsec VPN. |
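Review bot: "Note that this can only be a layer 3 VLAN" in line 285 contradicts itself, since a VLAN is a layer-2 construct; what the paragraph actually describes is routed, layer-3 connectivity into the user-chosen VPC address range over the IPsec tunnel, so say "layer-3 connectivity only, not a layer-2 VLAN extension". The same imprecision affects "a VLAN software like OpenVPN" in line 283: OpenVPN is a VPN overlay (it can carry Ethernet frames in TAP mode, but it is not a VLAN), and since the text makes the user responsible for the setup, naming the mode that is expected (routed TUN or bridged TAP) would make the responsibility concrete.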
288 | | Note: Providing the VPC functionality can only work for a single user (one VPC per AWS account only). This would not allow a broker to manage its resources globally and have |
289 | | multiple concurrent users using a pool of EC2 resources. |
290 | | |
291 | | |
292 | | Another option illustrated in Figure 3 would consist in having the broker run the |
293 | | customer gateway and act as a bridge with the end-user resources. This option would still |
294 | | have the limitation that all users going through the same broker would be sharing the |
295 | | same VPN on the EC2 side. Having as many AWS accounts as GENI users does not |
296 | | seem practical and would make accounting and billing much more complex. |
297 | | |
298 | | |
| 288 | Note: Providing the VPC functionality can only work for a single user (one VPC per AWS account only). This would not allow a broker to manage its resources globally and have |
| 289 | multiple concurrent users using a pool of EC2 resources. A workaround solution would consist in having the broker run the customer gateway and act as a bridge with the end-user resources. This option would still have the limitation that all users going through the same broker would be sharing the same VPN on the EC2 side. (Having as many AWS accounts as GENI users does not seem practical and would make accounting and billing much more complex.) |
| 290 | |
| 291 | Recommendation; |
| 292 | |
| 293 | The EC2 offering is expanding quickly and we expect additional VLAN support for EC2 resources through Amazon VPC or another service (note that Amazon VPC just went from restricted beta to public beta in December 2009). |
| 294 | |
| 295 | Given the current lack of offering for layer-2 connectivity with EC2 resources and the current limitations of the Amazon VPC offering, the recommended solution is just to use the public IP addresses provided by Amazon to address EC2 resources. Then, if VLAN capabilities are required, the user can easily setup a software IPSec VPN in the EC2 instances it is running. We propose to offer Amazon images with a pre-installed OpenVPN package for that purpose. |
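Review bot: line 295 tells the user to "setup a software IPSec VPN" and in the next sentence proposes images with a pre-installed OpenVPN package, but OpenVPN is a TLS-based VPN, not IPsec; either name one protocol consistently or write "a software VPN (for example OpenVPN)". The merge in line 289 also drops the "illustrated in Figure 3" reference that old line 292 carried, so the figure is no longer cited anywhere in this passage; restore the reference or retire the figure. For the pre-installed image, state that it ships with no keys or certificates and that each user generates their own, since any credential baked into a shared image would be trusted by every instance launched from it. Minor: "Recommendation;" in line 291 should end with a colon.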