Deploy EDGE on AWS
This section guides you through the steps to get the Anapaya EDGE appliance from the AWS Marketplace up and running.
Prerequisites
Before you can start, you need an AWS account. If you do not have one yet, create one on AWS. You also need SCION access into the AWS cloud. If you do not have one yet, contact the Anapaya Customer Success team.
Installation
The Anapaya EDGE appliance is available on the AWS Marketplace, under the name "Anapaya EDGE". The appliance is available in many different regions. After subscribing to the product, you can launch it directly from the AWS Marketplace in your preferred region.
We recommend starting with a t3.medium or similar instance type, which is the smallest instance type that is supported by the appliance. You can always change the instance type later on if you want to increase performance.
Make sure to select an SSH key pair that you have access to. You will need this key pair to connect to the appliance via SSH.
Cloud-Init
You can use cloud-init to further customize the appliance during the launch process, for example to set SSH keys for the anapaya user.
#cloud-config
users:
  - name: anapaya
    ssh_authorized_keys:
      # one public key per list entry
      - ...
Refer to the cloud-init documentation for more examples and details.
The Anapaya EDGE appliance will overwrite the SSH keys of the anapaya user as soon as the first configuration is applied. This means that the SSH keys you set in the cloud-init configuration will be removed. If you want to keep the SSH keys, you need to configure them in the appliance configuration during initial configuration.
VPC configuration
We recommend launching the appliance in a VPC that has at least three subnets:
- One subnet for the management interface (can have Internet access)
- One subnet for the SCION interface towards the SCION network (IP addressing details provided by your SCION access provider)
- One subnet to connect the EDGE appliance to your applications
If configuring three subnets/interfaces is too complex for your setup, it is possible to use only two subnets and share the management interface with either the SCION or application traffic.
Security group configuration
If you want to access the appliance from the Internet via SSH, you need to configure the security group to allow incoming SSH connections. The appliance uses port 22 for SSH.
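The following Terraform layout is an added example, not Anapaya's code or configuration. It ties together the three passages above: the cloud-init user for the anapaya account, the recommended three-subnet VPC, and a security group that opens port 22 only to an administrative source range rather than to the whole Internet. The AMI ID, key pair name, admin CIDR, public key, region and all subnet ranges are placeholders or assumptions; the SCION subnet addressing in particular comes from your SCION access provider, and the three-ENI layout with source/destination checks disabled is an assumption about how a forwarding appliance is normally attached, not something this page states.

```hcl
# Added example (not Anapaya's own code). All variable values are placeholders.
variable "edge_ami_id"      { type = string } # AMI of the "Anapaya EDGE" Marketplace listing in your region
variable "key_pair_name"    { type = string } # existing EC2 key pair you hold the private key for
variable "admin_cidr"       { type = string } # source range allowed to SSH in, e.g. an office egress /32
variable "admin_ssh_pubkey" { type = string } # public key injected for the anapaya user via cloud-init

provider "aws" {
  region = "eu-central-1" # assumption: any region where the listing is offered
}

resource "aws_vpc" "edge" {
  cidr_block = "10.10.0.0/16" # assumed range
}

# Three subnets: management (Internet reachable), SCION side, application side.
resource "aws_subnet" "mgmt" {
  vpc_id     = aws_vpc.edge.id
  cidr_block = "10.10.0.0/24"
}
resource "aws_subnet" "scion" {
  vpc_id     = aws_vpc.edge.id
  cidr_block = "10.10.1.0/24" # placeholder: addressing is provided by the SCION access provider
}
resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.edge.id
  cidr_block = "10.10.2.0/24"
}

# Only the management subnet gets a default route to the Internet.
resource "aws_internet_gateway" "mgmt" {
  vpc_id = aws_vpc.edge.id
}
resource "aws_route_table" "mgmt" {
  vpc_id = aws_vpc.edge.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.mgmt.id
  }
}
resource "aws_route_table_association" "mgmt" {
  subnet_id      = aws_subnet.mgmt.id
  route_table_id = aws_route_table.mgmt.id
}

# SSH (port 22) is allowed only from the admin range, never from 0.0.0.0/0.
resource "aws_security_group" "edge_mgmt" {
  name   = "edge-mgmt"
  vpc_id = aws_vpc.edge.id
  ingress {
    description = "SSH to the appliance from the admin range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# One ENI per subnet. Disabling source/dest checks on the forwarding
# interfaces is an assumption for a routing appliance, not stated on the page.
resource "aws_network_interface" "mgmt" {
  subnet_id       = aws_subnet.mgmt.id
  security_groups = [aws_security_group.edge_mgmt.id]
}
resource "aws_network_interface" "scion" {
  subnet_id         = aws_subnet.scion.id
  source_dest_check = false
}
resource "aws_network_interface" "app" {
  subnet_id         = aws_subnet.app.id
  source_dest_check = false
}

# Public address for the management interface so SSH from the Internet works.
resource "aws_eip" "mgmt" {
  domain            = "vpc"
  network_interface = aws_network_interface.mgmt.id
}

resource "aws_instance" "edge" {
  ami           = var.edge_ami_id
  instance_type = "t3.medium" # smallest supported type; can be changed later
  key_name      = var.key_pair_name

  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.mgmt.id
  }
  network_interface {
    device_index         = 1
    network_interface_id = aws_network_interface.scion.id
  }
  network_interface {
    device_index         = 2
    network_interface_id = aws_network_interface.app.id
  }

  # cloud-init: this key only survives until the first appliance configuration
  # is applied; persistent keys belong in the appliance configuration.
  user_data = <<-EOT
    #cloud-config
    users:
      - name: anapaya
        ssh_authorized_keys:
          - ${var.admin_ssh_pubkey}
  EOT
}
```

Launching a Marketplace AMI from Terraform still requires an active subscription to the product in the launching account, and when an instance is defined through network_interface blocks the subnet and security group are set on the ENIs rather than on the instance itself, which is why the SSH rule is attached only to the management ENI.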
Connecting to the appliance
Once the appliance is launched, you can connect to it via SSH. The appliance uses the anapaya user for SSH access and the SSH key pair that you selected during the launch process.
Configuration
After connecting to the appliance, configure it by following the steps in Setup.
The appliance is configured to use DHCP on initial launch. When you start changing the appliance configuration, you should first configure the interfaces section with the DHCP values for the management interface that were assigned by AWS. Otherwise, you might lose connectivity to the appliance.
NAT configuration
In some scenarios you might need to configure NAT on the appliance. Refer to the NAT section in the general configuration guide for more details.
Redundancy
Reach out to the Anapaya Customer Success team when you are interested in integrating Anapaya EDGE with AWS Cloud WAN.
To achieve redundancy, you can deploy two appliances in different Availability Zones and configure them as a cluster. Refer to the Cluster section in the general configuration guide for more details. For a redundant deployment in AWS, we recommend using the BGP integration of the Anapaya EDGE, which can be configured together with AWS Transit Gateway.
The diagrams below show different examples of how you can deploy the Anapaya EDGE appliance in the AWS cloud within and across regions. In the Single and Dual ISP scenarios, the EDGE appliances run as part of a SCION Cluster in different Availability Zones. The third scenario uses Independent EDGEs in different regions; for more details on Independent EDGEs please check here. The EDGE appliances are connected to the SCION network via AWS Direct Connect, provided by the SCION Access Provider (ISP).
For inter-VPC connectivity, the EDGE appliances are attached to an AWS Transit Gateway, which enables routing between multiple VPCs. GRE tunnels are established from the EDGE appliances to the Transit Gateway, and BGP is used over these GRE tunnels to dynamically exchange routing information with the AWS network. We recommend using a separate VPC for the applications that use SCION connectivity and connecting it to the Transit VPC via the Transit Gateway.
For details on the GRE interface configuration please check the GRE section. For more details on AWS Transit Gateway deployments please check the AWS Documentation.
- Single ISP: A single SCION ISP can provide SCION connectivity to multiple EDGE appliances in an AWS VPC.
- Dual ISP: If you require ISP redundancy for your applications, you can connect the EDGE appliances to two different SCION ISPs. One EDGE appliance can be connected to one or more ISPs, depending on the offerings of the SCION ISPs.
- Independent EDGEs in multiple regions: If you require application access across regions, you can connect two independent EDGE appliances to two different SCION ISPs in different regions.
A limitation in AWS Transit Gateway requires static routes for inter-region peering. Because the Transit Gateway prioritizes static routes over BGP, you can configure a less-specific static route as a redundant path for overlapping IP ranges in case of a BGP failure. Please check here for more details on the Transit Gateway Routing.
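The AWS side of the GRE-plus-BGP integration described above, as an added Terraform example that is not Anapaya's code: a Transit Gateway Connect attachment carries the GRE tunnel over the existing VPC attachment, a Connect peer defines the BGP session towards one EDGE appliance, and, for the multi-region scenario only, a less-specific static route over the inter-region peering attachment acts as the fallback path. The EDGE-side GRE and BGP settings come from the GRE section of the configuration guide and are not shown. The Transit Gateway ID, attachment IDs, route table ID, GRE endpoint address, ASN and the 10.0.0.0/8 fallback prefix are all placeholders or assumptions.

```hcl
# Added example (not Anapaya's own code). All IDs, addresses and prefixes are placeholders.
variable "transit_gateway_id"    { type = string }
variable "edge_vpc_attachment"   { type = string } # VPC attachment of the VPC that holds the EDGE ENIs
variable "edge_gre_ip"           { type = string } # EDGE interface address that terminates the GRE tunnel
variable "edge_bgp_asn"          { type = number } # ASN configured on the EDGE BGP peer
variable "tgw_route_table_id"    { type = string } # TGW route table the attachments are associated with
variable "peering_attachment_id" { type = string } # inter-region TGW peering attachment (multi-region only)

# Connect attachment: the GRE tunnels from the appliance ride on top of the
# VPC attachment, so the tunnel outer address lives inside that VPC.
resource "aws_ec2_transit_gateway_connect" "edge" {
  transit_gateway_id      = var.transit_gateway_id
  transport_attachment_id = var.edge_vpc_attachment
  protocol                = "gre"
}

# One Connect peer per EDGE appliance. BGP runs inside the tunnel on the
# link-local /29; the appliance must use the matching inside addresses.
resource "aws_ec2_transit_gateway_connect_peer" "edge_a" {
  transit_gateway_attachment_id = aws_ec2_transit_gateway_connect.edge.id
  peer_address                  = var.edge_gre_ip
  inside_cidr_blocks            = ["169.254.10.0/29"] # assumed /29 from 169.254.0.0/16
  bgp_asn                       = var.edge_bgp_asn
}

# Multi-region scenario: inter-region peering accepts only static routes, and
# a static route beats a BGP route for the same prefix. Keeping this route
# LESS specific than the prefixes learned over BGP means longest-prefix match
# still prefers the BGP paths while they exist, and this route only carries
# traffic once BGP withdraws them.
resource "aws_ec2_transit_gateway_route" "remote_region_fallback" {
  destination_cidr_block         = "10.0.0.0/8" # assumed summary covering the remote-region prefixes
  transit_gateway_attachment_id  = var.peering_attachment_id
  transit_gateway_route_table_id = var.tgw_route_table_id
}
```

If the Transit Gateway was created with default route table association and propagation switched off, the Connect attachment also needs an explicit association with the route table above, otherwise the prefixes the EDGE announces over BGP never reach the application VPC. Do not size the fallback prefix so that it is equal to or more specific than what the appliance announces, or it will silently override the BGP path even while the session is healthy.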