AWS in Switzerland and Austria (Alps)

Empowering Regulated Customers: Connecting SCION Networks to AWS Environments

Since the launch of the AWS Europe (Zurich) Region, we have not only been focussing on making additional services and features available, but also on offering specific capabilities designed for our local customers. Empowering critical infrastructure customers from finance, healthcare and government industries with SCION network access is another such accomplishment.

SCION network infrastructure is an inter-domain internet architecture that is designed to enhance availability, security and performance of data communication for a next-generation internet. To offer SCION-enabled access to AWS customers, we collaborate with Anapaya, the commercial provider of SCION. This collaboration resulted in a co-developed solution that delivers SCION-enabled access to your Amazon Virtual Private Cloud (Amazon VPC).

Why is SCION network connectivity relevant for AWS Swiss customers?

SCION technology provides path control, failure isolation, and explicit trust information by design for end-to-end communication. The SCION network enables all parties in a communication (senders, receivers, and Internet Service Providers, ISPs) to control and decide which parties may use the communication network and which data path is taken when transmitting over the network.

SCION technology has been integrated in critical and sensitive Swiss infrastructure. For instance, the Swiss National Bank and the infrastructure operator SIX jointly introduced the Secure Swiss Finance Network (SSFN) for their data communication network. The SSFN communication network was standardised based on SCION technology.

Moreover, Finance IPNet, the gateway to infrastructure services used by SIX (connecting 300+ banks) will be decommissioned at the end of September 2024. The recommended technology for banks is the SSFN.

In early 2023, Health Info Net AG (HIN), a key player in the Swiss healthcare system linking more than 50,000 healthcare organizations, announced their SCION technology adoption with the HIN Trust Circle. HIN provides a secure communication service and trustworthy handling of sensitive data to healthcare professionals by means of the HIN Trust Circle.

Furthermore, the Swiss Federal administration is also considering SCION network connectivity for federal administration secure data traffic and as part of their cloud strategy.

Connecting AWS Account to SCION Network using Anapaya appliances

Prerequisites

  • AWS Direct Connect connection from AWS to Anapaya CORE router in available state (Dedicated or Hosted) in your AWS account.
  • Subscription to Anapaya EDGE virtual appliance in AWS Marketplace.

Overview

To build IP connectivity from customers’ Amazon VPCs to the SCION network, we used AWS Direct Connect for a private connection to the Anapaya CORE router — the SCION network entry point. We chose Direct Connect for its reliable and consistent low-latency performance. This connection is provided through AWS or AWS partners, and a dedicated Direct Connect connection can offer up to 100 Gbps for high bandwidth demand as well as MACsec encryption.

Direct Connect establishes the IP connectivity between the Anapaya EDGE virtual appliance running in the Amazon VPC and the Anapaya CORE router, which is part of the backbone of the SCION network. This approach enables workloads within the VPC to seamlessly connect to the SCION network and access the services offered within SCION.


Figure 1: Leveraging AWS Direct Connect for connecting Amazon VPC to Anapaya CORE – SCION entrypoint

Step-by-Step Guide: Linking Amazon VPC to Anapaya CORE

In this section, we provide a high-level step-by-step guide on how to build the solution and link an Amazon VPC to the SCION internet. Note that the physical Direct Connect link must be in an available state in your Direct Connect console before proceeding with the following steps.

1. Create Direct Connect Gateway

We leveraged Direct Connect Gateway (DGW) to address the following requirements:

  • Establishing connectivity that spans multiple AWS Regions over Direct Connect. Because the DGW is a global AWS resource, connectivity is not restricted to the AWS Region where the Direct Connect location is homed.
  • Connecting multiple VPCs over a single Direct Connect connection and a single BGP session to Anapaya CORE. This reduces administrative overhead as well as cost.

2. Create Virtual Interface (VIF)

Accessing the VPCs using private IPs via Direct Connect requires either a Private or Transit virtual interface (VIF).

Using a Transit VIF is preferred over a Private VIF in the following scenarios:

  • Connecting to multiple VPCs across different AWS Regions.
  • Enabling connection across different accounts.

On the other hand, if the use case is a private connection between a single VPC (or up to 10 VPCs) in a single account, or a dedicated connection for a specific application, we suggest creating a Private VIF.

Based on the chosen type of virtual interface, we have implemented two alternative architectures, which are described in Scenarios A and B:

Scenario A: Transit VIF

Using a Transit VIF associated with the DGW and an AWS Transit Gateway (TGW) has the advantage of consolidating the routing configuration of multiple VPC attachments in one place over a single BGP session to an Anapaya CORE. Anapaya CORE is the entry point for downstream SCION customers. This approach can reduce operational overhead and provides the ability to centrally manage all connectivity through the TGW.


Figure 2: Linking Amazon VPC to Anapaya CORE using Transit Virtual Interface

  1. Create a Transit VIF and establish BGP peering on the Direct Connect connection.
  2. Create a Transit Gateway and associate it with the Direct Connect Gateway. The Transit Gateway, which acts as a network transit hub, is deployed in a central network account and offers SCION-enabled VPC attachments to other accounts in the same Region.
  3. Share the Transit Gateway with other accounts using AWS Resource Access Manager (RAM).
  4. Create VPC attachments and set up a route table in the Transit Gateway.

Scenario B: Private VIF

Using a Private VIF associated with the DGW and a Virtual Private Gateway (VGW) offers a simplified setup and better isolation of the attached VPC. However, it is limited to a maximum of 10 VPCs over a single connection.


Figure 3: Linking Amazon VPC to Anapaya CORE using Virtual Private Interface and Direct Connect

  1. Create a hosted Private VIF in the AWS account that hosts the Direct Connect connection. In the scenario in which you host the Private VIF in your own AWS account, follow the instructions here.
  2. Accept the hosted Private VIF in the recipient AWS account and choose the DGW that the Private VIF should be attached to.
  3. Set up the peering settings and bring up the BGP session over Direct Connect.
  4. Create a VGW and attach it to the VPC that needs a connection to SCION.
  5. Associate the VGW with the DGW.

3. Set up the SCION VPC, subnets and route tables

In this example, we create two VPCs, also to showcase the ability to connect VPCs through the TGW.
In each VPC, we provision two private subnets:

  • SCION LAN: dedicated subnet for the application workload.
  • SCION WAN: subnet that has route to Anapaya CORE.

Note that keeping the subnets private is not a requirement, and the SCION VPCs can be tailored to offer internet access too. Figure 4 shows how the subnets and route tables are defined in this setup. SCION CORE access is provided via the 10.10.0.0/24 Transit Gateway attachment.


Figure 4: Subnets and route tables settings

4. Launch Anapaya EDGE from AWS Marketplace

To deploy the Anapaya EDGE virtual appliance in your AWS account, start by retrieving the AMI from the AWS Marketplace and subscribing to it. Afterward, launch an EC2 instance using the Anapaya EDGE AMI within the SCION VPC.

5. Routing setup in Anapaya EDGE

Anapaya EDGE has been attached to SCION-LAN and SCION-WAN subnets. The general application traffic will flow through the SCION-LAN subnet, while the traffic destined to reach the SCION network will be routed via the SCION-WAN subnet.

6. Configure Anapaya EDGE virtual appliance

Follow the configuration instructions detailed in the Anapaya knowledge base to establish the connectivity to Anapaya CORE. After this step, the Anapaya EDGE should be able to deliver traffic to the SCION network.

Traffic Flow to Anapaya EDGE

Instances within the SCION-LAN that require access to services in the SCION network can effectively use Anapaya EDGE as their next hop. For every IP packet that is sent to the Anapaya EDGE within the AWS VPC, the EDGE checks if it has a route to the SCION network. If it doesn’t, it will either drop the packet or forward it along another route.

If the route to the SCION network is available on the Anapaya EDGE, it encapsulates the original data packet within a SCION packet and adds the SCION header, including path information. Anapaya EDGE is designed to support multiple paths to a destination and it also allows the traffic to be routed along diverse paths. Anapaya EDGE considers factors such as latency, bandwidth, and network health to choose the optimal path for a given communication.

SCION packets then utilize the underlying IP/UDP connection to reach the Anapaya CORE router of the transit provider outside of the AWS network. Subsequently, the packets are forwarded along the path specified in the packet header within the SCION network. The initial hop in this path is the Anapaya EDGE AS (Autonomous System), succeeded by the Anapaya CORE hop, before reaching another transit provider or destination AS at the third hop.
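To make the forwarding decision described in this section concrete, the following added example (not Anapaya or AWS code) models the EDGE's behaviour: a longest-prefix route lookup, selection among several candidate paths using health, latency and bandwidth, and encapsulation of the original packet behind a path header carried over an IP/UDP underlay towards the CORE. The route table, path metrics, AS names, the CORE underlay endpoint and the header layout are all constructed for illustration; real SCION wire formats differ.

```python
from dataclasses import dataclass
import ipaddress
import struct


@dataclass
class Path:
    hops: tuple           # AS identifiers along the path (constructed names)
    latency_ms: float
    bandwidth_mbps: float
    healthy: bool         # result of path probing (constructed)


# Constructed EDGE routing state: destination prefix -> candidate SCION paths.
# The first prefix has a healthy 3-hop path (EDGE AS, CORE, destination AS)
# and a faster but unhealthy 4-hop path; the second has no healthy path at all.
SCION_ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): [
        Path(("EDGE-AS", "CORE-AS", "DEST-AS-A"), 12.0, 1000, True),
        Path(("EDGE-AS", "CORE-AS", "TRANSIT-AS", "DEST-AS-A"), 9.0, 100, False),
    ],
    ipaddress.ip_network("203.0.113.0/24"): [
        Path(("EDGE-AS", "CORE-AS", "DEST-AS-B"), 20.0, 100, False),
    ],
}
CORE_UNDERLAY = ("10.10.0.10", 30041)  # constructed CORE IP/UDP endpoint on the WAN side


def lookup(dst_ip):
    """Longest-prefix match over the EDGE's SCION routes; None when no route exists."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [net for net in SCION_ROUTES if dst in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None


def choose_path(paths):
    """Only healthy paths are eligible; among them prefer low latency, then high bandwidth."""
    usable = [p for p in paths if p.healthy]
    return min(usable, key=lambda p: (p.latency_ms, -p.bandwidth_mbps)) if usable else None


def encapsulate(ip_packet, path):
    """Constructed header: one byte hop count, NUL-terminated hop names, then the original packet."""
    hop_bytes = b"".join(h.encode() + b"\0" for h in path.hops)
    return struct.pack("!B", len(path.hops)) + hop_bytes + ip_packet


def forward(dst_ip, ip_packet):
    """EDGE decision: ('drop', None, None) or ('scion', underlay_endpoint, encapsulated_frame)."""
    net = lookup(dst_ip)
    path = choose_path(SCION_ROUTES[net]) if net is not None else None
    if path is None:
        return ("drop", None, None)   # no route or no healthy path to the destination
    return ("scion", CORE_UNDERLAY, encapsulate(ip_packet, path))
```

The unhealthy 4-hop path is never chosen even though its latency is lower, which is the failure-isolation behaviour the text attributes to multiple-path support.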

Conclusion

In this blog post we demonstrated how to provide SCION-enabled access for AWS customers. We set up a hosted AWS Direct Connect, connecting the AWS backbone to the SCION network at colocation facilities or ISP points of presence that run an Anapaya CORE. The AWS Direct Connect establishes a link from Anapaya EDGE running in an Amazon VPC to Anapaya CORE.

The solution outlined in this blog is one of several tailored options designed and implemented as a Proof-of-Concept in collaboration with Anapaya. A reference architecture and additional implementation details that provide production-ready solutions, including increased resiliency and high availability, will be released on the Anapaya resources page and referenced here.

To read more about the SCION network and Anapaya please refer to the following resources:

If you are interested in connecting your AWS account to the SCION network, contact the Anapaya Customer Success team or an AWS Expert.