One of the biggest challenges I’m facing is how to build a multi-region, multi-VPC (virtual private cloud) architecture. Keep in mind that this utilizes a multi-master (2 node) MySQL DB, configuration management (via Puppet) and Jenkins for CI. The first challenge: connectivity between regions. How would I solve this? Logically, point to point is an easy way to solve it, but the problem isn’t the PTP link itself, it’s everything underlying it that causes concern. Our end goal is to be multi-regional while also allowing each region to live independently on its own. We all know that building in AWS means building for failure: plan for every piece to fail (EC2 instances, subnet oddities, ELBs not remapping). So the challenge is focused on how to maintain connectivity constantly. There are some additional issues with PTP, like overhead, or even the SMALL fact that it’s software running on an instance that can die on its own.
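The two failure modes called out above (the VPN software or its instance dying on its own, versus a whole region becoming unreachable) need different responses, and a link watchdog should be able to tell them apart without flapping routes on every lost packet. The following is an added example, not code from the original post: it probes a far-side address that is only reachable through the tunnel and a far-side address reachable over the public Internet, classifies the result, and applies hysteresis before declaring the link down or up. The inside address reuses one of the far-side addresses from the drawing (10.2.20.230); the public endpoint name, the port numbers and the probe history are constructed placeholders.

```python
"""Watchdog for a point-to-point VPN link between two VPCs (added example).

Assumptions (none of these come from the original post):
  * PEER_INSIDE is a far-side host reachable only through the tunnel
    (10.2.20.230 is taken from the post's drawing; port 22 is assumed).
  * PEER_PUBLIC_ENDPOINT is the far side's Internet-facing address (placeholder).
Probing both lets us separate "VPN process/instance died" from "region is
unreachable"; hysteresis keeps one dropped probe from triggering a failover.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

PEER_INSIDE = ("10.2.20.230", 22)                          # reachable via tunnel only
PEER_PUBLIC_ENDPOINT = ("vpn-peer.example.invalid", 1194)  # placeholder public endpoint


def tcp_probe(addr: Tuple[str, int], timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to addr completes within timeout."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def classify(inside_ok: bool, outside_ok: bool) -> str:
    """Turn one probe pair into a diagnosis the operator can act on."""
    if inside_ok:
        return "healthy"
    if outside_ok:
        # Far side answers on the Internet but not through the tunnel:
        # the VPN daemon or its instance is the problem, restart/fail it over.
        return "tunnel-down"
    # Neither path answers: treat the far region as isolated and let this
    # region keep running on its own, as the post's design goal requires.
    return "peer-unreachable"


@dataclass
class LinkState:
    """N consecutive bad probes to go DOWN, M consecutive good probes to go UP."""
    fail_threshold: int = 3
    recover_threshold: int = 2
    up: bool = True
    _bad: int = 0
    _good: int = 0
    transitions: List[str] = field(default_factory=list)

    def observe(self, status: str) -> bool:
        if status == "healthy":
            self._good += 1
            self._bad = 0
            if not self.up and self._good >= self.recover_threshold:
                self.up = True
                self.transitions.append("UP")
        else:
            self._bad += 1
            self._good = 0
            if self.up and self._bad >= self.fail_threshold:
                self.up = False
                self.transitions.append(f"DOWN:{status}")
        return self.up


def run_cycle(samples: Iterable[Tuple[bool, bool]],
              link: Optional[LinkState] = None,
              on_transition: Optional[Callable[[str], None]] = None) -> LinkState:
    """Feed (inside_ok, outside_ok) probe pairs through the state machine,
    invoking on_transition (alert, route change, ...) whenever the state flips."""
    link = link or LinkState()
    seen = len(link.transitions)
    for inside_ok, outside_ok in samples:
        link.observe(classify(inside_ok, outside_ok))
        if on_transition and len(link.transitions) > seen:
            on_transition(link.transitions[-1])
            seen = len(link.transitions)
    return link


def live_sample() -> Tuple[bool, bool]:
    """One real probe pair against the configured peer (not used offline)."""
    return tcp_probe(PEER_INSIDE), tcp_probe(PEER_PUBLIC_ENDPOINT)


# Constructed probe history: isolated drops that must be absorbed, then the VPN
# host dies while the region stays reachable, then the tunnel recovers.
SAMPLE_HISTORY = [
    (True, True), (False, True), (True, True),      # single drop: no transition
    (False, True), (False, True), (True, True),     # two drops: still below threshold
    (False, True), (False, True), (False, True),    # third in a row -> DOWN:tunnel-down
    (True, True),                                   # one good probe: still DOWN
    (True, True),                                   # second good probe -> UP
]

if __name__ == "__main__":
    result = run_cycle(SAMPLE_HISTORY, on_transition=print)
    print("link up:", result.up)
```

In production the loop would call `live_sample()` on a timer instead of replaying `SAMPLE_HISTORY`, and `on_transition` would do the region-specific work: restarting or replacing the VPN instance for `tunnel-down`, and leaving the local region to operate independently for `peer-unreachable`. The thresholds are deliberately asymmetric so that recovery is declared quickly while a flapping WAN path still has to fail several times in a row before routes move.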
OpenVPN has been pretty stable for our team. We utilize it for simple things like allowing users (developers, DBAs) onto the AWS VPC. Basically, it’s the central login point for accessing all backend systems (on different subnets) in a secure manner without having to use a bastion host. Many of our developers work directly on development servers or need direct access beyond just SSHing in. As a sysadmin, I do wish developers understood how to do more without a GUI in front of them, but that can be left for another day/rant.
In a simple ASCII drawing, this is what we’re doing:
user--\                 (ptp)                       /----[Web Server]
       \    US East <---------> EU West            /      10.2.50.13
        ----------[VPN host]       [NAT Host]---------
       /          192.168.40.X     10.2.20.230        \
  [db server]                                         [DB server]
  192.168.100.30                                      10.2.233.150