In my previous blogs I have outlined how the Frame™ Bring Your Own (BYO) Networking capability in Amazon Web Services (AWS) can be used to deploy a Frame account so that Frame-managed workload VMs are connected to an existing private network. The recent addition of Frame Remoting Protocol (FRP) 8 has changed some of the ports and protocols used for workload connectivity. In this blog, I will update that earlier description and show how the Frame Streaming Gateway Appliance (SGA) fits into the FRP8 networking environment.
Frame Remoting Protocol (FRP) 8
FRP8 is a new streaming protocol that governs how the end user’s browser connects to the Frame workload VM. It is built on the WebRTC standard and uses UDP as its transport, which provides better connectivity under loss and latency and enables additional capabilities and features. At the time of this writing, FRP8 is in Early Access and the enhancements and features are documented here. Because FRP8 is a major switch from WebSockets (TCP) to WebRTC (UDP by default), it has networking implications that we will outline below: in particular, firewalls and security groups between the browser and the SGA must now pass UDP, not just TCP.
Streaming Gateway Appliance (SGA)
The Streaming Gateway Appliance (SGA) is a reverse proxy, based on NGINX® software, that customers can deploy to allow Internet-based users to connect to Frame workload virtual machines (VMs) in private networks. To support the new FRP8 protocol, the SGA was upgraded from SGA 2.X to SGA 3.X. Some of the differences between the two SGA versions are highlighted here.
For this blog, I will use a feature (Frame networking, private network with SGA) that automates the deployment of an SGA in order to explore the set of resources created. A generalized architecture of what is created is shown below.
Creating a Frame account
To create a SGA-based private account, a Frame administrator needs to select the “Frame Managed Networking” and the “Private network with SGA” radio buttons on the account creation page. Other information like cloud provider, data center, and network information is entered to create a private environment consistent with the rest of the enterprise network.
In the example below, I chose:
- AWS Montreal for my demo environment
- Two SGAs to show how load balancing will work
- A CIDR block for my workstation network that would not overlap with the rest of my private network (10.100.0.0/18)
- A smaller non-overlapping CIDR block for my SGA network (10.254.254.0/24), since the number of machines in this VPC is much smaller.
Since FRP8 is an Early Access feature, it is not enabled by default on new Frame accounts. To enable FRP8, go to the account Dashboard > Settings > Session Settings and enable FRP8.
Successful FRP8 enablement can be verified by starting a session in the Sandbox and enabling "Session stats" which should show UDP and FRP8 as being in use.
What’s under the hood
Now that I have created a Frame-managed SGA/private network account running FRP8, let’s explore what was created inside my AWS account.
The first things created were two Virtual Private Clouds (VPCs) with the requested CIDR blocks.
The workload VPC is named with the Frame Vendor ID (in this case 48082), which is a unique ID within Frame Platform, and the SGA VPC is named with the SGA ID (in this case 1906), which identifies the SGA deployment inside Frame Platform. These two VPCs are peered within AWS to allow private network traffic to flow freely between them.
Next, Frame creates subnets inside the VPCs. In this case, Frame creates three subnets per VPC to provide flexibility and availability within the VPC.
NAT and Load balancer
The two VPCs will both need internet access:
- The SGA will need inbound traffic from the Frame end users.
- The Workload VPC needs outbound connections to Frame Platform.
Consequently, Internet Gateways are attached to both VPCs and a NAT Gateway is attached to the Workload VPC.
For the SGAs, an AWS Load Balancer is provisioned to create a high availability SGA service.
The final steps are to route the traffic appropriately and assign security groups to the SGA and workload VMs.
In the workload VPC, the workload VMs sit on “private” subnets: outbound Internet traffic is routed through the NAT Gateway, while traffic to the SGA VMs goes out over the peering connection.
The subnet hosting the NAT Gateway routes directly to the Internet Gateway.
The SGA subnet has a route to the Internet via a NAT Gateway and a route to the workloads in the Workload VPC via the peering connection. Note that AWS VPC peering is not transitive, so the NAT Gateway behind that default route must live in the SGA VPC itself; the Workload VPC’s NAT Gateway is not reachable through the peering connection.
Security groups on the workload VMs allow only specific TCP and UDP ports, and only from the SGA subnet, so the workloads are never directly reachable from the Internet.
The SGA security group allows:
- TCP port 8888 from specific Frame Platform IP addresses (the control channel from Frame Platform);
- all traffic from the workload VPC subnets;
- specific TCP and UDP ports from the Internet (the FRP8 session traffic from end-user browsers).
When reviewing this group, check that the Internet-facing rules are limited to the TCP and UDP ports Frame documents for FRP8; the UDP rules are new relative to an SGA 2.X deployment and are the ones most likely to be missing or too broad.
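To make the checks above repeatable, here is an offline audit script. It is an added example, not Frame’s or AWS’s code: it walks data shaped like trimmed `aws ec2 describe-security-groups`, `describe-nat-gateways` and `describe-route-tables` output, confirms the two new CIDR blocks do not overlap an existing enterprise range, flags any SGA ingress open to the Internet beyond an expected port list, and verifies that the SGA subnet’s default route targets a NAT Gateway in the SGA VPC (peering is not transitive). Every identifier (vpc-, sg-, nat-, pcx- values), the Frame Platform address and the port numbers in the expected-ports set are placeholders I made up for the example; substitute the ports from Frame’s FRP8 documentation and the real IDs from your account.

```python
"""Offline audit of the AWS objects a Frame SGA/private-network account creates.

Added example, not Frame's or AWS's code. The dictionaries below are
CONSTRUCTED to mimic trimmed `aws ec2 describe-security-groups`,
`describe-nat-gateways` and `describe-route-tables` output. Every identifier
(vpc-/sg-/nat-/pcx- values), the Frame Platform address and the port numbers
are assumptions for illustration; take the real ports from Frame's FRP8 docs.
"""
import ipaddress

INTERNET = "0.0.0.0/0"
WORKLOAD_CIDR = "10.100.0.0/18"            # from the post
SGA_CIDR = "10.254.254.0/24"               # from the post
FRAME_PLATFORM_IPS = ["203.0.113.10/32"]   # assumed placeholder (TEST-NET-3)
SGA_VPC_ID, WORKLOAD_VPC_ID = "vpc-sga0001", "vpc-wl0001"  # assumed IDs
# Assumed Internet-facing FRP8 ports; placeholders, not Frame's documented list.
EXPECTED_PUBLIC_PORTS = {("tcp", 443), ("udp", 3478)}


def cidr_conflicts(new_cidrs, existing_cidrs):
    """Return (new, existing) pairs whose address ranges overlap."""
    return [(n, e) for n in new_cidrs for e in existing_cidrs
            if ipaddress.ip_network(n).overlaps(ipaddress.ip_network(e))]


def _within(cidr, trusted):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(t)) for t in trusted)


def audit_security_group(sg, public_ports, trusted_cidrs):
    """Flag ingress wider than the design: anything open to the Internet
    beyond the expected ports, or a private source outside the trusted CIDRs."""
    findings = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        for rng in perm.get("IpRanges", []):
            src = rng["CidrIp"]
            if src == INTERNET:
                if proto == "-1":  # "all traffic" rule, no port range present
                    findings.append(f"{sg['GroupId']}: all traffic open to the Internet")
                    continue
                for port in range(perm["FromPort"], perm["ToPort"] + 1):
                    if (proto, port) not in public_ports:
                        findings.append(f"{sg['GroupId']}: {proto}/{port} open to the Internet")
            elif not _within(src, trusted_cidrs):
                findings.append(f"{sg['GroupId']}: untrusted source {src}")
    return findings


def check_default_route(route_table, vpc_id, nat_gateways):
    """VPC peering is not transitive, so a subnet's 0.0.0.0/0 route must target
    a NAT Gateway (or an IGW) in the same VPC. Returns None when sane, else a
    description of the problem."""
    nat_vpc = {n["NatGatewayId"]: n["VpcId"] for n in nat_gateways}
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != INTERNET:
            continue
        nat = route.get("NatGatewayId")
        if nat is None:
            igw = route.get("GatewayId", "").startswith("igw-")
            return None if igw else "default route has no NAT/IGW target"
        if nat_vpc.get(nat) != vpc_id:
            return f"default route targets {nat} in VPC {nat_vpc.get(nat)}, not {vpc_id}"
        return None
    return "no default route"


# --- constructed sample data (shape of describe-* output, trimmed) ----------
SGA_SG = {"GroupId": "sg-sga0001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
     "IpRanges": [{"CidrIp": ip} for ip in FRAME_PLATFORM_IPS]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": WORKLOAD_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": INTERNET}]},
    {"IpProtocol": "udp", "FromPort": 3478, "ToPort": 3478, "IpRanges": [{"CidrIp": INTERNET}]},
    # Deliberately out-of-policy rule so the audit has something to catch.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": INTERNET}]},
]}
NAT_GATEWAYS = [{"NatGatewayId": "nat-wl0001", "VpcId": WORKLOAD_VPC_ID},
                {"NatGatewayId": "nat-sga0001", "VpcId": SGA_VPC_ID}]
GOOD_SGA_RT = {"Routes": [
    {"DestinationCidrBlock": SGA_CIDR, "GatewayId": "local"},
    {"DestinationCidrBlock": WORKLOAD_CIDR, "VpcPeeringConnectionId": "pcx-0001"},
    {"DestinationCidrBlock": INTERNET, "NatGatewayId": "nat-sga0001"}]}
BAD_SGA_RT = {"Routes": [  # default route points at the NAT in the other VPC
    {"DestinationCidrBlock": INTERNET, "NatGatewayId": "nat-wl0001"}]}


if __name__ == "__main__":
    print(cidr_conflicts([WORKLOAD_CIDR, SGA_CIDR], ["10.0.0.0/16", "10.100.0.0/16"]))
    print(audit_security_group(SGA_SG, EXPECTED_PUBLIC_PORTS, [WORKLOAD_CIDR] + FRAME_PLATFORM_IPS))
    print(check_default_route(GOOD_SGA_RT, SGA_VPC_ID, NAT_GATEWAYS))
    print(check_default_route(BAD_SGA_RT, SGA_VPC_ID, NAT_GATEWAYS))
```

Against a real account you would feed the script the JSON from `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<sga-vpc>` and the matching `describe-route-tables` / `describe-nat-gateways` calls; the three checks are the ones I would run before pointing a corporate VPN or private route table at the new address space.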
Automating the deployment of SGAs with FRP8 gives Frame administrators a quick way to expose workloads on private IP address space to Internet users, with the SGA as the only Internet-facing component and FRP8 carried over the industry-standard WebRTC real-time protocol. As long as non-overlapping IP space is chosen, this configuration can then be integrated into the corporate private network through the usual VPN connections or private route tables.