
Networking in AWS

© 2019, Amazon Web Services, Inc. or its Affiliates.


Agenda

• Amazon VPC – Virtual Private Cloud
• VPC Building Blocks
• VPC Security
• VPC Connectivity Options
• Connect your Data Center to AWS
• Traffic Distribution


Amazon VPC



Amazon VPC - Virtual Private Cloud

Provision a logically isolated section of the AWS Cloud where you can launch
AWS resources in a virtual network that you define.

Bring your own network: IP addresses, subnets, network topology, routing rules, security rules.


Amazon Virtual Private Cloud (VPC)

Diagram: inside the AWS Cloud, a VPC labelled "Your Network goes here", alongside Amazon EC2, AWS Lambda, Amazon RDS, Amazon Redshift, Amazon DynamoDB and Amazon Simple Storage Service (S3).


VPC Building Blocks



How to segment my networks inside a VPC?
VPC Subnets

• You can add one or more subnets in each Availability Zone
• AZs provide fault isolation
• Subnets are allocated as a subset of the VPC CIDR range

Diagram: VPC 10.0.0.0/16; Availability Zone A holds Subnet A1 10.0.0.0/24 and Subnet A2 10.0.1.0/24; Availability Zone B holds Subnet B1 10.0.2.0/24 and Subnet B2 10.0.3.0/24.
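The allocation on this slide, carried out in code as an added example (this is not part of the original deck): the VPC CIDR 10.0.0.0/16 is carved into /24 subnets, two per Availability Zone, and the result is checked for the two mistakes that AWS rejects at creation time, a subnet outside the VPC range and two subnets that overlap. The AZ names, subnet names and the helper functions are constructed for illustration; the five reserved addresses per subnet are AWS behaviour, not something on the slide.

```python
"""Carve per-AZ subnets out of a VPC CIDR and validate the plan.

Added example, not from the original slide deck. Uses only the standard
library so it runs offline; subnet names and AZ labels are constructed.
"""
import ipaddress
from itertools import combinations

# AWS reserves five addresses in every subnet: network address, VPC router,
# DNS resolver, one address reserved for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, subnets_per_az, prefix_len):
    """Hand out consecutive /prefix_len blocks of vpc_cidr, AZ by AZ.

    Returns {"Subnet A1": IPv4Network(...), ...} in the order the slide shows:
    all of AZ A's subnets first, then AZ B's.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=prefix_len)  # generator of sub-blocks
    plan = {}
    for az in azs:
        for i in range(1, subnets_per_az + 1):
            plan[f"Subnet {az}{i}"] = next(blocks)
    return plan


def validate(vpc_cidr, plan):
    """Return a list of problems (empty list means the plan is acceptable).

    Two checks mirror what the VPC API enforces: every subnet must be a subset
    of the VPC CIDR, and no two subnets may overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(str(net)) for name, net in plan.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside {vpc}")
    for (n1, s1), (n2, s2) in combinations(nets.items(), 2):
        if s1.overlaps(s2):
            problems.append(f"{n1} {s1} overlaps {n2} {s2}")
    return problems


def usable_hosts(net):
    """Addresses an instance can actually take in an AWS subnet of this size."""
    return ipaddress.ip_network(str(net)).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["A", "B"], subnets_per_az=2, prefix_len=24)
    for name, net in plan.items():
        print(f"{name}: {net} ({usable_hosts(net)} usable addresses)")
    print("problems:", validate("10.0.0.0/16", plan) or "none")
```

Run it as a script to print the four subnets from the slide; `validate` is the function to keep around, since a subnet plan that overlaps or escapes the VPC CIDR is the usual cause of a failed `create-subnet` call.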


How to direct traffic out of my Subnets?
Subnets and Route Tables

• Each subnet can have a unique Route Table
• Route Tables direct traffic out of the VPC, towards:
  • Internet Gateway
  • Virtual Private Gateway
  • VPC Endpoints
  • Direct Connect
  • VPC Peering
  • AWS Transit Gateway
• Subnets are named "Public Subnets" when connected to an Internet Gateway

Diagram: a VPC with an Internet gateway and a router; two public subnets and one private subnet, each with its own route table; the private subnet connects to a corporate data center.
How to connect my VPC to the Internet?
Internet Gateway

• Horizontally scaled, redundant, highly available VPC component
• Connect your VPC Subnets to the Internet
• Must be referenced on the Route Table
• Performs NAT between Public and Private IP Addresses

Diagram: an Internet gateway attached to the VPC; in the public subnet an EC2 instance with private IP 10.0.0.1 and public IP 198.51.100.2; in the private subnet an EC2 instance with private IP 10.1.1.1; each subnet has a route table.
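The two slides above (route tables, and the Internet gateway that must be referenced from one) describe how the VPC router picks a target: the most specific matching route wins, and a subnet is public only because its route table carries a route to an Internet gateway. The following added example (not code from the deck) models that lookup and classifies subnets the way an audit script would; the route tables, CIDRs and target labels are constructed, not real AWS resource IDs.

```python
"""Longest-prefix-match route lookup and public/private subnet classification.

Added example, not from the original deck. Route tables are constructed and
the targets are descriptive labels rather than AWS resource IDs.
"""
import ipaddress

ROUTE_TABLES = {
    "public-rt": [
        ("10.0.0.0/16", "local"),                       # the VPC itself
        ("172.16.0.0/16", "vpc-peering"),               # a peered VPC (constructed)
        ("0.0.0.0/0", "internet-gateway"),              # everything else
    ],
    "private-rt": [
        ("10.0.0.0/16", "local"),
        ("192.168.0.0/16", "virtual-private-gateway"),  # corporate data center
    ],
}
SUBNETS = {"Public subnet": "public-rt", "Private subnet": "private-rt"}


def lookup(routes, dst_ip):
    """Return the target for dst_ip, or None when no route matches.

    The VPC router uses longest-prefix match: among all routes whose CIDR
    contains the destination, the one with the longest prefix wins, so the
    10.0.0.0/16 'local' route beats 0.0.0.0/0 for in-VPC traffic.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(routes):
    """A subnet is public when its route table has a route to an Internet gateway."""
    return any(target == "internet-gateway" for _, target in routes)


def classify_subnets(subnets, route_tables):
    """Map each subnet name to 'public' or 'private' from its route table."""
    return {name: ("public" if is_public(route_tables[rt]) else "private")
            for name, rt in subnets.items()}


if __name__ == "__main__":
    for subnet, rt in SUBNETS.items():
        for dst in ("10.0.1.5", "172.16.5.5", "192.168.1.10", "198.51.100.2"):
            print(f"{subnet}: {dst} -> {lookup(ROUTE_TABLES[rt], dst)}")
    print(classify_subnets(SUBNETS, ROUTE_TABLES))
```

Note that the private subnet gets `None` for an Internet destination: with no 0.0.0.0/0 route the packet is dropped at the router, which is exactly the property the next slides rely on for private subnets.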


How does my instance get an IP address?
Elastic IP Address

• Static, public IPv4 address, associated with your AWS account
• Can be associated with an instance or network interface
• Can be remapped to another instance in your account
• Useful for redundancy when Load Balancers are not an option

Diagram: two EC2 instances in the public subnet (private IPs 10.0.0.1 and 10.0.0.2) with Elastic IP 198.51.100.2 remapped from one to the other; an EC2 instance in the private subnet with private IP 10.1.1.1.


Can I have outbound only Internet access?
NAT Gateway

• Enable outbound connections to the internet
• No incoming connections - useful for OS/package updates, public web services access
• Fully managed by AWS
• Highly available
• Up to 10 Gbps bandwidth
• Supports TCP, UDP, and ICMP protocols
• Network ACLs apply to the NAT gateway's traffic

Diagram: a NAT gateway in the public subnet next to an EC2 instance, behind the Internet gateway; an EC2 instance in the private subnet with private IP 10.1.1.1 reaches the Internet through the NAT gateway via its route table.
Can I have one account owning the VPC, and others using it?
Shared VPC

• VPC Owner can create and edit VPC Components
• VPC Participants can launch resources in their assigned Subnets
• Each participant pays for their own resources and data transfer costs
• Based on AWS Resource Access Manager, under AWS Organizations

Diagram: AWS Account Alpha (VPC Owner) owns the VPC and can create/modify/delete Subnets, Route Tables, Network ACLs, VPC Peering, VPC Endpoints, Internet Gateways, NAT Gateways, Virtual Private Gateways and Transit Gateway attachments; AWS Account Beta (VPC Participant) runs an EC2 Instance and a Lambda function in Subnet Beta; AWS Account Gama (VPC Participant) runs an EC2 Instance and a Lambda function in Subnet Gama.


VPC Security



Can I filter traffic reaching my instances?
Security Groups

• Virtual stateful firewall
• Inbound and Outbound customer defined rules
• Instance/Interface level inspection
• Micro segmentation
• Mandatory, all instances have an associated Security Group
• Can be cross referenced
• Works across VPC Peering
• Only supports allow rules
• Implicit deny all at the end

Diagram: HTTPS (TCP 443) enters from the Internet gateway to Elastic Load Balancing (ELB) "Web ELB" in security group "Web ELB"; HTTP (TCP 80) goes from the ELB to the Amazon EC2 web servers in security group "Web Tier"; MySQL (TCP 3306) goes from the web servers to the MySQL DB on Amazon Aurora in security group "DB Tier".
Can I filter traffic on a subnet level?
Network Access Control List

• Inbound and Outbound
• Subnet level inspection
• Optional level of security
• By default, allow all traffic
• Stateless
• IP and TCP/UDP port based
• Supports allow and deny rules
• Deny all at the end

Diagram: NACL "External Access" on the public subnet allows HTTPS (TCP 443) from 0.0.0.0/0 to Amazon EC2; NACL "Database Access" on the private subnet allows MySQL (TCP 3306) from 10.0.0.0/16 to the MySQL DB on Amazon Aurora and blocks other IPs and other ports.
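The two slides above contrast the two filters, and the contrast is where misconfigurations come from: a security group is stateful, allow-only and can name another security group as a source, while a network ACL is stateless, evaluates numbered rules in order, accepts deny rules and ends in an implicit deny. The added example below (not code from the deck) models both over the three-tier diagram on the slides; the group names, rule sets, addresses and ports are constructed to match the diagram, and the connection-tracking and rule-ordering logic is a simplified model of the AWS behaviour, not an AWS API.

```python
"""Security group versus network ACL decisions on the same flows.

Added example, not from the original deck. Group names and rules are
constructed to mirror the slides' Web ELB / Web Tier / DB Tier diagram.
"""
import ipaddress

# ---- Security groups: stateful, allow rules only, implicit deny -----------
# Inbound rule: (protocol, port, source); source is a CIDR or the name of
# another security group (cross reference).
SECURITY_GROUPS = {
    "Web ELB":  {"inbound": [("tcp", 443, "0.0.0.0/0")]},
    "Web Tier": {"inbound": [("tcp", 80, "Web ELB")]},
    "DB Tier":  {"inbound": [("tcp", 3306, "Web Tier")]},
}


def _source_matches(rule_src, src_ip, src_groups):
    if "/" in rule_src:  # CIDR source
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)
    return rule_src in src_groups  # security-group source


def sg_allows(group_name, proto, port, src_ip, src_groups=()):
    """True when some inbound allow rule matches; otherwise implicit deny."""
    rules = SECURITY_GROUPS[group_name]["inbound"]
    return any(p == proto and dport == port and _source_matches(src, src_ip, src_groups)
               for p, dport, src in rules)


class StatefulTracker:
    """Simplified connection tracking: once a request is allowed in, the
    matching response is allowed out without any outbound rule."""

    def __init__(self):
        self.established = set()

    def inbound(self, group_name, proto, port, src_ip, src_port, src_groups=()):
        allowed = sg_allows(group_name, proto, port, src_ip, src_groups)
        if allowed:
            self.established.add((proto, src_ip, src_port, port))
        return allowed

    def outbound_response(self, proto, dst_ip, dst_port, src_port):
        return (proto, dst_ip, dst_port, src_port) in self.established


# ---- Network ACLs: stateless, numbered rules, first match wins ------------
# Rule: (rule_number, protocol, (port_from, port_to), cidr, action).
EXTERNAL_ACCESS = {
    "inbound":  [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    # Return traffic to clients' ephemeral ports must be allowed explicitly.
    "outbound": [(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")],
}
# Same inbound rule but no outbound rule: responses are silently dropped.
MISSING_EPHEMERAL = {"inbound": EXTERNAL_ACCESS["inbound"], "outbound": []}
DATABASE_ACCESS = {
    "inbound": [
        (50, "tcp", (3306, 3306), "10.0.5.0/24", "deny"),   # lower number wins
        (100, "tcp", (3306, 3306), "10.0.0.0/16", "allow"),
    ],
    "outbound": [(100, "tcp", (1024, 65535), "10.0.0.0/16", "allow")],
}


def nacl_decide(rules, proto, port, ip):
    """Evaluate rules in ascending number order; the first match decides."""
    for _, r_proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if (r_proto in (proto, "all") and lo <= port <= hi
                and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)):
            return action
    return "deny"  # the '*' rule at the end of every network ACL


def nacl_flow_allowed(acl, proto, server_port, client_ip, client_port):
    """Stateless: request and response are judged independently."""
    request = nacl_decide(acl["inbound"], proto, server_port, client_ip)
    response = nacl_decide(acl["outbound"], proto, client_port, client_ip)
    return request == "allow" and response == "allow"
```

The `MISSING_EPHEMERAL` case is the classic NACL failure mode: the inbound request is accepted, the instance answers, and the reply dies on the outbound side because nothing allows the client's ephemeral port. A security group never has this problem, which `StatefulTracker` shows, but it also cannot express the explicit deny that `DATABASE_ACCESS` rule 50 applies.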


VPC Connectivity Options



How to connect privately to public AWS Services?
VPC Endpoints and Amazon VPC PrivateLink

• Connect your VPC to:
  • Supported AWS services
  • VPC endpoint services powered by PrivateLink
• Doesn't require public IPs or Internet connectivity
• Traffic does not leave the AWS network
• Horizontally scaled, redundant, and highly available
• Robust access control

Diagram: a consumer VPC whose private subnet EC2 instance reaches Amazon Simple Storage Service (S3) and AWS Key Management Service through VPC Endpoints, and reaches a VPC Endpoint Service in a provider VPC, where a Network Load Balancer (NLB) fronts EC2 instances in a public subnet.


How to connect directly to other VPCs?
VPC Peering

• Scalable and highly available
• Inter-account peering
• Same or different AWS Regions
• Bi-directional traffic
• Remote Security groups can be referenced
• Routing policy with Route Tables
• Not all subnets need to connect to each other
• No transitive routing, requires full-mesh to interconnect multiple VPCs
• No support for overlapping IP addresses

Diagram: two VPCs joined by VPC Peering, each with a public subnet and a private subnet holding EC2 instances, each subnet with its own route table.
How to connect multiple VPCs together?
AWS Transit Gateway

• Connect thousands of VPCs across accounts
• Connect your VPCs and on-premises through a single gateway
• Centralize VPN and AWS Direct Connect connections
• Control segmentation and data flow with Routing Tables
• Hub and Spoke design
• Up to 50 Gbps per VPC connection (burst)

Diagram: an AWS Transit Gateway as the hub, with Routing Domain A and Routing Domain B each backed by its own Route table, connecting several VPCs and a Shared Services VPC.
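The peering and Transit Gateway slides above make three claims worth checking mechanically: peering refuses overlapping CIDRs, peering is not transitive (so n VPCs need n(n-1)/2 peerings for full connectivity), and a Transit Gateway replaces that mesh with one attachment per VPC plus route tables that segment traffic. The added example below (not code from the deck) does those checks; the VPC list, the peering list and the routing-domain membership are constructed, and the routing-domain model is a simplification in which every VPC in a domain can reach every other VPC in that domain.

```python
"""Overlap check, mesh arithmetic and reachability for peering versus TGW.

Added example, not from the original deck. VPC names, CIDRs, peerings and
routing domains are constructed; the routing-domain model is simplified.
"""
import ipaddress
from itertools import combinations

VPCS = {
    "shared-services": "10.0.0.0/16",
    "prod": "10.1.0.0/16",
    "dev": "10.2.0.0/16",
    "partner": "10.1.128.0/17",   # constructed to overlap 'prod'
}

# Hub-and-spoke peerings: everyone peers with shared services, nothing else.
PEERINGS = [("prod", "shared-services"), ("dev", "shared-services")]

# Transit Gateway routing domains (simplified: a domain is a set of VPCs that
# can all reach each other; a VPC may sit in several domains).
ROUTING_DOMAINS = {
    "A": {"prod", "shared-services"},
    "B": {"dev", "shared-services"},
}


def overlapping_pairs(vpcs):
    """Pairs of VPC names whose CIDRs overlap; peering would be rejected."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return sorted((a, b) for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
                  if na.overlaps(nb))


def full_mesh_peerings(n):
    """Peering connections needed so that n VPCs can all reach each other."""
    return n * (n - 1) // 2


def transit_gateway_attachments(n):
    """Attachments needed for the same n VPCs through one Transit Gateway."""
    return n


def reachable_via_peering(peerings, src, dst):
    """No transitive routing: only a direct peering makes dst reachable."""
    return frozenset((src, dst)) in {frozenset(p) for p in peerings}


def reachable_via_tgw(domains, src, dst):
    """Reachable when some routing domain contains both VPCs."""
    return src != dst and any(src in members and dst in members
                              for members in domains.values())


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(VPCS))
    for n in (3, 10, 50):
        print(f"{n} VPCs: {full_mesh_peerings(n)} peerings vs "
              f"{transit_gateway_attachments(n)} TGW attachments")
    print("prod -> dev via peering:", reachable_via_peering(PEERINGS, "prod", "dev"))
    print("prod -> dev via TGW:", reachable_via_tgw(ROUTING_DOMAINS, "prod", "dev"))
```

With the constructed domains, prod and dev both reach shared services but not each other over the Transit Gateway, which is the segmentation the slide attributes to its routing tables; with hub-and-spoke peering they cannot reach each other either, but only because peering is not transitive, not because anyone chose that policy.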
Connect Your Data Center to AWS



How to connect my Datacenter to AWS over the Internet?
AWS Virtual Private Network

• One VGW (Virtual Private Gateway) per VPC
• Redundant IPSec VPN Tunnels
  • Terminating in different AZs
• IPSec
  • AES 256-bit encryption
  • SHA-2 hashing
• Scalable
• BGP or Static Routing

Diagram: a VPC spanning Availability Zone 1 and Availability Zone 2 with a VGW (Virtual Private Gateway); a VPN Connection over the Internet to the Customer gateway in the Corporate data center.


How to connect my Datacenter to AWS over dedicated circuits?
AWS Direct Connect

• Dedicated network connection from your premises to AWS
• Dedicated Connection (1/10 Gbps, Multiple VIFs)
• AWS Partner Hosted Connection (50 Mbps to 10 Gbps, Single VIF)
• Consistent Network Performance
• More consistent network experience
• Reduced egress data charges
• Connect to 90+ Direct Connect Locations across the globe

Diagram: the Corporate data center's Customer gateway connects to the AWS DX Device at a Direct Connect Location, which carries AWS Direct Connect into the AWS Cloud.
How to add redundancy to my dedicated circuits?
AWS Direct Connect

• For redundancy, DX can be deployed with single or multiple:
  • Circuits
  • Providers
  • Customer Gateways
  • Direct Connect Locations
  • Customer data centers
• BGP Routing for redundancy
• AWS VPN can also be used as backup path

Diagram: two Direct Connect Locations, each with two AWS DX Devices, linked to two Corporate data centers, each with its own Customer gateway, all carrying AWS Direct Connect into the AWS Cloud.


How to access my VPCs or AWS Public Services over my DX?
AWS Direct Connect

• VIFs: Virtual Interface
  • Private VIFs
    • Access to VPC IP address
  • Public VIFs
    • Access to AWS Public IP address space

Diagram: from the Corporate data center's Customer gateway through the AWS DX Device at the Direct Connect Location, Private Virtual Interfaces terminate on the Virtual Private Gateways of VPC 1A and VPC 1B, and a Public Virtual Interface reaches Public AWS Services such as Amazon Simple Storage Service (S3).
How to connect to multiple AWS Regions/Accounts over DX?
AWS Direct Connect Gateway

• Global resource
• Connect to multiple VPCs
• VPCs can be on same or different
  • Regions
  • Accounts (same Payer ID)
• Enables traffic flow from the VPC to the DX connection
• For VPC to VPC Traffic, consider using AWS Transit Gateway

Diagram: an AWS Direct Connect Gateway with Private Virtual Interfaces to VPC 1A and VPC 1B in Region 1 and VPC 2A in Region 2, reached from the Corporate data center's Customer gateway through the AWS DX Device at the Direct Connect Location.
How to connect at scale across accounts/Regions?
AWS DX Gateway + AWS Transit Gateway

• Transit VIF
  • Connects to an AWS Transit Gateway
• Simplify your network architecture and management overhead
• Create a hub-and-spoke model that spans multiple
  • VPCs
  • Regions
  • AWS accounts

Diagram: the Corporate data center's Customer gateway reaches the AWS DX Device at the Direct Connect Location; a Transit VIF over the AWS Direct Connect Gateway connects to an AWS Transit Gateway serving VPC 1A and VPC 1B in Region 1 and VPC 2A in Region 2.
Traffic Distribution



How to scale my app horizontally inside my VPC?
Elastic Load Balancing

• Distributes incoming application or network traffic across multiple targets
  • EC2 instances
  • Containers
  • IP address
• Multiple Availability Zones
• Scales automatically
• Auto Scaling Groups can add or remove instances as required
  • Automatically register to the Load Balancer

Diagram: behind the Internet gateway, Elastic Load Balancing (ELB) in front of an Auto Scaling Group of four EC2 Instances; a second ELB and Auto Scaling Group of four EC2 Instances show the group growing as instances are added.


Elastic Load Balancing
Features Comparison

Feature                               Application Load Balancer   Network Load Balancer
Protocols                             HTTP, HTTPS                 TCP
Platforms                             VPC                         VPC
Health checks                         √                           √
CloudWatch metrics                    √                           √
Logging                               √                           √
Path-Based Routing                    √
Host-Based Routing                    √
Native HTTP/2                         √
Configurable idle connection timeout  √
SSL offloading                        √
Server Name Indication (SNI)          √
Sticky sessions                       √
Back-end server encryption            √
Static IP                                                         √
Elastic IP address                                                √
Preserve Source IP address                                        √
How to resolve my Domain Names to IP Addresses?
Amazon Route 53

• AWS DNS service
• Domain Registration
• Domain name resolution
• 100% availability SLA
• Health Checks
• DNS Failover
• Latency Based Routing
• Geo Based Routing
• Weighted Round Robin
• Private DNS for VPC

Diagram: a DNS Resolution Request reaches Amazon Route 53, which asks whether the Main Site is Healthy; if Yes, traffic is split between App Version A (95% Traffic) and App Version B (5% Traffic) for A/B Testing in Region us-east-1 (N. Virginia); if No, traffic goes to the App DR in Region us-west-2 (Oregon); each app sits behind an Elastic Load Balancer in front of a Web Service.
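The diagram on this slide combines two Route 53 routing features, weighted round robin (95% / 5% between two app versions) and health-check driven failover to a DR site. The added example below (not code from the deck, and not the Route 53 API) implements that decision as a resolver would make it; record names, weights, regions and health states are constructed to mirror the diagram, and weight handling is a simplified model in which unhealthy or zero-weight records are simply excluded.

```python
"""Weighted record selection with health checks and failover to a DR record.

Added example, not from the original deck. Records, weights and health states
are constructed to mirror the slide's A/B split and DR failover.
"""
import random

# Constructed weighted record set for the main site.
PRIMARY = [
    {"name": "app-version-a", "region": "us-east-1", "weight": 95, "healthy": True},
    {"name": "app-version-b", "region": "us-east-1", "weight": 5, "healthy": True},
]
# Constructed secondary (DR) record used only when the primary set is down.
SECONDARY = {"name": "app-dr", "region": "us-west-2", "weight": 100, "healthy": True}


def choose_weighted(records, rnd=random.random):
    """Pick one healthy record with probability proportional to its weight.

    Health checks run first: an unhealthy record is dropped before the weights
    are normalised, so the remaining records absorb its share. Returns None
    when nothing healthy is left. rnd() must return a float in [0, 1).
    """
    candidates = [r for r in records if r["healthy"] and r["weight"] > 0]
    total = sum(r["weight"] for r in candidates)
    if total == 0:
        return None
    point = rnd() * total
    for r in candidates:
        point -= r["weight"]
        if point < 0:
            return r
    return candidates[-1]  # guards against floating-point rounding at the edge


def resolve(primary, secondary, rnd=random.random):
    """DNS failover: answer from the primary set while any record in it is
    healthy, otherwise answer with the secondary record if it is healthy."""
    chosen = choose_weighted(primary, rnd)
    if chosen is not None:
        return chosen
    return secondary if secondary["healthy"] else None


def observed_split(records, samples=10000, seed=1):
    """Fraction of answers each record received over `samples` resolutions."""
    rnd = random.Random(seed).random
    counts = {}
    for _ in range(samples):
        r = choose_weighted(records, rnd)
        counts[r["name"]] = counts.get(r["name"], 0) + 1
    return {name: n / samples for name, n in counts.items()}


if __name__ == "__main__":
    print("split while both healthy:", observed_split(PRIMARY))
    degraded = [dict(PRIMARY[0], healthy=False), PRIMARY[1]]
    print("split with version A unhealthy:", observed_split(degraded))
    down = [dict(r, healthy=False) for r in PRIMARY]
    print("answer when the main site is down:", resolve(down, SECONDARY)["name"])
```

The `rnd` parameter exists so the choice is testable with a fixed value; the degraded case shows the property that matters operationally: when version A fails its health check, the 5% record silently becomes 100% of the traffic, so a canary must be sized to survive that before it is put into a weighted set.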
Can I improve availability and performance of my global services?
AWS Global Accelerator

• Uses AWS Global Network from Edge to Region
• Client traffic ingresses via closest available Edge location
• Route client to closest healthy endpoint
• No DNS switchover required, same IP address globally
• Static IP Anycast

Diagram: Users in US and Users in Europe both resolve www.example.com to IP 198.51.100.2; traffic enters AWS Global Accelerator at the nearest Edge location and follows a Redundant path across the AWS Cloud to an Elastic Load Balancer and Service in Region us-east-1 (N. Virginia) or Region eu-west-1 (Ireland).


Questions?
