Aws Networking Fundamentals
Tom Adamski
Specialist Solutions Architect, AWS
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traditional Network
(diagram: sites connected over a WAN by VPN and fiber links, with applications at each site)
AWS Network
(diagram: the same picture mapped to AWS: VPN and AWS Direct Connect over the WAN, VPC Peering in place of the fiber link, applications in VPCs)
What is an Amazon Virtual Private Cloud (VPC)?
Creating an Internet-connected VPC: Steps
(diagram: a VPC with an Internet gateway, IGW)
Choosing an IP address range
CIDR notation review
172.31.0.0/16
1010 1100 . 0001 1111 . 0000 0000 . 0000 0000
(the /16 prefix means the first 16 bits, 172.31, are the network part and the remaining 16 bits are the host part)
Choosing an IP address range for your VPC
Example: 172.31.0.0/16
Recommended: a /16 (65,536 addresses) taken from an RFC1918 range
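Added example, not from the deck: checking a candidate VPC CIDR against the slide's recommendation with Python's standard ipaddress module: the binary rendering from the CIDR review slide, address count, RFC1918 membership, the /16 to /28 VPC size limit, and overlap against existing CIDRs (a secondary VPC CIDR or a peering partner must not overlap). The /16 to /28 limit and the no-overlap rule are documented Amazon VPC constraints, assumed unchanged here.

```python
import ipaddress

# RFC1918 private ranges: the ranges the slide recommends choosing from
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dotted_binary(addr):
    """Render an IPv4 address as four 8-bit groups, as on the CIDR review slide."""
    return " ".join(f"{octet:08b}" for octet in addr.packed)


def describe_vpc_cidr(cidr):
    """Summarise a candidate VPC CIDR: binary form, size, RFC1918 membership.

    The /16 to /28 size window is the documented Amazon VPC limit (assumption:
    unchanged since the deck was written).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "binary": dotted_binary(net.network_address),
        "prefix_len": net.prefixlen,
        "addresses": net.num_addresses,
        "rfc1918": any(net.subnet_of(r) for r in RFC1918),
        "vpc_size_ok": 16 <= net.prefixlen <= 28,
    }


def conflicts(candidate, existing):
    """Return the existing CIDRs that overlap the candidate.

    An overlapping range cannot be added as a secondary VPC CIDR and cannot be
    reached over VPC peering, so this is the check to run before either.
    """
    cand = ipaddress.ip_network(candidate)
    return [e for e in existing if cand.overlaps(ipaddress.ip_network(e))]


if __name__ == "__main__":
    print(describe_vpc_cidr("172.31.0.0/16"))
    # secondary CIDR from the expansion slide against the original VPC CIDR
    print(conflicts("172.21.0.0/16", ["172.31.0.0/16"]))
```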
IPv6 in Amazon VPC – Dual-stack
IPv4 CIDR: 172.31.0.0/16
IPv6 CIDR: 2001:db8:1234:1a00::/56
Associate a /56 IPv6 CIDR (automatically allocated) from Amazon Global Unicast Addresses (GUA), which are Internet routable
Subnets
(diagram: a subnet inside the VPC)
VPC subnets and Availability Zones
(diagram: VPC 172.31.0.0/16 with subnets spread across Availability Zones)
Expand your existing Amazon VPC
(diagram: VPC CIDR 172.31.0.0/16 with four subnets, one instance in each)
Instance A 172.31.1.11/24 (subnet 172.31.1.0/24)
Instance B 172.31.2.22/24 (subnet 172.31.2.0/24)
Instance C 172.31.3.33/24 (subnet 172.31.3.0/24)
Instance D 172.31.4.44/24 (subnet 172.31.4.0/24)
(diagram: the VPC CIDR 172.31.0.0/16 expanded with a secondary CIDR, 172.21.0.0/16)
VPC subnet recommendations
Route to the Internet (IGW)
Routing in your VPC
Traffic destined for my VPC stays in my VPC
Internet gateway
Everything that isn’t destined for the VPC: send to the Internet
Network security in your VPC: Security groups
Security groups follow application structure
(diagram: a security group rule allowing web traffic from 0.0.0.0/0)
Security groups example: Web servers
Rule descriptions
Security groups example: Backends
AWS Network - Progress
(progress marker: the AWS network diagram from the introduction, with VPN, AWS Direct Connect, VPC Peering and applications)
Beyond Internet connectivity
(diagram: a subnet inside the VPC)
Restricting Internet access: Routing by subnet
(diagram: a subnet inside the VPC)
Routing by subnet
(diagram: a public subnet and a private subnet in the same VPC)
Outbound-only internet access: NAT gateway
(diagram: the private subnet’s 0.0.0.0/0 route points at a NAT gateway in the public subnet; the public subnet’s 0.0.0.0/0 route points at the IGW)
Inter-VPC connectivity: VPC peering
Example VPC peering use: Shared services VPC
Shared services hosted in the shared VPC:
• Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
(diagram: VPCs A 172.16.0.0/16, B 10.0.0.0/16, C 192.168.0.0/16, D 10.2.0.0/16, E 10.3.0.0/16, F 172.17.0.0/16 and G 10.4.0.0/16, all with non-overlapping CIDRs, peered with the shared services VPC)
Establish a VPC peering
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Create a route: traffic destined for the peered VPC should go to the peering connection
Security groups across peered VPCs
(diagram: VPC 172.31.0.0/16 and VPC 10.55.0.0/16 joined by VPC Peering, with an ALLOW rule between the Orange Security Group and the Blue Security Group)
Inter-Region VPC Peering
(diagram: VPC A peered with VPC B in another region)
Some notes…
AWS Network - Progress
Connecting to on-premises networks: AWS Virtual Private Network and AWS Direct Connect
Extend an on-premises network into your VPC
(diagram: VPN and AWS Direct Connect links from the on-premises network to the VPC)
AWS VPN basics
(diagram: VPC 172.31.0.0/16 with a Virtual Private Gateway on the AWS side, on-premises network 192.168.0.0/16 with a Customer Gateway on the customer side; the on-premises side presents the 192.168/16 prefix)
AWS Direct Connect Gateway
(diagram, built up over three slides)
• The on-premises network 192.168.0.0/16 connects at a Direct Connect Location (London) over a Private Virtual Interface, which is attached (“Attachment”) to a Direct Connect Gateway
• The Direct Connect Gateway is associated (“Association”) with the VGW of VPC 172.31.0.0/16 in EU-WEST-1
• A second association adds the VGW of VPC 172.16.0.0/16 in EU-CENTRAL-1 to the same Direct Connect Gateway
• A second Direct Connect Location (Frankfurt) connects to the same Direct Connect Gateway
Direct Connect Gateway: traffic flows
(diagram: traffic flows between the Direct Connect locations and the associated VPCs through the Direct Connect Gateway)
AWS VPN and AWS Direct Connect
AWS Network - Progress
AWS Services
(diagram: two VPCs)
AWS Services in your VPC
Example: Amazon RDS Database in your VPC
Example: Application Load Balancer in your VPC
AWS Services outside your VPC
VPC Endpoints for AWS Services
Amazon S3 and your VPC
(diagram: your applications run in the VPC, your data lives in an S3 bucket outside it)
Gateway VPC Endpoints
VPC Endpoints: Amazon S3 and DynamoDB
(diagram: the VPC reaching an S3 bucket through a gateway endpoint)
IAM policy for VPC Endpoints
(diagram: an endpoint policy controlling access from the VPC endpoint to an S3 bucket)
AWS PrivateLink for AWS Services
(diagram: an interface endpoint for the EC2 APIs with endpoint network interfaces at private IPs 172.31.1.6 and 172.31.2.10, one per Availability Zone)
Endpoint DNS names:
vpce-….ec2.eu-west-1.vpce.amazonaws.com (regional)
vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com (zonal)
vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com (zonal)
Service DNS name: ec2.eu-west-1.amazonaws.com
AWS PrivateLink for Customer & Partner Applications
Share services privately and securely between VPCs, AWS accounts, and on-premises networks
VPC Flow Logs
(diagram: subnet 172.31.1.0/24 in AZ A)
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
VPC Flow Logs: Setup
VPC Flow Logs data in CloudWatch Logs
(diagram: flow log records in CloudWatch Logs, one showing traffic to UDP port 27015 with action REJECT)
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
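Added example, not part of the deck: answering the slide’s “Who’s this?” question offline by parsing default-format VPC flow log records (the version 2 field order AWS publishes) and counting REJECTed flows to UDP port 27015 by source address. The sample records, account id and interface id are constructed placeholders.

```python
from collections import Counter
from typing import NamedTuple

# Default VPC flow log record format (version 2), space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers used in the records


class FlowRecord(NamedTuple):
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    action: str


def parse_record(line):
    """Parse one default-format record; NODATA/SKIPDATA lines carry '-' fields and are dropped."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]), int(rec["dstport"]),
                      PROTO.get(int(rec["protocol"]), rec["protocol"]), rec["action"])


def rejected_sources(lines, protocol="UDP", dstport=27015):
    """Count REJECTed flows to one protocol/port per source address, most frequent first."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec.action == "REJECT" and rec.protocol == protocol and rec.dstport == dstport:
            hits[rec.srcaddr] += 1
    return hits.most_common()


# Constructed sample records (documentation addresses, placeholder account/interface ids)
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.1.10 51234 27015 17 1 64 1520000000 1520000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.1.10 51235 27015 17 1 64 1520000060 1520000120 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 172.31.1.10 40001 27015 17 1 64 1520000000 1520000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 172.31.1.10 40002 443 6 10 5200 1520000000 1520000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1520000000 1520000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for src, n in rejected_sources(SAMPLE):
        print(f"{src}: {n} rejected UDP/27015 flows")  # the address to look up with dig -x
```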
The VPC Network
VPC Network Security
VPC Connectivity
On-Instance Networking Improvements
(timeline of compute instance generations)
• C1: 1 Gbps
• CC1: 10 Gbps
• C3: Enhanced networking, 20x PPS, <100-µs latency
• C4: EBS optimized by default
• C5: Elastic Network Adapter, 25 Gbps, <50-µs latency
Instance Bandwidth Limits
Amazon Time Sync Service
Thank You!
Tom Adamski
Specialist Solutions Architect