Professional Documents
Culture Documents
REPEAT 2 AWS Networking Fundamentals NET201-R2
REPEAT 2 AWS Networking Fundamentals NET201-R2
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS global infrastructure
AWS Region
US-EAST-1
Availability Zone (AZ)
US-EAST-1
Instance Instance
Instance Instance
US-EAST-1
VPC
Instance Instance
Instance Instance
US-EAST-1
VPC
Instance Instance
Instance Instance
Amazon Virtual Private Cloud (Amazon VPC)
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Subnets
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
VPC
Instance Instance
Instance Instance
Gateways, endpoints & peering
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Instance Instance
Instance Instance
Example web application
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
ELB
Web Server
Security Group
App Server
Security Group
Application Application
Server Server
IP addressing
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
• RFC1918
• 192.168.0.0 /16
• 172.16.0.0 /12
• 10.0.0.0 /8
• How much ?
• /16
• /28
Where to use IPv4 addresses ?
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Subnet Subnet
172.31. 172.31.
Subnet Subnet
172.31. 172.31.
IPv6 basics
IPv6: Colon-Separated Hextet Notation + CIDR
2001:0db8:0ec2:0000:0000:0000:0000:0001/64 0000:0000:0000:0000:0000:0000:0000:0001/128
2001:db8:ec2:0:0:0:0:1/64 0:0:0:0:0:0:0:1/128
2001:db8:ec2::1/64 ::1/128
Unicast Addresses
Loopback Address ::1
Link Local Address (LLA) fe80::/10 (fe80::/64 in practice)
Global Unicast Address (GUA) 2600:1f16:14d:6300::/64
VPC
Subnet Subnet
172.31. 172.31.
2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64
Subnet Subnet
172.31. 172.31.
2600:1f16:14d:6328::/64 2600:1f16:14d:6329::/64
2600:1f16:14d:6300::/56
The “5 Things” required for Internet traffic
1. Public IP Address
2. Internet Gateway Attached to a VPC
3. Route to an Internet Gateway
4. NACL Allow Rule
5. Security Group Allow Rule
Public IP addresses for your instances
• Auto-assign public IP addresses
VPC
Subnet Subnet
Subnet Subnet
Gateways, endpoints & peering
Customer Gateway VPN Gateway NAT Gateway Internet Gateway AWS Transit Gateway Endpoints Peering connection
Internet access
Internet access
Different routes for different subnets
Public subnet
Private subnet
Public & private subnets
Private subnet Public subnet
Network Address Translation (NAT) Gateway
Private subnet Public subnet
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network security
• Network ACLs
• Security Groups
• VPC Flow Logs
• Amazon VPC Traffic Mirroring
Network ACLs
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Application Application
Server Server
Security groups – Inbound
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Web Server
Security Group
sg-0f004ca5495132527
Web Server Web Server
App Server
Security Group
sg-090a960aee374b3cd
Application Application
Server Server
Security groups – Outbound
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Web Server
Security Group
sg-0f004ca5495132527
Web Server Web Server
App Server
Security Group
sg-090a960aee374b3cd
Application Application
Server Server
VPC flow logs
• Amazon CloudWatch Logs or Amazon S3
Filter 1
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
High availability & scale
Web Server
Elastic Load Balancing
Web Server
Web Server
Elastic Load Balancing
Elastic Load Balancing (ELB) distributes incoming application or network Web Server
IP Target
Listener
Health check
Forward /img/*
Target Group
Target
default
Web Server
Elastic Load Balancing
Web Server
Health check
Example web application
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
ELB
Web Server
Security Group
App Server
Security Group
Application Application
Server Server
Example web application – Final
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
ELB
Web Server
Security Group
App Server
Security Group
Application Application
Server Server
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connecting between VPCs
AWS Cloud
VPC VPC
VPC
VPC peering – same region
AWS Cloud
VPC VPC
VPC
VPC peering – same region
AWS Cloud
VPC VPC
Peering
VPC
VPC peering – same region
AWS Cloud
VPC
Peering
VPC
VPC peering – same region
AWS Cloud
Peering
VPC VPC
Peering Peering
VPC
VPC peering – same region
AWS Cloud
Peering
VPC VPC
Peering Peering
VPC
VPC peering – same region
AWS Cloud
Peering
VPC VPC
Peering Peering
VPC
VPC peering – same region
AWS Cloud
Peering
VPC VPC
Peering
VPC
VPC peering – same region
AWS Cloud
Peering
VPC VPC
Peering
VPC
VPC peering – different region
VPC peering – different account
VPC peering – things to know
• Can reference security groups from the peer VPC in the same region
VPC 10.0.0.0/16
Corporate Data Center
172.16.0.0/16
Virtual Private
Gateway
AWS site-to-site VPN – CGW
VPC 10.0.0.0/16
Corporate Data Center
172.16.0.0/16
I don’t…
VPC 10.0.0.0/16 I know how to get to
172.16.0.0/16 Corporate Data Center
172.16.0.0/16
VPC 10.0.0.0/16
Corporate Data Center
172.16.0.0/16
VPC 10.0.0.0/16
Corporate Data Center
1 Tunnel always preferred 172.16.0.0/16
AWS
Customer Customer
Router
Router Router
Direct Connect
Location
AWS Direct Connect – Interface types
Region
VPC
10.1.0.0/16
AWS
Customer Customer
Router
Router Router
Region
Direct Connect
VPC
10.2.0.0/16 Location
Direct
Connect
Gateway
Route propagation
• Enable propagation on the Route Table
• Automatically populates with anything the VGW learns via BGP
DX or S2S VPN
AWS Direct Connect – Public VIF
Amazon DynamoDB
Corporate Data Center
Amazon Simple Storage Public Virtual 172.16.0.0/16
Service (Amazon S3) Interface
Amazon CloudWatch
AWS
Customer Customer
Router
Router Router
Direct Connect
VPC
10.2.0.0/16 Location
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Interconnecting VPCs at scale – VPC peering
AWS Cloud
Peering
VPC VPC
Peering Peering
VPC
Interconnecting VPCs at scale – VPC peering
AWS Cloud
VPC
Peering VPC
Peering VPC
Peering Peering
Multiple VPCs access models – AWS Transit Gateway
AWS Cloud
VPC
Corporate Data Center
VPN Attachment 172.16.0.0/16
VPC
Region
Direct Connect
VPC
10.2.0.0/16 Location
AWS
Transit
Gateway DX
Gateway
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Route 53 Resolver
• VPC+2 Resolver VPC 10.0.0.0/16
• enableDnsHostnames
Instance
• enableDnsSupport
10.0.0.2
Route 53 Resolver
example.demohostedzone.org
Private Hosted→
172.31.0.99 Zone
Associating private hosted zones to multiple VPCs
Instance Instance
10.0.0.2 10.1.0.2
Route 53 Resolver Route 53 Resolver
VPC 10.0.0.0/16
Corporate Data Center
172.16.0.0/16
Route 53
Resolver
Inbound ENI
Server
10.0.0.2
Route 53 Resolver
PRIVATE HOSTED
ZONE: example.aws
Resolving on-premise domains from AWS – Route 53
Resolver
VPC 10.0.0.0/16
Corporate Data Center
172.16.0.0/16
Route 53
Resolver
Instance Outbound ENI
Server
10.0.0.2
Route 53 Resolver
PRIVATE ZONE:
example.internal
RESOLVER RULE:
FORWARD: example.internal
TO: Server
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Other AWS services in your VPC
• Amazon Relational Database Service (Amazon RDS)
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Subnet Subnet
Instance Instance
SERVICE VPC
Subnet Subnet
P S
Amazon RDS Amazon RDS
instance instance
Other AWS services in your VPC
• Amazon Relational Database Service (Amazon RDS)
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Subnet Subnet
Instance Instance
SERVICE VPC
Subnet Subnet
P S
Amazon RDS Amazon RDS
instance instance
Other AWS services in your VPC
• Amazon WorkSpaces
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Subnet Subnet
Instance Instance
SERVICE VPC
Subnet Subnet
Streaming
Gateway
Other AWS services in your VPC
• Amazon WorkSpaces
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Subnet Subnet
Instance Instance
SERVICE VPC
Subnet Subnet
Streaming
Gateway
Other AWS services in your VPC
• AWS Lambda
• VPC-2-VPC NAT (V2N) Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC
Subnet Subnet
Instance Instance
VPC
Amazon S3
Instance Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance
Route Table
Private subnet (Main) Private subnet
Gateway
VPC Endpoint
DynamoDB
Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance
Gateway VPC endpoints
US-EAST-1
VPC
Amazon S3
Instance
Route Table
Private subnet (Main) Private subnet
DynamoDB
Instance
Interface VPC endpoints (AWS PrivateLink)
US-EAST-1
Amazon CloudWatch
Amazon Kinesis
Private subnet Private subnet Data Streams
sqs.us-east-1.amazonaws.com ?
Amazon CloudWatch
52.94.242.77
Instance Instance AWS CodeCommit
Amazon Kinesis
Private subnet Private subnet Data Streams
sqs.us-east-1.amazonaws.com ?
Amazon CloudWatch
52.94.242.77
Instance Instance AWS CodeCommit
Amazon Kinesis
Private subnet Private subnet Data Streams
Amazon CloudWatch
Amazon Kinesis
Private subnet Private subnet Data Streams
sqs.us-east-1.amazonaws.com ?
Amazon CloudWatch
172.31.1.5 / 172.31.2.7
Instance Instance AWS CodeCommit
Amazon Kinesis
Private subnet Private subnet Data Streams
Instance Instance
Availability Zone
US-EAST-1B
Corporate Data Center
172.16.0.0/16
VPC (10.50.0.0/16)
Private subnet
Instance
Private subnet DX
Network or
Load VPN
Balancer
Endpoint policies
• A VPC endpoint policy is an AWS Identity and Access Management (IAM) resource
policy that you attach to an endpoint
• An endpoint policy does not override or replace IAM user policies or service-
specific policies (such as S3 bucket policies)
Example for S3
• IAM policy at VPC endpoint: You may only access the “Data” bucket
• IAM policy at S3 bucket: Access to this bucket is only allowed from VPCE-X
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Your VPC Availability Zone
US-EAST-1A
IGW
Availability Zone
US-EAST-1B
VPC VPC
NAT-GW NAT-GW Amazon S3
VPCE
Public subnet Public subnet
ELB
VPC
PEERING Web Server Web Server
VPN
CGW
ENI’s
P S D
VPC+2
Route 53 Resolver X VIF
G
PRIVATE VGW AWS Transit Gateway W
HOSTED
ZONES VPN
LAMBDA WORKSPACES CGW
Security IGW VPC Flow Logs
Availability Zone Availability Zone
US-EAST-1A US-EAST-1B
VPC VPC
NAT-GW NAT-GW Amazon S3
VPCE
Public subnet Public subnet
ELB
Web Server
VPC Security Group
PEERING Web Server Web Server
PrivateLink VPC
Private subnet Private subnet
App Server
Security Group
Application Application
Server Server
AWS Transit
Gateway
Related sessions
Tuesday
• NET317-R Connectivity to AWS and hybrid AWS network architectures
• NET320-R1 The right AWS network architecture for the right reason
Wednesday
• NET305-R1 Advanced VPC design and new capabilities for Amazon VPC
• NET203-L Leadership session: Networking
Thursday
• NET339 Innovation and operation of the AWS global network infrastructure
• NET322-R1 Shared VPC: Simplify your AWS Cloud scale network with VPC sharing
Learn networking with AWS Training and Certification
Resources created by the experts at AWS to help you build and validate networking skills
Visit aws.amazon.com/training/paths-specialty
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
Alan Halachmi Steve Seymour
Director, Public Sector WW Tech Leader, Networking
AWS Solutions Architecture AWS Solutions Architecture
Amazon Web Services Amazon Web Services
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.