Exploring The Fundamentals of AWS Networking SVC205
SUMMIT
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introductory - 200
“These sessions provide an overview of AWS services and features, and they assume that attendees are new to the topic. These sessions highlight basic use cases, features, functions, and benefits.”
[Slide: agenda diagram showing an AWS Region, the internet and AWS Global Accelerator]
What is a VPC?
VPC concepts and fundamentals
Choosing an IP address range
Choosing an IP address range for your VPC
Example: 172.31.0.0/16
Recommended: an RFC 1918 range
Creating subnets in a VPC
VPC subnets and Availability Zones
[Slide: the 172.31.0.0/16 VPC split into subnets, each subnet living in one Availability Zone]
IPv6 in your VPC
• Can have a dual-stack VPC by adding an IPv6 CIDR (AWS-provided IPv6 addresses are public; an egress-only internet gateway gives private subnets outbound-only IPv6 access)
• Fixed sizes for VPC and subnets: the VPC gets a /56, each subnet a /64
• /56 VPC = 2^72 = 4,722,366,482,869,645,213,696 addresses
VPC subnets and Availability Zones (dual-stack)
[Slide: the 172.31.0.0/16 VPC expanded with the IPv6 CIDR 2600:1f16:14d:6300::/56; each subnet gets a /64 out of it]
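As an added example (not part of the AWS deck), the following Python puts the last three slides into practice: it checks a candidate VPC CIDR against the RFC 1918 recommendation and against address space already in use, then carves one subnet per Availability Zone for IPv4 and for the IPv6 /56. The in-use ranges (the deck's 10.2.0.0/16, 10.3.0.0/16 and the on-premises 192.168.0.0/16) and the AZ names are constructed inputs; the five reserved addresses per IPv4 subnet and the /56-to-/64 IPv6 sizing are AWS behaviour.

```python
import ipaddress

# RFC 1918 private ranges, the recommended source of VPC CIDRs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves five addresses in every IPv4 subnet: the network address, the
# VPC router (+1), the VPC DNS server (+2), one spare (+3) and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def is_rfc1918(cidr: str) -> bool:
    """True if the whole CIDR lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def overlapping(cidr: str, in_use: list) -> list:
    """Existing ranges that collide with the candidate.

    Overlap is what breaks VPC peering and hybrid routing later, so it is
    checked before the VPC is created, not after.
    """
    net = ipaddress.ip_network(cidr)
    return [c for c in in_use if net.overlaps(ipaddress.ip_network(c))]


def check_vpc_cidr(cidr: str, in_use: list) -> list:
    """Return a list of problems; an empty list means the CIDR is acceptable."""
    problems = []
    if not is_rfc1918(cidr):
        problems.append(f"{cidr} is not inside an RFC 1918 range")
    for clash in overlapping(cidr, in_use):
        problems.append(f"{cidr} overlaps {clash}, which is already in use")
    return problems


def plan_ipv4_subnets(vpc_cidr: str, azs: list, new_prefix: int) -> dict:
    """One subnet per Availability Zone, carved in order from the VPC CIDR."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {az: str(next(blocks)) for az in azs}


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses an instance can actually take in an IPv4 subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def ipv6_vpc_size(vpc_cidr6: str) -> int:
    """Number of addresses in the VPC's IPv6 block (2**72 for a /56)."""
    return ipaddress.ip_network(vpc_cidr6).num_addresses


def plan_ipv6_subnets(vpc_cidr6: str, azs: list) -> dict:
    """IPv6 sizes are fixed: the VPC gets a /56 and every subnet is a /64."""
    vpc = ipaddress.ip_network(vpc_cidr6)
    if vpc.version != 6 or vpc.prefixlen != 56:
        raise ValueError("an AWS-provided VPC IPv6 CIDR is a /56")
    blocks = vpc.subnets(new_prefix=64)
    return {az: str(next(blocks)) for az in azs}


# Constructed inputs: the deck's other VPC CIDRs plus an on-premises range,
# and two hypothetical Availability Zone names.
IN_USE = ["10.2.0.0/16", "10.3.0.0/16", "192.168.0.0/16"]
AZS = ["eu-west-1a", "eu-west-1b"]

if __name__ == "__main__":
    print(check_vpc_cidr("172.31.0.0/16", IN_USE))   # no problems
    print(check_vpc_cidr("10.2.128.0/17", IN_USE))   # overlaps 10.2.0.0/16
    print(plan_ipv4_subnets("172.31.0.0/16", AZS, 20))
    print(plan_ipv6_subnets("2600:1f16:14d:6300::/56", AZS))
```

The overlap check is the one worth automating: a CIDR that collides with a future peer or with the corporate network is cheap to change before the VPC exists and very expensive afterwards.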
Routing in a VPC
Route tables
[Slide: route table diagram for the 172.31.0.0/16 VPC]
Traffic destined for my VPC stays in my VPC: the local route for the VPC CIDR handles it, whatever other routes the table holds.
DNS in a VPC
VPC DNS options
Amazon Route 53 private hosted zones
Example: example.demohostedzone.org → resolved through the private hosted zone → 172.31.0.99 (the name is resolvable only from the VPCs associated with the zone)
Amazon Route 53 Resolver for hybrid clouds
• Conditional forwarding rules (which domains are forwarded to on-premises resolvers)
• Route 53 Resolver endpoints (inbound for on-premises queries into the VPC, outbound for VPC queries to on-premises DNS)
Network security: security groups, network access control lists, flow logs
Security groups follow application structure
[Slide: web and backend tiers, each with its own security group, behind an internet gateway]
Security groups example: Web servers
Security groups example: Backends
Network security: network access control lists
Security groups vs. NACLs

Security group                                        Network ACL
Operates at the instance level                        Operates at the subnet level
Supports allow rules only                             Supports allow and deny rules
Stateful: return traffic is automatically allowed,    Stateless: return traffic must be explicitly
regardless of any rules                               allowed by rules
All rules are evaluated before deciding whether       Rules are evaluated in order (lowest rule number
to allow traffic                                      first) when deciding whether to allow traffic
Applies only to instances explicitly associated       Applies automatically to all instances launched
with the security group                               into associated subnets

Neither filters traffic to or from link-local addresses (169.254.0.0/16) or the AWS-reserved IPv4 addresses of the subnet, i.e. its first four addresses (including the Amazon VPC DNS server).
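The table above is easiest to believe once you watch the two evaluation models disagree on the same packets. The Python below is an added example (not AWS code and not a reimplementation of the VPC data plane) that models a security group as a stateful, allow-only, unordered rule set and a network ACL as a stateless, numbered, first-match list with an implicit final deny, then runs an HTTPS request and its reply through both. The client address 198.51.100.5, the web server 10.1.0.11 and the rule numbers are constructed; the lesson that a NACL needs an outbound rule for ephemeral ports (1024-65535) before replies can leave the subnet is real.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "-1" (any protocol)
    port_from: int
    port_to: int
    cidr: str               # remote side: source for inbound rules, destination for outbound
    action: str = "allow"   # security groups only allow; NACLs may also deny
    number: int = 0         # NACL rule number; the lowest number is evaluated first

    def matches(self, remote_ip: str, proto: str, port: int) -> bool:
        if self.proto not in ("-1", proto):
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


def _remote(pkt: Packet, direction: str) -> str:
    # Inbound rules match on the source address, outbound rules on the destination.
    return pkt.src if direction == "in" else pkt.dst


class SecurityGroup:
    """Instance level, allow rules only, stateful, all rules considered together."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()   # flows already admitted, as 5-tuples

    def permits(self, pkt: Packet, direction: str) -> bool:
        # Stateful: the reply of a tracked flow is allowed regardless of rules.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self._tracked:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(_remote(pkt, direction), pkt.proto, pkt.dport) for r in rules):
            self._tracked.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return True
        return False


class NetworkAcl:
    """Subnet level, allow and deny rules, stateless, lowest matching rule number wins."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        for r in rules:
            if r.matches(_remote(pkt, direction), pkt.proto, pkt.dport):
                return r.action == "allow"
        return False   # the implicit final "*" deny rule


def https_round_trip(sg: SecurityGroup, nacl: NetworkAcl):
    """(request_allowed, reply_allowed) for an internet client hitting a web server."""
    request = Packet("198.51.100.5", "10.1.0.11", "tcp", 51000, 443)
    reply = Packet("10.1.0.11", "198.51.100.5", "tcp", 443, 51000)
    request_ok = nacl.permits(request, "in") and sg.permits(request, "in")
    reply_ok = request_ok and sg.permits(reply, "out") and nacl.permits(reply, "out")
    return request_ok, reply_ok


ANY = "0.0.0.0/0"


def web_sg() -> SecurityGroup:
    # Inbound 443 only and deliberately no outbound rule: the reply still
    # flows because the group is stateful.
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])


def run_scenarios() -> dict:
    allow_443_in = Rule("tcp", 443, 443, ANY, "allow", 100)
    allow_443_out = Rule("tcp", 443, 443, ANY, "allow", 100)
    allow_ephemeral_out = Rule("tcp", 1024, 65535, ANY, "allow", 110)

    def deny_client_net(number: int) -> Rule:
        return Rule("tcp", 0, 65535, "198.51.100.0/24", "deny", number)

    return {
        # Stateless: with no outbound rule covering the client's ephemeral port the
        # request gets in but the reply is dropped at the subnet boundary.
        "nacl_without_ephemeral_outbound": https_round_trip(
            web_sg(), NetworkAcl([allow_443_in], [allow_443_out])),
        "nacl_with_ephemeral_outbound": https_round_trip(
            web_sg(), NetworkAcl([allow_443_in], [allow_443_out, allow_ephemeral_out])),
        # Ordered evaluation: a deny numbered after the allow never fires...
        "deny_numbered_after_allow": https_round_trip(
            web_sg(), NetworkAcl([allow_443_in, deny_client_net(200)], [allow_ephemeral_out])),
        # ...but the same deny numbered before the allow blocks the request.
        "deny_numbered_before_allow": https_round_trip(
            web_sg(), NetworkAcl([allow_443_in, deny_client_net(90)], [allow_ephemeral_out])),
    }
```

Two practical consequences fall out of the model: a NACL that lists only the service ports silently breaks every connection through it, and a deny rule only takes effect if its number is lower than any allow rule the packet would otherwise hit, so "add a deny at the end" is not a block.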
Network security: flow logs
VPC Flow Logs
• Visibility
• Troubleshooting
• Analyze traffic
[Slide: flow logs captured from the subnets in AZ 1 and AZ 2]
VPC Flow Logs format (default fields, in order): version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
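As an added example (not from the AWS deck), here is a small Python parser for the default flow log record format together with two detections a security team typically runs over it: a source that is rejected on many distinct ports of one host (a port scan) and an accepted TCP/22 flow from outside RFC 1918 space (SSH reachable from the internet). The sample records, the account id, the interface id and the addresses are constructed; the field order, the NODATA record shape and protocol number 6 for TCP are AWS behaviour.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Logs record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
TCP = 6
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real traffic): an internal HTTPS flow, an SSH
# login from the internet, an internal SSH login, a NODATA record whose traffic
# fields are '-' placeholders, and rejected probes from one source to many ports.
SAMPLE_LINES = [
    "2 123456789010 eni-0a1b2c3d4e5f67890 10.1.1.25 10.1.0.11 49152 443 6 20 4249 1560000000 1560000060 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 198.51.100.7 10.1.0.11 50311 22 6 12 1896 1560000000 1560000060 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 10.1.1.25 10.1.0.11 50400 22 6 9 1200 1560000000 1560000060 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 - - - - - - - 1560000000 1560000060 - NODATA",
] + [
    f"2 123456789010 eni-0a1b2c3d4e5f67890 198.51.100.23 10.1.0.11 44001 {port} 6 1 40 1560000000 1560000060 REJECT OK"
    for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)
]


def parse_flow_log_line(line: str):
    """Parse one default-format record; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None   # traffic fields are '-' placeholders, nothing to analyse
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def parse_flow_log(lines) -> list:
    return [rec for rec in map(parse_flow_log_line, lines) if rec is not None]


def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def find_port_scans(records, min_ports: int = 10) -> dict:
    """(src, dst) pairs whose rejected TCP flows touch at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == TCP:
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_external_ssh(records) -> list:
    """Accepted TCP/22 flows from outside RFC 1918 space: SSH exposed to the internet."""
    return sorted({(r["srcaddr"], r["dstaddr"]) for r in records
                   if r["action"] == "ACCEPT" and r["protocol"] == TCP
                   and r["dstport"] == 22 and not is_rfc1918(r["srcaddr"])})


def analyse(lines) -> dict:
    records = parse_flow_log(lines)
    return {
        "records": len(records),
        "port_scans": find_port_scans(records),
        "external_ssh": find_external_ssh(records),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LINES))
```

Note the two things a flow log does not give you: there is no payload, so an ACCEPT on port 22 tells you a connection was admitted, not whether the login succeeded, and a REJECT records the decision of a security group or NACL, not which of the two made it.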
Connecting your VPC
Internet connectivity or not
Let’s take a closer look
[Slide: one AWS Region, VPC 10.1.0.0/16 with an internet gateway; Availability Zone 1 holds a public subnet with Instance A (10.1.0.11/24), Availability Zone 2 a public subnet with Instance B (10.1.1.11/24) and a NAT gateway]
Route table of the public subnets:
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       Internet gateway
VPC peering
[Slide: two VPCs with non-overlapping CIDRs, 10.2.0.0/16 and 10.3.0.0/16, joined by a peering connection; peering requires that the CIDRs do not overlap]
Establishing a VPC peering connection
Step 1: Initiate the peering request from the requester VPC (the accepter VPC can belong to another account)
Step 2: Accept the peering request in the accepter VPC
Steps 3, 4: Create routes: in the route tables of both VPCs, add a route for the peer's CIDR targeting the peering connection, and allow the peer's addresses in the security groups
Peering is one-to-one and not transitive: A peered with B and B peered with C does not let A reach C.
Connecting VPCs: VPC peering, AWS Transit Gateway
Before AWS Transit Gateway…
[Slide: a mesh of VPN connections, VPC peering connections and an AWS Direct Connect gateway, each VPC linked to the others individually]
With AWS Transit Gateway…
[Slide: hub and spoke: Amazon VPCs, a VPN connection from the customer gateway and an AWS Direct Connect gateway all attach to one AWS Transit Gateway]
With AWS Transit Gateway…
[Slide: VPCs A, B and C plus an on-premises network attached to one Transit Gateway]
Each VPC's route table: own CIDR → Local; 0.0.0.0/0 → TGW
Attachment: the connection from an Amazon VPC, VPN or DX GW (Direct Connect gateway) to a Transit Gateway
Association: the route table used to route packets coming from an attachment
Propagation: the route table where the attachment's routes are installed
VPC route table (VPC "Llama", 10.1.0.0/16):
Destination     Target
10.1.0.0/16     Local
0.0.0.0/0       TGW
[Slide: the Llama VPC attaches to the Transit Gateway and its CIDR 10.1.0.0/16 is propagated into the AWS Transit Gateway route table(s)]
With propagation turned off, you can still statically configure routes
[Slide: AWS Transit Gateway route table(s) holding static routes for 10.8.0.0/16 and 10.9.0.0/16 next to the Llama VPC, 10.1.0.0/16]
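The attachment, association and propagation definitions above are what make a Transit Gateway a segmentation tool rather than just a hub. The Python below is an added example (not AWS code; it models only the routing decision, not the service) in which prod and dev VPCs both reach a shared-services VPC but not each other, and only prod is reachable from on premises, using one route table per trust zone, selective propagation, and static routes where propagation is left off. The attachment ids, table names and the 10.1/10.8/10.9/192.168 CIDRs are constructed for the illustration.

```python
import ipaddress
from collections import defaultdict


class TransitGateway:
    """Routing model only: attachments, route tables, associations, propagations."""

    def __init__(self):
        self.attachments = {}            # attachment id -> networks reachable through it
        self.tables = defaultdict(list)  # route table name -> [(network, attachment id)]
        self.associations = {}           # attachment id -> the one route table it uses

    def attach(self, attachment_id: str, cidrs):
        self.attachments[attachment_id] = [ipaddress.ip_network(c) for c in cidrs]

    def associate(self, attachment_id: str, table: str):
        # Association: packets arriving from this attachment are looked up in `table`.
        self.associations[attachment_id] = table
        self.tables.setdefault(table, [])

    def propagate(self, table: str, attachment_id: str):
        # Propagation: the attachment's CIDRs are installed as routes in `table`.
        for net in self.attachments[attachment_id]:
            self.tables[table].append((net, attachment_id))

    def add_static_route(self, table: str, cidr: str, attachment_id: str):
        # Static route: same effect as propagation, but chosen by hand.
        self.tables[table].append((ipaddress.ip_network(cidr), attachment_id))

    def forward(self, from_attachment: str, dst_ip: str):
        """Attachment the packet is sent to, or None if the table has no route (dropped)."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, target in self.tables[self.associations[from_attachment]]:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def build_segmented_tgw() -> TransitGateway:
    """Constructed layout: prod and dev share a services VPC and must not reach
    each other; only prod is reachable from on premises."""
    tgw = TransitGateway()
    tgw.attach("tgw-attach-prod", ["10.1.0.0/16"])
    tgw.attach("tgw-attach-dev", ["10.8.0.0/16"])
    tgw.attach("tgw-attach-shared", ["10.9.0.0/16"])
    tgw.attach("tgw-attach-vpn", ["192.168.0.0/16"])

    tgw.associate("tgw-attach-prod", "rt-prod")
    tgw.propagate("rt-prod", "tgw-attach-shared")
    tgw.propagate("rt-prod", "tgw-attach-vpn")

    tgw.associate("tgw-attach-dev", "rt-dev")
    tgw.propagate("rt-dev", "tgw-attach-shared")   # no prod and no on-premises routes

    tgw.associate("tgw-attach-shared", "rt-shared")
    for spoke in ("tgw-attach-prod", "tgw-attach-dev", "tgw-attach-vpn"):
        tgw.propagate("rt-shared", spoke)

    # On-premises table with propagation off: routes are configured statically.
    tgw.associate("tgw-attach-vpn", "rt-vpn")
    tgw.add_static_route("rt-vpn", "10.1.0.0/16", "tgw-attach-prod")
    tgw.add_static_route("rt-vpn", "10.9.0.0/16", "tgw-attach-shared")
    return tgw


if __name__ == "__main__":
    tgw = build_segmented_tgw()
    for src, dst in [("tgw-attach-dev", "10.9.0.5"), ("tgw-attach-dev", "10.1.0.5"),
                     ("tgw-attach-vpn", "10.1.0.5"), ("tgw-attach-vpn", "10.8.0.5")]:
        print(src, "->", dst, ":", tgw.forward(src, dst))
```

The VPC side only ever says 0.0.0.0/0 → TGW, so everything a VPC cannot deliver locally lands on the Transit Gateway; the route table the attachment is associated with is what decides whether the packet is forwarded or dropped, which is why the association, not the VPC route table, is the control to review.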
Quotas at the time of the talk (check Service Quotas for current values):
Transit Gateways per account: 5
Transit Gateway attachments per Amazon VPC: 5
Maximum burstable bandwidth per attachment: 50 Gbps
Maximum bandwidth per VPN connection: 1.25 Gbps*
*With ECMP (supported on AWS Transit Gateway, not on a virtual private gateway), you can distribute traffic over multiple tunnels, e.g., 8 tunnels = 10 Gbps
[Slide: two further quota figures, 10,000 and 5,000, shown without labels]
Cross-Region connectivity? AWS Transit Gateway is a Region-level construct today.
AWS Transit Gateway detailed instructions:
https://amzn.to/2SkI4zV
Connecting to on-premises networks: AWS VPN, AWS Direct Connect
AWS Site-to-Site VPN
[Slide: two IPsec tunnels from the on-premises customer gateway across the internet: IPsec tunnel 1 (primary) and IPsec tunnel 2 (secondary); configure both tunnels so failover needs no manual action]
NEW: Migrate site-to-site VPN to AWS Transit Gateway
https://amzn.to/2vwPcj7
[Slide: instances reaching Amazon S3 and Amazon DynamoDB over the internet]
Connecting to on-premises networks: AWS Direct Connect
AWS Direct Connect: What’s that?
[Slide: an AWS Region with a VPC (10.0.0.0/16) behind a VGW; at the AWS Direct Connect location an AWS cage and a customer or partner cage are joined by a cross connect; the service provider network carries traffic on to the on-premises network (192.168.0.0/16); a private VIF terminates on the VGW and a public VIF reaches AWS public endpoints]
AWS Direct Connect: What’s that?
[Slide: the same diagram with a second VPC (10.2.0.0/16) behind its own VGW and its own private VIF: without a Direct Connect gateway, every VPC needs a private VIF of its own]
AWS Direct Connect gateway
One private VIF → many VPCs
[Slide: the private VIF from the customer or partner cage terminates on an AWS Direct Connect gateway, which is associated with the VGWs of both VPCs (10.0.0.0/16 and 10.2.0.0/16); on premises (192.168.0.0/16) reaches both over the one cross connect]
AWS Direct Connect gateway
One private VIF → many VPCs across Regions
[Slide: the Direct Connect gateway is associated with a VGW in AWS Region 1 (10.0.0.0/16) and a VGW in AWS Region 2 (10.2.0.0/16), both served from one AWS Direct Connect location and one private VIF]
AWS Direct Connect gateway
One private VIF → many VPCs across accounts (multi-account DX gateway)
[Slide: the Direct Connect gateway in AWS Account 1 (VPC 10.0.0.0/16) is also associated with a VGW in AWS Account 2 (VPC 10.2.0.0/16), still over one private VIF from one AWS Direct Connect location]
AWS Direct Connect gateway
One transit VIF → many VPCs (transit VIF with DX gateway)
[Slide: a transit VIF terminates on the AWS Direct Connect gateway, which is associated with an AWS Transit Gateway in AWS Account 1; the Transit Gateway in turn attaches VPCs 10.0.0.0/16 and 10.2.0.0/16 (AWS Account 2), with no VGW per VPC]
AWS Transit Gateway with AWS Direct Connect
https://amzn.to/2VDnnEt
New partner connection speeds: 1, 2, 5, or 10 Gbps of capacity
https://amzn.to/2YtGNue
…more AWS networking
Before Amazon VPC sharing
[Slide: separate VPCs for the Dev, Prod 1 and Prod2 accounts]
[Slide: one shared VPC whose subnets are used by the Dev, Prod 1 and Prod2 participant accounts]
Amazon VPC owners cannot modify or delete participant resources. Participants can launch resources into the subnets shared with them; however, they cannot modify any Amazon VPC-level entities, including route tables, network ACLs, or subnets (or view/modify resources belonging to other participants).
Why use Amazon VPC sharing?
Amazon VPC sharing details
https://amzn.to/2Aovw2Z
VPC endpoints: gateway VPC endpoints, interface VPC endpoints, AWS PrivateLink
VPC endpoints: gateway type
[Slide: the VPC from earlier (10.1.0.0/16, internet gateway, NAT gateway, two public subnets with Instance A 10.1.0.11 behind EIP 54.23.12.43 and Instance B 10.1.1.11 behind EIP 54.19.12.23) now reaches Amazon S3 and Amazon DynamoDB through a gateway VPC endpoint, VPCE-123, instead of over the internet]
VPCE = VPC endpoint (type: gateway)
Route table of the public subnets:
Destination        Target
10.1.0.0/16        Local
0.0.0.0/0          Internet gateway
S3 prefix list     VPCE-123
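The route tables on the "Let's take a closer look" slide and on the gateway endpoint slide above differ by one line, and that line changes where S3 traffic physically goes. The Python below is an added example (not AWS code) that models a subnet route table with longest-prefix matching, an implicit local route for the VPC CIDR, and a prefix-list destination that expands to several CIDRs, then looks up the same three destinations in a public subnet, a private subnet, a subnet without the endpoint route and an isolated subnet. The target names igw, nat-gw and vpce-123 and the pl-s3 prefix list contents are constructed stand-ins; the real S3 prefix list is AWS-managed and referenced by id.

```python
import ipaddress


class VpcRouteTable:
    """Longest-prefix-match model of a subnet route table.

    The local route for the VPC CIDR is implicit and always wins, which is
    why traffic destined for the VPC never leaves it.
    """

    def __init__(self, vpc_cidr: str, routes, prefix_lists=None):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        self.routes = []
        for destination, target in routes:
            # A prefix-list destination (pl-...) expands to every CIDR in the list.
            cidrs = (prefix_lists or {}).get(destination, [destination])
            for cidr in cidrs:
                self.routes.append((ipaddress.ip_network(cidr), target))

    def lookup(self, dst_ip: str):
        addr = ipaddress.ip_address(dst_ip)
        if addr in self.vpc:
            return "local"
        best = None
        for net, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None   # no matching route: the packet is dropped


# Constructed stand-in for the AWS-managed S3 prefix list (documentation ranges,
# not real S3 addresses); the real list is referenced by its pl-... id.
PREFIX_LISTS = {"pl-s3": ["198.51.100.0/24", "203.0.113.0/25"]}

# Public subnet: default route to the internet gateway plus the S3 endpoint route.
PUBLIC_RT = VpcRouteTable("10.1.0.0/16",
                          [("0.0.0.0/0", "igw"), ("pl-s3", "vpce-123")], PREFIX_LISTS)
# Private subnet: default route to the NAT gateway plus the S3 endpoint route.
PRIVATE_RT = VpcRouteTable("10.1.0.0/16",
                           [("0.0.0.0/0", "nat-gw"), ("pl-s3", "vpce-123")], PREFIX_LISTS)
# The public subnet before the endpoint was added: S3 traffic leaves through the IGW.
NO_ENDPOINT_RT = VpcRouteTable("10.1.0.0/16", [("0.0.0.0/0", "igw")], PREFIX_LISTS)
# Isolated subnet: the endpoint route is the only way out.
ISOLATED_RT = VpcRouteTable("10.1.0.0/16", [("pl-s3", "vpce-123")], PREFIX_LISTS)


def paths(dst_ip: str) -> dict:
    """Next hop chosen by each of the four route tables for one destination."""
    return {name: rt.lookup(dst_ip) for name, rt in
            [("public", PUBLIC_RT), ("private", PRIVATE_RT),
             ("no_endpoint", NO_ENDPOINT_RT), ("isolated", ISOLATED_RT)]}


if __name__ == "__main__":
    for ip in ("10.1.1.11", "198.51.100.10", "192.0.2.10"):
        print(ip, paths(ip))
```

The endpoint route wins over 0.0.0.0/0 purely because it is more specific, so it works the same in a subnet that also has an internet gateway. That matters for policy as well as for path: an S3 bucket policy conditioned on aws:SourceVpce only matches requests that actually arrived through the endpoint, and the table without the pl-s3 route sends them out the internet gateway with a public source address instead.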
[Slide: gateway endpoint vs. interface endpoint in an AWS Region]
A gateway endpoint (Amazon S3, Amazon DynamoDB) is a route table target; an interface endpoint is an elastic network interface with a private IP address in your subnet, built on AWS PrivateLink.
VPC endpoints: AWS PrivateLink
And now AWS PrivateLink for service providers
[Slide: a service provider VPC exposes its service behind an NLB; a customer VPC consumes it over AWS PrivateLink through an interface endpoint in its own subnets, addressed as VPC endpoint: vpce-2222.foo.amazon.com, with no peering between the two VPCs]
AWS Global Accelerator
Before
[Slide: clients reach the application in AWS Region 1 and AWS Region 2 over the public internet]
After
[Slide: one static anycast IP, 3.10.3.125, is the entry point for the application in both Regions]
AWS global network: traffic routed through AWS Global Accelerator traverses the AWS global network (instead of the public internet)
Client state: applications can keep state, with connections routed to the same endpoint after the initial connection
Static anycast IPs: AWS Global Accelerator uses static IP addresses as a fixed entry point to your applications, which are anycast from AWS edge locations
AWS Global Accelerator
https://amzn.to/2FI3y89