Exploring The Fundamentals of AWS Networking SVC205

SVC205
Exploring the fundamentals of AWS

networking
Neeraj Verma
Principal Solutions Architect
Amazon Web Services
SUMMIT
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introductory - 200
“These sessions provide an overview of AWS services and features,
and they assume that attendees are new to the topic. These
sessions highlight basic use cases, features, functions, and
benefits."
SUMMIT
SUMMIT
AWS Global Accelerator
AWS Region
Internet
Amazon S3 Amazon AWS Lambda Amazon SQS Amazon SNS

AWS IoT
NLB DynamoDB Amazon S3
AWS PrivateLink VPC

service provider VPC Flow Logs Amazon
EIP – 10.1.0.11 : 54.23.12.43 CloudWatch
EIP – 10.1.1.11 : 54.19.12.23
AWS PrivateLink-
enabled services AWS VPCE Internet gateway On premises
PrivateLink Availability Zone 1 Availability Zone 2
Destination Target Transit GW

10.1.0.0/16 Local
Public subnet Public subnet
0.0.0.0/0 Internet gateway
S3.prefix.list VPCE-123 Intra or
On premises VGW
Instance A Instance
NAT-GW B inter VPC-B
10.1.0.11/24
NAT 10.1.1.11/24
VPC-B PCX-123 Region
Other routes TGW VPC
AWS Direct
Private subnet Private subnet
peering Connect
Destination Target DXGW
10.1.0.0/16 Local Instance C Instance D
0.0.0.0/0 NAT-GWB
Instance 10.1.2.11/24 10.1.3.11/24 On premises
S3.prefix.list VPCE-123
On premises VGW
VPC-B PCX-123
VGW
Other routes TGW
VPC CIDR 10.1.0.0/16 + Expand + IPv6 VPN
SUMMIT
That was the agenda
for this session
SUMMIT
SUMMIT
What is a VPC?
SUMMIT
VPC concepts and fundamentals
IP addressing Creating Routing in DNS in-VPC Security

subnets a VPC with Amazon
Route 53
SUMMIT
Choosing an
IP address range
SUMMIT
Choosing an IP address range for your VPC
Avoid ranges that overlap with

other networks to which you might
connect
172.31.0.0/16
Recommended: RFC1918
range
SUMMIT
Creating subnets in a VPC
SUMMIT
VPC subnets and Availability Zones
172.31.0.0/16
eu-west-1a eu-west-1b eu-west-1c
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
VPC subnet VPC subnet VPC subnet
Availability Zone Availability Zone Availability Zone
SUMMIT
IPv6 in your VPC
• Can have a dual-stack VPC by adding an IPv6 CIDR
• Fixed sizes for VPC and subnets
• /56 VPC (4,722,366,482,869,645,213,696 addresses)
• /64 subnets (18,446,744,073,709,551,616 addresses)
SUMMIT
VPC subnets and Availability Zones
172.31.0.0/16 + Expand
2600:1f16:14d:6300::/56
eu-west-1a eu-west-1b eu-west-1c
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64 2600:1f16:14d:6302::/64
SUMMIT
Routing in a VPC
SUMMIT
Route tables
172.31.0.0/16
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
SUMMIT
Traffic destined for my VPC
stays in my VPC
SUMMIT
DNS in a VPC
SUMMIT
VPC DNS options
Have EC2 auto-assign DNS

host names to instances Use Amazon DNS server
SUMMIT
Amazon Route 53 private hosted zones
example.demohostedzone.org →Hosted
Private Zone
172.31.0.99
SUMMIT
Amazon Route 53 Resolver for hybrid clouds
Conditional forwarding
rules
Route 53 Resolver
endpoints
SUMMIT
Security groups Network access Flow logs
control list
Network security
SUMMIT
Security groups follow application structure
Internet gateway
Web Web Web Web
“MyWebServers” security group
Allow only “MyWebServers”
App App App
“MyBackends” security group
SUMMIT
Security groups example: Web servers
Allow HTTP traffic

from anywhere
SUMMIT
Security groups example: Backends
Allow application traffic

from web servers only
SUMMIT
control list
Network security
SUMMIT
Security groups vs. NACLs
Security group Network ACL
Operates at instance level Operates at subnet level
Supports allow rules only Supports allow and deny rules
Is stateful: Return traffic is automatically allowed Is stateless: Return traffic must be explicitly allowed
regardless of any rules by rules
All rules evaluated before deciding whether to allow Rules evaluated in order when deciding whether to
traffic allow traffic
Applies only to instances explicitly associated with the Automatically applies to all instances launched into
security group associated subnets
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these
are first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
SUMMIT
control list
Network security
SUMMIT
VPC Flow Logs
• Visibility
• Troubleshooting
• Analyze traffic
AZ 1 AZ 2
VPC Flow Logs
SUMMIT Amazon S3 Amazon CloudWatch Logs

VPC Flow Logs: Setup
VPC traffic metadata

captured in Amazon S3
or Amazon CloudWatch Logs
SUMMIT
VPC Flow Logs format
SUMMIT
SUMMIT
Connecting your VPC
Internet Connecting to your

connectivity Connecting to other
VPCs on-premises network
or not
SUMMIT
Internet connectivity or not
SUMMIT
Let’s take a closer look
AWS Region Internet

AWS IoT
DynamoDB
EIP – 10.1.0.11 : 54.23.12.43

EIP – 10.1.1.11 : 54.19.12.23
Internet gateway
Availability Zone 1 Availability Zone 2
Destination Target
10.1.0.0/16 Local
Instance A Instance
NAT-GW B
10.1.0.11/24
NAT 10.1.1.11/24

Destination Target
0.0.0.0/0 NAT-GWB
Instance 10.1.2.11/24 10.1.3.11/24
VPC CIDR 10.1.0.0/16 + Expand + IPv6

SUMMIT
VPC peering AWS Transit
Gateway
Connecting to other VPCs
SUMMIT
VPC peering
• Full private IP connectivity between

two VPCs 10.0.0.0/16 10.1.0.0/16
• Can peer VPCs across regions

• VPCs can be in different accounts
• VPC CIDR ranges must not overlap
10.2.0.0/16 10.3.0.0/16
SUMMIT
Establish a VPC peering: Initiate request
172.31.0.0/16 Step 1 10.55.0.0/16

Initiate peering
request
SUMMIT
Establish a VPC peering: Accept request
172.31.0.0/16 Step 1 10.55.0.0/16

Initiate peering
request
Step 2
Accept peering
request
SUMMIT
Establish a VPC peering: Create routes
172.31.0.0/16 Step 1 10.55.0.0/16

InitiateTraffic
peeringdestined for the peered VPC should go to the
request peering, repeat for other VPC
Step 2
Accept peering
request
Step 3, 4
SUMMIT
VPC peering AWS Transit
Gateway
Connecting to other VPCs

and beyond…
SUMMIT
Before AWS Transit Gateway…
Customer VPN connection Amazon VPC VPC peering Amazon VPC

gateway
VPN VPC peering VPC peering VPC peering AWS Direct Connect
connection gateway
VPN connection Amazon VPC VPC peering Amazon VPC
SUMMIT
With AWS Transit Gateway…
AWS Direct
Connect Gateway
Amazon VPC Amazon VPC
AWS Transit
Amazon VPC Gateway Amazon VPC
VPN
connection
Customer
gateway
SUMMIT
With AWS Transit Gateway…
A B Destination
B
Target
Local
0.0.0.0/0 TGW
TGW route table (s) 1 2

VPC A: Attachment 1
RT1
VPC B: Attachment 2
VPC C: Attachment 3
RT2
On premises: VPN 4
3 AWS 4
Transit
Gateway
On premises
C
SUMMIT
Attachment Association Propagation
The connection from an The route table used to The route table where
Amazon VPC, VPN, and DX GW route packets coming from the attachment’s routes
to a Transit Gateway an attachment are installed
SUMMIT
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 TGW
Llama
10.1.0.0/16 AWS Transit Gateway route table (s)
X Associations Propagations Routes

Llama from X Llama from X 10.1.0.0/16 via X
Pegasus RT1 Pegasus from Y
Y Pegasus from Y 10.2.0.0/16 via Y
10.2.0.0/16 Barry from Z Barry from Z 10.3.0.0/16 via Z
Z AWS
Transit
Gateway
Barry
Destination Target
10.3.0.0/16 10.1.0.0/16 Local
10.0.0.0/8 TGW
SUMMIT
Llama
10.8.0.0/16 10.9.0.0/16

Pegasus
Y Pegasus from Y Pegasus from Y 10.2.0.0/16 via Y
10.2.0.0/16 RT1 Barry from Z Barry from Z 10.3.0.0/16 via Z
10.8.0.0/16 via X
Z AWS 10.9.0.0/16 via X
Transit
Gateway
Barry
10.3.0.0/16
SUMMIT
Propagation turned off, you can still statically
configure routes
Llama
10.8.0.0/16 10.9.0.0/16

Pegasus
Y Pegasus from Y Pegasus from Y 10.2.0.0/16 via Y
10.2.0.0/16 RT1 Barry from Z Barry from Z 10.3.0.0/16 via Z
10.8.0.0/16 via X
Z AWS
10.9.0.0/16 via X
Transit
Gateway
Barry
10.3.0.0/16
SUMMIT
Transit Gateways per Maximum burstable
account/Transit Gateway bandwidth per attachment
attachments per Amazon VPC
5 50 Gbps
SUMMIT
Maximum bandwidth
per VPN connection
* 1.25 Gbps
*With ECMP, you can distribute traffic over multiple tunnels,
e.g., 8 tunnels = 10 Gbps
SUMMIT
!!!
Routes per AWS Number of AWS Transit Gateway

Transit Gateway attachments per Region per account
10,000 5,000
SUMMIT
Cross-Region connectivity?
AWS Transit Gateway is a Region-level construct
today
SUMMIT
AWS Transit Gateway detailed instructions:
https://amzn.to/2SkI4zV
SUMMIT
AWS VPN AWS Direct Connect
Connecting to
on-premises networks
SUMMIT
IPsec tunnel 1 – primary
On premises
IPsec tunnel 2 – secondary
The internet
Virtual private IPsec tunnel over Customer gateway

gateway the internet
SUMMIT
IPsec tunnel 1 – primary
On premises
IPsec tunnel 2 – secondary
The internet
IPsec tunnel over Customer gateway

AWS Transit
the internet
Gateway
SUMMIT
NEW
Migrate site-to-site VPN to
AWS Transit Gateway
https://amzn.to/2vwPcj7
SUMMIT
The
Amazon S3 Amazon
internet
DynamoDB
Client VPN Client

endpoint
Attachment to TLS-based tunnel User with

On premises
Amazon VPC over the internet OpenVPN client
SUMMIT
AWS VPN AWS Direct Connect
Connecting to
on-premises networks
SUMMIT
AWS Direct Connect: What’s that?
AWS Region
Public VIF
Cross connect
Service provider
Private VIF network On premises
VGW Customer or 192.168.0.0/16
10.0.0.0/16 AWS cage partner cage
AWS Direct Connect location
SUMMIT
AWS Direct Connect: What’s that?
AWS Region
Public VIF
Cross connect
Service provider
Private VIF network On premises
10.0.0.0/16 AWS cage partner cage
Private VIF
VGW
10.2.0.0/16
SUMMIT
AWS Direct Connect gateway
One private VIF → many VPCs
AWS Region
Cross connect
Private VIF
Service provider
network On premises
10.0.0.0/16 AWS cage
AWS Direct partner cage
Connect gateway
VGW
10.2.0.0/16
SUMMIT
One private VIF → many VPCs across Regions
AWS Region 1
Cross connect
Private VIF
Service provider
network On premises
10.0.0.0/16 AWS cage
Connect gateway
AWS Region 2
VGW
10.2.0.0/16
SUMMIT
One private VIF → many VPCs across accounts
AWS Account 1
Cross connect
Private VIF
Service provider
network On premises
10.0.0.0/16 AWS cage
Connect gateway
AWS Account 2
VGW
10.2.0.0/16
Multi-account DX gateway
SUMMIT
One transit VIF → many VPCs
AWS Account 1
AWS Transit
Gateway
Cross connect
Transit VIF
Service provider
network On premises
Customer or 192.168.0.0/16
10.0.0.0/16 AWS cage
Connect gateway
AWS Account 2
10.2.0.0/16
Transit VIF with DX gateway
SUMMIT
AWS Transit Gateway with AWS Direct Connect
https://amzn.to/2VDnnEt
SUMMIT
New partner connection speeds
1, 2, 5, or 10 Gbps of capacity
https://amzn.to/2YtGNue
SUMMIT
SUMMIT
…more AWS networking
VPC sharing VPC endpoints and AWS Global

AWS PrivateLink Accelerator
SUMMIT
Before
Amazon VPC sharing
SUMMIT
Dev Prod 1 Prod2
Barry Pegasus Llama

10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
Amazon EC2 Amazon RDS Amazon Redshift
Sue Steve Iguana

10.4.0.0/16 10.5.0.0/16 10.6.0.0/16
Amazon EC2 AWS Lambda Amazon EC2
Test Prod 3 Prod 4

SUMMIT
After
Amazon VPC sharing
SUMMIT
Dev Prod 1 Prod2
Barry Pegasus Llama

10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
Sue Steve Iguana

10.4.0.0/16 10.5.0.0/16 10.6.0.0/16
Test Prod 3 Prod 4

SUMMIT
Dev Prod 1 Prod2
Owner Owner Participant
Barry Pegasus Llama

10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
Participant Participant Participant
Sue Steve Iguana

10.4.0.0/16 10.5.0.0/16 10.6.0.0/16
Test Prod 3 Prod 4

SUMMIT
Amazon VPC owner Amazon VPC participant
Responsible for creating, managing, and Responsible for the creation, management, and
deleting all VPC-level entities deletion of their resources, including Amazon
EC2 instances, Amazon RDS databases, and load
balancers
Amazon VPC owners cannot modify or However, they cannot modify any Amazon VPC-
delete participant resources level entities, including route tables, network
ACLs, or subnets (or view/modify resources
belonging to other participants)
SUMMIT
Why use Amazon VPC sharing?
Preserve IP space Interconnectivity

Use fewer IPv4 CIDRs No VPC peering required
Separation of duties Billing and security

A central team can create and Continue to enjoy segregation
manage your Amazon VPC with multiple accounts
Same AZ cost for data transfer is nil!
SUMMIT
Amazon VPC sharing details
https://amzn.to/2Aovw2Z
SUMMIT
Gateway VPC Interface VPC AWS PrivateLink
endpoints endpoints
VPC endpoints
SUMMIT
AWS Region
Internet
Amazon S3 Amazon
DynamoDB
VPCE =
EIP – 10.1.0.11 : 54.23.12.43 Virtual private endpoint
EIP – 10.1.1.11 : 54.19.12.23 (Type: Gateway)
VPCE Internet gateway

Destination Target
10.1.0.0/16 Local
Instance A Instance
NAT-GW B
10.1.0.11/24
NAT 10.1.1.11/24

Destination Target
0.0.0.0/0 NAT-GWB
Instance 10.1.2.11/24 10.1.3.11/24
DDB.prefix.list VPCE-123

SUMMIT
endpoints endpoints
VPC endpoints
SUMMIT
AWS Region
Amazon API Gateway AWS Config AWS Secrets Manager

AWS CloudFormation
Amazon CloudWatch
Amazon EC2 API
Elastic Load Balancing API
AWS Security Token Service
AWS Service Catalog
22+ services now
Amazon CloudWatch Events AWS Key Management Service Amazon SNS supported over AWS
Amazon CloudWatch Logs Amazon Kinesis Data Streams AWS Systems Manager
AWS CodeBuild Amazon SageMaker Runtime + More PrivateLink
AWS PrivateLink can

reach public services,
Destination Target
privately from your VPC
10.1.0.0/16 Local
Instance A Instance B No routes needed!

10.1.0.11/24
NAT NAT-GW
10.1.1.11/24 (almost)
ec2.eu-west-1.amazonaws.com
ec2.eu-west-1.amazonaws.com
Private subnet ENI1:
ENI1:10.1.0.15
10.1.0.15 Private subnet
Destination Target ENI2:
ENI2:10.1.1.23
10.1.1.23
10.1.2.11/24 10.1.3.11/24

SUMMIT
VPC endpoints
Type: Gateway
Type: Interface
SUMMIT
endpoints endpoints
VPC endpoints
SUMMIT
And now AWS PrivateLink
for service providers
Application, e.g., SaaS
AWS
PrivateLink
NLB
Customer VPC
Service provider VPC
SUMMIT
VPC endpoint: vpce-2222.foo.amazon.com
SUMMIT
Before
SUMMIT
AWS Region 1 AWS Region 2
SUMMIT
After
SUMMIT
3.10.3.125 3.10.3.125
AWS Region 1 AWS Region 2
SUMMIT
AWS global network Client state Static anycast IPs
Traffic routed through AWS Global Applications can keep state, with AWS Global Accelerator uses static
Accelerator traverses AWS global connections routed to IP addresses as a fixed entry point to
network (instead of the public the same endpoint, after your applications, which are anycast
internet) initial connection from AWS edge locations
SUMMIT
https://amzn.to/2FI3y89
SUMMIT
SUMMIT
AWS Region
Internet

AWS IoT
NLB DynamoDB Amazon S3
AWS PrivateLink VPC

service provider VPC Flow Logs Amazon
EIP – 10.1.0.11 : 54.23.12.43 CloudWatch
EIP – 10.1.1.11 : 54.19.12.23
AWS PrivateLink-
enabled services AWS On premises
VPCE Internet gateway
PrivateLink Availability Zone 1 Availability Zone 2
Destination Target Transit GW

10.1.0.0/16 Local
S3.prefix.list VPCE-123 Intra or
On premises VGW
Instance A Instance
NAT-GW B inter VPC-B
10.1.0.11/24
NAT 10.1.1.11/24
VPC-B PCX-123 Region
Other routes TGW VPC
AWS Direct
peering Connect
Destination Target DXGW
0.0.0.0/0 NAT-GWB
Instance 10.1.2.11/24 10.1.3.11/24 On premises
On premises VGW
VPC-B PCX-123
VGW
Other routes TGW
VPC CIDR 10.1.0.0/16 + Expand + IPv6 VPN
SUMMIT
Thank you!
Neeraj Verma
@rajverma
SUMMIT
© 2019, Amazo n Web Services, Inc. or its affiliates. All rights reserved.

Exploring The Fundamentals of AWS Networking SVC205

Uploaded by

Copyright:

Available Formats

You might also like

Exploring The Fundamentals of AWS Networking SVC205

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Exploring The Fundamentals of AWS Networking SVC205

Uploaded by

Copyright:

Available Formats

SVC205

Exploring the fundamentals of AWS

Amazon S3 Amazon AWS Lambda Amazon SQS Amazon SNS

AWS PrivateLink VPC

Destination Target Transit GW

IP addressing Creating Routing in DNS in-VPC Security

Avoid ranges that overlap with

eu-west-1a eu-west-1b eu-west-1c

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

VPC subnet VPC subnet VPC subnet

Availability Zone Availability Zone Availability Zone

• /64 subnets (18,446,744,073,709,551,616 addresses)

eu-west-1a eu-west-1b eu-west-1c

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

VPC subnet VPC subnet VPC subnet

Availability Zone Availability Zone Availability Zone

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

VPC subnet VPC subnet VPC subnet

Availability Zone Availability Zone Availability Zone

Have EC2 auto-assign DNS

Web Web Web Web

“MyWebServers” security group

Allow only “MyWebServers”

App App App

“MyBackends” security group

Allow HTTP traffic

Allow application traffic

VPC Flow Logs

SUMMIT Amazon S3 Amazon CloudWatch Logs

VPC traffic metadata

or Amazon CloudWatch Logs

Internet Connecting to your

Amazon S3 Amazon AWS Lambda Amazon SQS Amazon SNS

EIP – 10.1.0.11 : 54.23.12.43

Private subnet Private subnet

VPC CIDR 10.1.0.0/16 + Expand + IPv6

Connecting to other VPCs

• Full private IP connectivity between

• Can peer VPCs across regions

172.31.0.0/16 Step 1 10.55.0.0/16

172.31.0.0/16 Step 1 10.55.0.0/16

172.31.0.0/16 Step 1 10.55.0.0/16

Connecting to other VPCs

Customer VPN connection Amazon VPC VPC peering Amazon VPC

VPN connection Amazon VPC VPC peering Amazon VPC

Amazon VPC Amazon VPC

TGW route table (s) 1 2

X Associations Propagations Routes

X Associations Propagations Routes

X Associations Propagations Routes

Routes per AWS Number of AWS Transit Gateway

Virtual private IPsec tunnel over Customer gateway

IPsec tunnel over Customer gateway

Client VPN Client

Attachment to TLS-based tunnel User with

AWS Direct Connect location

AWS Direct Connect location