Professional Documents
Culture Documents
VPC Design and New Capabilitie 1729106471 180510173437
VPC Design and New Capabilitie 1729106471 180510173437
Tom Adamski
Specialist Solutions Architect, AWS
Steve Seymour
Principal Specialist Solutions Architect, AWS
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traditional Network
WAN
VPN VPN
Fiber
Applications Applications
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is an Amazon Virtual Private Cloud (VPC)?
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Creating an Internet-connected VPC: Steps
IGW
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Choosing an IP address range
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CIDR notation review
172.31.0.0/16
1010 1100 0001 1111 0000 0000 0000 0000
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Choosing an IP address range for your VPC
172.31.0.0/16
Recommended:
Recommended:
/16
RFC1918 range
(65,536 addresses)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IPv6 in Amazon VPC – Dual-stack
172.31.0.0/16
2001:db8:1234:1a00::/56
Amazon Global Unicast
Associate an /56 IPv6 CIDR
Addresses (GUA) –
(Automatically allocated)
Internet Routable
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Subnets
VPC Subnet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC subnets and Availability Zones
172.31.0.0/16
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Expand your existing Amazon VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
172.31.0.0/16
VPC CIDR 172.31.0.0/16
Instance A Instance B
172.31.1.11/24 172.31.2.22/24
Subnet Subnet
Instance C Instance D
172.31.3.33/24 172.31.4.44/24
Subnet Subnet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
172.31.0.0/16
VPC CIDR 172.31.0.0/16
Instance A Instance B
172.31.1.11/24 172.31.2.22/24
Subnet Subnet
Instance C Instance D
172.31.3.33/24 172.31.4.44/24
Subnet Subnet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
172.31.0.0/16
VPC CIDR 172.31.0.0/16 172.21.0.0/16
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC subnet recommendations
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IGW Route to the Internet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routing in your VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traffic destined for my VPC
stays in my VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Internet gateway
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Everything that isn’t destined for the VPC:
send to the Internet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network security in your VPC:
Security groups
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups follow application structure
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups example: Web servers
Rule descriptions
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups example: Backends
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network - Progress
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Beyond Internet connectivity
VPC Subnet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Restricting Internet access:
Routing by subnet
VPC Subnet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routing by subnet
public subnet
private subnet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Outbound-only internet access: NAT gateway
0.0.0.0/0
0.0.0.0/0
NAT gateway
private subnet public subnet
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Inter-VPC connectivity:
VPC peering
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example VPC peering use:
Shared services VPC
• Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Establish a VPC peering: Initiate request
Initiate peering
request
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Establish a VPC peering: Accept request
Initiate peering
request
Step 2
Accept peering
request
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Establish a VPC peering: Create a route
Initiate peering
request
Step 2
Accept peering
request
Step 3
Traffic destined for the peered VPC
should go to the peering
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups across peered VPCs
172.31.0.0/16 10.55.0.0/16
VPC Peering
ALLOW
Orange Security Group Blue Security Group
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Inter-Region VPC Peering
VPC A VPC B
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Some notes…
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network - Progress
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connecting to on-premises networks:
AWS Virtual Private Network
and AWS Direct Connect
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Extend an on-premises network into your VPC
VPN
AWS Direct
Connect
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS VPN basics
172.31.0.0/16 192.168.0.0/16
Virtual
Private Customer
Gateway Gateway
192.168/16
Direct Connect
Location
(London)
VGW VGW Private
“Association” Virtual Interface
“Attachment”
Direct Connect
Gateway
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect Gateway
EU-WEST-1
172.31.0.0/16
VGW
Direct Connect
VGW
“Association”
Location
(London)
Private
Virtual Interface
VGW “Attachment”
EU-CENTRAL-1
“Association”
172.16.0.0/16
VGW
Direct Connect
Gateway
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Direct Connect Gateway
Direct Connect
Location
EU-WEST-1 (London)
172.31.0.0/16
VGW
VGW
EU-CENTRAL-1 Virtual Interface
“Association”
172.16.0.0/16
“Attachment”
VGW
Direct Connect
Gateway
Direct Connect
Location
(Frankfurt)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Direct Connect Gateway—traffic flows
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Direct Connect Gateway—traffic flows
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS VPN and AWS Direct Connect
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Network - Progress
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services
VPC VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services in your VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example: Amazon RDS Database in your VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example: Application Load Balancer in your VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services outside your VPC
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Endpoints for AWS Services
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 and your VPC
Your applications
Your data
S3 bucket
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gateway VPC Endpoints
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Endpoints: Amazon S3 and DynamoDB
S3 bucket
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM policy for VPC Endpoints
S3 bucket
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PrivateLink for AWS Services
Private IP:
172.31.1.6
Private IP:
172.31.2.10
EC2 APIs
vpce-….ec2.eu-west-1.vpce.amazonaws.com
ec2.eu-west-1.amazonaws.com
vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com
vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PrivateLink for Customer & Partner Applications
Share services privately and securely between
VPCs, AWS accounts, and on-premises networks
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs
172.31.1.0/24
• Visibility into effects of
AZ A security group rules
• Troubleshooting network
connectivity
• Ability to analyze traffic
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs: Setup
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs data in CloudWatch Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
UDP Port 27015
REJECT
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The VPC Network
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Network Security
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Connectivity
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-Instance Networking Improvements
C5
C4
• Elastic
C3 Network
• EBS Adapter
CC1 optimized
• 25 Gbps
• Enhanced by default
networking • <50-µs
• 10 Gbps latency
C1 • 20x PPS
• <100-µs
• 1 Gbps latency
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Instance Bandwidth Limits
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Time Sync Service
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank You!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.