VPC Design and New Capabilitie 1729106471 180510173437

VPC Design and New Capabilities
for Amazon VPC
Tom Adamski
Specialist Solutions Architect, AWS
Steve Seymour
Principal Specialist Solutions Architect, AWS
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traditional Network
WAN
VPN VPN
Fiber
Applications Applications
AWS Network
What is an Amazon Virtual Private Cloud (VPC)?
“A virtual network that

closely resembles a
traditional network that
you'd operate in your own
data center” Instance Instance
Availability Zone Availability Zone
Creating an Internet-connected VPC: Steps
IGW
Choosing an Create subnets in Creating a route Authorizing

address range Availability Zones to the Internet traffic to/from
the VPC
Choosing an IP address range
CIDR notation review
CIDR range example:
172.31.0.0/16
1010 1100 0001 1111 0000 0000 0000 0000
Choosing an IP address range for your VPC
Avoid ranges that overlap with

other networks to which you
might connect.
172.31.0.0/16
Recommended:
Recommended:
/16
RFC1918 range
(65,536 addresses)
IPv6 in Amazon VPC – Dual-stack
172.31.0.0/16
2001:db8:1234:1a00::/56
Amazon Global Unicast
Associate an /56 IPv6 CIDR
Addresses (GUA) –
(Automatically allocated)
Internet Routable
Subnets
VPC Subnet
VPC subnets and Availability Zones
172.31.0.0/16
eu-west-1a eu-west-1b eu-west-1c
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
VPC subnet VPC subnet VPC subnet

Availability Zone Availability Zone Availability Zone
Expand your existing Amazon VPC
172.31.0.0/16
VPC CIDR 172.31.0.0/16
Instance A Instance B
172.31.1.11/24 172.31.2.22/24
Subnet Subnet
Instance C Instance D
172.31.3.33/24 172.31.4.44/24
Subnet Subnet
Availability Zone A Availability Zone B
172.31.0.0/16
VPC CIDR 172.31.0.0/16
Instance A Instance B
172.31.1.11/24 172.31.2.22/24
Subnet Subnet
Instance C Instance D
172.31.3.33/24 172.31.4.44/24
Subnet Subnet
Availability Zone A Availability Zone B Availability Zone C
172.31.0.0/16
VPC CIDR 172.31.0.0/16 172.21.0.0/16
Instance A Instance B Instance E 172.21.0.0/16

172.31.1.11/24 172.31.2.22/24 172.21.1.11/24
Subnet Subnet Subnet
Instance C Instance D Instance F

172.31.3.33/24 172.31.4.44/24 172.21.2.22/24
Subnet Subnet Subnet
Availability Zone A Availability Zone B Availability Zone C
VPC subnet recommendations
• /16 VPC (65,536 addresses)

• Expand your VPC when necessary
• At least /24 subnets (251 addresses)
• Use multiple Availability Zones per VPC through multiple
subnets
IGW Route to the Internet
Routing in your VPC
• Route tables contain rules for which packets go where

• Your VPC has a default (main) route table
• But, you can assign different route tables to different
subnets
Traffic destined for my VPC
stays in my VPC
Internet gateway
Send packets here if you want

them to reach the Internet
Everything that isn’t destined for the VPC:
send to the Internet
Network security in your VPC:
Security groups
Security groups follow application structure
“MyWebServers” Security Group
Allow only “MyWebServers”
“MyBackends” Security Group
Security groups example: Web servers
Allow all HTTP traffic
Rule descriptions
Security groups example: Backends
Allow application traffic

from web servers only
AWS Network - Progress
Beyond Internet connectivity
VPC Subnet
Restricting Connecting to other Connecting to your

Internet access VPCs corporate network
Restricting Internet access:
Routing by subnet
VPC Subnet
Routing by subnet
Has route to Internet
public subnet
Has no route to Internet
private subnet
Outbound-only internet access: NAT gateway
Public IP: 54.161.0.39
0.0.0.0/0
0.0.0.0/0
NAT gateway
private subnet public subnet
Inter-VPC connectivity:
VPC peering
Example VPC peering use:
Shared services VPC
• Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Establish a VPC peering: Initiate request
172.31.0.0/16 Step 1 10.55.0.0/16
Initiate peering
request
Establish a VPC peering: Accept request
172.31.0.0/16 Step 1 10.55.0.0/16
Initiate peering
request
Step 2
Accept peering
request
Establish a VPC peering: Create a route
172.31.0.0/16 Step 1 10.55.0.0/16
Initiate peering
request
Step 2
Accept peering
request
Step 3
Traffic destined for the peered VPC
should go to the peering
Security groups across peered VPCs
172.31.0.0/16 10.55.0.0/16
VPC Peering
ALLOW
Orange Security Group Blue Security Group
Inter-Region VPC Peering
eu-west-1 (Ireland) us-east-1 (N.Virginia)
VPC A VPC B
Some notes…
Inter-Region VPC Peering encrypts with no single point of

failure or bandwidth bottleneck
Traffic using Inter-Region VPC Peering always stays on the

global AWS backbone
Connecting to on-premises networks:
AWS Virtual Private Network
and AWS Direct Connect
Extend an on-premises network into your VPC
VPN
AWS Direct
Connect
AWS VPN basics
172.31.0.0/16 192.168.0.0/16
Virtual
Private Customer
Gateway Gateway
192.168/16
Two IPSec tunnels
Traffic destined for

Your networking the VPN/Direct
device
Connect via the VGW
AWS Direct Connect Gateway
EU-WEST-1
172.31.0.0/16
192.168.0.0/16
Direct Connect
Location
(London)
VGW VGW Private
“Association” Virtual Interface
“Attachment”
Direct Connect
Gateway
EU-WEST-1
172.31.0.0/16
VGW
Direct Connect
VGW
“Association”
Location
(London)
Private
Virtual Interface
VGW “Attachment”
EU-CENTRAL-1
“Association”
172.16.0.0/16
VGW
Direct Connect
Gateway
Direct Connect
Location
EU-WEST-1 (London)
172.31.0.0/16
VGW
VGW Virtual Interface

“Association” “Attachment”
VGW
EU-CENTRAL-1 Virtual Interface
“Association”
172.16.0.0/16
“Attachment”
VGW
Direct Connect
Gateway
Direct Connect
Location
(Frankfurt)
Direct Connect Gateway—traffic flows
Direct Connect Location
VGW VGW Virtual Interface


VGW “Association” “Attachment”
Direct Connect Gateway—traffic flows
VGW VGW Virtual Interface


VGW “Association” “Attachment”
AWS VPN and AWS Direct Connect
• Both allow secure connections between

your network and your VPC
• VPN is a pair of IPSec tunnels over the
Internet
• AWS Direct Connect is a dedicated line with
lower per-GB data transfer rates
• For highest availability: Use both
AWS Services
VPC VPC
Inside of the VPC Outside of the VPC
AWS Services in your VPC
Example: Amazon RDS Database in your VPC
Example: Application Load Balancer in your VPC
AWS Services outside your VPC
VPC Endpoints for AWS Services
Amazon S3 and your VPC
Your applications
Your data
S3 bucket
Gateway VPC Endpoints
VPC Endpoints: Amazon S3 and DynamoDB
Route S3-bound traffic

to the VPC endpoint
S3 bucket
IAM policy for VPC Endpoints
IAM policy at VPC endpoint:

restrict actions of VPC in Amazon
S3 or Amazon DynamoDB
S3 bucket
IAM policy at S3 bucket:

make accessible from
VPC endpoint only
Interface VPC Endpoints
AWS PrivateLink for AWS Services
Private IP:
172.31.1.6
Private IP:
172.31.2.10
EC2 APIs
vpce-….ec2.eu-west-1.vpce.amazonaws.com
ec2.eu-west-1.amazonaws.com
vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com
vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com
AWS PrivateLink for Customer & Partner Applications
Share services privately and securely between
VPCs, AWS accounts, and on-premises networks
Powered by Network Secure endpoint Integrated with

Load Balancer within Client VPC AWS Marketplace
Available in all public AWS regions, except CN-NORTH-1

VPC Flow Logs:
VPC traffic metadata in Amazon
CloudWatch Logs
VPC Flow Logs
172.31.1.0/24
• Visibility into effects of
AZ A security group rules
• Troubleshooting network
connectivity
• Ability to analyze traffic
VPC Flow Logs: Setup
VPC traffic metadata captured in

Amazon CloudWatch Logs
VPC Flow Logs data in CloudWatch Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
UDP Port 27015
REJECT
The VPC Network
VPC Network Security
VPC Connectivity
On-Instance Networking Improvements
C5
C4
• Elastic
C3 Network
• EBS Adapter
CC1 optimized
• 25 Gbps
• Enhanced by default
networking • <50-µs
• 10 Gbps latency
C1 • 20x PPS
• <100-µs
• 1 Gbps latency
Instance Bandwidth Limits
25 Gbps 25 Gbps 25 Gbps 5 Gbps

within placement group within region to Amazon S3 for other sources
Amazon Time Sync Service
Highly reliable service with a redundant

array of satellite and atomic clock
sources
Thank You!
Tom Adamski Steve Seymour

Specialist Solutions Architect Principal Specialist Solutions Architect

VPC Design and New Capabilitie 1729106471 180510173437

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VPC Design and New Capabilitie 1729106471 180510173437

Uploaded by

Copyright:

Available Formats

VPC Design and New Capabilities

for Amazon VPC

“A virtual network that

Availability Zone Availability Zone

Choosing an Create subnets in Creating a route Authorizing

CIDR range example:

Avoid ranges that overlap with

eu-west-1a eu-west-1b eu-west-1c

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

VPC subnet VPC subnet VPC subnet

Availability Zone A Availability Zone B

Availability Zone A Availability Zone B Availability Zone C

Instance A Instance B Instance E 172.21.0.0/16

Instance C Instance D Instance F

Availability Zone A Availability Zone B Availability Zone C

• /16 VPC (65,536 addresses)

• Route tables contain rules for which packets go where

Send packets here if you want

“MyWebServers” Security Group

Allow only “MyWebServers”

“MyBackends” Security Group

Allow all HTTP traffic

Allow application traffic

Restricting Connecting to other Connecting to your

Has route to Internet

Has no route to Internet

Public IP: 54.161.0.39

172.31.0.0/16 Step 1 10.55.0.0/16

172.31.0.0/16 Step 1 10.55.0.0/16

172.31.0.0/16 Step 1 10.55.0.0/16

eu-west-1 (Ireland) us-east-1 (N.Virginia)

Inter-Region VPC Peering encrypts with no single point of

Traffic using Inter-Region VPC Peering always stays on the

Two IPSec tunnels

Traffic destined for

VGW Virtual Interface

Direct Connect Location

VGW VGW Virtual Interface

VGW Virtual Interface

Direct Connect Location

Direct Connect Location

VGW VGW Virtual Interface

VGW Virtual Interface

Direct Connect Location

• Both allow secure connections between

Inside of the VPC Outside of the VPC

Route S3-bound traffic

IAM policy at VPC endpoint:

IAM policy at S3 bucket:

Powered by Network Secure endpoint Integrated with

Available in all public AWS regions, except CN-NORTH-1

VPC traffic metadata captured in

25 Gbps 25 Gbps 25 Gbps 5 Gbps

Highly reliable service with a redundant

Tom Adamski Steve Seymour

You might also like