AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud

Post on 23-Jul-2015


© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Kevin Miller, EC2 Networking

May 21, 2015

Deep Dive: Virtual Private Cloud

Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices

ARC205 – VPC Fundamentals and Connectivity
ARC401 – Black Belt Networking for Cloud Ninja
  • Application centric, network monitoring, management, floating IPs
ARC403 – From One to Many: Evolving VPC Design
SDD302 – A Tale of One Thousand Instances
  • Example of EC2-Classic customer adopting VPC
SDD419 – Amazon EC2 Networking Deep Dive
  • Network performance, placement groups, enhanced networking

aws vpc --expert-mode

Topics today

Virtual networking options

EC2-Classic
  Simple to get started – all instances have Internet connectivity, auto-assigned private and public IP addresses
  Inbound security groups

Default VPC
  The best of both
  Get started using the EC2-Classic experience
  If and when needed, begin using any VPC feature you require

VPC
  Advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity
  Enhanced networking
  And more to come...


All accounts created after 12/4/2013 support VPC only and have a default VPC in each region

Confirming your default VPC
  describe-account-attributes
  VPC only

Routing and private connections

Implementing a hybrid architecture
  (diagram: Corporate Data Center connected to the VPC)

Create VPC
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b

Create VPN connection
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

Launch instances
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3

Using AWS Direct Connect
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

Configuring route table
  (diagram: Corporate Data Center 192.168.0.0/16 reached through the VPN gateway)
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC has a single routing table at creation time, used by all subnets

Remote connectivity best practices
  (diagram: Corporate Data Center connected to a VPC spanning two Availability Zones)
  Each VPN connection consists of 2 IPSec tunnels. Use BGP for failure recovery.
  A pair of VPN connections (4 IPSec tunnels total) protects against failure of your customer gateway.
  Redundant AWS Direct Connect connections with VPN backup.

VPC with private and public connectivity
  (diagram: Corporate Data Center 192.168.0.0/16 via the VPN gateway, Internet via the Internet gateway)
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7

Automatic route propagation from VGW
aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with routes present in the VGW

Isolating connectivity by subnet
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
aws ec2 create-route-table --vpc vpc-c15180a4
aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only to other instances and the Internet via the IGW

Software VPN for VPC-to-VPC connectivity
# VPC A
aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 --instance-id i-9c1b693a
Software VPN between these instances
Enabling communication between instances in these subnets; adding routes to the default routing table

Software firewall to the Internet
Routing all traffic from subnets to the Internet via a firewall is conceptually similar
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f

VPC Peering

Shared services VPC using VPC peering
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Provides infrastructure zoning
  Dev: VPC B
  Test: VPC C
  Production: VPC D

VPC peering for VPC-to-VPC connectivity
  VPC A - 10.10.0.0/16 (vpc-c15180a4)
  VPC B - 10.20.0.0/16 (vpc-062dfc63)
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87

VPC peering across accounts
  VPC A - 10.10.0.0/16 (vpc-c15180a4)
  VPC B - 10.20.0.0/16 (vpc-062dfc63), Account ID 472752909333
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87

VPC peering – Additional considerations

Security groups – use IP prefixes to allow access

No “transit” capability for VPN, AWS Direct Connect, or 3rd VPCs

• Example: Cannot access VPC C from VPC A via VPC B

• Workaround: Create a direct peering from VPC A to VPC C

Peer VPC address ranges cannot overlap

• But, you can peer with 2+ VPCs that themselves overlap

• Use subnets/routing tables to pick the VPC to use

VPC peering with software firewall
  VPC A - 10.10.0.0/16   VPC B - 10.20.0.0/16
# Default routing table directs Peer traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Peering
aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87
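The per-subnet routing behind the "Isolating connectivity by subnet", "Software firewall to the Internet" and "VPC peering with software firewall" slides comes down to two rules: a subnet uses its associated route table (or the VPC's main table if it has none), and within that table the most specific matching prefix wins. The following is an added example, not code from the deck or from AWS: it models VPC A's two route tables as a constructed combination of the routes the slides create (identifiers are the deck's), resolves where a packet from a given subnet is sent, and adds a defender's check, `subnets_bypassing_firewall`, that lists subnets whose Internet-bound traffic does not pass through the firewall instance. The implicit `local` route for the VPC's own CIDR is real VPC behaviour; 198.51.100.10 is an RFC 5737 documentation address used as a stand-in Internet destination.

```python
import ipaddress

# Constructed model of VPC A from the slides (10.10.0.0/16); identifiers are the deck's.
VPC_CIDR = ipaddress.ip_network("10.10.0.0/16")

ROUTE_TABLES = {
    # Default (main) routing table: peer and Internet traffic go to the NAT/firewall
    # instance, the corporate network goes to the VPN gateway.
    "rtb-ef36e58a": {
        "192.168.0.0/16": "vgw-f9da06e7",
        "10.20.0.0/16": "i-f832afcc",
        "0.0.0.0/0": "i-f832afcc",
    },
    # Table for the firewall's own subnet 10.10.3.0/24: straight to the IGW / peering.
    "rtb-67a2b31c": {
        "10.20.0.0/16": "pcx-ee56be87",
        "0.0.0.0/0": "igw-5a1ae13f",
    },
}
MAIN_TABLE = "rtb-ef36e58a"

# Explicit subnet associations; a subnet with no association uses the main table.
SUBNET_ASSOCIATIONS = {"10.10.3.0/24": "rtb-67a2b31c"}


def table_for_subnet(subnet_cidr):
    """Route table id a subnet actually uses (explicit association or the main table)."""
    return SUBNET_ASSOCIATIONS.get(subnet_cidr, MAIN_TABLE)


def resolve(subnet_cidr, dst):
    """Return the route target for a packet leaving subnet_cidr towards dst.

    VPC route tables pick the most specific (longest prefix) matching route; the
    implicit 'local' route for the VPC's own CIDR always wins for in-VPC addresses.
    Returns None when no route matches (the packet is dropped).
    """
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in VPC_CIDR:
        return "local"
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[table_for_subnet(subnet_cidr)].items():
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnets_bypassing_firewall(subnets, firewall_id="i-f832afcc"):
    """Defender's check: subnets whose Internet-bound traffic does not traverse the firewall.

    Uses 198.51.100.10 (RFC 5737 documentation range) as a stand-in Internet address.
    The firewall's own subnet is expected in the result; any other subnet listed here
    has been associated with the wrong route table.
    """
    return [s for s in subnets if resolve(s, "198.51.100.10") != firewall_id]


if __name__ == "__main__":
    cases = [("10.10.1.0/24", "198.51.100.10"), ("10.10.3.0/24", "198.51.100.10"),
             ("10.10.1.0/24", "10.20.4.7"), ("10.10.3.0/24", "10.20.4.7"),
             ("10.10.1.0/24", "192.168.7.9"), ("10.10.1.0/24", "10.10.2.5")]
    for subnet, dst in cases:
        print(f"{subnet} -> {dst}: {resolve(subnet, dst)}")
    print("bypassing firewall:",
          subnets_bypassing_firewall(["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]))
```

Running it shows the two tables diverging only for the firewall subnet: 10.10.1.0/24 sends both Internet and peer traffic to i-f832afcc, while 10.10.3.0/24 goes directly to igw-5a1ae13f and pcx-ee56be87. The bypass check is the thing to re-run whenever a new subnet is created, since a subnet with no explicit association silently inherits the main table.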

Enhanced Networking

Latency: Packets per second
  (chart: packet rate between Instance 1 and Instance 2)

Packet processing in Amazon EC2: VIF
  (diagram: instance virtual NICs eth0 and eth1, served by the virtualization layer in front of the physical NIC)

Packet processing in Amazon EC2: SR-IOV
  (diagram: instance eth0 and eth1 use a VF driver bound to a Virtual Function (VF) of the physical NIC, alongside the virtualization layer)

Inter-instance latency
  (chart)

SR-IOV: Is this thing on?
It may already be!
For many newer AMIs, enhanced networking is already on:
  Newest Amazon Linux AMIs
  Windows Server 2012 R2 AMI
No need to configure

SR-IOV: Is this thing on? (Linux)
No:
[ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
driver: vif
version:
firmware-version:
bus-info: vif-0

Yes!
[ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0

SR-IOV: Is this thing on? (Windows)
  (screenshots: No / Yes!)
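The Linux check above is a one-liner by hand, but in a fleet you want it as code that can be run over `ethtool -i` output from many hosts. The following is an added example, not from the deck or from AWS: it parses the two outputs the slide shows (the sample strings are constructed to match them) and classifies the interface. The `on-old-driver` state and the minimum version tuple are my assumptions, derived from the deck's "ixgbevf 2.14.2+ module" requirement.

```python
# Constructed sample outputs matching the two slides (not captured from the deck's instances).
SAMPLE_VIF = """\
driver: vif
version:
firmware-version:
bus-info: vif-0
"""

SAMPLE_IXGBEVF = """\
driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0
"""

# Driver the deck associates with SR-IOV enhanced networking on Linux.
SRIOV_DRIVERS = {"ixgbevf"}
MIN_IXGBEVF = (2, 14, 2)   # deck: "ixgbevf 2.14.2+ module" (assumed minimum)


def parse_ethtool_info(output):
    """Turn `ethtool -i <iface>` output into a dict; empty values stay empty strings."""
    info = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def driver_version(info):
    """Numeric tuple from a version string such as '2.14.2+amzn'; None if unparsable."""
    version = info.get("version", "")
    digits = version.split("+")[0].split("-")[0]
    try:
        return tuple(int(part) for part in digits.split("."))
    except ValueError:
        return None


def enhanced_networking_status(output):
    """Classify one interface: 'on', 'on-old-driver' (VF driver below the minimum), or 'off'."""
    info = parse_ethtool_info(output)
    if info.get("driver", "") not in SRIOV_DRIVERS:
        return "off"
    version = driver_version(info)
    if version is None or version < MIN_IXGBEVF:
        return "on-old-driver"
    return "on"


if __name__ == "__main__":
    for name, sample in [("vif host", SAMPLE_VIF), ("ixgbevf host", SAMPLE_IXGBEVF)]:
        print(f"{name}: {enhanced_networking_status(sample)}")
```

Feed it the captured output of `ethtool -i eth0` from each instance; a result of `off` on an instance type the deck lists as SR-IOV capable is the signal to run the walkthrough that follows.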

AMI/instance support for SR-IOV

C3, C4, I2, D2, R3 instance families: 23 types

HVM virtualization type

Required kernel version

• Linux: 2.6.32+

• Windows: Server 2008 R2+

Appropriate VF driver

• Linux: ixgbevf 2.14.2+ module

• Windows: Intel® 82599 Virtual Function driver

Walkthrough: Enabling enhanced networking (Amazon Linux)
  AMI: amzn-ami-hvm-2012.03.1.x86_64-ebs (virtualization type: hvm)
  --attribute sriovNetSupport
    InstanceId i-37c5d1d9
    Not yet!
  [ec2-user@ip-10-0-3-125 ~]$ sudo yum update
    OS update
  reboot-instances
    Reboot (OS update)

Walkthrough: Enabling enhanced networking (Windows)
  Add to Windows driver store

Walkthrough: Enabling enhanced networking (All EBS-backed instances)
  stop-instances
    Stop the instance
  --sriov-net-support simple
    Enable SR-IOV
    Cannot be undone
  start-instances
    Start
  --attribute sriovNetSupport
    InstanceId i-37c5d1d9
    Value simple
    We’re on

VPC Endpoints for Amazon S3

VPC Endpoints for Amazon S3
Highly reliable
Designed for the largest workloads
Use S3 from VPC without an Internet Gateway or NAT instance
Additional security controls

VPC Endpoints for Amazon S3
  (diagram: Instance in the VPC → VPC Router → VPC Endpoint vpce-abcd1234 → ‘mypics’ Bucket in the region)

Creating a VPC Endpoint
ec2-create-vpc-endpoint

VPC Endpoints for Amazon S3
Application resolves mypics.s3.amazonaws.com
DNS responds with the usual IP addresses for Amazon S3
Application connects to the chosen IP address

VPC Endpoints for Amazon S3
Destination    Target
pl-1a2b3c4d    vpce-abcd1234
Prefix List com.amazonaws.us-west-1.s3

VPC Endpoints for Amazon S3
VPC Endpoint Policy
IAM Policy on VPC Endpoint vpce-abcd1234
  Allow access to bucket A
  Deny access to other buckets

VPC Endpoints for Amazon S3
S3 Bucket Policy
IAM Policy on bucket ‘mypics’
  Allow access from vpce-abcd1234
  Deny all other
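The two policies on the last slides are complementary: the endpoint policy limits which buckets can be reached through the endpoint (data cannot be pushed to some other bucket from inside the VPC), and the bucket policy limits the bucket to requests arriving through that endpoint (it cannot be read from the Internet even with valid credentials). The following is an added example, not code from the deck or from AWS: it builds both policy documents and runs a deliberately simplified evaluator over them so the four interesting request cases can be checked offline. The condition key `aws:sourceVpce` and the `StringNotEquals`-in-a-Deny pattern are real; the slide's "deny other buckets" is realised by the endpoint policy simply not allowing them. The evaluator ignores the caller's identity policy (assumed to allow) and the bucket name, endpoint id and `vpce-ffff0000` are the deck's values plus one constructed placeholder.

```python
import json
from fnmatch import fnmatchcase

BUCKET = "mypics"              # from the deck
ENDPOINT_ID = "vpce-abcd1234"  # from the deck


def bucket_arns(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def endpoint_policy(bucket):
    """Policy attached to the endpoint: only this bucket is reachable through it.

    Any other bucket matches no Allow statement and is therefore implicitly denied.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowOnlyBucketA",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": bucket_arns(bucket),
    }]}


def bucket_policy(bucket, endpoint_id):
    """Policy attached to the bucket: explicitly deny anything not arriving via the endpoint.

    aws:sourceVpce is the condition key S3 sees for requests through a VPC endpoint;
    StringNotEquals also matches when the key is absent (a request from the Internet).
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": bucket_arns(bucket),
        "Condition": {"StringNotEquals": {"aws:sourceVpce": endpoint_id}},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, context):
    """Does this statement apply to the request? Wildcards in Action/Resource, string conditions only."""
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != wanted:
                return False
            if operator == "StringNotEquals" and actual == wanted:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM decision: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def request_allowed(action, resource, context):
    """Combine both policies for one request; the caller's identity policy is assumed to allow.

    context holds request condition keys: {"aws:sourceVpce": "vpce-abcd1234"} for a request
    that left the VPC through our endpoint, {} for a request from the Internet.
    """
    if context.get("aws:sourceVpce") == ENDPOINT_ID:
        # Traffic through our endpoint is filtered by the endpoint policy first.
        if evaluate(endpoint_policy(BUCKET), action, resource, context) != "Allow":
            return False
    return evaluate(bucket_policy(BUCKET, ENDPOINT_ID), action, resource, context) != "Deny"


if __name__ == "__main__":
    print(json.dumps(endpoint_policy(BUCKET), indent=2))
    print(json.dumps(bucket_policy(BUCKET, ENDPOINT_ID), indent=2))
    via_endpoint = {"aws:sourceVpce": ENDPOINT_ID}
    print("GET mypics via endpoint:", request_allowed("s3:GetObject", "arn:aws:s3:::mypics/photo.jpg", via_endpoint))
    print("PUT other bucket via endpoint:", request_allowed("s3:PutObject", "arn:aws:s3:::other-bucket/x", via_endpoint))
    print("GET mypics from Internet:", request_allowed("s3:GetObject", "arn:aws:s3:::mypics/photo.jpg", {}))
```

The evaluator only models what the two slides describe (string conditions, one endpoint, no identity policy), so treat its verdicts as a sanity check on the policy shape, not a substitute for AWS's own evaluation. The point worth keeping is the asymmetry: the endpoint policy is what stops data leaving the VPC to an unapproved bucket, and only the bucket policy's explicit Deny stops the bucket being reached from anywhere else.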

AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.

Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place

Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking

Registration is now open
• Come and see what AWS and the cloud can do for you.

CTA Script
- If you are interested in learning more about how to navigate the cloud to grow your business - then attend the AWS Summit Chicago, July 1st.
- Register today to learn from technical sessions led by AWS engineers, hear best practices from AWS customers and partners, and participate in some of the 30+ paid sessions and labs.
- Simply go to https://aws.amazon.com/summits/chicago/?trkcampaign=summit_chicago_bootcamps&trk=Webinar_slide to register today.
- Registration is FREE.

TRACKING CODE:
- Listed above.

Thank You!!