Chris Swan's VPC presentation from the Brighton AWS user group

Post on 12-Apr-2017


Chris Swan, CTO, @cpswan

AWS VPC

© 2015

Why VPCs?


VPCs

Containment of traffic

Layer 3 construct (not a VLAN)

Control over IP addressing

RFC1918

Instance private IP sustained over start/stop

Something to connect into

VPNs

Direct connect

Amazon was filling up the original 10.0.0.0/8 in US-East-1?


VPCs are Region bounded

Subnets are Availability Zone (AZ) bounded


VPCs are a regional construct

[Diagram: region US-East-1 containing "My VPC", 172.31.0.0/16]


Subnets fit into availability zones

[Diagram: region US-East-1, availability zone US-East-1E; "My VPC" 172.31.0.0/16 contains the subnet "My Pub-1E" 172.31.5.0/24 inside that AZ]


Public subnets attach to the Internet via a gateway

[Diagram: region US-East-1, AZ US-East-1E; "My VPC" 172.31.0.0/16 with subnet "My Pub-1E" 172.31.5.0/24 attached to the Internet through an IGW (Internet gateway)]


Private subnets aren’t Internet attached

[Diagram: region US-East-1, AZ US-East-1E; "My VPC" 172.31.0.0/16 with "My Pub-1E" 172.31.5.0/24 attached to the IGW, and "My Priv-1E" 172.31.6.0/24 with no path to the Internet]


Private subnets can route out via a NAT VM

[Diagram: region US-East-1, AZ US-East-1E; "My VPC" 172.31.0.0/16 with "My Pub-1E" 172.31.5.0/24 (IGW attached) hosting a NAT instance, and "My Priv-1E" 172.31.6.0/24 routing outbound through that NAT]


In region redundancy across AZs

[Diagram: region US-East-1 with two AZs. US-East-1E: "My Pub-1E" 172.31.5.0/24 (IGW, NAT) and "My Priv-1E" 172.31.6.0/24. US-East-1A: "My Pub-1A" 172.31.1.0/24 (IGW, NAT) and "My Priv-1A" 172.31.2.0/24. All inside "My VPC" 172.31.0.0/16, each private subnet using the NAT in its own AZ]

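The public/private/NAT slides above describe route-table behaviour: a subnet is "public" only because its route table sends 0.0.0.0/0 to the IGW, a private subnet sends it to a NAT instead, and the two-AZ layout works only if each private subnet's NAT sits in its own AZ. The following Python model, an added example rather than anything from Chris Swan's deck, uses constructed subnet and route-table data mirroring the diagrams; the target labels ("igw", "nat-1e", "nat-1a") are hypothetical stand-ins for AWS resource IDs.

```python
import ipaddress

# Constructed model of the deck's two-AZ layout (not real AWS objects).
VPC_CIDR = "172.31.0.0/16"

SUBNETS = {
    "Pub-1E":  {"cidr": "172.31.5.0/24", "az": "us-east-1e", "rtb": "public"},
    "Priv-1E": {"cidr": "172.31.6.0/24", "az": "us-east-1e", "rtb": "private-1e"},
    "Pub-1A":  {"cidr": "172.31.1.0/24", "az": "us-east-1a", "rtb": "public"},
    "Priv-1A": {"cidr": "172.31.2.0/24", "az": "us-east-1a", "rtb": "private-1a"},
}
# NAT instances live in the public subnets, one per AZ (hypothetical names).
NAT_SUBNET = {"nat-1e": "Pub-1E", "nat-1a": "Pub-1A"}

ROUTE_TABLES = {
    "public":     [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")],
    "private-1e": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-1e")],
    "private-1a": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-1a")],
}


def lookup(routes, dst_ip):
    """Longest-prefix match over a route table; None means no route (dropped)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def next_hop(subnets, route_tables, subnet_name, dst_ip):
    """Resolve a destination through the route table associated with a subnet."""
    return lookup(route_tables[subnets[subnet_name]["rtb"]], dst_ip)


def is_public(subnets, route_tables, subnet_name):
    """Public means the default route goes straight to the Internet gateway.
    198.51.100.1 (TEST-NET-2) is used as a representative external address."""
    return next_hop(subnets, route_tables, subnet_name, "198.51.100.1") == "igw"


def az_redundancy_problems(subnets, route_tables, nat_subnet):
    """A private subnet whose egress NAT sits in another AZ loses Internet
    access when that other AZ fails; return every such mismatch."""
    problems = []
    for name, sub in subnets.items():
        if is_public(subnets, route_tables, name):
            continue
        hop = next_hop(subnets, route_tables, name, "198.51.100.1")
        if hop not in nat_subnet:
            problems.append((name, f"no NAT egress (next hop {hop})"))
            continue
        nat_az = subnets[nat_subnet[hop]]["az"]
        if nat_az != sub["az"]:
            problems.append((name, f"NAT {hop} is in {nat_az}, subnet is in {sub['az']}"))
    return problems


if __name__ == "__main__":
    print("Priv-1E -> 8.8.8.8 via", next_hop(SUBNETS, ROUTE_TABLES, "Priv-1E", "8.8.8.8"))
    print("Pub-1E  -> 172.31.6.10 via", next_hop(SUBNETS, ROUTE_TABLES, "Pub-1E", "172.31.6.10"))
    print("redundancy problems:", az_redundancy_problems(SUBNETS, ROUTE_TABLES, NAT_SUBNET))
```

Pointing both private route tables at a single NAT (say "nat-1e") makes `az_redundancy_problems` report "Priv-1A", which is exactly the single-AZ dependency the redundancy slide is warning against.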

VPC interconnectivity


VPC VPN gateways

[Diagram: the same two-AZ layout in region US-East-1 ("My VPC" 172.31.0.0/16; US-East-1E with "My Pub-1E" 172.31.5.0/24 (IGW, NAT) and "My Priv-1E" 172.31.6.0/24; US-East-1A with "My Pub-1A" 172.31.1.0/24 (IGW, NAT) and "My Priv-1A" 172.31.2.0/24), with VPN gateway connections shown for both AZs]


3rd Party VPN gateways

(e.g. Cohesive Networks VNS3)

[Diagram: the same two-AZ layout in region US-East-1 ("My VPC" 172.31.0.0/16; "My Pub-1E" 172.31.5.0/24 and "My Pub-1A" 172.31.1.0/24 each with an IGW; "My Priv-1E" 172.31.6.0/24 and "My Priv-1A" 172.31.2.0/24), with a third-party VPN appliance in each public subnet in place of the NAT instance]


Direct connect

[Diagram: region US-East-1, AZs US-East-1E and US-East-1A; "My VPC" 172.31.0.0/16 with only the private subnets "My Priv-1E" 172.31.6.0/24 and "My Priv-1A" 172.31.2.0/24, reached over Direct Connect links (DC, DC) rather than an IGW]


Secured Direct connect

[Diagram: as the Direct Connect slide (region US-East-1, "My VPC" 172.31.0.0/16, "My Priv-1E" 172.31.6.0/24 and "My Priv-1A" 172.31.2.0/24, DC links in both AZs), with a VPN (VPN, VPN) carried over each Direct Connect link]


VPC peering

[Diagram: region US-East-1 with "My VPC" 172.31.0.0/16 peered to "My other VPC" 172.30.0.0/16]


Addressing


VPC addresses

Must be RFC 1918

10.0.0.0

172.16-31.0.0

192.168.0.0

(Bring your own IPs by using overlay networks like VNS3)

Can’t be larger than a /16

Beware of defaults
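The addressing rules above (RFC 1918 only, nothing larger than a /16) and the earlier peering slide (two VPCs with non-overlapping /16s) are easy to check mechanically before any CIDR is committed. The following Python is an added example, not part of the deck, using the standard library `ipaddress` module; the subnet plan is the one from the diagrams and the overlap cases are constructed. One note on "beware of defaults": AWS assigns a default VPC the range 172.31.0.0/16, the same range the deck's "My VPC" uses, so two such VPCs could never be peered.

```python
import ipaddress

# The three RFC 1918 private ranges (the deck lists them by first octets).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The subnet plan from the deck's diagrams (IPv4 only in this example).
DECK_VPC = "172.31.0.0/16"
DECK_SUBNETS = {
    "My Pub-1E": "172.31.5.0/24",
    "My Priv-1E": "172.31.6.0/24",
    "My Pub-1A": "172.31.1.0/24",
    "My Priv-1A": "172.31.2.0/24",
}


def vpc_cidr_problems(cidr):
    """Return the reasons a CIDR is unusable as a VPC range under the deck's rules
    (RFC 1918, no larger than a /16); an empty list means it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: host bits set is an error
    except ValueError as e:
        return [f"invalid CIDR: {e}"]
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not RFC 1918")
    if net.prefixlen < 16:
        problems.append("larger than /16")
    return problems


def subnet_plan_problems(vpc_cidr, subnets):
    """subnets: {name: cidr}. Flag subnets outside the VPC and overlapping pairs."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = [f"{name} {net} is outside {vpc}"
                for name, net in nets.items() if not net.subnet_of(vpc)]
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def can_peer(cidr_a, cidr_b):
    """Peered VPCs route directly between each other, so their ranges must not overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    print("VPC", DECK_VPC, "problems:", vpc_cidr_problems(DECK_VPC))
    print("subnet plan problems:", subnet_plan_problems(DECK_VPC, DECK_SUBNETS))
    print("peer 172.31/16 with 172.30/16:", can_peer("172.31.0.0/16", "172.30.0.0/16"))
    print("peer two default-style 172.31/16 VPCs:", can_peer("172.31.0.0/16", "172.31.0.0/16"))
```

The `/16` check compares prefix lengths, so `10.0.0.0/8` is rejected as too large while `10.10.0.0/16` and `192.168.0.0/16` pass.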


Public IPs

Can be auto assigned

Subnet will default to enabled or disabled

Can be overridden when launching instances

Not persistent

Elastic IPs (EIPs)

Region (not VPC) bounded

Reassignable between instances

Persistent

No tagging or unique identifier


Security


Security groups

Apply at the instance level

May reference other groups

Can have multiple groups per instance

Act as whitelists of what can get through

Rules evaluated in aggregate

VPC bounded

Stateful

May use IETF protocol numbers in addition to TCP and UDP

e.g. IPsec, GRE


ACLs

Apply at the subnet level

Allow and deny (blacklist)

Rules processed in order

Stateless
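The two security slides list properties that are easiest to see side by side: security groups are instance-level whitelists evaluated in aggregate across every attached group, stateful, and may name another group as a source or use a protocol number; network ACLs are subnet-level, carry both allow and deny, are processed in rule-number order with first match winning, and are stateless, so a reply needs its own rule. The Python model below is an added example (not from the deck) with constructed group names, instances, addresses and rule sets; it simplifies the real services to the behaviours the slides describe.

```python
import ipaddress
from dataclasses import dataclass

# --- Security groups: instance level, whitelist only, aggregate, stateful ---

@dataclass(frozen=True)
class SGRule:
    proto: str       # "tcp", "udp", or an IANA protocol number such as "50" (ESP) or "47" (GRE)
    from_port: int   # ignored for protocols without ports
    to_port: int
    source: str      # a CIDR, or the name of another security group

# Constructed groups, instances and addresses for the example.
GROUPS = {
    "web": [SGRule("tcp", 443, 443, "0.0.0.0/0")],
    "app": [SGRule("tcp", 8080, 8080, "web")],        # source is a group reference
    "vpn": [SGRule("50", 0, 0, "203.0.113.0/24")],    # IPsec ESP by protocol number
}
INSTANCE_GROUPS = {"web-1": {"web"}, "app-1": {"app", "vpn"}}
INSTANCE_IP = {"web-1": "172.31.5.10", "app-1": "172.31.6.10"}


def _source_matches(rule, src_ip):
    if rule.source in GROUPS:
        # Group reference: the sender must be an instance with that group attached.
        return any(ip == src_ip and rule.source in INSTANCE_GROUPS[name]
                   for name, ip in INSTANCE_IP.items())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def sg_allows(dst_instance, src_ip, proto, port=None):
    """True if ANY rule in ANY group attached to dst_instance matches.
    There are no deny rules; anything unmatched is dropped. Being stateful,
    replies to an allowed flow need no separate check."""
    for group in INSTANCE_GROUPS[dst_instance]:
        for rule in GROUPS[group]:
            if rule.proto != proto:
                continue
            if proto in ("tcp", "udp") and not (rule.from_port <= port <= rule.to_port):
                continue
            if _source_matches(rule, src_ip):
                return True
    return False


# --- Network ACLs: subnet level, allow and deny, ordered, stateless ---

# (rule_number, action, proto, from_port, to_port, cidr); constructed for Priv-1E.
NACL_IN = [
    (100, "allow", "tcp", 8080, 8080, "172.31.5.0/24"),
    (200, "deny",  "tcp", 22, 22, "0.0.0.0/0"),
]
NACL_OUT = [
    # Replies back to Pub-1E use ephemeral source ports; without this rule the
    # stateless ACL drops them even though the request itself was allowed.
    (100, "allow", "tcp", 1024, 65535, "172.31.5.0/24"),
]


def nacl_allows(rules, ip, proto, port):
    """First matching rule in ascending number order decides; no match is the implicit deny."""
    for _num, action, rproto, from_port, to_port, cidr in sorted(rules):
        if rproto != proto or not (from_port <= port <= to_port):
            continue
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


def nacl_flow_allowed(src_ip, src_port, dst_port, inbound=NACL_IN, outbound=NACL_OUT):
    """A TCP exchange through a stateless ACL needs the request AND the reply to pass."""
    request_ok = nacl_allows(inbound, src_ip, "tcp", dst_port)
    reply_ok = nacl_allows(outbound, src_ip, "tcp", src_port)
    return request_ok and reply_ok


if __name__ == "__main__":
    print("web-1 :443 from Internet ->", sg_allows("web-1", "198.51.100.7", "tcp", 443))
    print("app-1 :8080 from web-1   ->", sg_allows("app-1", INSTANCE_IP["web-1"], "tcp", 8080))
    print("app-1 ESP from 203.0.113.9 ->", sg_allows("app-1", "203.0.113.9", "50"))
    print("NACL flow with reply rule ->", nacl_flow_allowed("172.31.5.10", 40000, 8080))
    print("NACL flow, no reply rule  ->", nacl_flow_allowed("172.31.5.10", 40000, 8080, outbound=[]))
    deny_first = [(90, "deny", "tcp", 0, 65535, "172.31.5.0/24")] + NACL_IN
    print("NACL with deny at rule 90 ->", nacl_allows(deny_first, "172.31.5.10", "tcp", 8080))
```

The last line of the demo shows the ordering point from the ACL slide: a deny numbered 90 wins over the allow at 100 for the same traffic, whereas adding rules to a security group can only ever widen what is permitted.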


If you want to learn more

On Slideshare (not by me):

AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)

http://is.gd/AWSVPC