(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options | AWS re:Invent 2014

Description

In this session, we will walk through the fundamentals of Amazon Virtual Private Cloud (VPC). First, we will cover build-out and design fundamentals for VPC, including picking your IP space, subnetting, routing, security, NAT, and much more. We will then transition into different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks AWS makes available with VPC and how you can connect this with your offices and current data center footprint.

Transcript of (ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options | AWS re:Invent 2014

Page 1: (ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options | AWS re:Invent 2014
Page 8 (diagram labels): Object Storage, CDN, User, Web, DNS, http://www.example.com, Internet Gateway

Page 9 (diagram labels): Internal User, VPN Gateway, Router / Firewall, Corporate Data Center, http://internal-app, Web, VPN over the Internet

Page 10 (diagram labels): Active Directory, Network configuration, Encryption, Backup appliances, Your on-premises apps, Users and access rules, Your private network, HSM appliance, Cloud backups, Your cloud apps, AWS Direct Connect, Corporate data centers

Page 11 (diagram labels): Corporate Data Center with Web Server, Application Server, DB Server and Data Volume; Data Mirroring / Replication to EC2 Web Server, EC2 Application Server, EC2 DB Server and Amazon Elastic Block Store (EBS) Data Volume; User; Amazon Route 53

Callouts on the slide: Amazon Elastic Compute Cloud (EC2) instances are stopped. Instances can be restarted if the primary application goes down. Smaller EC2 instance for DB, but it can be stopped and restarted as a larger EC2 instance. Repoint DNS in an outage.

Page 13 (VPC components shown): Route table, Elastic network interface, Amazon VPC Router, Internet gateway, Customer gateway, Virtual private gateway, VPN connection, Subnet, Elastic IP

Page 14 (diagram labels): Availability Zone A, Availability Zone B; VPC CIDR: 10.1.0.0/16

Page 15 (diagram labels): Subnet 10.1.1.0/24 in Availability Zone A, Subnet 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16

Page 16 (diagram labels): Subnet 10.1.1.0/24 in Availability Zone A, Subnet 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16; Internet Gateway to the Internet and AWS Public API Endpoints

Page 17 (diagram labels): Subnet 10.1.1.0/24 in Availability Zone A, Subnet 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16; VPN Gateway connected by VPN over the Internet to the Customer Gateway in the Corporate Data Center; Internal User

Page 18: same diagram as page 17

Page 19:

• By default, every subnet can talk to every other subnet
• Enabled by a virtual router that sits in a star topology between all subnets
• VPC DHCP service hands out a .1 default gateway to each instance coming up in a subnet (in a /24 subnet)

Diagram labels: Public Subnet and Private Subnet in Availability Zone A, Public Subnet and Private Subnet in Availability Zone B; Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; VPC CIDR: 10.1.0.0/16; the router is at .1 in each subnet

Page 20 (diagram labels): Subnet 10.1.1.0/24 in Availability Zone A, Subnet 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16; Internet Gateway to the Internet and AWS Public API Endpoints

Route Table
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      igw

Page 21 (diagram labels): Subnet 10.1.1.0/24 in Availability Zone A, Subnet 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16; VPN Gateway connected by VPN over the Internet to the Customer Gateway in the Corporate Data Center; Internal User

Page 22 (diagram labels): Subnet: 10.1.1.0/24 in Availability Zone A, Subnet: 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16; Internet Gateway to the Internet and AWS Public API Endpoints; an EIP in each subnet

Route Table
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      igw

Page 23 (diagram labels): Subnet: 10.1.1.0/24 in Availability Zone A, Subnet: 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16; Internet Gateway to the Internet and AWS Public API Endpoints; an ENI (eth0) in each subnet

Route Table
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      igw

Page 24 (diagram labels): Availability Zone A, Availability Zone B; VPC CIDR: 10.1.0.0/16; three VPC Subnets, each with an ACL

Page 25 (diagram labels): Subnet: 10.1.1.0/24 in Availability Zone A, Subnet: 10.1.10.0/24 in Availability Zone B; VPC CIDR: 10.1.0.0/16; Security Group

Page 26 (diagram labels): VPC 10.1.0.0/16; Virtual Router; two Route Tables; Internet Gateway; Virtual Private Gateway

Page 27 (diagram): VPC 10.1.0.0/16 with a VPC Public Subnet and a VPC Private Subnet

Public subnet: NAT Instance (Public: 54.200.129.18, Private: 10.1.1.11/24); Web Server (Public: 54.200.129.29, Private: 10.1.1.12/24)
Private subnet: Database Servers at 10.1.10.3/24, 10.1.10.4/24 and 10.1.10.5/24
Gateways: IGW to the AWS Public API Endpoints; VGW to the CGW over VPN or Direct Connect

Public subnet Route Table
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      igw

Private subnet Route Table
Destination    Target
10.1.0.0/16    local
172.16.0.0/8   vgw
0.0.0.0/0      NAT
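The two route tables on this slide decide where a packet leaves its subnet by longest prefix match. The Python below is an added example (not from the deck) that reproduces that lookup for the slide's public and private tables; the destinations it traces are constructed samples. It also flags a destination whose written form has host bits set: a route destination is a prefix, so 172.16.0.0/8 denotes the same prefix as 172.0.0.0/8, and a routing review should confirm which range was intended.

```python
"""Longest-prefix-match lookup over the slide's two VPC route tables.
Added example, not from the deck; traced destinations are constructed."""
import ipaddress

# Public subnet route table, as shown on the slide.
PUBLIC_ROUTES = [("10.1.0.0/16", "local"), ("0.0.0.0/0", "igw")]

# Private subnet route table, as shown on the slide.
PRIVATE_ROUTES = [("10.1.0.0/16", "local"), ("172.16.0.0/8", "vgw"), ("0.0.0.0/0", "NAT")]


def normalize_route(destination):
    """Return (network, host_bits_set).

    A route destination is a prefix: only the first prefixlen bits count, so
    '172.16.0.0/8' denotes the same prefix as '172.0.0.0/8'. Flagging the
    mismatch lets a design review confirm the intended range."""
    net = ipaddress.ip_network(destination, strict=False)
    return net, str(net) != destination


def lookup(routes, dst_ip):
    """Target for dst_ip by longest prefix match; 'local' always beats the default."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for destination, target in routes:
        net, _ = normalize_route(destination)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route for {dst_ip}")
    return best[1]


def routes_with_host_bits(routes):
    """Design-review check: destinations whose written form is not the prefix."""
    return [destination for destination, _ in routes if normalize_route(destination)[1]]


if __name__ == "__main__":
    # Constructed destinations: a database server in the VPC, an on-premises
    # host, and a public endpoint (203.0.113.0/24 is a documentation range).
    for ip in ("10.1.10.3", "172.16.5.9", "203.0.113.10"):
        print(f"{ip}: public subnet -> {lookup(PUBLIC_ROUTES, ip)}, "
              f"private subnet -> {lookup(PRIVATE_ROUTES, ip)}")
    print("destinations with host bits set:", routes_with_host_bits(PRIVATE_ROUTES))
```

Note that the public subnet table has no vgw route, so from the web server an on-premises destination follows the default route to the igw; only the private subnet reaches the data center over the VPN.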

Page 29:

Examples of “high blast radius” VPC API calls that should be restricted:

AttachInternetGateway
AssociateRouteTable
CreateRoute
DeleteCustomerGateway
DeleteInternetGateway
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteRoute
DeleteRouteTable
DeleteDhcpOptions
ReplaceNetworkAclAssociation
DisassociateRouteTable

Page 30:

• Consider future AWS region expansion
• Consider future connectivity to your internal networks
• Consider applications your VPC will host
• Consider subnet design
• VPC can be /16 down to /28
• CIDR cannot be modified after creation
• Overlapping IP spaces = future headache

Page 32 (diagram labels): VPC Subnet, Elastic Network Interface, Security Group, Network ACL

Page 33 (diagram labels): Instance, VPC Subnet with NACL

Page 37:

• Problem: If my instance fails or I need to upgrade it, I need to push traffic to another instance with the same public and private IP addresses and same network interface
• Solution: Deploy your application in VPC and use an ENI on eth1 that can be moved between instances and retain same MAC, public, and private IP addresses
• Pros
  – Since we are moving the ENI, DNS will not need to be updated
  – Fallback is as easy as moving the ENI back to the original instance
  – Anything pointing to the public or private IP on the instance will not need to be updated
  – ENIs can be moved across instances in a subnet

Diagram labels: Virtual Private Cloud, Availability Zone, VPC Subnet, EC2, EC2, ENI (eth1), Amazon Route 53
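The failover on this slide, written as an added example (not from the deck) against the boto3 EC2 client methods describe_network_interfaces, describe_instances, detach_network_interface and attach_network_interface. FakeEc2 is a constructed in-memory stand-in for that client so the block runs offline, and every identifier in it is a placeholder. The move refuses eth0 (the primary interface cannot be detached) and refuses a target outside the ENI's subnet, the two constraints the slide's pros rely on; a real run would pass a boto3 client in place of FakeEc2.

```python
"""Move a secondary ENI (eth1) between instances to fail over or fall back.
Added example, not from the deck. FakeEc2 stands in for boto3.client("ec2");
all identifiers are constructed placeholders."""


def move_eni(ec2, eni_id, target_instance_id, device_index=1):
    """Detach eni_id from its current instance and attach it to the target.

    The MAC, private IP and any associated public IP stay with the ENI, so
    nothing that points at those addresses needs to change."""
    eni = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
    attachment = eni.get("Attachment")
    if attachment and attachment.get("DeviceIndex") == 0:
        raise ValueError("eth0 is the primary interface and cannot be moved")
    target = ec2.describe_instances(InstanceIds=[target_instance_id])["Reservations"][0]["Instances"][0]
    if target["SubnetId"] != eni["SubnetId"]:
        raise ValueError("target instance is not in the ENI's subnet")
    if attachment:
        if attachment["InstanceId"] == target_instance_id:
            return eni  # already where we want it
        ec2.detach_network_interface(AttachmentId=attachment["AttachmentId"], Force=True)
    ec2.attach_network_interface(NetworkInterfaceId=eni_id, InstanceId=target_instance_id,
                                 DeviceIndex=device_index)
    return ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]


class FakeEc2:
    """Minimal in-memory stand-in for the boto3 EC2 client (constructed)."""

    def __init__(self, eni, instances):
        self.eni, self.instances, self.calls, self._next = eni, instances, [], 1

    def describe_network_interfaces(self, NetworkInterfaceIds):
        assert NetworkInterfaceIds == [self.eni["NetworkInterfaceId"]]
        return {"NetworkInterfaces": [dict(self.eni)]}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def detach_network_interface(self, AttachmentId, Force=False):
        assert self.eni["Attachment"]["AttachmentId"] == AttachmentId
        self.calls.append(("detach", AttachmentId))
        self.eni.pop("Attachment")

    def attach_network_interface(self, NetworkInterfaceId, InstanceId, DeviceIndex):
        self.calls.append(("attach", InstanceId))
        self.eni["Attachment"] = {"AttachmentId": f"eni-attach-{self._next}",
                                  "InstanceId": InstanceId, "DeviceIndex": DeviceIndex}
        self._next += 1
        return {"AttachmentId": self.eni["Attachment"]["AttachmentId"]}


def sample_environment():
    """Constructed placeholders: an eth1 ENI on a primary, a standby in the
    same subnet, and an instance in a different subnet."""
    eni = {"NetworkInterfaceId": "eni-0example0", "SubnetId": "subnet-0example0",
           "PrivateIpAddress": "10.1.1.50", "MacAddress": "02:00:00:00:00:01",
           "Attachment": {"AttachmentId": "eni-attach-0", "InstanceId": "i-0primary0",
                          "DeviceIndex": 1}}
    instances = {"i-0primary0": {"InstanceId": "i-0primary0", "SubnetId": "subnet-0example0"},
                 "i-0standby0": {"InstanceId": "i-0standby0", "SubnetId": "subnet-0example0"},
                 "i-0otheraz0": {"InstanceId": "i-0otheraz0", "SubnetId": "subnet-0other00"}}
    return FakeEc2(eni, instances)


if __name__ == "__main__":
    ec2 = sample_environment()
    moved = move_eni(ec2, "eni-0example0", "i-0standby0")
    print("failover:", moved["Attachment"]["InstanceId"], moved["PrivateIpAddress"], moved["MacAddress"])
    back = move_eni(ec2, "eni-0example0", "i-0primary0")
    print("fallback:", back["Attachment"]["InstanceId"], ec2.calls)
```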

Page 38:

• Tagging strategy should be part of early design
• Project code, cost center, environment, version, team, business unit
• Tag resources right after creation
• Tags supported for resource permissions
• AWS Billing also supports tags
• Tight IAM controls on the creation and editing of tags

Page 40:

Use Amazon EC2 run resource permissions to control:
• What AMI can be launched
• What VPC or subnet can be targeted
• What security groups must be in place
• Which VPCs allow peering

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html

For more policy examples:

Page 41:

http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
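One way to turn the guidance of pages 29 and 40 into a policy: an explicit deny on the twelve "high blast radius" calls listed on page 29, and a RunInstances allowance scoped to one VPC's subnets and one security group. This is an added example, not a policy from the deck or from AWS documentation; the account, region and resource ids are constructed placeholders, and evaluate() is a teaching model of IAM's decision order (explicit deny wins, then a matching allow, otherwise implicit deny), not the real authorization engine.

```python
"""IAM scoping for VPC: deny topology changes, launch only into one VPC.
Added example, not from the deck; ids are constructed placeholders."""
import fnmatch
import json

# The twelve actions listed on the "high blast radius" slide.
HIGH_BLAST_RADIUS_ACTIONS = [
    "AttachInternetGateway", "AssociateRouteTable", "CreateRoute",
    "DeleteCustomerGateway", "DeleteInternetGateway", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "DeleteRoute", "DeleteRouteTable",
    "DeleteDhcpOptions", "ReplaceNetworkAclAssociation", "DisassociateRouteTable",
]

# Constructed placeholder identifiers (not from the deck).
ACCOUNT, REGION = "123456789012", "us-west-2"
PREFIX = f"arn:aws:ec2:{REGION}:{ACCOUNT}"
VPC_ARN = f"{PREFIX}:vpc/vpc-0example0"
SUBNET_ARN = f"{PREFIX}:subnet/subnet-0example0"
SG_ARN = f"{PREFIX}:security-group/sg-0example0"


def build_policy():
    """Explicit deny on the listed calls; RunInstances only into VPC_ARN with SG_ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyHighBlastRadiusVpcCalls", "Effect": "Deny",
             "Action": [f"ec2:{a}" for a in HIGH_BLAST_RADIUS_ACTIONS], "Resource": "*"},
            # RunInstances is authorised against every resource it touches;
            # the subnet is where the VPC condition applies.
            {"Sid": "LaunchOnlyIntoApprovedVpc", "Effect": "Allow",
             "Action": "ec2:RunInstances", "Resource": f"{PREFIX}:subnet/*",
             "Condition": {"ArnEquals": {"ec2:Vpc": VPC_ARN}}},
            # Remaining launch resources; only one security group is allowed.
            {"Sid": "LaunchWithApprovedSecurityGroup", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": [f"{PREFIX}:instance/*", f"{PREFIX}:network-interface/*",
                          f"{PREFIX}:volume/*", f"arn:aws:ec2:{REGION}::image/ami-*", SG_ARN]},
        ],
    }


def _matches(patterns, value):
    """IAM-style wildcard match of an Action or Resource element."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator in ("ArnEquals", "StringEquals"):
                ok = actual == expected
            elif operator in ("ArnLike", "StringLike"):
                ok = actual is not None and fnmatch.fnmatchcase(actual, expected)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """'Allow' or 'Deny' for one action/resource pair (teaching model of IAM)."""
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _conditions_hold(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def run_instances_authorized(policy, touched):
    """A launch succeeds only if every (resource ARN, context) it touches is allowed."""
    return all(evaluate(policy, "ec2:RunInstances", r, c) == "Allow" for r, c in touched)


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    launch = [(SUBNET_ARN, {"ec2:Vpc": VPC_ARN}), (SG_ARN, {}),
              (f"{PREFIX}:instance/i-0example0", {})]
    print("launch into approved VPC:", run_instances_authorized(policy, launch))
    print("ec2:DeleteRoute:", evaluate(policy, "ec2:DeleteRoute", "*"))
```

The deny statement stays effective however many allow statements are attached elsewhere, which is the property you want for the topology-changing calls; the RunInstances statements show the per-resource shape of launch authorization that page 40 refers to.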

Page 42:

1. Backhaul through your own corporate firewall?
2. Public route with public IP
3. Using NAT
4. Advanced patterns
   1. Creating an HA NAT
   2. Using a proxy layer

Page 43 (diagram labels): AWS Region with a Private Subnet in Availability Zone A and in Availability Zone B, each running an Intranet App; Virtual Private Gateway; VPN Connection over the Internet to the Customer Gateway and Customer Border Router in the Customer Data Center; Amazon S3 and the Internet, reached through the Customer Data Center by way of the default route to the vgw

Route Table
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      vgw

Page 44:

• Problem: EC2 instances need access to the Internet
• Solution
  – Either attach an EIP or have a public IP added at launch
  – Create a route from the subnet where you are deploying your instances to the IGW
• Pros: Your devices can access the Internet and AWS public endpoints
• Notes: Your security group can prohibit inbound traffic from the Internet so your instances can reach the Internet but cannot be reached publicly from outside your VPC

Diagram labels: Virtual Private Cloud, Availability Zone, VPC Public Subnet, EC2 / NAT, Elastic or Public IP, Internet Gateway, Internet, Amazon S3 bucket

Route Table
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      igw

Page 45:

• Problem: EC2 instances in a private subnet need access to the Internet to call APIs, for downloads, and for updates to software packages and the OS
• Solution: Deploy a NAT server on an EC2 instance that will provide Internet access to servers in private subnets
• Pros
  – Your devices are not publicly addressable but still have Internet access
  – NAT gives instances in private subnet capability to access AWS services and APIs outside of VPC

Diagram labels: Virtual Private Cloud, Availability Zone, VPC Public Subnet with EC2 / NAT, VPC Private Subnet with EC2, EC2, Internet Gateway, Internet

Route Table
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      NAT

Page 46:

• Redundant IPSEC tunnels
• Supports BGP and static routing
• Redundant customer gateways

Page 47 (diagram labels): Virtual Private Cloud with a VPC Subnet in each of two Availability Zones; Virtual Private Gateway; VPN; Router; Customer Gateway; Customer Network

Page 48 (diagram labels): Virtual Private Cloud with a VPC Subnet in each of two Availability Zones; Virtual Private Gateway; Router; three Customer Gateways, each with its own VPN to the Virtual Private Gateway, for the Customer Networks in New York, Chicago and Los Angeles

Page 49 (diagram labels): Virtual Private Cloud with a VPC Subnet in each of two Availability Zones; Virtual Private Gateway with two Routers, 72.21.209.193 and 72.21.209.225, terminating Tunnel 1 and Tunnel 2 of the IPSEC VPN; Customer Gateway xxx.xxx.xxx.xxx; Customer Network

Page 50 (diagram labels): Virtual Private Cloud with a VPC Subnet in each of two Availability Zones; Virtual Private Gateway with two Routers, 72.21.209.193 and 72.21.209.225; two Customer Gateways, xxx.xxx.xxx.xxx and xxx.xxx.xxx.yyy, each with a Tunnel 1 and a Tunnel 2 to the Virtual Private Gateway; Customer Network

Page 52:

Diagram: VPC 10.1.0.0/16 sends a peer request to VPC 10.0.0.0/16, which returns a peer accept

• VPCs within same region
• Same or different accounts
• IP space cannot overlap
• Only one between any two VPCs
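Page 30's design rules and this slide's peering constraint, as checks to run before a VPC is created: the CIDR is between /16 and /28, it overlaps nothing you may later peer with or route to, and the per-AZ subnets lie inside the VPC without overlapping each other, each reporting the .1 router address page 19 describes. This is an added example, not from the deck; apart from the deck's 10.1.0.0/16, 10.0.0.0/16 and the two /24 subnets, all addresses are constructed, and the five reserved addresses per subnet follow AWS's documented reservation (network address, router, DNS, one reserved, broadcast).

```python
"""VPC address-plan checks (added example, not from the deck)."""
import ipaddress

# AWS reserves the network address, .1 (router), .2 (DNS), .3 and the
# broadcast address in every subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """The deck's rule: a VPC CIDR can be /16 down to /28."""
    net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def find_overlaps(cidr, existing):
    """Names of existing networks (other VPCs, on-premises ranges) that overlap cidr.

    Checked before creation because the CIDR cannot be modified afterwards,
    and overlapping space rules out peering and complicates VPN routing."""
    net = ipaddress.ip_network(cidr)
    return [name for name, other in existing.items()
            if net.overlaps(ipaddress.ip_network(other))]


def can_peer(vpc_a, vpc_b):
    """Peering requires non-overlapping IP space."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


def plan_subnets(vpc_cidr, subnets_by_az):
    """Check a per-AZ subnet layout; report router and usable hosts per subnet."""
    vpc = validate_vpc_cidr(vpc_cidr)
    seen, plan = [], []
    for az, cidr in subnets_by_az.items():
        subnet = ipaddress.ip_network(cidr)
        if not subnet.subnet_of(vpc):
            raise ValueError(f"{cidr} lies outside VPC {vpc}")
        for other in seen:
            if subnet.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other}")
        seen.append(subnet)
        plan.append({
            "az": az,
            "cidr": str(subnet),
            # VPC DHCP hands out network+1 as the default gateway
            "router": str(subnet.network_address + 1),
            "usable_hosts": subnet.num_addresses - AWS_RESERVED_PER_SUBNET,
        })
    return plan


if __name__ == "__main__":
    # Constructed planning inputs: the deck's VPC, the second VPC it peers
    # with, and an on-premises range that will be reached over VPN.
    existing = {"vpc-b": "10.0.0.0/16", "corp-dc": "172.16.0.0/12"}
    print("overlaps:", find_overlaps("10.1.0.0/16", existing))
    print("can peer with vpc-b:", can_peer("10.1.0.0/16", "10.0.0.0/16"))
    for entry in plan_subnets("10.1.0.0/16", {"AZ-A": "10.1.1.0/24", "AZ-B": "10.1.10.0/24"}):
        print(entry)
```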

Page 53:

• Alternative to using the Internet to access AWS cloud services
• Private network connection between AWS and your data center
• Can reduce costs, increase bandwidth, and provide a more consistent network experience than Internet-based connections
• Two different Direct Connect scenarios
  – Direct Connect from Colo at Direct Connect POP Site
  – Direct Connect from remote site

Page 55:

http://aws.amazon.com/directconnect/partners/

Page 56 (diagram labels): Direct Connect Location connected to two Customer Data Centers and three Customer Offices

Page 57:

Customer Data Center to AWS Direct Connect location: private layer 2 circuit or cross-connect, one or multiple (redundant). Hosted: 50–500 Mbps. Dedicated: 1 Gbps or 10 Gbps.

AWS Direct Connect private virtual interface connects to VGW on VPC
• 1 PVI per VPC
• 802.1Q VLAN tags isolate traffic across AWS Direct Connect

Simplify with AWS Direct Connect

Diagram labels: AWS Region with Prod, QA and Dev; Public-Facing Web App; Internal Company Apps (three); PVI1, PVI2, PVI3, PVI4, PVI5; AWS Public API Endpoints

Page 60:

Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals