AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud
Transcript of AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud
![Page 1: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kevin Miller, EC2 Networking
May 21, 2015
Deep Dive: Virtual Private Cloud
![Page 2: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/2.jpg)
Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
ARC205 – VPC Fundamentals and Connectivity
ARC401 – Black Belt Networking for Cloud Ninja
• Application centric, network monitoring, management, floating IPs
ARC403 – From One to Many: Evolving VPC Design
SDD302 – A Tale of One Thousand Instances
• Example of EC2-Classic customer adopting VPC
SDD419 – Amazon EC2 Networking Deep Dive
• Network performance, placement groups, enhanced networking
![Page 3: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/3.jpg)
aws vpc --expert-mode
![Page 4: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/4.jpg)
Topics today
![Page 6: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/6.jpg)
Virtual networking options
EC2-Classic: simple to get started; all instances have Internet connectivity, auto-assigned private and public IP addresses, and inbound security groups.
Default VPC: the best of both. Get started using the EC2-Classic experience; if and when needed, begin using any VPC feature you require.
VPC: advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking, and more to come...
All accounts created after 12/4/2013 support VPC only and have a default VPC in each region.
![Page 7: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/7.jpg)
Confirming your default VPC
aws ec2 describe-account-attributes
A VPC-only account shows only "VPC" under the supported-platforms attribute.
![Page 8: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/8.jpg)
Routing and private connections
![Page 9: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/9.jpg)
Implementing a hybrid architecture
Corporate Data Center
![Page 10: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/10.jpg)
Create VPC
Corporate Data Center
aws ec2 create-vpc --cidr 10.10.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b
![Page 11: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/11.jpg)
Create VPN connection
Corporate Data Center
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1
![Page 12: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/12.jpg)
Launch instances
Corporate Data Center
aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3
![Page 13: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/13.jpg)
Using AWS Direct Connect
Corporate Data Center
aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
![Page 14: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/14.jpg)
Configuring route table
Corporate Data Center
192.168.0.0/16
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
Each VPC has a single routing table at creation time, used by all subnets.
![Page 15: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/15.jpg)
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Each VPN connection consists of 2 IPSec tunnels. Use BGP for failure recovery.
![Page 16: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/16.jpg)
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
A pair of VPN connections (4 IPSec tunnels total) protects against failure of your customer gateway.
![Page 17: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/17.jpg)
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Redundant AWS Direct Connect connections with VPN backup.
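The redundancy rules on these three slides (two tunnels per VPN connection, two connections on distinct customer gateways to survive a customer gateway failure) expressed as an added check. This is example code, not part of the deck; it models the `VpnConnections` list returned by `aws ec2 describe-vpn-connections` (the `CustomerGatewayId` and `VgwTelemetry[].Status` fields) on constructed sample data, so it runs offline rather than calling the API.

```python
"""Report single points of failure in the VPN connections behind one VGW."""

# Constructed sample modelled on describe-vpn-connections output: two
# connections on vgw-f9da06e7, each with the 2 IPsec tunnels the slides
# describe, but both terminating on the same customer gateway device.
SAMPLE_VPN_CONNECTIONS = [
    {"VpnConnectionId": "vpn-0000aaaa", "VpnGatewayId": "vgw-f9da06e7",
     "CustomerGatewayId": "cgw-f4d905ea", "State": "available",
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                      {"OutsideIpAddress": "203.0.113.11", "Status": "UP"}]},
    {"VpnConnectionId": "vpn-0000bbbb", "VpnGatewayId": "vgw-f9da06e7",
     "CustomerGatewayId": "cgw-f4d905ea", "State": "available",
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.20", "Status": "UP"},
                      {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN"}]},
]

# Constructed healthy variant: second connection on a different customer gateway.
HEALTHY_VPN_CONNECTIONS = [
    dict(SAMPLE_VPN_CONNECTIONS[0]),
    {"VpnConnectionId": "vpn-0000cccc", "VpnGatewayId": "vgw-f9da06e7",
     "CustomerGatewayId": "cgw-0000beef", "State": "available",
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.30", "Status": "UP"},
                      {"OutsideIpAddress": "203.0.113.31", "Status": "UP"}]},
]


def vpn_redundancy_findings(vpn_connections, vgw_id):
    """Return findings (strings) for the VPN connections attached to vgw_id.

    An empty list means: at least two connections, on at least two distinct
    customer gateways, with every IPsec tunnel reported UP.
    """
    findings = []
    conns = [c for c in vpn_connections
             if c.get("VpnGatewayId") == vgw_id and c.get("State") == "available"]
    if not conns:
        return [f"no available VPN connection on {vgw_id}"]

    # One connection still has two tunnels, but the single customer gateway
    # device behind it remains a single point of failure (slides 15 and 16).
    cgws = {c["CustomerGatewayId"] for c in conns}
    if len(conns) < 2:
        findings.append(f"only one VPN connection on {vgw_id}; "
                        "no protection against customer gateway failure")
    elif len(cgws) < 2:
        findings.append(f"{len(conns)} VPN connections all terminate on "
                        f"customer gateway {cgws.pop()}")

    for c in conns:
        tunnels = c.get("VgwTelemetry", [])
        if len(tunnels) != 2:
            findings.append(f"{c['VpnConnectionId']}: expected 2 tunnels, "
                            f"telemetry lists {len(tunnels)}")
        down = [t["OutsideIpAddress"] for t in tunnels if t.get("Status") != "UP"]
        if down:
            findings.append(f"{c['VpnConnectionId']}: tunnel(s) down: {', '.join(down)}")
    return findings


if __name__ == "__main__":
    for f in vpn_redundancy_findings(SAMPLE_VPN_CONNECTIONS, "vgw-f9da06e7"):
        print("FINDING:", f)
```

Run against real data by loading the JSON from `aws ec2 describe-vpn-connections` and passing its `VpnConnections` list; a periodic run of this check is an easy way to notice that a "redundant" VPN has quietly degraded to one tunnel or one device.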
![Page 18: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/18.jpg)
VPC with private and public connectivity
Corporate Data Center
192.168.0.0/16
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7
![Page 19: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/19.jpg)
Automatic route propagation from VGW
Corporate Data Center
192.168.0.0/16
aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with routes present in the VGW.
![Page 20: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/20.jpg)
Isolating connectivity by subnet
Corporate
192.168.0.0/16
aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
aws ec2 create-route-table --vpc vpc-c15180a4
aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
Subnet with connectivity only to other instances and the Internet via the IGW.
![Page 21: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/21.jpg)
Software VPN for VPC-to-VPC connectivity
# VPC A
aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 --instance-id i-9c1b693a
![Page 22: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/22.jpg)
Software VPN for VPC-to-VPC connectivity
Software VPN between these instances.
![Page 23: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/23.jpg)
Software VPN for VPC-to-VPC connectivity
Enabling communication between instances in these subnets; adding routes to the default routing table.
![Page 24: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/24.jpg)
Software firewall to the Internet
Routing all traffic from subnets to the Internet via a firewall is conceptually similar.
# Default routing table directs traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Internet
aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
![Page 25: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/25.jpg)
VPC Peering
![Page 26: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/26.jpg)
Shared services VPC using VPC peering
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
![Page 27: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/27.jpg)
Provides infrastructure zoning
Dev: VPC B
Test: VPC C
Production: VPC D
![Page 28: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/28.jpg)
VPC peering for VPC-to-VPC connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
![Page 29: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/29.jpg)
VPC peering across accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
Account ID 472752909333
![Page 30: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/30.jpg)
VPC peering – Additional considerations
Security groups – use IP prefixes to allow access
No “transit” capability for VPN, AWS Direct Connect, or 3rd VPCs
• Example: Cannot access VPC C from VPC A via VPC B
• Workaround: Create a direct peering from VPC A to VPC C
Peer VPC address ranges cannot overlap
• But, you can peer with 2+ VPCs that themselves overlap
• Use subnets/routing tables to pick the VPC to use
![Page 31: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/31.jpg)
VPC peering with software firewall
VPC A - 10.10.0.0/16 VPC B - 10.20.0.0/16
# Default routing table directs Peer traffic to the NAT/firewall instance
aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
# Routing table for 10.10.3.0/24 directs to the Peering
aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87
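The routing decisions from slides 14, 20, 24, 28 and 31, plus the peering rules on slide 30, as one added model. This is example code written for this page, not tooling from the deck: a route table with the non-removable local route and longest-prefix lookup, the "peer ranges may not overlap the local VPC" check, and the trick of peering with two VPCs that overlap each other by giving each subnet its own route table. Route table, gateway, instance and peering ids are the ones on the slides; the second peering id `pcx-EXAMPLE-C` and the two `rtb-PLACEHOLDER-*` ids are constructed placeholders.

```python
"""Model VPC route tables and peering constraints with the standard library."""
import ipaddress


class RouteTable:
    """Destination CIDR -> target; the most specific matching prefix wins."""

    def __init__(self, rtb_id, vpc_cidr):
        self.rtb_id = rtb_id
        # Every VPC route table carries the local route for the VPC's own CIDR.
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}

    def create_route(self, dest, target):
        dest_net = ipaddress.ip_network(dest)
        if self.routes.get(dest_net) == "local":
            raise ValueError("the local route cannot be replaced")
        self.routes[dest_net] = target
        return self

    def lookup(self, ip):
        """Target for a packet to ip, or None if no route matches (dropped)."""
        addr = ipaddress.ip_address(ip)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def can_peer(local_cidr, peer_cidr):
    """Slide 30: a peer VPC's address range may not overlap the local VPC's."""
    return not ipaddress.ip_network(local_cidr).overlaps(ipaddress.ip_network(peer_cidr))


# VPC A (10.10.0.0/16) as built up through the slides.
main_rtb = (RouteTable("rtb-ef36e58a", "10.10.0.0/16")
            .create_route("0.0.0.0/0", "i-f832afcc")         # Internet via NAT/firewall instance
            .create_route("10.20.0.0/16", "i-f832afcc")      # peer traffic via the firewall (slide 31)
            .create_route("192.168.0.0/16", "vgw-f9da06e7"))  # corporate network via VPN
subnet3_rtb = (RouteTable("rtb-67a2b31c", "10.10.0.0/16")
               .create_route("0.0.0.0/0", "igw-5a1ae13f")      # direct to the Internet
               .create_route("10.20.0.0/16", "pcx-ee56be87"))  # direct to the peering


def route_decisions():
    """Where each kind of destination is sent from the two route tables."""
    return {
        "main->internet": main_rtb.lookup("198.51.100.7"),
        "main->vpcB": main_rtb.lookup("10.20.5.5"),
        "main->corp": main_rtb.lookup("192.168.3.9"),
        "main->local": main_rtb.lookup("10.10.2.4"),
        "subnet3->vpcB": subnet3_rtb.lookup("10.20.5.5"),
        # No VGW route in this table, so corporate addresses fall to the IGW
        # default: the 10.10.3.0/24 subnet has no path into the corporate network.
        "subnet3->corp": subnet3_rtb.lookup("192.168.3.9"),
    }


def overlapping_peers_demo():
    """Slide 30: VPC B and a (constructed) VPC C may both use 10.20.0.0/16.

    Neither overlaps VPC A, so both peerings are allowed; a subnet picks one
    of them through its own route table.
    """
    peer_b, peer_c = "10.20.0.0/16", "10.20.0.0/16"
    assert can_peer("10.10.0.0/16", peer_b) and can_peer("10.10.0.0/16", peer_c)
    to_b = RouteTable("rtb-PLACEHOLDER-B", "10.10.0.0/16").create_route(peer_b, "pcx-ee56be87")
    to_c = RouteTable("rtb-PLACEHOLDER-C", "10.10.0.0/16").create_route(peer_c, "pcx-EXAMPLE-C")
    return to_b.lookup("10.20.1.1"), to_c.lookup("10.20.1.1")


if __name__ == "__main__":
    for flow, target in route_decisions().items():
        print(f"{flow:16s} -> {target}")
    print("overlapping peers:", overlapping_peers_demo())
```

The `subnet3->corp` entry is the point of slide 20: isolation by subnet is only as good as the route table attached to it, so review every table, not just the main one, when checking what a subnet can reach.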
![Page 32: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/32.jpg)
Enhanced Networking
![Page 33: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/33.jpg)
Latency: Packets per second
Diagram: a stream of packets between Instance 1 and Instance 2.
![Page 34: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/34.jpg)
Packet processing in Amazon EC2: VIF
Diagram: the instance's virtual NICs (eth0, eth1) are backed by a VIF in the virtualization layer, which forwards to the physical NIC.
![Page 35: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/35.jpg)
Packet processing in Amazon EC2: SR-IOV
Diagram: the instance's VF driver (eth0, eth1) attaches directly to a Virtual Function (VF) of the physical NIC, alongside the virtualization layer.
![Page 36: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/36.jpg)
Inter-instance latency
![Page 37: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/37.jpg)
SR-IOV: Is this thing on?
It may already be!
For many newer AMIs, enhanced networking is
already on:
Newest Amazon Linux AMIs
Windows Server 2012 R2 AMI
No need to configure
![Page 38: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/38.jpg)
SRIOV: Is this thing on? (Linux)
No:
[ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
driver: vif
version:
firmware-version:
bus-info: vif-0
…
Yes!:
[ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0
…
![Page 39: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/39.jpg)
SRIOV: Is this thing on? (Windows)
No Yes!
![Page 40: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/40.jpg)
AMI/instance support for SR-IOV
C3, C4, I2, D2, R3 instance families: 23 types
HVM virtualization type
Required kernel version
• Linux: 2.6.32+
• Windows: Server 2008 R2+
Appropriate VF driver
• Linux: ixgbevf 2.14.2+ module
• Windows: Intel® 82599 Virtual Function driver
![Page 41: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/41.jpg)
Walkthrough: Enabling enhanced networking (Amazon Linux)
Starting point: AMI amzn-ami-hvm-2012.03.1.x86_64-ebs, virtualization type hvm.
![Page 42: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/42.jpg)
Walkthrough: Enabling enhanced networking (Amazon Linux)
describe-instance-attribute --attribute sriovNetSupport
InstanceId i-37c5d1d9, no value returned: not yet!
![Page 43: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/43.jpg)
Walkthrough: Enabling enhanced networking (Amazon Linux)
[ec2-user@ip-10-0-3-125 ~]$ sudo yum update
OS update
![Page 44: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/44.jpg)
Walkthrough: Enabling enhanced networking (Amazon Linux)
reboot-instances
Reboot (OS update)
![Page 45: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/45.jpg)
Walkthrough: Enabling enhanced networking (Windows)
![Page 46: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/46.jpg)
Walkthrough: Enabling enhanced networking (Windows)
Add to Windows driver store
![Page 47: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/47.jpg)
Walkthrough: Enabling enhanced networking
All EBS-backed instances
stop-instances
Stop the instance
![Page 48: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/48.jpg)
Walkthrough: Enabling enhanced networking
All EBS-backed instances
With the instance stopped: modify-instance-attribute --sriov-net-support simple
Enable SRIOV (cannot be undone)
![Page 49: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/49.jpg)
Walkthrough: Enabling enhanced networking
All EBS-backed instances
start-instances
Start
![Page 50: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/50.jpg)
Walkthrough: Enabling enhanced networking
All EBS-backed instances
After start-instances: describe-instance-attribute --attribute sriovNetSupport
InstanceId i-37c5d1d9, Value simple
We're on
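The checks behind this walkthrough (the `ethtool -i` driver test on slide 38, the support matrix on slide 40, and the `sriovNetSupport` attribute read before and after the change) gathered into one added pre-flight routine. This is example code written for this page, not from the deck. The attribute JSON shape is assumed to follow `aws ec2 describe-instance-attribute --attribute sriovNetSupport`, i.e. `{"InstanceId": ..., "SriovNetSupport": {"Value": "simple"}}` once enabled and an empty `SriovNetSupport` object before; the ethtool and attribute samples are constructed from what the slides show.

```python
"""Pre-flight and status checks for enabling SR-IOV enhanced networking."""
import re

SRIOV_FAMILIES = {"c3", "c4", "i2", "d2", "r3"}  # slide 40, as of May 2015
MIN_IXGBEVF = (2, 14, 2)                          # slide 40: ixgbevf 2.14.2+

# Constructed samples modelled on the two ethtool outputs on slide 38.
ETHTOOL_VIF = "driver: vif\nversion:\nfirmware-version:\nbus-info: vif-0\n"
ETHTOOL_SRIOV = ("driver: ixgbevf\nversion: 2.14.2+amzn\n"
                 "firmware-version: N/A\nbus-info: 0000:00:03.0\n")
# Constructed samples of the attribute before and after enabling (assumed shape).
ATTR_OFF = {"InstanceId": "i-37c5d1d9", "SriovNetSupport": {}}
ATTR_ON = {"InstanceId": "i-37c5d1d9", "SriovNetSupport": {"Value": "simple"}}


def parse_ethtool(output):
    """Turn `ethtool -i` 'key: value' lines into a dict."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def driver_version(version_str):
    """'2.14.2+amzn' -> (2, 14, 2); None when the field is empty or odd."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_str or "")
    return tuple(int(x) for x in m.groups()) if m else None


def sriov_active(ethtool_output):
    """True when the guest is actually running on the SR-IOV VF driver."""
    return parse_ethtool(ethtool_output).get("driver") == "ixgbevf"


def attribute_enabled(describe_attr_json):
    """True when the instance's sriovNetSupport attribute is 'simple'."""
    return describe_attr_json.get("SriovNetSupport", {}).get("Value") == "simple"


def preflight(instance_type, virtualization_type, ethtool_output, describe_attr_json):
    """Blockers to resolve before modify-instance-attribute --sriov-net-support simple.

    An empty list means the instance may be stopped and the attribute set;
    the slides note that the change cannot be undone, hence checking first.
    """
    issues = []
    family = instance_type.split(".")[0].lower()
    if family not in SRIOV_FAMILIES:
        issues.append(f"instance family {family} is not in the SR-IOV list {sorted(SRIOV_FAMILIES)}")
    if virtualization_type != "hvm":
        issues.append("instance is not HVM")
    info = parse_ethtool(ethtool_output)
    ver = driver_version(info.get("version"))
    # While the guest still runs on 'vif', ethtool cannot tell us which
    # ixgbevf module the OS update installed; only an active VF driver is checked.
    if info.get("driver") == "ixgbevf" and ver is not None and ver < MIN_IXGBEVF:
        issues.append(f"ixgbevf {info['version']} is older than 2.14.2")
    if attribute_enabled(describe_attr_json):
        issues.append("sriovNetSupport is already 'simple'; nothing to do")
    return issues


if __name__ == "__main__":
    print("before:", preflight("c3.large", "hvm", ETHTOOL_VIF, ATTR_OFF))
    print("after: ", sriov_active(ETHTOOL_SRIOV), attribute_enabled(ATTR_ON))
```

Both signals matter: `attribute_enabled` tells you what EC2 will present to the instance, `sriov_active` tells you what the guest is actually using, and the walkthrough's "Not yet!" / "We're on" pair is exactly that before-and-after comparison.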
![Page 51: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/51.jpg)
VPC Endpoints for Amazon S3
![Page 52: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/52.jpg)
VPC Endpoints for Amazon S3
Highly reliable
Designed for the largest workloads
Use S3 from VPC without an Internet
Gateway or NAT instance
Additional security controls
![Page 53: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/53.jpg)
VPC Endpoints for Amazon S3
Diagram: an instance in the VPC reaches the 'mypics' S3 bucket in the same region through the VPC router and VPC Endpoint vpce-abcd1234.
![Page 54: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/54.jpg)
Creating a VPC Endpoint
ec2-create-vpc-endpoint
![Page 55: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/55.jpg)
VPC Endpoints for Amazon S3
Application resolves mypics.s3.amazonaws.com
DNS responds with the usual IP addresses for Amazon S3
Application connects to the chosen IP address
![Page 56: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/56.jpg)
VPC Endpoints for Amazon S3
Route table entry: Destination pl-1a2b3c4d (Prefix List com.amazonaws.us-west-1.s3), Target vpce-abcd1234.
![Page 57: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/57.jpg)
VPC Endpoints for Amazon S3
IAM Policy on VPC Endpoint vpce-abcd1234
Allow access to bucket A
Deny access to other buckets
![Page 58: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/58.jpg)
VPC Endpoint Policy
![Page 60: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/60.jpg)
VPC Endpoints for Amazon S3
IAM Policy on bucket ‘mypics’
Allow access from vpce-abcd1234
Deny all other
![Page 61: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/61.jpg)
S3 Bucket Policy
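The two policies on slides 57 to 61, as an added worked example that is not from the deck: the endpoint policy that only allows bucket 'mypics', the bucket policy that only allows requests arriving through vpce-abcd1234, and a deliberately small IAM-style evaluator that shows why both are needed. `Principal: "*"` and the `aws:SourceVpce` condition key are real IAM syntax; the evaluator only understands Allow/Deny, wildcard Action/Resource and String(Not)Equals, and is a teaching model, not the real policy engine.

```python
"""Endpoint policy plus bucket policy: two-sided control of S3 access."""
import fnmatch

BUCKET = "mypics"
ENDPOINT = "vpce-abcd1234"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Endpoint policy (attached to the VPC endpoint): what may be reached through
# the endpoint. Anything not allowed here is implicitly denied.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyMyPics", "Effect": "Allow", "Principal": "*",
        "Action": "s3:*", "Resource": BUCKET_ARNS,
    }],
}

# Bucket policy (attached to the bucket): allow only requests that arrived
# through our endpoint, and explicitly deny everything else.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromOurEndpoint", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_ARNS,
         "Condition": {"StringEquals": {"aws:SourceVpce": ENDPOINT}}},
        {"Sid": "DenyAllOther", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_ARNS,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(cond, ctx):
    """String(Not)Equals only; a missing key counts as 'not equal'."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        decision = "Allow"
    return decision


def s3_request_allowed(bucket, key, source_vpce):
    """GetObject from an instance whose S3 traffic leaves via source_vpce.

    The endpoint policy must allow the request (it crosses the endpoint) and
    the bucket policy must allow it (it touches the bucket).
    """
    resource = f"arn:aws:s3:::{bucket}/{key}"
    ctx = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    via_endpoint = evaluate(ENDPOINT_POLICY, "s3:GetObject", resource, ctx)
    at_bucket = evaluate(BUCKET_POLICY, "s3:GetObject", resource, ctx)
    return via_endpoint == "Allow" and at_bucket == "Allow"


if __name__ == "__main__":
    print("mypics via our endpoint:   ", s3_request_allowed("mypics", "cat.jpg", ENDPOINT))
    print("other bucket via endpoint: ", s3_request_allowed("otherbucket", "x", ENDPOINT))
    print("mypics via another VPC:    ", s3_request_allowed("mypics", "cat.jpg", "vpce-0000other"))
    print("mypics from the Internet:  ", s3_request_allowed("mypics", "cat.jpg", None))
```

The endpoint policy stops an instance in the VPC from reaching any bucket but 'mypics' (data exfiltration to an attacker-controlled bucket through the endpoint), and the bucket policy stops 'mypics' from being read from anywhere but this VPC even with valid credentials; each policy covers a case the other cannot.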
![Page 62: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/62.jpg)
AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.
Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place
Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking
Registration is now open
• Come and see what AWS and the cloud can do for you.
![Page 63: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/63.jpg)
CTA Script
- If you are interested in learning more about how to navigate the cloud to grow your business, then attend the AWS Summit Chicago, July 1st.
- Register today to learn from technical sessions led by AWS engineers, hear best practices from AWS customers and partners, and participate in some of the 30+ paid sessions and labs.
- Simply go to https://aws.amazon.com/summits/chicago/?trkcampaign=summit_chicago_bootcamps&trk=Webinar_slide to register today.
- Registration is FREE.
TRACKING CODE:
- Listed above.
![Page 64: AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud](https://reader034.fdocuments.in/reader034/viewer/2022042701/55b11505bb61eb271e8b45fd/html5/thumbnails/64.jpg)
Thank You!!