VPC - Module 2 Part 2 - AWSome Day 2017
Transcript of VPC - Module 2 Part 2 - AWSome Day 2017
Page 1
Your private network in AWS
VPC
Page 2
EC2 Instance
Page 3
Diagram: EC2 instances with private addresses 172.31.0.128, 172.31.0.129, 172.31.1.24, 172.31.1.27 and public addresses 54.4.5.6, 54.2.3.4
Page 4
Creating an Internet-connected VPC: steps
Choosing an address range
Setting up subnets in Availability Zones
Creating a route to the Internet
Authorizing traffic to/from the VPC
Page 5
Choosing an IP address range
Page 6
What is an Internet Protocol address?
An IP address is FOUR numbers (octets*) separated by the period symbol.
192.168.90.0
Page 7
What is an Internet Protocol address range?
From 192.168.90.0 to (and including) 192.168.90.255
How many IP addresses can we use?
192.168.90.0 plus another 255 IP addresses = 256 IP addresses.
Page 8
What is an Internet Protocol address range?
From 192.0.0.0 to (and including) 192.0.0.255: 256 IP addresses
From 192.0.0.0 to (and including) 192.0.255.255: 256 * 256 = 65,536
From 192.0.0.0 to (and including) 192.255.255.255: 256 * 256 * 256 = 16,777,216
Page 9
Classless inter-domain routing [CIDR notation]
An IP address range is the starting 4 octets (IP address) plus a value after a slash,
e.g. 192.168.90.0/24
What is that value and what does it mean?
Page 10
Binary
Bit values:                             128  64  32  16   8   4   2   1
The number 0 represented in binary:       0   0   0   0   0   0   0   0
The number 90 represented in binary:      0   1   0   1   1   0   1   0
The number 255 represented in binary:     1   1   1   1   1   1   1   1
The number 7 represented in binary:       0   0   0   0   0   1   1   1
Page 11
IP addresses
172.31.0.0   = 10101100.00011111.00000000.00000000
172.31.0.255 = 10101100.00011111.00000000.11111111
172.31.0.0 to 172.31.255.255
From 172.31.0.0/255.255.255.255 to and including 172.31.255.255/255.255.255.255
172.31.0.0/255.255.0.0 = 172.31.0.0/(8).(8).(0).(0)
172.31.0.0/16 gives you 65,536 IP addresses to pick from.
Page 12
Choosing an IP address range for your VPC
172.31.0.0/16
Recommended: RFC1918 range
Avoid ranges that overlap with other networks to which you might connect.
Page 13
Subnets
Page 14
VPC subnets and Availability Zones
VPC: 172.31.0.0/16
VPC subnet 172.31.0.0/24 in Availability Zone eu-west-1a
VPC subnet 172.31.1.0/24 in Availability Zone eu-west-1b
VPC subnet 172.31.2.0/24 in Availability Zone eu-west-1c
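The CIDR arithmetic from pages 9 to 14 (binary netmask, address count, the RFC1918 and no-overlap checks, carving one /24 per Availability Zone) as an added Python example; this is not code from the deck, and the corporate and peer ranges passed to the check are the ones the later slides use, not assumptions about any real network.

```python
import ipaddress

# The private ranges the deck recommends (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def to_binary(addr):
    """Dotted-binary form as on the 'Binary' slide: 172.31.0.0 -> 10101100.00011111.00000000.00000000."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(str(addr)).packed)

def describe_cidr(cidr):
    """Expand a CIDR block into the range, netmask and address count the slides walk through."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits after the slash must be zero
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "count": net.num_addresses,
        "netmask": str(net.netmask),
        "netmask_binary": to_binary(net.netmask),
    }

def check_vpc_cidr(cidr, other_networks):
    """List the problems with a proposed VPC range: not RFC 1918, or overlapping a network you may connect to."""
    net = ipaddress.ip_network(cidr)
    problems = []
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("not an RFC1918 range")
    for other in other_networks:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps {other}")
    return problems

def plan_subnets(vpc_cidr, new_prefix, availability_zones):
    """Carve one subnet per Availability Zone out of the VPC range, as on the subnets slide."""
    candidates = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {az: str(next(candidates)) for az in availability_zones}

if __name__ == "__main__":
    print(describe_cidr("172.31.0.0/16"))
    # the deck's corporate (192.168.0.0/16) and peer (10.55.0.0/16) ranges: no overlap expected
    print(check_vpc_cidr("172.31.0.0/16", ["192.168.0.0/16", "10.55.0.0/16"]))
    print(plan_subnets("172.31.0.0/16", 24, ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
```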
Page 15
Route to the Internet
Page 16
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• … but you can assign different route tables to different subnets
Page 17
Traffic destined for my VPC stays in my VPC
Page 18
Internet Gateway
Send packets here if you want them to reach the Internet
Page 19
Everything that isn’t destined for the VPC: Send to the Internet
Page 20
Network security in VPC: Network ACLs / Security Groups
Page 21
Network ACLs: Stateless firewalls
English translation: Allow all traffic in
Can be applied on a subnet basis
Page 22
“MyWebServers” Security Group: Allow web traffic on 0.0.0.0/0
“MyBackends” Security Group: Allow only “MyWebServers”
Security Groups follow application structure
Page 23
Security Groups example: web servers
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
Page 24
Security Groups example: backends
In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group
Page 25
Security Groups in VPC: additional notes
• Follow the Principle of Least Privilege
• VPC allows creation of egress as well as ingress Security Group rules
• Many application architectures lend themselves to a 1:1 relationship between Security Groups (who can reach me) and IAM roles (what I can do).
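The two firewall layers from pages 21 to 25, as an added Python model (not the deck's code): a stateful security group that references another group by name, beside a stateless network ACL whose replies need an explicit outbound rule. The group names come from the slides; the backend port 5432, the instance-to-group inventory and the client address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Security group rules as (protocol, port, source); a source is a CIDR or another group's name.
# Group names are the deck's; the backend port 5432 is an assumed example value.
SECURITY_GROUPS = {
    "MyWebServers": [("tcp", 80, "0.0.0.0/0")],      # reachable from the Internet on port 80
    "MyBackends": [("tcp", 5432, "MyWebServers")],   # only MyWebServers members can reach us
}
# Constructed inventory: which instance (private IPs from the deck's diagram) is in which group.
MEMBERSHIP = {"172.31.0.128": "MyWebServers", "172.31.1.24": "MyBackends"}

def sg_allows(dst_ip, proto, port, src_ip):
    """Does the destination instance's security group admit a NEW inbound flow?"""
    for rule_proto, rule_port, source in SECURITY_GROUPS[MEMBERSHIP[dst_ip]]:
        if (rule_proto, rule_port) != (proto, port):
            continue
        if source in SECURITY_GROUPS:              # source is a group: match by membership, not by IP
            if MEMBERSHIP.get(src_ip) == source:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False

# Network ACL: numbered rules per direction, lowest number first, first match wins, then the
# implicit deny. Stateless: nothing remembers the request, so replies need their own outbound rule.
NACL = [
    (100, "in", "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    (100, "out", "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW"),   # ephemeral client ports for replies
]

def nacl_allows(direction, proto, port, remote_ip, rules=NACL):
    for _number, d, p, (low, high), cidr, action in sorted(rules, key=lambda r: r[0]):
        if (d, p) == (direction, proto) and low <= port <= high \
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr):
            return action == "ALLOW"
    return False   # implicit deny at the end of every network ACL

def http_flow(client_ip, client_port, server_ip, nacl_rules=NACL):
    """Evaluate client:client_port -> server:80 and the reply through both layers."""
    request_ok = sg_allows(server_ip, "tcp", 80, client_ip)
    return {
        "sg_request": request_ok,
        "sg_reply": request_ok,   # stateful: the reply to an admitted flow is allowed automatically
        "nacl_request": nacl_allows("in", "tcp", 80, client_ip, nacl_rules),
        "nacl_reply": nacl_allows("out", "tcp", client_port, client_ip, nacl_rules),
    }
```

Dropping the outbound ACL rule (pass `nacl_rules=NACL[:1]`) leaves the security group happy but makes the ACL discard every reply, which is the usual symptom when someone tightens a network ACL without thinking about the ephemeral port range.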
Page 26
Connectivity options for VPCs
Page 27
Beyond Internet connectivity
Restricting Internet access
Connecting to your corporate network
Connecting to other VPCs
Page 28
Restricting Internet access: Routing by subnet
Page 29
Routing by subnet
VPC subnet: Has route to Internet
VPC subnet: Has no route to Internet
Page 30
Outbound-only Internet access: NAT Gateway
Diagram: two VPC subnets, each with a 0.0.0.0/0 route; NAT Gateway with Public IP 54.161.0.39
Page 31
Inter-VPC connectivity: VPC peering
Page 32
Example VPC peering use: shared services VPC
Common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Page 33
Security Groups across peered VPCs
Diagram: VPC Peering between 172.31.0.0/16 and 10.55.0.0/16; Orange Security Group, Blue Security Group; ALLOW
Page 34
Establish a VPC peering: initiate request
172.31.0.0/16  10.55.0.0/16
Step 1: Initiate peering request
Page 35
Establish a VPC peering: accept request
172.31.0.0/16  10.55.0.0/16
Step 1: Initiate peering request
Step 2: Accept peering request
Page 36
Establish a VPC peering: create route
172.31.0.0/16  10.55.0.0/16
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Create routes
In English: Traffic destined for the peered VPC should go to the peering
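The routing rules from pages 16 to 19, 29, 30 and 36 (local route, Internet Gateway, NAT Gateway, no Internet route, peering route) as an added Python example of how a subnet's route table is consulted; this is not code from the deck. The igw-/nat-/pcx- target ids are constructed placeholders, the VPC and peer ranges are the slides' own, and 198.51.100.7 is a documentation address standing in for "somewhere on the Internet".

```python
import ipaddress

# Route tables as (destination CIDR, target) lists. The targets are the deck's concepts; the
# igw-/nat-/pcx- ids are constructed placeholders, not real resource ids.
PUBLIC_SUBNET_RT = [
    ("172.31.0.0/16", "local"),        # traffic destined for my VPC stays in my VPC
    ("10.55.0.0/16", "pcx-PEERING"),   # step 3 of peering: the peer's range goes to the peering
    ("0.0.0.0/0", "igw-INTERNET"),     # everything else: send to the Internet Gateway
]
PRIVATE_SUBNET_RT = [
    ("172.31.0.0/16", "local"),
    ("10.55.0.0/16", "pcx-PEERING"),
    ("0.0.0.0/0", "nat-GATEWAY"),      # outbound-only Internet access via the NAT Gateway
]
ISOLATED_SUBNET_RT = [("172.31.0.0/16", "local")]   # has no route to the Internet

def next_hop(route_table, dst_ip):
    """Longest-prefix match: the most specific matching destination wins; None means the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def internet_access(route_table):
    """Classify a subnet by its default route, as on the 'Routing by subnet' and NAT Gateway slides."""
    target = dict(route_table).get("0.0.0.0/0")
    if target is None:
        return "none"
    if target.startswith("igw-"):
        return "public"          # inbound and outbound via the Internet Gateway
    if target.startswith("nat-"):
        return "outbound-only"   # instances can reach out, nothing on the Internet can reach in
    return "other"

def peering_route_ok(route_table, vpc_cidr, peer_cidr):
    """A usable peering route needs a non-overlapping peer range (the local route would shadow it) and a pcx- target."""
    if ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(peer_cidr)):
        return False
    hop = next_hop(route_table, str(ipaddress.ip_network(peer_cidr).network_address))
    return hop is not None and hop.startswith("pcx-")
```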
Page 37
Connecting to on-premises networks: Virtual Private Network & Direct Connect
Page 38
Extend an on-premises network into your VPC
VPN
Direct Connect
Page 39
AWS VPN basics
Diagram: Customer Gateway (your networking device) on 192.168.0.0/16; two IPSec tunnels; Virtual Gateway on the 172.31.0.0/16 VPC; label 192.168/16
Page 40
VPN and Amazon Direct Connect
• Both allow secure connections between your network and your VPC
• VPN is a pair of IPSec tunnels over the Internet
• Direct Connect is a dedicated line with lower per-GB data transfer rates
• For highest availability: Use both
Page 41
VPC and the rest of AWS
Page 42
AWS services in your VPC
Page 43
Example: Amazon RDS database in your VPC
10.10.0.0/16
10.10.1.0/24 AZ A
10.10.2.0/24 AZ B
Reachable via DNS Name: mydb-cluster-1 ….us-west-2.rds.amazonaws.com
Page 44
VPC Endpoints for S3
Page 45
S3 and your VPC
10.10.0.0/16
10.10.1.0/24 AZ A
10.10.2.0/24 AZ B
S3 Bucket
Your applications
Your data
Page 46
AWS VPC Endpoints for S3
10.10.0.0/16
10.10.1.0/24 AZ A
10.10.2.0/24 AZ B
S3 Bucket
Page 47
AWS VPC Endpoints for S3
10.10.0.0/16
10.10.1.0/24 AZ A
10.10.2.0/24 AZ B
S3 Bucket
Route S3-bound traffic to the VPCE
Page 48
IAM Policy for VPC Endpoints
10.10.0.0/16
10.10.1.0/24 AZ A
10.10.2.0/24 AZ B
S3 Bucket
IAM Policy at VPC Endpoint: Restrict actions of VPC in S3
IAM Policy at S3 Bucket: Make accessible from VPC Endpoint only
Page 49
DNS in a VPC
Page 50
VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs
Page 51
VPC Flow Logs
• Visibility into effects of Security Group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
10.10.0.0/16
10.10.1.0/24 AZ A
10.10.2.0/24 AZ B
Page 52
VPC Flow Logs: setup
VPC traffic metadata captured in CloudWatch Logs
Page 53
VPC Flow Logs data in CloudWatch Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
REJECT
UDP Port 53 = DNS
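The slide reads a flow log record by eye; as an added Python example (not the deck's code), here is the same analysis over constructed sample records in the default flow log format, counting REJECTed flows per source and protocol/port so the "who's this?" question can be asked of a whole log. The account id and ENI id are placeholders; 109.236.86.32 is the address the slide resolves, 203.0.113.10 is a documentation address.

```python
from collections import Counter

# Constructed sample records in the default flow log record format
# (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
# start end action log-status). Account id and ENI id are placeholders; 109.236.86.32 is
# the address the slide resolves with dig; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
2 123456789012 eni-PLACEHOLDER 109.236.86.32 172.31.0.128 51515 53 17 1 75 1483228800 1483228859 REJECT OK
2 123456789012 eni-PLACEHOLDER 109.236.86.32 172.31.0.129 51516 53 17 1 75 1483228800 1483228859 REJECT OK
2 123456789012 eni-PLACEHOLDER 203.0.113.10 172.31.0.128 40001 80 6 12 3400 1483228800 1483228859 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 172.31.0.128 172.31.1.24 49152 5432 6 30 9000 1483228800 1483228859 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 203.0.113.10 172.31.0.128 40002 22 6 1 60 1483228800 1483228859 REJECT OK
2 123456789012 eni-PLACEHOLDER - - - - - - - 1483228860 1483228919 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers seen in the log

def parse_flow_log(text):
    """Turn raw records into dicts; NODATA/SKIPDATA records carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        record = dict(zip(FIELDS, parts))
        for key in NUMERIC:
            record[key] = int(record[key])
        records.append(record)
    return records

def rejected_by_source(records):
    """Count REJECTed flows per (source address, protocol/destination port): the slide's 'who's this?' view."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT":
            service = f'{PROTOCOL_NAMES.get(r["protocol"], r["protocol"])}/{r["dstport"]}'
            counts[(r["srcaddr"], service)] += 1
    return counts

if __name__ == "__main__":
    for (source, service), n in rejected_by_source(parse_flow_log(SAMPLE_LOG)).most_common():
        print(f"{source:16} {service:8} rejected {n} time(s)")   # 109.236.86.32 UDP/53 rejected 2 time(s)
```

A REJECT here means a security group or network ACL did its job; the value of the log is seeing which sources keep knocking and on which ports, which is the "visibility into effects of Security Group rules" the earlier slide promises.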
Page 54
VPC: your private network in AWS