VPC - Flying Blind on a Rocket Cycle

Matthew Boeckman - VP of DevOps at Craftsy.com@matthewboeckmanhttp://enginerds.craftsy.com

Who is Craftsy

● Instructor led training videos for passionate hobbyists● #19 on Forbes’ Most Promising Companies 2014

VPC - Why

VPC is mature network topology for AWS

VPC - Why

Network ACL’s allow for true edge blocking

VPC - Why

Instances can be members of multiple Security Groups

SG membership can change post-instance launch

Site to Site VPN connectivity enables extension of your network to AWS

VPC - Why

Three things

Keep it simple

Get there now

Keep it simple

*disclaimer

Our stack in ec2-classic

What we hate about ec2-classic

● inflexible security groups● per-IP maintenance of SG’s across regions● ALLOW TCP 22 FROM 0.0.0.0/0● no edge● no edge

● no edge●no edge

Our stack in VPC

routing

Private subnets can only route traffic destined for the internet to a

NAT instance (eni-0…). Public subnets route to the IGW. Routes

can be automatically propagated from VPN connections.

NAT instances

HOW BIG?!

● we chose m1-medium… because…. it seems big enough?

sure. ● failover

Site to Site VPN

● AWS docs on this are perfect - check if your firewall is on the supported list. If so, one click configuration for your firewall

● A VPN connection - includes two tunnels, connected to two different IP’s at VPC. THESE UNDERGO MAINTENANCE - PRACTICE FAILOVER

Cross region VPN

http://aws.amazon.com/articles/5472675506466066

http://fortycloud.com/interconnecting-two-aws-vpc-regions/

AWS has no product offering here. You can easily VPN two VPC’s in

the same region but not, you know, in different regions.

reservations!

Instance reservations purchased in EC2

classic DO NOT MAGICALLY MOVE TO

VPC

Do. Not. Forget. This. Step.

seriously?

VPC - flying blind

netcat, tcpdump and patience

be the packet

host a

host b

SG

SGACL

ACL

outout,in

out,in

out,in

in

out

out,in

out,in

out,inin

LIMITS

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

ACL’s ARE NOT STATEFUL

ALLOW tcp 80 src 10.85.0.0/16

ALLOW tcp 443 src 10.85.1.0/24

ALLOW tcp established any

DENY ALL

SNS, Redshift, Route53, RDS

SNS - has no legs in VPC. Systems subscribing to SNS topics from private subnets need an HTTP proxy in a public subnet for SNS to reach them.

Redshift/RDS- has legs in VPC - migrate your redshift or rds instances to VPC (yay!)

Route53 - no support for “views” in VPC.

migration time best time

- use AWS support or account teams

- start with subnets and basic nat, vpn

- dev environments, soak

- preprod, soak

cloned production

shut it down

thank you

QUESTIONS!

Matthew Boeckman

@matthewboeckman

http://enginerds.craftsy.com

(deck will be there & slideshare)