A Case Study in Virtual Private Cloud
Gerry Miller
Chief Technologist
Cloudticity
What is Virtual Private Cloud?
Your datacenter connected to dynamic private resources in a public cloud
Application Architecture
Components on the diagram
  Web Browser
  Web Service Proxy
  Content Management System (CMS, People Services, Marketing, Staging)
  Database Server
  Services Server
  Service Bus
  Data Proxy Services
  Marketing App
Outside Services
  Oracle
  Postalsoft
  Email Marketing
  Salesforce.com
VPC Architecture
Amazon.com AWS Cloud Configuration for Virtual Private Cloud connected to corporate network via VPN. The VPN routes traffic for the 192.168.92.0/24 subnet.

Hosts in the VPC
  DEV Web Server               192.168.92.88 (internal), 184.xxx.xxx.xxx (external)
  QA Web Server                192.168.92.92 (internal), 184.xxx.xxx.xxx (external)
  Domain Controller            192.168.92.218
  DEV SQL Server               192.168.92.237
  QA SQL Server                192.168.92.197
  DEV Enterprise Service Bus   192.168.92.147
  QA Enterprise Service Bus    192.168.92.188

VPC subnets
  External   192.168.92.0/25
  Internal   192.168.92.128/25

Internet side: Internet Users, Internet, Amazon Internet Gateway, Amazon Firewall
Corporate side (via VPN): Amazon VPN Gateway, AWS Internal Connections, Corp VPN Device (212.14.xx.xx), Corp Firewall, Corporate Network

Corporate resources reached over the VPN, and the traffic allowed to each
  XMPie (DEV, QA, PROD)     Ports 80, 443, and full SMB access to UNC locations on XMPie servers (unidirectional from VPC)
  Oracle DEV, QA, PROD      Ports 50000, 50001, 50002 (one per environment), bidirectional
  PostalSoft DEV            Ports 21, 80, 443 from VPC to server (unidirectional)

Internet access from the VPC
  All external traffic routed to Internet (must include 80, 443, DNS, NTP, etc.), outbound-initiated only
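The diagram's addressing and arrow labels can be checked as data rather than read off a picture. The following is an added example, not code from the presentation or from Cloudticity: it encodes the two /25 subnets, the listed hosts, and the port/direction labels, then verifies that the subnets exactly tile the /24 advertised over the VPN, places each host in its subnet, and answers "may this side open a connection on this port?" for the VPN and egress flows. The zone names (vpc, internet, xmpie, oracle, postalsoft), the port numbers 53, 123 and 445 standing in for "DNS, NTP, etc." and "full SMB access", and the single Oracle rule covering ports 50000-50002 are modelling assumptions; customer access to the web servers' public 184.xxx addresses is outside this model.

```python
"""Model of the VPC addressing and traffic policy shown on the slide.

Added example; not the presenter's code and not an AWS API call. Port
numbers 53 (DNS), 123 (NTP) and 445 (SMB) are assumptions standing in for
the slide's "DNS, NTP, etc." and "full SMB access".
"""
import ipaddress

# Subnets from the diagram and the prefix the VPN advertises to the corporate side.
SUBNETS = {
    "external": ipaddress.ip_network("192.168.92.0/25"),
    "internal": ipaddress.ip_network("192.168.92.128/25"),
}
VPN_ROUTE = ipaddress.ip_network("192.168.92.0/24")

# Private addresses of the hosts on the diagram (public 184.xxx addresses omitted).
HOSTS = {
    "DEV Web Server": "192.168.92.88",
    "QA Web Server": "192.168.92.92",
    "Domain Controller": "192.168.92.218",
    "DEV SQL Server": "192.168.92.237",
    "QA SQL Server": "192.168.92.197",
    "DEV Enterprise Service Bus": "192.168.92.147",
    "QA Enterprise Service Bus": "192.168.92.188",
}

# Traffic policy from the arrow labels. "initiator" is the side allowed to open
# connections; a bidirectional rule lets either side initiate.
RULES = [
    # All external traffic routed to Internet (80, 443, DNS, NTP, etc.), outbound-initiated only
    {"initiator": "vpc", "peer": "internet", "ports": {80, 443, 53, 123}, "bidirectional": False},
    # XMPie: ports 80, 443 and SMB to UNC locations, unidirectional from VPC (445 assumed for SMB)
    {"initiator": "vpc", "peer": "xmpie", "ports": {80, 443, 445}, "bidirectional": False},
    # Oracle DEV/QA/PROD: ports 50000-50002, bidirectional
    {"initiator": "vpc", "peer": "oracle", "ports": {50000, 50001, 50002}, "bidirectional": True},
    # PostalSoft DEV: ports 21, 80, 443 from VPC to server, unidirectional
    {"initiator": "vpc", "peer": "postalsoft", "ports": {21, 80, 443}, "bidirectional": False},
]


def subnets_tile_vpn_route():
    """True if the two /25s exactly make up the /24 advertised over the VPN:
    no VPC address is unreachable from the datacenter, and no routed address
    falls outside a VPC subnet."""
    return list(ipaddress.collapse_addresses(SUBNETS.values())) == [VPN_ROUTE]


def subnet_of(ip):
    """Name of the VPC subnet holding ip, or None if it lies outside both."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNETS.items() if addr in net), None)


def host_placement():
    """Map each diagram host to its subnet; shows the tiering the addresses imply."""
    return {host: subnet_of(ip) for host, ip in HOSTS.items()}


def is_allowed(src, dst, port):
    """Decide whether src may initiate a connection to dst on port under RULES."""
    for rule in RULES:
        if port not in rule["ports"]:
            continue
        if (src, dst) == (rule["initiator"], rule["peer"]):
            return True
        if rule["bidirectional"] and (src, dst) == (rule["peer"], rule["initiator"]):
            return True
    return False


def policy_violations(flows):
    """Return the (src, dst, port) flows that the diagram's policy does not permit,
    e.g. to review a candidate security-group or firewall rule set against the slide."""
    return [flow for flow in flows if not is_allowed(*flow)]


if __name__ == "__main__":
    print("subnets tile VPN route:", subnets_tile_vpn_route())
    for host, subnet in host_placement().items():
        print(f"{host:28s} -> {subnet}")
    # Constructed sample flows: the first two match the slide, the rest should be flagged.
    sample = [("vpc", "internet", 443), ("oracle", "vpc", 50001),
              ("vpc", "internet", 22), ("xmpie", "vpc", 445), ("postalsoft", "vpc", 21)]
    print("violations:", policy_violations(sample))
```

Running it shows the split the diagram draws: the two hosts that also carry public addresses fall in the external /25, and the domain controller, SQL servers and service buses all fall in the internal /25. The violation check flags reverse-direction attempts on the unidirectional XMPie and PostalSoft rules while accepting either direction for Oracle, which is exactly the distinction the arrow labels make.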
VPC Subnets
[VPC architecture diagram repeated from above]
VPC Connection to Datacenter
[VPC architecture diagram repeated from above]
VPC Using Internal Resources
[VPC architecture diagram repeated from above]
Customer Access to System
[VPC architecture diagram repeated from above]
VPC Security Layers

Layers on the slide, from the Internet edge through the VPC to the corporate network:
  Internet
  Amazon External Firewall
  Amazon External Routing Rules
  Amazon Security Groups
  Amazon Routing ACLs
  Windows Firewall
  Web Server Auth & ACLs
  Amazon Internal Firewall
  Amazon Security Groups
  Amazon Routing ACLs
  Windows Firewall
  ESB & DB Server Auth & ACLs
  Amazon Internal Routing Rules
  Amazon Routing ACLs
  Corporate VPN Firewall
  Amazon Routing Rules
  Corporate Internal Firewall
  Windows Firewall
  Corp server auth and ACLs across all internal datacenters
Things We Learned