a day in the life of a billion packets (cpn401) | aws re:invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

A Day in the Life of a Billion Packets

Eric Brandwine, AWS Security

November 14, 2013

We have the cloud

EBS

RDS ElastiCache Redshift

AWS Cloud

EC2 Elastic Load

Balancing

Customers have Data centers

Whiteboard Engineering

EBS

RDS ElastiCache Redshift

AWS Cloud

EC2 Elastic Load

Balancing

EC2 as it was

10.44.12.4 10.44.12.5

10.44.92.17 10.44.12.27

10.108.6.4

Amazon EC2

Why that doesn’t work 192.168.0.0/16

Routing Table

• 192.168.0.0/16: stay here

• 10.44.12.4/32: AWS

• 10.44.92.17/32: AWS

• 10.108.6.4/32: AWS

10.44.0.0/16

10.44.12.4 10.44.12.5

10.44.92.17 10.44.12.27

10.108.6.4

Amazon EC2

Requirements

• Customer Selected IP Addresses

• Route Aggregation for External Connectivity

• Conformance with Existing Network Designs

Virtual Private Cloud

172.31.0.0/18

192.168.0.0/16

Routing Table

• 192.168.0.0/16: stay here

• 172.31.0.0/18: AWS

172.31.1.0/24 172.31.2.0/24

172.31.1.7

172.31.1.8

172.31.1.9

172.31.2.12

172.31.2.51

This is just virtual networking!

• Subnet ~= VLAN

• VPC ~= VRF (Virtual Routing and Forwarding)

• But…

Scaling Challenges

• VLAN ID space is constrained – 12 bits => 4096 total VLANs

• VRF support is constrained – Large routers => 1-2 thousand VRFs

• Fixed ratio of VLANs:VRFs

Router and capacity dimensions

Big Router

Data Plane

Control

Plane

Big Router

Data Plane

Control

Plane

An Example

• Average Router Configuration Line: 50 chars

• Config per VPC: 10 lines

• Subnets per VPC: 4

• Config per Subnet: 5 lines

• Total VPCs: 2,000

• Config size: 3MB

Silos of Capacity

A

C

B

F E

D

G

A A A

A

B

C

B B

B B

C

D

F F F

D

D

B

G G

/4 /4

/40 /40

0

0

0

0

1 3 2 4 1 3 2

C

G G

3 2 7

D D D

9 9 10

F F F F F

18 15 40

B B B B B

B B B B B

B B B B B

B B

Implementation Requirements

• Scale to millions of environments the size of

Amazon.com

• Any server, anywhere in a region can host an

instance attached to any Subnet in any VPC

Concepts

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

…

10.0.0.2

10.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

Server:

Physical host in an

Amazon datacenter

Instance:

Amazon EC2

instance owned by a

customer

VPC:

Amazon Virtual

Private Cloud

owned by a

customer

VPC ID:

Identifier for a VPC

such as vpc-

1a2b3c4d

Mapping Service:

Distributed lookup

service. Maps VPC

+ Instance IP to

server

L2 - Ethernet

10.0.0.2

10.0.0.3

L2 Src: MAC(10.0.0.2)

L2 Dst: ff:ff:ff:ff:ff:ff

ARP Who has

10.0.0.3?

The switch floods the

ARP request out all

ports

Ethernet Switch

L2 Src: MAC(10.0.0.3)

L2 Dst: MAC(10.0.0.2)

ARP 10.0.0.3 is at

MAC(10.0.0.3)

The switch snoops the

ARP response and

learns the port for

MAC(10.0.0.3).

L2 Src: MAC(10.0.0.2)

L2 Dst: MAC(10.0.0.3)

L3 Src: 10.0.0.2

L3 Dst: 10.0.0.3

ICMP/TCP/UDP/…

L2 - VPC

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

10.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

L2 Src: MAC(10.0.0.2)


ARP Who has

10.0.0.3?

L2 Src: MAC(10.0.0.3)

L2 Dst: MAC(10.0.0.2)

ARP 10.0.0.3 is at

MAC(10.0.0.3)

Src: 192.168.0.3

Dst: Mapping Service

Query:

Orange 10.0.0.3

Src: Mapping Service

Dst: 192.168.0.3

Reply:

Host: 192.168.1.4

MAC: MAC(10.0.0.3)

10.0.0.2

L2 - VPC

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

10.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

10.0.0.2

…

L2 Src: MAC(10.0.0.2)

L2 Dst: MAC(10.0.0.3)

L3 Src: 10.0.0.2

L3 Dst: 10.0.0.3

ICMP/TCP/UDP/…

VPC: Orange

Src: 192.168.0.3

Dst: 192.168.1.4

Src: 192.168.1.4


Validate:

Orange 10.0.0.2 is at

192.168.0.3


Dst: 192.168.1.4

Mapping valid:


192.168.0.3

VPC Isolation

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

10.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

10.0.0.2

Src: 192.168.0.4


Query:

Grey 10.0.0.3

L2 Src: MAC(10.0.0.4)


ARP Who has

10.0.0.3?

VPC Isolation

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

10.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

10.0.0.2

Src: 192.168.0.4


Query:

Orange 10.0.0.3

L2 Src: MAC(10.0.0.4)


ARP Who has

10.0.0.3?

192.168.0.4 is not

hosting any instances

in VPC Orange.

Mapping Denied

Alarm Raised

VPC Isolation

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

10.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

10.0.0.2

…

L2 Src: MAC(10.0.0.4)

L2 Dst: MAC(10.0.0.3)

L3 Src: 10.0.0.4

L3 Dst: 10.0.0.3

ICMP/TCP/UDP/…

VPC: Orange

Src: 192.168.0.4

Dst: 192.168.1.4

Src: 192.168.1.4


Validate:


192.168.0.4


Dst: 192.168.1.4

Mapping invalid!

192.168.1.4 does not

deliver the packet to

the instance.

Alarm Raised.

L3 – IP Routing

10.0.0.2

10.0.1.3

L2 Src: MAC(10.0.0.2)


ARP Who has

10.0.0.1?

Ethernet Switch

L2 Src: MAC(10.0.0.1)

L2 Dst: MAC(10.0.0.2)

ARP 10.0.0.1 is at

MAC(10.0.0.1)

L2 Src: MAC(10.0.0.2)

L2 Dst: MAC(10.0.0.1)

L3 Src: 10.0.0.2

L3 Dst: 10.0.1.3

ICMP/TCP/UDP/…

Router Ethernet Switch

L2 Src: MAC(10.0.1.1)

L2 Dst: MAC(10.0.1.3)

L3 Src: 10.0.0.2

L3 Dst: 10.0.1.3

ICMP/TCP/UDP/…

L3 - VPC

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

10.0.1.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

L2 Src: MAC(10.0.0.2)


ARP Who has

10.0.0.1?

L2 Src: MAC(10.0.0.1)

L2 Dst: MAC(10.0.0.2)

ARP 10.0.0.1 is at

MAC(10.0.0.1)

Src: 192.168.0.3


Query:

Orange 10.0.0.1


Dst: 192.168.0.3

Reply:

Host: Gateway

MAC: MAC(10.0.0.1)

10.0.0.2

L3 - VPC

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

10.0.1.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

Src: 192.168.0.3


Query:

Orange 10.0.1.3


Dst: 192.168.0.3

Reply:

Host: 192.168.1.4

MAC: MAC(10.0.1.3)

10.0.0.2

L2 Src: MAC(10.0.0.2)

L2 Dst: MAC(10.0.0.1)

L3 Src: 10.0.0.2

L3 Dst: 10.0.1.3

ICMP/TCP/UDP/…

VPC: Orange

Src: 192.168.0.3

Dst: 192.168.1.4

Src: 192.168.1.4


Validate:


192.168.0.3


Dst: 192.168.1.4

Mapping valid:


192.168.0.3

L2 Src: MAC(10.0.1.1)

L2 Dst: MAC(10.0.1.3)

L3 Src: 10.0.0.2

L3 Dst: 10.0.1.3

ICMP/TCP/UDP/…

Caching

Server 192.168.0.3

Server 192.168.0.4

…

Server 192.168.1.3

Server 192.168.1.4

…

10.0.0.2

10.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping Service

L2 Src: MAC(10.0.1.1)

L2 Dst: MAC(10.0.1.3)

L3 Src: 10.0.0.2

L3 Dst: 10.0.1.3

ICMP/TCP/UDP/…

VPC Pricing

Cost per VPC: $0.00

Cost per Subnet: $0.00

Upcharge per Instance: $0.00

Nov 10, 2010

VPC as a Platform

172.31.0.0/18

172.31.1.0/24 172.31.2.0/24

172.31.1.7

172.31.1.8

172.31.2.12

172.31.2.51

VPC as a Platform

• VPN and Direct Connect

• Security Group Egress Filtering

• Network ACLs

• Routing Tables

• Elastic Network Interfaces (ENIs)

• Multiple IPs

Simple Complex

Limited Flexible

EC2 VPC

Default VPC

172.31.0.0/18

172.31.1.0/24 172.31.2.0/24

172.31.1.7

172.31.1.8

172.31.1.9

172.31.2.12

172.31.2.51

Simple Complex

Limited Flexible

EC2 - VPC

Other VPC Sessions

ARC202: High Availability Application Architectures in Amazon VPC

ARC401: From One to Many: Evolving VPC Design

CPN208: Selecting the Best VPC Network Architecture (single VPC vs. multiple VPCs)

CPN301: Amazon EC2 to Amazon VPC: A case study (this is the migration story)

Please give us your feedback on this

presentation

As a thank you, we will select prize

winners daily for completed surveys!

CPN401

a day in the life of a billion packets (cpn401) | aws re:invent 2013

Technology