aws networking fundamentals - aws-de …aws-de-media.s3.amazonaws.com/images/aws_summit... · ©...

Tom Adamski

Specialist Solutions Architect, AWS

AWS Networking Fundamentals

Traditional Network

VPN VPN

Applications Applications

VPN VPN

(VPC Peering)

(AWS Direct Connect)

AWS Network

What is an Amazon Virtual Private Cloud (VPC)?

“A virtual network that closely resembles a

traditional network that you'd operate in your own

data center” Instance

Availability Zone

Instance

Availability Zone

Creat ing an Internet-connected VPC: Steps

Choosing an address range

Create subnets in Availability Zones

Creating a route to the Internet

Authorizing traffic to/from

the VPC

Choosing an IP address range

CIDR range example:

172.31.0.0/161010 1100 0001 1111 0000 0000 0000 0000

CIDR notation review

Choosing an IP address range for your VPC

172.31.0.0/16Recommended: RFC1918 range

Recommended: /16

(65,536 addresses)

Avoid ranges that overlap with other networks to which you might connect.

IPv6 in Amazon VPC – Dual-stack

172.31.0.0/16

Amazon Global Unicast Addresses (GUA) –Internet Routable

Associate an /56 IPv6 CIDR(Automatically allocated)

2001:db8:1234:1a00::/56

SubnetsVPC Subnet

VPC subnets and Availability Zones

172.31.0.0/16

Availability Zone Availability Zone Availability ZoneVPC subnet VPC subnet VPC subnet

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

eu-west-1a eu-west-1b eu-west-1c

Expand your existing Amazon VPC

Availability Zone A Availability Zone B

Instance C172.31.3.33/24

Instance A172.31.1.11/24

Instance B172.31.2.22/24

Instance D172.31.4.44/24

Subnet Subnet

VPC CIDR 172.31.0.0/16172.31.0.0/16

Instance C172.31.3.33/24

Instance A172.31.1.11/24

Instance B172.31.2.22/24

Instance D172.31.4.44/24

Subnet Subnet

Availability Zone C

172.31.0.0/16VPC CIDR 172.31.0.0/16

Instance C172.31.3.33/24

Instance A172.31.1.11/24

Instance B172.31.2.22/24

Instance D172.31.4.44/24

Subnet Subnet

Availability Zone C

Instance E172.21.1.11/24

Instance F172.21.2.22/24

Subnet

172.31.0.0/16

172.21.0.0/16

VPC CIDR 172.31.0.0/16 172.21.0.0/16

VPC subnet recommendations

• /16 VPC (65,536 addresses)

• Expand your VPC when necessary

• At least /24 subnets (251 addresses)

• Use multiple Availability Zones per VPC through multiple subnets

Route to the InternetIGW

Routing in your VPC

• Route tables contain rules for which packets go where

• Your VPC has a default (main) route table

• But, you can assign different route tables to different subnets

Traffic destined for my VPC stays in my VPC

Internet gateway

Send packets here if you want them to reach the Internet

Everything that isn’t destined for the VPC:send to the Internet

Network security in your VPC:Security groups

“MyWebServers” Security Group

“MyBackends” Security Group

Allow web traffic

on 0.0.0.0/0

Allow only “MyWebServers”

Security groups follow application structure

Security groups example: Web servers

Allow all HTTP traffic

Rule descriptions

Security groups example: Backends

Allow application traffic from web servers only

VPN VPN

(VPC Peering)

AWS Network - Progress

Beyond Internet connectivity

RestrictingInternet access

Connecting to your corporate network

Connecting to other VPCs

VPC Subnet

Restricting Internet access:Routing by subnet

VPC Subnet

Routing by subnet

public subnet

private subnet

Has route to Internet

Has no route to Internet

Outbound-only internet access: NAT gateway

private subnet public subnet

0.0.0.0/0

Public IP: 54.161.0.39

NAT gateway

Inter-VPC connectivity:VPC peering

Example VPC peering use:Shared services VPC

• Common/core services• Authentication/directory• Monitoring• Logging• Remote administration• Scanning

D10.2.0.0/16

172.16.0.0/16

E10.3.0.0/16

C192.168.0.0/16

F172.17.0.0/16

B10.0.0.0/16

G10.4.0.0/16

Establish a VPC peering: Initiate request

172.31.0.0/16 10.55.0.0/16Step 1

Initiate peering request

Establish a VPC peering: Accept request

172.31.0.0/16 10.55.0.0/16Step 1

Step 2

Accept peering request

Establish a VPC peering: Create a route

172.31.0.0/16 10.55.0.0/16Step 1

Step 2

Accept peering request

Step 3Traffic destined for the peered VPC should go to the peering

Security groups across peered VPCs

VPC Peering

172.31.0.0/16 10.55.0.0/16

Orange Security Group Blue Security Group

Inter-Region VPC Peering

eu-west-1 (Ireland) us-east-1 (N.Virginia)

VPC A VPC B

Some notes…

Inter-Region VPC Peering encrypts with no single point of failure or bandwidth bottleneck

Traffic using Inter-Region VPC Peering always stays on the global AWS backbone

VPN VPN

(VPC Peering)

Connecting to on-premises networks:AWS Virtual Private Network

and AWS Direct Connect

Extend an on-premises network into your VPC

AWS Direct Connect

AWS VPN basics

Virtual Private

Gateway

Two IPSec tunnels

172.31.0.0/16

192.168/16

Customer Gateway

192.168.0.0/16

Your networking deviceTraffic destined for the VPN/Direct Connect via the VGW

AWS Direct Connect Gateway

EU-WEST-1172.31.0.0/16

VGW PrivateVirtual Interface

“Attachment”

Direct Connect Location(London)

VGW“Association”

192.168.0.0/16

Direct Connect Gateway

EU-WEST-1172.31.0.0/16

VGW PrivateVirtual Interface

“Attachment”

192.168.0.0/16

EU-WEST-1172.31.0.0/16

PrivateVirtual Interface

“Attachment”

EU-CENTRAL-1172.16.0.0/16

EU-WEST-1172.31.0.0/16

VGWVirtual Interface

“Attachment”

EU-CENTRAL-1172.16.0.0/16

Direct Connect Location

(Frankfurt)

Virtual Interface“Attachment”

Direct Connect Gateway—traffic flows

VGW Virtual Interface“Attachment”

VGWVGW

“Association”

Direct Connect Gateway—traffic flows

VGW Virtual Interface“Attachment”

VGWVGW

“Association”

AWS VPN and AWS Direct Connect

• Both allow secure connections between your network and your VPC

• VPN is a pair of IPSec tunnels over the Internet

• AWS Direct Connect is a dedicated line with lower per-GB data transfer rates

• For highest availability: Use both

VPN VPN

(VPC Peering)

AWS Services

Inside of the VPC Outside of the VPC

VPC VPC

AWS Services in your VPC

Example: Amazon RDS Database in your VPC

Example: Application Load Balancer in your VPC

AWS Services outside your VPC

VPC Endpoints for AWS Services

Amazon S3 and your VPC

S3 bucket

Your applications

Your data

Gateway VPC Endpo int s

VPC Endpoints: Amazon S3 and DynamoDB

S3 bucket

Route S3-bound traffic to the VPC endpoint

IAM policy for VPC Endpoints

S3 bucket

IAM policy at VPC endpoint: restrict actions of VPC in Amazon

S3 or Amazon DynamoDB

IAM policy at S3 bucket: make accessible from

VPC endpoint only

I n te r face VPC Endpo int s

AWS PrivateLink for AWS Services

EC2 APIs

Private IP: 172.31.1.6

Private IP: 172.31.2.10

vpce-….ec2.eu-west-1.vpce.amazonaws.comvpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.comvpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com

ec2.eu-west-1.amazonaws.com

AWS PrivateLink for Customer & Partner Applications

Powered by Network Load Balancer

Secure endpointwithin Client VPC

Integrated with AWS Marketplace

Share services privately and securely betweenVPCs, AWS accounts, and on-premises networks

Available in all public AWS regions, except CN-NORTH-1

VPC Flow Logs: VPC traffic metadata in Amazon

CloudWatch Logs

VPC Flow Logs

• Visibility into effects of security group rules

• Troubleshooting network connectivity

• Ability to analyze traffic

172.31.1.0/24AZ A

VPC Flow Logs: Setup

VPC traffic metadata captured in Amazon CloudWatch Logs

VPC Flow Logs data in CloudWatch Logs

Who’s this?# dig +short -x 109.236.86.32 internetpolice.co.

REJECT

UDP Port 27015

The VPC Network

VPC Network Security

VPC Connectivity

• 1 Gbps

• 10 Gbps

• Enhanced networking

• 20x PPS• <100-µs

latency

• EBS optimized by default

• Elastic Network Adapter

• 25 Gbps• <50-µs

latency

On-Instance Networking Improvements

25 Gbpsto Amazon S3

25 Gbpswithin region

Instance Bandwidth Limits

25 Gbpswithin placement group

5 Gbpsfor other sources

Amazon Time Sync Service

Highly reliable service with a redundant array of satellite and atomic clock

sources

Thank You!

Tom Adamski

Specialist Solutions Architect

aws networking fundamentals - aws-de …aws-de-media.s3.amazonaws.com/images/aws_summit... · ©...

Documents

aws webcast - aws 101 - journey to the aws cloud:...

cphotography by tomasz adamski

george adamski flying saucers farewell

i.n. g.a.€¦ · i.n.g.a. 3 - 2013 3 david adamski...

inside the space ships by george adamski

2018 aws summit berlin sponsorship...

george adamski ufo contactee

inside the spaceships - george adamski

preliminary notes on the adamski scout ship...

deploying a containerized web application with aws cloud...

pushing the boundaries 1600-get–your-legacy-business-apps...

hitbsecconf 2012 - lucas adamski - firefox os and you

cosmic philosophy by george adamski

cloud devsecops and compliance considerations leveraging...

cosmic philosophy - george adamski

gray barker's book of adamski

jen adamski-torres - empowering retailers: eliminating the...

inside the space ships - george adamski

differentiate for success -...

reactive microservices architecture on...