(sdd422) amazon vpc deep dive | aws re:invent 2014

Post on 02-Jul-2015

DESCRIPTION

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this talk, we discuss advanced tasks in Amazon VPC, including the implementation of VPC peering, the creation of multiple network zones, the establishment of private connections, and the use of multiple routing tables. We also provide information for current EC2-Classic network customers and help you prepare to adopt Amazon VPC.

TRANSCRIPT

November 14, 2014 | Las Vegas, NV

Kevin Miller, Sr. Manager, AWS EC2 Networking

EC2-Classic: simple to get started. All instances have Internet connectivity and auto-assigned private and public IP addresses; security groups filter inbound traffic only.

Default VPC: the best of both. Get started using the EC2-Classic experience and, if and when needed, begin using any VPC feature you require.

VPC: advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, Enhanced Networking, and more to come.

All accounts created after 12/4/2013 support VPC only and have a default VPC in each region. To see which platforms an account supports:

aws ec2 describe-account-attributes --attribute-names supported-platforms

# A VPC-only account returns just "VPC"; older accounts also return "EC2" (EC2-Classic).

Building a VPC connected to a corporate data center (192.168.0.0/16)

# 1. The VPC, with one subnet in each of two Availability Zones
aws ec2 create-vpc --cidr-block 10.10.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b

# 2. A virtual private gateway attached to the VPC, a customer gateway describing the
#    on-premises device (public IP and BGP ASN), and the IPsec VPN connection between them
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1

# 3. Three instances in each subnet
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3

# 4. AWS Direct Connect: a 1 Gbps connection at the EqSE2 location and a private
#    virtual interface terminating on the same virtual private gateway
aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s \
  --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7

# 5. Send all non-local traffic (there is no Internet gateway yet) to the corporate
#    data center over the virtual private gateway
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7

Each VPC has a single routing table at creation time (the main route table), used by every subnet that has no explicit route-table association of its own.

Connecting both Availability Zones to the corporate data center with redundancy:

Each VPN connection consists of 2 IPsec tunnels. Use BGP for failure recovery.

A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.

Redundant AWS Direct Connect connections with VPN backup.

Adding an Internet gateway; the corporate data center (192.168.0.0/16) stays reachable via the VGW

aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
# Swap the default route: Internet-bound traffic via the IGW, corporate traffic via the VGW
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7

Instead of a static route for the corporate prefix, let the VGW propagate the routes it learns over BGP:

aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7

Route propagation is used to automatically update the routing table(s) with the routes present in the VGW. If a static route and a propagated route share the same destination, the static route takes priority.

Adding a subnet with connectivity only to other instances and the Internet via the IGW (no route to the corporate network)

aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.3.0/24 --availability-zone us-west-2b
aws ec2 create-route-table --vpc-id vpc-c15180a4
aws ec2 associate-route-table --route-table-id rtb-fc61b299 --subnet-id subnet-60975a17
# The default route goes into the new subnet's own table; the main table keeps its VGW routes
aws ec2 create-route --route-table-id rtb-fc61b299 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f

Connecting two VPCs through a software VPN running on an instance in each (VPC A 10.10.0.0/16, VPC B 10.20.0.0/16). The routes go into the default routing table of each VPC, and each VPN instance must have source/destination checking disabled, otherwise EC2 drops the packets it forwards on behalf of others.

# VPC A
aws ec2 modify-network-interface-attribute --network-interface-id eni-f832afcc --no-source-dest-check
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc
# VPC B
aws ec2 modify-network-interface-attribute --network-interface-id eni-9c1b693a --no-source-dest-check
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --instance-id i-9c1b693a

Routing all traffic from subnets to the Internet via a firewall is conceptually similar:

# Default routing table directs traffic to the NAT/firewall instance
# (use replace-route if this table already has a 0.0.0.0/0 route)
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --instance-id i-f832afcc

# Routing table for 10.10.3.0/24 directs to the Internet; the firewall instance itself
# must sit in a subnet like this one, or its own outbound traffic is routed back to it
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
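An added example, not from the talk: Python that applies the route-table rules above (an explicit subnet association beats the main table; longest-prefix match, with a static route winning over a VGW-propagated one at the same prefix; an instance as a route target) to the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` return. The input is a constructed sample mirroring the tables built above; it assumes subnet-60975a17 is the 10.10.3.0/24 subnet holding the NAT/firewall instance, and 198.51.100.1 is only a probe address.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`:
# the main table (rtb-ef36e58a) sends 0.0.0.0/0 to the NAT/firewall instance
# and carries the VGW-propagated corporate prefix; the table for 10.10.3.0/24
# (rtb-67a2b31c, subnet-60975a17 assumed) sends 0.0.0.0/0 straight to the IGW.
ROUTE_TABLES = json.loads("""
{"RouteTables": [
 {"RouteTableId": "rtb-ef36e58a", "VpcId": "vpc-c15180a4",
  "Associations": [{"Main": true, "RouteTableId": "rtb-ef36e58a"}],
  "Routes": [
   {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local",
    "Origin": "CreateRouteTable", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-f832afcc",
    "NetworkInterfaceId": "eni-f832afcc", "Origin": "CreateRoute", "State": "active"},
   {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-f9da06e7",
    "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
 {"RouteTableId": "rtb-67a2b31c", "VpcId": "vpc-c15180a4",
  "Associations": [{"Main": false, "RouteTableId": "rtb-67a2b31c",
                    "SubnetId": "subnet-60975a17"}],
  "Routes": [
   {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local",
    "Origin": "CreateRouteTable", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-5a1ae13f",
    "Origin": "CreateRoute", "State": "active"}]}]}
""")

# Constructed sample shaped like `aws ec2 describe-network-interfaces`: the
# NAT/firewall instance's ENI, in the IGW-routed subnet, with the check off.
NETWORK_INTERFACES = json.loads("""
{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-f832afcc", "SubnetId": "subnet-60975a17",
  "SourceDestCheck": false, "Attachment": {"InstanceId": "i-f832afcc"}}]}
""")

def effective_table(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the main table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def lookup(route_table, dst_ip):
    """Longest-prefix match over active routes; on an equal prefix a static
    route beats one propagated from the VGW (AWS route priority)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip not in net:
            continue
        rank = (net.prefixlen, route["Origin"] != "EnableVgwRoutePropagation")
        if best is None or rank > best[0]:
            best = (rank, route)
    return best[1] if best else None

def target_of(route):
    for key in ("GatewayId", "InstanceId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return ""

def exposure(route_tables, subnet_id):
    """How a subnet reaches the Internet (probe 198.51.100.1): 'igw' public,
    'instance' via a NAT/firewall hop, 'vgw' corporate only, 'none' no path."""
    route = lookup(effective_table(route_tables, subnet_id), "198.51.100.1")
    target = target_of(route) if route else ""
    for prefix, kind in (("igw-", "igw"), ("vgw-", "vgw"), ("i-", "instance")):
        if target.startswith(prefix):
            return kind
    return "none"

def check_instance_routes(route_tables, interfaces):
    """Findings for every route whose target is an instance: its ENI must have
    SourceDestCheck off, and the subnet it sits in must reach the IGW directly,
    or the instance's own outbound traffic is routed back to itself."""
    enis = {n["NetworkInterfaceId"]: n for n in interfaces["NetworkInterfaces"]}
    findings = []
    for rt in route_tables["RouteTables"]:
        for route in rt["Routes"]:
            if "InstanceId" not in route:
                continue
            tag = f"{rt['RouteTableId']} -> {route['InstanceId']}"
            eni = enis.get(route.get("NetworkInterfaceId"))
            if eni is None:
                findings.append(f"{tag}: target ENI not found")
            elif eni["SourceDestCheck"]:
                findings.append(f"{tag}: SourceDestCheck still enabled, forwarded packets are dropped")
            elif exposure(route_tables, eni["SubnetId"]) != "igw":
                findings.append(f"{tag}: instance subnet has no direct IGW route")
    return findings
```

Run it against real output by loading the two JSON documents from `aws ec2 describe-route-tables --output json` and `aws ec2 describe-network-interfaces --output json` instead of the constructed samples; `exposure` tells you which subnets are effectively public, and `check_instance_routes` catches the two mistakes that make an instance-based NAT or firewall silently fail.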

VPC peering between VPC A (10.10.0.0/16, vpc-c15180a4) and VPC B (10.20.0.0/16, vpc-062dfc63):

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
# Each side needs a route to the other side's CIDR via the peering connection
VPC A> aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
VPC B> aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87

Peering with a VPC owned by another account (Account ID 472752909333): the request names the owner, and the owner must accept it.

aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333

# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87

Peer traffic can also be sent through the NAT/firewall instance for some subnets and directly over the peering for others:

# Default routing table directs peer traffic to the NAT/firewall instance
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --instance-id i-f832afcc

# Routing table for 10.10.3.0/24 directs to the peering connection
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
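An added example, not from the talk: the checks a practitioner runs before and after the peering calls above, in Python over a constructed description of the two VPCs (the dict shape is this example's own, not an AWS API response). It covers the overlap rule (a peering between overlapping CIDR blocks is refused), the requirement that both sides hold a route via the peering, and the fact that peering is not transitive.

```python
import ipaddress

# Constructed sample of the two peered VPCs above and the routes their subnets
# use. Shape assumed for this example: one route list per VPC.
VPCS = {
    "vpc-c15180a4": {"cidr": "10.10.0.0/16", "routes": [
        {"dest": "10.10.0.0/16", "target": "local"},
        {"dest": "10.20.0.0/16", "target": "pcx-ee56be87"}]},
    "vpc-062dfc63": {"cidr": "10.20.0.0/16", "routes": [
        {"dest": "10.20.0.0/16", "target": "local"},
        {"dest": "10.10.0.0/16", "target": "pcx-ee56be87"}]},
}
# (peering connection id, requester VPC, accepter VPC)
PEERINGS = [("pcx-ee56be87", "vpc-c15180a4", "vpc-062dfc63")]

def can_peer(cidr_a, cidr_b):
    """AWS refuses a peering between VPCs whose CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def routes_via(vpc, dest_cidr, pcx):
    """True when some route covering dest_cidr points at the peering."""
    dest = ipaddress.ip_network(dest_cidr)
    return any(r["target"] == pcx and dest.subnet_of(ipaddress.ip_network(r["dest"]))
               for r in vpc["routes"])

def check_peering(vpcs, peerings):
    """Traffic flows only when both sides route the other's CIDR at the pcx;
    a route on one side alone means the return packets are silently dropped."""
    findings = []
    for pcx, a, b in peerings:
        ca, cb = vpcs[a]["cidr"], vpcs[b]["cidr"]
        if not can_peer(ca, cb):
            findings.append(f"{pcx}: {ca} and {cb} overlap, peering will be rejected")
        for src, dst in ((a, b), (b, a)):
            if not routes_via(vpcs[src], vpcs[dst]["cidr"], pcx):
                findings.append(f"{pcx}: {src} has no route to {vpcs[dst]['cidr']} via the peering")
    return findings

def reachable(vpcs, peerings, src, dst):
    """Peering is not transitive: A<->B plus B<->C never yields A->C, so only
    a direct, correctly routed peering between src and dst counts."""
    for pcx, a, b in peerings:
        if {a, b} == {src, dst}:
            return not check_peering(vpcs, [(pcx, a, b)])
    return False
```

When peer traffic is forced through the firewall instance, as in the last pair of routes above, run `routes_via` against the firewall subnet's table, which is the one that must carry the pcx route.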

Migrating from EC2-Classic to VPC, option 1: one-time move. Classic environment: 2 security groups, a load balancer, and instances.

[Diagram: ELB, AMI, EBS snapshot, shown for each stage of the move from Classic to VPC]

Pros                              Cons
One time move                     Requires (longer) maintenance window
Easy back-out plan                Test up-front
Easier for smaller deployments    Harder for larger deployments

You can dry-run this whole sequence without turning off the Classic instances.

Option 2: per-component move.

[Diagram: ELB]

Pros                                 Cons
Shorter, per-component               Requires maintenance windows
maintenance windows
Per component back-out plans         Takes longer to complete migration
Easier for larger deployments        Per component integration
                                     (EIPs/Elastic Load Balancing,
                                     CIDR-based security group rules)

Option 3: move using ClassicLink.

[Diagram: Amazon Route 53, ELB and RDS DB instance, shown for each stage as traffic shifts from the Classic side to the VPC side]

Pros                                                  Cons
(Potentially) No maintenance window                   Additional complexity during migration
Direct private IP connectivity and security group     Still need to replace EC2-Classic
integration                                           instances with new VPC instances
Designed for the largest deployments

ClassicLink: EC2-Classic instances linked to a VPC (vpc-4325f426), so that they and the VPC-side resources (RDS DB instance, ElastiCache cache node, Elastic Load Balancing) can reach each other over private IPs.

To use ClassicLink, the VPC must have this feature enabled. Enabling it can be restricted with IAM policy.

Link this specific instance (i-2b3ecd1c) to the VPC (vpc-4325f426) using the specified VPC security groups (sg-da107fbf).

The link is required again after Run (new instance launch) or Start (stopped instance); it does not persist across a stop.

http://bit.ly/awsevals
