(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options | AWS...
DESCRIPTION
In this session, we will walk through the fundamentals of Amazon Virtual Private Cloud (VPC). First, we will cover build-out and design fundamentals for VPC, including picking your IP space, subnetting, routing, security, NAT, and much more. We will then transition into different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks AWS makes available with VPC and how you can connect this with your offices and current data center footprint.
TRANSCRIPT
[Slide diagram: a public web application (Object Storage, CDN, Web, DNS for http://www.example.com) reached by a User through an Internet Gateway, and an internal application (http://internal-app) reached by an Internal User in the Corporate Data Center over a VPN over the Internet between a Router / Firewall and a VPN Gateway]
[Slide diagram: hybrid environment linking Corporate data centers to AWS over AWS Direct Connect; labels: Active Directory, Network configuration, Encryption, Backup appliances, Your on-premises apps, Users and access rules, Your private network, HSM appliance, Cloud backups, Your cloud apps]
[Slide diagram: disaster recovery into AWS. The Web Server, Application Server, DB Server and Data Volume in the Corporate Data Center are mirrored by Data Mirroring / Replication to an EC2 Web Server, EC2 Application Server, EC2 DB Server and an Amazon Elastic Block Store (EBS) Data Volume. The Amazon Elastic Compute Cloud (EC2) instances are stopped; they can be restarted if the primary application goes down. A smaller EC2 instance is used for the DB, but it can be stopped and restarted as a larger EC2 instance. Amazon Route 53 is used to repoint DNS for the User in an outage.]
VPC building blocks (icon legend): Route table, Elastic network interface, Amazon VPC Router, Internet gateway, Customer gateway, Virtual private gateway, VPN connection, Subnet, Elastic IP
[Slide diagrams, built up step by step: VPC CIDR 10.1.0.0/16 with Subnet 10.1.1.0/24 in Availability Zone A and Subnet 10.1.10.0/24 in Availability Zone B; then an Internet Gateway giving the VPC a path to the Internet and to the AWS Public API Endpoints; then a VPN Gateway connected over a VPN over the Internet to a Customer Gateway in the Corporate Data Center, where an Internal User sits]
• By default, every subnet can talk to every other subnet
• Enabled by a virtual router that sits in a star topology between all subnets
• VPC DHCP service hands out a .1 default gateway to each instance coming up in a subnet (in a /24 subnet)
[Slide diagram: VPC CIDR 10.1.0.0/16 with a Public Subnet and a Private Subnet in each of Availability Zone A and Availability Zone B; Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24 and Instance D 10.1.4.44/24, with the .1 address of each subnet as the virtual router's default gateway]
[Slide diagram: VPC CIDR 10.1.0.0/16 with Subnet 10.1.1.0/24 in Availability Zone A and Subnet 10.1.10.0/24 in Availability Zone B, and an Internet Gateway out to the Internet and the AWS Public API Endpoints]
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw
[Slide diagram: the same VPC with a VPN Gateway connected over a VPN over the Internet to a Customer Gateway in the Corporate Data Center, where the Internal User sits]
[Slide diagram: VPC CIDR 10.1.0.0/16, Subnet 10.1.1.0/24 in Availability Zone A and Subnet 10.1.10.0/24 in Availability Zone B, an instance in each holding an EIP, Internet Gateway out to the Internet and the AWS Public API Endpoints]
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw
[Slide diagram: the same two subnets, each instance shown with its ENI (eth0), Internet Gateway out to the Internet and the AWS Public API Endpoints, and the same Route Table (10.1.0.0/16 local, 0.0.0.0/0 igw)]
[Slide diagram: VPC CIDR 10.1.0.0/16 with a VPC Subnet with ACL in Availability Zone A and in Availability Zone B]
[Slide diagram: VPC CIDR 10.1.0.0/16, Subnet 10.1.1.0/24 in Availability Zone A and Subnet 10.1.10.0/24 in Availability Zone B, a Security Group around the instances, a Route Table for each subnet, the Virtual Router, an Internet Gateway and a Virtual Private Gateway]
[Slide diagram: VPC 10.1.0.0/16 with a VPC Public Subnet containing a NAT Instance (Public: 54.200.129.18, Private: 10.1.1.11/24) and a Web Server (Public: 54.200.129.29, Private: 10.1.1.12/24), and a VPC Private Subnet containing Database Servers at Private: 10.1.10.3/24, 10.1.10.4/24 and 10.1.10.5/24; the public subnet reaches the AWS Public API Endpoints through the Internet Gateway]
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw
[Slide diagram: VPC 10.1.0.0/16 reached from the corporate network by VPN or Direct Connect, showing the IGW, VGW and CGW]
Route Table
Destination Target
10.1.0.0/16 local
172.16.0.0/8 vgw
0.0.0.0/0 NAT
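The two route tables above (the public subnet's igw default route and the private subnet's local / vgw / NAT table) resolved with longest-prefix matching, as an added Python example that is not part of the session material. The tables are copied from the slides; the destination addresses fed to them are constructed. Note that the slide's 172.16.0.0/8 has host bits set (the canonical /8 containing it is 172.0.0.0/8), so the example parses it with strict=False, and any destination in 172.0.0.0/8 then resolves to the vgw; the same check is worth running on a real table before trusting what it routes where.

```python
import ipaddress

# Constructed copies of the two route tables shown on the slides.
PUBLIC_SUBNET_ROUTES = [
    ("10.1.0.0/16", "local"),
    ("0.0.0.0/0", "igw"),
]
PRIVATE_SUBNET_ROUTES = [
    ("10.1.0.0/16", "local"),
    ("172.16.0.0/8", "vgw"),   # host bits set on the slide; normalized below to 172.0.0.0/8
    ("0.0.0.0/0", "NAT"),
]


def parse_routes(routes):
    """Turn (destination, target) strings into (network, target) pairs.
    strict=False masks off host bits the way a router would."""
    return [(ipaddress.ip_network(dest, strict=False), target) for dest, target in routes]


def lookup(routes, dst_ip):
    """Longest-prefix match: the most specific destination wins, which is how
    the VPC router evaluates a route table. Returns the target, or None when
    nothing matches (possible when a table has no 0.0.0.0/0 entry)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in parse_routes(routes):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def egress_summary(routes, destinations):
    """Classify a batch of destinations: a quick way to review what a subnet's
    route table actually lets traffic reach and through which device."""
    return {dst: lookup(routes, dst) for dst in destinations}


def has_direct_internet_route(routes):
    """True when default traffic goes straight to an Internet gateway, which is
    what makes a subnet 'public'; private subnets send it to NAT or a VGW instead."""
    return any(net.prefixlen == 0 and target == "igw" for net, target in parse_routes(routes))


if __name__ == "__main__":
    probes = ["10.1.10.3", "172.16.5.5", "172.31.5.5", "8.8.8.8"]   # constructed destinations
    print("public :", egress_summary(PUBLIC_SUBNET_ROUTES, probes))
    print("private:", egress_summary(PRIVATE_SUBNET_ROUTES, probes))
    print("private subnet has direct Internet route:", has_direct_internet_route(PRIVATE_SUBNET_ROUTES))
```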
Examples of “high blast radius” VPC API calls that should be restricted:
AttachInternetGateway
AssociateRouteTable
CreateRoute
DeleteCustomerGateway
DeleteInternetGateway
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteRoute
DeleteRouteTable
DeleteDhcpOptions
ReplaceNetworkAclAssociation
DisassociateRouteTable
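One way to enforce that restriction, as an added Python example that is not from the session: it generates an IAM policy with an explicit Deny on the twelve listed actions (all in the ec2: namespace) and includes a small evaluator showing why the Deny holds even when a broad Allow is attached alongside it. The evaluator ignores Resource ARNs and Condition keys, and the statement Sids are invented labels.

```python
import fnmatch
import json

# The EC2 API actions the slide lists as "high blast radius".
HIGH_BLAST_RADIUS_ACTIONS = [
    "AttachInternetGateway", "AssociateRouteTable", "CreateRoute",
    "DeleteCustomerGateway", "DeleteInternetGateway", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "DeleteRoute", "DeleteRouteTable",
    "DeleteDhcpOptions", "ReplaceNetworkAclAssociation", "DisassociateRouteTable",
]


def build_policy(actions=HIGH_BLAST_RADIUS_ACTIONS):
    """An IAM policy granting everyday EC2 access while explicitly denying the
    calls that change VPC topology. In IAM an explicit Deny overrides any Allow,
    so the denial holds even if another attached policy grants ec2:*."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EverydayEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            {"Sid": "DenyVpcTopologyChanges", "Effect": "Deny",
             "Action": [f"ec2:{a}" for a in actions], "Resource": "*"},
        ],
    }


def _matches(pattern, action):
    """IAM action names are matched case-insensitively and support * wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Minimal IAM-style decision for one action: an explicit Deny wins, then
    any matching Allow, otherwise the implicit default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


def audit(policy, event_names):
    """Given API call names (for example CloudTrail eventName values), report how
    the policy would decide each; useful for reviewing who really needs them."""
    return {name: evaluate(policy, f"ec2:{name}") for name in event_names}


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print(audit(policy, ["CreateRoute", "DescribeRouteTables", "RunInstances"]))
```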
• Consider future AWS region expansion
• Consider future connectivity to your internal networks
• Consider applications your VPC will host
• Consider subnet design
• VPC can be /16 down to /28
• CIDR cannot be modified after creation
• Overlapping IP spaces = future headache
[Slide diagram: a VPC Subnet with NACL; inside it an Instance with an Elastic Network interface, the Security Group applied at the interface and the Network ACL applied at the subnet]
• Problem
If my instance fails or I need to upgrade it, I need to push traffic to another instance with the same public and private IP addresses and same network interface
• Solution
Deploy your application in VPC and use an ENI on eth1 that can be moved between instances and retain same MAC, public, and private IP addresses
• Pros
– Since we are moving the ENI, DNS will not need to be updated
– Fallback is as easy as moving the ENI back to the original instance
– Anything pointing to the public or private IP on the instance will not need to be updated
– ENIs can be moved across instances in a subnet
[Slide diagram: Virtual Private Cloud, one Availability Zone, a VPC Subnet with two EC2 instances and an ENI (eth1) that moves between them, Amazon Route 53]
• Tagging strategy should be part of early design
• Project code, cost center, environment, version, team, business unit
• Tag resources right after creation
• Tags supported for resource permissions
• AWS Billing also supports tags
• Tight IAM controls on the creation and editing of tags
Use Amazon EC2 run resource permissions to control:
• What AMI can be launched
• What VPC or subnet can be targeted
• What security groups must be in place
• Which VPCs allow peering
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
For more policy examples:
http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
1. Backhaul through your own corporate firewall?
2. Public route with public IP
3. Using NAT
1. Advanced patterns
   1. Creating an HA NAT
   2. Using a proxy layer
[Slide diagram: an AWS Region with a Private Subnet in Availability Zone A and in Availability Zone B hosting Intranet Apps; a Virtual Private Gateway and VPN Connection to the Customer Gateway / Customer Border Router in the Customer Data Center, which provides the path to the Internet and on to Amazon S3]
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 vgw
• Problem
EC2 instances need access to the Internet
• Solution
– Either attach an EIP or have a public IP added at launch
– Create a route from the subnet where you are deploying your instances to the IGW
• Pros
Your devices can access the Internet and AWS public endpoints
• Notes
Your security group can prohibit inbound traffic from the Internet so your instances can reach the Internet but cannot be reached publicly from outside your VPC
[Slide diagram: Virtual Private Cloud, Availability Zone, VPC Public Subnet with an EC2 / NAT instance holding an Elastic or Public IP, Internet Gateway to the Internet and to an Amazon S3 bucket]
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw
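The note above (a security group with no inbound rules still lets instances reach out) works because security groups are stateful, while network ACLs are stateless and evaluate numbered rules in order. The following added Python model, not part of the session, shows the difference: the same unsolicited packet to a high port clears a NACL that has to admit reply traffic, and is stopped only by the security group. All addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    direction: str = "inbound"   # relative to the instance


def _cidr_match(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Stateful filter on the instance's ENI. Only the initiating direction needs a
    rule; replies to connections the instance opened are allowed back automatically."""
    inbound: list = field(default_factory=list)   # (cidr, proto, port_from, port_to)
    outbound: list = field(default_factory=lambda: [("0.0.0.0/0", "all", 0, 65535)])
    tracked: set = field(default_factory=set)     # (peer_ip, peer_port) of outbound connections

    @staticmethod
    def _rule_allows(rule, peer_ip, proto, port):
        cidr, rproto, lo, hi = rule
        return _cidr_match(cidr, peer_ip) and rproto in ("all", proto) and lo <= port <= hi

    def allows(self, pkt):
        if pkt.direction == "outbound":
            ok = any(self._rule_allows(r, pkt.dst_ip, pkt.proto, pkt.dst_port) for r in self.outbound)
            if ok:
                self.tracked.add((pkt.dst_ip, pkt.dst_port))   # connection tracking
            return ok
        if (pkt.src_ip, pkt.src_port) in self.tracked:        # reply to something we started
            return True
        return any(self._rule_allows(r, pkt.src_ip, pkt.proto, pkt.dst_port) for r in self.inbound)


@dataclass
class NetworkAcl:
    """Stateless filter on the subnet. Rules are tried in ascending rule number, the
    first match decides, and the final '*' rule denies; replies are not recognised,
    so return traffic needs its own ephemeral-port allow rule."""
    inbound: list    # (rule_no, cidr, proto, port_from, port_to, action)
    outbound: list

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        peer_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        for _, cidr, proto, lo, hi, action in sorted(rules):
            if _cidr_match(cidr, peer_ip) and proto in ("all", pkt.proto) and lo <= pkt.dst_port <= hi:
                return action == "allow"
        return False   # implicit final deny


def passes(sg, nacl, pkt):
    """A packet must clear the subnet's NACL and then the instance's security group."""
    return nacl.allows(pkt) and sg.allows(pkt)


def demo():
    """Instance with no inbound security-group rules, as the slide's note describes."""
    sg = SecurityGroup(inbound=[])
    nacl = NetworkAcl(
        inbound=[(100, "0.0.0.0/0", "tcp", 1024, 65535, "allow")],   # lets replies back in
        outbound=[(100, "0.0.0.0/0", "all", 0, 65535, "allow")],
    )
    instance, web, scanner = "10.1.1.12", "203.0.113.10", "198.51.100.7"   # constructed addresses
    request = Packet(instance, 40001, web, 443, "tcp", "outbound")
    reply = Packet(web, 443, instance, 40001, "tcp", "inbound")
    probe_ssh = Packet(scanner, 55555, instance, 22, "tcp", "inbound")
    probe_high = Packet(scanner, 55555, instance, 40002, "tcp", "inbound")
    return {
        "outbound request": passes(sg, nacl, request),
        "reply to it": passes(sg, nacl, reply),
        "unsolicited port 22": passes(sg, nacl, probe_ssh),
        "unsolicited high port, NACL only": nacl.allows(probe_high),
        "unsolicited high port, NACL plus SG": passes(sg, nacl, probe_high),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'blocked'}")
```

The NACL-only line is the point: a stateless filter that admits replies on 1024-65535 necessarily admits new inbound packets on those ports too, so the security group, which knows which connections the instance opened, is what actually keeps the instance unreachable.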
• Problem
EC2 instances in a private subnet need access to the Internet to call APIs, for downloads, and for updates to software packages and the OS
• Solution
Deploy a NAT server on an EC2 instance that will provide Internet access to servers in private subnets
• Pros
– Your devices are not publicly addressable but still have Internet access
– NAT gives instances in private subnet capability to access AWS services and APIs outside of VPC
[Slide diagram: Virtual Private Cloud, Availability Zone, VPC Public Subnet with the EC2 / NAT instance, VPC Private Subnet with EC2 instances, Internet Gateway to the Internet]
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 NAT
• Redundant IPSEC tunnels
• Supports BGP and static routing
• Redundant customer gateways
[Slide diagrams: a Virtual Private Cloud with a VPC Subnet in each of two Availability Zones and a Virtual Private Gateway, connected by VPN to a Router / Customer Gateway on the Customer Network; then the same VPC with VPNs from three Customer Gateways (Customer Network New York, Chicago and Los Angeles); then the IPSEC VPN detail: the Virtual Private Gateway presents two routers, 72.21.209.193 and 72.21.209.225, giving Tunnel 1 and Tunnel 2 to a Customer Gateway xxx.xxx.xxx.xxx; then with a second Customer Gateway xxx.xxx.xxx.yyy, each customer gateway having its own Tunnel 1 and Tunnel 2 to the two routers]
[Slide diagram: VPC peering between a VPC 10.1.0.0/16 and a VPC 10.0.0.0/16; one side sends the Peer request, the other the Peer accept]
• VPCs within same region
• Same or different accounts
• IP space cannot overlap
• Only one between any two VPCs
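The CIDR planning rules from earlier (a VPC block is /16 down to /28, the CIDR cannot be modified after creation, overlapping IP spaces are a future headache) together with the peering rule just above (IP space cannot overlap), as an added Python example that is not from the session. The corporate and peer ranges are constructed inputs; 10.1.0.0/16 and 10.0.0.0/16 are the slide's two VPCs. The planner covers IPv4 only.

```python
import ipaddress

# Constructed planning inputs: ranges already in use on the corporate network and
# in existing or prospective peer VPCs that a new VPC must not overlap.
CORPORATE_RANGES = ["10.0.0.0/16", "192.168.0.0/16"]
PEER_VPC_CIDRS = ["10.0.0.0/16"]   # the slide pairs 10.1.0.0/16 with 10.0.0.0/16


def validate_vpc_cidr(cidr):
    """Apply the slide's sizing rule (/16 down to /28). Because the CIDR cannot be
    modified after creation, it has to be right first time. Returns a list of
    problems; an empty list means the block is acceptable."""
    try:
        net = ipaddress.ip_network(cidr)
    except ValueError as exc:   # e.g. host bits set, as in 10.1.1.0/16
        return [f"not a canonical CIDR block: {exc}"]
    if net.version != 4:
        return ["this planner covers IPv4 VPC blocks only"]
    if not 16 <= net.prefixlen <= 28:
        return [f"/{net.prefixlen} is outside the allowed /16 to /28 range"]
    return []


def overlaps(cidr, others):
    """Every existing range the candidate collides with. Any hit means the block can
    neither be peered with that VPC nor cleanly routed to that network later."""
    net = ipaddress.ip_network(cidr)
    return [o for o in others if net.overlaps(ipaddress.ip_network(o))]


def can_peer(vpc_a, vpc_b):
    """VPC peering requires the two address spaces not to overlap."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


def plan(candidate, corporate_ranges, peer_cidrs):
    """Assess a candidate VPC CIDR against the sizing rule and every range it must coexist with."""
    problems = validate_vpc_cidr(candidate)
    try:
        ipaddress.ip_network(candidate)
    except ValueError:
        return {"cidr": candidate, "ok": False, "problems": problems}
    problems += [f"overlaps corporate range {r}" for r in overlaps(candidate, corporate_ranges)]
    problems += [f"overlaps peer VPC {p}" for p in overlaps(candidate, peer_cidrs)]
    return {"cidr": candidate, "ok": not problems, "problems": problems}


def free_blocks(supernet, prefixlen, taken):
    """List the /prefixlen blocks inside supernet that collide with nothing already
    allocated: a simple way to reserve a distinct block per future region or environment."""
    taken_nets = [ipaddress.ip_network(t) for t in taken]
    return [str(b) for b in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen)
            if not any(b.overlaps(t) for t in taken_nets)]


if __name__ == "__main__":
    for candidate in ("10.1.0.0/16", "10.0.0.0/16", "10.0.0.0/8", "10.1.1.0/16"):
        print(plan(candidate, CORPORATE_RANGES, PEER_VPC_CIDRS))
    print("next free /16s:", free_blocks("10.0.0.0/12", 16, CORPORATE_RANGES + PEER_VPC_CIDRS)[:3])
```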
• Alternative to using the Internet to access AWS cloud services
• Private network connection between AWS and your data center
• Can reduce costs, increase bandwidth, and provide a more consistent network experience than Internet-based connections
• Two different Direct Connect scenarios
– Direct Connect from Colo at Direct Connect POP Site
– Direct Connect from remote site
http://aws.amazon.com/directconnect/partners/
[Slide diagram: Customer Data Centers and Customer Offices connecting to an AWS Direct Connect location]
AWS Direct Connect private virtual interface connects to VGW on VPC
• 1 PVI per VPC
• 802.1Q VLAN tags isolate traffic across AWS Direct Connect
Private layer 2 circuit or cross-connect
One or multiple (redundant)
Hosted: 50–500 Mbps
Dedicated: 1 Gbps or 10 Gbps
Simplify with AWS Direct Connect
[Slide diagram: one AWS Direct Connect link into an AWS Region carrying private virtual interfaces PVI1 through PVI5 to Prod, QA and Dev environments hosting a Public-Facing Web App and Internal Company Apps, plus a path to the AWS Public API Endpoints]
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals