AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)
TRANSCRIPT
![Page 1: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Steve Mueller, Senior Product Manager, VPC, EC2 Networking
November 30, 2016
Another Day, Another Billion Packets
NET401
![Page 2: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/2.jpg)
We Have the Cloud
[Diagram: service icons for Amazon EBS, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon EC2 and Elastic Load Balancing]
![Page 3: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/3.jpg)
Customers Have Datacenters
![Page 4: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/4.jpg)
Whiteboard Engineering
[Diagram: the same service icons (Amazon EBS, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon EC2, Elastic Load Balancing) on a whiteboard sketch]
![Page 5: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/5.jpg)
![Page 6: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/6.jpg)
EC2 as It Was
[Diagram: instances with scattered addresses 10.44.12.4, 10.44.12.5, 10.44.92.17, 10.44.12.27 and 10.108.6.4]
![Page 7: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/7.jpg)
Why That Doesn’t Work
[Diagram: customer network 192.168.0.0/16 connected to AWS (10.44.0.0/16) with instances at 10.44.12.4, 10.44.12.5, 10.44.92.17, 10.44.12.27 and 10.108.6.4; every instance needs its own /32 route]
Routing Table
• 192.168.0.0/16: stay here
• 10.44.12.4/32: AWS
• 10.44.92.17/32: AWS
• 10.108.6.4/32: AWS
![Page 8: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/8.jpg)
Requirements
Customer-selected IP addresses
Route aggregation for external connectivity
Conformance with existing network designs
![Page 9: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/9.jpg)
Amazon Virtual Private Cloud (Amazon VPC)
[Diagram: customer network 192.168.0.0/16 connected to a VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8, 172.31.1.9) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51)]
Routing Table
• 192.168.0.0/16: stay here
• 172.31.0.0/18: AWS
![Page 10: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/10.jpg)
This Is Just Virtual Networking!
Subnet ~= VLAN
VPC ~= VRF (virtual routing and forwarding)
But…
![Page 11: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/11.jpg)
Scaling Challenges
VLAN ID space is constrained
• 12 bits => 4096 total VLANs
VRF support is constrained
• Large routers => 1-2 thousand VRFs
Fixed ratio of VLANs:VRFs
![Page 12: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/12.jpg)
Router and Capacity Dimensions
[Diagram: two big routers, each with its own data plane and control plane]
![Page 13: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/13.jpg)
An Example
Average router configuration line: 50 chars
Config per VPC: 10 lines
Subnets per VPC: 4
Config per subnet: 5 lines
Total VPCs: 2,000
Config size: 3 MB
![Page 14: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/14.jpg)
But…
Doesn’t scale
• 12 bit VLAN ID = 4096 VLANs (not enough)
• BIG routers support 4000 VRFs ($200k+)
Large VLANs make NEs cry
Tied to vendor bugfix cycles (6 months +)
We want commodity, fungible network gear
• BIG virtual routers are built by few companies
• Interoperability of advanced features is marginal
![Page 15: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/15.jpg)
Silos of Capacity
[Diagram: customer environments labelled A through G distributed across separate silos of router capacity; the numeric labels did not survive extraction]
![Page 16: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/16.jpg)
Implementation Requirements
Scale to millions of environments the size of Amazon.com
Any server, anywhere in a region can host an instance attached to any subnet in any VPC
![Page 17: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/17.jpg)
Concepts
[Diagram: servers 192.168.0.3, 192.168.0.4, … and 192.168.1.3, 192.168.1.4, … each hosting instances with addresses such as 10.0.0.2, 10.0.0.3, 10.0.0.4 and 10.0.0.5; all servers consult a Mapping Service]
Server: Physical host in an Amazon data center
Instance: Amazon EC2 instance owned by a customer
VPC: Amazon Virtual Private Cloud owned by a customer
VPC ID: Identifier for a VPC such as vpc-1a2b3c4d
Mapping Service: Distributed lookup service. Maps VPC + Instance IP to server
![Page 18: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/18.jpg)
Layer 2 (L2): Ethernet
[Diagram: 10.0.0.2 and 10.0.0.3 attached to one Ethernet Switch]
1. 10.0.0.2 → broadcast. L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff. ARP: Who has 10.0.0.3? The switch floods the ARP request out all ports.
2. 10.0.0.3 → 10.0.0.2. L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2). ARP: 10.0.0.3 is at MAC(10.0.0.3). The switch snoops the ARP response and learns the port for MAC(10.0.0.3).
3. 10.0.0.2 → 10.0.0.3. L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
![Page 19: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/19.jpg)
Layer 2 (L2): VPC
[Diagram: servers 192.168.0.3, 192.168.0.4, … and 192.168.1.3, 192.168.1.4 hosting instances 10.0.0.2 through 10.0.0.5, with a Mapping Service]
1. Instance 10.0.0.2 (on server 192.168.0.3) → broadcast. L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff. ARP: Who has 10.0.0.3?
2. Server 192.168.0.3 → Mapping Service. Query: Blue 10.0.0.3
3. Mapping Service → 192.168.0.3. Reply: Host: 192.168.1.4, MAC: MAC(10.0.0.3)
4. ARP reply returned to 10.0.0.2 from the mapping result. L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2). ARP: 10.0.0.3 is at MAC(10.0.0.3)
![Page 20: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/20.jpg)
Layer 2 (L2): VPC
[Diagram: the same servers and Mapping Service as above]
1. Instance 10.0.0.2 → 10.0.0.3. L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
2. Server 192.168.0.3 encapsulates and forwards. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.1.4, carrying the packet above.
3. Server 192.168.1.4 → Mapping Service. Validate: Blue 10.0.0.2 is at 192.168.0.3
4. Mapping Service → 192.168.1.4. Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
![Page 21: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/21.jpg)
VPC Isolation
[Diagram: the same servers and Mapping Service]
1. Instance 10.0.0.4 (on server 192.168.0.4) → broadcast. L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff. ARP: Who has 10.0.0.3?
2. Server 192.168.0.4 → Mapping Service. Query: Grey 10.0.0.3
![Page 22: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/22.jpg)
VPC Isolation
[Diagram: the same servers and Mapping Service]
1. L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff. ARP: Who has 10.0.0.3?
2. Server 192.168.0.4 → Mapping Service. Query: Blue 10.0.0.3
3. 192.168.0.4 is not hosting any instances in VPC Blue. Mapping Denied. Alarm Raised.
![Page 23: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/23.jpg)
VPC Isolation
[Diagram: the same servers and Mapping Service]
1. Server 192.168.0.4 sends a packet labelled as VPC Blue anyway. VPC: Blue, Src: 192.168.0.4, Dst: 192.168.1.4, carrying L2 Src: MAC(10.0.0.4), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.4, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
2. Server 192.168.1.4 → Mapping Service. Validate: Blue 10.0.0.4 is at 192.168.0.4
3. Mapping Service → 192.168.1.4. Mapping invalid! 192.168.1.4 does not deliver the packet to the instance. Alarm Raised.
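The lookup, authorization and validation steps on the L2 VPC and VPC Isolation slides, as an added Python model that is not AWS code. The class and function names, the placement table (the Blue entries follow the slides, the Grey entries are constructed), the alarm list and the "a host may only resolve addresses in VPCs it hosts" rule as written are assumptions made here to illustrate the slides; the L3 case from the following slides reduces to the same query keyed on the final destination, so it is run through the same path.

```python
"""Toy model of the VPC mapping service: lookup, authorization, validation.

Added example, not AWS code. Data structures, names and the alarm handling are
assumptions used to illustrate the steps the slides show.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def mac_of(ip: str) -> str:
    # The slides write an instance's MAC as MAC(ip); this stand-in keeps that notation.
    return f"MAC({ip})"


@dataclass
class MappingService:
    # (VPC, instance IP) -> physical host: "maps VPC + instance IP to server".
    placements: Dict[Tuple[str, str], str]
    alarms: List[str] = field(default_factory=list)

    def hosts_vpc(self, host: str, vpc: str) -> bool:
        # Does this physical host run at least one instance of the given VPC?
        return any(v == vpc and h == host for (v, _ip), h in self.placements.items())

    def query(self, requester: str, vpc: str, ip: str) -> Optional[Tuple[str, str]]:
        # A host may only resolve addresses in VPCs it actually hosts instances for;
        # anything else is denied and raises an alarm (the "Mapping Denied" slide).
        if not self.hosts_vpc(requester, vpc):
            self.alarms.append(f"mapping denied: {requester} queried {vpc} {ip}")
            return None
        host = self.placements.get((vpc, ip))
        return None if host is None else (host, mac_of(ip))

    def validate(self, receiver: str, vpc: str, src_ip: str, claimed_host: str) -> bool:
        # The receiving host checks the outer header's claim "<vpc> <src_ip> is at
        # <claimed_host>" before delivering anything to the instance.
        if self.placements.get((vpc, src_ip)) == claimed_host:
            return True
        self.alarms.append(
            f"mapping invalid: {vpc} {src_ip} claimed at {claimed_host}, rejected by {receiver}")
        return False


@dataclass
class Encapsulated:
    vpc: str        # VPC identifier carried in the encapsulation header
    outer_src: str  # physical sending host
    outer_dst: str  # physical receiving host
    inner_src: str  # instance IP (L3 src of the customer packet)
    inner_dst: str  # instance IP (L3 dst of the customer packet)


def send(ms: MappingService, sender: str, vpc: str, src_ip: str, dst_ip: str) -> Optional[Encapsulated]:
    # Sending-host path: the instance's ARP is answered locally from the mapping reply,
    # then the customer packet is wrapped with the VPC ID and the physical destination.
    target = ms.query(sender, vpc, dst_ip)
    if target is None:
        return None
    host, _mac = target
    return Encapsulated(vpc, sender, host, src_ip, dst_ip)


def receive(ms: MappingService, pkt: Encapsulated) -> bool:
    # Receiving-host path: deliver only if the mapping service confirms the outer header.
    return ms.validate(pkt.outer_dst, pkt.vpc, pkt.inner_src, pkt.outer_src)


def slide_topology() -> MappingService:
    # Constructed placements: Blue entries follow the slides, Grey entries are assumed.
    return MappingService(placements={
        ("Blue", "10.0.0.2"): "192.168.0.3",
        ("Blue", "10.0.0.3"): "192.168.1.4",
        ("Blue", "10.0.1.3"): "192.168.1.4",
        ("Grey", "10.0.0.4"): "192.168.0.4",
        ("Grey", "10.0.0.3"): "192.168.1.3",
    })


def run_vpc_scenarios() -> dict:
    ms = slide_topology()
    out = {}
    # Blue 10.0.0.2 -> Blue 10.0.0.3, same subnet.
    pkt = send(ms, "192.168.0.3", "Blue", "10.0.0.2", "10.0.0.3")
    out["l2_dst_host"] = pkt.outer_dst
    out["l2_delivered"] = receive(ms, pkt)
    # Different subnet: the gateway ARP is answered locally and the query is keyed on
    # the final destination, so the path is the same.
    pkt = send(ms, "192.168.0.3", "Blue", "10.0.0.2", "10.0.1.3")
    out["l3_dst_host"] = pkt.outer_dst
    out["l3_delivered"] = receive(ms, pkt)
    # A Grey host resolving a Grey address is ordinary traffic.
    out["grey_ok"] = send(ms, "192.168.0.4", "Grey", "10.0.0.4", "10.0.0.3") is not None
    # The Grey host asks for a Blue address it hosts nothing for: denied.
    out["blue_from_grey"] = ms.query("192.168.0.4", "Blue", "10.0.0.3")
    # The same host sends a packet with a Blue header anyway: rejected on receipt.
    forged = Encapsulated("Blue", "192.168.0.4", "192.168.1.4", "10.0.0.4", "10.0.0.3")
    out["forged_delivered"] = receive(ms, forged)
    out["alarms"] = list(ms.alarms)
    return out


if __name__ == "__main__":
    for key, value in run_vpc_scenarios().items():
        print(key, value)
```

The two checks are independent on purpose: the query-side check stops a host from even learning where another VPC's instances live, and the receive-side check stops a packet whose outer header was written without a successful query. Both paths leave an alarm, which is the detection signal the slides call out.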
![Page 24: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/24.jpg)
Layer 3 (L3): IP Routing
[Diagram: 10.0.0.2 on one Ethernet Switch, a Router, and 10.0.1.3 on a second Ethernet Switch]
1. 10.0.0.2 → broadcast. L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff. ARP: Who has 10.0.0.1?
2. Router → 10.0.0.2. L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2). ARP: 10.0.0.1 is at MAC(10.0.0.1)
3. 10.0.0.2 → Router. L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
4. Router → 10.0.1.3. L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
![Page 25: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/25.jpg)
Layer 3 (L3): VPC
[Diagram: the same servers and Mapping Service; instance 10.0.1.3 is hosted on 192.168.1.4]
1. Instance 10.0.0.2 (on server 192.168.0.3) → broadcast. L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff. ARP: Who has 10.0.0.1?
2. Server 192.168.0.3 → Mapping Service. Query: Blue 10.0.0.1
3. Mapping Service → 192.168.0.3. Reply: Host: Gateway, MAC: MAC(10.0.0.1)
4. ARP reply returned to 10.0.0.2. L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2). ARP: 10.0.0.1 is at MAC(10.0.0.1)
![Page 26: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/26.jpg)
Layer 3 (L3): VPC
[Diagram: the same servers and Mapping Service]
1. Instance 10.0.0.2 → gateway. L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
2. Server 192.168.0.3 → Mapping Service. Query: Blue 10.0.1.3
3. Mapping Service → 192.168.0.3. Reply: Host: 192.168.1.4, MAC: MAC(10.0.1.3)
4. Server 192.168.0.3 encapsulates and forwards. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.1.4, carrying the packet above.
5. Server 192.168.1.4 → Mapping Service. Validate: Blue 10.0.0.2 is at 192.168.0.3
6. Mapping Service → 192.168.1.4. Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
7. Delivered to 10.0.1.3 with the gateway rewrite applied. L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
![Page 27: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/27.jpg)
Caching
[Diagram: the same servers and Mapping Service; the packet L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/… is delivered again with no Mapping Service exchange shown, since the servers cache mapping results]
![Page 28: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/28.jpg)
Getting Home – or Anywhere, Really
[Diagram: VPC 10.0.0.0/18 with subnets 10.0.0.0/24 (10.0.0.7, 10.0.0.8, 10.0.0.9) and 10.0.1.0/24 (10.0.1.12, 10.0.1.51), and a customer network 172.16.0.0/16]
VPC: Blue, Src: 192.168.0.3, Dst: ???, carrying L3 Src: 10.0.0.7, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
![Page 29: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/29.jpg)
Edges
[Diagram: servers 192.168.0.3, 192.168.0.4, … and edges 192.168.4.3, 192.168.4.4; instances 10.0.0.2, 10.0.0.4, 10.0.1.3; Mapping Service]
1. Instance 10.0.0.2 → 172.16.14.17. L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. Server 192.168.0.3 encapsulates toward the edge. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying the packet above.
Mapping Service table:
• Host 10.0.0.4 → 192.168.0.4
• Host 10.0.1.4 → 192.168.0.4
• …
• 172.16.0.0/16 → Edge 192.168.4.3
• …
![Page 30: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/30.jpg)
Edges: VPN
1. Arrives at Edge 192.168.4.3. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. Leaves over the VPN. IPSEC Stuff, Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
![Page 31: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/31.jpg)
Edges: Direct Connect
1. Arrives at Edge 192.168.4.3. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. Leaves over AWS Direct Connect. 802.1Q VLAN Tag, Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
![Page 32: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/32.jpg)
Edges: Internet (IGW)
1. Arrives at Edge 192.168.4.3. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
2. Leaves to the Internet (public address 54.148.157.46 shown on the Internet side). L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
![Page 33: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/33.jpg)
Edges: Recap
VPN, Edge 192.168.4.3
1. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. IPSEC Stuff, Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
AWS Direct Connect, Edge 192.168.4.3
1. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
2. 802.1Q VLAN Tag, Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Internet, Edge 192.168.4.3
1. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
2. L3 Src: 54.148.157.46, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/… (the private source is rewritten to the public address)
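The route lookup and the per-edge transforms from the Edges slides, as an added Python example that is not AWS code. The route table layout, the `kind` tags, the constructed edge hosts for Direct Connect (192.168.4.6) and the Internet gateway (192.168.4.5), the extra 172.16.200.0/24 Direct Connect prefix and the VLAN ID are assumptions; the VPN outer addresses, the 172.16.0.0/16 route to Edge 192.168.4.3 and the public address 54.148.157.46 are the slides' values.

```python
"""Longest-prefix route lookup plus the per-edge egress transforms the slides show.

Added example, not AWS code. Table layout, edge hosts for DX/IGW and the VLAN ID
are assumptions; VPN outer addresses and the IGW public address come from the slides.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    target: str  # physical host (for /32 instance routes) or edge host
    kind: str    # "host", "vpn", "dx" or "igw"


class RouteTable:
    """Routes for one VPC, kept sorted so the first match is the most specific."""

    def __init__(self, routes: List[Route]):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst_ip: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(dst_ip)
        return next((r for r in self.routes if addr in r.prefix), None)


def encapsulate(table: RouteTable, vpc: str, sender_host: str,
                src_ip: str, dst_ip: str) -> Optional[Dict[str, str]]:
    """Sending host: wrap the customer packet for the host or edge the table names."""
    route = table.lookup(dst_ip)
    if route is None:
        return None
    return {"vpc": vpc, "outer_src": sender_host, "outer_dst": route.target,
            "l3_src": src_ip, "l3_dst": dst_ip, "via": route.kind}


def edge_egress(pkt: Dict[str, str], public_ip: str = "54.148.157.46") -> Dict[str, str]:
    """What each edge type emits after stripping the VPC encapsulation.

    public_ip is the address the IGW writes as the L3 source (the slides' 54.148.157.46).
    """
    kind = pkt["via"]
    if kind == "vpn":
        # IPsec tunnel between the AWS VPN endpoint and the customer gateway (slide values).
        return {"outer": "IPsec", "outer_src": "54.68.100.245", "outer_dst": "205.251.242.54",
                "l3_src": pkt["l3_src"], "l3_dst": pkt["l3_dst"]}
    if kind == "dx":
        # Direct Connect: 802.1Q-tagged frame on the customer's VLAN; the tag ID is assumed.
        return {"outer": "802.1Q", "vlan": "101", "l3_src": pkt["l3_src"], "l3_dst": pkt["l3_dst"]}
    if kind == "igw":
        # Internet gateway: the private L3 source is rewritten to the public address.
        return {"outer": "none", "l3_src": public_ip, "l3_dst": pkt["l3_dst"]}
    raise ValueError(f"not an edge route: {kind}")


def slide_table() -> RouteTable:
    # Constructed table: instance and VPN routes as on the slides, DX and IGW edges assumed.
    return RouteTable([
        Route(ipaddress.IPv4Network("10.0.0.4/32"), "192.168.0.4", "host"),
        Route(ipaddress.IPv4Network("10.0.1.4/32"), "192.168.0.4", "host"),
        Route(ipaddress.IPv4Network("172.16.0.0/16"), "192.168.4.3", "vpn"),
        Route(ipaddress.IPv4Network("172.16.200.0/24"), "192.168.4.6", "dx"),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.4.5", "igw"),
    ])


def run_edge_scenarios() -> dict:
    table = slide_table()
    out = {}
    pkt = encapsulate(table, "Blue", "192.168.0.3", "10.0.0.2", "172.16.14.17")
    out["vpn_edge"] = pkt["outer_dst"]
    out["vpn_egress"] = edge_egress(pkt)
    # The /24 inside 172.16.0.0/16 wins over the /16: longest prefix match.
    pkt = encapsulate(table, "Blue", "192.168.0.3", "10.0.0.2", "172.16.200.9")
    out["dx_edge"] = pkt["outer_dst"]
    pkt = encapsulate(table, "Blue", "192.168.0.3", "10.0.0.2", "176.32.96.190")
    out["igw_edge"] = pkt["outer_dst"]
    out["igw_src"] = edge_egress(pkt)["l3_src"]
    pkt = encapsulate(table, "Blue", "192.168.0.3", "10.0.0.2", "10.0.1.4")
    out["host_target"] = pkt["outer_dst"]
    return out


if __name__ == "__main__":
    for key, value in run_edge_scenarios().items():
        print(key, value)
```

The sending host never needs to know what kind of edge it is talking to: every off-VPC destination is just another mapping-service answer, and only the edge host itself applies the IPsec, VLAN or NAT treatment.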
![Page 34: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/34.jpg)
A Brief Diversion
Image credit: Wikipedia, https://en.wikipedia.org/wiki/1918_Eighth_Avenue
![Page 35: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/35.jpg)
VPC Pricing
Cost per VPC: $0.00
Cost per subnet: $0.00
Upcharge per instance: $0.00
![Page 36: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/36.jpg)
Nov 10, 2010
![Page 37: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/37.jpg)
VPC as a Platform
[Diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51)]
![Page 38: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/38.jpg)
VPC as a Platform
VPN and Direct Connect
Security group egress filtering
Network ACLs
Routing tables
Elastic Network Interfaces (ENIs)
Multiple IPs
![Page 39: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/39.jpg)
Amazon S3 Endpoints
[Diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12)]
![Page 40: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/40.jpg)
Amazon S3 Endpoints
[Diagram, continued: the same VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12)]
![Page 41: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/41.jpg)
Edges and Mapping Service
[Diagram: servers 192.168.0.3, 192.168.0.4, …; edges 192.168.4.3, 192.168.4.4; instances 10.0.1.3, 10.0.0.4, 10.0.0.2]
1. Instance 10.0.0.2 → 54.231.33.89. L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
2. Server 192.168.0.3 encapsulates toward the S3 edge. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.4, carrying the packet above.
Mapping Service table:
• Host 10.0.0.4 → 192.168.0.4
• Host 10.0.1.4 → 192.168.0.4
• …
• 172.16.0.0/16 → Edge 192.168.4.3
• S3.us-east-1 → Edge 192.168.4.4
• …
![Page 42: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/42.jpg)
A New Edge: S3
1. Arrives at Edge 192.168.4.4. VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.4, carrying L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
2. Leaves toward the S3 endpoint. VPC Endpoint 1a2b3c4d, Src: 54.68.100.245, Dst: 54.231.33.89, carrying L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
![Page 43: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/43.jpg)
S3 Endpoints and Policy
[Diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12)]
Policy limiting access to a specific bucket only:

```json
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
```

Policy limiting access to a specific VPC only:

```json
{
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
```
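How the two policies on this slide combine for a handful of requests, as an added Python example that is not AWS code and not the real IAM evaluation engine. It assumes a deliberately simplified model: a request arriving through the endpoint must be allowed by the endpoint policy and not denied by the bucket policy, any matching Deny wins, the caller's identity policy (constructed here) allows `s3:*`, only the `StringNotEquals` operator the slide uses is implemented, and the condition key is matched exactly rather than case-insensitively. The request contexts, the object key and the second VPC ID are constructed.

```python
"""Simplified evaluation of the slide's endpoint policy and bucket policy.

Added example, not AWS code. The evaluation rules below are a reduced model of IAM:
Deny overrides, an endpoint policy must explicitly Allow, missing condition keys
make a negated operator evaluate true, and only StringNotEquals is implemented.
"""
import fnmatch
from typing import Any, Dict, List

ENDPOINT_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-bucket-only", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]}]}

BUCKET_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-VPC-only", "Principal": "*",
    "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22"}}}]}

# Assumed identity policy for the caller: a bucket policy that only contains a Deny
# cannot grant anything by itself, so some Allow has to come from somewhere.
IDENTITY_POLICY = {"Statement": [{
    "Sid": "AssumedCallerAllow", "Action": "s3:*", "Effect": "Allow", "Resource": "*"}]}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _matches(patterns: Any, value: str) -> bool:
    # IAM-style wildcard matching for Action and Resource, case-sensitive here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    for op, pairs in cond.items():
        if op != "StringNotEquals":
            raise NotImplementedError(f"operator {op} not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            # Negated operator: a missing key makes the condition true, so a request that
            # did not come through any VPC (no aws:sourceVpc) is denied as well.
            if actual is not None and actual in _as_list(expected):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Return "Deny", "Allow" or "None" (no statement matched)."""
    decision = "None"
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(action: str, resource: str, ctx: Dict[str, str]) -> bool:
    via_endpoint = "aws:sourceVpc" in ctx
    decisions = {"identity": evaluate(IDENTITY_POLICY, action, resource, ctx),
                 "bucket": evaluate(BUCKET_POLICY, action, resource, ctx)}
    if via_endpoint:
        decisions["endpoint"] = evaluate(ENDPOINT_POLICY, action, resource, ctx)
    if "Deny" in decisions.values():
        return False
    if via_endpoint and decisions["endpoint"] != "Allow":
        return False
    return "Allow" in (decisions["identity"], decisions["bucket"])


OBJ = "arn:aws:s3:::my_secure_bucket/report.csv"  # constructed object key


def run_policy_scenarios() -> Dict[str, bool]:
    own = {"aws:sourceVpc": "vpc-111bbb22"}    # through the endpoint in the slide's VPC
    other = {"aws:sourceVpc": "vpc-999aaa00"}  # constructed: some other VPC's endpoint
    internet: Dict[str, str] = {}              # no VPC in the request context at all
    return {
        "get_from_own_vpc": is_allowed("s3:GetObject", OBJ, own),
        "put_from_own_vpc": is_allowed("s3:PutObject", OBJ, own),
        "delete_from_own_vpc": is_allowed("s3:DeleteObject", OBJ, own),
        "other_bucket_via_endpoint": is_allowed("s3:GetObject", "arn:aws:s3:::other_bucket/x", own),
        "get_from_other_vpc": is_allowed("s3:GetObject", OBJ, other),
        "get_from_internet": is_allowed("s3:GetObject", OBJ, internet),
    }
```

The two policies pull in opposite directions and that is the point: the endpoint policy bounds what leaves the VPC (only two actions, only one bucket), while the bucket policy bounds who can reach the bucket (only requests that carry the expected VPC in their context, which also shuts out requests that carry none).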
![Page 44: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/44.jpg)
[Diagram: a spectrum from Simple and Limited (EC2) to Complex and Flexible (VPC)]
![Page 45: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/45.jpg)
Default VPC
[Diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8, 172.31.1.9) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51)]
![Page 46: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/46.jpg)
[Diagram: the same spectrum from Simple and Limited to Complex and Flexible, now reading EC2 - VPC]
![Page 47: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/47.jpg)
Related Sessions
NET201 - Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
NET303 - NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud
NET304 - Moving Mountains: Netflix's Migration into VPC
NET402 - Deep Dive: AWS Direct Connect and VPNs
NET404 - Making Every Packet Count
![Page 48: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/48.jpg)
Remember to complete your evaluations!
![Page 49: AWS re:Invent 2016: Another Day, Another Billion Packets (NET401)](https://reader031.vdocument.in/reader031/viewer/2022022412/58f16c231a28ab35138b45ab/html5/thumbnails/49.jpg)
Thank you!