AWS re:Invent 2016: NextGen Networking: New Capabilities for Amazon's Virtual Private Cloud (NET303)

Upload: amazon-web-services

Post on 07-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: AWS re:Invent 2016: NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud (NET303)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Camil Samaha, Solutions Architecture

Kaartik Viswanath, Product Manager, EC2 Networking

December 2, 2016

NET303

NextGen Networking: New Capabilities for the Amazon Virtual Private Cloud

Page 2: What to Expect from the Session

• Review Amazon Virtual Private Cloud concepts
• Learn about new capabilities released over the past year
• Discuss the value provided by these new features
• Describe use cases

Page 3: Introducing VPC

(Diagram: EC2 instances with private addresses 10.2.2.2 and 10.3.3.3 and public addresses 54.1.2.3 and 54.2.3.4)

Page 4: Introducing VPC

(Diagram: instances with private addresses 172.31.0.128, 172.31.0.129, 172.31.1.24 and 172.31.1.27 and public addresses 54.4.5.6 and 54.2.3.4)

Page 5: Choose IP address range and set up subnets

(Diagram: two VPC subnets, 10.10.1.0/24 in Availability Zone us-west-2a and 10.10.2.0/24 in Availability Zone us-west-2b)

Page 6: Choose IP address range and set up subnets

(Diagram: the same two subnets, 10.10.1.0/24 in us-west-2a and 10.10.2.0/24 in us-west-2b, with the VPC route table)

Destination    Target   Status
10.10.0.0/16   local    Active

Traffic destined to my VPC stays in my VPC: the local route covers the whole VPC CIDR, so it always wins over any default route added later.

Page 7: DNS support for non-RFC 1918 addresses (NEW)

• RFC 1918 private address ranges:
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
• Native EC2 DNS support for private VPC IP addresses outside of the RFC 1918 space
• Removes the need for running custom DNS servers

Page 8: (no text on slide)

Page 9: Authorize traffic

(Diagram: subnets 10.10.1.0/24 in us-west-2a and 10.10.2.0/24 in us-west-2b, with a security group shown around the instances)

Page 10: Authorize traffic

• Network access control lists (ACLs)
  • Can be applied at the subnet level
  • Act as a stateless firewall for associated subnets: the return traffic of a connection is evaluated on its own, so it needs its own rule (typically an outbound allow for the ephemeral port range)
• Security groups (SGs)
  • Can be applied at the instance level
  • Act as a stateful firewall for associated instances: once a connection is allowed in, its replies are allowed out without a matching outbound rule
• New: Create up to 500 SGs per VPC (per region)

Page 11: Security group limits

• 500 security groups per VPC (per region)
• 50 inbound and 50 outbound rules per security group
• 5 security groups per network interface (max 16)
• Number to remember: 250
  • (# of rules) * (# of security groups per interface) <= 250
  • Example 1: if you want to increase the # of rules to 100, then we decrease your # of security groups per interface to 2
  • Example 2: if you want 10 security groups per interface, we decrease your # of rules per security group to 25

(These are the limits as stated in December 2016; check the current VPC quotas before relying on them.)

Page 12: Establish public connectivity

(Diagram: subnet 10.10.1.0/24 with instances 10.10.1.34 and 10.10.1.61, subnet 10.10.2.0/24 with instances 10.10.2.9 and 10.10.2.26, and an Internet gateway (IGW); public address 54.4.5.6 shown)

Destination    Target         Status
10.10.0.0/16   local          Active
0.0.0.0/0      igw-5a1ae13f   Active

Everything not destined for my VPC goes to the Internet.

Page 13: Internet access via a NAT instance

(Diagram: subnets 10.10.1.0/24 and 10.10.2.0/24 send their 0.0.0.0/0 traffic to a NAT instance with Elastic IP 54.2.0.12)

Destination    Target            Status
10.10.0.0/16   local             Active
0.0.0.0/0      nat-instance-id   Active

Everything not destined for my VPC goes to the Internet via the NAT instance.

Page 14: Internet access via NAT Gateway (NEW)

(Diagram: subnets 10.10.1.0/24 and 10.10.2.0/24 send their 0.0.0.0/0 traffic to a NAT gateway with public IP 54.2.0.12)

Destination    Target                  Status
10.10.0.0/16   local                   Active
0.0.0.0/0      nat-0da73389b88c2bd3    Active

Everything not destined for my VPC goes to the Internet via the NAT Gateway.

Page 15: Amazon VPC NAT Gateway

• Managed network address translation service
• You assign an Elastic IP address at creation
• Connections initiated from the Internet are prevented (the gateway only translates flows that instances initiate; it does not replace security groups or network ACLs on those instances)
• Each NAT gateway is created in a specific Availability Zone (AZ)
• Built-in redundancy for high availability in the AZ
• Create a NAT gateway in each of your AZs for an AZ-independent architecture

Page 16: Amazon VPC NAT Gateway (cont.)

• Automatic scaling
• Uniform offering; you don't need to decide on the type or size
• Up to 10 Gbps of bursty TCP, UDP, and ICMP traffic
• Use multiple gateways in multiple subnets for > 10 Gbps
• Can use a network ACL to control traffic to/from the subnet (a NAT gateway has no security group of its own, so the subnet's network ACL is the filtering point for the gateway itself)

Page 17: Create a NAT Gateway (no further text on slide)

Page 18: Create a NAT Gateway (no further text on slide)

Page 19: Update subnet routing table (no further text on slide)

Page 20: VPC public connectivity via NAT

NAT instance(s)
  Pros:
  • Central control
  • All protocols
  Cons:
  • Availability risks
  • Lots of work to manage
  • Scaling is hard and limited

NAT gateway
  Pros:
  • Managed and maintained by AWS
  • Highly available
  • Optimized for NAT traffic
  • Automatic scaling
  Cons:
  • Port forwarding not supported
  • TCP and ICMP fragmentation not supported

Page 21: VPC Endpoints for Amazon S3

(Diagram: subnet 10.10.1.0/24 with instances 10.10.1.34 and 10.10.1.61, subnet 10.10.2.0/24 with instances 10.10.2.9 and 10.10.2.26, an IGW (54.4.5.6) and an S3 endpoint)

Destination    Target          Status
10.10.0.0/16   local           Active
pl-68a54001    vpce-a610f4cf   Active

pl-68a54001 is the prefix list for Amazon S3; its IP range changes over time and is managed by AWS.

Page 22: Amazon EMR clusters in VPC private subnets

(Diagram components: the EMR cluster and an ENI in a private subnet; a public subnet with a NAT gateway and the IGW; Amazon S3 reached through an S3 endpoint; the Amazon EMR service)

Page 23: Access resources in a VPC from AWS Lambda

(Diagram components: an AWS Lambda function attached to a private subnet through an ENI, alongside Amazon RDS, Amazon ElastiCache and Amazon Redshift; a public subnet with a NAT gateway and the IGW; Amazon S3 reached through an S3 endpoint)

Page 24: Amazon Redshift enhanced VPC routing

(Diagram components: Amazon Redshift and an ENI in a private subnet; a public subnet with a NAT gateway and the IGW; Amazon S3 reached through an S3 endpoint; Amazon S3 in us-east-1 and in us-west-2)

Page 25: VPC peering: Connecting VPCs without the Internet

(Diagram: VPC A, 10.10.0.0/16, with subnet 10.10.1.0/24; VPC B, 10.20.0.0/16, with subnet 10.20.1.0/24)

Destination    Target         Status
10.10.0.0/16   local          Active
10.20.0.0/16   pcx-44eb539a   Active

Traffic destined for the peered VPC goes to the peering connection.

Page 26: VPC peering

(Diagram: VPC 10.10.0.0/16 with subnet 10.10.1.0/24, peered with VPC 10.20.0.0/16 containing subnets 10.20.1.0/24 and 10.20.30.0/24)

New: Support for security group references between peered VPCs

Before (rules listing a subnet and individual hosts in the peered VPC):

Source           Protocol   Port Range
10.20.1.0/24     All        All
10.20.30.7/32    All        All
10.20.30.56/32   All        All

After (one rule referencing the peer's security group):

Source           Protocol   Port Range
sg-530afe56      All        All
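To make the stateless/stateful distinction from page 10 and the security-group reference on this page concrete, here is an added example in Python (not code from the deck or from AWS) that models both filters. sg-530afe56 and the 10.20.30.x hosts are taken from the slide; every other address, rule number, the group id sg-app and the flows are constructed for the example. It shows that a network ACL which allows inbound 443 but has no outbound rule for the client's ephemeral port drops the reply, that a security group allows the reply with no outbound rule once the request is admitted, and that a rule whose source is sg-530afe56 matches only interfaces that are members of that group, not the rest of the 10.20.30.0/24 subnet.

```python
"""Stateless network ACL vs stateful security group, modelled in Python.
Added example, not code from the NET303 deck or from AWS. All addresses, rule
numbers, the group id 'sg-app' and the flows are constructed; sg-530afe56 and
the 10.20.30.x hosts come from the peering slide."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # 'tcp', 'udp' or 'icmp'
    dport: int   # destination port
    sport: int   # source port

@dataclass(frozen=True)
class AclRule:
    number: int              # NACL rules are evaluated in ascending number
    proto: str               # 'tcp', 'udp', 'icmp' or 'all'
    cidr: str                # source CIDR (inbound) / destination CIDR (outbound)
    ports: Tuple[int, int]   # inclusive port range
    action: str              # 'allow' or 'deny'

@dataclass(frozen=True)
class SgRule:
    proto: str
    ports: Tuple[int, int]
    source: str              # a CIDR or another security group id (sg-...)

def _matches(rule_proto: str, proto: str, ports: Tuple[int, int], port: int) -> bool:
    return (rule_proto == "all" or rule_proto == proto) and ports[0] <= port <= ports[1]

def nacl_permits(rules: List[AclRule], addr: str, proto: str, port: int) -> bool:
    """First matching rule wins; no match is the implicit '*' deny at the end."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, proto, rule.ports, port) and ip in ipaddress.ip_network(rule.cidr):
            return rule.action == "allow"
    return False

def nacl_flow(inbound: List[AclRule], outbound: List[AclRule], req: Packet) -> Tuple[bool, bool]:
    """Stateless: the request and its reply are judged independently. The reply
    goes outbound to the client's address and *source* port, so the outbound
    list must allow the ephemeral port range or the connection never completes."""
    return (nacl_permits(inbound, req.src, req.proto, req.dport),
            nacl_permits(outbound, req.src, req.proto, req.sport))

class SecurityGroups:
    """Stateful, allow-only filter with connection tracking and sg-id sources."""
    def __init__(self, groups: Dict[str, List[SgRule]], membership: Dict[str, Set[str]]):
        self.groups = groups            # sg id -> inbound rules
        self.membership = membership    # interface private IP -> sg ids it belongs to
        self.tracked: Set[Tuple[str, str, str, int, int]] = set()

    def _source_ok(self, rule: SgRule, src: str) -> bool:
        if rule.source.startswith("sg-"):   # group reference: is the sender a member?
            return rule.source in self.membership.get(src, set())
        return ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)

    def inbound_allowed(self, pkt: Packet) -> bool:
        for sg_id in self.membership.get(pkt.dst, set()):
            for rule in self.groups[sg_id]:
                if _matches(rule.proto, pkt.proto, rule.ports, pkt.dport) and self._source_ok(rule, pkt.src):
                    self.tracked.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                    return True
        return False

    def reply_allowed(self, reply: Packet) -> bool:
        """Replies of a tracked connection pass with no outbound rule at all."""
        return (reply.dst, reply.src, reply.proto, reply.dport, reply.sport) in self.tracked

# Constructed scenario 1: web server 10.10.1.34 behind a NACL that allows 443 in
# but has no outbound rule for the client's ephemeral port.
REQUEST = Packet("198.51.100.7", "10.10.1.34", "tcp", 443, 50000)
NACL_IN = [AclRule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
NACL_OUT_BROKEN = [AclRule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [AclRule(110, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]

def demo_nacl() -> Dict[str, Tuple[bool, bool]]:
    return {"outbound_443_only": nacl_flow(NACL_IN, NACL_OUT_BROKEN, REQUEST),   # (True, False)
            "with_ephemeral_rule": nacl_flow(NACL_IN, NACL_OUT_FIXED, REQUEST)}  # (True, True)

def demo_sg_reference() -> Dict[str, bool]:
    """Constructed scenario 2: 'sg-app' in VPC A admits 443 from sg-530afe56 in VPC B."""
    groups = {"sg-530afe56": [], "sg-app": [SgRule("tcp", (443, 443), "sg-530afe56")]}
    membership = {"10.20.30.7": {"sg-530afe56"}, "10.20.30.56": {"sg-530afe56"},
                  "10.20.30.99": set(),          # same subnet as the members, not in the group
                  "10.10.1.34": {"sg-app"}}
    sg = SecurityGroups(groups, membership)
    member = Packet("10.20.30.7", "10.10.1.34", "tcp", 443, 40001)
    stranger = Packet("10.20.30.99", "10.10.1.34", "tcp", 443, 40002)
    reply = Packet("10.10.1.34", "10.20.30.7", "tcp", 40001, 443)
    return {"member_request": sg.inbound_allowed(member),        # True
            "non_member_request": sg.inbound_allowed(stranger),  # False
            "reply_to_member": sg.reply_allowed(reply)}          # True, no outbound rule needed

if __name__ == "__main__":
    print(demo_nacl())
    print(demo_sg_reference())
```

The practical consequence of the first scenario is the classic "NACL allows 443 but nothing connects" outage: the stateless filter never sees the two halves of a connection as related, so the outbound list needs the 1024-65535 allow. The second scenario is why the group reference is safer than the CIDR list it replaces: a new host in 10.20.30.0/24 gains access only when it is put into sg-530afe56, not by virtue of its address.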

Page 27: VPC peering

(Diagram: VPC 10.10.0.0/16 with subnet 10.10.1.0/24, peered with VPC 10.20.0.0/16 with subnet 10.20.1.0/24; an instance in the peered VPC has private IP 10.20.1.35 and public IP 54.4.5.6)

New: Support for DNS resolution between peered VPCs

Before (the public hostname resolves to the public IP, so traffic to it is addressed to the public IP):

    # dig ec2-54-4-5-6.compute-1.amazonaws.com +short
    54.4.5.6

After (the same hostname resolves to the private IP, so traffic stays on the peering connection):

    # dig ec2-54-4-5-6.compute-1.amazonaws.com +short
    10.20.1.35

Page 28: IPv6 VPC/EC2 support (NEW)

• /56 CIDR block of globally unique addresses per VPC
• /64 GUA CIDR block per subnet (2^64 = 18,446,744,073,709,551,616 addresses)
• Security groups, NACLs, Flow Logs
• Local, Internet gateway, Direct Connect, VPC peering
• Egress-only internet gateway
• Supported EC2 instances: all current generation instance types except M3 and G2
• See the IPv6 in the Cloud Overview and Deep Dive sessions (NET204, NET307)

Page 29: AWS re:Invent 2016: NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud (NET303)

2001:db8:1234:1a00::/64

IPv6 connectivity

10.10.1.0/24 10.10.2.0/24

10.10.0.0/16

NAT gateway

Internet gateway Egress-only Internet gateway

IPv4: 10.10.1.35 IPv4: 10.10.1.35Elastic IP: 198.51.4.2

Elastic IP: 198.51.4.5

2001:db8:1234:1a00::/56

2001:db8:1234:1a02::/64

IPv6: 2001:db8:1234:1a00::123IPv6: 2001:db8:1234:1a02::432

Destination Target

10.10.0.0/16 local

2001:db8:1234:1a00::/56 local

0.0.0.0/0 igw-id

::/0 igw-id

Destination Target

10.10.0.0/16 local

2001:db8:1234:1a00::/56 local

0.0.0.0/0 nat-id

::/0 eigw-id
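The route tables on this page and on pages 6, 12, 14, 21 and 25 all follow the same rule: the most specific matching destination wins, and the VPC's own CIDR is always covered by the local route. The following added example (not code from the deck or from AWS) implements that longest-prefix-match lookup in Python and runs the deck's tables through it, including the IPv6 default to the egress-only gateway and the S3 prefix-list route. The two CIDRs expanded from pl-68a54001 are constructed placeholders, since the real list is AWS-managed and changes over time; the target ids are the ones printed on the slides.

```python
"""Longest-prefix-match lookup over VPC route tables, added example (not code
from the NET303 deck or from AWS). Route tables are transcribed from the
slides; the two CIDRs behind pl-68a54001 are constructed placeholders."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
RouteTable = List[Tuple[str, str]]   # (destination, target) as printed on the slides

# Constructed stand-in for the AWS-managed S3 prefix list (page 21).
PREFIX_LISTS: Dict[str, List[str]] = {"pl-68a54001": ["203.0.113.0/24", "198.51.100.0/24"]}

def expand(destination: str) -> List[Network]:
    """A destination column holds either a CIDR or a prefix-list id."""
    cidrs = PREFIX_LISTS[destination] if destination.startswith("pl-") else [destination]
    return [ipaddress.ip_network(c) for c in cidrs]

def lookup(table: RouteTable, dst: str) -> Optional[str]:
    """Return the target for dst, or None when no route matches (the packet is dropped).
    Longest prefix wins, so the /16 'local' route beats 0.0.0.0/0 and ::/0: traffic
    to the VPC's own range never leaves the VPC, whatever the default route is."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for destination, target in table:
        for net in expand(destination):
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, target)
    return None if best is None else best[1]

# Page 12: public subnet, default route to the Internet gateway.
PUBLIC_V4: RouteTable = [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw-5a1ae13f")]
# Page 14: private subnet, default route to the NAT gateway.
PRIVATE_V4: RouteTable = [("10.10.0.0/16", "local"), ("0.0.0.0/0", "nat-0da73389b88c2bd3")]
# Page 21: no default route at all; only the S3 prefix list is reachable.
S3_ONLY: RouteTable = [("10.10.0.0/16", "local"), ("pl-68a54001", "vpce-a610f4cf")]
# Page 25: VPC A's table with the route to peered VPC B.
PEERED: RouteTable = [("10.10.0.0/16", "local"), ("10.20.0.0/16", "pcx-44eb539a")]
# Page 29: dual-stack private subnet, IPv6 default via the egress-only gateway.
PRIVATE_DUAL: RouteTable = [("10.10.0.0/16", "local"), ("2001:db8:1234:1a00::/56", "local"),
                            ("0.0.0.0/0", "nat-id"), ("::/0", "eigw-id")]

def trace(name: str, table: RouteTable, dst: str) -> Optional[str]:
    target = lookup(table, dst)
    print(f"{name:8s} {dst:26s} -> {target or 'no route, dropped'}")
    return target

if __name__ == "__main__":
    trace("public", PUBLIC_V4, "10.10.2.9")                 # local
    trace("public", PUBLIC_V4, "93.184.216.34")             # igw-5a1ae13f
    trace("private", PRIVATE_V4, "93.184.216.34")           # nat-0da73389b88c2bd3
    trace("s3-only", S3_ONLY, "203.0.113.5")                # vpce-a610f4cf (placeholder S3 range)
    trace("s3-only", S3_ONLY, "93.184.216.34")              # dropped: no default route
    trace("peered", PEERED, "10.20.1.35")                   # pcx-44eb539a
    trace("dual", PRIVATE_DUAL, "2001:db8:1234:1a02::432")  # local
    trace("dual", PRIVATE_DUAL, "2001:db8::1")              # eigw-id
```

The S3_ONLY table is the interesting one for a reviewer: with no 0.0.0.0/0 entry, anything that is not the VPC itself or an S3 prefix has no route and is dropped, which is how a private subnet can reach S3 through the endpoint without having any path to the rest of the Internet. The same lookup on the dual-stack table shows that the eigw-id and nat-id targets are chosen purely by address family; the privacy of the subnet rests on what those two targets refuse to accept, not on the addresses.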

Page 30: ClassicLink: Connecting VPC and EC2-Classic

• Connectivity over private IP addresses between linked instances in EC2-Classic and VPC
• Phased migration to VPC
• Classic instances can take membership in VPC security groups
• New: Support for DNS resolution of public hostnames to private IP addresses

Page 31: ClassicLink over VPC peering (NEW)

(Diagram: an EC2-Classic instance linked to VPC A, which is peered with VPC B)

Page 32: Netflix – Migration from Classic to VPC

10,000s of instances.
1,000s of services.
Dozens of teams.
Moving at their own schedule.

Page 33: Netflix (no further text on slide)

Page 34: Thank you!

Page 35: Remember to complete your evaluations!

Page 36: Related Sessions

• NET201 – Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
• NET204 – IPv6 in the Cloud: Protocol and AWS Service Overview
• NET304 – Moving Mountains: Netflix's Migration into VPC
• NET307 – IPv6 in the Cloud: Virtual Private Cloud Deep Dive
• NET402 – Deep Dive: AWS Direct Connect and VPNs