deep dive: amazon virtual private cloud
TRANSCRIPT
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Virtual Private Cloud Deep Dive
Kevin Miller, Sr. Manager - Amazon EC2 Networking
Related Presentations – Videos online
https://www.youtube.com/user/AmazonWebServices
• ARC205 – VPC Fundamentals and Connectivity
• ARC401 – Black Belt Networking for Cloud Ninja
  – Application centric, network monitoring, management, floating IPs
• ARC403 – From One to Many: Evolving VPC Design
• SDD302 – A Tale of One Thousand Instances
  – Example of EC2-Classic customer adopting VPC
• SDD419 – Amazon EC2 Networking Deep Dive
  – Network performance, placement groups, enhanced networking
aws vpc --expert-mode
[Diagram: a Virtual Private Cloud with one subnet per Availability Zone (AZ). Subnet A, us-west-2a, 172.31.0.0/20, holds an EC2 Instance whose Elastic Network Interface has 172.31.0.5; Subnet B, us-west-2b, 172.31.16.0/20; Subnet C, us-west-2c, 172.31.32.0/20, holds an EC2 Instance at 172.31.32.8]
VPC connectivity 101
VPC connectivity: TL;DR
• Most common case: Internet connectivity
  – Automatically enabled for default VPCs: you do nothing
  – Easy to enable for non-default VPCs: you do a little bit
• There are many options, but they are optional!
Create VPC
aws ec2 create-vpc --cidr-block 10.10.0.0/16
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.1.0/24 --availability-zone us-west-2a
aws ec2 create-subnet --vpc-id vpc-c15180a4 --cidr-block 10.10.2.0/24 --availability-zone us-west-2b
Launch instances
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-d83d91bd --count 3
aws ec2 run-instances --image-id ami-d636bde6 --subnet-id subnet-b734f6c0 --count 3
Routes: Local connectivity
aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
Routes
DestinationCidrBlock | GatewayId | State
10.10.0.0/16         | local     | active
Traffic to the VPC's range stays in the VPC.
Establish public connectivity
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
Your default VPC is already configured this way.
Routes: Internet connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
Routes
DestinationCidrBlock | GatewayId    | State
10.10.0.0/16         | local        | active
0.0.0.0/0            | igw-5a1ae13f | active
Everything not destined for my VPC goes to the Internet: routes are chosen by longest-prefix match, so the /16 local route wins over the /0 default route for in-VPC addresses.
Confirming your default VPC
aws ec2 describe-account-attributes --attribute-names supported-platforms
An account whose supported platforms show only VPC (no EC2-Classic) has a default VPC in each region.
VPC Endpoints for Amazon S3:
Getting to Amazon S3 without the Internet
Amazon S3 without an Internet Gateway
Setting up an Amazon S3 endpoint
aws ec2 create-vpc-endpoint --vpc-id vpc-c15180a4 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-ef36e58a
Routes: Amazon S3 connectivity
aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
Routes
DestinationCidrBlock | DestinationPrefixListId | GatewayId
10.10.0.0/16         |                         | local
                     | pl-68a54001             | vpce-a610f4cf
The Amazon S3 Prefix List
aws ec2 describe-prefix-lists
DescribePrefixLists
PrefixListId | PrefixListName             | Cidrs
pl-68a54001  | com.amazonaws.us-west-2.s3 | 54.231.160.0/19
IP range for Amazon S3: it changes over time and is managed by AWS, which is why the route references the prefix list rather than a CIDR.
IAM policy: Amazon S3 bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Only my VPC Endpoint can access this bucket",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::bucket-of-awesome",
        "arn:aws:s3:::bucket-of-awesome/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-a610f4cf"
        }
      }
    }
  ]
}
aws s3api put-bucket-policy --bucket bucket-of-awesome --policy file:///tmp/bucket_policy_for_vpce.json
In English:
Deny access to this bucket to all but this VPC endpoint.
The Deny applies to every principal, the bucket owner's own console and CLI sessions included: a request that does not arrive through vpce-a610f4cf is refused regardless of the caller's IAM permissions, so have an administrative path through the endpoint in place before applying it.
IAM policy: VPC endpoint
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access to bucket-of-awesome",
      "Principal": "*",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-of-awesome",
        "arn:aws:s3:::bucket-of-awesome/*"
      ]
    }
  ]
}
aws ec2 create-vpc-endpoint --vpc-id vpc-c15180a4 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-ef36e58a --policy-document file:///tmp/vpce_policy_document.json
In English:
This VPC endpoint is allowed only to Get/Put to bucket-of-awesome.
The VPC endpoint policy can be modified after the fact (aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-a610f4cf --policy-document file:///tmp/vpce_policy_document.json). An endpoint created without a policy document gets a policy that allows full access to the service.
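The bucket policy and the endpoint policy above are evaluated separately: the endpoint policy gates what can leave the VPC through vpce-a610f4cf, and the bucket policy's Deny then applies to whatever reaches S3. As an added example (not code from the presentation), here is a minimal IAM-style evaluator in Python that runs the two policies from the slides against sample requests. The caller's identity policy (a full-S3 administrator) and the request shapes are constructed assumptions; only the string condition operators the page's policies use are implemented.

```python
import fnmatch

# The two policies from the slides above.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Only my VPC Endpoint can access this bucket",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": ["arn:aws:s3:::bucket-of-awesome", "arn:aws:s3:::bucket-of-awesome/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}},
    }],
}

ENDPOINT_POLICY = {
    "Statement": [{
        "Sid": "Access to bucket-of-awesome",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::bucket-of-awesome", "arn:aws:s3:::bucket-of-awesome/*"],
    }],
}

# Constructed: the caller's own identity policy, a full-S3 administrator.
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only the two string operators the page's policies need."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                # A missing context key satisfies a negated operator (IAM semantics).
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def _statement_matches(statement, request):
    return (any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(statement["Resource"]))
            and _condition_holds(statement.get("Condition"), request["context"]))


def evaluate(request, policies):
    """Explicit Deny wins; otherwise any Allow; otherwise implicit deny."""
    effects = [s["Effect"] for p in policies for s in p["Statement"] if _statement_matches(s, request)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def s3_request(action, bucket, key, via_endpoint):
    """Decide an S3 call made from the VPC through the endpoint, or from elsewhere (e.g. the console)."""
    request = {
        "action": action,
        "resource": "arn:aws:s3:::%s/%s" % (bucket, key),
        "context": {"aws:sourceVpce": "vpce-a610f4cf"} if via_endpoint else {},
    }
    # The endpoint policy is a separate gate: traffic through the endpoint must be
    # allowed by it before the identity and bucket policies are consulted.
    if via_endpoint and evaluate(request, [ENDPOINT_POLICY]) != "Allow":
        return "DenyByEndpointPolicy"
    return evaluate(request, [IDENTITY_POLICY, BUCKET_POLICY])


if __name__ == "__main__":
    for args in [("s3:GetObject", "bucket-of-awesome", "report.csv", True),
                 ("s3:DeleteObject", "bucket-of-awesome", "report.csv", True),
                 ("s3:GetObject", "other-bucket", "x", True),
                 ("s3:GetObject", "bucket-of-awesome", "report.csv", False)]:
        print(args, "->", s3_request(*args))
```

The last case is the one that surprises people: the administrator's identity policy allows s3:GetObject, yet the request made outside the endpoint is denied by the bucket policy, because an explicit Deny is never overridden by an Allow.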
VPC Peering:
Getting between VPCs without the Internet
Shared services VPC using VPC peering
• Common/core services
– Authentication/directory
– Monitoring
– Logging
– Remote administration
– Scanning
VPC peering for VPC-to-VPC connectivity
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
# VPC A
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-ee56be87
# VPC B
aws ec2 create-route --route-table-id rtb-67a2b31c --destination-cidr-block 10.10.0.0/16 --vpc-peering-connection-id pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
VPC peering across accounts
aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc-id vpc-062dfc63 --peer-owner-id 472752909333
# In owner account 472752909333
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-ee56be87
VPC A - 10.10.0.0/16
vpc-c15180a4
VPC B - 10.20.0.0/16
vpc-062dfc63
Account ID 472752909333
VPC peering – Additional considerations
• Security groups not supported across
peerings
• Data transfer between VPCs metered at
inter-AZ rate
• No “transit” capability for VPN, AWS Direct
Connect, or third-party VPCs
• Peer VPC address ranges cannot overlap
VPN and AWS Direct Connect:
Getting between VPC and your data center
VPN connection
Corporate Data Center
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-f9da06e7 --vpc-id vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public-ip 54.64.1.2 --bgp-asn 6500
aws ec2 create-vpn-connection --vpn-gateway-id vgw-f9da06e7 --customer-gateway-id cgw-f4d905ea --type ipsec.1
Using AWS Direct Connect
Corporate Data Center
aws directconnect create-connection --location EqSE2 --bandwidth 1Gbps --connection-name My_First
aws directconnect create-private-virtual-interface --connection-id dxcon-fgp13h2s --new-private-virtual-interface virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
authKey is the BGP MD5 password for the session; use a generated secret rather than a placeholder like "testing".
Redundant VPN connection
Automatic route propagation from VGW
Corporate Data Center
192.168.0.0/16
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16
aws ec2 enable-vgw-route-propagation --route-table-id rtb-ef36e58a --gateway-id vgw-f9da06e7
Used to automatically update routing table(s) with the routes present in the virtual private gateway (VGW), i.e. the prefixes the VGW has learned over BGP or that are configured statically on the VPN connection, so the static 192.168.0.0/16 entry is no longer needed.
Configuring route table
Corporate Data Center
192.168.0.0/16
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id vgw-f9da06e7
With no Internet gateway route, all non-local traffic, Internet-bound traffic included, is sent through the VGW to the corporate data center.
VPC with private and public connectivity
Corporate Data Center
192.168.0.0/16
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-5a1ae13f --vpc-id vpc-c15180a4
aws ec2 delete-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 0.0.0.0/0 --gateway-id igw-5a1ae13f
aws ec2 create-route --route-table-id rtb-ef36e58a --destination-cidr-block 192.168.0.0/16 --gateway-id vgw-f9da06e7
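The route tables assembled on these slides (the local route, a default route to the IGW, the data-center range to the VGW, the S3 prefix list to the endpoint) all resolve by longest-prefix match, which is why the order of create-route calls never matters. As an added example, not from the presentation, here is that selection logic in Python over a constructed copy of the table using the page's own identifiers. The tie-break rule (a static route beats a propagated one at equal prefix length) follows AWS's documented route priority; the force-tunnel and tie tables are constructed for illustration.

```python
import ipaddress

# Constructed route table mirroring the one built on the slides above.
ROUTE_TABLE = [
    {"destination": "10.10.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "igw-5a1ae13f"},
    {"destination": "192.168.0.0/16", "target": "vgw-f9da06e7"},
    {"prefix_list": "pl-68a54001", "target": "vpce-a610f4cf"},
]

# CIDRs behind the prefix list, from the DescribePrefixLists output above.
PREFIX_LISTS = {"pl-68a54001": ["54.231.160.0/19"]}


def expand_routes(table, prefix_lists):
    """One (network, target, propagated) entry per CIDR, prefix lists unrolled."""
    entries = []
    for route in table:
        cidrs = prefix_lists[route["prefix_list"]] if "prefix_list" in route else [route["destination"]]
        for cidr in cidrs:
            entries.append((ipaddress.ip_network(cidr), route["target"], route.get("propagated", False)))
    return entries


def lookup(destination, table=ROUTE_TABLE, prefix_lists=PREFIX_LISTS):
    """Target a VPC route table would pick for one destination address.

    Longest prefix wins; on an equal prefix a static route beats a propagated one.
    Returns None when nothing matches (the packet is dropped).
    """
    addr = ipaddress.ip_address(destination)
    best_key, best_target = None, None
    for net, target, propagated in expand_routes(table, prefix_lists):
        if addr not in net:
            continue
        key = (net.prefixlen, not propagated)
        if best_key is None or key > best_key:
            best_key, best_target = key, target
    return best_target


# Variant from the "Configuring route table" slide: no IGW, so everything
# non-local leaves through the VGW, i.e. via the corporate data center.
FORCE_TUNNEL_TABLE = [
    {"destination": "10.10.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "vgw-f9da06e7"},
]

# Constructed: a VGW-propagated route loses to a static route of the same prefix.
TIE_TABLE = [
    {"destination": "10.10.0.0/16", "target": "local"},
    {"destination": "192.168.0.0/16", "target": "vgw-f9da06e7", "propagated": True},
    {"destination": "192.168.0.0/16", "target": "pcx-ee56be87", "propagated": False},
]

if __name__ == "__main__":
    for dst in ("10.10.2.7", "192.168.5.5", "54.231.161.9", "8.8.8.8"):
        print(dst, "->", lookup(dst))
    print("8.8.8.8 (force-tunnel) ->", lookup("8.8.8.8", FORCE_TUNNEL_TABLE))
    print("192.168.1.1 (tie) ->", lookup("192.168.1.1", TIE_TABLE))
```

Running it shows an S3 address (54.231.161.9) leaving via the endpoint rather than the IGW even though 0.0.0.0/0 is present, and 8.8.8.8 leaving via the VGW in the force-tunnel table; with no default route at all, lookup returns None, which is the "no route" case you see as a silent drop when an IGW route is forgotten.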
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Each VPN connection consists of 2 IPsec tunnels. Use Border Gateway Protocol (BGP) for failure recovery.
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
A pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.
Remote connectivity best practices
Corporate Data Center
Availability Zone Availability Zone
Redundant AWS Direct Connect connections with VPN backup.
ClassicLink
Getting between VPC and EC2-Classic
ClassicLink is relevant to you if:
• You have a significant deployment on EC2-Classic
• You want a phased migration to VPC to take advantage of:
  – New instance types
  – Enhanced networking
  – VPC security benefits (Amazon S3 endpoints, etc.)
  – Features (VPC Flow Logs, etc.)
What ClassicLink does: words
• Connectivity over private IP address between linked instances in EC2-Classic and VPC
• Classic instances can take membership in VPC Security Groups
What ClassicLink does: pictures
[Diagram: EC2-Classic Security Groups MyWebServers and MyBackends alongside VPC Security Groups MyWebServers and MyBackends, with the linked Classic instances placed in the VPC groups]
ClassicLink APIs & CLI
Enabling ClassicLink
aws ec2 enable-vpc-classic-link --vpc-id vpc-4325f426
To use ClassicLink the VPC must have this feature enabled. Enabling it can be restricted with IAM policy.
Attaching an EC2-Classic instance to a VPC
aws ec2 attach-classic-link-vpc --instance-id i-2b3ecd1c --vpc-id vpc-4325f426 --groups sg-da107fbf
Link this specific instance to the VPC using the specified VPC security groups.
Migration VPC: Keep it simple
• Internet connectivity
• One subnet per AZ
• Similar Security Groups
Elastic Load Balancing (ELB) supports ClassicLink
[Diagram: Security Group MyWebServers in EC2-Classic and VPC Security Group MyWebServers in the VPC, both fronted by the ELB]
ClassicLink – Component stages
• Start with AWS-managed infrastructure
  – RDS, ElastiCache, Redshift
• Next ELB
• Then instances
[Diagram sequence: an EC2-Classic environment (RDS DB Instance, ElastiCache Cache Node, Elastic Load Balancer, Route53) linked to a VPC over ClassicLink; stage by stage the RDS DB Instance and cache node, then the ELB, then the instances move to the VPC side while Route53 keeps pointing clients at the ELB]
ClassicLink – Additional considerations
• VPC address ranges for use with ClassicLink
  – 10.0.0.0/15 (that is, 10.0.0.0/16 or 10.1.0.0/16), or any other range outside 10.0.0.0/8
  – Why? EC2-Classic instance private IP addresses are in 10.2.0.0 – 10.255.255.255
• The VPC's route tables also can't have entries other than the local route whose destination lies within 10.0.0.0/8
• ClassicLink instances use EC2-Classic for all Internet traffic. No access from VPN/Direct Connect or a VPC peer to a ClassicLink instance.
• ClassicLink must be enabled after each instance launch (Run) or Start; the link does not survive a stop
• VPC instance DNS names do not resolve from EC2-Classic, and vice-versa
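Two of the constraints on this page are pure address arithmetic: peer VPC address ranges cannot overlap (VPC peering considerations above), and a ClassicLink VPC must sit in 10.0.0.0/15 or outside 10.0.0.0/8 and carry no non-local routes into 10.0.0.0/8. As an added example that is not the presentation's code, here is a small Python pre-flight check for both, run over the page's VPC CIDRs plus a constructed third VPC; it also shows that the deck's own 10.10.0.0/16 VPC could not be ClassicLink-enabled.

```python
import ipaddress

EC2_CLASSIC_SPACE = ipaddress.ip_network("10.0.0.0/8")      # EC2-Classic private addresses live here
CLASSICLINK_CARVEOUT = ipaddress.ip_network("10.0.0.0/15")  # the only 10/8 space a ClassicLink VPC may use


def peering_conflicts(vpcs):
    """Pairs of VPCs whose CIDRs overlap; such pairs cannot be peered.

    vpcs: {vpc_id: cidr}. Pairs are returned in sorted vpc_id order.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def classiclink_problems(vpc_cidr, routes):
    """Reasons a VPC cannot be enabled for ClassicLink.

    routes: [(destination_cidr, target)] from the VPC's route tables.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.overlaps(EC2_CLASSIC_SPACE) and not vpc.subnet_of(CLASSICLINK_CARVEOUT):
        problems.append("VPC CIDR %s overlaps EC2-Classic addresses; use 10.0.0.0/15 "
                        "or a range outside 10.0.0.0/8" % vpc_cidr)
    for destination, target in routes:
        dst = ipaddress.ip_network(destination)
        # Only the local route may point into 10/8; anything more specific than
        # 10.0.0.0/8 with another target blocks ClassicLink.
        if target != "local" and dst.subnet_of(EC2_CLASSIC_SPACE):
            problems.append("route %s -> %s points into 10.0.0.0/8" % (destination, target))
    return problems


if __name__ == "__main__":
    # The two VPCs from the peering slides plus a constructed shared-services VPC.
    vpcs = {"vpc-c15180a4": "10.10.0.0/16", "vpc-062dfc63": "10.20.0.0/16", "vpc-shared": "10.10.128.0/17"}
    print("cannot peer:", peering_conflicts(vpcs))
    print("deck VPC:", classiclink_problems("10.10.0.0/16", [("10.10.0.0/16", "local")]))
    print("10.0.0.0/16 with peering route:", classiclink_problems(
        "10.0.0.0/16", [("10.0.0.0/16", "local"), ("10.20.0.0/16", "pcx-ee56be87"), ("0.0.0.0/0", "igw-5a1ae13f")]))
    print("172.31.0.0/16:", classiclink_problems(
        "172.31.0.0/16", [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-5a1ae13f")]))
```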
VPC Flow Logs:
What’s going on inside my VPC?
See all of the traffic at your instances
• Visibility into effects of Security Group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
Getting set up: CloudWatch Logs
aws logs create-log-group --log-group-name MyVPCFlowLogs
Your VPC Flow Logs will go here.
Getting set up: IAM Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
VpcFlowLogsRole
This trust policy gives the VPC Flow Logs service permission to assume the role.
Getting set up: IAM Role, continued
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
aws iam put-role-policy --role-name VpcFlowLogsRole --policy-name AccessToCloudWatchLogs --policy-document file:///tmp/inline_policy_document.json
Grant VPC Flow Logs access to your CloudWatch Logs.
Getting set up: VPC Flow Logs
aws ec2 create-flow-logs takes the resource to watch (resource type can be VPC, Subnet, or NetworkInterface), the traffic to record (ACCEPT, REJECT, or ALL), the log group (MyVPCFlowLogs) and the delivery role (arn:aws:iam::111122223333:role/VpcFlowLogsRole).
CreateFlowLogs
ClientToken | 2VVt8sDNhVI3ZXy32ICeCU7MGykMPkQ5kzsdzHcXnk4=
FlowLogIds  | fl-ea995892
Reading your VPC Flow Logs
aws logs describe-log-streams --log-group-name MyVPCFlowLogs
DescribeLogStreams
logStreams
  arn                 | arn:aws:logs:us-east-1:111122223333:log-group:MyVPCFlowLogs:log-stream:eni-97ee1c31-accept
  creationTime        | 1434203061652
  firstEventTimestamp | 1434202443000
  lastEventTimestamp  | 1434202917000
  lastIngestionTime   | 1434203662454
  logStreamName       | eni-97ee1c31-accept
  storedBytes         | 0
  uploadSequenceToken | 49540113925456550918981667094152056847848616976877379954
One log stream per network interface and traffic type: this one holds the ACCEPT records for eni-97ee1c31.
Interpreting your VPC Flow Logs
Records from log stream eni-97ee1c31-accept:
2 111122223333 eni-97ee1c31 132.163.4.101 10.0.1.95 123 123 17 9 684 1434202443 1434203036 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 218.65.30.217 22 40534 6 13 3201 1434202567 1434202615 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 12.130.116.82 80 28110 6 5 343 1434203039 1434203096 ACCEPT OK
Fields, in order: version, account ID, interface ID, source IP address, destination IP address, source port, destination port, IP protocol number (17 = UDP, 6 = TCP), packets, bytes, start and end of the aggregation window (Unix time), action (ACCEPT or REJECT), log status.
So the first record is NTP traffic (UDP 123) between 132.163.4.101 and the instance, the second is the instance's side of an SSH session (TCP source port 22) with 218.65.30.217, and the third is its HTTP response traffic (TCP source port 80) to 12.130.116.82.
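As an added example, not part of the presentation, here is a Python parser for the record format above, run over the three records from the slide plus constructed REJECT and NODATA records. It orients each record relative to the instance, flags a source whose rejected inbound connections touch several service ports on one interface, and lists accepted admin-port sessions from outside an allowlist. The VPC CIDR (10.0.0.0/16), the allowlist and the extra records are assumptions made for the example.

```python
import collections
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumption: the VPC behind eni-97ee1c31
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# The three records from the slide, followed by constructed REJECT records from a
# single scanning source and a constructed NODATA record (no addresses to parse).
SAMPLE_RECORDS = """\
2 111122223333 eni-97ee1c31 132.163.4.101 10.0.1.95 123 123 17 9 684 1434202443 1434203036 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 218.65.30.217 22 40534 6 13 3201 1434202567 1434202615 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 12.130.116.82 80 28110 6 5 343 1434203039 1434203096 ACCEPT OK
2 111122223333 eni-97ee1c31 198.51.100.7 10.0.1.95 51000 23 6 1 60 1434203100 1434203101 REJECT OK
2 111122223333 eni-97ee1c31 198.51.100.7 10.0.1.95 51001 3389 6 1 60 1434203102 1434203103 REJECT OK
2 111122223333 eni-97ee1c31 198.51.100.7 10.0.1.95 51002 445 6 1 60 1434203104 1434203105 REJECT OK
2 111122223333 eni-97ee1c31 - - - - - - - 1434203110 1434203170 - NODATA
"""


def parse(text):
    """Parse v2 flow log lines into dicts; skip malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no addresses or ports in these records
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def describe(rec, vpc=VPC_CIDR):
    """Orient one record: the lower-numbered port is taken as the service side (a
    heuristic), and the record is inbound when that side is inside the VPC.
    Symmetric ports such as NTP 123/123 cannot be oriented from a single record."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    if rec["dstport"] <= rec["srcport"]:
        service, server, client = rec["dstport"], dst, src
    else:
        service, server, client = rec["srcport"], src, dst
    return {
        "direction": "inbound" if server in vpc else "outbound",
        "service_port": service,
        "proto": PROTOCOLS.get(rec["protocol"], str(rec["protocol"])),
        "client": str(client),
        "server": str(server),
        "action": rec["action"],
    }


def rejected_port_sweeps(records, min_ports=3, vpc=VPC_CIDR):
    """Sources whose REJECTed inbound connections touched >= min_ports service ports on one ENI."""
    ports = collections.defaultdict(set)
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        d = describe(rec, vpc)
        if d["direction"] == "inbound":
            ports[(d["client"], rec["interface_id"])].add(d["service_port"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


def accepted_admin_sessions(records, allowlist, admin_ports=(22, 3389), vpc=VPC_CIDR):
    """ACCEPTed inbound SSH/RDP traffic whose client is outside the allowlisted CIDRs."""
    allowed = [ipaddress.ip_network(cidr) for cidr in allowlist]
    hits = []
    for rec in records:
        d = describe(rec, vpc)
        if rec["action"] != "ACCEPT" or d["direction"] != "inbound" or d["service_port"] not in admin_ports:
            continue
        if not any(ipaddress.ip_address(d["client"]) in net for net in allowed):
            hits.append((d["client"], d["service_port"], rec["interface_id"]))
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_RECORDS)
    for rec in recs:
        print(describe(rec))
    print("sweeps:", rejected_port_sweeps(recs))
    print("admin from outside allowlist:", accepted_admin_sessions(recs, ["203.0.113.0/24"]))
```

The REJECT records are exactly the "visibility into effects of Security Group rules" the slides promise: a security group that only opens 22 and 80 turns a scan of 23, 445 and 3389 into three REJECT lines from one source, which the sweep check picks up; the accepted SSH session from 218.65.30.217 is only interesting once you compare it against where administrators are supposed to come from.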
NEW YORK