PRIVATE ISLANDS FOR RENT: AN INTRODUCTION TO AMAZON VPC
Sarah Zelechoski | @szelechoski | #vBrownBag 10/28/2015
AN INTRODUCTION TO AMAZON VPC
I ♥ MY DATACENTER
‣ own your own equipment
‣ private network segment
‣ control over security
‣ hand-on support/physical access
‣ invested a lot in
  ‣ hardware
  ‣ storage
  ‣ staff
  ‣ virtualization
BUT CLOUD IS THE NEW HOTNESS
‣ scale up/scale down
‣ only pay for usage
‣ geography
‣ push button interface
‣ scripting/automation community
‣ less maintenance
  ‣ hardware/power/bandwidth
WE TRIED AWS A FEW YEARS AGO, BUT ...
Every Company Ever
THE 'BURBS (EC2-CLASSIC)
‣ no privacy
  ‣ shared hardware/resources
‣ no network segmentation
  ‣ shared private address space
  ‣ all instances public presence
‣ security groups inflexible
  ‣ ingress rules only
  ‣ unable to change live
THE 'BURBS (EC2-CLASSIC)
‣ strict HOA
  ‣ stingy w/ IPs
  ‣ some instance types not allowed
  ‣ no connection back to your DC
  ‣ new AWS services not available
‣ overcrowding
  ‣ not available to new accounts
GOOD NEWS EVERYONE!
Professor Farnsworth
YOUR LITTLE SLICE OF HEAVEN
‣ logically isolated
‣ option for single-tenant hardware
‣ private networking
‣ control
‣ security
‣ compatible with all AWS services
AWS VPC AND NETWORKING
‣ VIRTUAL PRIVATE CLOUD (VPC)
‣ REGION
‣ INTERNET GATEWAY (IGW)
‣ SUBNETS
  ‣ PUBLIC SUBNETS
    ‣ DMZ
    ‣ BASTION HOST
    ‣ NAT
  ‣ PRIVATE SUBNETS
‣ ROUTING TABLES
‣ NETWORK ACLS
‣ SECURITY GROUPS
‣ ADVANCED TOPICS
VPC
‣ self-contained / isolated
‣ /16 CIDR of your choosing
‣ build to suit
  ‣ custom subnet structure
  ‣ custom routing
  ‣ custom security
‣ resources assigned to a single VPC
PRIVATE ISLAND
REGION
‣ geographical region
‣ multiple datacenters
‣ close to you or your customers
‣ some bigger/more popular than others
‣ VPC lives in one region
OCEAN
INTERNET GATEWAY (IGW)
‣ all communication with Internet happens through IGW
‣ one IGW per VPC
‣ public subnets use as default gateway
‣ private subnets use a NAT instance to forward traffic
CHANNEL
PUBLIC SUBNET
‣ classic DMZ
‣ instances have public IP
‣ traffic will flow directly to IGW
‣ can interface with instances inside
‣ houses all ingress points to your VPC
‣ minimize this footprint / fringe security
THE SHALLOWS
DMZ INSTANCES
‣ instances with public presence
  ‣ VPN appliance
  ‣ bastion host
  ‣ proxy server
  ‣ software load balancers
‣ security is important
  ‣ have a very good reason
GUEST CABANAS
BASTION HOST
‣ alternative to VPN
‣ access private instances
  ‣ SSH for admins
  ‣ tunnel for automation tools
‣ needs strict security
  ‣ restrict ports
  ‣ SSH user-specific keys
HELIPAD
ELASTIC LOAD BALANCER (ELB)
‣ public interface
‣ gateway to your applications and services
‣ expose different ports outside vs. inside
‣ SSL and SSL termination
‣ high availability and failover
ARRIVAL JETTY
star.reactiveops.com
NETWORK ADDRESS TRANSLATION (NAT)
‣ private egress
‣ maps private network to public address
‣ allows outbound communication from private network
‣ reach out for
  ‣ git, ntp, apt/yum
‣ return traffic permitted
EXCURSIONS
PRIVATE SUBNET
‣ inner sanctum
‣ instances only have private address
‣ not routable directly from internet
‣ ingress -> ELB
‣ egress -> NAT
‣ control access points
  ‣ network ACLs
  ‣ security groups
RESORT
ROUTING TABLES
‣ tells traffic how to get from one place to another
‣ VPC CIDR is local by default
‣ each routing table defines a different default gateway
  ‣ public: 0.0.0.0/0 => IGW
  ‣ private: 0.0.0.0/0 => NAT
‣ one RT associated to a subnet
‣ many subnets can share the same RT
CONCIERGE
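As an added illustration of how the public and private tables differ (example code written for this page, not from the talk): a small Python model of the longest-prefix lookup the VPC router performs over the slide's 10.0.0.0/16 VPC. All resource ids are placeholders, the peered VPC CIDR and the fully isolated data subnet are assumptions, and the subnet CIDRs come from the advanced-subnetting slide later in the deck. It goes a step beyond the slide by adding a table with no default route and a route to a peered VPC, to show that a more specific prefix always wins over 0.0.0.0/0.

```python
import ipaddress

# Constructed example built on the slide's 10.0.0.0/16 VPC. Every target id
# below is a placeholder, not a real AWS resource id.
VPC_CIDR = "10.0.0.0/16"
PEER_CIDR = "10.1.0.0/16"   # assumed CIDR of a peered VPC; must not overlap VPC_CIDR


def route(destination, target):
    return (ipaddress.ip_network(destination), target)


# Every table carries the VPC CIDR as "local" by default; only the default
# route differs between the public and private tables.
PUBLIC_RT = [route(VPC_CIDR, "local"), route("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [route(VPC_CIDR, "local"), route("0.0.0.0/0", "nat-PLACEHOLDER")]
# No default route at all: instances here have no path to the Internet.
ISOLATED_RT = [route(VPC_CIDR, "local")]
# Private table that also reaches a peered VPC: the /16 is more specific than
# 0.0.0.0/0, so peer-bound traffic never goes through the NAT.
PEERED_RT = PRIVATE_RT + [route(PEER_CIDR, "pcx-PLACEHOLDER")]

# One table per subnet, but several subnets may share a table. Subnet CIDRs
# follow the advanced-subnetting slide; isolating the data tier completely is
# an assumption for this example.
SUBNET_TABLES = {
    "10.0.0.0/21": PUBLIC_RT,     # public, AZ1
    "10.0.8.0/21": PUBLIC_RT,     # public, AZ2 (same table)
    "10.0.32.0/21": PRIVATE_RT,   # presentation, AZ1
    "10.0.96.0/21": ISOLATED_RT,  # data, AZ1
}


def next_hop(route_table, dst_ip):
    """Longest-prefix match as the VPC router does it; None means no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for network, target in route_table:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, target)
    return best[1] if best else None


def next_hop_from(src_ip, dst_ip):
    """Find the source's subnet, then resolve dst_ip against that subnet's table."""
    src = ipaddress.ip_address(src_ip)
    for cidr, table in SUBNET_TABLES.items():
        if src in ipaddress.ip_network(cidr):
            return next_hop(table, dst_ip)
    raise ValueError(f"{src_ip} is not in any known subnet")


def is_public(route_table):
    """A subnet is 'public' exactly when its table sends 0.0.0.0/0 to an IGW."""
    return any(n.prefixlen == 0 and t.startswith("igw-") for n, t in route_table)
```

The useful check for a defender is `is_public`: a subnet is public because of its route table, not because of its name, so an audit that walks every table looking for a 0.0.0.0/0 route to an IGW finds exposed subnets whatever they are called.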
NETWORK ACL
‣ control access to subnet
‣ evaluated in order
‣ ingress and egress
‣ ALLOW or DENY
‣ stateless!
‣ optional security layer
  ‣ default ALLOW all
FRONT GATE
SECURITY GROUPS
‣ instance based
‣ associated w/ network interface
‣ ingress AND egress
‣ tcp, udp, icmp ports
‣ SG or specific CIDR
‣ stateful!
‣ can change live
‣ principle of least privilege
DOOR LOCKS
SECURITY GROUPS
‣ port-based
  ‣ web-http: ingress port 80
  ‣ mysql: ingress port 3306
  ‣ ssh-local: ingress port 22 from VPC CIDR
‣ role-based
  ‣ presentation
  ‣ application
  ‣ data
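The two preceding slides, network ACLs and security groups, differ on exactly the points that bite in practice: a NACL is ordered, can DENY, and is stateless, while a security group is allow-only, order-free, stateful, and can name another security group as its source. The Python below is an added example written for this page (not the speaker's code) that models both evaluations. The NACL rules, the 198.51.100.0/24 and 203.0.113.0/24 client addresses, the security group ids and the application tier's port 8080 are all constructed for the example; the 80 / 3306 / 22-from-VPC-CIDR rules are the ones from the port-based slide.

```python
import ipaddress

EPHEMERAL = (1024, 65535)  # client-side ports that carry the reply leg of a TCP connection


def nacl_decision(rules, direction, remote_ip, port):
    """Evaluate one direction of a subnet network ACL the way AWS does: rules are
    checked in ascending rule number, the first match decides, and the implicit
    final rule denies. Stateless: nothing remembers the connection, so the reply
    direction has to be evaluated (and allowed) on its own."""
    remote = ipaddress.ip_address(remote_ip)
    candidates = sorted((r for r in rules if r["direction"] == direction),
                        key=lambda r: r["number"])
    for rule in candidates:
        lo, hi = rule["ports"]
        if lo <= port <= hi and remote in ipaddress.ip_network(rule["cidr"]):
            return rule["action"] == "ALLOW"
    return False


def http_round_trip_allowed(nacl_rules, client_ip, client_port):
    """A client at client_ip:client_port talks to a web server in the subnet on
    port 80. The request is ingress on port 80; the reply is egress toward the
    client's ephemeral port and needs its own ALLOW rule."""
    request_in = nacl_decision(nacl_rules, "ingress", client_ip, 80)
    reply_out = nacl_decision(nacl_rules, "egress", client_ip, client_port)
    return request_in and reply_out


def sg_allows(rules, remote_ip, port, remote_sg=None):
    """Security group ingress: allow-only rules, any match wins, and the source
    may be a CIDR or another security group id. Stateful: once a connection is
    allowed in, its replies are allowed out without any egress rule."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in rules:
        lo, hi = rule["ports"]
        if not lo <= port <= hi:
            continue
        source = rule["source"]
        if source.startswith("sg-"):
            if remote_sg == source:
                return True
        elif remote in ipaddress.ip_network(source):
            return True
    return False


# Constructed NACL for a web subnet. The first version allows the request in but
# forgets the reply leg, so every HTTP exchange dies at the subnet edge.
NACL_BROKEN = [
    {"number": 90,  "direction": "ingress", "action": "DENY",  "ports": (80, 80),   "cidr": "198.51.100.0/24"},
    {"number": 100, "direction": "ingress", "action": "ALLOW", "ports": (80, 80),   "cidr": "0.0.0.0/0"},
    {"number": 100, "direction": "egress",  "action": "ALLOW", "ports": (443, 443), "cidr": "0.0.0.0/0"},
]
# The fixed version adds the outbound ephemeral-port rule.
NACL_FIXED = NACL_BROKEN + [
    {"number": 110, "direction": "egress", "action": "ALLOW", "ports": EPHEMERAL, "cidr": "0.0.0.0/0"},
]

# Constructed role-based security groups (ids are placeholders, port 8080 for the
# application tier is an assumption): each tier admits only the tier in front of it.
SG_PRESENTATION, SG_APPLICATION, SG_DATA = "sg-presentation", "sg-application", "sg-data"
SG_RULES = {
    SG_PRESENTATION: [{"ports": (80, 80), "source": "0.0.0.0/0"},      # web-http
                      {"ports": (22, 22), "source": "10.0.0.0/16"}],   # ssh-local, VPC CIDR only
    SG_APPLICATION:  [{"ports": (8080, 8080), "source": SG_PRESENTATION}],
    SG_DATA:         [{"ports": (3306, 3306), "source": SG_APPLICATION}],  # mysql
}
```

Two things the model makes visible: the DENY at rule 90 only works because its number is lower than the ALLOW at 100 (the same rule at 200 would never be reached), and the data tier's group accepts 3306 from the application group regardless of IP, so scaling the application tier never requires touching the database rules.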
BUT WAIT, THERE'S MORE!
Billy Mays
ADVANCED TOPICS
‣ AVAILABILITY ZONES
‣ ADVANCED SUBNETTING
‣ VPC PEERING
AVAILABILITY ZONES
‣ isolated locations within a region
‣ connected by low latency links
‣ VPC can span multiple AZs
‣ single AZ failure happens
‣ AWS services built to span AZs
ADVANCED SUBNETTING
‣ get away from public/private dichotomy
‣ create a new subnet when
  ‣ different hosts need to route in different ways
  ‣ using fault-tolerant configurations and distributing instances across availability zones
  ‣ increased security warrants the usage of network ACLs or abstraction
ADVANCED SUBNETTING
‣ subnets should be as large as possible
  ‣ autoscaling groups quickly eat up addresses
  ‣ leave yourself room to grow
‣ align subnets to make network ACLs easy
VPC = 10.0.0.0/16

public subnets = 10.0.0.0/19
  AZ1 = 10.0.0.0/21   AZ2 = 10.0.8.0/21   AZ3 = 10.0.16.0/21   # spare 10.0.24.0/21
presentation subnets = 10.0.32.0/19
  AZ1 = 10.0.32.0/21  AZ2 = 10.0.40.0/21  AZ3 = 10.0.48.0/21  # spare 10.0.56.0/21
application subnets = 10.0.64.0/19
  AZ1 = 10.0.64.0/21  AZ2 = 10.0.72.0/21  AZ3 = 10.0.80.0/21  # spare 10.0.88.0/21
data subnets = 10.0.96.0/19
  AZ1 = 10.0.96.0/21  AZ2 = 10.0.104.0/21 AZ3 = 10.0.112.0/21 # spare 10.0.120.0/21

/16: 65534 addresses
/18: 16382 addresses
/19: 8190 addresses
/20: 4094 addresses

Reference: https://medium.com/aws-activate-startup-blog/practical-vpc-design-8412e1a18dcc
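The plan above is a mechanical carve-up, so it can be generated rather than typed. The Python below is an added example written for this page (not the speaker's or the referenced post's code) that reproduces the slide's plan from its three parameters (a /16 VPC, /19 per tier, /21 per AZ) with the standard-library `ipaddress` module, reports the spare block in each tier, and checks that nothing overlaps. `usable()` reproduces the slide's address counts with the classic two reserved addresses; passing `reserved=5` gives the figure AWS actually allows, since it keeps the first four and the last address of every subnet. `can_peer()` applies the non-overlap rule from the VPC peering slides that follow.

```python
import ipaddress

# Constructed inputs matching the slide's plan: a /16 VPC carved into /19 tiers,
# each holding a /21 per availability zone plus one spare /21.
VPC = "10.0.0.0/16"
TIERS = ["public", "presentation", "application", "data"]
AZS = ["AZ1", "AZ2", "AZ3"]


def plan(vpc=VPC, tiers=TIERS, azs=AZS, tier_prefix=19, subnet_prefix=21):
    """Return {tier: {"block", "subnets": {az: cidr}, "spare": [cidr, ...]}}.
    Raises if the VPC cannot hold the requested number of tiers or AZs."""
    tier_blocks = list(ipaddress.ip_network(vpc).subnets(new_prefix=tier_prefix))
    if len(tiers) > len(tier_blocks):
        raise ValueError(f"{vpc} holds only {len(tier_blocks)} /{tier_prefix} blocks")
    result = {}
    for tier, block in zip(tiers, tier_blocks):
        az_blocks = list(block.subnets(new_prefix=subnet_prefix))
        if len(azs) > len(az_blocks):
            raise ValueError(f"{block} holds only {len(az_blocks)} /{subnet_prefix} subnets")
        result[tier] = {
            "block": str(block),
            "subnets": {az: str(s) for az, s in zip(azs, az_blocks)},
            "spare": [str(s) for s in az_blocks[len(azs):]],
        }
    return result


def usable(prefixlen, reserved=2):
    """Host addresses in a /prefixlen block. reserved=2 reproduces the slide's
    network+broadcast figures; reserved=5 gives what AWS lets you assign,
    since it keeps the first four and the last address of every subnet."""
    return 2 ** (32 - prefixlen) - reserved


def all_subnets(plan_dict):
    return [ipaddress.ip_network(c) for t in plan_dict.values() for c in t["subnets"].values()]


def no_overlap(plan_dict):
    """Sanity check: no two assigned subnets overlap (AWS rejects overlapping subnets)."""
    nets = all_subnets(plan_dict)
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def can_peer(vpc_a, vpc_b):
    """VPC peering requires the two CIDR blocks not to match or overlap."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


if __name__ == "__main__":
    for tier, entry in plan().items():
        print(f"{tier:13} {entry['block']:15} {entry['subnets']}  spare={entry['spare']}")
    for p in (16, 18, 19, 20):
        print(f"/{p}: {usable(p)} addresses (AWS-assignable: {usable(p, reserved=5)})")
```

Because the generator takes the prefix lengths as parameters, the same function answers the "leave room to grow" question on the slide: trying `plan(subnet_prefix=20)` shows immediately that a /19 tier can no longer hold three AZs plus a spare, and a second VPC for peering can be checked with `can_peer` before anyone allocates it.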
VPC PEERING
‣ enable private routing of traffic between VPCs
‣ instances in either VPC communicate as if they reside on the same network
‣ no bandwidth loss
‣ used to share common resources
‣ used to separate areas of concern
VPC PEERING
‣ cannot connect matching or overlapping CIDR blocks
‣ peered VPCs must be in the same regions
‣ no transitive VPC peering
‣ referencing a SG from the peer VPC is not supported; CIDR blocks must be used instead
‣ private EC2 DNS cannot be resolved between instances in peered VPCs