(NET403) Another Day, Another Billion Packets
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eric Brandwine, AWS Security
October 2015
NET403: Another Day, Another Billion Packets
Deja Vu
We have the cloud
(diagram: EBS, RDS, ElastiCache, Amazon Redshift, EC2, Elastic Load Balancing)
Customers have data centers
Whiteboard engineering
(diagram: EBS, RDS, ElastiCache, Amazon Redshift, EC2, Elastic Load Balancing)
EC2 as it was
(diagram: instances at 10.44.12.4, 10.44.12.5, 10.44.92.17, 10.44.12.27 and 10.108.6.4)
Why that doesn’t work
Customer network: 192.168.0.0/16
Routing Table
• 192.168.0.0/16: stay here
• 10.44.12.4/32: AWS
• 10.44.92.17/32: AWS
• 10.108.6.4/32: AWS
AWS side: 10.44.0.0/16 with instances at 10.44.12.4, 10.44.12.5, 10.44.92.17, 10.44.12.27 and 10.108.6.4 (one /32 route per instance, so nothing aggregates)
Requirements
Customer selected IP addresses
Route aggregation for external connectivity
Conformance with existing network designs
Virtual private cloud
VPC: 172.31.0.0/18, with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8, 172.31.1.9) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51)
Customer network: 192.168.0.0/16
Routing Table
• 192.168.0.0/16: stay here
• 172.31.0.0/18: AWS
This is just virtual networking!
Subnet ~= VLAN
VPC ~= VRF (virtual routing and forwarding)
But…
Scaling challenges
VLAN ID space is constrained
• 12 bits => 4096 total VLANs
VRF support is constrained
• Large routers => 1-2 thousand VRFs
Fixed ratio of VLANs:VRFs
Router and capacity dimensions
(diagram: two big routers, each with a data plane and a control plane)
An example
Average router configuration line: 50 chars
Config per VPC: 10 lines
Subnets per VPC: 4
Config per subnet: 5 lines
Total VPCs: 2,000
Config size: 3 MB (2,000 VPCs × (10 + 4 × 5) lines × 50 chars)
But…
Doesn’t scale
• 12 bit VLAN ID = 4096 VLANs (not enough)
• BIG routers support 4000 VRFs ($200k+)
Large VLANs make NEs cry
Tied to vendor bugfix cycles (6 months +)
We want commodity, fungible network gear
• BIG virtual routers are built by few companies
• Interoperability of advanced features is marginal
Silos of capacity
(diagram: capacity split into separate silos, labelled A through G)
Implementation requirements
Scale to millions of environments the size of Amazon.com
Any server, anywhere in a region can host an instance attached to any subnet in any VPC
Concepts
(diagram: servers 192.168.0.3, 192.168.0.4, …, 192.168.1.3, 192.168.1.4, each hosting instances such as 10.0.0.2, 10.0.0.3, 10.0.0.4 and 10.0.0.5, with the Mapping Service alongside)
Server: Physical host in an Amazon datacenter
Instance: Amazon EC2 instance owned by a customer
VPC: Amazon Virtual Private Cloud owned by a customer
VPC ID: Identifier for a VPC such as vpc-1a2b3c4d
Mapping Service: Distributed lookup service. Maps VPC + Instance IP to server
L2 - Ethernet
Hosts 10.0.0.2 and 10.0.0.3 on one Ethernet switch:
• L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP: Who has 10.0.0.3?
The switch floods the ARP request out all ports.
• L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2), ARP: 10.0.0.3 is at MAC(10.0.0.3)
The switch snoops the ARP response and learns the port for MAC(10.0.0.3).
• L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
L2 - VPC
(diagram: servers 192.168.0.3, 192.168.0.4, …, 192.168.1.3, 192.168.1.4 hosting instances, with the Mapping Service)
• Instance 10.0.0.2 sends: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP: Who has 10.0.0.3?
• Its server asks the Mapping Service instead of flooding: Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.0.3
• Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: 192.168.1.4, MAC: MAC(10.0.0.3)
• The server answers the instance itself: L2 Src: MAC(10.0.0.3), L2 Dst: MAC(10.0.0.2), ARP: 10.0.0.3 is at MAC(10.0.0.3)
L2 - VPC
• Instance 10.0.0.2 sends: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
• Server 192.168.0.3 encapsulates it: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.1.4, carrying the instance packet unchanged
• Server 192.168.1.4 checks before delivering: Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.2 is at 192.168.0.3
• Src: Mapping Service, Dst: 192.168.1.4, Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
VPC isolation
• Instance 10.0.0.4 on server 192.168.0.4 sends: L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff, ARP: Who has 10.0.0.3?
• Src: 192.168.0.4, Dst: Mapping Service, Query: Grey 10.0.0.3
VPC isolation
• The same ARP from 10.0.0.4 on 192.168.0.4: L2 Src: MAC(10.0.0.4), L2 Dst: ff:ff:ff:ff:ff:ff, ARP: Who has 10.0.0.3?
• But the server asks about another VPC: Src: 192.168.0.4, Dst: Mapping Service, Query: Blue 10.0.0.3
• 192.168.0.4 is not hosting any instances in VPC Blue. Mapping Denied. Alarm Raised.
VPC isolation
• Server 192.168.0.4 sends an encapsulated packet claiming VPC Blue: VPC: Blue, Src: 192.168.0.4, Dst: 192.168.1.4, carrying L2 Src: MAC(10.0.0.4), L2 Dst: MAC(10.0.0.3), L3 Src: 10.0.0.4, L3 Dst: 10.0.0.3, ICMP/TCP/UDP/…
• Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.4 is at 192.168.0.4
• Src: Mapping Service, Dst: 192.168.1.4, Mapping invalid!
• 192.168.1.4 does not deliver the packet to the instance. Alarm Raised.
L3 – IP routing
Hosts 10.0.0.2 and 10.0.1.3 on different subnets, joined by a router:
• L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP: Who has 10.0.0.1? (the gateway)
• L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2), ARP: 10.0.0.1 is at MAC(10.0.0.1)
• To the router: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
• From the router: L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
L3 - VPC
• Instance 10.0.0.2 sends: L2 Src: MAC(10.0.0.2), L2 Dst: ff:ff:ff:ff:ff:ff, ARP: Who has 10.0.0.1?
• Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.0.1
• Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: Gateway, MAC: MAC(10.0.0.1)
• The server answers: L2 Src: MAC(10.0.0.1), L2 Dst: MAC(10.0.0.2), ARP: 10.0.0.1 is at MAC(10.0.0.1)
L3 - VPC
• Instance 10.0.0.2 sends to the gateway: L2 Src: MAC(10.0.0.2), L2 Dst: MAC(10.0.0.1), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
• The server looks up the L3 destination: Src: 192.168.0.3, Dst: Mapping Service, Query: Blue 10.0.1.3
• Src: Mapping Service, Dst: 192.168.0.3, Reply: Host: 192.168.1.4, MAC: MAC(10.0.1.3)
• Encapsulated: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.1.4
• Src: 192.168.1.4, Dst: Mapping Service, Validate: Blue 10.0.0.2 is at 192.168.0.3
• Src: Mapping Service, Dst: 192.168.1.4, Mapping valid: Blue 10.0.0.2 is at 192.168.0.3
• Delivered to 10.0.1.3 as if routed: L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
Caching
(diagram: the same delivery as above, with no Mapping Service exchange shown; the servers cache the mappings they have already looked up or validated)
• L2 Src: MAC(10.0.1.1), L2 Dst: MAC(10.0.1.3), L3 Src: 10.0.0.2, L3 Dst: 10.0.1.3, ICMP/TCP/UDP/…
Getting home (or anywhere, really)
VPC: 10.0.0.0/18 with subnets 10.0.0.0/24 (10.0.0.7, 10.0.0.8, 10.0.0.9) and 10.0.1.0/24 (10.0.1.12, 10.0.1.51); customer network: 172.16.0.0/16
• Instance packet: L3 Src: 10.0.0.7, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
• Encapsulation: VPC: Blue, Src: 192.168.0.3, Dst: ??? (no server hosts 172.16.14.17)
Edges
(diagram: servers 192.168.0.3, 192.168.0.4, … and edges 192.168.4.3, 192.168.4.4, with the Mapping Service)
Mapping Service table:
• Host 10.0.0.4: 192.168.0.4
• Host 10.0.1.4: 192.168.0.4
• …
• 172.16.0.0/16: Edge 192.168.4.3
• …
• Instance packet: L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
• Encapsulated to the edge: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3
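A toy model of the mapping-service checks on the VPC isolation slides above (a server querying a VPC it hosts nothing in, and a receiving server refusing a packet whose source mapping does not validate) together with the edge lookup on this slide. This is an added example, not code from the talk or from AWS; the servers, the VPC names Blue and Grey, the instance placement and the edge route are constructed sample values, and longest-prefix match over the edge routes is an assumption about how the edge table is consulted.

```python
# Added toy model, not AWS code. Addresses and VPC names are constructed samples.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Location:
    host: str      # substrate address of the server (or edge) to send to
    mac: str = ""  # instance MAC to answer the ARP with; empty for an edge

class MappingService:
    def __init__(self):
        self._instances = {}  # (vpc, instance ip) -> Location
        self._routes = {}     # vpc -> [(network, edge host)]
        self.alarms = []      # every denied query or invalid mapping lands here

    def register(self, vpc, ip, host, mac):
        self._instances[(vpc, ip)] = Location(host, mac)

    def add_edge_route(self, vpc, cidr, edge_host):
        self._routes.setdefault(vpc, []).append(
            (ipaddress.ip_network(cidr), edge_host))

    def _hosts_vpc(self, server, vpc):
        return any(v == vpc and loc.host == server
                   for (v, _), loc in self._instances.items())

    def query(self, requester, vpc, dst_ip):
        """Sending server asks where VPC/dst_ip lives (replaces ARP flooding)."""
        if not self._hosts_vpc(requester, vpc):
            self.alarms.append(f"denied: {requester} asked about {vpc} {dst_ip}")
            return None
        loc = self._instances.get((vpc, dst_ip))
        if loc is not None:
            return loc
        # Not an instance of this VPC: longest-prefix match over edge routes (assumed).
        addr = ipaddress.ip_address(dst_ip)
        hits = [(n, e) for n, e in self._routes.get(vpc, []) if addr in n]
        if not hits:
            return None
        _, edge = max(hits, key=lambda h: h[0].prefixlen)
        return Location(edge)

    def validate(self, receiver, vpc, inner_src, outer_src):
        """Receiving server checks a decapsulated packet before delivery."""
        loc = self._instances.get((vpc, inner_src))
        if loc is None or loc.host != outer_src:
            self.alarms.append(f"invalid: {vpc} {inner_src} claimed at "
                               f"{outer_src}, dropped by {receiver}")
            return False
        return True

def sample_topology():
    """Constructed placement in the spirit of the slides (assumed, not AWS's)."""
    ms = MappingService()
    ms.register("Blue", "10.0.0.2", "192.168.0.3", "MAC(10.0.0.2)")
    ms.register("Blue", "10.0.0.3", "192.168.1.4", "MAC(10.0.0.3)")
    ms.register("Grey", "10.0.0.4", "192.168.0.4", "MAC(10.0.0.4)")
    ms.add_edge_route("Blue", "172.16.0.0/16", "192.168.4.3")
    return ms
```

Each refused lookup or failed validation lands in `alarms`, which is the signal the slides describe as "Alarm Raised".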
Edges (three different ones)
VPN: Edge 192.168.4.3 receives VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
It re-encapsulates the packet in IPsec: Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Edges (three different ones)
Direct Connect: Edge 192.168.4.3 receives VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
It forwards the packet with an 802.1Q VLAN tag: Src: 54.68.100.245, Dst: 205.251.242.54, carrying L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…
Edges (three different ones)
Internet: Edge 192.168.4.3 receives VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3, carrying L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
It forwards the packet to the Internet from the public address 54.148.157.46: L3 Src: 54.148.157.46, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
Edges (three different ones)
VPN, Edge 192.168.4.3: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3 [L3 Src: 10.0.0.2, L3 Dst: 172.16.14.17, ICMP/TCP/UDP/…] becomes IPSEC Stuff, Src: 54.68.100.245, Dst: 205.251.242.54 [same inner packet]
Direct Connect, Edge 192.168.4.3: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3 [same inner packet] becomes 802.1Q VLAN Tag, Src: 54.68.100.245, Dst: 205.251.242.54 [same inner packet]
Internet, Edge 192.168.4.3: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.3 [L3 Src: 10.0.0.2, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…] becomes L3 Src: 54.148.157.46, L3 Dst: 176.32.96.190, ICMP/TCP/UDP/…
A brief diversion
(Image credit: Wikipedia, https://en.wikipedia.org/wiki/1918_Eighth_Avenue)
VPC pricing
Cost per VPC: $0.00
Cost per subnet: $0.00
Upcharge per instance: $0.00
Nov 10, 2010
VPC as a platform
(diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51))
VPC as a platform
VPN and Direct Connect
Security group egress filtering
Network ACLs
Routing tables
Elastic Network Interfaces (ENIs)
Multiple IPs
Amazon S3 endpoints
(diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12), reaching Amazon S3 through an endpoint)
(diagram: servers 192.168.0.3, 192.168.0.4, … and edges 192.168.4.3, 192.168.4.4, with the Mapping Service)
Mapping Service table:
• Host 10.0.0.4: 192.168.0.4
• Host 10.0.1.4: 192.168.0.4
• …
• 172.16.0.0/16: Edge 192.168.4.3
• S3.us-east-1: Edge 192.168.4.4
• …
• Instance packet: L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
• Encapsulated to the S3 edge: VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.4
A new edge
S3 endpoint: Edge 192.168.4.4 receives VPC: Blue, Src: 192.168.0.3, Dst: 192.168.4.4, carrying L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
It forwards the packet tagged with VPC Endpoint 1a2b3c4d: Src: 54.68.100.245, Dst: 54.231.33.89, carrying L3 Src: 10.0.0.2, L3 Dst: 54.231.33.89, TCP/HTTP/…
Endpoints & policy
(diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7) and 172.31.2.0/24 (172.31.2.12))

```json
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
```

```json
{
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
```
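An added example, not from the talk, that evaluates the two policies above for a handful of requests. It reads the first as the VPC endpoint policy and the second as the bucket policy, models only Action, Resource, Effect and the StringEquals/StringNotEquals conditions (Principal "*" is assumed and not checked), and pools both policies so that an explicit Deny wins and an Allow is otherwise required, which gives the same outcome as requiring each policy type to allow separately.

```python
# Added evaluator, not AWS's engine: models only the policy features used above.
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """Only StringEquals / StringNotEquals, the operators the slide uses."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, wanted in pairs.items():
            equal = context.get(key) in _as_list(wanted)
            # A missing key never equals, so StringNotEquals holds (as in IAM).
            if equal != (operator == "StringEquals"):
                return False
    return True

def _statement_matches(stmt, action, resource, context):
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources)
            and _condition_holds(stmt.get("Condition", {}), context))

def evaluate(policies, action, resource, context):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    effects = [s["Effect"] for p in policies for s in p["Statement"]
               if _statement_matches(s, action, resource, context)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

def slide_policies():
    """The two policies from the slide: endpoint policy first, then bucket policy."""
    bucket_arns = ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]
    endpoint = {"Statement": [{
        "Sid": "Access-to-specific-bucket-only", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
        "Resource": bucket_arns}]}
    bucket = {"Statement": [{
        "Sid": "Access-to-specific-VPC-only", "Principal": "*",
        "Action": "s3:*", "Effect": "Deny", "Resource": bucket_arns,
        "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22"}}}]}
    return [endpoint, bucket]
```

The request context carries `aws:sourceVpc` only when the request arrives through a VPC endpoint; a request with no such key (for example from the Internet) is denied by the bucket policy.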
(diagram: a spectrum from Simple and Limited, where EC2 sits, to Complex and Flexible, where VPC sits)
Default VPC
(diagram: VPC 172.31.0.0/18 with subnets 172.31.1.0/24 (172.31.1.7, 172.31.1.8, 172.31.1.9) and 172.31.2.0/24 (172.31.2.12, 172.31.2.51))
(diagram: the same Simple and Limited to Complex and Flexible spectrum, now spanned by EC2 - VPC)
Thank you!