SUMMIT BERLIN
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT
AWS Networking – Advanced Concepts and New Capabilities
Viktor Goldberg, Cloud Infrastructure Architect, AWS Professional Services
Matt Johnson, Manager, Solutions Architecture, AWS WWPS UK
What to expect
Amazon Virtual Private Cloud (Amazon VPC) gives you complete control over your AWS virtual networking environment.
In this session we work through the process and features involved in building an advanced hybrid, connected architecture, exploring new capabilities including VPC shared subnets, AWS Transit Gateway, Route 53 Resolver and AWS Global Accelerator. We dive into how they work and how you might use them.
What not to expect
• Explanation of VPC basics; we assume that you know:
  • VPCs
  • Subnets
  • Route tables
  • Security groups / NACLs
• Explanation of AWS core services
Agenda
• Account strategy
• Connectivity (VPN, WAN, AWS Direct Connect, Transit VPC)
• Shared services
• Network services
• Multi-Region options
Our starting point
(Diagram: VPN, WAN and AWS Direct Connect terminate on a virtual private gateway; one Dev and one Prod VPC.)
Challenge: Adding more VPCs
(Diagram: VPN, WAN and AWS Direct Connect connecting to three pairs of Dev and Prod VPCs.)
Challenge: Peering VPCs
(Diagram: VPN, WAN and AWS Direct Connect; three pairs of Dev and Prod VPCs.)
Let's:
• Connect dev and prod (VPC peering)
• Connect the yellow environment
How does this scale?
(Diagram: VPN, WAN and AWS Direct Connect; six pairs of Dev and Prod VPCs.)
• Scaling connections?
• Scaling VPC peering?
• Shared services?
• Firewall and services?
Transit VPC
(Diagram: VPN, WAN and AWS Direct Connect terminate in a Transit VPC, which connects to six pairs of Dev and Prod VPCs.)
Transit Gateway
(Diagram: VPN, WAN and AWS Direct Connect connect to an AWS Transit Gateway, which connects to six pairs of Dev and Prod VPCs.)
Account and VPC segmentation
(Diagram: a spectrum from smaller VPCs or accounts to larger VPCs or accounts, and from infrastructure and networking controls to policy and IAM controls.)
• Automation of infrastructure
• AWS Direct Connect and VPN standards
• Subnet and routing standards
• AWS Identity and Access Management
• Strict security groups and routing
• Identifying resources with tags
Segmentation: Decision inputs
Relationship between accounts, VPCs, and tenants?
• Do accounts and tenants trust each other?
• Is the current network segmentation intentional or a side effect?
Who owns security and networking?
• Each team or a centralized team?
Compliance and governance requirements?
• Can they be scoped to an account or a VPC level?
Segmentation options: Layers
• Inside the account: baseline security (IAM, security groups)
• At the VPC: network security (route tables, network ACLs)
• Separate VPCs
(Diagram: applications grouped at each layer.)
Segmentation in a VPC with network ACLs
Mimic behavior of a single VPC:

Inbound network ACL

| # | Source | Action |
|---|---|---|
| 100 | 10.0.1.0/24 | ALLOW |
| 101 | 10.0.101.0/24 | ALLOW |
| 200 | 10.0.0.0/16 | DENY |
| 300 | 0.0.0.0/0 | ALLOW |
Both? Provide granular account control with centralized infrastructure.
VPC sharing
Easily share VPC networks between AWS accounts, providing central oversight and control for networking engineers.
VPC Sharing and Resource Access Manager: Share subnets between accounts in an AWS Organization
(Diagram: an infrastructure account owns the VPC and publishes two resource shares to participant accounts, one with public and private subnets and one with private subnets only.)
VPC Sharing and Resource Access Manager: Account owners only see subnets and their resources
(Diagram: two participant accounts, each seeing only the subnets shared with it.)
Segmentation in a Shared VPC with network ACLs
(Diagram: two resource shares, each with public and private subnets, shared to four accounts; public subnets 10.0.1.0/24 and 10.0.2.0/24, private subnets 10.0.101.0/24 and 10.0.102.0/24.)
Mimic behavior of a single VPC:

Inbound network ACL

| # | Source | Action |
|---|---|---|
| 100 | 10.0.1.0/24 | ALLOW |
| 101 | 10.0.101.0/24 | ALLOW |
| 200 | 10.0.0.0/16 | DENY |
| 300 | 0.0.0.0/0 | ALLOW |
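An added example, not from the slides, that evaluates the tenant's inbound network ACL above (and the identical one on the earlier single-VPC slide) the way AWS does, in ascending rule-number order with first match winning and an implicit final deny, against constructed sample sources; it also adds a review check for rules shadowed by an earlier, broader rule. `MISORDERED_ACL` is a constructed counter-example, not from the slides.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class NaclRule(NamedTuple):
    number: int    # rules are evaluated in ascending rule-number order
    source: str    # CIDR matched against the packet's source address
    action: str    # "ALLOW" or "DENY"


# The slide's inbound network ACL for one tenant of the shared VPC: allow the
# tenant's own public (10.0.1.0/24) and private (10.0.101.0/24) subnets, deny the
# rest of the shared VPC (other tenants), allow everything else (the internet).
TENANT_INBOUND_ACL = [
    NaclRule(100, "10.0.1.0/24", "ALLOW"),
    NaclRule(101, "10.0.101.0/24", "ALLOW"),
    NaclRule(200, "10.0.0.0/16", "DENY"),
    NaclRule(300, "0.0.0.0/0", "ALLOW"),
]

# Constructed counter-example: the broad deny is numbered below the specific
# allow, so the allow can never match.
MISORDERED_ACL = [
    NaclRule(100, "10.0.0.0/16", "DENY"),
    NaclRule(110, "10.0.1.0/24", "ALLOW"),
]


def evaluate(rules: List[NaclRule], src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number) for a packet from src_ip.

    Like an AWS network ACL: rules are checked in ascending number order, the
    first match decides, and a packet matching no rule hits the implicit '*'
    DENY (reported here with rule number None).
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.source, strict=False):
            return rule.action, rule.number
    return "DENY", None


def shadowed_rules(rules: List[NaclRule]) -> List[int]:
    """Review check: numbers of rules that can never match because a
    lower-numbered rule already covers their whole CIDR."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.source, strict=False)
        if any(later_net.subnet_of(ipaddress.ip_network(e.source, strict=False))
               for e in ordered[:i]):
            shadowed.append(later.number)
    return shadowed


if __name__ == "__main__":
    # Constructed sample sources: own subnets, another tenant, the internet.
    for src in ("10.0.1.25", "10.0.101.7", "10.0.2.9", "10.0.102.9", "203.0.113.5"):
        print(src, evaluate(TENANT_INBOUND_ACL, src))
    print("shadowed:", shadowed_rules(MISORDERED_ACL))
```

Network ACLs are stateless, so the outbound rules for return traffic must be written separately; this model covers the inbound direction only.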
VPC Sharing benefits
Less unused resources
• Higher density subnets, add up to 5 additional CIDRs
• More efficient use of VPN and AWS Direct Connect
Separation of duties
• Infrastructure strictly controls routing, IP addresses, and VPC structure
• Developers own their resources, accounts, and security groups
Decouple accounts and networks
• Account protection and billing without additional infrastructure
• Many accounts with fewer networks
• Avoid VPC peering charges
Segmentation considerations: Where to start
Security groups and IAM are effective and proven
• Encourage IAM and security group use and monitor security configuration
Shared VPCs
• Tenants should limit access from the internet and other tenants
• VPCs using VPC peering are likely to benefit from Shared VPCs
• Design around resource and limit contention
Separate VPCs
• Often the best security decision is the simplest. Separate VPCs are simple.
• Use separate VPCs for strong network segmentation and resource isolation
• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)
Transit Gateway route tables define multi-VPC policy
• Consider isolating environments (dev and prod) and allow access to shared resources
Shared services connectivity options
VPC peering
• One-to-one connectivity
• Scales to 100 VPCs
• Security groups across VPCs
• Inter-region peering
Transit VPC
• Shared services as a spoke
• Bandwidth constrained
• Complex management
• Instance and licensing costs
(Diagram: VPN, WAN and AWS Direct Connect terminate in a Transit VPC with a Shared Services spoke.)
AWS Transit Gateway
• Many-to-many or one-to-many with route tables
• Highly scalable
• Hourly per AZ endpoint costs
(Diagram: Development, Testing and Production account groups and a Shared Services account attached to a Transit Gateway with separate route tables.)
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly endpoint costs
Transit VPC mechanics
(Diagram: VPN, WAN and AWS Direct Connect terminate in a Transit VPC.)
Transit VPC: Routing
(Diagram: Transit VPC 10.0.0.0/16 with internet access, connected by Virtual Private Network (VPN) over a virtual private gateway (VGW) to spoke VPCs 10.1.0.0/16 and 10.2.0.0/16.)
Spoke VPC route table:

| Destination | Target |
|---|---|
| 10.2.0.0/16 | Local |
| 0.0.0.0/0 | VGW |

The VPN instances advertise routes to each VGW with BGP. This can be a default route or individual routes.
Why doesn't peering work?
(Diagram: Transit VPC 10.0.0.0/16 with internet access, connected by VPC peering to spoke VPCs 10.1.0.0/16 and 10.2.0.0/16; destination: Internet.)
Spoke VPC route table:

| Destination | Target |
|---|---|
| 10.2.0.0/16 | Local |
| 0.0.0.0/0 | PCX |

Transitive routing: traffic must either originate or terminate on a network interface in the VPC.
Why does VPN work?
(Diagram: Transit VPC 10.0.0.0/16 with internet access, connected by Virtual Private Network (VPN) to spoke VPCs 10.1.0.0/16 and 10.2.0.0/16; destination: Internet.)
Spoke VPC route table:

| Destination | Target |
|---|---|
| 10.2.0.0/16 | Local |
| 0.0.0.0/0 | VGW |

Transitive routing: traffic must either originate or terminate on a network interface in the VPC.
What is the AWS Transit Gateway?
Introducing: Transit Gateway
(Diagram: an AWS Region with a Transit Gateway connecting VPC ENIs, VPN and AWS Direct Connect* across two routing domains. * Available Q1 2019)
• Regional service
• Scalable
• Flexible routing
Flat: Transit Gateway route domains (route tables)
Default routing domain (Transit Gateway route table):

| Route | Destination |
|---|---|
| 10.1.0.0/16 | vpc-att-1xxxxxxx |
| 10.2.0.0/16 | vpc-att-2xxxxxxx |
| 10.3.0.0/16 | vpc-att-3xxxxxxx |
| 10.4.0.0/16 | vpc-att-4xxxxxxx |

Per VPC route table:

| Route | Destination |
|---|---|
| 10.1.0.0/16 | Local |
| 10.0.0.0/8 | tgw-xxxxxxxxx |
Isolated: Transit Gateway route domains
Routing domain for VPCs (the route table the VPC attachments are associated with):

| Route | Destination |
|---|---|
| 0.0.0.0/0 | VPN |

Per VPC route table:

| Route | Destination |
|---|---|
| 10.1.0.0/16 | Local |
| 0.0.0.0/0 | tgw-xxxxxxxxx |

Routing domain for VPN (the route table the VPN attachment is associated with):

| Route | Destination |
|---|---|
| 10.1.0.0/16 | vpc-att-1xxxx |
| 10.2.0.0/16 | vpc-att-2xxxx |
| 10.3.0.0/16 | vpc-att-3xxxx |
| 10.4.0.0/16 | vpc-att-4xxxx |
(Diagram annotations: attachments are associated with a routing domain and routes are propagated into it; the routing domain for VPN and the routing domain for VPCs each define what that domain can reach.)
Isolated: Transit Gateway route domains
(Diagram: Transit Gateway with VPN, VPC and shared services attachments.)
Route table for the VPCs (routes to shared resources):

| Route | Destination |
|---|---|
| 10.0.0.0/8 | VPN |
| 10.4.0.0/16 | vpc-att-4xxxx |

Route table for the shared resources (routes to all resources):

| Route | Destination |
|---|---|
| 10.1.0.0/16 | vpc-att-1xxxx |
| 10.2.0.0/16 | vpc-att-2xxxx |
| 10.3.0.0/16 | vpc-att-3xxxx |
| 10.4.0.0/16 | vpc-att-4xxxx |

VPCs associate to a route table with routes to shared resources.
Shared resources attach to a route table with routes to all resources.
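An added example, not from the slides: a small model of Transit Gateway routing domains that builds the "Flat" default domain and the "Isolated" domains with shared services shown above (attachment ids such as `vpc-att-1` and `vpn-att` are constructed placeholders) and resolves next hops by longest-prefix match from the route table each attachment is associated with. It goes one step beyond the slide by adding blackhole routes, which Transit Gateway supports, so tenant-to-tenant traffic is dropped at the gateway instead of following the 10.0.0.0/8 route toward the VPN.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Transit Gateway static routes may be blackhole routes: matching traffic is dropped.
BLACKHOLE = "blackhole"


class TransitGateway:
    """Minimal model of Transit Gateway routing domains (route tables).

    Each attachment is associated with exactly one route table, which is
    consulted for traffic arriving from that attachment. A route table maps
    CIDR -> target attachment and is looked up by longest-prefix match.
    Route propagation (automatic population from attachments) is modelled
    here as explicit add_route calls.
    """

    def __init__(self) -> None:
        self.tables: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {}
        self.association: Dict[str, str] = {}  # attachment id -> route table id

    def add_route(self, table: str, cidr: str, target: str) -> None:
        self.tables.setdefault(table, []).append((ipaddress.ip_network(cidr), target))

    def associate(self, attachment: str, table: str) -> None:
        self.tables.setdefault(table, [])
        self.association[attachment] = table

    def next_hop(self, from_attachment: str, dst_ip: str) -> Optional[str]:
        """Attachment that receives traffic from from_attachment to dst_ip, or
        None if the gateway drops it (no association, no route, or blackhole)."""
        table = self.association.get(from_attachment)
        if table is None:
            return None
        ip = ipaddress.ip_address(dst_ip)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, target in self.tables[table]:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        if best is None or best[1] == BLACKHOLE:
            return None
        return best[1]


def flat_gateway() -> TransitGateway:
    """'Flat': every VPC is associated with the one default routing domain,
    so any VPC reaches any other VPC."""
    tgw = TransitGateway()
    for n in range(1, 5):
        tgw.add_route("default", f"10.{n}.0.0/16", f"vpc-att-{n}")
        tgw.associate(f"vpc-att-{n}", "default")
    return tgw


def isolated_gateway(blackhole_tenants: bool = False) -> TransitGateway:
    """'Isolated' with shared services: tenant VPCs 1-3 associate with a table
    that only routes to the VPN (10.0.0.0/8) and the shared-services VPC
    (vpc-att-4); the VPN and vpc-att-4 associate with a table that reaches
    every VPC. With blackhole_tenants (an addition beyond the slide), the
    tenant table also drops traffic for the other tenants' CIDRs instead of
    sending it toward the VPN."""
    tgw = TransitGateway()
    tgw.add_route("vpcs", "10.0.0.0/8", "vpn-att")
    tgw.add_route("vpcs", "10.4.0.0/16", "vpc-att-4")
    for n in (1, 2, 3):
        tgw.associate(f"vpc-att-{n}", "vpcs")
        if blackhole_tenants:
            tgw.add_route("vpcs", f"10.{n}.0.0/16", BLACKHOLE)
    for n in range(1, 5):
        tgw.add_route("shared", f"10.{n}.0.0/16", f"vpc-att-{n}")
    tgw.associate("vpn-att", "shared")
    tgw.associate("vpc-att-4", "shared")
    return tgw


if __name__ == "__main__":
    iso = isolated_gateway(blackhole_tenants=True)
    for src, dst in (("vpc-att-1", "10.4.0.5"), ("vpc-att-1", "10.2.0.5"),
                     ("vpc-att-4", "10.2.0.5"), ("vpn-att", "10.1.0.5")):
        print(f"{src} -> {dst}: {iso.next_hop(src, dst)}")
```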
Reference Network Architecture
(Diagram: many accounts, grouped by environment, attached to a Transit Gateway with separate route tables; VPN and AWS Direct Connect* attachments; IAM cross-account roles span the accounts. * Available Q1 2019)
Quick comparison: Transit Gateway and Transit VPC
(Diagram: VPN, WAN and AWS Direct Connect terminating in a Transit VPC, beside the same connectivity through a Transit Gateway.)
AWS Global Infrastructure
• 20 Regions with 60 Availability Zones
• 4 Regions coming soon: Bahrain, Cape Town, Hong Kong SAR, and second USA GovCloud
160 Points of Presence (PoPs)
• 149 Edge Locations
• 11 Regional Edge Caches
Amazon Global Network
• Redundant 100 GbE network
• Private network capacity between all AWS Regions, except China
Multiple services traverse the backbone
Content Distribution with Amazon CloudFront
• Fast, massively scaled and globally distributed
• Highly programmable
• Deep integration with AWS
• Network and application protection at the edge
Introducing AWS Global Accelerator
(Diagram: a user's local ISP reaches the application across networks A to F.)
Accessing your application is not this straightforward! It can take many networks to reach the application.
• Paths to and from the application may differ
• Each hop impacts performance and can introduce risk
Accessing your web applications with AWS Global Accelerator
(Diagram: the user's local ISP hands traffic directly to the AWS network.)
• Adding AWS Global Accelerator removes these inefficiencies
• Leverages the global AWS network
• Resulting in improved performance
(Diagram: AWS Region 1 and AWS Region 2, each labelled with the same address 3.10.3.125.)
![Page 53: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/53.jpg)
SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 54: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/54.jpg)
Connecting to on-premises

Virtual Private Gateway VPN
• Per VPC
• 1.25 Gbps per tunnel
• Encrypted in transit (IPsec)

AWS Direct Connect (WAN)
• Per VPC (50 private VIFs per port)
• Multiple VPCs with a Direct Connect gateway
• No per-tunnel bandwidth constraint; throughput is bounded by the port speed
• Not encrypted on its own: run a VPN over the connection if you need encryption in transit

AWS Transit Gateway VPN
• Multiple VPCs behind one VPN
• Add VPN connections as needed
• 1.25 Gbps per tunnel
• Roadmap: AWS Direct Connect attachment

Amazon EC2 customer VPN
• Per VPC, or multiple VPCs (Transit VPC)
• Bandwidth varies by instance type
• AWS Marketplace options
• Scalability is generally limited by management complexity
![Page 56: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/56.jpg)
Private connectivity with AWS Direct Connect
• Dedicated private connection from on-premises to AWS
• Consistent network performance
• Reduced bandwidth costs
• Compatible with all AWS services
![Page 57: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/57.jpg)
AWS Direct Connect to Many VPCs

Diagram: an on-premises WAN connects through two AWS Direct Connect locations (a customer router facing an AWS router at each) into an AWS Region; private virtual interfaces (VIFs) lead to separate VPCs, 10.1.0.0/16 and 10.2.0.0/16. Up to 50 VIFs per port.
![Page 58: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/58.jpg)
AWS Direct Connect and Transit Gateway

Diagram: VPCs from many accounts attached to a Transit Gateway and its route tables, reached from on-premises over Direct Connect. Two ways to combine them today:
• Use Direct Connect in parallel: private virtual interfaces carry on-premises traffic directly into the VPCs, while the Transit Gateway terminates the VPN and connects the VPCs to each other
• Use VPN over a Direct Connect public virtual interface: the public VIF receives AWS public IP addresses, and the site-to-site VPN to the Transit Gateway is built over it (the IPsec tunnel also gives you encryption on the Direct Connect link, which Direct Connect alone does not provide)

Native Direct Connect support planned for Q1 2019
![Page 59: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/59.jpg)
VPN With Transit Gateway

Diagram: customer gateway, VPN connection, Transit Gateway with its route tables.

Consolidate VPN at the Transit Gateway (TGW)
• The VPN attachment behaves like a Virtual Private Gateway (VGW) VPN: same bandwidth, configuration, APIs, cost, and experience
• The VPN is attached to a TGW instead of a VGW
• The same 1.25 Gbps bandwidth per tunnel applies

Encryption to the edge of many VPCs
• Traffic is encrypted (IPsec) until it is inside the VPC
• The TGW does not natively encrypt traffic between VPCs
• Inter-region VPC peering does
![Page 60: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/60.jpg)
VPN with Transit Gateway: Add more bandwidth

Diagram: customer gateway with several VPN tunnels into the Transit Gateway and its route tables.

Support for spreading traffic across many tunnels
• Equal Cost Multi-Path (ECMP) support with BGP multipath
• Tested up to 50 Gbps of aggregate traffic
• A single flow is still pinned to one tunnel: split traffic into smaller flows (multi-part uploads, parallel connections, etc.)

Check your on-premises configuration
• Multipath BGP
• ECMP support, the number of equal-cost paths the router allows, and reverse-path forwarding / anti-spoofing checks (asymmetric return paths across tunnels can be dropped by strict uRPF)
• Only supported with BGP, not static routing
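As an added example (not from the deck or from AWS), the following Python model shows why ECMP across several Transit Gateway VPN tunnels raises aggregate throughput but does nothing for a single large flow, which is the reason behind the "split traffic into smaller flows" advice. It assumes a router that selects a tunnel by hashing the flow 5-tuple modulo the number of equal-cost paths, that every flow offers the same load, and that each tunnel is capped at the 1.25 Gbps quoted on the slide; the addresses and ports are constructed.

```python
# Added example (not from the AWS deck): why ECMP across several Transit
# Gateway VPN tunnels raises aggregate throughput but never lifts a single
# flow above one tunnel's 1.25 Gbps, and why splitting work into many flows
# (e.g. multi-part uploads) does.
#
# Assumptions, not stated on the slide: the router picks a tunnel by hashing
# the flow 5-tuple (src IP, dst IP, protocol, src port, dst port) modulo the
# number of equal-cost paths; every flow offers the same load; the per-tunnel
# cap is the 1.25 Gbps quoted on the slide. Addresses and ports are constructed.
import hashlib
from collections import Counter

TUNNEL_GBPS = 1.25  # per-tunnel limit from the slide


def pick_tunnel(flow, n_tunnels):
    """ECMP-style selection: hash the 5-tuple, take it modulo the path count.

    A real router uses a vendor hash, but any deterministic hash has the same
    property: a given flow always lands on the same tunnel.
    """
    key = "|".join(str(part) for part in flow).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_tunnels


def tunnel_load(flows, n_tunnels):
    """Number of flows hashed onto each tunnel index."""
    return Counter(pick_tunnel(flow, n_tunnels) for flow in flows)


def achievable_gbps(flows, n_tunnels, offered_gbps_per_flow):
    """Aggregate throughput once each tunnel is capped at TUNNEL_GBPS."""
    total = 0.0
    for count in tunnel_load(flows, n_tunnels).values():
        total += min(count * offered_gbps_per_flow, TUNNEL_GBPS)
    return total


def make_flows(n, src="10.1.0.10", dst="10.2.0.20", dst_port=443):
    """n TCP connections between the same two hosts, differing only in source
    port, which is what a multi-part upload or a parallel copy produces."""
    return [(src, dst, "tcp", 40000 + i, dst_port) for i in range(n)]


if __name__ == "__main__":
    elephant = [("10.1.0.10", "10.2.0.20", "tcp", 40000, 443)]
    # One 5 Gbps flow is pinned to one tunnel: 1.25 Gbps however many tunnels exist.
    for n in (1, 4, 8):
        print(f"1 flow x 5 Gbps over {n} tunnels      -> "
              f"{achievable_gbps(elephant, n, 5.0):.2f} Gbps")
    # The same 5 Gbps offered as 40 flows of 0.125 Gbps spreads across the tunnels.
    many = make_flows(40)
    for n in (1, 4, 8):
        print(f"40 flows x 0.125 Gbps over {n} tunnels -> "
              f"{achievable_gbps(many, n, 0.125):.2f} Gbps "
              f"(flows per tunnel: {dict(sorted(tunnel_load(many, n).items()))})")
```

A single 5 Gbps flow returns 1.25 Gbps whether there are 1, 4 or 8 tunnels; the same load as 40 connections of 0.125 Gbps gets close to 5 Gbps over 8 tunnels, with the shortfall showing the hash imbalance a real deployment also sees. Whether the customer gateway hashes the return traffic onto the same tunnel is exactly the reverse-path forwarding question the slide tells you to check.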
![Page 62: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/62.jpg)
Route 53 Resolver
• Managed DNS resolver service from Route 53
• Create conditional forwarding rules to redirect query traffic for chosen domain names to other resolvers
• Enables hybrid DNS over AWS Direct Connect and managed VPN: on-premises names resolve from inside the VPC, and VPC names resolve from on-premises
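The rule selection behind the conditional forwarding bullet, as an added example (not AWS's code and not from the deck): a Python model of how Resolver picks a rule for a query name, most specific domain name first, and where the query then goes. The rule set, on-premises resolver addresses and query names are constructed for the example; Resolver's own implementation is not public, so only its documented matching behaviour is modelled.

```python
# Added example (not from the AWS deck): a model of how Route 53 Resolver
# applies conditional forwarding rules to a query name. Resolver uses the
# rule whose domain name is the most specific suffix of the query name; a
# FORWARD rule sends the query through an outbound endpoint to the listed
# target resolvers (on-premises, over Direct Connect or VPN), a SYSTEM rule
# keeps it with the VPC's own resolver (private hosted zones, VPC DNS names).
# Rule domains, target IPs and query names below are constructed; the
# matching logic is the point.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    domain: str               # domain name the rule applies to ("." = everything)
    rule_type: str            # "FORWARD" or "SYSTEM"
    targets: tuple = ()       # target resolver IPs, FORWARD rules only


def matches(rule_domain, qname):
    """True if qname is rule_domain itself or lies beneath it.

    Plain endswith() is wrong here: "corp.example.com" must not match
    "notcorp.example.com", so the comparison is label-aligned.
    """
    rule = rule_domain.strip(".").lower()
    if not rule:
        return True  # the "." rule matches every name
    name = qname.strip(".").lower()
    return name == rule or name.endswith("." + rule)


def select_rule(rules, qname):
    """Most specific matching rule wins, as in Resolver.

    Every rule that matches a name is a suffix of that name, so matching
    rules nest and the longest domain name is the most specific one.
    """
    candidates = [r for r in rules if matches(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(r.domain.strip(".")))


def route(rules, qname):
    """Where a query goes: ("FORWARD", targets) or ("SYSTEM", ())."""
    rule = select_rule(rules, qname)
    if rule is None:
        return ("SYSTEM", ())  # no rule at all: the VPC resolver handles it
    return (rule.rule_type, rule.targets)


# Constructed rule set for a hybrid setup:
#  - corp.example.com goes to two on-premises resolvers (two targets, the
#    same redundancy idea as the two-AZ endpoint advice in the deck)
#  - aws.corp.example.com is a private hosted zone in Route 53 and must stay
#    with the VPC resolver, so a more specific SYSTEM rule overrides the forward
#  - "." is the catch-all for everything else
RULES = (
    Rule("corp.example.com", "FORWARD", ("10.250.0.53", "10.250.1.53")),
    Rule("aws.corp.example.com", "SYSTEM"),
    Rule(".", "SYSTEM"),
)

if __name__ == "__main__":
    for name in ("fileserver.corp.example.com", "api.aws.corp.example.com",
                 "corp.example.com", "notcorp.example.com", "www.example.org"):
        print(f"{name:30} -> {route(RULES, name)}")
```

The SYSTEM rule for aws.corp.example.com is the pattern to remember: without it, the broader FORWARD rule would ship queries for the private hosted zone to on-premises resolvers that know nothing about it.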
![Page 63: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/63.jpg)
Enabling Hybrid Cloud

Diagram build: a VPC and a data center; DNS resolution between them is first shown blocked (X), then flowing in both directions through Route 53 Resolver, and finally the same pattern is extended to several VPCs.
![Page 71: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/71.jpg)
Route 53 Resolver (architecture diagram)
![Page 72: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/72.jpg)
Benefit to you: Reduced Complexity
![Page 73: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/73.jpg)
Benefit to you: Availability
• Built on AWS's highly available architecture
• Create additional redundancy by provisioning more endpoint ENIs in different AZs (diagram: endpoints spread across the AZs of one VPC)
![Page 74: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/74.jpg)
Benefit to you: Cross Account Rules Sharing

Diagram: one set of forwarding rules shared with VPCs in several accounts (sharing is done through AWS Resource Access Manager), so each account does not need to maintain its own copy of the rules.
![Page 76: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/76.jpg)
Client VPN
• Support for OpenVPN clients
• Available in 4 regions at launch; others coming soon
• Connected users charged per user per hour

Diagram: a user with an OpenVPN client builds a TLS-based tunnel over the internet to the Client VPN endpoint; through the endpoint's attachment to the Amazon VPC the client reaches the VPC, on-premises networks connected to it, and AWS services such as Amazon S3 and Amazon DynamoDB.
![Page 79: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/79.jpg)
Private connectivity with Inter-region Peering
• Private connectivity for two or more VPCs between regions
• Highly available, no single point of failure
• All traffic stays on the AWS global backbone network
• All traffic encrypted and anonymized
![Page 80: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/80.jpg)
Multiple Regions

Diagram: an on-premises WAN connects through two AWS Direct Connect locations (a customer router facing an AWS router at each, private virtual interfaces) to a Direct Connect gateway in one account, which reaches VPCs in two AWS Regions.
![Page 82: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/82.jpg)
Takeaways
We have tools and architectures that horizontally scale to many VPCs
There’s wiggle room for your specific use cases
Use services in combination to meet scale and security requirements
![Page 83: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/83.jpg)
Advice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test
![Page 84: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com... · SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Networking –Advanced Concepts](https://reader034.vdocument.in/reader034/viewer/2022042308/5ed512f088180403687e5d38/html5/thumbnails/84.jpg)
Thank you!