S U M M I TB e r l i n

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

AWS Networking fundamentals

Corina MotoiAWS Solutions Architect

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Introductory - 200“These sessions provide an overview of AWS services

and features, and they assume that attendees are new to the topic. These sessions highlight basic use cases,

features, functions, and benefits."

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Default VPC

172.31.0.128

172.31.0.129

172.31.1.24

172.31.1.27

54.4.5.6

54.2.3.4

Amazon Virtual Private Cloud (Amazon VPC)

Subnet in availability zone (AZ) 1

Subnet in availability zone (AZ) 2

/16 IPv4 CIDR block (172.31.0.0/16).

/20 default subnet

Connected Internet Gateway

Security Group (SG)

Network Access Control List (NACL)

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

IP addressing

Creating subnets

Routing in a VPC

Security

VPC concepts & fundamentals

DNS in-VPC with Amazon Route 53

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Choosing an IP address range

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Choosing an IP address range for your VPC

172.31.0.0/16Recommended: RFC1918 range

Recommended: /16

(65,536 addresses)

Avoid ranges that overlap with other networks to which you might connect

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Creating subnets in a VPC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC subnets and Availability Zones

172.31.0.0/16

Availability Zone Availability Zone Availability Zone

VPC subnet VPC subnet VPC subnet

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

eu-west-1a eu-west-1b eu-west-1c

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

IPv6 in your VPC• Can have a dual-stack VPC by adding an IPv6 CIDR• Fixed sizes for VPC and subnets:

• /56 VPC (4,722,366,482,869,645,213,696 addresses)

• /64 subnets (18,446,744,073,709,551,616 addresses)

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC subnets and Availability Zones

172.31.0.0/16

Availability Zone Availability Zone Availability Zone

VPC subnet VPC subnet VPC subnet

172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

eu-west-1a eu-west-1b eu-west-1c

2600:1f16:14d:6300::/56

2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64 2600:1f16:14d:6302::/64

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Routing in a VPC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Routing in your VPC• Route tables contain rules for which packets go where

• Your VPC has a default route table

• But, you can create and assign different route tables to different subnets

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Traffic destined for my VPC stays in my VPC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

DNS in a VPC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC DNS options

Use Amazon DNS serverHave EC2 auto-assign DNS

host names to instances

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Amazon Route 53 private hosted zones

Private Hosted Zone

example.demohostedzone.org 172.31.0.99

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Amazon Route 53 Resolver for hybrid clouds

Route 53 Resolver endpoints

Conditional forwarding rules

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Network security

Flow logsNetwork access control list

Security groups

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Network security

Flow logsNetwork access control list

Security groups

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

“MyWebServers” security group

“MyBackends” security group

Allow only “MyWebServers”

Security groups follow application structure

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Security groups example: Web servers

Allow HTTP traffic from anywhere

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Security groups example: Backends

Allow application traffic from web servers only

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Network security

Flow logsNetwork access control list

Security groups

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Security groups vs. NACLsSecurity group Network ACLOperates at instance level Operates at subnet level

Supports allow rules only Supports allow and deny rules

Is stateful: return traffic is automatically allowed regardless of any rules

Is stateless: return traffic must be explicitly allowed by rules

All rules evaluated before deciding whether to allow traffic

Rules evaluated in order when deciding whether to allow traffic

Applies only to instances explicitly associated with the security group

Automatically applies to all instances launched into associated subnets

Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses;these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Network security

Flow logsNetwork access control list

Security groups

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC flow logs

AZ 2AZ 1

• Visibility

• Troubleshooting

• Analyze traffic

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC flow logs: Setup

VPC traffic metadata captured in Amazon S3

or Amazon CloudWatch Logs

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC flow logs format

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Internet connectivity or not

Connecting to other VPCs

Connecting to your on-premises network

Connecting your VPC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Internet connectivity or not

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Internet gateway

Destination Target10.0.1.0/24 local0.0.0.0/0 igw_id

Inbound internet access

198.51.100.3

Destination Target10.0.2.0/24 local

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Internet gateway

Outbound internet access

NAT gateway

198.51.100.4

Destination Target10.0.1.0/24 local0.0.0.0/0 igw_id

Destination Target10.0.2.0/24 local0.0.0.0/0 Nat_gateway

_id

198.51.100.3

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Connecting to other VPCs

VPC Peering Transit Gateway

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Connecting to other VPCs

VPC Peering Transit Gateway

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC peering• Full private IP connectivity

between two VPCs

• Can peer VPCs across regions

• VPCs can be in different accounts

• VPC CIDR ranges must not overlap

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Establish a VPC peering: Initiate request

Step 1

Initiate peering request

172.31.0.0/16 10.55.0.0/16

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Establish a VPC peering: Accept request

Step 1

Initiate peering request

Step 2

Accept peering request

172.31.0.0/16 10.55.0.0/16

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Establish a VPC peering: Create a route

Step 1

Initiate peering request

Step 2

Accept peering request

Step 3

172.31.0.0/16 10.55.0.0/16

Traffic destined for the peered VPC should go to the peering

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Connecting to other VPCs

VPC Peering Transit Gateway

and beyond

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPN connectionCustomer gateway Amazon VPC Amazon VPC

AWS Direct Connect Gateway

VPC peering

VPC peering VPC peering

Amazon VPC Amazon VPCVPC peering

VPN connection

VPN connection

VPC peering

Before Transit Gateway …

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

With Transit Gateway …

TransitGateway

Amazon VPCAmazon VPC

Amazon VPCAmazon VPC

Customergateway

VPNconnection

AWS DirectConnect Gateway

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Connecting to on-premises networks:

AWS VPNAWS

Direct Connect

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Extend an on-premises network into your VPC

AWS VPN

AWS Direct Connect

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

AWS VPN basics

customer gateway

virtual private

gateway

Two IPSec tunnels192.168.0.0/16 172.31.0.0/16

192.168/16

Your networking device

VPN connection

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

AWS Direct Connect basics

AWS Direct Connect location

Customer or partner cage AWS cage

Customer network

192.168.0.0/16

AWS services

virtual private

gateway

172.31.0.0/16Private virtual

interface

Public virtual interface

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC Sharing VPC endpoints and AWS PrivateLink

…more AWS networking

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Sharing VPC resources

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC Sharing – owner account

NACL

NACL

Infrastructure account

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC Sharing – participant account

Account Web

Account DB

Account APP

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC Sharing – participant account

Account Web

Account DB

Account APP

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

VPC endpoints

Interface VPC endpoints

PrivateLinkGateway VPC endpoints

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Gateway VPC endpoints: Amazon S3 and DynamoDB

S3 bucket

Route S3-bound traffic to the VPC

endpoint

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

Interface VPC endpoints

Private IP: 172.31.1.6

Private IP: 172.31.2.10

AWS Services

APIs

*service*.eu-west-1.amazonaws.com

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

AWS PrivateLink: VPC endpoint services

Endpointvpce-1234 example servicePrivate IP:

10.10.1.6

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Thank you!

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Corina Motoicmotoi@amazon.co.uk

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.