summit - amazon web services mark… · with the security group. automatically applies to all...
TRANSCRIPT
S U M M I TB e r l i n
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Networking fundamentals
Corina MotoiAWS Solutions Architect
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introductory - 200“These sessions provide an overview of AWS services
and features, and they assume that attendees are new to the topic. These sessions highlight basic use cases,
features, functions, and benefits."
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Default VPC
172.31.0.128
172.31.0.129
172.31.1.24
172.31.1.27
54.4.5.6
54.2.3.4
Amazon Virtual Private Cloud (Amazon VPC)
Subnet in availability zone (AZ) 1
Subnet in availability zone (AZ) 2
/16 IPv4 CIDR block (172.31.0.0/16).
/20 default subnet
Connected Internet Gateway
Security Group (SG)
Network Access Control List (NACL)
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
IP addressing
Creating subnets
Routing in a VPC
Security
VPC concepts & fundamentals
DNS in-VPC with Amazon Route 53
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Choosing an IP address range
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Choosing an IP address range for your VPC
172.31.0.0/16Recommended: RFC1918 range
Recommended: /16
(65,536 addresses)
Avoid ranges that overlap with other networks to which you might connect
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Creating subnets in a VPC
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
IPv6 in your VPC• Can have a dual-stack VPC by adding an IPv6 CIDR• Fixed sizes for VPC and subnets:
• /56 VPC (4,722,366,482,869,645,213,696 addresses)
• /64 subnets (18,446,744,073,709,551,616 addresses)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c
2600:1f16:14d:6300::/56
2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64 2600:1f16:14d:6302::/64
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Routing in a VPC
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Routing in your VPC• Route tables contain rules for which packets go where
• Your VPC has a default route table
• But, you can create and assign different route tables to different subnets
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Traffic destined for my VPC stays in my VPC
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
DNS in a VPC
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC DNS options
Use Amazon DNS serverHave EC2 auto-assign DNS
host names to instances
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Amazon Route 53 private hosted zones
Private Hosted Zone
example.demohostedzone.org 172.31.0.99
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Amazon Route 53 Resolver for hybrid clouds
Route 53 Resolver endpoints
Conditional forwarding rules
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network security
Flow logsNetwork access control list
Security groups
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network security
Flow logsNetwork access control list
Security groups
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
“MyWebServers” security group
“MyBackends” security group
Allow only “MyWebServers”
Security groups follow application structure
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security groups example: Web servers
Allow HTTP traffic from anywhere
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security groups example: Backends
Allow application traffic from web servers only
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network security
Flow logsNetwork access control list
Security groups
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security groups vs. NACLsSecurity group Network ACLOperates at instance level Operates at subnet level
Supports allow rules only Supports allow and deny rules
Is stateful: return traffic is automatically allowed regardless of any rules
Is stateless: return traffic must be explicitly allowed by rules
All rules evaluated before deciding whether to allow traffic
Rules evaluated in order when deciding whether to allow traffic
Applies only to instances explicitly associated with the security group
Automatically applies to all instances launched into associated subnets
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses;these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network security
Flow logsNetwork access control list
Security groups
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC flow logs
AZ 2AZ 1
• Visibility
• Troubleshooting
• Analyze traffic
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC flow logs: Setup
VPC traffic metadata captured in Amazon S3
or Amazon CloudWatch Logs
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC flow logs format
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Internet connectivity or not
Connecting to other VPCs
Connecting to your on-premises network
Connecting your VPC
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Internet connectivity or not
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Internet gateway
Destination Target10.0.1.0/24 local0.0.0.0/0 igw_id
Inbound internet access
198.51.100.3
Destination Target10.0.2.0/24 local
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Internet gateway
Outbound internet access
NAT gateway
198.51.100.4
Destination Target10.0.1.0/24 local0.0.0.0/0 igw_id
Destination Target10.0.2.0/24 local0.0.0.0/0 Nat_gateway
_id
198.51.100.3
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Connecting to other VPCs
VPC Peering Transit Gateway
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Connecting to other VPCs
VPC Peering Transit Gateway
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC peering• Full private IP connectivity
between two VPCs
• Can peer VPCs across regions
• VPCs can be in different accounts
• VPC CIDR ranges must not overlap
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Establish a VPC peering: Initiate request
Step 1
Initiate peering request
172.31.0.0/16 10.55.0.0/16
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Establish a VPC peering: Accept request
Step 1
Initiate peering request
Step 2
Accept peering request
172.31.0.0/16 10.55.0.0/16
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Establish a VPC peering: Create a route
Step 1
Initiate peering request
Step 2
Accept peering request
Step 3
172.31.0.0/16 10.55.0.0/16
Traffic destined for the peered VPC should go to the peering
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Connecting to other VPCs
VPC Peering Transit Gateway
and beyond
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPN connectionCustomer gateway Amazon VPC Amazon VPC
AWS Direct Connect Gateway
VPC peering
VPC peering VPC peering
Amazon VPC Amazon VPCVPC peering
VPN connection
VPN connection
VPC peering
Before Transit Gateway …
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
With Transit Gateway …
TransitGateway
Amazon VPCAmazon VPC
Amazon VPCAmazon VPC
Customergateway
VPNconnection
AWS DirectConnect Gateway
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Connecting to on-premises networks:
AWS VPNAWS
Direct Connect
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Extend an on-premises network into your VPC
AWS VPN
AWS Direct Connect
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS VPN basics
customer gateway
virtual private
gateway
Two IPSec tunnels192.168.0.0/16 172.31.0.0/16
192.168/16
Your networking device
VPN connection
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Direct Connect basics
AWS Direct Connect location
Customer or partner cage AWS cage
Customer network
192.168.0.0/16
AWS services
virtual private
gateway
172.31.0.0/16Private virtual
interface
Public virtual interface
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC Sharing VPC endpoints and AWS PrivateLink
…more AWS networking
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Sharing VPC resources
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC Sharing – owner account
NACL
NACL
Infrastructure account
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC Sharing – participant account
Account Web
Account DB
Account APP
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC Sharing – participant account
Account Web
Account DB
Account APP
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC endpoints
Interface VPC endpoints
PrivateLinkGateway VPC endpoints
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Gateway VPC endpoints: Amazon S3 and DynamoDB
S3 bucket
Route S3-bound traffic to the VPC
endpoint
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Interface VPC endpoints
Private IP: 172.31.1.6
Private IP: 172.31.2.10
AWS Services
APIs
*service*.eu-west-1.amazonaws.com
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS PrivateLink: VPC endpoint services
Endpointvpce-1234 example servicePrivate IP:
10.10.1.6
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Corina [email protected]
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.