VPC - Module 2 Part 2 - AWSome Day 2017
TRANSCRIPT
Your private network in AWS
Diagram: a VPC containing EC2 instances with the private addresses 172.31.0.128, 172.31.0.129, 172.31.1.24 and 172.31.1.27, and the public addresses 54.4.5.6 and 54.2.3.4.
Creating an Internet-connected VPC: steps
• Choosing an address range
• Setting up subnets in Availability Zones
• Creating a route to the Internet
• Authorizing traffic to/from the VPC
Choosing an IP address range
What is an Internet Protocol address?
An IP address is four numbers (octets) separated by periods.
192.168.90.0
What is an Internet Protocol address range?
From 192.168.90.0 to (and including) 192.168.90.255
How many IP addresses can we use?
192.168.90.0 plus another 255 IP addresses = 256 IP addresses.
What is an Internet Protocol address range?
From 192.0.0.0 to (and including) 192.0.0.255: 256 IP addresses
From 192.0.0.0 to (and including) 192.0.255.255: 256 * 256 = 65,536 IP addresses
From 192.0.0.0 to (and including) 192.255.255.255: 256 * 256 * 256 = 16,777,216 IP addresses
Classless inter-domain routing [CIDR notation]
An IP address range is the starting 4 octets (IP address) plus a value after a slash.
e.g. 192.168.90.0/24
What is that value and what does it mean?
Binary
Bit value:  128  64  32  16   8   4   2   1
0:            0   0   0   0   0   0   0   0   (the number 0 represented in binary)
90:           0   1   0   1   1   0   1   0   (the number 90 represented in binary)
255:          1   1   1   1   1   1   1   1   (the number 255 represented in binary)
7:            0   0   0   0   0   1   1   1   (the number 7 represented in binary)
IP addresses in binary
172.31.0.0   = 10101100.00011111.00000000.00000000
172.31.0.255 = 10101100.00011111.00000000.11111111
The range 172.31.0.0 to 172.31.255.255:
From 172.31.0.0/255.255.255.255 to and including 172.31.255.255/255.255.255.255
Written with a netmask: 172.31.0.0/255.255.0.0, i.e. 172.31.0.0/(8).(8).(0).(0) = 16 network bits
172.31.0.0/16 gives you 65,536 IP addresses to pick from.
Choosing an IP address range for your VPC
172.31.0.0/16
Recommended: RFC1918 range
Avoid ranges that overlap with other networks to which you might connect.
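The arithmetic on the previous slides (addresses in a /24 or /16, the netmask behind the slash, the octet-by-octet binary form) plus the two rules for picking a VPC range (use RFC 1918, avoid overlaps) can be checked with Python's standard ipaddress module. This is an added example, not code from the AWSome Day deck or from AWS; the three candidate networks in the overlap check are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges, the recommendation on the slide.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dotted_binary(addr: str) -> str:
    """Render an IPv4 address octet by octet in binary, as the slides do by hand."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)


def describe(cidr: str) -> dict:
    """Expand CIDR notation into first/last address, netmask and address count."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "netmask": str(net.netmask),                    # e.g. /16 -> 255.255.0.0
        "network_bits": net.prefixlen,                  # the value after the slash
        "host_bits": net.max_prefixlen - net.prefixlen,
        "addresses": net.num_addresses,                 # 2 ** host_bits
        "binary_first": dotted_binary(str(net.network_address)),
        "binary_last": dotted_binary(str(net.broadcast_address)),
    }


def is_rfc1918(cidr: str) -> bool:
    """True when the whole range sits inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def overlapping_pairs(cidrs) -> list:
    """Every pair of ranges that overlap; a VPC must not overlap a network it may later peer or VPN with."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


if __name__ == "__main__":
    for cidr in ("192.168.90.0/24", "172.31.0.0/16", "192.0.0.0/8"):
        print(cidr, describe(cidr))
    print("RFC 1918?", is_rfc1918("172.31.0.0/16"), is_rfc1918("54.4.5.0/24"))
    # Constructed planning input: an existing VPC, a corporate network and a proposed second VPC.
    print("overlaps:", overlapping_pairs(["172.31.0.0/16", "192.168.0.0/16", "172.31.5.0/24"]))
```

Run overlapping_pairs over every range you already use (VPCs, on-premises networks, partner networks) before creating a new VPC; an overlap only surfaces later, when peering or a VPN refuses to route, and renumbering a live VPC is far more work than choosing correctly up front.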
Subnets
VPC subnets and Availability Zones
Diagram: VPC 172.31.0.0/16 split into one VPC subnet per Availability Zone: 172.31.0.0/24 in eu-west-1a, 172.31.1.0/24 in eu-west-1b and 172.31.2.0/24 in eu-west-1c.
Route to the Internet
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• … but you can assign different route tables to different subnets
Route table for an Internet-connected subnet:
• Traffic destined for my VPC stays in my VPC
• Everything that isn’t destined for the VPC: send to the Internet Gateway
Internet Gateway: send packets here if you want them to reach the Internet
Network security in VPC: Network ACLs / Security Groups
Network ACLs: Stateless firewalls
Example rule shown, in English: Allow all traffic in
Can be applied on a subnet basis
Diagram: the “MyWebServers” Security Group allows web traffic on 0.0.0.0/0; the “MyBackends” Security Group allows only “MyWebServers”.
Security Groups follow application structure
Security Groups example: web servers
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
Security Groups example: backends
In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group
Security Groups in VPC: additional notes
• Follow the Principle of Least Privilege
• VPC allows creation of egress as well as ingress Security Group rules
• Many application architectures lend themselves to a 1:1 relationship between Security Groups (who can reach me) and IAM roles (what I can do).
Connectivity options for VPCs
Beyond Internet connectivity
• Restricting Internet access
• Connecting to your corporate network
• Connecting to other VPCs
Restricting Internet access: Routing by subnet
Diagram: two VPC subnets; one has a route to the Internet, the other has no route to the Internet.
Outbound-only Internet access: NAT Gateway
Diagram: two VPC subnets; the 0.0.0.0/0 route of one subnet points at a NAT Gateway (public IP 54.161.0.39) in the other subnet, which has its own 0.0.0.0/0 route out to the Internet.
Inter-VPC connectivity: VPC peering
Example VPC peering use: shared services VPC
Common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Security Groups across peered VPCs
Diagram: VPC 172.31.0.0/16 (Orange Security Group) peered with VPC 10.55.0.0/16 (Blue Security Group), with an ALLOW rule between the two Security Groups.
Establish a VPC peering (between 172.31.0.0/16 and 10.55.0.0/16)
Step 1: Initiate peering request
Step 2: Accept peering request
Step 3: Create routes
In English: Traffic destined for the peered VPC should go to the peering
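The routing slides (the local route, the 0.0.0.0/0 route to an Internet Gateway, subnets with no Internet route, the NAT Gateway for outbound-only access, and step 3 of peering) all come down to one mechanism: a per-subnet route table consulted by longest-prefix match. The lookup below is an added example, not code from the deck or from AWS; the route tables are modelled on the slides and the igw-/nat-/pcx- target IDs are placeholders, not real resource IDs.

```python
import ipaddress

LOCAL = "local"

# Route tables modelled on the slides. Target IDs are placeholders, not real resources.
PUBLIC_SUBNET_RT = {
    "172.31.0.0/16": LOCAL,              # traffic destined for my VPC stays in my VPC
    "10.55.0.0/16": "pcx-PLACEHOLDER",   # peering step 3: the peered VPC via the peering connection
    "0.0.0.0/0": "igw-PLACEHOLDER",      # everything else: Internet Gateway
}
PRIVATE_SUBNET_RT = {
    "172.31.0.0/16": LOCAL,
    "10.55.0.0/16": "pcx-PLACEHOLDER",
    "0.0.0.0/0": "nat-PLACEHOLDER",      # outbound-only Internet access through a NAT Gateway
}
ISOLATED_SUBNET_RT = {
    "172.31.0.0/16": LOCAL,              # no route to the Internet at all
}


def lookup(route_table: dict, dst: str):
    """Longest-prefix match: the most specific matching route wins; no match means the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table: dict) -> str:
    """Public if the default route is an Internet Gateway, private if it is a NAT Gateway, isolated otherwise."""
    default = route_table.get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


if __name__ == "__main__":
    tables = {"public": PUBLIC_SUBNET_RT, "private": PRIVATE_SUBNET_RT, "isolated": ISOLATED_SUBNET_RT}
    for name, rt in tables.items():
        print(name, "->", classify_subnet(rt))
        for dst in ("172.31.1.24", "10.55.3.4", "54.4.5.6"):
            print("  ", dst, "->", lookup(rt, dst))
```

classify_subnet is the kind of check to run across every route table in an account: a subnet whose default route points at an Internet Gateway is exposed to inbound connections from the Internet (subject to Security Groups), which is rarely what a database or backend subnet should look like.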
Connecting to on-premises networks: Virtual Private Network & Direct Connect
Extend an on-premises network into your VPC
VPN
Direct Connect
AWS VPN basics
Diagram: your networking device (Customer Gateway, 192.168.0.0/16) connected to the Virtual Gateway of VPC 172.31.0.0/16 over two IPSec tunnels.
VPN and Amazon Direct Connect
• Both allow secure connections between your network and your VPC
• VPN is a pair of IPSec tunnels over the Internet
• Direct Connect is a dedicated line with lower per-GB data transfer rates
• For highest availability: Use both
VPC and the rest of AWS
AWS services in your VPC
Example: Amazon RDS database in your VPC
Diagram: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B.
Reachable via DNS Name: mydb-cluster-1 ….us-west-2.rds.amazonaws.com
VPC Endpoints for S3
S3 and your VPC
Diagram: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B (your applications), and an S3 Bucket (your data).
AWS VPC Endpoints for S3
Route S3-bound traffic to the VPCE
IAM Policy for VPC Endpoints
IAM Policy at VPC Endpoint: Restrict actions of VPC in S3
IAM Policy at S3 Bucket: Make accessible from
VPC Endpoint only
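The two policies on the last slide work as a pair: the endpoint policy limits what the VPC may do in S3, and the bucket policy denies any request that did not arrive through the endpoint, using the aws:SourceVpce condition key. The code below is an added example, not code from the deck or from AWS: it generates both policy documents and runs a deliberately simplified evaluator (explicit Deny wins, then Allow, otherwise implicit deny; only StringEquals/StringNotEquals are handled, and the caller's own IAM identity policy is not modelled). The bucket name and the vpce- ID are placeholders.

```python
import json
from fnmatch import fnmatch

BUCKET = "example-bucket"        # constructed bucket name
VPCE_ID = "vpce-PLACEHOLDER"     # placeholder endpoint ID, not a real one


def endpoint_policy(bucket: str) -> dict:
    """Policy on the VPC endpoint: the VPC may only read, write and list this one bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Policy on the bucket: deny everything that did not come through the endpoint."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
    }]}


def _matches(pattern, value: str) -> bool:
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch(value, p) for p in patterns)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Simplified condition evaluation. Note the IAM semantics for a missing key:
    StringNotEquals on an absent key is true (so the Deny fires), StringEquals is false."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
            if op not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(op)
    return True


def decide(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    outcome = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def request_allowed(action: str, resource: str, ctx: dict) -> bool:
    """Requests through the endpoint must pass its policy first; every request must then survive the bucket policy."""
    via_endpoint = "aws:SourceVpce" in ctx
    if via_endpoint and decide(endpoint_policy(BUCKET), action, resource, ctx) != "Allow":
        return False
    return decide(bucket_policy(BUCKET, VPCE_ID), action, resource, ctx) != "Deny"


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, VPCE_ID), indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/data.csv"
    print("via endpoint, GetObject:", request_allowed("s3:GetObject", obj, {"aws:SourceVpce": VPCE_ID}))
    print("from Internet, GetObject:", request_allowed("s3:GetObject", obj, {}))
    print("via endpoint, DeleteBucket:", request_allowed("s3:DeleteBucket", f"arn:aws:s3:::{BUCKET}", {"aws:SourceVpce": VPCE_ID}))
```

The missing-key behaviour of StringNotEquals is the whole point of the bucket policy: a request that never traversed the endpoint carries no aws:SourceVpce at all, and that absence is what the Deny matches. The same property is also why such a policy locks out console and CLI access from outside the VPC; test it on a non-production bucket first.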
DNS in a VPC
VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs
VPC Flow Logs
• Visibility into effects of Security Group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
Diagram: VPC 10.10.0.0/16 with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B.
VPC Flow Logs: setup
VPC traffic metadata captured in CloudWatch Logs
VPC Flow Logs data in CloudWatch Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
Annotations on the highlighted record: REJECT; UDP Port 53 = DNS
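The flow log slide reads a single record: a REJECT on UDP port 53 from a source the presenter then resolves with dig. Doing that over a whole log is the routine use of flow logs for the three purposes listed (Security Group effects, connectivity troubleshooting, traffic analysis). The parser below is an added example, not code from the deck or from AWS; it handles the default version-2 record format, skips NODATA/SKIPDATA records, and runs over constructed sample lines (placeholder account ID and ENI, documentation-range client addresses, plus the 109.236.86.32 source from the slide).

```python
from collections import Counter

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records; account ID and ENI are placeholders.
SAMPLE = """\
2 123456789012 eni-PLACEHOLDER 109.236.86.32 172.31.0.128 38422 53 17 1 76 1500000000 1500000060 REJECT OK
2 123456789012 eni-PLACEHOLDER 203.0.113.7 172.31.0.128 51234 80 6 12 8400 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 198.51.100.9 172.31.0.128 40001 22 6 1 60 1500000000 1500000060 REJECT OK
2 123456789012 eni-PLACEHOLDER 109.236.86.32 172.31.0.129 38423 53 17 1 76 1500000000 1500000060 REJECT OK
2 123456789012 eni-PLACEHOLDER - - - - - - - 1500000000 1500000060 - NODATA
"""


def parse_record(line: str):
    """One record -> dict with numeric fields converted, or None if it carries no traffic data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None                          # not a default-format record
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None                          # NODATA / SKIPDATA: traffic fields are "-"
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec


def parse_log(text: str) -> list:
    return [rec for rec in (parse_record(line) for line in text.splitlines()) if rec]


def rejected_by_port(records) -> Counter:
    """What the Security Groups / NACLs are rejecting, by protocol and destination port."""
    return Counter((r["proto_name"], r["dstport"]) for r in records if r["action"] == "REJECT")


def noisy_sources(records, min_rejects: int = 2) -> list:
    """Sources with repeated rejects; these are the addresses worth a reverse lookup, as on the slide."""
    counts = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    return sorted(src for src, n in counts.items() if n >= min_rejects)


if __name__ == "__main__":
    records = parse_log(SAMPLE)
    print(f"{len(records)} usable records")
    for (proto, port), n in rejected_by_port(records).most_common():
        print(f"REJECT {proto} port {port}: {n}")
    print("repeat offenders:", noisy_sources(records))
```

In a real deployment the same functions run over records pulled from the CloudWatch Logs group the flow log writes to; the two summaries are the ones to look at first after a Security Group change, since a sudden run of REJECTs on a port you expected to be open is the quickest sign that a rule was dropped.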
VPC: your private network in AWS