Networking in AWS Carl Simpson Technical Architect, Zen Internet - - PowerPoint PPT Presentation




slide-1
SLIDE 1

Networking in AWS

Carl Simpson – Technical Architect, Zen Internet Limited carl.simpson@zeninternet.co.uk

slide-6
SLIDE 6

About Me:

  • Technical Architect – Cloud & Hosting @ Zen Internet Limited
  • 12 years at Zen Internet
  • Networking guy turned Cloud guy
  • Makes comments like:
    • “Someone should do a talk on AWS networking!”
slide-11
SLIDE 11

What we’re going to cover:

  • VPC
  • VPC End Points
  • VPC Peering
  • Direct Connect
slide-14
SLIDE 14

What is a VPC?

  • VPC = Virtual Private Cloud
  • A private network ‘container’ within your AWS account:
slide-21
SLIDE 21

VPC – A Container for:

  • IP Subnet
  • Route Table
  • Security Group
  • EC2 instance
  • Amazon RDS
  • Redis

slide-22
SLIDE 22

Setting up your VPC

slide-23
SLIDE 23

Pick a region

Diagram: an AWS Region

slide-24
SLIDE 24

Choose VPC address space

VPC IPv4 CIDR block: 10.0.0.0/16

slide-25
SLIDE 25

Pick some Availability Zones

*Use three AZs where available

Diagram: VPC 10.0.0.0/16 spanning AZ A and AZ B

slide-27
SLIDE 27

Create some subnets

Diagram: inside VPC 10.0.0.0/16, AZ A holds Public Subnet A, Private Subnet 1A and Private Subnet 2A; AZ B holds Public Subnet B, Private Subnet 1B and Private Subnet 2B

slide-28
SLIDE 28

Suitable for ‘most’ cases

Subnet sizes shown: three /22 subnets and three /20 subnets

slide-30
SLIDE 30

What makes a subnet public?

Diagram: Public Subnet A and Public Subnet B are associated with the Public Route Table

slide-32
SLIDE 32

What makes a subnet private?

Diagram: Private Subnets 1A, 2A, 1B and 2B are associated with Private Route Table 1 and Private Route Table 2, each of which sends outbound traffic to a NAT Gateway (one per AZ)

slide-34
SLIDE 34

What might a private subnet have?

Diagram: the private subnets (1A, 2A, 1B, 2B) plus a Virtual Private Gateway (VGW) attached to the VPC
slide-38
SLIDE 38

Adding some servers/services

Diagram: an Elastic Load Balancer in the public subnets; a Web Server and a DB Server in the private subnets of each AZ

  • Load Balancer (ELB)
  • Web Server
  • Database Server

slide-41
SLIDE 41

What’s outside the VPC?

Diagram: outside the VPC sit the AWS Public Services: Amazon S3, Lambda function and Amazon DynamoDB

slide-43
SLIDE 43

But I want my stuff to be totally private!

Diagram: a VPC with only private subnets and a VGW; the path from the Web and DB servers to the AWS Public Services (Amazon S3, Lambda function, Amazon DynamoDB) is labelled ‘Internet’

slide-45
SLIDE 45

Use VPC Endpoints

Diagram: a VPC Endpoint sits in front of each of Amazon S3, Lambda function and Amazon DynamoDB, so that traffic no longer leaves through the NAT gateway. Saves money on NAT Gateway data transfer!

  • * Currently in preview.
  • Endpoints for other services coming

slide-49
SLIDE 49

Why use VPC Endpoints?

  • Improve Security
    • Reference them in security groups
    • Restrict S3 buckets to only VPC endpoint access (bucket policy)
  • Performance
  • Save Money

Bucket policy, shown here as a complete document (the slide had only the statement fragment):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Access-to-specific-VPCE-only",
          "Principal": "*",
          "Action": "s3:*",
          "Effect": "Deny",
          "Resource": [
            "arn:aws:s3:::examplebucket",
            "arn:aws:s3:::examplebucket/*"
          ],
          "Condition": {
            "StringNotEquals": {
              "aws:sourceVpce": "vpce-1a2b3c4d"
            }
          }
        }
      ]
    }
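
To see what that Deny actually does, here is an added Python evaluator (not part of the talk) that applies the statement to sample requests. It models only the string condition operators this policy uses; the bucket name and the vpce-1a2b3c4d endpoint ID are the placeholders from the slide.

```python
import fnmatch
import json

# The slide's statement, completed into a full bucket policy. vpce-1a2b3c4d is the
# placeholder endpoint ID from the slide, not a real endpoint.
VPCE_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPCE-only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context (dict of condition keys).
    Only the string operators this policy uses are modelled. Note the asymmetry:
    for StringNotEquals a key that is absent from the request still matches, which
    is why this Deny also blocks console and plain-Internet access to the bucket."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def explicit_deny(policy, action, resource, context):
    """Return the Sid of the first Deny statement that applies to the request, else None.
    Only Deny statements are evaluated: an explicit deny wins over any Allow, so this
    is enough to answer 'will the bucket policy block this request'."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return stmt.get("Sid")
    return None


def with_endpoints(policy, vpce_ids):
    """Copy of the policy that admits a list of endpoint IDs (one per VPC needing the bucket)."""
    new_policy = json.loads(json.dumps(policy))
    for stmt in new_policy["Statement"]:
        if stmt.get("Sid") == "Access-to-specific-VPCE-only":
            stmt["Condition"]["StringNotEquals"]["aws:sourceVpce"] = list(vpce_ids)
    return new_policy
```

A request with no aws:sourceVpce key at all (console, or an instance going out via the NAT gateway) is denied just like one from the wrong endpoint, so the endpoint list must cover every path that legitimately needs the bucket before the policy is applied.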
slide-54
SLIDE 54

VPC Endpoints

Diagram: the private-subnet Web and DB servers reach Amazon S3, Lambda function and Amazon DynamoDB through VPC Endpoints
slide-55
SLIDE 55

Putting it all together

Diagram: the full design: public subnets with the Elastic Load Balancer and NAT gateways, private subnets with Web and DB servers in AZ A and AZ B, a VGW, and VPC Endpoints to Amazon S3, Lambda function and Amazon DynamoDB
slide-58
SLIDE 58

What VPC things haven’t I mentioned?

  • IPv6
  • VPC Flow Logs

slide-59
SLIDE 59

IPv4 reminder

Diagram: the IPv4-only VPC 10.0.0.0/16 from earlier (public and private subnets, NAT gateways, VGW, AWS Public Services)
slide-61
SLIDE 61

Dual Stack (IPv4 & IPv6)

Diagram: VPC 10.0.0.0/16 + 2001:DB8::/56

AWS assigned /56 IPv6 address space

slide-62
SLIDE 62

Focusing on IPv6 - /64s Everywhere

Diagram: the AWS assigned /56 IPv6 address space, with one /64 per subnet (six /64s for the six subnets)

slide-63
SLIDE 63

Focusing on IPv6 (Public Subnet Routing)

Diagram: the AWS assigned /56 IPv6 address space, one /64 per subnet; the public subnets’ IPv6 routing goes via the Public Route Table

slide-64
SLIDE 64

Focusing on IPv6 (Private Subnet Routing)

Diagram: the AWS assigned /56 IPv6 address space, one /64 per subnet; the private route tables send IPv6 traffic out through an Egress Only Gateway

Egress Only Gateway

slide-65
SLIDE 65

Focusing on IPv6 (External Private Routing)

Diagram: as before, with the VGW alongside the Egress Only GW for private routing to external networks

slide-66
SLIDE 66

Dual Stack – All together

Diagram: the dual-stack VPC: 10.0.0.0/16 + 2001:DB8::/56, NAT gateways (IPv4), Egress Only Gateway (IPv6), VGW, Web and DB servers, and the AWS Public Services

AWS assigned /56 IPv6 address space

Egress Only Gateway

slide-67
SLIDE 67

Some CloudFormation IPv6 nonsense

slide-72
SLIDE 72

Some CloudFormation IPv6 nonsense

What the docs say:

    Ipv6TestSubnetCidrBlock:
      Type: "AWS::EC2::SubnetCidrBlock"
      Properties:
        Ipv6CidrBlock: !Ref Ipv6SubnetCidrBlock
        SubnetId: !Ref Ipv6TestSubnet

What you need to do:

    Ipv6TestSubnetCidrBlock:
      Type: 'AWS::EC2::SubnetCidrBlock'
      Properties:
        Ipv6CidrBlock:
          'Fn::Join':
            - '00'                             # your chosen subnet 'hextet' is the join delimiter
            - - 'Fn::Select':
                  - '0'
                  - 'Fn::Split':
                      - '00::/56'              # split on 00::/56 and grab the 1st part
                      - 'Fn::Select':
                          - '0'
                          - 'Fn::GetAtt':      # look up the /56 CIDR block
                              - Vpc
                              - Ipv6CidrBlocks
              - '::/64'
        SubnetId:
          Ref: PubSubnet1a
      DependsOn: VpcIpv6CidrBlock

  • Look up the /56 CIDR Block
  • Split on 00::/56 and grab the 1st part
  • Join your chosen subnet ‘hextet’, the AWS assigned prefix & ::/64
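
The Split/Select/Join chain and the arithmetic it stands in for, as an added Python example (not from the talk). The 2001:db8 blocks are documentation prefixes chosen for illustration; the second one shows the case where the string trick silently produces garbage.

```python
import ipaddress


def cloudformation_trick(vpc_ipv6_cidr, hextet):
    """Reproduce the slide's Fn::Split / Fn::Select / Fn::Join chain in plain Python.
    hextet is the two hex digits you choose for the subnet (the Fn::Join delimiter)."""
    prefix = vpc_ipv6_cidr.split("00::/56")[0]     # Fn::Split on '00::/56', then Fn::Select 0
    return hextet.join([prefix, "::/64"])          # Fn::Join [hextet, [prefix, '::/64']]


def subnet_ipv6_cidr(vpc_ipv6_cidr, index):
    """The index-th /64 (0..255) inside the AWS assigned /56, computed arithmetically
    so it does not depend on how the /56 happens to be written."""
    block = ipaddress.IPv6Network(vpc_ipv6_cidr)
    if block.prefixlen != 56:
        raise ValueError(f"expected a /56, got /{block.prefixlen}")
    if not 0 <= index < 256:
        raise ValueError("a /56 holds exactly 256 /64s")
    # Each /64 is 2**64 addresses wide, so the index lands in the low byte of the 4th hextet.
    return str(ipaddress.IPv6Network((int(block.network_address) + (index << 64), 64)))


def same_network(a, b):
    """True when two CIDR strings name the same network; False if either is not a valid CIDR."""
    try:
        return ipaddress.IPv6Network(a) == ipaddress.IPv6Network(b)
    except ValueError:
        return False


def check_trick_against_arithmetic(vpc_ipv6_cidr, hextet):
    """Does the string trick produce the right /64 for this VPC block and hextet?
    It fails when the /56 compresses to a form without '00::/56' in it, e.g. 2001:db8:1234::/56."""
    return same_network(cloudformation_trick(vpc_ipv6_cidr, hextet),
                        subnet_ipv6_cidr(vpc_ipv6_cidr, int(hextet, 16)))
```

Current CloudFormation also has Fn::Cidr, which does the arithmetic natively: `!Select [1, !Cidr [!Select [0, !GetAtt Vpc.Ipv6CidrBlocks], 256, 64]]` yields the second /64 of the /56 without any string surgery.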
slide-77
SLIDE 77

Auditing (VPC Flow Logs)

Diagram: flow logs are captured per elastic network adapter
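
As an added example (not from the talk), a small Python parser and two detections over VPC Flow Log records in the default version 2 format. The log lines are constructed sample data; the VPC CIDR and the admin-port list are assumptions.

```python
import ipaddress
from collections import defaultdict

# Default VPC Flow Log record layout (version 2), space separated, one record per line.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic): an external host probing three ports
# and being rejected, an accepted internal web request, a NODATA interval, an
# accepted SSH session from the Internet, and an ordinary accepted HTTPS request.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.16.12 51234 22 6 3 180 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.16.12 51235 3389 6 3 180 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.16.12 51236 445 6 3 180 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.20 10.0.16.12 44312 80 6 20 12000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1500000060 1500000120 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.16.12 40000 22 6 15 2400 1500000060 1500000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.16.12 40001 443 6 12 9000 1500000060 1500000120 ACCEPT OK
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumption: the talk's VPC block
ADMIN_PORTS = {22, 3389}                           # assumption: SSH and RDP


def parse_flow_log(text):
    """Parse records in the default format, dropping NODATA/SKIPDATA lines (their
    traffic fields are '-') and any line that does not have the expected 14 fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_suspicious(records, scan_threshold=3):
    """Two simple detections over traffic that originates outside the VPC:
    an accepted flow to an admin port, and one source rejected on many distinct ports."""
    rejected_ports = defaultdict(set)
    findings = []
    for rec in records:
        if ipaddress.ip_address(rec["srcaddr"]) in VPC_CIDR:
            continue                      # intra-VPC flows are out of scope here
        if rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
        elif rec["dstport"] in ADMIN_PORTS:
            findings.append(("admin-port-accepted-from-internet", rec["srcaddr"],
                             rec["dstaddr"], rec["dstport"]))
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            findings.append(("many-rejected-ports", src, sorted(ports)))
    return findings
```
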
slide-78
SLIDE 78

So we’re done?

slide-83
SLIDE 83

BIG

No! There’s more!

slide-84
SLIDE 84

You can have lots of VPCs

slide-86
SLIDE 86

So why have multiple VPCs?

Question: “Why have multiple AWS accounts?”

slide-92
SLIDE 92

Why have multiple accounts?

  • Damage limitation
  • Control/Autonomy
  • Regulation
  • Disaster Recovery
slide-93
SLIDE 93

“But I need my resources to communicate with those in other VPCs!”

slide-94
SLIDE 94

Use VPC Peering

Diagram: VPC A peered with VPC B

slide-95
SLIDE 95

VPC Peering

slide-98
SLIDE 98

Reference Security Groups in peered VPCs

Diagram: VPC A and VPC B. e.g. VPC A Security Group ID sg-000001a allows inbound port 80 from Security Group ID sg-000001b, which is applied to resources in VPC B

slide-100
SLIDE 100

Resolve DNS in peered VPCs

Diagram: VPC A and VPC B. e.g. when VPC A resolves ‘ec2-35-176-15-190.eu-west-2.compute.amazonaws.com’, which lives in VPC B, it resolves to 10.10.0.162, not 35.176.15.190

slide-102
SLIDE 102

VPC peering got much better in the last year!

  • Reference Security Groups in peered VPCs
  • Resolve DNS in peered VPCs
  • AWS have good (not cheap) transit VPC solutions
slide-105
SLIDE 105

VPC peering limitations

  • Unique address space required
  • No VPC Transit
slide-106
SLIDE 106

No (native) VPC transit

slide-107
SLIDE 107

VPC peering full mesh
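
An added Python example (not from the talk) that plans the peering connections and route entries for a full mesh versus hub-and-spoke, enforces the unique address space rule from the limitations slide, and shows why a hub cannot transit spoke-to-spoke traffic. The VPC names, CIDRs and pcx- names are constructed.

```python
import ipaddress
from itertools import combinations


def overlapping_pairs(vpcs):
    """Pairs of VPCs whose CIDRs overlap. Peering needs unique address space, so any
    pair returned here cannot be peered (and their routes would be ambiguous anyway)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def _peer(vpcs, a, b, peerings, routes):
    pcx = f"pcx-{a}-{b}"                 # constructed name; AWS assigns the real pcx- identifier
    peerings.append((pcx, a, b))
    routes[a].append((vpcs[b], pcx))     # each side needs a route to the other's CIDR
    routes[b].append((vpcs[a], pcx))


def _check(vpcs):
    clashes = overlapping_pairs(vpcs)
    if clashes:
        raise ValueError(f"overlapping address space: {clashes}")


def plan_full_mesh(vpcs):
    """Peering connections and per-VPC route entries so every VPC reaches every other.
    Peering is not transitive, so N VPCs need N*(N-1)/2 connections."""
    _check(vpcs)
    peerings, routes = [], {name: [] for name in vpcs}
    for a, b in combinations(sorted(vpcs), 2):
        _peer(vpcs, a, b, peerings, routes)
    return peerings, routes


def plan_hub_and_spoke(vpcs, hub):
    """Peer every other VPC with the hub only: N-1 connections, but spokes cannot talk."""
    _check(vpcs)
    peerings, routes = [], {name: [] for name in vpcs}
    for spoke in sorted(vpcs):
        if spoke != hub:
            _peer(vpcs, hub, spoke, peerings, routes)
    return peerings, routes


def reachable(routes, src, dst_ip):
    """Can src send to dst_ip over a peering? Only if src's own route table has a matching
    entry: with hub-and-spoke the hub never forwards spoke-to-spoke traffic."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr, _ in routes[src])
```
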

slide-109
SLIDE 109

Why would I want to transit a VPC anyway?

  • Force all traffic through central firewall(s)
slide-116
SLIDE 116

Force all traffic through central firewall(s)

Local Routes create real challenges!

Diagram: Subnet A (Web), Subnet B (DB), Subnet C (FW/IDS). The VPC’s ‘local’ route delivers Subnet A to Subnet B traffic directly, so it never passes through the firewall in Subnet C.
slide-117
SLIDE 117

Force all (inter-subnet) traffic through a firewall (for IDS/IPS)

Diagram: Customer-VPC 10.0.0.0/16 (Author: Carl Simpson – Zen Internet Ltd; Diagram Status: Draft – Version 3; Date 27/08/2015). In each of AZ A and AZ B: two public subnets (an F5 load balancer doing SNAT and a Cisco ASA), two transit subnets (Cisco Firepower as FW/IDS), two web farm subnets and a DB subnet, each with its own routing table shown on the slide; an IGW, a VGW, and Route53 health-checked, round-robin/weighted DNS in front of the AZs. AZ A uses 10.0.1.0/24 to 10.0.7.0/24 and AZ B uses 10.0.101.0/24 to 10.0.107.0/24 for the same roles; the AZ C plan is:

  • 192.168.0.3 – SNAT F5 load balancer
  • 10.0.201.0/24 – PubSub1C
  • 10.0.202.0/24 – PubSub2C
  • 10.0.203.0/24 – TransitSub1C
  • 10.0.204.0/24 – TransitSub2C
  • 10.0.205.0/24 – WebFarmSub1C
  • 10.0.206.0/24 – WebFarmSub2C
  • 10.0.207.0/24 – DbSub1C
slide-118
SLIDE 118

Why would I want to transit a VPC anyway?

  • Force all traffic through a firewall
  • Privately route between VPCs in remote regions
slide-119
SLIDE 119

AWS Global VPC Transit Solution

https://aws.amazon.com/answers/networking/transit-vpc/
slide-120
SLIDE 120

Direct Connect

slide-122
SLIDE 122

Why use Direct Connect?

  • Lower latency
slide-126
SLIDE 126

Diagram: map with EU-WEST-1 (Dublin), Manchester (‘You Are Here!’) and EU-WEST-2 (London), showing the best Direct Connect path
slide-130
SLIDE 130

Let’s check the AWS Direct Connect FAQs:

“Q. Does AWS Direct Connect offer a Service Level Agreement (SLA)?”

Answer: “Not at this time.”


slide-135
SLIDE 135

AWS Direct Connect Bandwidth

  • Provides 1 Gbps and 10 Gbps ports
  • Now supports LACP

slide-142
SLIDE 142

Consistent Network Performance?

  • Dedicated Links
  • Isolated from Internet Routing changes
  • More controlled environment


slide-147
SLIDE 147

Connectivity Options - Single Site Solution

Use Zen, we can provide this! :-)

Diagram: Customer Office connected to the VGW
slide-149
SLIDE 149

Connectivity Options - Multi-site solution

Use Zen, we can provide this too! :-)

Diagram: Customer Office(s) and Customer Data Centre(s) joined by the customer’s IPVPN/MPLS, which connects to the VGW
slide-150
SLIDE 150

Connectivity Options – Multi-site solution (private and public)

Use Zen, we can provide this too! :-)

Customer requires public IP space for access to public services!

Diagram: Customer Office(s) and Customer Data Centre(s) over the customer’s IPVPN/MPLS, reaching both the VGW (private) and the Public Services (Amazon S3, Lambda function, Amazon SQS)

slide-153
SLIDE 153

Why use Direct Connect?

  • Lower latency ✗
  • Service Level Agreement ✗
  • High Bandwidth ✓
  • Consistent Network Performance ✓
  • Private Connectivity to Amazon VPC ✓
  • Private Connectivity to AWS public services ✓

slide-156
SLIDE 156

So how do I get Direct Connect?

  • DIY connection
    • 1G or 10G bandwidth options only
    • Build your network out to a Direct Connect location
  • Hosted connection
    • 50M bandwidth and up
    • Partner ‘may’ bring the connection to you
slide-157
SLIDE 157

Direct Connect - A little more detail


slide-162
SLIDE 162

Direct Connect Routing

Diagram: the Customer/Partner Router (Customer/Partner ASN) and the AWS Router (Amazon ASN, in front of the VGW) peer over VLAN 1 using eBGP, and each side announces routes to the other

  • MED and AS PATH prepending supported
  • Direct Connect preferred over VPN connection

slide-163
SLIDE 163

What we’ve covered:

  • VPC
  • VPC End Points
  • VPC Peering
  • Direct Connect
slide-164
SLIDE 164

Final thing…

slide-165
SLIDE 165

Public Cloud Connect

Public Cloud Connect: for multi-cloud access

Diagram: Customer Site 1, Customer Site 2 … Customer Site n connected through Public Cloud Connect to the AWS (EU-West) Regions and to Another Cloud Provider
slide-166
SLIDE 166

Thanks!

slide-167
SLIDE 167

Questions?