
Networking in AWS
Carl Simpson, Technical Architect, Zen Internet Limited
carl.simpson@zeninternet.co.uk

About Me: Technical Architect, Cloud & Hosting @ Zen Internet Limited


  1. Why use VPC Endpoints?
     • Improve Security
       • Reference them in security groups
       • Restrict S3 buckets to only VPC endpoint access (bucket policy)
     • Performance
     • Save Money
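The "restrict S3 buckets to only VPC endpoint access" point is usually implemented as an explicit Deny in the bucket policy keyed on aws:SourceVpce. The Python below is an added example, not code from the talk or from AWS: it builds that policy and evaluates its Deny condition for a request context the way IAM does for the negated StringNotEquals operator (a request with no aws:SourceVpce at all, i.e. one arriving over the internet, satisfies the condition and is denied). The bucket name and endpoint IDs are constructed placeholders.

```python
"""Build and sanity-check an S3 bucket policy that denies every request not
arriving through a named VPC endpoint. Added example; bucket and vpce ids are
constructed placeholders, not values from the talk."""
from __future__ import annotations


def vpce_only_bucket_policy(bucket: str, vpce_ids: list[str]) -> dict:
    """Explicit Deny for any principal whose request did not come via one of
    the listed endpoints. aws:SourceVpce is absent for internet requests, so
    they fail StringNotEquals and are denied along with other endpoints."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromVpce",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_ids}},
            }
        ],
    }


def request_denied(policy: dict, source_vpce: str | None) -> bool:
    """Evaluate only the Deny statements' aws:SourceVpce conditions for a
    request context. Mirrors IAM semantics for this one key: a missing key
    satisfies a negated operator such as StringNotEquals (the "...IfExists"
    variant would not), so None models an internet-originated request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:SourceVpce")
        if allowed is None:
            continue  # statement is not about endpoints
        if isinstance(allowed, str):
            allowed = [allowed]
        if source_vpce not in allowed:
            return True
    return False


def restricts_to_vpce(policy: dict) -> bool:
    """Audit check: does this policy deny a request that carries no
    aws:SourceVpce (i.e. one that did not come through any endpoint)?"""
    return request_denied(policy, None)


if __name__ == "__main__":
    pol = vpce_only_bucket_policy("example-bucket", ["vpce-0123456789abcdef0"])
    print("internet request denied:", request_denied(pol, None))
    print("own endpoint denied:", request_denied(pol, "vpce-0123456789abcdef0"))
```

restricts_to_vpce is the check to run over existing bucket policies during review: a policy that only *allows* the endpoint, without the Deny, still admits any other principal an IAM policy happens to grant.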

  3. VPC Endpoints
     [Diagram: VPC 10.0.0.0/16 with a VGW, spanning AZ A and AZ B. Each AZ has a Private Subnet 1A (Web Server) and a Private Subnet 2A (DB Server), served by Private Route Table 1 and Private Route Table 2. VPC Endpoints connect the private subnets to the AWS Public Services Amazon S3, Amazon DynamoDB and a Lambda function inside the AWS Region.]

  6. Putting it all together
     [Diagram: the same VPC with Public Subnet A and Public Subnet B added under a Public Route Table, an Elastic Load Balancer, and a NAT gateway per AZ; the VPC Endpoints to Amazon S3, Amazon DynamoDB and the Lambda function remain.]

  7. What VPC things haven’t I mentioned?
     • IPv6
     • VPC Flow Logs

  10. IPv4 reminder
      [Diagram: the IPv4-only layout from before: VPC 10.0.0.0/16 with VGW, Public Subnets A and B under a Public Route Table with a NAT gateway per AZ, Private Subnets 1A and 2A in each AZ under Private Route Tables 1 and 2, and the AWS Public Services Amazon S3, Amazon DynamoDB and Lambda.]

  11. Dual Stack (IPv4 & IPv6)
      [Diagram: the same VPC with an AWS assigned /56 of IPv6 address space added alongside 10.0.0.0/16, shown as 2001:DB8::/56.]

  13. Focusing on IPv6 - /64s Everywhere
      [Diagram: every subnet, public and private, gets a /64 carved out of the AWS assigned /56.]

  14. Focusing on IPv6 (Public Subnet Routing)
      [Diagram: same layout, highlighting the Public Route Table for the public subnets’ IPv6 routing.]

  15. Focusing on IPv6 (Private Subnet Routing)
      [Diagram: the private subnets’ IPv6 traffic leaves through an Egress Only Gateway via Private Route Tables 1 and 2; it takes over the NAT gateway’s outbound-only role, since IPv6 addresses are routable and there is nothing to translate.]

  16. Focusing on IPv6 (External Private Routing)
      [Diagram: the VGW alongside the Egress Only GW for the private subnets’ routes to external networks.]

  17. Dual Stack – All together
      [Diagram: the full layout: VPC 10.0.0.0/16 + 2001:DB8::/56 with VGW, Public Subnets A and B under a Public Route Table with a NAT gateway per AZ (IPv4) and an Egress Only Gateway (IPv6), Private Subnets 1A (Web Servers) and 2A (DB Servers) under Private Route Tables 1 and 2, and the AWS Public Services Amazon S3, Amazon DynamoDB and Lambda.]

  18. Some CloudFormation IPv6 nonsense

      What the docs say:

          Ipv6TestSubnetCidrBlock:
            Type: "AWS::EC2::SubnetCidrBlock"
            Properties:
              Ipv6CidrBlock: !Ref Ipv6SubnetCidrBlock
              SubnetId: !Ref Ipv6TestSubnet

      What you need to do:

          Ipv6TestSubnetCidrBlock:
            Type: 'AWS::EC2::SubnetCidrBlock'
            Properties:
              Ipv6CidrBlock:
                'Fn::Join':
                  - '00'                           # your chosen subnet 'hextet'
                  - - 'Fn::Select':
                        - '0'
                        - 'Fn::Split':
                            - '00::/56'            # split on 00::/56 and grab the 1st part
                            - 'Fn::Select':
                                - '0'
                                - 'Fn::GetAtt':    # look up the /56 CIDR block
                                    - Vpc
                                    - Ipv6CidrBlocks
                    - '::/64'
              SubnetId:
                Ref: PubSubnet1a
            DependsOn: VpcIpv6CidrBlock

      Reading it inside out:
      • Look up the /56 CIDR block the VPC was assigned (Fn::GetAtt Vpc.Ipv6CidrBlocks, first entry).
      • Split on ‘00::/56’ and grab the 1st part, i.e. the prefix without its trailing hextet.
      • Join your chosen subnet ‘hextet’, the AWS assigned prefix and ‘::/64’ (the Fn::Join delimiter is the hextet itself).
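The string juggling in that template is easier to trust once you see it next to a real address calculation. The Python below is an added example, not from the talk or from AWS: subnet_cidr_cfn_style reproduces the Fn::Split / Fn::Select / Fn::Join steps literally, subnet_cidr derives the same /64 with the ipaddress module, and cfn_split_trick_applies is the check that the split actually has something to bite on. The VPC prefix used is a constructed documentation address, not one the talk shows.

```python
"""Derive per-subnet IPv6 /64 blocks from the /56 AWS assigns to a VPC, both
the way the CloudFormation template does it (string splitting) and the way
an address library does it. Added example; the /56 is a constructed
documentation prefix."""
from __future__ import annotations
import ipaddress


def subnet_cidr_cfn_style(vpc_cidr: str, subnet_hextet: str) -> str:
    """Literal replica of the template: Fn::Split on '00::/56', Fn::Select 0,
    then Fn::Join with the chosen hextet as the delimiter between the prefix
    and '::/64'. No validation, exactly like the intrinsic functions."""
    prefix = vpc_cidr.split("00::/56")[0]
    return subnet_hextet.join([prefix, "::/64"])


def subnet_cidr(vpc_cidr: str, index: int) -> str:
    """The same /64 computed arithmetically: a /56 holds 256 /64s, so index
    0..255 selects one. Raises on anything that is not a /56."""
    vpc = ipaddress.IPv6Network(vpc_cidr)
    if vpc.prefixlen != 56:
        raise ValueError(f"expected a /56 VPC block, got /{vpc.prefixlen}")
    if not 0 <= index < 256:
        raise ValueError("index must be in 0..255")
    base = int(vpc.network_address) + (index << 64)
    return str(ipaddress.IPv6Network((base, 64)))


def hextet_for(index: int) -> str:
    """The two hex digits the template expects as its Fn::Join delimiter."""
    return f"{index:02x}"


def cfn_split_trick_applies(vpc_cidr: str) -> bool:
    """The template's Fn::Split assumes the /56 is written with an explicit
    trailing '00' in its fourth hextet, e.g. '...:d400::/56'. A prefix whose
    fourth hextet is zero compresses to '::' and the split matches nothing,
    so Fn::Join would glue '::/64' onto the unchanged '/56' string."""
    return vpc_cidr.endswith("00::/56")


if __name__ == "__main__":
    vpc = "2001:db8:1234:5600::/56"  # constructed; AWS hands you the real one
    for i in (0, 1, 255):
        print(subnet_cidr_cfn_style(vpc, hextet_for(i)), subnet_cidr(vpc, i))
```

Note that the talk's illustrative 2001:DB8::/56 is written in compressed form and does not end in ‘00::/56’, so fed literally into that template the split would find nothing; the form AWS returns for a real VPC has the trailing hextet spelled out, which is what the template relies on. Checking cfn_split_trick_applies on the Fn::GetAtt output before trusting the stack is the cheap guard.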

  27. Auditing (VPC Flow Logs)
      [Diagram: flow logs are captured per elastic network adapter.]
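What "auditing" with flow logs looks like in practice is reading the records and asking questions of them. The Python below is an added example, not from the talk: it parses records in the default version-2 flow log field order, skips the NODATA / SKIPDATA records that carry no traffic, and summarises which destination ports each source was REJECTed on, a first-pass signal for scanning against a security group. The log lines are constructed, using documentation addresses and a made-up account and ENI id.

```python
"""Parse VPC Flow Log records (default version-2 field order) and summarise
REJECTed traffic per source. Added example; SAMPLE_LOG is constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: two probes against 10.0.2.15 rejected by its security
# group, one accepted web request, and one window with nothing captured.
SAMPLE_LOG = """\
2 123456789012 eni-0abc123de456f7890 198.51.100.7 10.0.2.15 43210 22 6 1 40 1700000000 1700000059 REJECT OK
2 123456789012 eni-0abc123de456f7890 198.51.100.7 10.0.2.15 43211 3389 6 1 40 1700000000 1700000059 REJECT OK
2 123456789012 eni-0abc123de456f7890 203.0.113.9 10.0.1.10 51515 80 6 12 6400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0abc123de456f7890 - - - - - - - 1700000060 1700000119 - NODATA
"""


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    nbytes: int
    action: str


def parse_flow_log(text: str) -> list[FlowRecord]:
    """One FlowRecord per data-bearing line. NODATA/SKIPDATA lines carry '-'
    placeholders in the traffic fields, so they are dropped before any int()
    conversion; lines with the wrong field count (custom formats) are ignored."""
    records: list[FlowRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"], int(row["dstport"]),
                                  int(row["protocol"]), int(row["bytes"]), row["action"]))
    return records


def rejected_ports_by_source(records: list[FlowRecord]) -> dict[str, set[int]]:
    """Map each source address to the set of destination ports it was
    REJECTed on; one source touching many ports is the classic scan signal."""
    out: dict[str, set[int]] = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            out[r.srcaddr].add(r.dstport)
    return dict(out)


def accepted_bytes(records: list[FlowRecord]) -> int:
    """Total bytes on ACCEPTed flows, the denominator for 'is this normal'."""
    return sum(r.nbytes for r in records if r.action == "ACCEPT")


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for src, ports in rejected_ports_by_source(recs).items():
        print(f"{src} rejected on {len(ports)} port(s): {sorted(ports)}")
    print("accepted bytes:", accepted_bytes(recs))
```

The field order above is the default format only; if the log group was created with a custom format, the column list has to come from the flow log definition rather than be assumed.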

  29. So we’re done?

  30. BIG No! There’s more!

  35. You can have lots of VPCs
      [Image: many VPCs, each labelled “Baby”]

  36. So why have multiple VPCs?
      Question: “Why have multiple AWS accounts?”

  38. Why have multiple accounts?
      • Damage limitation
      • Control/Autonomy
      • Regulation
      • Disaster Recovery

  44. “But I need my resources to communicate with those in other VPCs!”

  45. Use VPC Peering
      [Diagram: VPC A peered with VPC B]

  47. VPC peering got much better in the last year!
      • Reference Security Groups in peered VPCs
      • Resolve DNS in peered VPCs

  49. Reference Security Groups in peered VPCs
      e.g. in VPC A, Security Group sg-000001a allows inbound port 80 from Security Group sg-000001b, which is applied to resources in VPC B.
      [Diagram: VPC A peered with VPC B]

  51. Resolve DNS in peered VPCs
      e.g. when VPC A resolves ‘ec2-35-176-15-190.eu-west-2.compute.amazonaws.com’, which lives in VPC B, it resolves to the private address 10.10.0.162, not the public 35.176.15.190, so the traffic stays on the peering link.
