In this session, we will walk through the fundamentals of Amazon Virtual Private Cloud (VPC). First, we will cover build-out and design fundamentals for VPC, including picking your IP space, subnetting, routing, security, NAT, and much more. We will then transition into different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks AWS makes available with VPC and how you can connect this with your offices and current data center footprint.
9. (Diagram) An internal user in the corporate data center reaches http://internal-app, a web tier hosted in the VPC, through the corporate router/firewall and a VPN gateway, over a VPN that runs across the Internet.
10. (Diagram) On-premises side, across corporate data centers: your private network, Active Directory, network configuration, encryption, an HSM appliance, backup appliances, users and access rules, and your on-premises apps. Cloud side: your cloud apps and cloud backups. The two sides are joined by AWS Direct Connect.
11. (Diagram) Disaster-recovery pattern. The corporate data center runs a web server, an application server, and a DB server with a data volume. These are mirrored/replicated to an EC2 web server, an EC2 application server, and an EC2 DB server backed by an Amazon Elastic Block Store (EBS) data volume. The Amazon Elastic Compute Cloud (EC2) instances are stopped; they can be restarted if the primary application goes down. The DB runs on a smaller EC2 instance, but it can be stopped and restarted as a larger EC2 instance. Amazon Route 53 lets you repoint DNS in an outage so the user is sent to the AWS copy.
15. (Diagram) VPC CIDR 10.1.0.0/16 with subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.10.0/24 in Availability Zone B.
16. (Diagram) The same VPC (CIDR 10.1.0.0/16; 10.1.1.0/24 in Availability Zone A, 10.1.10.0/24 in Availability Zone B) with an Internet Gateway attached, giving a path to the Internet and to the AWS public API endpoints.
17. (Diagram) The same VPC (CIDR 10.1.0.0/16; 10.1.1.0/24 in Availability Zone A, 10.1.10.0/24 in Availability Zone B) with a VPN Gateway connected over a VPN across the Internet to a Customer Gateway in the corporate data center, so an internal user can reach the VPC.
18. (Diagram) Same layout as slide 17.
19. • By default, every subnet can talk to every other subnet
• Enabled by a virtual router that sits in a star topology between all subnets
• VPC DHCP service hands out a .1 default gateway to each instance coming up in a subnet (in a /24 subnet)
(Diagram) VPC CIDR 10.1.0.0/16 with a public subnet and a private subnet in each of Availability Zones A and B: Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24. Each subnet's router is its .1 address.
20. (Diagram) VPC CIDR 10.1.0.0/16 (10.1.1.0/24 in Availability Zone A, 10.1.10.0/24 in Availability Zone B) with an Internet Gateway to the Internet and the AWS public API endpoints. Route table:
Destination   Target
10.1.0.0/16   local
0.0.0.0/0     igw
21. (Diagram) VPC CIDR 10.1.0.0/16 (10.1.1.0/24 in Availability Zone A, 10.1.10.0/24 in Availability Zone B) with a VPN Gateway connected over a VPN across the Internet to the Customer Gateway in the corporate data center, reached by an internal user.
22. (Diagram) VPC CIDR 10.1.0.0/16 with subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.10.0/24 in Availability Zone B, an Internet Gateway to the Internet and the AWS public API endpoints, and an Elastic IP (EIP) on the instance in each subnet. Route table:
Destination   Target
10.1.0.0/16   local
0.0.0.0/0     igw
23. (Diagram) Same layout and route table as slide 22, with each instance's primary elastic network interface, ENI (eth0), called out.
24. (Diagram) VPC CIDR 10.1.0.0/16 across Availability Zones A and B, with a network ACL applied to each VPC subnet.
25. (Diagram) Subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.10.0/24 in Availability Zone B within VPC CIDR 10.1.0.0/16, with a Security Group applied to the instances.
27. (Diagram) VPC 10.1.0.0/16 with a VPC public subnet and a VPC private subnet.
Public subnet: NAT instance (public 54.200.129.18, private 10.1.1.11/24) and web server (public 54.200.129.29, private 10.1.1.12/24), reaching the Internet and the AWS public API endpoints through the IGW. Public subnet route table:
Destination   Target
10.1.0.0/16   local
0.0.0.0/0     igw
Private subnet: database servers at 10.1.10.3/24, 10.1.10.4/24, and 10.1.10.5/24. They reach the corporate network through the VGW (VPN or Direct Connect to the CGW) and everything else through the NAT instance. Private subnet route table:
Destination    Target
10.1.0.0/16    local
172.16.0.0/8   vgw
0.0.0.0/0      NAT
29. Examples of “high blast radius” VPC API calls that should be restricted:
AttachInternetGateway
AssociateRouteTable
CreateRoute
DeleteCustomerGateway
DeleteInternetGateway
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteRoute
DeleteRouteTable
DeleteDhcpOptions
ReplaceNetworkAclAssociation
DisassociateRouteTable
30. • Consider future AWS region expansion
• Consider future connectivity to your internal networks
• Consider applications your VPC will host
• Consider subnet design
• VPC can be /16 down to /28
• CIDR cannot be modified after creation
• Overlapping IP spaces = future headache
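The planning rules above (a VPC between /16 and /28, a CIDR that cannot change later, and no overlap with networks you will connect to) are easy to check before you create anything. The following is an added example, not code from the talk: a small Python planner using the standard library's ipaddress module. The on-premises ranges and the peer VPC CIDR are constructed inputs for the example, and the five addresses AWS reserves per subnet (network address, .1 router, .2 DNS, .3 reserved, broadcast) come from AWS documentation rather than from the slides.

```python
import ipaddress

# Constructed planning inputs for this example (not from the talk): corporate
# ranges the VPC may later reach over VPN/Direct Connect, and the CIDR of a VPC
# you might peer with (the peering slide in the deck uses 10.0.0.0/16).
ON_PREM_RANGES = ["10.0.0.0/16", "172.16.0.0/12"]
PEER_VPC_CIDRS = ["10.0.0.0/16"]

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1, handed out by DHCP as the default gateway), the DNS resolver (.2),
# one address reserved for future use (.3), and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr, other_ranges=None):
    """Return a list of problems with a proposed VPC CIDR (empty means OK).

    Checks the /16 to /28 size rule from the talk, rejects malformed prefixes,
    and flags overlap with every range in other_ranges (default: the
    constructed on-prem and peer ranges above).
    """
    if other_ranges is None:
        other_ranges = ON_PREM_RANGES + PEER_VPC_CIDRS
    try:
        net = ipaddress.ip_network(cidr)  # strict: host bits set is an error
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: /{net.prefixlen} is outside the allowed /16 to /28 range")
    for other in other_ranges:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{net} overlaps {other}")
    return problems


def subnet_info(cidr):
    """Describe one subnet's usable space once AWS's reserved addresses are removed."""
    net = ipaddress.ip_network(cidr)
    return {
        "cidr": str(net),
        "router": str(net.network_address + 1),        # the .1 default gateway
        "dns": str(net.network_address + 2),
        "first_usable": str(net.network_address + 4),  # .0 to .3 are reserved
        "last_usable": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - AWS_RESERVED_PER_SUBNET,
    }


def carve_subnets(vpc_cidr, new_prefix):
    """Split a VPC CIDR into equal subnets of the given prefix length (max /28)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if new_prefix < vpc.prefixlen or new_prefix > 28:
        raise ValueError(f"subnet prefix /{new_prefix} must be between /{vpc.prefixlen} and /28")
    return [subnet_info(str(s)) for s in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for candidate in ["10.1.0.0/16", "10.0.0.0/16", "10.1.0.0/30", "10.1.1.0/16"]:
        print(candidate, validate_vpc_cidr(candidate) or "OK")
    for s in carve_subnets("10.1.0.0/16", 24)[:2]:
        print(s)
```

Running the planner against the deck's own 10.1.0.0/16 passes, while 10.0.0.0/16 is rejected twice (it collides with both the constructed on-prem range and the peer VPC), which is exactly the "future headache" the slide warns about.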
37. • Problem
If my instance fails or I need to upgrade it, I need to push traffic to another instance with the same public and private IP addresses and same network interface
• Solution
Deploy your application in VPC and use an ENI on eth1 that can be moved between instances and retain same MAC, public, and private IP addresses
• Pros
– Since we are moving the ENI, DNS will not need to be updated
– Fallback is as easy as moving the ENI back to the original instance
– Anything pointing to the public or private IP on the instance will not need to be updated
– ENIs can be moved across instances in a subnet
(Diagram) Virtual Private Cloud with one Availability Zone and one VPC subnet containing two EC2 instances; the ENI (eth1) is moved between them, with Amazon Route 53 providing DNS.
38. • Tagging strategy should be part of early design
• Project code, cost center, environment, version, team, business unit
• Tag resources right after creation
• Tags supported for resource permissions
• AWS Billing also supports tags
• Tight IAM controls on the creation and editing of tags
40. Use Amazon EC2 RunInstances resource-level permissions to control:
• What AMI can be launched
• What VPC or subnet can be targeted
• What security groups must be in place
• Which VPCs allow peering
For more policy examples:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
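Slides 29 and 40 describe two IAM controls: an explicit deny on the high-blast-radius VPC calls, and resource-level permissions on RunInstances so that launches can only target an approved subnet and security group. The following added example, which is not code from the talk or from AWS, builds such a policy document in the standard IAM JSON format and includes a deliberately simplified evaluator (explicit deny wins; every resource ARN in a request must be covered by an Allow) so you can test what the policy permits offline. The region, account id, subnet id, security group id, and AMI id are constructed placeholders; the real IAM evaluation logic has more rules (conditions, permission boundaries, SCPs) than this evaluator models.

```python
import json
import re

# The "high blast radius" VPC API calls listed in the talk.
HIGH_BLAST_RADIUS = [
    "AttachInternetGateway", "AssociateRouteTable", "CreateRoute",
    "DeleteCustomerGateway", "DeleteInternetGateway", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "DeleteRoute", "DeleteRouteTable",
    "DeleteDhcpOptions", "ReplaceNetworkAclAssociation", "DisassociateRouteTable",
]

# Constructed placeholder identifiers for the example.
REGION, ACCOUNT = "us-west-2", "123456789012"
APPROVED_SUBNET, APPROVED_SG = "subnet-0a1b2c3d", "sg-0f9e8d7c"


def build_policy(region, account, subnet_id, sg_id):
    """IAM policy (2012-10-17 format): deny the high-blast-radius VPC calls,
    allow read-only Describe calls, and allow RunInstances only into the
    approved subnet with the approved security group."""
    ec2 = f"arn:aws:ec2:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyHighBlastRadiusVpcChanges", "Effect": "Deny",
             "Action": [f"ec2:{a}" for a in HIGH_BLAST_RADIUS], "Resource": "*"},
            {"Sid": "AllowReadOnly", "Effect": "Allow",
             "Action": "ec2:Describe*", "Resource": "*"},
            {"Sid": "LaunchOnlyIntoApprovedSubnetAndSg", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": [
                 f"{ec2}:subnet/{subnet_id}",            # only this subnet
                 f"{ec2}:security-group/{sg_id}",        # only this security group
                 f"{ec2}:instance/*",
                 f"{ec2}:network-interface/*",
                 f"{ec2}:volume/*",
                 f"arn:aws:ec2:{region}::image/ami-*",   # image ARNs carry no account
             ]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' exactly one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _covers(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are matched as written here.
    return (any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            and any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])))


def evaluate(policy, action, resources):
    """Simplified IAM decision: an explicit Deny matching any requested resource
    wins; otherwise every resource must be covered by some Allow statement
    (RunInstances presents several resource ARNs and all must be allowed)."""
    statements = policy["Statement"]
    for stmt in statements:
        if stmt["Effect"] == "Deny" and any(_covers(stmt, action, r) for r in resources):
            return False, f"explicit deny by {stmt['Sid']}"
    for resource in resources:
        if not any(s["Effect"] == "Allow" and _covers(s, action, resource) for s in statements):
            return False, f"no Allow covers {action} on {resource}"
    return True, "allowed"


def launch_request(subnet_id, sg_id):
    """Resource ARNs a RunInstances call presents for authorization (constructed)."""
    ec2 = f"arn:aws:ec2:{REGION}:{ACCOUNT}"
    return [f"{ec2}:subnet/{subnet_id}", f"{ec2}:security-group/{sg_id}",
            f"{ec2}:instance/*", f"{ec2}:network-interface/*", f"{ec2}:volume/*",
            f"arn:aws:ec2:{REGION}::image/ami-1234abcd"]


POLICY = build_policy(REGION, ACCOUNT, APPROVED_SUBNET, APPROVED_SG)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    rtb = f"arn:aws:ec2:{REGION}:{ACCOUNT}:route-table/rtb-0123"
    print("CreateRoute:", evaluate(POLICY, "ec2:CreateRoute", [rtb]))
    print("approved launch:", evaluate(POLICY, "ec2:RunInstances", launch_request(APPROVED_SUBNET, APPROVED_SG)))
    print("other subnet:", evaluate(POLICY, "ec2:RunInstances", launch_request("subnet-ffff0000", APPROVED_SG)))
```

The point the evaluator makes visible is that the RunInstances Allow is only as tight as its resource list: a launch into any other subnet fails because that subnet ARN is not covered, and the Deny on CreateRoute holds even if another policy attached to the same principal grants ec2:*.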
42. 1. Backhaul through your own corporate firewall?
2. Public route with public IP
3. Using NAT
4. Advanced patterns
   a. Creating an HA NAT
   b. Using a proxy layer
43. (Diagram) Backhaul pattern. In the AWS Region, intranet apps in private subnets in Availability Zones A and B send all non-local traffic, including traffic for Amazon S3 and the Internet, to the Virtual Private Gateway. The VPN connection terminates on the Customer Gateway behind the customer border router in the customer data center, which then forwards Internet-bound traffic out through its own Internet connection. Route table:
Destination   Target
10.1.0.0/16   local
0.0.0.0/0     vgw
44. • Problem
EC2 instances need access to the Internet
• Solution
– Either attach an EIP or have a public IP added at launch
– Create a route from the subnet where you are deploying your instances to the IGW
• Pros
Your devices can access the Internet and AWS public endpoints
• Notes
Your security group can prohibit inbound traffic from the Internet so your instances can reach the Internet but cannot be reached publicly from outside your VPC
(Diagram) Virtual Private Cloud with one Availability Zone and a VPC public subnet; an EC2 / NAT instance with an Elastic or public IP reaches the Internet and an Amazon S3 bucket through the Internet Gateway. Route table:
Destination   Target
10.1.0.0/16   local
0.0.0.0/0     igw
45. • Problem
EC2 instances in a private subnet need access to the Internet to call APIs, for downloads, and for updates to software packages and the OS
• Solution
Deploy a NAT server on an EC2 instance that will provide Internet access to servers in private subnets
• Pros
– Your devices are not publicly addressable but still have Internet access
– NAT gives instances in private subnet capability to access AWS services and APIs outside of VPC
(Diagram) Virtual Private Cloud with one Availability Zone, a VPC public subnet holding the EC2 / NAT instance behind the Internet Gateway, and a VPC private subnet holding two EC2 instances whose default route points at the NAT. Private subnet route table:
Destination   Target
10.1.0.0/16   local
0.0.0.0/0     NAT
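Slides 20, 27, 43, 44 and 45 each hinge on a route table and on which entry a packet's destination matches. The added example below is not code from the talk: it models the deck's route tables in Python and does the longest-prefix lookup a VPC router does, so you can see why a private-subnet instance reaches the corporate network through the VGW but the Internet through the NAT, and why the backhaul table sends everything that is not local to the VGW. The corporate prefix is assumed to be 172.16.0.0/12 (slide 27 writes 172.16.0.0/8, which has host bits set and is rejected by a strict CIDR parser, as the validator in the block shows); the isolated table is a constructed case to show what happens when no route matches.

```python
import ipaddress

# Route tables from the talk, targets abbreviated as on the slides.
PUBLIC_SUBNET_RT = {"10.1.0.0/16": "local", "0.0.0.0/0": "igw"}     # slides 20, 22, 44
PRIVATE_SUBNET_RT = {"10.1.0.0/16": "local",
                     "172.16.0.0/12": "vgw",   # assumption; slide 27 writes 172.16.0.0/8
                     "0.0.0.0/0": "NAT"}                              # slides 27, 45
BACKHAUL_RT = {"10.1.0.0/16": "local", "0.0.0.0/0": "vgw"}           # slide 43
ISOLATED_RT = {"10.1.0.0/16": "local"}   # constructed: a subnet with no default route


def validate_route_table(route_table):
    """Return the destination strings that are not valid CIDR prefixes
    (host bits set, bad octets); the VPC API would reject these entries."""
    bad = []
    for cidr in route_table:
        try:
            ipaddress.ip_network(cidr)  # strict mode, like the API
        except ValueError:
            bad.append(cidr)
    return bad


def lookup(route_table, destination):
    """Longest-prefix match over a route table.

    Returns (matched_cidr, target), or None when no entry matches, which for a
    VPC route table means the packet is dropped. Order of entries is irrelevant:
    the most specific prefix wins, so 10.1.0.0/16 beats 0.0.0.0/0 for VPC-local
    destinations even though the local route is listed first.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def describe(route_table, destination):
    """Human-readable trace of one lookup, for the examples below."""
    hit = lookup(route_table, destination)
    if hit is None:
        return f"{destination}: no matching route, packet dropped"
    cidr, target = hit
    return f"{destination}: matched {cidr} -> {target}"


if __name__ == "__main__":
    # Traffic leaving a database server in the private subnet of slide 27:
    for dst in ["10.1.1.12", "172.16.5.9", "54.200.129.18"]:
        print("private subnet:", describe(PRIVATE_SUBNET_RT, dst))
    # The same Internet destination from the backhaul design and from an isolated subnet:
    print("backhaul:", describe(BACKHAUL_RT, "54.200.129.18"))
    print("isolated:", describe(ISOLATED_RT, "54.200.129.18"))
    # The slide's spelling of the corporate route would not even be accepted:
    print("invalid entries:", validate_route_table({"172.16.0.0/8": "vgw"}))
```

Two things worth taking from the trace: the default route is what decides whether an instance's Internet path is the IGW, the NAT, or the corporate firewall, so changing that one entry (one of the CreateRoute/DeleteRoute calls slide 29 says to restrict) silently reroutes a whole subnet; and a table with no default route is a legitimate design for subnets that must never reach the Internet.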
52. (Diagram) VPC peering between 10.1.0.0/16 and 10.0.0.0/16: one side sends a peer request, the other sends a peer accept.
• VPCs within same region
• Same or different accounts
• IP space cannot overlap
• Only one between any two VPCs
53. • Alternative to using the Internet to access AWS cloud services
• Private network connection between AWS and your data center
• Can reduce costs, increase bandwidth, and provide a more consistent network experience than Internet-based connections
• Two different Direct Connect scenarios
– Direct Connect from a colo at a Direct Connect POP site
– Direct Connect from a remote site
56. (Diagram) A Direct Connect location with customer data centers and customer offices connecting into it.
57. (Diagram) The customer data center connects to an AWS Direct Connect location over a private layer 2 circuit or cross-connect: one or multiple (redundant); hosted: 50–500 Mbps; dedicated: 1 Gbps or 10 Gbps. An AWS Direct Connect private virtual interface connects to the VGW on a VPC:
• 1 PVI per VPC
• 802.1Q VLAN tags isolate traffic across AWS Direct Connect
Simplify with AWS Direct Connect: separate virtual interfaces (PVI1 through PVI5) carry, within the AWS Region, a public-facing web app, the Prod, QA, and Dev internal company apps, and access to the AWS public API endpoints.
60. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals