In this session, we will walk through the fundamentals of Amazon Virtual Private Cloud (VPC). First, we will cover build-out and design fundamentals for VPC, including picking your IP space, subnetting, routing, security, NAT, and much more. We will then transition into different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks AWS makes available with VPC and how you can connect this with your offices and current data center footprint.

8. Object Storage
CDN
User
Web
DNS
http://www.example.com
Internet Gateway

9. Internal
User
VPN Gateway
Router / Firewall
Corporate Data Center
http://internal-app
Web
VPN over
the Internet

10. Active Directory
Network configuration
Encryption
Backup appliances
Your on-premises apps
Users and access rules
Your private network
HSM appliance
Cloud backups
Your cloud apps
AWS Direct Connect
Corporate data centers

11. Web
Server
Application
Server
DB
Server
Data Volume
EC2 Web
Server
EC2
Application
Server
EC2 DB
Server
Amazon Elastic Block
Store (EBS) Data Volume
Data Mirroring /
Replication
Amazon Elastic
Compute Cloud
(EC2) instances are
stopped. Instances
can be restarted if
primary application
goes down.
Smaller EC2
instance for DB
but can be
stopped and
restarted as a
larger EC2
instance.
Amazon Route 53
User
Corporate Data Center
Repoint DNS in an
Outage

13. Route table Elastic network
interface
Amazon VPC Router
Internet
gateway
Customer
gateway
Virtual
private
gateway
VPN
connection
Subnet
Elastic IP

14. Availability Zone A
Availability Zone B
VPC CIDR: 10.1.0.0 /16

15. Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
VPC CIDR: 10.1.0.0 /16

16. Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
Internet
Gateway
VPC CIDR: 10.1.0.0 /16
AWS Public Internet
API Endpoints

17. Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
VPC CIDR: 10.1.0.0 /16
Internal
User
VPN Gateway
Customer Gateway
Corporate Data Center
VPN over
the Internet

18. Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
VPC CIDR: 10.1.0.0 /16
Internal
User
VPN Gateway
Customer Gateway
Corporate Data Center
VPN over
the Internet

19. • By default, every subnet
can talk to every other
subnet
• Enabled by a virtual router
that sits in a star topology
between all subnets
• VPC DHCP service hands
out a .1 default gateway to
each instance coming up in
a subnet (in a /24 subnet)
Public Subnet
Availability Zone A
Private Subnet
Public Subnet
Availability Zone B
Private Subnet
Instance A
10.1.1.11 /24
Instance C
10.1.3.33 /24
Instance B
10.1.2.22 /24
Instance D
10.1.4.44 /24
VPC CIDR: 10.1.0.0 /16
.1
.1 .1
.1

20. Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
Internet
Gateway
VPC CIDR: 10.1.0.0 /16
AWS Public Internet
API Endpoints
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw

21. Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
VPC CIDR: 10.1.0.0 /16
Internal User
VPN Gateway
Customer Gateway
Corporate Data Center
VPN over
the Internet

22. Availability Zone A Availability Zone B
Subnet: 10.1.1.0/24
Internet
Gateway
VPC CIDR: 10.1.0.0 /16
AWS Public Internet
API Endpoints
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw
Subnet: 10.1.10.0/24
EIP EIP

23. Availability Zone A Availability Zone B
Subnet: 10.1.1.0/24
Internet
Gateway
VPC CIDR: 10.1.0.0 /16
AWS Public Internet
API Endpoints
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw
Subnet: 10.1.10.0/24
ENI
(eth0)
ENI
(eth0)

24. Availability Zone A Availability Zone B
VPC CIDR: 10.1.0.0 /16
VPC Subnet with ACL VPC Subnet with ACL
VPC Subnet with ACL

25. Availability Zone A Availability Zone B
Subnet: 10.1.1.0/24
VPC CIDR: 10.1.0.0 /16
Subnet: 10.1.10.0/24
Security Group

26. Route
Table
Route
Table
Internet
Gateway
Virtual Private
Gateway
Virtual Router
VPC 10.1.0.0/16

27. VPC Public Subnet VPC Private Subnet
NAT Instance
Public: 54.200.129.18
Private: 10.1.1.11 /24
Web Server
Public: 54.200.129.29
Private: 10.1.1.12 /24
Database Server
Private: 10.1.10.3 /24
Database Server
Private: 10.1.10.4 /24
Database Server
Private: 10.1.10.5 /24
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw
AWS Public
API Endpoints
VPC 10.1.0.0/16
VPN or Direct Connect
Route Table
Destination Target
10.1.0.0/16 local
172.16.0.0/8 vgw
0.0.0.0/0 NAT
IGW VGW
CGW

29. Examples of “high blast radius” VPC API calls that should be restricted:
AttachInternetGateway
AssociateRouteTable
CreateRoute
DeleteCustomerGateway
DeleteInternetGateway
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteRoute
DeleteRouteTable
DeleteDhcpOptions
ReplaceNetworkAclAssociation
DisassociateRouteTable

30. •Consider future AWS region expansion
•Consider future connectivity to your internal networks
•Consider applications your VPC will host
•Consider subnet design
•VPC can be /16 down to /28
•CIDR cannot be modified after creation
•Overlapping IP spaces = future headache

32. VPC Subnet
Elastic Network
interface
Security Group
Network ACL

33. Instance
VPC Subnet with NACL

37. • Problem
If my instance fails or I need to upgrade it, I need to push traffic to
another instance with the same public and private IP addresses
and same network interface
• Solution
Deploy your application in VPC and use an ENI on eth1 that can
be moved between instances and retain same MAC, public, and
private IP addresses
• Pros
– Since we are moving the ENI, DNS will not need to be updated
– Fallback is as easy as moving the ENI back to the original
instance
– Anything pointing to the public or private IP on the instance will
not need to be updated
– ENIs can be moved across instances in a subnet Virtual Private Cloud
EC2 EC2
Availability Zone
VPC Subnet
Amazon Route 53
ENI (eth1)

38. •Tagging strategy should be part of early design
•Project code, cost center, environment, version, team, business unit
•Tag resources right after creation
•Tags supported for resource permissions
•AWS Billing also supports tags
•Tight IAM controls on the creation and editing of tags

40. Use Amazon EC2 run resource permissions to control:
•What AMI can be launched
•What VPC or subnet can be targeted
•What security groups must be in place
•Which VPCs allow peering
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
For more policy examples:

41. http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level- Permissions

42. 1.Backhaul through your own corporate firewall?
2.Public route with public IP
3.Using NAT
1.Advanced patterns
1.Creating an HA NAT
2.Using a proxy layer

43. Availability Zone A
Private Subnet
Private Subnet
AWS Region
Virtual Private Gateway
VPN Connection
Customer Data Center
Intranet
App
Intranet
App
Availability Zone B
Amazon S3
Customer
Border Router
Customer Gateway
Internet
Internet
Route Table
Destination
Target
10.1.0.0/16
local
0.0.0.0/0
vgw

44. • Problem
EC2 instances need access to the Internet
• Solution
– Either attach an EIP or have a public IP added at launch
– Create a route from the subnet where you are deploying
your instances to the IGW
• Pros
Your devices can access the Internet and AWS public endpoints
• Notes
Your security group can prohibit inbound traffic from the Internet
so your instances can reach the Internet but cannot be reached
publicly from outside your VPC
Virtual Private Cloud
EC2 / NAT
Availability Zone
VPC Public Subnet
Internet Gateway
Internet
Elastic or Public IP
Amazon S3
bucket
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw

45. • Problem
EC2 instances in a private subnet need access to the Internet
to call APIs, for downloads, and for updates to software
packages and the OS
• Solution
Deploy a NAT server on an EC2 instance that will provide
Internet access to servers in private subnets
• Pros
– Your devices are not publicly addressable but still have
Internet access
– NAT gives instances in private subnet capability to access
AWS services and APIs outside of VPC
Virtual Private Cloud
EC2 / NAT
Availability Zone
VPC Public Subnet
VPC Private Subnet
Internet Gateway
Internet
EC2 EC2
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 NAT

46. •Redundant IPSEC tunnels
•Supports BGP and static routing
•Redundant customer gateways

47. Virtual Private Cloud
Availability Zone Availability Zone
VPC Subnet VPC Subnet
Customer Gateway
Customer Network
VPN
Router Virtual Private Gateway

48. Virtual Private Cloud
Availability Zone Availability Zone
VPC Subnet VPC Subnet
Customer Gateway
Customer Network
New York
VPN
Router Virtual Private Gateway
Customer Gateway
Customer Network
Chicago
VPN
Customer Gateway
Customer Network
Los Angeles
VPN

49. Virtual Private Cloud
Availability Zone Availability Zone
VPC Subnet VPC Subnet
IPSEC
VPN
Virtual Private Gateway
Router
72.21.209.193
Router
72.21.209.225
Tunnel 1 Tunnel 2
Customer Gateway
xxx.xxx.xxx.xxx
Customer Network
IPSEC
VPN

50. Virtual Private Cloud
Availability Zone Availability Zone
VPC Subnet VPC Subnet
Tunnel 1
Virtual Private Gateway
Router
72.21.209.193
Router
72.21.209.225
Customer Gateway
xxx.xxx.xxx.xxx
Customer Network
Customer Gateway
xxx.xxx.xxx.yyy
Tunnel 2 Tunnel 2
Tunnel 1

52. 10.1.0.0/16
10.0.0.0/16
•VPCs within same region
Peer
request
Peer
accept
•Same or different accounts
•IP space cannot overlap
•Only one between any two VPCs

53. •Alternative to using the Internet to access AWS cloud services
•Private network connection between AWS and your data center
•Can reduce costs, increase bandwidth, and provide a more consistent network experience than Internet-based connections
•Two different Direct Connect scenarios
–Direct Connect from Coloat Direct Connect POP Site
–Direct Connect from remote site

55. http://aws.amazon.com/directconnect/partners/

56. Direct Connect
Location
Customer Data Center
Customer Office
Customer Office
Customer Office
Customer Data Center

57. Customer Data Center
AWS Direct Connect
location
AWS Direct Connect private virtual interface connects to VGW on VPC
•1 PVI per VPC
•802.1Q VLAN tags isolate traffic across AWS Direct Connect
Private layer 2 circuit or cross-connect
One or multiple (redundant)
Hosted: 50–500 Mbps
Dedicated: 1 Gbps or 10 Gbps
Simplify with AWS Direct Connect
Public-Facing
Web App
AWS
Region
Prod
QA
Dev
Internal
Company Apps
Internal
Company Apps
Internal
Company Apps
PVI1
PVI2
PVI3
PVI4
PVI5
AWS Public
API Endpoints

60. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals