Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC
  • Précis: The AWS Virtual Private Cloud (VPC) is fast becoming the networking option of choice for enterprise and government customers because it provides a powerful set of virtual networking capabilities. VPC allows you to isolate, control, connect, and empower your systems at the network level. Did you know, for example, that VPC allows you to attach a single EC2 instance to multiple private subnets? To create DMZs, control subnet routing, and enable totally private interconnects with your on-premises systems? To deploy dedicated, isolated, single-tenant hardware for your virtual machines within the public cloud? Come learn about the extensive set of features specific to VPC that you should know about before your next cloud deployment.
  • Mention that there will be demos along the way.
  • Data egress charges are a measure of the packet flows across the public IP address at the network edge (i.e., the gray lines in the slide), even if the packets return into EC2. Internal-to-internal traffic and traffic from instances to AWS service endpoints is all free. [Will add more valid public IPs to the animation later.] Example valid ranges:
    • 216.182.224.0/20 (216.182.224.0 - 216.182.239.255)
    • 72.44.32.0/19 (72.44.32.0 - 72.44.63.255)
    • 67.202.0.0/18 (67.202.0.0 - 67.202.63.255)
    • 75.101.128.0/17 (75.101.128.0 - 75.101.255.255)
    • 174.129.0.0/16 (174.129.0.0 - 174.129.255.255)
    • 204.236.192.0/18 (204.236.192.0 - 204.236.255.255)
    • 184.73.0.0/16 (184.73.0.0 - 184.73.255.255) NEW
  • “User-defined” is important because it can be a private OR a public address space. If public, it must be routed to/from the customer gateway / VPN tunnel.
  • Egress control: you control what the instances can talk to. E.g., let the instance initiate communication with the yum repository, but don’t let it browse anywhere else.
  • Network topology: create subnets (public vs. privately accessible); route traffic down the VPN or out to the Internet.
  • Network Address Translation: private subnet instances with no public IP can still establish connections to the Internet.
  • 3rd-party appliances and applications: leverage software appliances and security applications.
  • Multiple interfaces: launch or configure instances with a second network interface.

Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC Presentation Transcript

  • 1. Networking and Security: Securing Your AWS Resources with Amazon’s Virtual Private Cloud. Mark Ryland, Solutions Architect, AWS Public Sector team
  • 2. Agenda
    • Review: EC2 standard networking: power and limits
    • EC2 networking with Virtual Private Cloud: key concepts, new capabilities, common use cases
    • DirectConnect and VPC
  • 3. EC2 Standard Networking
    • Distinct private/internal and public/external IPs: true 1:1 NAT (no port translation); “split-brained” DNS
    • Security groups control ingress
    • Elastic IPs: fixed public IPs
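The two mechanisms on slide 3, a true 1:1 NAT at the border and split-horizon (“split-brained”) DNS, together explain the egress-billing remark in the speaker notes: traffic between two instances resolves to private addresses and never crosses the border. The model below is an added example, not code from the presentation or from AWS. The instance records and hostnames are constructed, the addresses are the ones drawn on slides 4 and 5, and treating 10.0.0.0/8 as the internal Amazon range is an assumption made for the model.

```python
"""Model of EC2 standard networking: true 1:1 NAT and split-horizon DNS."""
from ipaddress import ip_address, ip_network

# Assumption: the "one large internal Amazon IP address range" of slide 4 is
# modelled as 10.0.0.0/8, matching the example addresses shown there.
EC2_INTERNAL = ip_network("10.0.0.0/8")

# Constructed instance records: public DNS name -> (private IP, public IP).
# The names are made up; the addresses are the ones drawn on slides 4 and 5.
INSTANCES = {
    "ec2-23-20-151-66.example": ("10.134.2.3", "23.20.151.66"),
    "ec2-72-43-2-77.example": ("10.1.2.3", "72.43.2.77"),
}
PRIVATE_TO_PUBLIC = {priv: pub for priv, pub in INSTANCES.values()}
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in INSTANCES.values()}


def resolve(name, querier_ip):
    """Split-horizon ("split-brained") DNS: a querier inside EC2 gets the
    private address, a querier on the Internet gets the public address."""
    private_ip, public_ip = INSTANCES[name]
    return private_ip if ip_address(querier_ip) in EC2_INTERNAL else public_ip


def border_nat(packet, direction):
    """True 1:1 NAT at the border: exactly one address is rewritten and the
    ports are preserved, unlike PAT, which also rewrites the source port."""
    src, sport, dst, dport = packet
    if direction == "out":      # instance -> Internet: rewrite the source
        return (PRIVATE_TO_PUBLIC.get(src, src), sport, dst, dport)
    return (src, sport, PUBLIC_TO_PRIVATE.get(dst, dst), dport)  # inbound


def deliver(src_ip, sport, name, dport):
    """Trace a connection from src_ip to the instance called `name`.
    Returns (crosses_border, packet_as_seen_by_the_instance)."""
    dst = resolve(name, src_ip)
    packet = (src_ip, sport, dst, dport)
    if ip_address(dst) in EC2_INTERNAL:
        # Internal to internal: the packet stays on private addresses and never
        # touches the border, which is why such traffic is not metered as egress.
        return False, packet
    return True, border_nat(packet, "in")


if __name__ == "__main__":
    print(deliver("10.1.2.3", 40000, "ec2-23-20-151-66.example", 22))
    print(deliver("198.51.100.7", 40000, "ec2-23-20-151-66.example", 22))
```

Run from inside the modelled range, `deliver` reports that the packet never crosses the border; from an Internet client it reports a border crossing with the destination rewritten to the private address and the port untouched.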
  • 4. [Figure] The Internet connected to EC2 instances of Customers 1, 2 and 3 across Availability Zones 1a and 1b. Caption: EC2 instances are dynamically assigned private IP addresses from the one large internal Amazon IP address range (e.g., 10.134.2.3, 10.1.2.3, 10.218.5.17).
  • 5. [Figure] The same layout with public addresses added at the border. Caption: EC2 instances are dynamically assigned public IP addresses on the border network from Amazon’s public IP address blocks (e.g., 23.20.151.66, 72.43.2.77).
  • 6. Value and Limits of Standard Networking
    • Security groups: ingress only; limited dynamism; different from subnet-based controls; mental model issue
    • No private networking, DMZs, or NAT/PAT
    • No consistent / “fixed” IP addresses for instances
  • 7. Introducing AWS Virtual Private Cloud
    • User-defined virtual IP networking for EC2
    • Private or mixed private/public addressing and ingress/egress
    • Re-use of proven and well-understood networking concepts and technologies
  • 8. VPC Capabilities in a Nutshell
    • User-defined address space up to /16
    • Up to 20* user-defined subnets, each up to /16
    • User-defined virtual routing, DHCP servers, and NAT instances
    • User-defined Internet gateways, virtual private gateways, customer gateways, and VPN tunnels
    • Private IPs stable once assigned
    • Elastic Network Interfaces
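Slide 8 and the “user-defined address space” speaker note give the constraints a VPC address plan has to satisfy. The checker below is an added example, not the presentation’s or AWS’s own code: it takes a VPC CIDR and a list of subnet CIDRs and reports a plan that exceeds /16, has malformed CIDRs, places a subnet outside the VPC, overlaps subnets, or exceeds the subnet limit the slide quotes. The sample plan is constructed; the five reserved addresses per subnet are AWS’s documented reservation, which the slide does not mention.

```python
"""Check a VPC address plan against the limits listed on slide 8."""
from ipaddress import ip_network

MAX_SUBNETS_PER_VPC = 20      # the "20*" on the slide: a default limit that can be raised
LARGEST_VPC_PREFIX = 16       # "user-defined address space up to /16"
AWS_RESERVED_PER_SUBNET = 5   # AWS reserves the first four and the last address of a subnet


def usable_hosts(cidr):
    """Addresses an instance can actually take in a subnet of this size."""
    return ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_vpc_plan(vpc_cidr, subnet_cidrs):
    """Return a list of problem strings; an empty list means the plan is valid.

    Checks: the VPC is no larger than /16, every CIDR is well formed (no host
    bits set), every subnet lies inside the VPC, subnets do not overlap, and
    the subnet count stays within the per-VPC limit.
    """
    problems = []
    try:
        vpc = ip_network(vpc_cidr, strict=True)
    except ValueError as err:
        return [f"VPC CIDR {vpc_cidr!r} is invalid: {err}"]
    if vpc.prefixlen < LARGEST_VPC_PREFIX:
        problems.append(f"VPC {vpc} is larger than /{LARGEST_VPC_PREFIX}")

    subnets = []
    for cidr in subnet_cidrs:
        try:
            subnets.append(ip_network(cidr, strict=True))
        except ValueError as err:
            problems.append(f"subnet CIDR {cidr!r} is invalid: {err}")

    if len(subnets) > MAX_SUBNETS_PER_VPC:
        problems.append(f"{len(subnets)} subnets exceed the limit of {MAX_SUBNETS_PER_VPC}")
    for subnet in subnets:
        if not subnet.subnet_of(vpc):
            problems.append(f"subnet {subnet} lies outside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


# Constructed example: a /16 VPC with a public (DMZ) subnet and two private
# subnets spread over two Availability Zones, like the layout drawn on slide 11.
EXAMPLE_PLAN = ("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.0.3.0/24"])

if __name__ == "__main__":
    print(validate_vpc_plan(*EXAMPLE_PLAN) or "plan is valid")
    print(validate_vpc_plan("10.0.0.0/8", ["10.0.0.0/24", "10.0.0.128/25", "192.168.1.0/24"]))
```

The checker runs before any API call, so a plan that would be rejected (or, worse, silently overlap an on-premises range reached over the VPN) is caught while it is still a list of strings.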
  • 9. [Figure] Caption: VPC customers can launch instances in their own isolated network (a VPC Customer shown alongside Customers 1, 2 and 3 across Availability Zones 1a and 1b).
  • 10. [Figure] Caption: You can assign your own IP range to the VPC network (e.g., 10.0.0.5, 10.0.1.5, 10.0.3.5 across Availability Zones 1a and 1b).
  • 11. [Figure] Caption: Instances can belong to different subnets (three VPC subnets across Availability Zones 1a and 1b).
  • 12. [Figure] Caption: Add access control lists to your subnets.
  • 13. [Figure] Caption: Add a Virtual Private Gateway to your VPC to make it an extension of your datacenter. All traffic to and from the VPC traverses the VPN Connection (Virtual Private Gateway, VPN Connection, Customer Gateway, Customer Data Center).
  • 14. [Figure] Caption: Add an Internet Gateway to let instances talk directly to the Internet (Internet Gateway shown alongside the Virtual Private Gateway and VPN Connection).
  • 15. Enhanced Security Capabilities
    • Network topology, routing, and subnet ACLs
    • Security group enhancements: egress control; dynamic (re)assignment; richer protocol support
    • Multiple network interfaces per instance
    • Completely private networking via VPN
    • Support for dedicated instances
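Slide 15 pairs two controls whose semantics differ in exactly the way slide 6 calls a “mental model issue”: security groups are allow-only and stateful, subnet ACLs are numbered allow/deny rules that are stateless. The model below is an added example, not the presentation’s or AWS’s code, and it works through the policy from the speaker notes (let the instance reach the yum repository, but browse nowhere else) under both controls. The instance address comes from slide 10; the repository and Internet host addresses are constructed from documentation ranges.

```python
"""Stateful security groups versus stateless subnet (network) ACLs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The return packet of this flow: addresses and ports swapped."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


def _rule_matches(rule, flow, direction):
    """Common matcher. The remote end is the destination for egress and the
    source for ingress; the port checked is always the flow's destination port."""
    remote = flow.dst if direction == "out" else flow.src
    return (rule["proto"] == flow.proto
            and rule["lo"] <= flow.dport <= rule["hi"]
            and ip_address(remote) in ip_network(rule["cidr"]))


class SecurityGroup:
    """Allow-only rules plus connection tracking, i.e. stateful filtering."""

    def __init__(self, rules):
        self.rules = rules      # dicts with keys: dir, proto, lo, hi, cidr
        self.tracked = set()    # flows already permitted in either direction

    def permits(self, flow, direction):
        if flow.reply() in self.tracked:   # reply to an allowed connection
            return True
        allowed = any(_rule_matches(r, flow, direction)
                      for r in self.rules if r["dir"] == direction)
        if allowed:
            self.tracked.add(flow)
        return allowed


def nacl_permits(rules, flow, direction):
    """Network ACL: stateless; rules are tried in ascending rule number, the
    first match decides, and the implicit final '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r["no"]):
        if rule["dir"] == direction and _rule_matches(rule, flow, direction):
            return rule["action"] == "allow"
    return False


# Constructed sample values (documentation address ranges), not from the deck.
INSTANCE = "10.0.1.5"          # a private address drawn on slide 10
YUM_REPO = "203.0.113.0/24"    # the package repository the instance may reach
ELSEWHERE = "198.51.100.7"     # any other Internet host


def demo():
    """Return (security group results, network ACL results) for the speaker
    note's policy: reach the yum repository on 443, browse nowhere else."""
    to_repo = Flow(INSTANCE, 52000, "203.0.113.10", 443)
    to_elsewhere = Flow(INSTANCE, 52001, ELSEWHERE, 443)

    sg = SecurityGroup([{"dir": "out", "proto": "tcp", "lo": 443, "hi": 443, "cidr": YUM_REPO}])
    sg_results = (
        sg.permits(to_repo, "out"),            # True: matches the egress rule
        sg.permits(to_elsewhere, "out"),       # False: no rule, default deny
        sg.permits(to_repo.reply(), "in"),     # True: state lets the reply back in
    )

    egress_only = [{"no": 100, "dir": "out", "proto": "tcp", "lo": 443, "hi": 443,
                    "cidr": YUM_REPO, "action": "allow"}]
    with_return = egress_only + [{"no": 110, "dir": "in", "proto": "tcp", "lo": 1024,
                                  "hi": 65535, "cidr": YUM_REPO, "action": "allow"}]
    deny_first = egress_only + [{"no": 90, "dir": "out", "proto": "tcp", "lo": 443,
                                 "hi": 443, "cidr": "203.0.113.10/32", "action": "deny"}]
    nacl_results = (
        nacl_permits(egress_only, to_repo, "out"),          # True
        nacl_permits(egress_only, to_repo.reply(), "in"),   # False: stateless, no return rule
        nacl_permits(with_return, to_repo.reply(), "in"),   # True: ephemeral-port return rule
        nacl_permits(deny_first, to_repo, "out"),           # False: rule 90 runs before 100
    )
    return sg_results, nacl_results


if __name__ == "__main__":
    print(demo())
```

The second ACL result is the one that bites in practice: an egress-only ACL that mirrors the security group silently drops the repository’s replies, so a subnet ACL needs an explicit inbound rule for the ephemeral port range, and the ordering case shows why a low-numbered deny placed ahead of an allow changes the outcome.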
  • 16. Common Use Cases
    • Mixing public and private resources, e.g., web-facing hosts with DMZ subnets, control plane subnets
    • Workloads that expect fixed IPs and/or multiple NICs
    • AWS cloud as a private extension of the on-premises network: accessible from on-premises hosts; no change to addressing; no change to Internet threat/risk posture
  • 17. Rich Capabilities in VPC
    • ELB, AutoScaling, and CloudWatch
    • Relational Database Service (MySQL engine, for now)
    • Elastic MapReduce
    • CloudFormation
    • And many others, with more to come…
    • “Blackbox” services with public endpoints reachable via Internet gateway (or VPN)
  • 18. DirectConnect: Private Cross-Connect to AWS
    • Dedicated bandwidth to the AWS border network in 1 Gbps or 10 Gbps chunks
    • Full access to public endpoints, EC2 standard, VPCs: VLAN tagging maps to the public side or to VPCs
    • Benefits: faster / more consistent throughput; increased isolation and control
    • Great companion technology to VPC
  • 19. Networking and Security: Securing Your AWS Resources with Amazon’s Virtual Private Cloud. Questions and answers