Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity Options

Ugur Kira, AWS Premium Support Engineer

  • Login to see the comments

Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity Options

  1. 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Virtual Private Cloud (VPC) Networking Fundamentals and Connectivity Options Ugur KIRA Senior Cloud Support Engineer 9th April 2018
  2. 2. EC2 Instance
  3. 3. VPC
  4. 4. VPC: your private network in AWS
  5. 5. Walkthrough: setting up an Internet-connected VPC
  6. 6. Creating an Internet-connected VPC: steps Choosing an address range Setting up subnets in Availability Zones Creating a route to the Internet Authorizing traffic to/from the VPC
  7. 7. Choosing an IP address range
  8. 8. CIDR notation review CIDR range example: 1010 1100 0001 1111 0000 0000 0000 0000
  9. 9. Choosing an IPv4 address range for your VPC Recommended: RFC1918 range Recommended: /16 (64K addresses)
  10. 10. Adding a secondary IPv4 address range Primary CIDR Secondary CIDR
  11. 11. Adding a secondary IPv4 address range Primary CIDR
  12. 12. Adding a secondary IPv4 address range Primary CIDR Maximum 5 CIDRs
  13. 13. Subnets
  14. 14. VPC subnets and Availability Zones Availability Zone Availability Zone Availability Zone VPC subnet VPC subnet VPC subnet eu-west-1a eu-west-1b eu-west-1c
  15. 15. VPC subnet considerations • /16 VPC (64K IPv4 addresses) • /24 subnets (251 IPv4 addresses) • One subnet per Availability Zone • first 4 IP addresses and the last IP address in each subnet CIDR block are reserved , and cannot be assigned • For example, in a subnet with CIDR block • Network address • Reserved by AWS for the VPC router. • Reserved by AWS as DNS server IP • Reserved by AWS for future use. • Network broadcast address(Not Supported)
  16. 16. Route to the Internet
  17. 17. Routing in your VPC • Route tables contain rules for which packets go where • Your VPC has a default route table • … but you can assign different route tables to different subnets
  18. 18. Can instances with the CIDR- reach to the instances with the CIDR
  19. 19. Can instances with the CIDR- reach to the instances with the CIDR With VPC, YES!
  20. 20. Traffic destined for my VPC stays in my VPC
  21. 21. Internet Gateway Send packets here if you want them to reach the Internet
  22. 22. Everything that isn’t destined for the VPC: Send to the Internet
  23. 23. Network security in VPC: Network ACLs / Security Groups
  24. 24. Network ACLs: Stateless firewalls English translation: Allow all traffic in Can be applied on a subnet basis Rules are evaluated starting with the lowest numbered rule.
  25. 25. “MyWebServers” Security Group “MyBackends” Security Group Allow only “MyWebServers” Security Groups- Stateful Firewall
  26. 26. Security groups example: web servers In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
  27. 27. Security groups example: backends In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group
  28. 28. Security groups in VPC: additional notes • Follow the Principle of Least Privilege • VPC allows creation of egress as well as ingress Security Group rules • You can only define ALLOW rule not a DENY
  29. 29. Connectivity options for VPCs
  30. 30. Beyond Internet connectivity Restricting Internet access Connecting to your corporate network Connecting to other VPCs Accessing Services Through AWS PrivateLink VPC Endpoints for Amazon S3 & DynamoDB
  31. 31. Restricting Internet access: Routing by subnet
  32. 32. Routing by subnet VPC subnet VPC subnet Public Subnet: Has route to Internet Private Subnet: Has NO route to Internet
  33. 33. Outbound-only Internet access: NAT gateway Private VPC subnet Public VPC subnet Public IP: NAT gateway
  34. 34. Inter-VPC connectivity: VPC peering
  35. 35. Example VPC peering use: shared services VPC You can create a VPC peering connection between: • your own VPCs • with a VPC in another AWS account • with a VPC in a different AWS Region Common/core services • Authentication/directory • Monitoring • Logging • Remote administration • Scanning Can VPC B access VPC C via VPC A?
  36. 36. Security groups across peered VPCs VPC Peering Orange Security Group Blue Security Group ALLOW You can create inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC
  37. 37. Establish a VPC peering: initiate request Step 1 Initiate peering request
  38. 38. Establish a VPC peering: accept request Step 1 Initiate peering request Step 2 Accept peering request
  39. 39. Establish a VPC peering: create route 1 Initiate peering request Step 2 Accept peering request Step 3 Create routes In English: Traffic destined for the peered VPC should go to the peering
  40. 40. Connecting to on-premises networks: Virtual Private Network & Direct Connect
  41. 41. Extend an on-premises network into your VPC VPN Direct Connect
  42. 42. AWS VPN basics Customer Gateway Virtual Gateway Two IPSec tunnels 192.168/16 Your networking device
  43. 43. VPN and AWS Direct Connect • Both allow secure connections between your network and your VPC • VPN is a pair of IPSec tunnels over the Internet • DirectConnect is a dedicated line with lower per-GB data transfer rates • For highest availability: Use both
  44. 44. VPC Endpoints for DynamoDB VPC Endpoints for Amazon S3 VPC Endpoint Services (AWS PrivateLink)
  45. 45. S3, DynamoDB and your VPC S3 Bucket Your applications Your data DynamoDB Table
  46. 46. AWS VPC endpoints S3 BucketDynamoDB Table
  47. 47. VPC Endpoint-S3 S3 Bucket Route S3-bound traffic to the VPCE
  48. 48. DynamoDB DynamoDB Table
  49. 49. IAM policy for VPC endpoints S3 Bucket IAM Policy at VPC Endpoint - Endpoint Policy: Restrict actions of VPC in S3 IAM Policy at S3 Bucket: Make accessible from VPC Endpoint only
  50. 50. Accessing Services Through AWS PrivateLink
  51. 51. AWS PrivateLink • privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services) • do not require an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or VPN connection to communicate with the service *(without using public IPs, and without requiring the traffic to traverse across the Internet) • Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Kinesis Streams, EC2 Systems Manager … • Even You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service
  52. 52. VPC Endpoint Services (AWS PrivateLink) Running Internal Web Services in a private subnet Using an interface endpoint to access the services in subnet B. Subnets should not overlap!
  53. 53. VPC and the rest of AWS DNS in-VPC with Amazon Route 53 Logging VPC Traffic with VPC Flow Logs
  54. 54. VPC DNS options Use Amazon DNS server Have EC2 auto-assign DNS hostnames to instances
  55. 55. Amazon Route 53 private hosted zones Private Hosted Zone 
  56. 56. VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs
  57. 57. VPC Flow Logs Visibility into effects of security group rules Troubleshooting network connectivity Ability to analyze traffic
  58. 58. VPC Flow Logs: setup VPC traffic metadata captured in CloudWatch Logs
  59. 59. VPC Flow Logs data in CloudWatch Logs Who’s this? # dig +short -x REJECT UDP Port 53 = DNS
  60. 60. THANK YOU