AWS May Webinar Series - Deep Dive: Amazon Virtual Private Cloud

If you are interested to know more about AWS Chicago Summit, please use the following to register: http://amzn.to/1RooPPL

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this webinar, we discuss advanced networking features in Amazon VPC, including VPC Peering, Enhanced Networking, ClassicLink, and private connectivity.

Learning Objectives:
• Learn how to enable Enhanced Networking to reduce latency
• Understand the use cases for advanced VPC features including VPC Peering
• For EC2-Classic customers, learn how ClassicLink enables you to adopt VPC incrementally

Who Should Attend:
• DevOps Engineers and System Architects responsible for VPC design and implementation

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Kevin Miller, EC2 Networking
     May 21, 2015
     Deep Dive: Virtual Private Cloud
  2. Related Presentations – Videos online: https://www.youtube.com/user/AmazonWebServices
     ARC205 – VPC Fundamentals and Connectivity
     ARC401 – Black Belt Networking for Cloud Ninja
     • Application centric, network monitoring, management, floating IPs
     ARC403 – From One to Many: Evolving VPC Design
     SDD302 – A Tale of One Thousand Instances
     • Example of EC2-Classic customer adopting VPC
     SDD419 – Amazon EC2 Networking Deep Dive
     • Network performance, placement groups, enhanced networking
  3. aws vpc --expert-mode
  4. Topics today
  5. Virtual networking options
     EC2-Classic – Simple to get started: all instances have Internet connectivity, auto-assigned private and public IP addresses, inbound security groups
     Default VPC – The best of both: get started using the EC2-Classic experience; if and when needed, begin using any VPC feature you require
     VPC – Advanced virtual networking services: ENIs and multiple IPs, routing tables, egress security groups, network ACLs, private connectivity, enhanced networking, and more to come...
  6. Virtual networking options (same three columns as slide 5)
     All accounts created after 12/4/2013 support VPC only and have a default VPC in each region
  7. Confirming your default VPC
     describe-account-attributes: VPC only
  8. Routing and private connections
  9. Implementing a hybrid architecture (diagram: VPC connected to a Corporate Data Center)
 10. Create VPC
     aws ec2 create-vpc --cidr 10.10.0.0/16
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b
 11. Create VPN connection
     aws ec2 create-vpn-gateway --type ipsec.1
     aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
     aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
     aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1
 12. Launch instances
     aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
     aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3
 13. Using AWS Direct Connect
     aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
     aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
 14. Configuring route table (diagram: Corporate Data Center 192.168.0.0/16)
     aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
     Each VPC has a single routing table at creation time, used by all subnets
 15. Remote connectivity best practices (diagram: Corporate Data Center, two Availability Zones)
     Each VPN connection consists of 2 IPSec tunnels. Use BGP for failure recovery.
 16. Remote connectivity best practices
     A pair of VPN connections (4 IPSec tunnels total) protects against failure of your customer gateway
 17. Remote connectivity best practices
     Redundant AWS Direct Connect connections with VPN backup
 18. VPC with private and public connectivity (diagram: Corporate Data Center 192.168.0.0/16)
     aws ec2 create-internet-gateway
     aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
     aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
     aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
     aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7
 19. Automatic route propagation from VGW
     aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
     aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
     Used to automatically update routing table(s) with routes present in the VGW
 20. Isolating connectivity by subnet
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.3.0/24 --a us-west-2b
     aws ec2 create-route-table --vpc vpc-c15180a4
     aws ec2 associate-route-table --ro rtb-fc61b299 --subnet subnet-60975a17
     # Default route goes in the new table rtb-fc61b299 (the slide showed rtb-ef36e58a, the main table, which already holds this route from slide 18)
     aws ec2 create-route --ro rtb-fc61b299 --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
     Subnet with connectivity only to other instances and the Internet via the IGW
 21. Software VPN for VPC-to-VPC connectivity
     # VPC A
     aws ec2 modify-network-interface-attribute --net eni-f832afcc --no-source-dest-check
     aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
     # VPC B
     aws ec2 modify-network-interface-attribute --net eni-9c1b693a --no-source-dest-check
     aws ec2 create-route --ro rtb-67a2b31c --dest 10.10.0.0/16 --instance-id i-9c1b693a
 22. Software VPN for VPC-to-VPC connectivity (diagram: software VPN between these instances)
 23. Software VPN for VPC-to-VPC connectivity (diagram: enabling communication between instances in these subnets; adding routes to the default routing table)
 24. Software firewall to the Internet
     Routing all traffic from subnets to the Internet via a firewall is conceptually similar
     # Default routing table directs traffic to the NAT/firewall instance
     aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --instance-id i-f832afcc
     # Routing table for 10.10.3.0/24 directs to the Internet
     aws ec2 create-route --ro rtb-67a2b31c --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
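The route-table behaviour that slides 14 through 24 build up by hand (one table per VPC at creation, per-subnet association, longest-prefix match, the implicit local route, and an instance used as the next hop in the firewall pattern) can be checked offline with a small model. The Python below is an added example and not code from the deck or from AWS: the route-table, gateway and instance IDs are the ones used on the slides, the firewall instance's address 10.10.3.10 is a constructed value, and the VPC router is simplified to longest-prefix match plus the source/destination check on an instance target.

```python
"""Toy model of VPC route-table semantics from slides 14-24 (added example).
IDs are the ones on the slides; the firewall address 10.10.3.10 is constructed."""
import ipaddress

# Route tables as set up by the CLI commands on slides 14-24. Every VPC route
# table carries an implicit 'local' route covering the VPC CIDR.
ROUTE_TABLES = {
    # main table: Internet-bound traffic is forced through the firewall
    # instance, corporate prefixes go to the VGW (slides 19 and 24)
    "rtb-ef36e58a": [
        ("10.10.0.0/16", "local"),
        ("0.0.0.0/0", "i-f832afcc"),
        ("192.168.0.0/16", "vgw-f9da06e7"),
    ],
    # table of the firewall subnet 10.10.3.0/24: straight to the IGW (slide 24)
    "rtb-67a2b31c": [
        ("10.10.0.0/16", "local"),
        ("0.0.0.0/0", "igw-5a1ae13f"),
    ],
}

# Subnet -> route table association (slides 14 and 20)
SUBNET_TABLE = {
    "10.10.1.0/24": "rtb-ef36e58a",
    "10.10.2.0/24": "rtb-ef36e58a",
    "10.10.3.0/24": "rtb-67a2b31c",
}

# Firewall instance. Its address is a constructed value; slide 21 disables the
# source/destination check on its ENI with --no-source-dest-check.
INSTANCE_IP = {"i-f832afcc": "10.10.3.10"}
SOURCE_DEST_CHECK = {"i-f832afcc": False}


def table_for(ip):
    """Route table associated with the subnet that contains ip."""
    addr = ipaddress.ip_address(ip)
    for cidr, rtb in SUBNET_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return rtb
    raise ValueError(f"{ip} is not in any known subnet")


def lookup(rtb, dst):
    """Longest-prefix match over one route table; returns the route target."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[rtb]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # None: no matching route at all


def trace(src, dst, source_dest_check=SOURCE_DEST_CHECK, max_hops=4):
    """Sequence of route targets a packet from src to dst passes through."""
    hops, cur = [], src
    for _ in range(max_hops):
        target = lookup(table_for(cur), dst)
        hops.append(target)
        if target is None or not target.startswith("i-"):
            return hops  # delivered locally or handed to a gateway
        if source_dest_check[target]:
            # The ENI is neither source nor destination, so EC2 drops the packet
            hops.append("dropped: source/dest check")
            return hops
        cur = INSTANCE_IP[target]  # the instance forwards via its own subnet
    hops.append("loop")
    return hops


if __name__ == "__main__":
    for src, dst in [("10.10.1.5", "8.8.8.8"), ("10.10.1.5", "192.168.1.10"),
                     ("10.10.1.5", "10.10.2.7"), ("10.10.3.10", "8.8.8.8")]:
        print(f"{src} -> {dst}: {trace(src, dst)}")
    print(trace("10.10.1.5", "8.8.8.8", source_dest_check={"i-f832afcc": True}))
```

The last call is the point of slide 21's --no-source-dest-check: with the check left on, a packet that the main table forces through i-f832afcc is dropped at that ENI even though the route itself is correct. The model also shows why the firewall subnet needs its own table: from 10.10.3.0/24, traffic for 192.168.0.0/16 falls to the default route and leaves via the IGW rather than the VGW.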
 25. VPC Peering
 26. Shared services VPC using VPC peering
     Common/core services:
     • Authentication/directory
     • Monitoring
     • Logging
     • Remote administration
     • Scanning
 27. Provides infrastructure zoning: Dev: VPC B; Test: VPC C; Production: VPC D
 28. VPC peering for VPC-to-VPC connectivity (VPC A – 10.10.0.0/16, vpc-c15180a4; VPC B – 10.20.0.0/16, vpc-062dfc63)
     aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
     aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
     VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
     VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
 29. VPC peering across accounts (VPC A – 10.10.0.0/16, vpc-c15180a4; VPC B – 10.20.0.0/16, vpc-062dfc63, Account ID 472752909333)
     aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333
     # In owner account 472752909333
     aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
 30. VPC peering – Additional considerations
     Security groups – use IP prefixes to allow access
     No “transit” capability for VPN, AWS Direct Connect, or 3rd VPCs
     • Example: Cannot access VPC C from VPC A via VPC B
     • Workaround: Create a direct peering from VPC A to VPC C
     Peer VPC address ranges cannot overlap
     • But, you can peer with 2+ VPCs that themselves overlap
     • Use subnets/routing tables to pick the VPC to use
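The three peering rules on slide 30 (peer ranges must not overlap, no transit through a middle VPC, and a VPC may peer with several VPCs that overlap each other) are easy to get wrong when a mesh grows. The following Python is an added example, not AWS code and not from the deck: it models peering connections as direct edges only, rejects overlapping ranges the way the API does, and uses constructed VPC IDs and CIDRs.

```python
"""Model of the VPC peering constraints on slide 30 (added example).
VPC IDs and CIDRs below are constructed, not from the deck."""
import ipaddress


def cidrs_overlap(cidr_a, cidr_b):
    """True if the two address ranges share at least one address."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


class PeeringMesh:
    """A peering connection is an edge between exactly two VPCs; traffic is
    never relayed across a third VPC, so reachability is not transitive."""

    def __init__(self):
        self.vpcs = {}          # vpc id -> CIDR
        self.peerings = set()   # frozenset({vpc id, vpc id})

    def add_vpc(self, vpc_id, cidr):
        self.vpcs[vpc_id] = cidr

    def can_peer(self, a, b):
        """Peer VPC address ranges cannot overlap (the request is rejected)."""
        return not cidrs_overlap(self.vpcs[a], self.vpcs[b])

    def peer(self, a, b):
        if not self.can_peer(a, b):
            raise ValueError(f"cannot peer {a} and {b}: address ranges overlap")
        self.peerings.add(frozenset((a, b)))

    def reachable(self, src, dst):
        """No transit: only a direct peering between src and dst counts."""
        return frozenset((src, dst)) in self.peerings


def build_example():
    mesh = PeeringMesh()
    mesh.add_vpc("vpc-A", "10.10.0.0/16")
    mesh.add_vpc("vpc-B", "10.20.0.0/16")
    mesh.add_vpc("vpc-C", "10.30.0.0/16")
    mesh.add_vpc("vpc-D", "10.20.5.0/24")  # overlaps vpc-B, but not vpc-A
    mesh.peer("vpc-A", "vpc-B")
    mesh.peer("vpc-B", "vpc-C")
    # Allowed: A overlaps neither B nor D, even though B and D overlap each
    # other; A's subnets/route tables then decide which peer 10.20.5.x goes to.
    mesh.peer("vpc-A", "vpc-D")
    return mesh


if __name__ == "__main__":
    mesh = build_example()
    print("A -> C via B:", mesh.reachable("vpc-A", "vpc-C"))   # False: no transit
    print("B may peer D:", mesh.can_peer("vpc-B", "vpc-D"))     # False: overlap
    mesh.peer("vpc-A", "vpc-C")                                 # the workaround
    print("A -> C direct:", mesh.reachable("vpc-A", "vpc-C"))  # True
```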
 31. VPC peering with software firewall (VPC A – 10.10.0.0/16, VPC B – 10.20.0.0/16)
     # Default routing table directs Peer traffic to the NAT/firewall instance
     aws ec2 create-route --ro rtb-ef36e58a --dest 10.20.0.0/16 --instance-id i-f832afcc
     # Routing table for 10.10.3.0/24 directs to the Peering
     aws ec2 create-route --ro rtb-67a2b31c --dest 10.20.0.0/16 --vpc-peer pcx-ee56be87
 32. Enhanced Networking
 33. Latency: Packets per second (diagram: Instance 1 to Instance 2)
 34. Packet processing in Amazon EC2: VIF (diagram: instance virtual NICs eth0/eth1, virtualization layer, physical NIC)
 35. Packet processing in Amazon EC2: SR-IOV (diagram: instance with VF driver, eth0/eth1, VF, virtualization layer, physical NIC)
 36. Inter-instance latency
 37. SR-IOV: Is this thing on? It may already be!
     For many newer AMIs, enhanced networking is already on: newest Amazon Linux AMIs, Windows Server 2012 R2 AMI. No need to configure.
 38. SRIOV: Is this thing on? (Linux)
     No:
     [ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
     driver: vif
     version:
     firmware-version:
     bus-info: vif-0
     …
     Yes!:
     [ec2-user@ip-10-0-3-70 ~]$ ethtool -i eth0
     driver: ixgbevf
     version: 2.14.2+amzn
     firmware-version: N/A
     bus-info: 0000:00:03.0
     …
 39. SRIOV: Is this thing on? (Windows) – No / Yes! (screenshots)
 40. AMI/instance support for SR-IOV
     C3, C4, I2, D2, R3 instance families: 23 types
     HVM virtualization type
     Required kernel version
     • Linux: 2.6.32+
     • Windows: Server 2008 R2+
     Appropriate VF driver
     • Linux: ixgbevf 2.14.2+ module
     • Windows: Intel® 82599 Virtual Function driver
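Slide 38 tells enhanced networking apart by the driver name in ethtool -i output, and slide 40 adds the minimum ixgbevf version. Checking a fleet by eye does not scale, so here is an added Python example (not from the deck, not AWS code) that parses that output and applies both rules. The two sample captures are the ones shown on slide 38, reproduced here as constructed strings; the required version defaults to the 2.14.2 named on slide 40.

```python
"""Parse `ethtool -i` output and decide whether SR-IOV enhanced networking is
active (added example; samples reproduce the two captures on slide 38)."""

# Constructed sample: paravirtual interface, enhanced networking off
ETHTOOL_VIF = """driver: vif
version:
firmware-version:
bus-info: vif-0
"""

# Constructed sample: Intel 82599 virtual function, enhanced networking on
ETHTOOL_IXGBEVF = """driver: ixgbevf
version: 2.14.2+amzn
firmware-version: N/A
bus-info: 0000:00:03.0
"""


def parse_ethtool(output):
    """Turn 'key: value' lines into a dict; splits on the first colon only,
    so a PCI bus-info such as 0000:00:03.0 survives intact."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def version_tuple(version):
    """'2.14.2+amzn' -> (2, 14, 2); the distro suffix after '+' is ignored."""
    core = version.split("+", 1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def check_enhanced_networking(output, min_version=(2, 14, 2)):
    """Apply the slide 38/40 rules: driver must be ixgbevf and at least
    min_version. Returns a dict with the verdict and the reason."""
    info = parse_ethtool(output)
    driver = info.get("driver", "")
    if driver != "ixgbevf":
        return {"enhanced": False, "driver": driver,
                "reason": "paravirtual NIC driver in use; SR-IOV not active"}
    found = version_tuple(info.get("version", ""))
    if found < min_version:
        wanted = ".".join(str(p) for p in min_version)
        return {"enhanced": False, "driver": driver,
                "reason": f"ixgbevf {info.get('version')} is older than required {wanted}"}
    return {"enhanced": True, "driver": driver,
            "reason": "ixgbevf VF driver bound to the interface"}


if __name__ == "__main__":
    for name, sample in [("vif", ETHTOOL_VIF), ("ixgbevf", ETHTOOL_IXGBEVF)]:
        print(name, check_enhanced_networking(sample))
```

On a live instance the same function can be fed the real output, for example with subprocess.run(["ethtool", "-i", "eth0"], capture_output=True, text=True).stdout; that call is standard-library Python and needs no AWS credentials.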
 41. Walkthrough: Enabling enhanced networking (Amazon Linux)
     AMI amzn-ami-hvm-2012.03.1.x86_64-ebs, virtualization type hvm
 42. Walkthrough: Enabling enhanced networking (Amazon Linux)
     --attribute sriovNetSupport (InstanceId i-37c5d1d9): Not yet!
 43. Walkthrough: Enabling enhanced networking (Amazon Linux)
     [ec2-user@ip-10-0-3-125 ~]$ sudo yum update
     OS update
 44. Walkthrough: Enabling enhanced networking (Amazon Linux)
     reboot-instances – Reboot (OS update)
 45. Walkthrough: Enabling enhanced networking (Windows)
 46. Walkthrough: Enabling enhanced networking (Windows)
     Add to Windows driver store
 47. Walkthrough: Enabling enhanced networking (All EBS-backed instances)
     stop-instances – Stop the instance
 48. Walkthrough: Enabling enhanced networking (All EBS-backed instances)
     stop-instances; --sriov-net-support simple – Enable SRIOV. Cannot be undone.
 49. Walkthrough: Enabling enhanced networking (All EBS-backed instances)
     start-instances – Start
 50. Walkthrough: Enabling enhanced networking (All EBS-backed instances)
     start-instances; --attribute sriovNetSupport (InstanceId i-37c5d1d9): Value simple. We’re on.
 51. VPC Endpoints for Amazon S3
 52. VPC Endpoints for Amazon S3
     Highly reliable
     Designed for the largest workloads
     Use S3 from VPC without an Internet Gateway or NAT instance
     Additional security controls
 53. VPC Endpoints for Amazon S3 (diagram, reused on slides 55–60: instance in a VPC, VPC router, VPC Endpoint vpce-abcd1234, ‘mypics’ bucket in the region)
 54. Creating a VPC Endpoint
     ec2-create-vpc-endpoint
 55. VPC Endpoints for Amazon S3
     Application resolves mypics.s3.amazonaws.com
     DNS responds with the usual IP addresses for Amazon S3
     Application connects to the chosen IP address
 56. VPC Endpoints for Amazon S3 – route table entry
     Destination: pl-1a2b3c4d (Prefix List com.amazonaws.us-west-1.s3)
     Target: vpce-abcd1234
 57. VPC Endpoints for Amazon S3
     IAM Policy on VPC Endpoint vpce-abcd1234: Allow access to bucket A; Deny access to other buckets
 58. VPC Endpoint Policy
 59. VPC Endpoints for Amazon S3
     IAM Policy on VPC Endpoint vpce-abcd1234: Allow access to bucket A; Deny access to other buckets
 60. VPC Endpoints for Amazon S3
     IAM Policy on bucket ‘mypics’: Allow access from vpce-abcd1234; Deny all other
 61. S3 Bucket Policy
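Slides 57 through 61 describe the two policies as one-line diagram labels: an endpoint policy that admits only the ‘mypics’ bucket, and a bucket policy that admits only requests arriving through vpce-abcd1234. The Python below is an added example, not from the deck and not AWS code. It writes both as IAM policy documents (the aws:sourceVpce condition key is the real one for this purpose) and adds a deliberately small evaluator so the two-sided check can be exercised offline; the evaluator handles only the constructs these two policies use (Allow/Deny, wildcard Action and Resource, StringEquals/StringNotEquals) and assumes the caller's identity policy already grants the S3 action.

```python
"""Endpoint policy (slide 57) and bucket policy (slide 60) as IAM JSON, with a
minimal evaluator for the constructs they use (added example, not AWS code)."""
import json
import re

ENDPOINT_ID = "vpce-abcd1234"   # endpoint id from the slides
BUCKET = "mypics"               # bucket name from the slides
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Endpoint policy: through this endpoint only 'mypics' is reachable; every
# other bucket falls to the implicit deny ("Deny access to other buckets").
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyMypicsViaEndpoint",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
    }],
}

# Bucket policy: refuse any request whose aws:sourceVpce is not this endpoint,
# which includes every request that did not come through a VPC endpoint at all.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}},
    }],
}


def _matches(pattern, value):
    """IAM-style wildcard match: '*' stands for any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            # Negated operator: a missing key counts as "not equal", as in IAM
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Returns 'allow', 'deny' or 'implicit-deny'; an explicit deny wins."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def s3_request_allowed(bucket, source_vpce=None, action="s3:GetObject"):
    """Combined outcome of the two resource policies for one request.
    Assumes the caller's IAM identity policy grants the action already."""
    resource = f"arn:aws:s3:::{bucket}/photo.jpg"  # constructed object key
    context = {}
    if source_vpce is not None:
        context["aws:sourceVpce"] = source_vpce
    if source_vpce == ENDPOINT_ID:
        # Traffic through this endpoint must first pass the endpoint policy;
        # another endpoint would apply its own (default: allow everything).
        if evaluate(ENDPOINT_POLICY, action, resource, context) != "allow":
            return False
    return evaluate(BUCKET_POLICY, action, resource, context) != "deny"


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for bucket, vpce in [(BUCKET, ENDPOINT_ID), ("other", ENDPOINT_ID),
                         (BUCKET, None), (BUCKET, "vpce-ffff0000")]:
        print(f"bucket={bucket} via={vpce}: {s3_request_allowed(bucket, vpce)}")
```

Two practical consequences fall out of the evaluation: the bucket policy alone already blocks access from outside the VPC, including the console and any administrator not coming through the endpoint, so it needs an exception for whoever must manage the bucket; and the endpoint policy is what stops an instance in the VPC from reaching an arbitrary bucket, which is the data-exfiltration control the slides label "Additional security controls".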
 62. AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.
     Details • July 1, 2015 • Chicago, Illinois • @ McCormick Place
     Featuring • New product launches • 36+ sessions, labs, and bootcamps • Executive and partner networking
     Registration is now open • Come and see what AWS and the cloud can do for you.
 63. CTA Script
     - If you are interested in learning more about how to navigate the cloud to grow your business - then attend the AWS Summit Chicago, July 1st.
     - Register today to learn from technical sessions led by AWS engineers, hear best practices from AWS customers and partners, and participate in some of the 30+ paid sessions and labs.
     - Simply go to https://aws.amazon.com/summits/chicago/?trkcampaign=summit_chicago_bootcamps&trk=Webinar_slide to register today.
     - Registration is FREE.
     TRACKING CODE: - Listed above.
 64. Thank You!!
