
AWS networking fundamentals

In this session, we walk through the fundamentals of Amazon VPC. First, we cover build-out and design fundamentals for VPCs, including picking your IP space, subnetting, routing, security, NAT, and much more. We then transition to different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision makers interested in understanding the building blocks that AWS makes available with Amazon VPC. Learn how you can connect VPCs with your offices and current data center footprint.


  1. SUMMIT London
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT. AWS Networking fundamentals. Perry Wald & Tom Adamski, AWS Solutions Architects
  3. Introductory - 200: “These sessions provide an overview of AWS services and features, and they assume that attendees are new to the topic. These sessions highlight basic use cases, features, functions, and benefits.”
  5. Default VPC: an Amazon Virtual Private Cloud (Amazon VPC) with a /16 IPv4 CIDR block (172.31.0.0/16) and /20 default subnets, one subnet in availability zone (AZ) 1 and one in AZ 2 (instances 172.31.0.128, 172.31.0.129, 172.31.1.24, 172.31.1.27; public addresses 54.4.5.6, 54.2.3.4), a connected Internet Gateway, a Security Group (SG) and a Network Access Control List (NACL)
  7. VPC concepts & fundamentals: IP addressing; creating subnets; routing in a VPC; security
  8. Choosing an IP address range
  9. Choosing an IP address range for your VPC (example: 172.31.0.0/16). RFC1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Recommended: /16 (65,536 addresses). Avoid ranges that overlap with other networks to which you might connect.
  10. Creating subnets in a VPC
  11. VPC subnets and Availability Zones: VPC 172.31.0.0/16 with one VPC subnet per Availability Zone: 172.31.0.0/24 in eu-west-1a, 172.31.1.0/24 in eu-west-1b, 172.31.2.0/24 in eu-west-1c
  12. IPv6 in your VPC: you can have a dual-stack VPC by adding an IPv6 CIDR. Fixed sizes for VPC and subnets: /56 VPC (4,722,366,482,869,645,213,696 addresses), /64 subnets (18,446,744,073,709,551,616 addresses)
  13. VPC subnets and Availability Zones (dual-stack): VPC 172.31.0.0/16 and 2600:1f16:14d:6300::/56; subnets 172.31.0.0/24 and 2600:1f16:14d:6300::/64 in eu-west-1a, 172.31.1.0/24 and 2600:1f16:14d:6301::/64 in eu-west-1b, 172.31.2.0/24 and 2600:1f16:14d:6302::/64 in eu-west-1c
  14. Routing in a VPC
  15. Routing in your VPC: route tables contain rules for which packets go where. Your VPC has a default route table, but you can create and assign different route tables to different subnets.
  16. Traffic destined for my VPC stays in my VPC
  17. But what about the Internet?
  18. Internet gateway (198.51.100.3) for inbound internet access: route table Destination 172.31.0.0/16 → Target local; Destination 0.0.0.0/0 → Target igw_id. NAT gateway (198.51.100.4) for outbound internet access: Destination 172.31.0.0/16 → Target local; Destination 0.0.0.0/0 → Target Nat_gw_id.
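The two route tables on slide 18 differ only in their default route, and that one entry decides whether a subnet is exposed to the internet or only has outbound access through NAT. The following Python is an added example, not code from the deck or from AWS: it models the slide's tables with the slide's placeholder target ids (igw_id, Nat_gw_id), resolves a destination with longest-prefix match the way a VPC route table does, and classifies a subnet as public or not from its default route, a check worth running over every route table in an account.

```python
import ipaddress

# Constructed route tables modelled on slide 18; the target ids are the slide's
# placeholders, not real AWS resource ids.
PUBLIC_SUBNET_ROUTES = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw_id")]
PRIVATE_SUBNET_ROUTES = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "Nat_gw_id")]
ISOLATED_SUBNET_ROUTES = [("172.31.0.0/16", "local")]


def lookup_route(route_table, destination):
    """Pick the target for a destination address the way a VPC route table does:
    the most specific (longest prefix) matching route wins, so the 'local' /16
    always beats the 0.0.0.0/0 default route for in-VPC destinations."""
    addr = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, target
    return best_target  # None when nothing matches: the packet has nowhere to go


def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if the subnet has no
    route towards the internet at all."""
    for cidr, target in route_table:
        if cidr == "0.0.0.0/0":
            return target
    return None


def is_public_subnet(route_table):
    """A subnet is reachable from the internet only if its default route points
    at an internet gateway; a NAT gateway target gives outbound-only access."""
    target = default_route_target(route_table)
    return target is not None and target.lower().startswith("igw")


if __name__ == "__main__":
    tables = [("public", PUBLIC_SUBNET_ROUTES),
              ("private", PRIVATE_SUBNET_ROUTES),
              ("isolated", ISOLATED_SUBNET_ROUTES)]
    for name, table in tables:
        print(name,
              "in-VPC ->", lookup_route(table, "172.31.1.24"),
              "internet ->", lookup_route(table, "198.51.100.3"),
              "public:", is_public_subnet(table))
```

The same lookup applies unchanged to the peering and Transit Gateway routes later in the deck: a /16 peer route or the 172.16.0.0/12 TGW summary route is just another entry competing on prefix length.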
  19. Network security: security groups; network access control list; flow logs
  21. Security groups follow application structure: a “MyWebServers” security group and a “MyBackends” security group that allows only “MyWebServers”
  22. Security groups example, web servers: allow HTTP traffic from anywhere
  23. Security groups example, backends: allow application traffic from web servers only
  25. Security groups vs. NACLs. Security group: operates at instance level; supports allow rules only; is stateful (return traffic is automatically allowed regardless of any rules); all rules are evaluated before deciding whether to allow traffic; applies only to instances explicitly associated with the security group. Network ACL: operates at subnet level; supports allow and deny rules; is stateless (return traffic must be explicitly allowed by rules); rules are evaluated in order when deciding whether to allow traffic; automatically applies to all instances launched into associated subnets. Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server).
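The three differences on slide 25 that bite in practice are statefulness, rule ordering and the implicit deny, and they are easiest to see by running one connection through both filters. The Python below is an added example, not the deck's or AWS's code: it simulates a security group (allow-only, every rule evaluated, stateful) and a network ACL (numbered allow/deny rules, first match wins, stateless) with constructed addresses, and shows why an NACL that only allows inbound port 22 silently drops the SSH reply until an outbound rule for the ephemeral port range is added, and how a lower-numbered deny beats a broader allow.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

    def reply(self):
        """The return packet of this packet (addresses and ports swapped)."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


def _matches(cidr, proto, lo, hi, remote_ip, pkt):
    """One rule matches if protocol, destination port range and remote CIDR all fit."""
    return (proto in (pkt.proto, "all") and lo <= pkt.dport <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Allow rules only, all rules evaluated (any match allows), stateful: the reply
    to an allowed packet is allowed whatever the other direction's rules say."""

    def __init__(self, inbound, outbound=()):
        self.inbound = list(inbound)    # (cidr, proto, port_from, port_to)
        self.outbound = list(outbound)
        self.flows = set()              # tracked connections awaiting a reply

    def allow_inbound(self, pkt):
        if pkt in self.flows:
            return True
        if any(_matches(*rule, pkt.src, pkt) for rule in self.inbound):
            self.flows.add(pkt.reply())  # remember so the reply is let out
            return True
        return False

    def allow_outbound(self, pkt):
        if pkt in self.flows:
            return True
        if any(_matches(*rule, pkt.dst, pkt) for rule in self.outbound):
            self.flows.add(pkt.reply())
            return True
        return False


class NetworkAcl:
    """Allow and deny rules evaluated in ascending rule-number order, first match
    wins, implicit '*' deny at the end; stateless, so replies need their own rule."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)    # (number, cidr, proto, port_from, port_to, action)
        self.outbound = sorted(outbound)

    @staticmethod
    def _evaluate(rules, remote_ip, pkt):
        for _number, cidr, proto, lo, hi, action in rules:
            if _matches(cidr, proto, lo, hi, remote_ip, pkt):
                return action == "allow"
        return False  # nothing matched: the '*' rule denies

    def allow_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src, pkt)

    def allow_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt.dst, pkt)


def demo():
    """Run one SSH connection through both filters; returns the verdicts."""
    # Constructed: an external client opening SSH to an instance in the VPC.
    ssh_in = Packet("203.0.113.5", "172.31.1.24", "tcp", 51000, 22)
    ssh_back = ssh_in.reply()

    sg = SecurityGroup(inbound=[("0.0.0.0/0", "tcp", 22, 22)])  # no outbound rules at all
    sg_in = sg.allow_inbound(ssh_in)
    sg_back = sg.allow_outbound(ssh_back)        # stateful: allowed without an outbound rule

    # Stateless NACL whose author only thought about the inbound direction.
    nacl = NetworkAcl(inbound=[(100, "0.0.0.0/0", "tcp", 22, 22, "allow")],
                      outbound=[(100, "0.0.0.0/0", "tcp", 443, 443, "allow")])
    nacl_in = nacl.allow_inbound(ssh_in)
    nacl_back = nacl.allow_outbound(ssh_back)    # reply to port 51000 hits the '*' deny

    # Same NACL with the ephemeral-port return rule added.
    fixed = NetworkAcl(inbound=nacl.inbound,
                       outbound=nacl.outbound + [(110, "0.0.0.0/0", "tcp", 1024, 65535, "allow")])
    fixed_back = fixed.allow_outbound(ssh_back)

    # Rule order: a lower-numbered deny for one range wins over the broader allow.
    ordered = NetworkAcl(inbound=[(100, "0.0.0.0/0", "tcp", 22, 22, "allow"),
                                  (50, "203.0.113.0/24", "tcp", 22, 22, "deny")],
                         outbound=fixed.outbound)
    ordered_in = ordered.allow_inbound(ssh_in)
    return {"sg_in": sg_in, "sg_reply": sg_back, "nacl_in": nacl_in, "nacl_reply": nacl_back,
            "nacl_reply_fixed": fixed_back, "nacl_deny_first": ordered_in}


if __name__ == "__main__":
    print(demo())
```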
  27. VPC flow logs (AZ 1, AZ 2): visibility; troubleshooting; analyze traffic flow
  28. VPC flow logs setup: VPC traffic metadata captured in Amazon S3 or Amazon CloudWatch Logs
  29. VPC flow logs format
  30. VPC flow logs format, example record: accept SSH from public address 210.21.226.2
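Slide 30's example, an accepted SSH session from a public address, is exactly the kind of record a flow-log consumer should surface. The Python below is an added example, not the deck's or AWS's code. It parses the default version-2 flow log record layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), tolerates NODATA records whose fields are "-", and reports accepted inbound TCP/22 flows whose source is a globally routable address. The account id, interface id, timestamps and all addresses other than the slide's 210.21.226.2 are constructed sample values.

```python
import ipaddress

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (account id, ENI id, timestamps and the other
# addresses are made up); 210.21.226.2 is the source shown on slide 30.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 210.21.226.2 172.31.1.24 43212 22 6 20 4249 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.31.1.24 210.21.226.2 22 43212 6 18 3120 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.31.0.128 172.31.1.24 51234 22 6 12 2048 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 172.31.1.24 50001 22 6 1 60 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 172.31.1.24 50002 80 6 9 1400 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1560000000 1560000060 - NODATA
"""

NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_record(line):
    """Split one space-separated record into a dict. Numeric fields become ints;
    the '-' placeholder used in NODATA/SKIPDATA records becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in NUMERIC:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def accepted_ssh_from_public(log_text):
    """Return (srcaddr, dstaddr) pairs for accepted inbound SSH (TCP, dstport 22)
    whose source address is globally routable (not RFC1918, link-local, etc.).
    The reverse half of the flow (srcport 22) and REJECT/NODATA records are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        if rec["protocol"] != 6 or rec["dstport"] != 22:
            continue
        if ipaddress.ip_address(rec["srcaddr"]).is_global:
            hits.append((rec["srcaddr"], rec["dstaddr"]))
    return hits


if __name__ == "__main__":
    for src, dst in accepted_ssh_from_public(SAMPLE_LOG):
        print(f"accepted SSH from public address {src} to {dst}")
```

The filter on `log_status` matters: NODATA and SKIPDATA records carry no addresses, and a parser that assumes every field is populated will crash or, worse, silently mis-count them.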
  31. DNS in a VPC
  32. VPC DNS options: use the Amazon DNS server; have EC2 auto-assign DNS host names to instances
  34. Connecting your VPC: connecting to other VPCs; connecting to your on-premises network
  35. Connecting to other VPCs: VPC Peering; Transit Gateway
  37. VPC peering
  38. VPC peering: full private IP connectivity between two VPCs; can peer VPCs across regions; VPCs can be in different accounts; VPC CIDR ranges must not overlap
  39. Establish a VPC peering (172.31.0.0/16 and 10.55.0.0/16), step 1: initiate peering request
  40. Establish a VPC peering, step 2: accept peering request
  41. Establish a VPC peering, step 3: create a route; traffic destined for the peered VPC should go to the peering connection
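Slides 38 to 41 give the precondition (non-overlapping CIDRs) and the three steps, the last of which is a route on each side pointing the peer's CIDR at the peering connection. The Python below is an added example, not the deck's or AWS's code: it checks the overlap rule with the deck's two VPCs (172.31.0.0/16 and 10.55.0.0/16), then emits the step-3 route for each side. It goes slightly beyond the slides by also refusing a peer that overlaps any network the local VPC can already reach, which is this example's own stricter policy following slide 9's advice rather than an AWS requirement. The peering id `pcx-EXAMPLE` is a placeholder.

```python
import ipaddress


def cidrs_overlap(cidr_a, cidr_b):
    """True when the two blocks share any address; e.g. 172.31.0.0/16 lies inside 172.16.0.0/12."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def plan_peering(local_cidr, peer_cidr, already_reachable, peering_id):
    """Validate the peering preconditions and return the route each side adds in
    step 3: destination = the other VPC's CIDR, target = the peering connection.

    already_reachable: CIDRs the local VPC can already route to (other peers,
    on-premises ranges). Rejecting overlaps with these is this example's own
    policy: a colliding peer route would compete on prefix length with routes
    that already exist and make reachability depend on which one is longer."""
    if cidrs_overlap(local_cidr, peer_cidr):
        raise ValueError(f"{peer_cidr} overlaps this VPC's own range {local_cidr}")
    for existing in already_reachable:
        if cidrs_overlap(existing, peer_cidr):
            raise ValueError(f"{peer_cidr} overlaps an already reachable network {existing}")
    return {
        "requester_route": (peer_cidr, peering_id),   # added to the local VPC's route table
        "accepter_route": (local_cidr, peering_id),   # added to the peer VPC's route table
    }


def peering_allowed(local_cidr, peer_cidr, already_reachable=()):
    """Convenience wrapper: True if plan_peering accepts the pair, False otherwise."""
    try:
        plan_peering(local_cidr, peer_cidr, already_reachable, "pcx-EXAMPLE")  # placeholder id
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The deck's pair from slides 39-41 (peering id is a placeholder).
    print(plan_peering("172.31.0.0/16", "10.55.0.0/16", ["192.168.0.0/16"], "pcx-EXAMPLE"))
    # A second default-sized VPC still using 172.31.0.0/16 cannot be peered.
    print("identical ranges allowed:", peering_allowed("172.31.0.0/16", "172.31.0.0/16"))
```

The identical-range case is the common one: every default VPC uses 172.31.0.0/16, which is why slide 9 recommends picking a deliberate range up front.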
  43. Before Transit Gateway …
  44. With Transit Gateway …
  45. With Transit Gateway …: traffic destined for any VPC in the 172.16.0.0/12 range should go via the TGW; route back to our VPC
  46. With Transit Gateway …: centralized private IP connectivity between multiple VPCs; VPCs must be in the same region as the Transit Gateway; VPCs can be in different accounts
  47. VPC peering or TGW? VPC limit: 125 peerings (VPC Peering) vs. 5,000 attachments (Transit Gateway). Bandwidth limit: N/A intra-region vs. 50 Gbps per VPC attachment. Management: decentralised vs. centralised. Cost dimensions: data transfer vs. data transfer & attachment.
  48. Connecting to on-premises networks: AWS VPN; AWS Direct Connect
  49. Extend an on-premises network into your VPC: AWS VPN; AWS Direct Connect
  50. AWS VPN basics: your networking device (customer gateway, 192.168.0.0/16) connects to the virtual private gateway (VPC 172.31.0.0/16) over a VPN connection made of two IPsec tunnels; the VPC routes 192.168/16 to the VPN
  51. AWS Direct Connect basics: at the AWS Direct Connect location, the customer or partner cage connects to the AWS cage; the customer network (192.168.0.0/16) reaches the virtual private gateway (VPC 172.31.0.0/16) over a private virtual interface (VLAN) and AWS services over a public virtual interface (VLAN)
  52. AWS Direct Connect – multiple VPCs: at the AWS Direct Connect location, the customer or partner cage connects to the AWS cage; the customer network (192.168.0.0/16) uses a private virtual interface (VLAN) to an AWS Direct Connect Gateway
  53. Before Transit Gateway …: customer networks, Customer Gateway, Direct Connect Gateway
  54. With Transit Gateway …: customer networks, Direct Connect Gateway, Customer Gateway
  55. With Transit Gateway …: route to on-premises via VPN (or Direct Connect); route to on-premises via TGW
  56. What about DNS?
  57. Amazon Route 53 Resolver for hybrid clouds: conditional forwarding rules
  59. …more AWS networking: VPC Sharing; VPC endpoints and AWS PrivateLink; Amazon Global Accelerator
  60. Sharing VPC resources
  61. VPC Sharing – owner account: infrastructure account (NACL, NACL)
  62. VPC Sharing – participant accounts: Account Web, Account APP, Account DB
  63. Why VPC sharing? Preserve IP space: use fewer IPv4 CIDRs. Interconnectivity: no VPC Peering required. Billing and security: continue to enjoy segregation with multiple accounts. Separation of duties: a central team can create and manage your Amazon VPC. Same-AZ cost for data transfer is nil!
  64. VPC endpoints: gateway VPC endpoints; interface VPC endpoints; PrivateLink
  65. Gateway VPC endpoints: Amazon S3 and DynamoDB; route S3-bound traffic to the VPC endpoint (S3 bucket)
  66. Interface VPC endpoints: private IPs 172.31.1.6 and 172.31.2.10 in the VPC front the AWS service APIs (*service*.eu-west-1.amazonaws.com)
  67. AWS PrivateLink: VPC endpoint services; endpoint vpce-1234, private IP 10.10.1.6
  68. Amazon Global Accelerator
  69. Introducing AWS Global Accelerator: Client → Global Accelerator → AWS applications
  70. Introducing AWS Global Accelerator: local ISP, networks A, B, C, D, E, F, access application! Accessing your application is not this straightforward: it can take many networks to reach the application; paths to and from the application may differ; each hop impacts performance and can introduce risk
  71. Accessing your web applications with AWS Global Accelerator: local ISP → AWS network. Adding AWS Global Accelerator removes these inefficiencies and leverages the global AWS network, resulting in improved performance
  73. DATACENTER
  74. Thank you! Perry Wald perrwald@amazon.co.uk, Tom Adamski tomada@amazon.co.uk
