AWS Networking Fundamentals
- 1. SUMMIT BAHRAIN
- 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
AWS Networking Fundamentals
Sumeeth Siriyur
Senior Solutions Architect
AWS
- 3. ?
- 4.
- 5. What is a VPC?
- 6. Amazon VPC concepts & fundamentals
• IP addressing
• Creating subnets
• Routing in an Amazon VPC
• Security
• DNS in an Amazon VPC with Amazon Route 53
- 7. Choosing an IP address range
- 8. Choosing an IP address range for your Amazon VPC
• Example in the diagram: 172.31.0.0/16
• Recommended: RFC1918 range
• Recommended: /16 (65,536 addresses)
• Avoid ranges that overlap with other networks to which you might connect
- 9. Creating subnets in an Amazon VPC
- 10. Amazon VPC subnets and Availability Zones
VPC CIDR: 172.31.0.0/16
Availability Zone | Amazon VPC subnet
me-south-1a | 172.31.0.0/24
me-south-1b | 172.31.1.0/24
me-south-1c | 172.31.2.0/24
- 11. IPv6 in your Amazon VPC
• Can have a dual-stack Amazon VPC by adding an IPv6 CIDR
• Fixed sizes for Amazon VPC and subnets:
• /56 VPC (4,722,366,482,869,645,213,696 addresses)
• /64 subnets (18,446,744,073,709,551,616 addresses)
- 12. Amazon VPC subnets and Availability Zones
VPC CIDRs: 172.31.0.0/16 and 2600:1f16:14d:6300::/56
Availability Zone | IPv4 subnet | IPv6 subnet
me-south-1a | 172.31.0.0/24 | 2600:1f16:14d:6300::/64
me-south-1b | 172.31.1.0/24 | 2600:1f16:14d:6301::/64
me-south-1c | 172.31.2.0/24 | 2600:1f16:14d:6302::/64
- 13.
- 14. Routing in your Amazon VPC
• Route tables contain rules for which packets go where
• Your Amazon VPC has a default route table
• But you can create and assign different route tables to different subnets
- 15. Traffic destined for my Amazon VPC stays in my VPC
- 16.
- 17. Amazon VPC DNS options
• Use Amazon DNS server
• Have EC2 auto-assign DNS host names to instances
- 18. Amazon Route 53 private hosted zones
Private Hosted Zone: example.demohostedzone.org → 172.31.0.99
- 19. Amazon Route 53 resolver for hybrid clouds
• Route 53 Resolver endpoints
• Conditional forwarding rules
- 20. Network security: Security Groups, Network Access Control List, Flow Logs
- 21. Security groups follow application structure
(Diagram: IGW → four Web instances → three App instances)
• “MyWebServers” security group: allow web traffic on 0.0.0.0/0
• “MyBackends” security group: allow only “MyWebServers”
- 22. Security groups example: Web servers
Allow HTTP traffic from anywhere
- 23. Security groups example: Backends
Allow application traffic from web servers only
- 24. Network security: Security Groups, Network Access Control List, Flow Logs
- 25. Security groups vs. NACLs
Security group | Network ACL
Operates at instance level | Operates at subnet level
Supports allow rules only | Supports allow and deny rules
Is stateful: return traffic is automatically allowed regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
All rules evaluated before deciding whether to allow traffic | Rules evaluated in order when deciding whether to allow traffic
Applies only to instances explicitly associated with the security group | Automatically applies to all instances launched into associated subnets
 | Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
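The comparison above describes two different evaluation models. The script below is an added example (mine, not from the deck or from AWS) that models both so the consequences are visible: a security group is allow-only and stateful, so it admits the reply of an allowed flow without any outbound rule but cannot deny one specific source; a network ACL is stateless and ordered, so a deny rule with a lower number wins and replies need an explicit ephemeral-port rule. The rule and packet shapes, the connection-tracking set and all addresses are assumptions constructed for the demonstration.

```python
"""Added example (not from the deck): model of security-group vs network-ACL
evaluation. Rule and packet shapes, the connection-tracking set and all
addresses are assumptions constructed for this demonstration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The reply to this packet: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)


def rule_matches(rule: dict, pkt: Packet, direction: str) -> bool:
    """Direction, protocol, peer address and destination port must all agree.
    The peer is the source for inbound packets and the destination for outbound."""
    peer = pkt.src if direction == "inbound" else pkt.dst
    lo, hi = rule["ports"]
    return (rule["direction"] == direction
            and rule["proto"] in (pkt.proto, "all")
            and ip_address(peer) in ip_network(rule["cidr"])
            and lo <= pkt.dport <= hi)


@dataclass
class SecurityGroup:
    """Stateful and allow-only: every rule is consulted and any match allows;
    the reply of an allowed flow is admitted without consulting the rules."""
    rules: list
    tracked: set = field(default_factory=set)  # replies we expect to see

    def allows(self, pkt: Packet, direction: str) -> bool:
        if pkt in self.tracked:
            return True
        if any(rule_matches(r, pkt, direction) for r in self.rules):
            self.tracked.add(pkt.reverse())
            return True
        return False


@dataclass
class NetworkACL:
    """Stateless and ordered: rules are tried by ascending number, the first
    match decides (allow or deny), and the trailing '*' rule denies the rest."""
    rules: list

    def allows(self, pkt: Packet, direction: str) -> bool:
        for r in sorted(self.rules, key=lambda rule: rule["number"]):
            if rule_matches(r, pkt, direction):
                return r["action"] == "allow"
        return False


def demo() -> dict:
    """Web-server security group (HTTP in, no outbound rule at all) and a
    subnet NACL with an explicit deny, an HTTP allow and an ephemeral-port
    allow for replies. Addresses are constructed documentation ranges."""
    web_sg = SecurityGroup(rules=[
        {"direction": "inbound", "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (80, 80)},
    ])
    subnet_nacl = NetworkACL(rules=[
        {"number": 90, "direction": "inbound", "proto": "tcp",
         "cidr": "198.51.100.7/32", "ports": (0, 65535), "action": "deny"},
        {"number": 100, "direction": "inbound", "proto": "tcp",
         "cidr": "0.0.0.0/0", "ports": (80, 80), "action": "allow"},
        {"number": 100, "direction": "outbound", "proto": "tcp",
         "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"},
    ])
    # Same NACL without the ephemeral-port rule: replies have nothing to match.
    no_ephemeral = NetworkACL(rules=[r for r in subnet_nacl.rules if r["direction"] == "inbound"])

    request = Packet("203.0.113.5", "172.31.0.10", 51515, 80)
    reply = request.reverse()
    noisy = Packet("198.51.100.7", "172.31.0.10", 40000, 80)
    return {
        "sg_request": web_sg.allows(request, "inbound"),         # True
        "sg_reply": web_sg.allows(reply, "outbound"),            # True: tracked, no rule needed
        "sg_noisy": web_sg.allows(noisy, "inbound"),             # True: allow-only, cannot deny
        "nacl_request": subnet_nacl.allows(request, "inbound"),  # True: rule 100
        "nacl_reply": subnet_nacl.allows(reply, "outbound"),     # True: ephemeral rule
        "nacl_noisy": subnet_nacl.allows(noisy, "inbound"),      # False: rule 90 wins
        "nacl_reply_no_ephemeral": no_ephemeral.allows(reply, "outbound"),  # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25s} {'ALLOW' if verdict else 'DENY'}")
```

The two results worth remembering from the run: the security group passes the noisy source because it has no way to express a deny (that is what the NACL's rule 90 is for), and the NACL drops the server's reply the moment the outbound ephemeral-port rule is missing, because nothing remembers the inbound request.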
- 26. Network security: Security Groups, Network Access Control List, Flow Logs
- 27. Amazon VPC Flow Logs
• Visibility
• Troubleshooting
• Analyze traffic
(Diagram: flow logs from a VPC spanning AZ 1 and AZ 2, delivered to Amazon S3 or Amazon CloudWatch Logs)
- 28. Amazon VPC Flow Logs: Setup
VPC traffic metadata captured in Amazon S3 or Amazon CloudWatch Logs
- 29. Amazon VPC Flow Logs format
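The slide shows the record format as an image. As an added example (not the deck's code), the parser below reads the default version-2 flow-log field order, which it assumes to be: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status. It skips records whose log-status is not OK (NODATA, SKIPDATA) and summarises rejected connections per source, the kind of visibility and troubleshooting use slide 27 lists. The sample records, account id, ENI id and addresses are constructed placeholders.

```python
"""Added example (not the deck's code): parse default version-2 VPC Flow Logs
records and summarise rejected connections per source. Field order assumed:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status. Sample records, account id, ENI id
and addresses are constructed placeholders."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: an accepted HTTP exchange, rejected probes from one
# address against ports 22 and 3389, and a NODATA record for an idle window.
SAMPLE_RECORDS = """\
2 123456789012 eni-0abc123 203.0.113.5 172.31.0.10 51515 80 6 20 14000 1551000000 1551000060 ACCEPT OK
2 123456789012 eni-0abc123 172.31.0.10 203.0.113.5 80 51515 6 18 92000 1551000000 1551000060 ACCEPT OK
2 123456789012 eni-0abc123 198.51.100.7 172.31.0.10 40001 22 6 1 60 1551000000 1551000060 REJECT OK
2 123456789012 eni-0abc123 198.51.100.7 172.31.0.10 40002 22 6 1 60 1551000000 1551000060 REJECT OK
2 123456789012 eni-0abc123 198.51.100.7 172.31.0.10 40003 3389 6 1 60 1551000000 1551000060 REJECT OK
2 123456789012 eni-0abc123 - - - - - - - 1551000060 1551000120 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record. Records whose log-status is not OK (NODATA, SKIPDATA)
    carry '-' in the traffic fields and are returned as None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), action=rec["action"],
    )


def parse_records(text: str) -> List[FlowRecord]:
    parsed = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in parsed if r is not None]


def summarize(text: str) -> dict:
    """Bytes accepted, and for each source with REJECT records: how many and
    which destination ports it tried (a quick probe indicator for triage)."""
    records = parse_records(text)
    accepted_bytes = sum(r.bytes for r in records if r.action == "ACCEPT")
    reject_counts: Counter = Counter()
    reject_ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            reject_counts[r.srcaddr] += 1
            reject_ports[r.srcaddr].add(r.dstport)
    rejects = {src: (n, sorted(reject_ports[src])) for src, n in reject_counts.items()}
    return {"records": len(records), "accepted_bytes": accepted_bytes, "rejects": rejects}


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

Two caveats carry over to real data: REJECT records only tell you that a security group or NACL dropped the packet, not which one, and a record aggregates a capture window rather than a single packet, so the packet and byte counts are window totals.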
- 30.
- 31. Connecting your Amazon VPC, or not
• Internet connectivity
• Connecting to other Amazon VPCs
• Connecting to your on-premises network
- 32. Internet connectivity or not
- 33. Let’s take a closer look
(Diagram: VPC CIDR 10.1.0.0/16 in one AWS Region with Availability Zone 1 and Availability Zone 2; each AZ has a public subnet and a private subnet. Instance A 10.1.0.11/24 and Instance B 10.1.1.11/24 sit in the public subnets with Elastic IPs 54.23.12.43 and 54.19.12.23; Instance C 10.1.2.11/24 and Instance D 10.1.3.11/24 sit in the private subnets. An IGW connects the VPC to the Internet and a NAT-GW per AZ gives the private subnets outbound access. Outside the VPC: Amazon S3, Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS, AWS IoT Greengrass.)
Public subnet route table: 10.1.0.0/16 Local; 0.0.0.0/0 IGW
Private subnet route table: 10.1.0.0/16 Local; 0.0.0.0/0 NAT-GW
- 34. Connecting to other Amazon VPCs: VPC Peering, AWS Transit Gateway
- 35. VPC peering
• Full private IP connectivity between two Amazon VPCs
• Can peer VPCs across Regions
• Amazon VPCs can be in different accounts
• Amazon VPC CIDR ranges must not overlap
(Diagram: VPC A, VPC B, VPC C and VPC D with CIDRs 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16)
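Slide 8 recommends an RFC 1918 range and warns against overlapping any network you might later connect to; the last bullet above makes the same non-overlap requirement for peering. The helper below is an added example (not from the deck) that checks a candidate VPC CIDR against both rules with Python's ipaddress module and decides whether two VPCs can peer. The candidate and the existing networks are constructed; the /16 to /28 bound is the documented VPC IPv4 CIDR block size limit, which the slide does not mention.

```python
"""Added example (not from the deck): validate a candidate VPC IPv4 CIDR
against the two rules on slides 8 and 35: prefer an RFC 1918 range and avoid
overlap with any network you may later connect to. The candidate and the
existing networks are constructed for this example."""
from ipaddress import ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 28   # VPC IPv4 CIDR block size limits (/16 largest, /28 smallest)


def is_rfc1918(cidr: str) -> bool:
    net = ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(cidr: str, existing: dict) -> list:
    """Names of existing networks ({name: cidr}) that overlap the candidate."""
    net = ip_network(cidr, strict=True)
    return sorted(name for name, other in existing.items() if net.overlaps(ip_network(other)))


def check_vpc_cidr(candidate: str, existing: dict) -> dict:
    """Apply all three checks and report each one plus an overall verdict."""
    net = ip_network(candidate, strict=True)   # strict: reject host bits set in the prefix
    size_ok = MIN_PREFIX <= net.prefixlen <= MAX_PREFIX
    conflicts = find_overlaps(candidate, existing)
    private = is_rfc1918(candidate)
    return {
        "rfc1918": private,
        "size_ok": size_ok,
        "conflicts": conflicts,
        "ok": private and size_ok and not conflicts,
    }


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """VPC peering requires non-overlapping CIDRs (slide 35)."""
    return not ip_network(cidr_a).overlaps(ip_network(cidr_b))


def demo() -> dict:
    # Constructed: a VPC we already peer with, the on-premises range, and the
    # slides' own 172.31.0.0/16 VPC.
    existing = {"VPC B (peer)": "10.55.0.0/16",
                "on-premises": "192.168.0.0/16",
                "VPC A": "172.31.0.0/16"}
    return {
        "clean": check_vpc_cidr("10.0.0.0/16", existing),
        "overlaps_peer": check_vpc_cidr("10.55.128.0/17", existing),
        "not_private": check_vpc_cidr("100.64.0.0/16", existing),
        "too_big": check_vpc_cidr("10.0.0.0/8", existing),
        "peer_ok": can_peer("172.31.0.0/16", "10.55.0.0/16"),
        "peer_clash": can_peer("10.0.0.0/16", "10.0.128.0/17"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The overlap check is the one to run before peering, attaching a VPN, or propagating into a Transit Gateway route table, because an overlapping prefix is silently unreachable from one side rather than rejected loudly.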
- 36. Establish VPC peering: Initiate request
Step 1: Initiate peering request (172.31.0.0/16 to 10.55.0.0/16)
- 37. Establish VPC peering: Accept request
Step 1: Initiate peering request (172.31.0.0/16 to 10.55.0.0/16)
Step 2: Accept peering request
- 38. Establish VPC peering: Create a route
Step 1: Initiate peering request (172.31.0.0/16 to 10.55.0.0/16)
Step 2: Accept peering request
Step 3: Create a route. Traffic destined for the peered Amazon VPC should go to the peering
- 39. Connecting to other VPCs: VPC Peering, AWS Transit Gateway and beyond…
- 40. Before AWS Transit Gateway…
(Diagram: several Amazon VPCs connected pairwise by VPC peering, each with its own AWS VPN connection to a customer gateway, plus an AWS Direct Connect Gateway)
- 41. (Diagram: five VPCs A to E joined by peering connections PCX-1 to PCX-4)
Route table of VPC B
Destination | Target
B | Local
A | PCX-1
C | PCX-2
D | PCX-3
E | PCX-4
- 42. With AWS Transit Gateway…
(Diagram: one AWS Transit Gateway as the hub for four Amazon VPCs, an AWS VPN connection to a customer gateway, and AWS Direct Connect Gateway (coming soon))
- 43. With AWS Transit Gateway…
(Diagram: VPC A, VPC B, VPC C and an on-premises network attached to one AWS Transit Gateway with route tables RT1 and RT2)
Route table of VPC B
Destination | Target
B | Local
0.0.0.0/0 | TGW
AWS Transit Gateway Route Table
VPC A: Attachment 1
VPC B: Attachment 2
VPC C: Attachment 3
On-premises: AWS VPN 4
- 44. AWS Transit Gateway concepts
• Attachment: the connection from an Amazon VPC or AWS VPN to an AWS Transit Gateway
• Association: the route table used to route packets coming from an attachment (from an Amazon VPC or AWS VPN)
• Propagation: the route table where the attachment’s routes are installed
- 45. (Diagram: VPCs Alpha 10.1.0.0/16, Beta 10.2.0.0/16 and Gamma 10.3.0.0/16 attached to an AWS Transit Gateway as attachments X, Y and Z)
AWS Transit Gateway route table RT1
Associations: X, Y, Z
Propagations: Alpha from X; Beta from Y; Gamma from Z
Routes: 10.1.0.0/16 via X; 10.2.0.0/16 via Y; 10.3.0.0/16 via Z
VPC Alpha subnet route table
Destination | Target
10.1.0.0/16 | Local
0.0.0.0/0 | AWS Transit Gateway
VPC Alpha subnet route table (public)
Destination | Target
10.1.0.0/16 | Local
0.0.0.0/0 | IGW
10.0.0.0/8 | AWS Transit Gateway
- 46. After: AWS Transit Gateway
(Diagram: VPCs Alpha 10.1.0.0/16, Beta 10.2.0.0/16 and Gamma 10.3.0.0/16 attached as X, Y and Z; 10.8.0.0/16 and 10.9.0.0/16 reachable via X)
AWS Transit Gateway route table RT1
Associations: X, Y, Z
Propagations: Alpha from X; Beta from Y; Gamma from Z
Routes: 10.1.0.0/16 via X; 10.2.0.0/16 via Y; 10.3.0.0/16 via Z; 10.8.0.0/16 via X; 10.9.0.0/16 via X
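Covering both the VPC route tables of slides 14 to 16 and 33 and the attachment, association and propagation model of slides 44 to 46, the model below is an added example and not AWS code. It implements longest-prefix-match lookup for a VPC route table and a Transit Gateway whose route tables are filled by propagation and consulted according to the source attachment's association, then traces a packet through both hops. The attachment ids X, Y, Z, the VPC names, CIDRs and Alpha's route table follow the slides; the data structures, the `trace` helper and the RT2 segmentation scenario (Gamma allowed to reach Alpha but not Beta) are assumptions of mine.

```python
"""Added example (not from the deck): model of VPC route-table lookup plus
AWS Transit Gateway attachments, associations and propagations. Names and
CIDRs follow the slides; the structures and the RT2 scenario are mine."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def longest_prefix_match(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """routes: list of (cidr, target). Returns the target of the most specific
    route containing dst, or None when no route matches (packet is dropped)."""
    addr = ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


@dataclass
class TransitGateway:
    attachments: dict = field(default_factory=dict)   # attachment id -> CIDRs behind it
    tables: dict = field(default_factory=dict)        # route table name -> [(cidr, attachment)]
    associations: dict = field(default_factory=dict)  # attachment id -> route table name

    def add_attachment(self, att_id: str, cidrs: List[str]) -> None:
        self.attachments[att_id] = list(cidrs)

    def associate(self, att_id: str, table: str) -> None:
        """Packets arriving from att_id are looked up in `table`."""
        self.tables.setdefault(table, [])
        self.associations[att_id] = table

    def propagate(self, att_id: str, table: str) -> None:
        """Install the attachment's CIDRs into `table` with att_id as next hop."""
        self.tables.setdefault(table, [])
        for cidr in self.attachments[att_id]:
            self.tables[table].append((cidr, att_id))

    def forward(self, from_att: str, dst: str) -> Optional[str]:
        """Egress attachment for a packet that entered via from_att."""
        table = self.associations.get(from_att)
        if table is None:
            return None  # an attachment without an association routes nothing
        return longest_prefix_match(self.tables[table], dst)


def build_slide_topology() -> TransitGateway:
    """RT1 as on slide 45: every attachment associated with and propagating into it."""
    tgw = TransitGateway()
    tgw.add_attachment("X", ["10.1.0.0/16"])   # VPC Alpha
    tgw.add_attachment("Y", ["10.2.0.0/16"])   # VPC Beta
    tgw.add_attachment("Z", ["10.3.0.0/16"])   # VPC Gamma
    for att in "XYZ":
        tgw.associate(att, "RT1")
        tgw.propagate(att, "RT1")
    return tgw


# VPC Alpha's public subnet route table from slide 45
ALPHA_ROUTES = [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "IGW"), ("10.0.0.0/8", "TGW")]


def trace(tgw: TransitGateway, vpc_routes, from_att: str, dst: str) -> list:
    """Hop sequence for a packet leaving a VPC subnet: the VPC route table
    first, and the Transit Gateway route table only if the VPC sent it there."""
    first = longest_prefix_match(vpc_routes, dst)
    if first != "TGW":
        return [first]
    return ["TGW", tgw.forward(from_att, dst)]


def demo() -> dict:
    tgw = build_slide_topology()
    results = {
        "alpha_local": trace(tgw, ALPHA_ROUTES, "X", "10.1.5.5"),        # ['Local']
        "alpha_to_beta": trace(tgw, ALPHA_ROUTES, "X", "10.2.5.5"),      # ['TGW', 'Y']
        "alpha_to_internet": trace(tgw, ALPHA_ROUTES, "X", "8.8.8.8"),   # ['IGW']
        "alpha_to_unknown_10": trace(tgw, ALPHA_ROUTES, "X", "10.9.1.1"),  # ['TGW', None]: RT1 has no route
    }
    # Segmentation (my scenario): move Gamma's attachment to its own table that
    # only learns Alpha's routes, so Gamma can reach Alpha but not Beta.
    tgw.associate("Z", "RT2")
    tgw.propagate("X", "RT2")
    results["gamma_to_alpha"] = tgw.forward("Z", "10.1.0.9")   # 'X'
    results["gamma_to_beta"] = tgw.forward("Z", "10.2.0.9")    # None
    return results


if __name__ == "__main__":
    for name, hops in demo().items():
        print(f"{name:22s} {hops}")
```

The last two results are the point of the association and propagation split: which table a packet is looked up in is decided by the source attachment's association, and what that table knows is decided by propagation, so reachability between attachments is a policy you set rather than a consequence of being attached.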
- 47. After: AWS Transit Gateway – the console
- 48. After: AWS Transit Gateway – the console (screenshot: a Transit Gateway named “Unicorn TGW”, description “This TGW is Awesome”)
- 49. After: AWS Transit Gateway – the console
- 50. AWS Transit Gateways per account / AWS Transit Gateway attachments per Amazon VPC: 5
Maximum burstable bandwidth per attachment: 50 Gbps
- 51. Maximum bandwidth per VPN connection: 1.25 Gbps*
* With ECMP, you can distribute traffic over multiple tunnels, e.g. 8 tunnels = 10 Gbps
- 52. Routes per AWS Transit Gateway: 10,000
Number of AWS Transit Gateway attachments per Region per account: 5,000 !!!
- 53. Cross-Region connectivity? AWS Transit Gateway is a Region-level construct today
- 54. Connecting to on-premises networks: AWS VPN, AWS Direct Connect
- 55. (Diagram: on-premises customer gateway (CGW) connected across the Internet to a virtual private gateway (VGW) by IPsec tunnels over the internet: IPsec Tunnel 1 - Primary and IPsec Tunnel 2 - Secondary)
- 56. (Diagram: the same on-premises customer gateway (CGW) connected across the internet to an AWS Transit Gateway by IPsec Tunnel 1 - Primary and IPsec Tunnel 2 - Secondary)
- 57. (Diagram: a user with an OpenVPN client connects over a TLS-based tunnel over the Internet to a Client VPN endpoint, which has an attachment to an Amazon VPC; from there the client reaches on-premises networks, Amazon S3 and Amazon DynamoDB)
- 58. Connecting to on-premises networks: AWS VPN, AWS Direct Connect
- 59. AWS Direct Connect
(Diagram: on premises 192.168.0.0/16 → service provider network → customer or partner cage at the AWS Direct Connect location → cross connect → AWS cage → AWS Region; a Private VIF terminates on the VGW of VPC 10.0.0.0/16 and a Public VIF reaches public AWS endpoints)
- 60. AWS Direct Connect—what’s that?
(Diagram: as on slide 59, with a second VPC 10.2.0.0/16 reached through its own VGW and its own Private VIF, alongside the Public VIF)
- 61. AWS Direct Connect Gateway
(Diagram: on premises 192.168.0.0/16 → service provider network → customer or partner cage → cross connect → AWS cage → AWS Region; one Private VIF terminates on an AWS Direct Connect Gateway, which fronts the VGWs of VPCs 10.0.0.0/16 and 10.2.0.0/16)
One Private VIF → Many VPCs
- 62. AWS Direct Connect Gateway
(Diagram: as on slide 61, but the VGWs of VPCs 10.0.0.0/16 and 10.2.0.0/16 are in AWS Region 1 and AWS Region 2)
One Private VIF → Many VPCs
- 63. AWS Direct Connect Gateway
(Diagram: as on slide 61, but the VGWs of VPCs 10.0.0.0/16 and 10.2.0.0/16 are in AWS Account 1 and AWS Account 2)
One Private VIF → Many VPCs
Multi-account AWS Direct Connect Gateway: NEW
- 64.
- 65. …more AWS networking: VPC sharing; VPC endpoints and AWS PrivateLink; AWS Global Accelerator
- 66. Amazon VPC sharing: Before
- 67. (Diagram: six separate VPCs, one per account, each with its own CIDR: Alpha 10.3.0.0/16, Beta 10.2.0.0/16, Gamma 10.1.0.0/16, Iguana 10.6.0.0/16, Steve 10.5.0.0/16, Sue 10.4.0.0/16; accounts Dev, Test, Prod 1, Prod 2, Prod 3 and Prod 4 run AWS Lambda, Amazon EC2, Amazon Redshift and Amazon RDS workloads)
- 68. Amazon VPC sharing: After
- 69. (Diagram: the same accounts Dev, Test, Prod 1 to Prod 4 and workloads as on slide 67, now placed into shared VPCs instead of one VPC per account)
- 70. (Diagram: two shared VPCs, Beta 10.2.0.0/16 and Gamma 10.1.0.0/16; each has one Owner account and several Participant accounts (Alpha, Iguana, Steve, Sue) that launch their AWS Lambda, Amazon EC2, Amazon Redshift and Amazon RDS resources into the owner’s subnets)
- 71. Why use Amazon VPC sharing?
• Preserve IP space: use fewer IPv4 CIDRs
• Interconnectivity: no VPC Peering required
• Billing and security: continue to enjoy segregation with multiple accounts
• Separation of duties: a central team can create and manage your Amazon VPC
• Same-AZ cost for data transfer is nil
- 72. Amazon VPC endpoints: Interface Amazon VPC endpoints; Gateway Amazon VPC endpoints; AWS PrivateLink
- 73. (Diagram: the VPC from slide 33, VPC CIDR 10.1.0.0/16 with Instances A to D, an IGW and per-AZ NAT-GWs, now with a gateway VPC endpoint (VPCE) through which Amazon S3 and Amazon DynamoDB are reached without leaving the VPC)
Public subnet route table: 10.1.0.0/16 Local; 0.0.0.0/0 IGW; S3.prefix.list VPCE-123
Private subnet route table: 10.1.0.0/16 Local; DDB.prefix.list VPCE-123
VPCE = Virtual Private Endpoint (Type: Gateway)
- 74. VPC endpoints: Interface VPC endpoints; Gateway VPC endpoints; AWS PrivateLink
- 75. 22+ services now supported over AWS PrivateLink
Amazon API Gateway, AWS CloudFormation, Amazon CloudWatch, Amazon CloudWatch Events, Amazon CloudWatch Logs, AWS CodeBuild, AWS Config, Amazon EC2 API, Elastic Load Balancing API, AWS KMS, Amazon Kinesis Data Streams, Amazon SageMaker runtime, AWS Secrets Manager, AWS STS, AWS Service Catalog, Amazon SNS, AWS Systems Manager, and more
(Diagram: the VPC from slide 33, VPC CIDR 10.1.0.0/16 with Instances A to D and a NAT-GW; an interface endpoint for ec2.eu-west-1.amazonaws.com appears as ENI1: 10.1.0.15 in Availability Zone 1 and ENI2: 10.1.1.23 in Availability Zone 2)
AWS PrivateLink can reach public services, privately from your VPC
No routes needed (almost)
Public subnet route table: 10.1.0.0/16 Local
Private subnet route table: 10.1.0.0/16 Local
- 76. How it works: AWS PrivateLink, Type: Gateway, Type: Interface
- 77. Amazon VPC endpoints: Interface Amazon VPC endpoints; Gateway Amazon VPC endpoints; AWS PrivateLink
- 78. And now AWS PrivateLink for service providers
(Diagram: a Service Provider VPC runs an application, e.g. SaaS, behind an NLB; AWS PrivateLink exposes it in the Customer VPC as VPC Endpoint vpce-2222.foo.amazon.com)
- 79. AWS Global Accelerator
- 80. Before
- 81. (Diagram: one VPC in AWS Region 1 and one VPC in AWS Region 2, each reached separately)
- 82. After
- 83. (Diagram: the VPCs in AWS Region 1 and AWS Region 2 are both reached through the single AWS Global Accelerator address 3.10.3.125)
- 84.
- 85. (Summary diagram: the VPC from slide 33, VPC CIDR 10.1.0.0/16 across Availability Zone 1 and Availability Zone 2 with Instances A to D, an IGW, per-AZ NAT-GWs and Elastic IPs 54.23.12.43 and 54.19.12.23; attached to it: a VGW for VPN and AWS Direct Connect (DXGW), intra- or inter-region VPC peering to VPC-B, a gateway VPC endpoint (VPCE) to Amazon S3 and Amazon DynamoDB, AWS PrivateLink to AWS PrivateLink-enabled services (AWS Lambda, Amazon SQS, Amazon SNS, AWS IoT, Amazon CloudWatch) and to a service provider VPC behind an NLB, a Transit GW hub connecting further VPCs and on premises, VPC Flow Logs, and AWS Global Accelerator in front of the internet-facing side)
Public subnet route table: 10.1.0.0/16 Local; 0.0.0.0/0 IGW; S3.prefix.list VPCE-123; On premises VGW; VPC-B PCX-123; Other Routes TGW
Private subnet route table: 10.1.0.0/16 Local; S3.prefix.list VPCE-123; On premises VGW; VPC-B PCX-123; Other Routes TGW
- 86. Thank you!
Sumeeth Siriyur
Senior Solution Architect
AWS
- 87.