Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Becky Weiss, Senior Principal Engineer, EC2 Crea...
EC2 Instance
172.31.0.128 172.31.0.129 172.31.1.24 172.31.1.27 54.4.5.6 54.2.3.4 VPC
What to Expect from the Session • Get familiar with VPC concepts • Walk through a basic VPC setup • Learn about the ways i...
Walkthrough: setting up an Internet-connected VPC
Creating an Internet-connected VPC: steps Choosing an address range Setting up subnets in Availability Zones Creating a ro...
Choosing an IP address range
CIDR notation review CIDR range example: 172.31.0.0/16 1010 1100 0001 1111 0000 0000 0000 0000
Choosing an IP address range for your VPC 172.31.0.0/16 Recommended: RFC1918 range Recommended: /16 (64K addresses)
Subnets
VPC subnets and Availability Zones 172.31.0.0/16 Availability Zone Availability Zone Availability Zone VPC subnet VPC subn...
VPC subnet recommendations • /16 VPC (64K addresses) • /24 subnets (251 addresses) • One subnet per Availability Zone
Route to the Internet
Routing in your VPC • Route tables contain rules for which packets go where • Your VPC has a default route table • … but y...
Traffic destined for my VPC stays in my VPC
Internet Gateway Send packets here if you want them to reach the Internet
Everything that isn’t destined for the VPC: Send to the Internet
Network security in VPC: Network ACLs / Security Groups
Network ACLs: Stateless firewalls English translation: Allow all traffic in Can be applied on a subnet basis
“MyWebServers” Security Group “MyBackends” Security Group Allow only “MyWebServers” Security groups follow application str...
Security groups example: web servers In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
Security groups example: backends In English: Only instances in the MyWebServers Security Group can reach instances in thi...
Security groups in VPC: additional notes • Follow the Principle of Least Privilege • VPC allows creation of egress as well...
Connectivity options for VPCs
Beyond Internet connectivity Restricting Internet access Connecting to your corporate network Connecting to other VPCs
Restricting Internet access: Routing by subnet
Routing by subnet VPC subnet VPC subnet Has route to Internet Has no route to Internet
Outbound-only Internet access: NAT gateway VPC subnet VPC subnet 0.0.0.0/0 0.0.0.0/0 Public IP: 54.161.0.39 NAT gateway
Inter-VPC connectivity: VPC peering
Example VPC peering use: shared services VPC Common/core services • Authentication/directory • Monitoring • Logging • Remo...
Security groups across peered VPCs VPC Peering 172.31.0.0/16 10.55.0.0/16 Orange Security Group Blue Security Group ALLOW
Establish a VPC peering: initiate request 172.31.0.0/16 10.55.0.0/16 Step 1 Initiate peering request
Establish a VPC peering: accept request 172.31.0.0/16 10.55.0.0/16 Step 1 Initiate peering request Step 2 Accept peering r...
Establish a VPC peering: create route 172.31.0.0/16 10.55.0.0/16Step 1 Initiate peering request Step 2 Accept peering requ...
Connecting to on-premises networks: Virtual Private Network & Direct Connect
Extend an on-premises network into your VPC VPN Direct Connect
AWS VPN basics Customer Gateway Virtual Gateway Two IPSec tunnels 192.168.0.0/16 172.31.0.0/16 192.168/16 Your networking ...
VPN and AWS Direct Connect • Both allow secure connections between your network and your VPC • VPN is a pair of IPSec tunn...
VPC and the rest of AWS
VPC and the rest of AWS AWS Services in Your VPC VPC Endpoints for Amazon S3 DNS in-VPC with Amazon Route 53 Logging VPC T...
AWS services in your VPC
Example: Amazon RDS database in your VPC Reachable via DNS Name: mydb-cluster-1 ….us-west-2.rds.amazonaws.com
Example: AWS Lambda function in your VPC
Best practices for in-VPC AWS services • Many AWS services support running in-VPC. • Use security groups for Least-Privile...
VPC Endpoints for Amazon S3
S3 and your VPC S3 Bucket Your applications Your data
AWS VPC endpoints for S3 S3 Bucket
AWS VPC endpoints for S3 S3 Bucket Route S3-bound traffic to the VPCE
IAM policy for VPC endpoints S3 Bucket IAM Policy at VPC Endpoint: Restrict actions of VPC in S3 IAM Policy at S3 Bucket: ...
DNS in a VPC
VPC DNS options Use Amazon DNS server Have EC2 auto-assign DNS hostnames to instances
Amazon Route 53 private hosted zones Private Hosted Zone example.demohostedzone.org  172.31.0.99
VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs
VPC Flow Logs Visibility into effects of security group rules Troubleshooting network connectivity Ability to analyze traf...
VPC Flow Logs: setup VPC traffic metadata captured in CloudWatch Logs
VPC Flow Logs data in CloudWatch Logs Who’s this? # dig +short -x 109.236.86.32 internetpolice.co. REJECT UDP Port 53 = DNS
VPC: your private network in AWS
The VPC network
VPC network security
VPC connectivity
Thank you!
Remember to complete your evaluations!
Related sessions • NET303 - Next-Gen Networking: New Capabilities for Amazon’s Virtual Private Cloud • NET304 - Moving Mou...
Upcoming SlideShare
Loading in …5
×

AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options (NET201)

2,415 views

Published on

In this session, we walk through the fundamentals of Amazon VPC. First, we cover build-out and design fundamentals for VPC, including picking your IP space, subnetting, routing, security, NAT, and much more. We then transition into different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks that AWS makes available with Amazon VPC and how you can connect this with your offices and current data center footprint.

Published in: Technology
no profile picture user

  • Be the first to comment

Show More

AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options (NET201)

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Becky Weiss, Senior Principal Engineer, EC2 Creating Your Virtual Data Center VPC Fundamentals and Connectivity Options NET201 November 30, 2016
  2. 2. EC2 Instance
  3. 3. 172.31.0.128 172.31.0.129 172.31.1.24 172.31.1.27 54.4.5.6 54.2.3.4 VPC
  4. 4. What to Expect from the Session • Get familiar with VPC concepts • Walk through a basic VPC setup • Learn about the ways in which you can tailor your virtual network to meet your needs
  5. 5. Walkthrough: setting up an Internet-connected VPC
  6. 6. Creating an Internet-connected VPC: steps Choosing an address range Setting up subnets in Availability Zones Creating a route to the Internet Authorizing traffic to/from the VPC
  7. 7. Choosing an IP address range
  8. 8. CIDR notation review CIDR range example: 172.31.0.0/16 1010 1100 0001 1111 0000 0000 0000 0000
  9. 9. Choosing an IP address range for your VPC 172.31.0.0/16 Recommended: RFC1918 range Recommended: /16 (64K addresses)
  10. 10. Subnets
  11. 11. VPC subnets and Availability Zones 172.31.0.0/16 Availability Zone Availability Zone Availability Zone VPC subnet VPC subnet VPC subnet 172.31.0.0/24 172.31.1.0/24 172.31.2.0/24 eu-west-1a eu-west-1b eu-west-1c
  12. 12. VPC subnet recommendations • /16 VPC (64K addresses) • /24 subnets (251 addresses) • One subnet per Availability Zone
  13. 13. Route to the Internet
  14. 14. Routing in your VPC • Route tables contain rules for which packets go where • Your VPC has a default route table • … but you can assign different route tables to different subnets
  15. 15. Traffic destined for my VPC stays in my VPC
  16. 16. Internet Gateway Send packets here if you want them to reach the Internet
  17. 17. Everything that isn’t destined for the VPC: Send to the Internet
  18. 18. Network security in VPC: Network ACLs / Security Groups
  19. 19. Network ACLs: Stateless firewalls English translation: Allow all traffic in Can be applied on a subnet basis
  20. 20. “MyWebServers” Security Group “MyBackends” Security Group Allow only “MyWebServers” Security groups follow application structure
  21. 21. Security groups example: web servers In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
  22. 22. Security groups example: backends In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group
  23. 23. Security groups in VPC: additional notes • Follow the Principle of Least Privilege • VPC allows creation of egress as well as ingress Security Group rules • Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do).
  24. 24. Connectivity options for VPCs
  25. 25. Beyond Internet connectivity Restricting Internet access Connecting to your corporate network Connecting to other VPCs
  26. 26. Restricting Internet access: Routing by subnet
  27. 27. Routing by subnet VPC subnet VPC subnet Has route to Internet Has no route to Internet
  28. 28. Outbound-only Internet access: NAT gateway VPC subnet VPC subnet 0.0.0.0/0 0.0.0.0/0 Public IP: 54.161.0.39 NAT gateway
  29. 29. Inter-VPC connectivity: VPC peering
  30. 30. Example VPC peering use: shared services VPC Common/core services • Authentication/directory • Monitoring • Logging • Remote administration • Scanning
  31. 31. Security groups across peered VPCs VPC Peering 172.31.0.0/16 10.55.0.0/16 Orange Security Group Blue Security Group ALLOW
  32. 32. Establish a VPC peering: initiate request 172.31.0.0/16 10.55.0.0/16 Step 1 Initiate peering request
  33. 33. Establish a VPC peering: accept request 172.31.0.0/16 10.55.0.0/16 Step 1 Initiate peering request Step 2 Accept peering request
  34. 34. Establish a VPC peering: create route 172.31.0.0/16 10.55.0.0/16Step 1 Initiate peering request Step 2 Accept peering request Step 3 Create routes In English: Traffic destined for the peered VPC should go to the peering
  35. 35. Connecting to on-premises networks: Virtual Private Network & Direct Connect
  36. 36. Extend an on-premises network into your VPC VPN Direct Connect
  37. 37. AWS VPN basics Customer Gateway Virtual Gateway Two IPSec tunnels 192.168.0.0/16 172.31.0.0/16 192.168/16 Your networking device
  38. 38. VPN and AWS Direct Connect • Both allow secure connections between your network and your VPC • VPN is a pair of IPSec tunnels over the Internet • DirectConnect is a dedicated line with lower per-GB data transfer rates • For highest availability: Use both
  39. 39. VPC and the rest of AWS
  40. 40. VPC and the rest of AWS AWS Services in Your VPC VPC Endpoints for Amazon S3 DNS in-VPC with Amazon Route 53 Logging VPC Traffic with VPC Flow Logs
  41. 41. AWS services in your VPC
  42. 42. Example: Amazon RDS database in your VPC Reachable via DNS Name: mydb-cluster-1 ….us-west-2.rds.amazonaws.com
  43. 43. Example: AWS Lambda function in your VPC
  44. 44. Best practices for in-VPC AWS services • Many AWS services support running in-VPC. • Use security groups for Least-Privilege network access. • For best availability, use multiple Availability Zones. Examples: • Multi-zone RDS deployments • Use a zonal mount point for EFS access
  45. 45. VPC Endpoints for Amazon S3
  46. 46. S3 and your VPC S3 Bucket Your applications Your data
  47. 47. AWS VPC endpoints for S3 S3 Bucket
  48. 48. AWS VPC endpoints for S3 S3 Bucket Route S3-bound traffic to the VPCE
  49. 49. IAM policy for VPC endpoints S3 Bucket IAM Policy at VPC Endpoint: Restrict actions of VPC in S3 IAM Policy at S3 Bucket: Make accessible from VPC Endpoint only
  50. 50. DNS in a VPC
  51. 51. VPC DNS options Use Amazon DNS server Have EC2 auto-assign DNS hostnames to instances
  52. 52. Amazon Route 53 private hosted zones Private Hosted Zone example.demohostedzone.org  172.31.0.99
  53. 53. VPC Flow Logs: VPC traffic metadata in Amazon CloudWatch Logs
  54. 54. VPC Flow Logs Visibility into effects of security group rules Troubleshooting network connectivity Ability to analyze traffic
  55. 55. VPC Flow Logs: setup VPC traffic metadata captured in CloudWatch Logs
  56. 56. VPC Flow Logs data in CloudWatch Logs Who’s this? # dig +short -x 109.236.86.32 internetpolice.co. REJECT UDP Port 53 = DNS
  57. 57. VPC: your private network in AWS
  58. 58. The VPC network
  59. 59. VPC network security
  60. 60. VPC connectivity
  61. 61. Thank you!
  62. 62. Remember to complete your evaluations!
  63. 63. Related sessions • NET303 - Next-Gen Networking: New Capabilities for Amazon’s Virtual Private Cloud • NET304 - Moving Mountains: Netflix’s Migration Into VPC • NET401 - Another Day, Another Billion Packets • NET402 - Deep Dive: AWS Direct Connect and VPN • NET404 - Making Every Packet Count

×