4. What to expect from the session
• Get familiar with Amazon Virtual Private Cloud concepts.
• Walk through a basic VPC setup.
• Learn about tailoring your virtual network to meet your needs.
• Hear from a customer: Quby.
6. Steps to create an internet-connected VPC
• Choosing an address range
• Setting up subnets in Availability Zones
• Creating a route to the Internet
• Authorizing traffic to/from the VPC
8. Choosing an IP address range for your VPC
VPC 172.31.0.0/16
• Recommended: RFC1918 range
• Recommended: /16 (64k addresses)
• Avoid ranges that overlap with other networks to which you might connect.
10. VPC subnets and Availability Zones
VPC 172.31.0.0/16
• eu-west-1a: VPC subnet 172.31.0.0/24
• eu-west-1b: VPC subnet 172.31.1.0/24
• eu-west-1c: VPC subnet 172.31.2.0/24
11. VPC subnet recommendations
• Distribute IP space evenly across Availability Zones.
• Use at least 2 AZs/subnets to enable multi-AZ application deployments.
• Use /24 subnets (251 addresses).
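The address-range and subnet recommendations from slides 8 and 11 can be checked mechanically before anything is created. The following is an added example, not code from the session or from AWS; it carves one /24 per Availability Zone out of the VPC range, applies the 5-addresses-per-subnet reservation that makes a /24 yield 251 hosts, and flags non-RFC1918 ranges, undersized VPCs, overlaps with networks you might later connect, and single-AZ plans. The peer-network list and AZ names in the usage are constructed sample input.

```python
import ipaddress
from typing import Dict, List, Sequence

# AWS reserves the first four and the last address of every VPC subnet
# (network, VPC router, DNS, future use, broadcast), so a /24 gives 251 hosts.
AWS_RESERVED_PER_SUBNET = 5

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the range lies entirely inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def usable_addresses(subnet_cidr: str) -> int:
    """Host addresses an instance can actually take in a VPC subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: Sequence[str], prefix: int = 24) -> Dict[str, str]:
    """Assign consecutive /prefix subnets from the VPC range, one per AZ."""
    candidates = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    return {az: str(next(candidates)) for az in azs}


def check_plan(vpc_cidr: str, peer_networks: Sequence[str], azs: Sequence[str]) -> List[str]:
    """Return findings against the session's recommendations; empty list means clean."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not is_rfc1918(vpc_cidr):
        findings.append(f"{vpc_cidr} is not an RFC 1918 range")
    if vpc.prefixlen > 16:
        findings.append(f"{vpc_cidr} is smaller than the recommended /16")
    for peer in peer_networks:  # networks you might connect via VPN, Direct Connect or peering
        if vpc.overlaps(ipaddress.ip_network(peer)):
            findings.append(f"{vpc_cidr} overlaps peer network {peer}")
    if len(azs) < 2:
        findings.append("fewer than 2 AZs: multi-AZ deployment is not possible")
    return findings


if __name__ == "__main__":
    azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
    corporate = ["10.0.0.0/8", "192.168.0.0/16"]  # constructed sample on-prem ranges
    print(plan_subnets("172.31.0.0/16", azs))
    print(usable_addresses("172.31.0.0/24"), "usable hosts per /24")
    print(check_plan("172.31.0.0/16", corporate, azs) or "plan follows the recommendations")
```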
13. Routing in your VPC
• Route tables contain rules for which packets go where.
• Your VPC has a default route table that is applied to all subnets in the VPC.
• You can assign different route tables to different subnets to override the default.
20. Security groups example: web servers
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP).
21. Security groups example: backends
In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group.
22. Security groups in VPC: additional notes
• Follow the Principle of Least Privilege.
• VPC allows creation of egress as well as ingress Security Group rules.
• Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do).
28. VPN and AWS Direct Connect
• Both allow secure connections between your network and your VPC.
• VPN is a pair of IPsec tunnels over the Internet.
• Direct Connect is a dedicated line with lower per-GB data transfer rates.
• For highest availability: use both.
31. Juan AF Morales - DevOps Engineer at Quby
Very Plain Connectivity
(or how Quby simplified networking with AWS VPC)
32. Hello ^_^
Quby: Creator of Toon®
Juan AF Morales
• Born Spanish, living in the Netherlands.
• Developer: ASM to Python
• Ops: Big IT to no-ops
• Started working with Development companies in 2010
34. Moving to the Cloud - overall architecture
(Diagram: App VPC and OpenVPN VPCs.)
35. Moving to the Cloud - VPN VPCs
VPN VPC Detail
- The VPN terminators allow the devices to connect using public endpoints.
- A strongSwan instance links to the App VPC.
36. Moving to the Cloud - Application VPC
App VPC Detail
- Backend Services in private subnets.
- Marathon-lb and front-facing Services live in the public subnets.
- A strongSwan instance links to the VPN VPC.
37. Moving to the Cloud - Automation to the rescue
VPN VPC is Huge
- The code required to maintain this is insane.
38. Moving to the Cloud - Automation to the rescue
No way I will write 50k LoC.
That's what machines are for.
39. Infra as code
- Not all Infra as code is created equal.
- Always know what's running in production.
40. The After
• Simplification
• No hardware refresh
• No more arcane network gear issues
• Manageability
• Full DC Disaster recovery
• On-boarding new customers is easy
41. The Future
- RUN AWAY from OpenVPN.
- Keep running.
- Use HTTPS and MQTT instead of VPNs. Similar security level, more reliable, better performance, and SCALABLE (OpenVPN is not, not really).
- …
42. Summary of what we discussed
(Architecture diagram: a Virtual Private Cloud in the AWS Cloud spanning several Availability Zones, with a Public Subnet holding Web Servers and a NAT, a Private Subnet holding Application Servers and Database Servers, and a VPN Only Subnet connected to the Corporate Network; the Public Subnet routes to the Internet.)
43. John Segers - @jplsegers
Juan Morales - @juanantoniofm