Find out more about the VPC fundamentals and connectivity options

1. Juan AF Morales, Quby
John Segers, AWS Solutions Architect
May 23, 2017
Creating Your Virtual Data Center
VPC Fundamentals and Connectivity Options

2. EC2 Instance

3. 172.31.0.128
172.31.0.129
172.31.1.24
172.31.1.27
54.4.5.6
54.2.3.4
VPC

4. What to expect from the session
 Get familiar with Amazon Virtual Private Cloud concepts.
 Walk through a basic VPC setup.
 Learn about tailoring your virtual network to meet your
needs.
 Hear from a customer: Quby.

5. VPC setup walkthrough

6. Steps to create an internet-connected VPC
Choosing an
address
range
Setting up
subnets in
Availability
Zones
Creating a
route to the
Internet
Authorizing
traffic to/from
the VPC

7. Choosing an IP address range

8. Choosing an IP address range for your VPC
172.31.0.0/16
Recommended:
RFC1918 range
Recommended:
/16 (64k addresses)
Avoid ranges that overlap with
other networks to which you
might connect.

9. Subnets

10. VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c

11. VPC subnet recommendations
• Distribute IP space evenly
across Availability Zones.
• Use at least 2 AZs/subnets to enable
multi-AZ application deployments.
• Use /24 subnets (251 addresses).

12. Route to the Internet

13. Routing in your VPC
• Route tables contain rules for which
packets go where.
• Your VPC has a default route table that is
applied to all subnets in the VPC.
• You can assign different route tables to
different subnets to override the default.

14. Traffic destined for my VPC
stays in my VPC

15. Internet Gateway
Send packets here if you want
them to reach the Internet

16. Everything that isn’t destined for the VPC:
Send to the Internet

17. Network security in VPC:
Network ACLs / Security Groups

18. Network ACLs: Stateless firewalls
English translation: Allow all traffic in
Can be applied on a subnet basis

19. “MyWebServers” Security Group
“MyBackends” Security Group
Allow only “MyWebServers”
Security groups follow application structure

20. Security groups example: web servers
In English: Hosts in this group are reachable
from the Internet on port 80 (HTTP)

21. Security groups example: backends
In English: Only instances in the MyWebServers
Security Group can reach instances in this
Security Group

22. Security groups in VPC: additional notes
• Follow the Principle of Least Privilege
• VPC allows creation of egress as well as ingress
Security Group rules
• Many application architectures lend themselves to a 1:1
relationship between security groups (who can reach
me) and IAM roles (what I can do).

23. Connectivity options for VPCs

24. Routing by subnet
VPC subnetVPC subnet
Has route to Internet
Has no route to Internet

25. Outbound-only Internet access: NAT gateway
VPC subnet VPC subnet
0.0.0.0/0
0.0.0.0/0
Public IP: 54.161.0.39
NAT gateway

26. Extend an on-premises network into your VPC
VPN
Direct Connect

27. AWS VPN basics
Customer
Gateway
Virtual
Gateway
Two IPSec tunnels
192.168.0.0/16 172.31.0.0/16
192.168/16
Your networking device

28. VPN and AWS Direct Connect
• Both allow secure connections
between your network and your VPC.
• VPN is a pair of IPSec tunnels over
the Internet.
• Direct Connect is a dedicated line
with lower per-GB data transfer rates.
• For highest availability: use both.

29. Inter-VPC connectivity: VPC peering
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning

30. Customer case study - Quby

31. Juan AF Morales – DevOps Engineer at Quby
Very Plain Connectivity
(or how Quby simplified networking with AWS VPC)

32. Hello ^_^
Quby: Creator of Toon®
Juan AF Morales
• Born Spanish, living in the
Netherlands.
• Developer – ASM to Python
• Ops – Big IT to no-ops
• Started working with
Development companies in
2010

33. One for the past

34. Moving to the Cloud – overall architecture
App VPC
OpenVPN VPCs

35. Moving to the Cloud – VPN VPCs
VPN VPC Detail
- The VPN
terminators allow
the devices to
connect using
public endpoints
- A strong swan
instance links to
the App VPC

36. Moving to the Cloud – Application VPC
App VPC Detail
- Backend Services
in private subnets
- Marathon-lb and
front-facing
Services live in
the public subnets
- A strong swan
instance links to
the VPN VPC

37. Moving to the Cloud – Automation to the rescue
VPN VPC is Huge
- The code required to
maintain this is insane.

38. Moving to the Cloud – Automation to the rescue
No way I will write 50k LoC.
That’s what machines are for.

39. Infra as code
- Not all Infra as code is created equal
- Always know what’s running in production

40. The After
• Simplification
• No hardware refresh
• No more arcane network gear issues.
• Manageability
• Full DC Disaster recovery
• On-boarding new customers is easy

41. The Future
- RUN AWAY from OpenVPN.
- Keep running.
- Use HTTPS and MQTT instead of VPNs. Similar security
level, more reliable, better performance, and SCALABLE
(Open VPN is not, not really).
- …

42. Summary of what we discussed
Availability Zone
Virtual Private Cloud
AWS Cloud
Public Subnet
Virtual Private Cloud
Availability Zone
Private Subnet
Availability Zone
VPN Only Subnet
Application Servers
Web Server Web Server
NAT
Corporate
Network
R
Database Servers
Internet

43. John Segers - @jplsegers
Juan Morales - @juanantoniofm