Creating Your Virtual Data Center
•
2 likes•312 views
Find out more about the VPC fundamentals and connectivity options
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Creating Your Virtual Data Center
Similar to Creating Your Virtual Data Center (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Creating Your Virtual Data Center
- 1. Juan AF Morales, Quby John Segers, AWS Solutions Architect May 23, 2017 Creating Your Virtual Data Center VPC Fundamentals and Connectivity Options
- 2. EC2 Instance
- 4. What to expect from the session Get familiar with Amazon Virtual Private Cloud concepts. Walk through a basic VPC setup. Learn about tailoring your virtual network to meet your needs. Hear from a customer: Quby.
- 6. Steps to create an internet-connected VPC Choosing an address range Setting up subnets in Availability Zones Creating a route to the Internet Authorizing traffic to/from the VPC
- 7. Choosing an IP address range
- 8. Choosing an IP address range for your VPC 172.31.0.0/16 Recommended: RFC1918 range Recommended: /16 (64k addresses) Avoid ranges that overlap with other networks to which you might connect.
- 9. Subnets
- 10. VPC subnets and Availability Zones 172.31.0.0/16 Availability Zone Availability Zone Availability Zone VPC subnet VPC subnet VPC subnet 172.31.0.0/24 172.31.1.0/24 172.31.2.0/24 eu-west-1a eu-west-1b eu-west-1c
- 11. VPC subnet recommendations • Distribute IP space evenly across Availability Zones. • Use at least 2 AZs/subnets to enable multi-AZ application deployments. • Use /24 subnets (251 addresses).
- 12. Route to the Internet
- 13. Routing in your VPC • Route tables contain rules for which packets go where. • Your VPC has a default route table that is applied to all subnets in the VPC. • You can assign different route tables to different subnets to override the default.
- 14. Traffic destined for my VPC stays in my VPC
- 15. Internet Gateway Send packets here if you want them to reach the Internet
- 16. Everything that isn’t destined for the VPC: Send to the Internet
- 17. Network security in VPC: Network ACLs / Security Groups
- 18. Network ACLs: Stateless firewalls English translation: Allow all traffic in Can be applied on a subnet basis
- 19. “MyWebServers” Security Group “MyBackends” Security Group Allow only “MyWebServers” Security groups follow application structure
- 20. Security groups example: web servers In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
- 21. Security groups example: backends In English: Only instances in the MyWebServers Security Group can reach instances in this Security Group
- 22. Security groups in VPC: additional notes • Follow the Principle of Least Privilege • VPC allows creation of egress as well as ingress Security Group rules • Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do).
- 23. Connectivity options for VPCs
- 24. Routing by subnet VPC subnetVPC subnet Has route to Internet Has no route to Internet
- 25. Outbound-only Internet access: NAT gateway VPC subnet VPC subnet 0.0.0.0/0 0.0.0.0/0 Public IP: 54.161.0.39 NAT gateway
- 26. Extend an on-premises network into your VPC VPN Direct Connect
- 27. AWS VPN basics Customer Gateway Virtual Gateway Two IPSec tunnels 192.168.0.0/16 172.31.0.0/16 192.168/16 Your networking device
- 28. VPN and AWS Direct Connect • Both allow secure connections between your network and your VPC. • VPN is a pair of IPSec tunnels over the Internet. • Direct Connect is a dedicated line with lower per-GB data transfer rates. • For highest availability: use both.
- 29. Inter-VPC connectivity: VPC peering Common/core services • Authentication/directory • Monitoring • Logging • Remote administration • Scanning
- 30. Customer case study - Quby
- 31. Juan AF Morales – DevOps Engineer at Quby Very Plain Connectivity (or how Quby simplified networking with AWS VPC)
- 32. Hello ^_^ Quby: Creator of Toon® Juan AF Morales • Born Spanish, living in the Netherlands. • Developer – ASM to Python • Ops – Big IT to no-ops • Started working with Development companies in 2010
- 33. One for the past
- 34. Moving to the Cloud – overall architecture App VPC OpenVPN VPCs
- 35. Moving to the Cloud – VPN VPCs VPN VPC Detail - The VPN terminators allow the devices to connect using public endpoints - A strong swan instance links to the App VPC
- 36. Moving to the Cloud – Application VPC App VPC Detail - Backend Services in private subnets - Marathon-lb and front-facing Services live in the public subnets - A strong swan instance links to the VPN VPC
- 37. Moving to the Cloud – Automation to the rescue VPN VPC is Huge - The code required to maintain this is insane.
- 38. Moving to the Cloud – Automation to the rescue No way I will write 50k LoC. That’s what machines are for.
- 39. Infra as code - Not all Infra as code is created equal - Always know what’s running in production
- 40. The After • Simplification • No hardware refresh • No more arcane network gear issues. • Manageability • Full DC Disaster recovery • On-boarding new customers is easy
- 41. The Future - RUN AWAY from OpenVPN. - Keep running. - Use HTTPS and MQTT instead of VPNs. Similar security level, more reliable, better performance, and SCALABLE (Open VPN is not, not really). - …
- 42. Summary of what we discussed Availability Zone Virtual Private Cloud AWS Cloud Public Subnet Virtual Private Cloud Availability Zone Private Subnet Availability Zone VPN Only Subnet Application Servers Web Server Web Server NAT Corporate Network R Database Servers Internet
- 43. John Segers - @jplsegers Juan Morales - @juanantoniofm