
Creating Your Virtual Data Center: VPC Fundamentals


In this session, we will walk through the fundamentals of Amazon Virtual Private Cloud (VPC). First, we will cover build-out and design fundamentals for VPC, including picking your IP space, subnetting, routing, security, NAT, and much more. We will then transition into different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks AWS makes available with VPC and how you can connect this with your offices and current data center footprint.

Published in: Technology


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dr Andrew Kane, Solutions Architect. AWS London Summit – 7th July 2016. Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity Options
  2. EC2 Instance
  4. VPC
  5. 172.31.0.128 172.31.0.129 172.31.1.24 172.31.1.27 VPC
  7. 172.31.0.128 172.31.0.129 172.31.1.24 172.31.1.27 54.4.5.6 54.2.3.4 VPC
  8. What to Expect from the Session • Get familiar with VPC concepts • Walk through a basic VPC setup • Learn about the ways in which you can tailor your virtual network to meet your needs
  9. Walkthrough: setting up an Internet-connected VPC
  10. Creating an Internet-connected VPC: steps • Choosing an address range • Setting up subnets in Availability Zones • Creating a route to the Internet • Authorizing traffic to/from the VPC
  11. Choose address ranges
  12. CIDR notation review. CIDR range example: 172.31.0.0/16
  13. CIDR notation review. CIDR range example: 172.31.0.0/16 = 1010 1100 0001 1111 0000 0000 0000 0000
  15. Choosing IP address ranges for your VPC: 172.31.0.0/16
  16. Choosing IP address ranges for your VPC: 172.31.0.0/16. Recommended: RFC1918 range
  17. Choosing IP address ranges for your VPC: 172.31.0.0/16. Recommended: RFC1918 range. Recommended: /16 (64K addresses)
  19. Set up subnets
  20. Choosing IP address ranges for your subnets: 172.31.0.0/16
  21. Choosing IP address ranges for your subnets: 172.31.0.0/16. Availability Zones eu-west-1a, eu-west-1b, eu-west-1c
  22. Choosing IP address ranges for your subnets: 172.31.0.0/16. One VPC subnet in each of eu-west-1a, eu-west-1b, eu-west-1c
  23. Choosing IP address ranges for your subnets: 172.31.0.0/16. VPC subnets 172.31.0.0/24 (eu-west-1a), 172.31.1.0/24 (eu-west-1b), 172.31.2.0/24 (eu-west-1c)
  24. Auto-assign Public IP: all instances will get an automatically assigned public IP
  25. More on subnets • Recommended for most customers: /16 VPC (64K addresses), /24 subnets (251 addresses), one subnet per Availability Zone • When might you do something else?
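The address-range and subnet choices on slides 12 to 25 can be checked mechanically. The script below is an added example, not part of the deck or of any AWS tooling: it uses only the Python standard library to render a CIDR range as bits (as slide 13 does), verify that a VPC range is RFC 1918, carve one /24 per Availability Zone out of a /16, and count the usable addresses once the five per-subnet addresses AWS reserves are subtracted (the 251 quoted on slide 25). The AZ names and ranges are the deck's; the non-overlap check is an AWS requirement for peering and VPN that the deck does not state and is labelled as such.

```python
"""Added example (not from the deck): planning a VPC address range and
per-AZ subnets as slides 12-25 describe, with the standard library only.
All ranges and AZ names here are constructed for illustration."""
import ipaddress

# RFC 1918 private ranges, the pool the deck recommends picking the VPC CIDR from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves the first four and the last address of every subnet (network,
# VPC router, DNS, future use, broadcast), which is why a /24 yields 251 usable.
AWS_RESERVED_PER_SUBNET = 5


def to_binary(ip):
    """Render an address as 32 bits in nibbles, the way slide 13 shows 172.31.0.0."""
    bits = "".join(f"{octet:08b}" for octet in ipaddress.ip_address(ip).packed)
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def is_rfc1918(cidr):
    """True if the whole range lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def usable_addresses(cidr):
    """Host addresses left after the AWS-reserved ones (251 for a /24)."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, subnet_prefix=24):
    """Carve one subnet per Availability Zone, in order, out of the VPC range."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not is_rfc1918(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not an RFC 1918 range")
    if subnet_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    carve = vpc.subnets(new_prefix=subnet_prefix)
    return {az: str(next(carve)) for az in azs}


def overlaps(cidr_a, cidr_b):
    """Ranges that will later be peered or joined by VPN must not overlap
    (an AWS requirement for VPC peering, not something the deck states)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    print(to_binary("172.31.0.0"))
    print(plan_subnets("172.31.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"]))
    print(usable_addresses("172.31.0.0/24"), "usable addresses in a /24")
    print("172.31.0.0/16 overlaps 10.55.0.0/16:", overlaps("172.31.0.0/16", "10.55.0.0/16"))
```

Running it with the deck's values gives the three /24 subnets of slide 23 in AZ order and 251 usable addresses per subnet; the overlap check is what you would run before requesting the peering on slide 56 or the VPN on slide 69.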
  26. Create a route to the Internet
  27. Routing in your VPC • Route tables contain rules for which packets go where • Your VPC has a default route table • … but you can assign different route tables to different subnets
  28. Traffic destined for my VPC stays in my VPC
  29. Internet Gateway: send packets here if you want them to reach the Internet
  30. Everything that isn’t destined for the VPC: send to the Internet
  31. Authorizing traffic: network ACLs and security groups
  32. Network ACLs = stateless firewall rules
  33. Network ACLs = stateless firewall rules. Can be applied on a subnet basis
  35. Network ACLs = stateless firewall rules. Can be applied on a subnet basis. English translation: allow all traffic in
  36. Security groups follow the structure of your application: “MyWebServers” Security Group, “MyBackends” Security Group (allow only “MyWebServers”)
  37. Security groups = stateful firewall
  38. Security groups = stateful firewall. In English: hosts in this group are reachable from the Internet on port 80 (HTTP)
  39. Security groups = stateful firewall
  40. Security groups = stateful firewall. In English: only instances in the MyWebServers security group can reach instances in this security group
  41. Security groups in VPCs: additional notes • VPC allows creation of egress as well as ingress security group rules • Best practice: whenever possible, specify allowed traffic by reference (other security groups) • Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do).
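The difference between "stateless" network ACLs (slides 32 to 35) and "stateful" security groups (slides 37 to 41) is easiest to see on a single HTTP exchange. The model below is an added example, not AWS code and not from the deck: it evaluates a request from an Internet client and the server's reply against a security group that has only the slide 38 rule, and against two network ACLs, one with only an inbound port 80 rule and one that also allows outbound traffic to the client's ephemeral port. It also shows the slide 40 pattern of admitting traffic by reference to another security group. Group names come from the deck; the addresses, ports and rule numbers are constructed.

```python
"""Added example (not from the deck): a small model of the two VPC firewall
layers on slides 31-41, enough to show why a stateless network ACL needs an
explicit rule for return traffic while a stateful security group does not,
and how a security group admits traffic 'by reference' to another group.
All names, addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # port range a client picks for the reply side of a TCP flow


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str         # "allow" or "deny" (security groups only ever allow)
    proto: str          # "tcp", "udp" or "all"
    ports: tuple        # inclusive (low, high) range of destination ports
    cidr: str = None    # match the remote address against a CIDR ...
    sg_ref: str = None  # ... or, for security groups, against the remote's group

    def matches(self, remote_ip, port, proto, remote_groups):
        if self.proto not in ("all", proto) or not self.ports[0] <= port <= self.ports[1]:
            return False
        if self.cidr is not None:
            return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
        return self.sg_ref in remote_groups


class NetworkACL:
    """Stateless: each direction is judged on its own, numbered rules are
    checked in order, first match wins, and anything unmatched is denied."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r[0])    # [(rule_number, Rule)]
        self.outbound = sorted(outbound, key=lambda r: r[0])

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for _, rule in rules:
            if rule.matches(remote, pkt.dport, pkt.proto, set()):
                return rule.action == "allow"
        return False  # the implicit '*' deny rule


class SecurityGroup:
    """Stateful: a flow admitted by a rule is remembered, and packets of that
    flow in the opposite direction pass without needing a rule of their own."""

    def __init__(self, name, ingress, egress):
        self.name, self.ingress, self.egress = name, ingress, egress
        self.tracked = set()  # (remote_ip, remote_port, local_port, proto)

    def allows(self, pkt, direction, remote_groups=frozenset()):
        if direction == "in":
            key, remote, rules = (pkt.src, pkt.sport, pkt.dport, pkt.proto), pkt.src, self.ingress
        else:
            key, remote, rules = (pkt.dst, pkt.dport, pkt.sport, pkt.proto), pkt.dst, self.egress
        if key in self.tracked:
            return True
        if any(r.matches(remote, pkt.dport, pkt.proto, remote_groups) for r in rules):
            self.tracked.add(key)
            return True
        return False


def web_tier_check():
    """Internet client opens HTTP to a web server; compare how each layer treats the reply."""
    request = Packet("203.0.113.10", "172.31.0.128", 51000, 80)
    reply = Packet("172.31.0.128", "203.0.113.10", 80, 51000)
    http_in = Rule("allow", "tcp", (80, 80), cidr="0.0.0.0/0")  # the slide 38 rule

    # Security group with no egress rules at all: the reply still leaves, because the flow is tracked.
    web_sg = SecurityGroup("MyWebServers", ingress=[http_in], egress=[])
    sg = (web_sg.allows(request, "in"), web_sg.allows(reply, "out"))

    # NACL with only the inbound rule: the reply to the client's ephemeral port is dropped.
    incomplete = NetworkACL(inbound=[(100, http_in)], outbound=[])
    # NACL with the matching outbound rule for ephemeral ports: the reply passes.
    complete = NetworkACL(inbound=[(100, http_in)],
                          outbound=[(100, Rule("allow", "tcp", EPHEMERAL, cidr="0.0.0.0/0"))])
    return {"security_group": sg,
            "nacl_missing_return_rule": (incomplete.allows(request, "in"), incomplete.allows(reply, "out")),
            "nacl_with_return_rule": (complete.allows(request, "in"), complete.allows(reply, "out"))}


def backend_tier_check():
    """'MyBackends' admits port 3306 only from instances in 'MyWebServers' (slide 40), not from the Internet."""
    backend_sg = SecurityGroup("MyBackends", ingress=[Rule("allow", "tcp", (3306, 3306), sg_ref="MyWebServers")], egress=[])
    from_web = Packet("172.31.0.128", "172.31.1.24", 40000, 3306)
    from_internet = Packet("203.0.113.10", "172.31.1.24", 40000, 3306)
    return (backend_sg.allows(from_web, "in", remote_groups={"MyWebServers"}),
            backend_sg.allows(from_internet, "in", remote_groups=set()))
```

The practical lesson is the one slide 35 hints at: a NACL that only says "allow all traffic in" still needs an outbound rule covering ephemeral ports, or replies never leave the subnet, whereas the security group rule on slide 38 is enough on its own because the group tracks the connection.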
  42. Connectivity options for VPCs
  43. Beyond Internet connectivity • Subnet routing options • Connecting to your corporate network • Connecting to other VPCs
  44. Routing on a subnet basis: internal-facing subnets
  45. Different route tables for different subnets: one VPC subnet has a route to the Internet, the other VPC subnet has no route to the Internet
  46. Internet access via NAT Gateway: two VPC subnets
  47. Internet access via NAT Gateway: two VPC subnets, 0.0.0.0/0
  48. Internet access via NAT Gateway: two VPC subnets, 0.0.0.0/0 and 0.0.0.0/0
  49. Internet access via NAT Gateway: two VPC subnets, 0.0.0.0/0 and 0.0.0.0/0, NAT Gateway
  50. Internet access via NAT Gateway: two VPC subnets, 0.0.0.0/0 and 0.0.0.0/0, NAT Gateway with public IP 54.161.0.39
  52. Connecting to other VPCs: VPC peering
  53. Shared services VPC using VPC peering. Common/core services: • Authentication/directory • Monitoring • Logging • Remote administration • Scanning
  54. VPC peering: 172.31.0.0/16 and 10.55.0.0/16
  55. VPC peering: 172.31.0.0/16 and 10.55.0.0/16. Orange Security Group, Blue Security Group: ALLOW
  56. Steps to establish a peering: initiate request. 172.31.0.0/16, 10.55.0.0/16
  57. Steps to establish a peering: initiate request. 172.31.0.0/16, 10.55.0.0/16. Step 1: initiate peering request
  58. Steps to establish a peering: initiate request
  59. Steps to establish a peering: accept request. 172.31.0.0/16, 10.55.0.0/16. Step 1: initiate peering request
  60. Steps to establish a peering: accept request. 172.31.0.0/16, 10.55.0.0/16. Step 1: initiate peering request. Step 2: accept peering request
  61. Steps to establish a peering: accept request
  63. Steps to establish a peering: create route. 172.31.0.0/16, 10.55.0.0/16. Step 1: initiate peering request. Step 2: accept peering request
  64. Steps to establish a peering: create route. 172.31.0.0/16, 10.55.0.0/16. Step 1: initiate peering request. Step 2: accept peering request. Step 3: create routes
  66. Steps to establish a peering: create route. 172.31.0.0/16, 10.55.0.0/16. Step 1: initiate peering request. Step 2: accept peering request. Step 3: create routes. In English: traffic destined for the peered VPC should go to the peering
  67. Connecting to your network: Virtual Private Network & Direct Connect
  68. Extend your own network into your VPC: VPN, Direct Connect
  69. VPN: what you need to know. 192.168.0.0/16, 172.31.0.0/16
  70. VPN: what you need to know. Customer Gateway (your networking device) on 192.168.0.0/16; VPC 172.31.0.0/16
  71. VPN: what you need to know. Customer Gateway (your networking device) on 192.168.0.0/16; Virtual Gateway on VPC 172.31.0.0/16
  72. VPN: what you need to know. Customer Gateway (your networking device) on 192.168.0.0/16; Virtual Gateway on VPC 172.31.0.0/16; two IPSec tunnels
  73. VPN: what you need to know. Customer Gateway (your networking device) on 192.168.0.0/16; Virtual Gateway on VPC 172.31.0.0/16; two IPSec tunnels; route for 192.168/16
  74. Routing to a Virtual Private Gateway
  75. Routing to a Virtual Private Gateway. In English: traffic to my 192.168.0.0/16 network goes out the VPN tunnel
  76. VPN vs Direct Connect • Both allow secure connections between your network and your VPC • VPN is a pair of IPSec tunnels over the Internet • Direct Connect is a dedicated line with lower per-GB data transfer rates • For highest availability: use both
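Slides 26 to 30 and 44 to 75 all come down to which route table a subnet is attached to and which entry wins for a given destination. The model below is an added example (not the deck's material and not AWS code) of longest-prefix-match lookup over three route tables in the deck's 172.31.0.0/16 VPC: a public subnet with a default route to an Internet Gateway (slide 30), a private subnet whose default route goes to a NAT Gateway (slide 49) and which also carries the peering route to 10.55.0.0/16 (slide 66) and the Virtual Private Gateway route to 192.168.0.0/16 (slide 75), and an isolated subnet with only the local route (slide 45). The target IDs ending in EXAMPLE are placeholders, not real resource identifiers.

```python
"""Added example (not from the deck): a longest-prefix-match model of the VPC
route tables on slides 26-30 and 44-75, so that the 'local' route, an Internet
Gateway default route, a NAT Gateway default route, a peering route and a
Virtual Private Gateway route can be compared for the same destinations.
Target IDs such as igw-EXAMPLE are placeholders, not real resource IDs."""
import ipaddress


class RouteTable:
    def __init__(self, vpc_cidr, routes=()):
        # Every VPC route table starts with the 'local' route for the VPC's own
        # range: traffic destined for the VPC stays in the VPC (slide 28).
        self.routes = [(ipaddress.ip_network(vpc_cidr), "local")]
        for cidr, target in routes:
            self.add(cidr, target)

    def add(self, cidr, target):
        self.routes.append((ipaddress.ip_network(cidr), target))

    def lookup(self, dst):
        """Most specific matching prefix wins; None means no route, so the packet is dropped."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def build_tables(vpc_cidr="172.31.0.0/16"):
    """Three route tables for three kinds of subnet in the same VPC."""
    public = RouteTable(vpc_cidr, [("0.0.0.0/0", "igw-EXAMPLE")])          # slide 30
    private = RouteTable(vpc_cidr, [("0.0.0.0/0", "nat-EXAMPLE"),          # slide 49
                                    ("10.55.0.0/16", "pcx-EXAMPLE"),       # slide 66
                                    ("192.168.0.0/16", "vgw-EXAMPLE")])    # slide 75
    isolated = RouteTable(vpc_cidr)                   # slide 45: no route to the Internet
    return {"public": public, "private": private, "isolated": isolated}


def route_decisions(destinations, vpc_cidr="172.31.0.0/16"):
    """Next hop chosen by each table for each destination address."""
    tables = build_tables(vpc_cidr)
    return {name: {d: t.lookup(d) for d in destinations} for name, t in tables.items()}


if __name__ == "__main__":
    for name, hops in route_decisions(["172.31.1.24", "10.55.3.7", "192.168.5.5", "54.4.5.6"]).items():
        print(name, hops)
```

Two things worth noticing from the output: a destination inside the VPC always goes to `local` regardless of table, because the /16 local route is more specific than 0.0.0.0/0, and the public table sends 10.55.3.7 towards the Internet Gateway because it has no peering route, which is exactly why slide 66 makes "create routes" a separate step after the peering is accepted.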
  77. DNS in a VPC
  78. VPC DNS options
  80. VPC DNS options: use Amazon DNS server
  81. VPC DNS options: use Amazon DNS server; have EC2 auto-assign DNS hostnames to instances
  82. EC2 DNS hostnames in a VPC
  83. EC2 DNS hostnames in a VPC. Internal DNS hostname: resolves to private IP address
  84. EC2 DNS hostnames in a VPC. Internal DNS hostname: resolves to private IP address. External DNS name: resolves to…
  85. EC2 DNS hostnames work from anywhere: outside your VPC. C:>nslookup ec2-52-18-10-57.eu-west-1.compute.amazonaws.com Non-authoritative answer: Name: ec2-52-18-10-57.eu-west-1.compute.amazonaws.com Address: 52.18.10.57
  86. EC2 DNS hostnames work from anywhere: outside your VPC. C:>nslookup ec2-52-18-10-57.eu-west-1.compute.amazonaws.com Non-authoritative answer: Name: ec2-52-18-10-57.eu-west-1.compute.amazonaws.com Address: 52.18.10.57. Outside your VPC: public IP address
  87. EC2 DNS hostnames work from anywhere: inside your VPC. [ec2-user@ip-172-31-0-201 ~]$ dig ec2-52-18-10-57.eu-west-1.compute.amazonaws.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.38.amzn1 <<>> ec2-52-18-10-57.eu-west-1.compute.amazonaws.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36622 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. IN A ;; ANSWER SECTION: ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. 60 IN A 172.31.0.137 ;; Query time: 2 msec ;; SERVER: 172.31.0.2#53(172.31.0.2) ;; WHEN: Wed Sep 9 22:32:56 2015 ;; MSG SIZE rcvd: 81
  88. EC2 DNS hostnames work from anywhere: inside your VPC. [ec2-user@ip-172-31-0-201 ~]$ dig ec2-52-18-10-57.eu-west-1.compute.amazonaws.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.38.amzn1 <<>> ec2-52-18-10-57.eu-west-1.compute.amazonaws.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36622 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. IN A ;; ANSWER SECTION: ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. 60 IN A 172.31.0.137 ;; Query time: 2 msec ;; SERVER: 172.31.0.2#53(172.31.0.2) ;; WHEN: Wed Sep 9 22:32:56 2015 ;; MSG SIZE rcvd: 81. Inside your VPC: private IP address
  89. Amazon Route 53 private hosted zones • Control DNS resolution for a domain and subdomains • DNS records take effect only inside associated VPCs • Can use it to override DNS records “on the outside”
  90. Creating an Amazon Route 53 private hosted zone
  91. Creating an Amazon Route 53 private hosted zone: private hosted zone
  92. Creating an Amazon Route 53 private hosted zone: private hosted zone associated with one or more VPCs
  93. Creating an Amazon Route 53 DNS record in the private hosted zone: example.demohostedzone.org → 172.31.0.99
  94. Querying private hosted zone records (https://aws.amazon.com/amazon-linux-ami/2015.03-release-notes/). [ec2-user@ip-172-31-0-201 ~]$ dig example.demohostedzone.org ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.38.amzn1 <<>> example.demohostedzone.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26694 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;example.demohostedzone.org. IN A ;; ANSWER SECTION: example.demohostedzone.org. 60 IN A 172.31.0.99 ;; Query time: 2 msec ;; SERVER: 172.31.0.2#53(172.31.0.2) ;; WHEN: Wed Sep 9 00:13:33 2015 ;; MSG SIZE rcvd: 60
  95. … And more
  96. VPC Flow Logs: see all your traffic • Visibility into effects of security group rules • Troubleshooting network connectivity • Ability to analyze traffic
  97. Amazon VPC endpoints: Amazon S3 without an Internet Gateway
  100. Thank you!
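Slide 96 lists what VPC Flow Logs are for: seeing the effect of security group rules, troubleshooting connectivity, and analysing traffic. The script below is an added example, not part of the deck and not AWS tooling, of reading flow log records in the default fourteen-field record format and answering those three questions: which remote addresses were rejected and on which ports, which of them were refused on several distinct ports within the window, and how many bytes each accepted flow carried. The log lines are constructed to match the deck's web server (172.31.0.128) and backend (172.31.1.24) addresses; the account ID, interface ID and the external addresses are placeholders.

```python
"""Added example (not from the deck): reading VPC Flow Log records (slide 96)
to see which traffic the security groups and network ACLs rejected. The log
lines below are constructed in the default flow-log record format; the
account ID, interface ID and external addresses are not real."""
from collections import defaultdict

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one accepted HTTP flow, a few rejects, one internal
# web-to-backend flow, and a NODATA record, which carries no flow fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 172.31.0.128 51000 80 6 10 840 1467900000 1467900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 172.31.0.128 51001 443 6 1 60 1467900000 1467900060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.0.128 40000 22 6 1 60 1467900010 1467900070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.0.128 40001 23 6 1 60 1467900010 1467900070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.0.128 40002 3389 6 1 60 1467900010 1467900070 REJECT OK
2 123456789012 eni-0a1b2c3d 172.31.0.128 172.31.1.24 43210 3306 6 5 700 1467900020 1467900080 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1467900030 1467900090 - NODATA
"""


def parse_flow_log(text):
    """Turn raw records into dicts; records without flow data (NODATA/SKIPDATA) are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a different (custom) log format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Remote addresses whose packets a security group or NACL refused, and on which ports."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def sources_probing_many_ports(records, min_distinct_ports=3):
    """Sources rejected on several distinct ports in the window: worth a look, and a
    cheap confirmation that only port 80 is open as the slide 38 rule intends."""
    return sorted(src for src, p in rejected_ports_by_source(records).items()
                  if len(p) >= min_distinct_ports)


def accepted_bytes_by_flow(records):
    """Bytes actually admitted per (src, dst, dport), for the traffic-analysis use on slide 96."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "ACCEPT":
            totals[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(rejected_ports_by_source(recs))
    print(sources_probing_many_ports(recs))
    print(accepted_bytes_by_flow(recs))
```

On the sample the REJECT lines are the security group from slide 38 doing its job (only port 80 is admitted from the Internet), and the ACCEPT line on port 3306 is the web-to-backend path that the slide 40 reference rule allows; a REJECT there would be the first thing to look for when troubleshooting that tier.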