
Creating a Virtual Data Center


In this session, we will walk through the fundamentals of Amazon Virtual Private Cloud (VPC). First, we will cover build-out and design fundamentals for VPC, including picking your IP space, subnetting, routing, security, NAT, and much more. We will then transition into different approaches and use cases for optionally connecting your VPC to your physical data center with VPN or AWS Direct Connect. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision-makers interested in understanding the building blocks AWS makes available with VPC and how you can connect this with your offices and current data center footprint.



  1. Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options. Koen vd Biggelaar, Sr. Mgr. Solution Architecture, AWS; Jurjan Woltman, Architect, Wehkamp. May 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. [Diagram] EC2 instance
  3. [Diagram] A VPC with instances at private addresses 172.31.0.128, 172.31.0.129, 172.31.1.24 and 172.31.1.27, and public addresses 54.4.5.6 and 54.2.3.4
  4. What to Expect from the Session
      • Get familiar with VPC concepts
      • Walk through a basic VPC setup
      • Learn about the ways in which you can tailor your virtual network to meet your needs
      • Get a customer story
      • And there is more
  5. Walkthrough: Setting Up an Internet-Connected VPC
  6. Creating an Internet-Connected VPC: Steps
      • Choosing an address range
      • Setting up subnets in Availability Zones
      • Creating a route to the Internet
      • Authorizing traffic to/from the VPC
  7. Choose address ranges
  8. CIDR Notation Review. CIDR range example: 172.31.0.0/16 = 1010 1100 . 0001 1111 . 0000 0000 . 0000 0000
  9. Choosing IP Address Ranges for Your VPC: 172.31.0.0/16
      • Recommended: RFC1918 range
      • Recommended: /16 (64K addresses)
  10. Set up subnets
  11. Choosing IP Address Ranges for Your Subnets. [Diagram] VPC 172.31.0.0/16 with one subnet per Availability Zone: 172.31.0.0/24 in eu-west-1a, 172.31.1.0/24 in eu-west-1b, 172.31.2.0/24 in eu-west-1c
  12. Auto-assign Public IP: All instances will get an automatically assigned public IP
  13. More on Subnets. Recommended for most customers:
      • /16 VPC (64K addresses)
      • /24 subnets (251 addresses)
      • One subnet per Availability Zone
  14. Create a route to the Internet
  15. Routing in Your VPC
      • Route tables contain rules for which packets go where
      • Your VPC has a default route table
      • …but you can assign different route tables to different subnets
  16. [Route table] Traffic destined for my VPC stays in my VPC
  17. Internet Gateway: Send packets here if you want them to reach the Internet
  18. [Route table] Everything that isn’t destined for the VPC: Send to the Internet
  19. Authorizing traffic: Network ACLs, Security groups
  20. Network ACLs = Stateless Firewall Rules
  21. Security Groups Follow the Structure of Your Application. [Diagram] “MyWebServers” security group; “MyBackends” security group: Allow only “MyWebServers”
  22. Security Groups = Stateful Firewall. In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
  23. Security Groups = Stateful Firewall. In English: Only instances in the MyWebServers security group can reach instances in this security group
  24. Security Groups in VPCs: Additional Notes
      • VPC allows creation of egress as well as ingress security group rules
      • Best practice: Whenever possible, specify allowed traffic by reference (other security groups)
      • Many application architectures lend themselves to a 1:1 relationship between security groups (who can reach me) and IAM roles (what I can do).
  25. Connectivity Options For VPCs
  26. Beyond Internet Connectivity
      • Subnet routing options
      • Connecting to your corporate network
      • Connecting to other VPCs
  27. Routing on a subnet basis: Internal-facing subnets
  28. Different Route Tables for Different Subnets. [Diagram] Two VPC subnets: one has a route to the Internet, the other has no route to the Internet
  29. Internet Access via NAT Gateway. [Diagram] Two VPC subnets, each with a 0.0.0.0/0 route, and a NAT Gateway with public IP 54.161.0.39
  30. Connecting to other VPCs: VPC Peering
  31. Shared Services VPC Using VPC Peering. Common/core services:
      • Authentication/directory
      • Monitoring
      • Logging
      • Remote administration
      • Scanning
  32. VPC Peering. [Diagram] VPC 172.31.0.0/16 peered with VPC 10.55.0.0/16; an Orange security group and a Blue security group with an ALLOW rule between them
  33. Steps to Establish Peering: Initiate Request. [Diagram] 172.31.0.0/16 and 10.55.0.0/16. Step 1: Initiate peering request
  34. Steps to Establish Peering: Initiate Request
  35. Steps to Establish Peering: Accept Request. [Diagram] 172.31.0.0/16 and 10.55.0.0/16. Step 1: Initiate peering request. Step 2: Accept peering request
  36. Steps to Establish Peering: Accept Request
  37. Steps to Establish Peering: Create Route. [Diagram] 172.31.0.0/16 and 10.55.0.0/16. Step 1: Initiate peering request. Step 2: Accept peering request. Step 3: Create routes. In English: Traffic destined for the peered VPC should go to the peering
  38. Connecting to your network: Virtual private network & Amazon Direct Connect
  39. Extend your own network into your VPC: VPN, Direct Connect
  40. VPN: What you need to know. [Diagram] Your networking device (customer gateway) in 192.168.0.0/16 connects over two IPSec tunnels to a virtual gateway in VPC 172.31.0.0/16
  41. Routing to a Virtual Private Gateway. In English: Traffic to my 192.168.0.0/16 network goes out the VPN tunnel
  42. VPN vs Direct Connect
      • Both allow secure connections between your network and your VPC
      • VPN is a pair of IPSec tunnels over the Internet
      • Direct Connect is a dedicated line with lower per-GB data transfer rates
      • For highest availability: Use both
  43. DNS in a VPC
  44. VPC DNS Options
      • Use Amazon DNS server
      • Have EC2 auto-assign DNS hostnames to instances
  45. EC2 DNS Hostnames in a VPC. Internal DNS hostname: Resolves to Private IP address. External DNS name: Resolves to …
  46. EC2 DNS Hostnames Work From Anywhere: Outside Your VPC
          C:\>nslookup ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
          Server:  globaldnsanycast.amazon.com
          Address:  10.4.4.10
          Non-authoritative answer:
          Name:    ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
          Address:  52.18.10.57
      Outside your VPC: Public IP address
  47. EC2 DNS Hostnames Work From Anywhere: Inside Your VPC
          [ec2-user@ip-172-31-0-201 ~]$ dig ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
          ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.38.amzn1 <<>> ec2-52-18-10-57.eu-west-1.compute.amazonaws.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36622
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
          ;; QUESTION SECTION:
          ;ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. IN A
          ;; ANSWER SECTION:
          ec2-52-18-10-57.eu-west-1.compute.amazonaws.com. 60 IN A 172.31.0.137
          ;; Query time: 2 msec
          ;; SERVER: 172.31.0.2#53(172.31.0.2)
          ;; WHEN: Wed Sep 9 22:32:56 2015
          ;; MSG SIZE rcvd: 81
      Inside your VPC: Private IP address
  48. Route 53 Private Hosted Zones
      • Control DNS resolution for a domain and subdomains
      • DNS records take effect only inside associated VPCs
      • Can use it to override DNS records “on the outside”
  49. Running a Microservices Container Platform on AWS. Jurjan Woltman, Architect. Amazon AWS Summit, May 24th, 2016
  50. Frontend Technology stack – 2012: On Premise, Monolith, .NET, No Automation, Almost end-of-life, Scalability limit reached
  51. Our Ambition: 7.000.000 personal websites, touchpoints
  52. ● Reactive Micro-services architecture
      ● Polyglot Programming: Scala, .Net, NodeJS, Java
      ● Blend of SaaS & Wehkamp proprietary services
      ● Services expose REST APIs over HTTP/JSON
      ● Open for integration, internally and externally
      ● Support for Multi-instances, e.g. countries, labels
      ● And last but not least: Scalable & Resilient Infrastructure
  53. Why AWS
      ● Maturity & Feature Richness
      ● Ease of Use
      ● Development Tooling – Automation is key
      ● Scalability & Resilience
  54. One Region with Three Availability Zones. [Diagram] Dublin: Availability Zone A, Availability Zone B, Availability Zone C
  55. Three VPCs to split Development & Production. [Diagram] AWS VPCs CIDR 10.200.0.0/16: WEHKAMP.IO CIDR 10.200.48.0/20, Blaze OTA CIDR 10.200.16.0/20, Blaze P CIDR 10.200.0.0/20; VPN connections to On Premise
  56. Automate everything: VPCs are managed by CloudFormation and Ansible
  57. [Diagram] VPC 10.x.x.x/20 with subnets Public A 10.x.0.0/24, Public B 10.x.1.0/24, Public C 10.x.2.0/24, Private C 10.x.13.0/24, Private B 10.x.14.0/24, Private A 10.x.15.0/24, and a VIF
      • /20 per VPC
      • /24 per Subnet
      • Public & Private per AZ
  58. [Diagram] The same VPC layout hosting the Mesos Container Platform, Cassandra and Elasticsearch
      • Our platform is deployed in 3 AZs
      • Pick middleware / tools which are aware
  59. Three VPCs to split Development & Production (slide 55 repeated)
  60. Account & VPC REDESIGN. [Diagram] Billing; IAM; Shared Services (Back-up, Audit Trail, Reporting); control, dev, acc and prd accounts for label nl.wehkamp and for label be.wehkamp
      ● Single Responsibility
      ● Security
      ● Fault-Tolerant
      ● Shared Resources
  61. Replace VPN by Direct Connect. [Diagram] Direct Connect over redundant fiber to Shared Services and to the control, dev, acc and prd accounts of labels nl.wehkamp and be.wehkamp
  62. What did we learn?
      ● Start simple and small
      ● Automate everything!
      ● VPCs are different than on-premise networks
      ● Isolation & strong (naming) conventions
  63. And there is more …
  64. VPC Flow Logs: See All Your Traffic
      • Visibility into effects of security group rules
      • Troubleshooting network connectivity
      • Ability to analyze traffic
  65. VPC Endpoints: S3 Without an Internet Gateway
  66. Remember to complete your evaluations!
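The address-planning slides (8 to 13) and Wehkamp's /20-per-VPC layout (slide 57) as a worked example; this is added code, not part of the deck, and it generalises the slides' one-subnet-per-AZ case to the public-plus-private-per-AZ layout. It assumes AWS's reservation of 5 addresses per subnet, which is what turns a /24 into the 251 usable addresses the deck quotes.

```python
# Added example (not from the deck): subnet planning as in slides 8-13 and 57.
import ipaddress

# RFC1918 private ranges, which the deck recommends for a VPC CIDR.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves 5 addresses in every subnet (network, VPC router, DNS, one
# spare, broadcast): that is why the deck quotes 251 usable addresses for a /24.
AWS_RESERVED_PER_SUBNET = 5

def is_rfc1918(cidr):
    """True if the whole block lies inside one RFC1918 range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)

def usable_hosts(cidr):
    """Addresses an instance can actually take in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def cidr_bits(cidr):
    """Dotted binary form of the network address, as on the CIDR review slide."""
    net = ipaddress.ip_network(cidr)
    return ".".join(f"{octet:08b}" for octet in net.network_address.packed)

def plan_subnets(vpc_cidr, azs, subnet_prefix=24, private_tier=False):
    """Carve one subnet per AZ out of the VPC block (slide 11). With
    private_tier=True, also carve a private subnet per AZ from the END of the
    block, the way slide 57 numbers them (10.x.13.0/24 ... 10.x.15.0/24)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not is_rfc1918(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not an RFC1918 range")
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))
    needed = len(azs) * (2 if private_tier else 1)
    if len(blocks) < needed:
        raise ValueError(f"{vpc_cidr} holds {len(blocks)} /{subnet_prefix}s, need {needed}")
    plan = {}
    for i, az in enumerate(azs):
        plan[("public", az)] = str(blocks[i])            # from the front of the block
        if private_tier:
            plan[("private", az)] = str(blocks[-(i + 1)])  # from the back
    return plan
```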
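The routing slides (16 to 18, 28, 29, 37 and 41) as one worked lookup; this is added code, not from the deck. It assumes longest-prefix-match evaluation, which is how VPC route tables pick a route, and uses illustrative target labels ("local", "igw", "nat", "pcx", "vgw") rather than real AWS resource ids. The peering check covers the caveat behind slide 37's step 3: a route is needed on both sides of the peering.

```python
# Added example (not from the deck): longest-prefix-match route lookup over
# constructed route tables that mirror the routing slides.
import ipaddress

# Every route table carries the implicit "local" route for the VPC CIDR (slide 16).
PUBLIC_ROUTES = [
    ("172.31.0.0/16", "local"),   # traffic destined for my VPC stays in my VPC
    ("10.55.0.0/16", "pcx"),      # peered VPC, created in slide 37 step 3
    ("192.168.0.0/16", "vgw"),    # corporate network via the VPN tunnel (slide 41)
    ("0.0.0.0/0", "igw"),         # everything else goes to the Internet Gateway (slide 18)
]
PRIVATE_ROUTES = [
    ("172.31.0.0/16", "local"),
    ("10.55.0.0/16", "pcx"),
    ("192.168.0.0/16", "vgw"),
    ("0.0.0.0/0", "nat"),         # internal-facing subnet: out via NAT Gateway (slide 29)
]
ISOLATED_ROUTES = [("172.31.0.0/16", "local")]   # subnet with no route to the Internet (slide 28)

def next_hop(route_table, dst_ip):
    """Target of the most specific matching route, or None when nothing matches
    (the packet is dropped: there is no default route)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def peering_works(table_a, ip_a, table_b, ip_b):
    """Peering is only usable when BOTH tables route to the peering connection;
    a reply from a VPC that lacks the return route never comes back."""
    return next_hop(table_a, ip_b) == "pcx" and next_hop(table_b, ip_a) == "pcx"
```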
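The MyWebServers / MyBackends security groups of slides 21 to 24, evaluated in code and contrasted with the stateless network ACL of slide 20; this is an added example, not from the deck. The instance names, the backend port 5432 and the client addresses are constructed; the private IPs are the ones shown on slide 3.

```python
# Added example (not from the deck): security group evaluation by CIDR and by
# group reference, next to a stateless network ACL.
import ipaddress

# Instance -> (private IP, security groups). Constructed; IPs are from slide 3.
INSTANCES = {"web-1": ("172.31.0.128", {"MyWebServers"}),
             "db-1": ("172.31.1.24", {"MyBackends"})}

# Ingress rules: (group, protocol, port, source). Source is a CIDR or another
# group's name, i.e. traffic allowed "by reference" (slide 24 best practice).
INGRESS = [("MyWebServers", "tcp", 80, "0.0.0.0/0"),      # slide 22
           ("MyBackends", "tcp", 5432, "MyWebServers")]   # slide 23

def sg_allows(dst_instance, src, proto, port):
    """Security group decision for a NEW connection to dst_instance; src is an
    instance name or an external IP. Replies need no rule: groups are stateful."""
    src_ip, src_groups = INSTANCES.get(src, (src, set()))
    for group, p, prt, source in INGRESS:
        if group not in INSTANCES[dst_instance][1] or (p, prt) != (proto, port):
            continue
        if source in src_groups:                       # matched by group reference
            return True
        if "/" in source and ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False                                       # no rule matched: implicit deny

# A network ACL is stateless: the reply to an inbound HTTP request is checked
# against the OUTBOUND rules like any other packet, so the ephemeral port range
# must be opened explicitly. Without the second rule, web replies are dropped.
NACL = [("in", "tcp", 80, 80, "allow"),
        ("out", "tcp", 1024, 65535, "allow")]

def nacl_allows(direction, proto, port, acl=NACL):
    """First matching rule wins; an ACL ends with an implicit deny."""
    for d, p, lo, hi, action in acl:
        if d == direction and p == proto and lo <= port <= hi:
            return action == "allow"
    return False

def web_request_completes(client_port, acl=NACL):
    """An HTTP exchange works only if request and reply both pass the ACL."""
    return nacl_allows("in", "tcp", 80, acl) and nacl_allows("out", "tcp", client_port, acl)
```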
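Slide 64 lists what VPC Flow Logs give you; this added example (not from the deck) reads flow log records and summarises the REJECTed flows, which is where the effect of security group and ACL rules shows up. The log lines are constructed, with a placeholder account id; the field order is the default flow log record format.

```python
# Added example (not from the deck): summarising rejected flows from VPC Flow Logs.
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: an accepted HTTP request and its reply, two SSH attempts
# a security group rejected, and one window with no traffic (NODATA).
SAMPLE_LOG = """\
2 123456789012 eni-0example 203.0.113.9 172.31.0.128 50123 80 6 12 3400 1463000000 1463000060 ACCEPT OK
2 123456789012 eni-0example 172.31.0.128 203.0.113.9 80 50123 6 10 9200 1463000000 1463000060 ACCEPT OK
2 123456789012 eni-0example 198.51.100.7 172.31.0.128 41000 22 6 1 44 1463000000 1463000060 REJECT OK
2 123456789012 eni-0example 198.51.100.7 172.31.0.128 41001 22 6 1 44 1463000060 1463000120 REJECT OK
2 123456789012 eni-0example - - - - - - - 1463000120 1463000180 - NODATA
"""

def parse_record(line):
    """Turn one record into a dict; '-' (no value) becomes None."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return {name: None if v == "-" else (int(v) if name in INT_FIELDS else v)
            for name, v in zip(FIELDS, values)}

def reject_summary(log_text):
    """Count REJECTed flows by destination port and by source address: the
    visible effect of your security group and ACL rules."""
    by_port, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue            # skip NODATA/SKIPDATA windows and accepted flows
        by_port[rec["dstport"]] += 1
        by_source[rec["srcaddr"]] += 1
    return by_port, by_source

def noisy_sources(log_text, min_rejects=2):
    """Sources rejected at least min_rejects times: the first thing to look at
    when troubleshooting connectivity or checking for unwanted probing."""
    _, by_source = reject_summary(log_text)
    return sorted(src for src, n in by_source.items() if n >= min_rejects)
```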
