
Deep Dive: Amazon Virtual Private Cloud


Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. In this talk, we discuss advanced tasks in Amazon VPC, including the implementation of VPC peering, the creation of multiple network zones, the establishment of private connections, and the use of multiple routing tables. We also provide information for current Amazon EC2-Classic network customers and help you prepare to adopt Amazon VPC.

Published in: Technology


  1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Virtual Private Cloud Deep Dive. Becky Weiss, Principal Engineer – Amazon EC2 Networking
  2. Related presentations – videos online at https://www.youtube.com/user/AmazonWebServices
     • ARC205 – VPC Fundamentals and Connectivity
     • ARC401 – Black Belt Networking for Cloud Ninja – application-centric, network monitoring, management, floating IPs
     • ARC403 – From One to Many: Evolving VPC Design
     • SDD302 – A Tale of One Thousand Instances – example of an EC2-Classic customer adopting VPC
     • SDD419 – Amazon EC2 Networking Deep Dive – network performance, placement groups, enhanced networking
  3. aws vpc --expert-mode
  4. (Diagram) Virtual Private Cloud with three subnets: Subnet A, us-west-2a, 172.31.0.0/20, holding an EC2 instance whose Elastic Network Interface is 172.31.0.5; Subnet B, us-west-2b, 172.31.16.0/20; Subnet C, us-west-2c, 172.31.32.0/20, holding an EC2 instance at 172.31.32.8
  5. AZ = Availability Zone
  6. VPC connectivity 101
  7. VPC connectivity: TL;DR
     • Most common case: Internet connectivity
       – Automatically enabled for default VPCs: you do nothing
       – Easy to enable for non-default VPCs: you do a little bit
     • There are many options, but they are optional!
  8. Create VPC
     aws ec2 create-vpc --cidr 10.10.0.0/16
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.1.0/24 --a us-west-2a
     aws ec2 create-subnet --vpc vpc-c15180a4 --cidr 10.10.2.0/24 --a us-west-2b
     (The slides use the AWS CLI's unambiguous-prefix abbreviations throughout: --a for --availability-zone, --sub for --subnet-id, --ro for --route-table-id, --dest for --destination-cidr-block, and so on.)
  9. Launch instances
     aws ec2 run-instances --image ami-d636bde6 --sub subnet-d83d91bd --count 3
     aws ec2 run-instances --image ami-d636bde6 --sub subnet-b734f6c0 --count 3
  10. Routes: local connectivity
      aws ec2 describe-route-tables --route-table-ids rtb-c9d737ad
      Routes:
        DestinationCidrBlock   GatewayId   State
        10.10.0.0/16           local       active
      Traffic to the VPC's range stays in the VPC
  11. Establish public connectivity
      aws ec2 create-internet-gateway
      aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
      aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
      Your default VPC is already configured this way
  12. Routes: Internet connectivity
      aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
      Routes:
        DestinationCidrBlock   GatewayId      State
        10.10.0.0/16           local          active
        0.0.0.0/0              igw-5a1ae13f   active
      Everything not destined for my VPC goes to the Internet
  13. Confirming your default VPC: aws ec2 describe-account-attributes (the supported-platforms attribute shows VPC only)
  14. VPC Endpoints for Amazon S3: getting to Amazon S3 without the Internet
  15. (Diagram) Amazon S3 reached without an Internet gateway
  16. Setting up an Amazon S3 endpoint for vpc-c15180a4, attached to route table rtb-ef36e58a
  17. Routes: Amazon S3 connectivity
      aws ec2 describe-route-tables --route-table-ids rtb-ef36e58a
      Routes:
        DestinationCidrBlock   DestinationPrefixListId   GatewayId
        10.10.0.0/16                                     local
                               pl-68a54001               vpce-a610f4cf
  18. The Amazon S3 prefix list
      DescribePrefixLists
        PrefixListId   PrefixListName
        pl-68a54001    com.amazonaws.us-west-2.s3
        Cidrs: 54.231.160.0/19
      This is the IP range for Amazon S3; it changes over time and is managed by AWS
  19. IAM policy: Amazon S3 bucket
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Only my VPC Endpoint can access this bucket",
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": ["arn:aws:s3:::bucket-of-awesome", "arn:aws:s3:::bucket-of-awesome/*"],
            "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-a610f4cf" } }
          }
        ]
      }
      aws s3api put-bucket-policy --bucket bucket-of-awesome --policy file:///tmp/bucket_policy_for_vpce.json
      In English: deny access to this bucket to all but this VPC endpoint
  20. IAM policy: VPC endpoint
      {
        "Statement": [
          {
            "Sid": "Access to bucket-of-awesome",
            "Principal": "*",
            "Action": [ "s3:GetObject", "s3:PutObject" ],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::bucket-of-awesome", "arn:aws:s3:::bucket-of-awesome/*"]
          }
        ]
      }
      (endpoint in vpc-c15180a4, route table rtb-ef36e58a, created with --policy-document file:///tmp/vpce_policy_document.json)
      In English: this VPC endpoint is allowed only to Get/Put to bucket-of-awesome. The VPC endpoint IAM policy can be modified after the fact.
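The two policies on slides 19 and 20 only do their job in combination, and the bucket-side Deny has a side effect worth seeing: a request that never passes through the endpoint (the console, a laptop, an instance in another VPC) carries no aws:sourceVpce key at all, and a negated operator such as StringNotEquals is satisfied by a missing key, so those requests are denied too. The following is an added example, not code from the deck: a deliberately small model of IAM evaluation (explicit Deny wins, then Allow, otherwise implicit deny; principals are ignored because both policies use "*") applied to the two policies exactly as the slides give them. It assumes the caller's own identity policy already grants the S3 action; the object key and the second endpoint ID are constructed.

```python
import fnmatch

# The two policies from slides 19 and 20, copied from the deck.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Only my VPC Endpoint can access this bucket",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": ["arn:aws:s3:::bucket-of-awesome", "arn:aws:s3:::bucket-of-awesome/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-a610f4cf"}},
    }],
}

ENDPOINT_POLICY = {
    "Statement": [{
        "Sid": "Access to bucket-of-awesome",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::bucket-of-awesome", "arn:aws:s3:::bucket-of-awesome/*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM Action/Resource wildcards behave like shell globs for our purposes.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def condition_matches(condition, context):
    """Only the two string operators these policies need are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # A key absent from the request satisfies a negated operator;
                # this is why the Deny on slide 19 also blocks console access.
                if actual is not None and actual == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_allowed(action, resource, source_vpce=None):
    """Assumes the caller's identity policy already grants `action` (assumption)."""
    context = {} if source_vpce is None else {"aws:sourceVpce": source_vpce}
    if evaluate(BUCKET_POLICY, action, resource, context) == "Deny":
        return False
    if source_vpce is not None:
        # Traffic through an endpoint is additionally filtered by the endpoint policy.
        return evaluate(ENDPOINT_POLICY, action, resource, context) == "Allow"
    return True


if __name__ == "__main__":
    key = "arn:aws:s3:::bucket-of-awesome/report.csv"  # constructed object key
    for action, vpce in [("s3:GetObject", "vpce-a610f4cf"), ("s3:DeleteObject", "vpce-a610f4cf"),
                         ("s3:GetObject", "vpce-0000aaaa"), ("s3:GetObject", None)]:
        print(f"{action:16} via {vpce or 'no endpoint':14} -> {request_allowed(action, key, vpce)}")
```

Running it shows Get and Put succeeding only through vpce-a610f4cf, Delete refused by the endpoint policy, and both a different endpoint and a request with no endpoint at all refused by the bucket policy.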
  21. VPC Peering: getting between VPCs without the Internet
  22. Shared services VPC using VPC peering
      • Common/core services
        – Authentication/directory
        – Monitoring
        – Logging
        – Remote administration
        – Scanning
  23. VPC peering for VPC-to-VPC connectivity (VPC A – 10.10.0.0/16, vpc-c15180a4; VPC B – 10.20.0.0/16, vpc-062dfc63)
      aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63
      aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
      VPC A> aws ec2 create-route --ro rtb-ef36e58a --des 10.20.0.0/16 --vpc-peer pcx-ee56be87
      VPC B> aws ec2 create-route --ro rtb-67a2b31c --des 10.10.0.0/16 --vpc-peer pcx-ee56be87
  24. VPC peering across accounts (VPC A – 10.10.0.0/16, vpc-c15180a4; VPC B – 10.20.0.0/16, vpc-062dfc63, owned by account ID 472752909333)
      aws ec2 create-vpc-peering-connection --vpc-id vpc-c15180a4 --peer-vpc vpc-062dfc63 --peer-owner 472752909333
      # In owner account 472752909333
      aws ec2 accept-vpc-peering-connection --vpc-peer pcx-ee56be87
  25. VPC peering – additional considerations
      • Security groups are not supported across peerings
      • Data transfer between VPCs is metered at the inter-AZ rate
      • No "transit" capability for VPN, AWS Direct Connect, or third-party VPCs
      • Peer VPC address ranges cannot overlap
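Two of the considerations on slide 25 are easy to get wrong when a shared-services hub (slide 22) grows: peered ranges cannot overlap, and there is no transit, so every spoke needs its own peering with the hub. The following is an added example, not code from the deck, that checks a planned set of peerings before any API call is made. The two VPCs and the peering ID come from slides 23 and 24; the third VPC and its colliding range are constructed, and the routes it derives are the two create-route calls of slide 23 expressed as tuples.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: VPC A and VPC B from slide 23 plus a hypothetical
# third VPC whose range collides with VPC A.
VPCS = {
    "vpc-c15180a4": "10.10.0.0/16",       # VPC A (slide 23)
    "vpc-062dfc63": "10.20.0.0/16",       # VPC B (slide 23)
    "vpc-00sharedsvc": "10.10.128.0/17",  # constructed: overlaps VPC A
}


def overlapping_pairs(vpcs):
    """Every pair of VPCs whose CIDR blocks overlap; such pairs cannot be peered."""
    nets = {vpc_id: ipaddress.ip_network(cidr) for vpc_id, cidr in vpcs.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def can_peer(vpcs, a, b):
    """(ok, reason) for a proposed peering between VPCs a and b."""
    if a == b:
        return False, "a VPC cannot be peered with itself"
    net_a, net_b = ipaddress.ip_network(vpcs[a]), ipaddress.ip_network(vpcs[b])
    if net_a.overlaps(net_b):
        return False, f"{vpcs[a]} overlaps {vpcs[b]}"
    return True, "ok"


def peering_routes(vpcs, a, b, pcx_id):
    """The two route entries slide 23 adds, one per side, as (vpc, destination, target)."""
    ok, reason = can_peer(vpcs, a, b)
    if not ok:
        raise ValueError(reason)
    return [(a, vpcs[b], pcx_id), (b, vpcs[a], pcx_id)]


def shared_services_plan(vpcs, hub, spokes):
    """Hub-and-spoke plan (slide 22). Peering is not transitive, so each spoke
    gets its own peering with the hub. Returns (peerings, problems)."""
    peerings, problems = [], []
    for spoke in spokes:
        ok, reason = can_peer(vpcs, hub, spoke)
        if ok:
            peerings.append((hub, spoke))
        else:
            problems.append((hub, spoke, reason))
    return peerings, problems


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(VPCS))
    print("routes:", peering_routes(VPCS, "vpc-c15180a4", "vpc-062dfc63", "pcx-ee56be87"))
    print("plan:", shared_services_plan(VPCS, "vpc-c15180a4", ["vpc-062dfc63", "vpc-00sharedsvc"]))
```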
  26. VPN and AWS Direct Connect: getting between VPC and your data center
  27. VPN connection (to the corporate data center)
      aws ec2 create-vpn-gateway --type ipsec.1
      aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
      aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
      aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1
  28. Using AWS Direct Connect (to the corporate data center, with a redundant VPN connection)
      aws directconnect create-connection --loc EqSE2 --b 1Gbps --conn My_First
      aws directconnect create-private-virtual-interface --conn dxcon-fgp13h2s --new virtualInterfaceName=Foo,vlan=10,asn=60,authKey=testing,amazonAddress=192.168.0.1/24,customerAddress=192.168.0.2/24,virtualGatewayId=vgw-f9da06e7
  29. Automatic route propagation from the VGW (corporate data center 192.168.0.0/16)
      aws ec2 delete-route --ro rtb-ef36e58a --dest 192.168.0.0/16
      aws ec2 enable-vgw-route-propagation --ro rtb-ef36e58a --gateway-id vgw-f9da06e7
      Used to automatically update routing table(s) with routes present in the virtual private gateway (VGW)
  30. Configuring the route table (corporate data center 192.168.0.0/16): send everything that is not local through the VGW
      aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id vgw-f9da06e7
  31. VPC with private and public connectivity (corporate data center 192.168.0.0/16)
      aws ec2 create-internet-gateway
      aws ec2 attach-internet-gateway --internet igw-5a1ae13f --vpc vpc-c15180a4
      aws ec2 delete-route --ro rtb-ef36e58a --dest 0.0.0.0/0
      aws ec2 create-route --ro rtb-ef36e58a --dest 0.0.0.0/0 --gateway-id igw-5a1ae13f
      aws ec2 create-route --ro rtb-ef36e58a --dest 192.168.0.0/16 --gateway-id vgw-f9da06e7
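The route tables on slides 10, 12, 17 and 31 are consulted by longest-prefix match: the most specific route covering the destination wins, which is why the S3 endpoint's /19 prefix-list route beats the 0.0.0.0/0 Internet route, and why a table with only the local route reaches nothing outside the VPC. The following is an added example, not code from the deck, that applies that rule to a constructed route table combining the deck's local, Internet-gateway, virtual-private-gateway and S3 endpoint routes; the prefix-list contents follow slide 18, and the destination addresses used for the trace are constructed.

```python
import ipaddress

# Constructed route table modelled on slides 10, 12, 17 and 31; the prefix
# list holds the single CIDR slide 18 shows for com.amazonaws.us-west-2.s3.
PREFIX_LISTS = {"pl-68a54001": ["54.231.160.0/19"]}

ROUTE_TABLE = [
    {"destination": "10.10.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "igw-5a1ae13f"},
    {"destination": "192.168.0.0/16", "target": "vgw-f9da06e7"},
    {"prefix_list": "pl-68a54001", "target": "vpce-a610f4cf"},
]


def expand_routes(route_table, prefix_lists):
    """Flatten the table to (network, target) pairs; a prefix-list route
    contributes one pair per CIDR in the list."""
    expanded = []
    for route in route_table:
        if "prefix_list" in route:
            cidrs = prefix_lists[route["prefix_list"]]
        else:
            cidrs = [route["destination"]]
        for cidr in cidrs:
            expanded.append((ipaddress.ip_network(cidr), route["target"]))
    return expanded


def lookup(dst, route_table, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match over the table. Returns the winning target
    (local, igw-..., vgw-..., vpce-...) or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, target in expand_routes(route_table, prefix_lists):
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, target)
    return best[1] if best else None


def trace(destinations, route_table, prefix_lists=PREFIX_LISTS):
    return {dst: lookup(dst, route_table, prefix_lists) for dst in destinations}


if __name__ == "__main__":
    # Constructed destinations: in-VPC, data center, S3, arbitrary Internet host.
    for dst, target in trace(["10.10.2.7", "192.168.5.9", "54.231.170.3", "203.0.113.8"],
                             ROUTE_TABLE).items():
        print(f"{dst:>15} -> {target}")
    print("local-only table, Internet host ->", lookup("203.0.113.8", ROUTE_TABLE[:1]))
```

The last line reproduces slide 10's table (local route only) and shows the lookup returning None: with no covering route the packet is dropped, which is the state a non-default VPC is in before slide 11's commands are run.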
  32. Remote connectivity best practices (corporate data center, two Availability Zones): each VPN connection consists of 2 IPsec tunnels. Use Border Gateway Protocol (BGP) for failure recovery.
  33. Remote connectivity best practices: a pair of VPN connections (4 IPsec tunnels total) protects against failure of your customer gateway.
  34. Remote connectivity best practices: redundant AWS Direct Connect connections with VPN backup.
  35. ClassicLink: getting between VPC and EC2-Classic
  36. ClassicLink is relevant to you if:
      • You have a significant deployment on EC2-Classic
      • You want a phased migration to VPC to take advantage of:
        – New instance types
        – Enhanced networking
        – VPC security benefits (Amazon S3 endpoints, etc.)
        – Features (VPC Flow Logs, etc.)
  37. What ClassicLink does: words
      • Connectivity over private IP addresses between linked instances in EC2-Classic and VPC
      • Classic instances can take membership in VPC security groups
  38. What ClassicLink does: pictures (diagram: EC2-Classic security groups MyWebServers and MyBackends alongside VPC security groups MyWebServers and MyBackends)
  39. ClassicLink APIs & CLI
  40. Enabling ClassicLink (vpc-4325f426): to use ClassicLink the VPC must have this feature enabled. Can be restricted with IAM policy.
  41. Attaching an EC2-Classic instance to a VPC (i-2b3ecd1c, vpc-4325f426, sg-da107fbf): link this specific instance to the VPC using the specified VPC security groups
  42. Migration VPC: keep it simple
      • Internet connectivity
      • One subnet per AZ
      • Similar security groups
  43. Elastic Load Balancing (ELB) supports ClassicLink (diagram: EC2-Classic security group MyWebServers and VPC security group MyWebServers)
  44. ClassicLink – component stages
      • Start with AWS-managed infrastructure
        – RDS, ElastiCache, Redshift
      • Next ELB
      • Then instances
      (diagram: RDS DB instance, ElastiCache cache node and Elastic Load Balancer on the EC2-Classic side and on the VPC side, joined by ClassicLink)
  45–51. (Diagram sequence) The ClassicLink migration stages for the RDS DB instance, ELB and Route 53; only the component names survive from these slides.
  52. ClassicLink – additional considerations
      • VPC address ranges for use with ClassicLink
        – 10.0.0.0/15, or any other range outside 10.0.0.0/8
        – Why? EC2-Classic instance private IP addresses are in 10.2.0.0 – 10.255.255.255
      • The VPC also can't have extra route table entries to 10.0.0.0/8
      • ClassicLink instances use EC2-Classic for all Internet traffic. No access from VPN/Direct Connect or a VPC peer to a ClassicLink instance.
      • ClassicLink must be enabled after instance launch (Run) or Start
      • VPC instance DNS names do not resolve from EC2-Classic, and vice versa
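The first two bullets on slide 52 are mechanical constraints that a pre-flight check can catch before a link attempt fails: the VPC's range must be inside 10.0.0.0/15 or entirely outside 10.0.0.0/8, and no non-local route may point into 10.0.0.0/8. The following is an added example, not code from the deck, that expresses both as functions over a VPC CIDR and a list of (destination, target) route entries. It models the route rule as "no non-local route whose destination lies inside 10.0.0.0/8", which is a simplification of the slide's wording; the route table used for the demonstration is constructed from the deck's own IDs.

```python
import ipaddress

TEN_SLASH_8 = ipaddress.ip_network("10.0.0.0/8")          # EC2-Classic address space
CLASSICLINK_OK_IN_10 = ipaddress.ip_network("10.0.0.0/15")  # the only carve-out allowed inside it


def classiclink_cidr_ok(vpc_cidr):
    """Slide 52: a ClassicLink VPC must use 10.0.0.0/15 (or a subnet of it) or any
    range outside 10.0.0.0/8, because EC2-Classic private addresses occupy
    10.2.0.0 - 10.255.255.255."""
    net = ipaddress.ip_network(vpc_cidr)
    if not net.overlaps(TEN_SLASH_8):
        return True
    return net.subnet_of(CLASSICLINK_OK_IN_10)


def conflicting_routes(route_table):
    """Non-local routes whose destination lies inside 10.0.0.0/8 (simplified
    reading of slide 52's second bullet). route_table holds (destination, target)."""
    conflicts = []
    for destination, target in route_table:
        if target == "local":
            continue
        if ipaddress.ip_network(destination).subnet_of(TEN_SLASH_8):
            conflicts.append((destination, target))
    return conflicts


def classiclink_ready(vpc_cidr, route_table):
    """Human-readable list of problems; empty means the VPC passes both checks."""
    problems = []
    if not classiclink_cidr_ok(vpc_cidr):
        problems.append(f"VPC CIDR {vpc_cidr} collides with the EC2-Classic address space")
    for destination, target in conflicting_routes(route_table):
        problems.append(f"route {destination} -> {target} points into 10.0.0.0/8")
    return problems


if __name__ == "__main__":
    # Constructed route table reusing the deck's gateway and peering IDs.
    routes = [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "igw-5a1ae13f"),
        ("10.20.0.0/16", "pcx-ee56be87"),
        ("192.168.0.0/16", "vgw-f9da06e7"),
    ]
    for cidr in ("10.0.0.0/16", "10.1.0.0/16", "10.10.0.0/16", "172.31.0.0/16"):
        print(f"{cidr:15} cidr ok: {classiclink_cidr_ok(cidr)}")
    print(classiclink_ready("10.0.0.0/16", routes))
```

Note that the deck's own VPC (10.10.0.0/16 from slide 8) fails the range test, which is exactly why slide 42 recommends building a separate, simple migration VPC rather than linking into an existing one.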
  53. VPC Flow Logs: what's going on inside my VPC?
  54. See all of the traffic at your instances
      • Visibility into the effects of security group rules
      • Troubleshooting network connectivity
      • Ability to analyze traffic
  55. Getting set up: CloudWatch Logs – log group MyVPCFlowLogs. Your flow logs will go here.
  56. Getting set up: IAM role VpcFlowLogsRole (trust policy: VPC Flow Logs has permission to assume this role)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  57. Getting set up: IAM role, continued (inline policy granting VPC Flow Logs access to your CloudWatch Logs)
      {
        "Statement": [
          {
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:DescribeLogGroups",
              "logs:DescribeLogStreams",
              "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }
      aws iam put-role-policy --role-name VpcFlowLogsRole --policy-name AccessToCloudWatchLogs --policy-document file:///tmp/inline_policy_document.json
      (The slide grants these actions on "*"; for least privilege you can narrow Resource to the MyVPCFlowLogs log group and its streams.)
  58. Getting set up: VPC Flow Logs (log group MyVPCFlowLogs, delivery role 111122223333:role/VpcFlowLogsRole)
      CreateFlowLogs
        ClientToken   2VVt8sDNhVI3ZXy32ICeCU7MGykMPkQ5kzsdzHcXnk4=
        FlowLogIds    fl-ea995892
      The resource type can be VPC, Subnet, or NetworkInterface; the traffic type can be ACCEPT, REJECT, or ALL
  59. Reading your VPC Flow Logs (log group MyVPCFlowLogs)
      DescribeLogStreams
        logStreams
          arn                   arn:aws:logs:us-east-1:111122223333:log-group:MyVPCFlowLogs:log-stream:eni-97ee1c31-accept
          creationTime          1434203061652
          firstEventTimestamp   1434202443000
          lastEventTimestamp    1434202917000
          lastIngestionTime     1434203662454
          logStreamName         eni-97ee1c31-accept
          storedBytes           0
          uploadSequenceToken   49540113925456550918981667094152056847848616976877379954
      ACCEPT logs for my network interface
  60. Interpreting your VPC Flow Logs (log stream eni-97ee1c31-accept)
      2 111122223333 eni-97ee1c31 132.163.4.101 10.0.1.95 123 123 17 9 684 1434202443 1434203036 ACCEPT OK
      2 111122223333 eni-97ee1c31 10.0.1.95 218.65.30.217 22 40534 6 13 3201 1434202567 1434202615 ACCEPT OK
      2 111122223333 eni-97ee1c31 10.0.1.95 12.130.116.82 80 28110 6 5 343 1434203039 1434203096 ACCEPT OK
      Fields, in order: version, account ID, interface ID, source IP address, destination IP address, source port, destination port, protocol number, packets, bytes, start, end, action, log status
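Slide 60 leaves the reading of the three records to the audience; two details matter when you start analysing flow logs in bulk. Each TCP session shows up as two records, one per direction, so the instance's port is the source port on the reply leg (the second record above is the instance answering an SSH client at 218.65.30.217) and the destination port on the inbound leg; and a NODATA record, emitted when nothing crossed the interface in a window, carries "-" in the address and port fields and must not be parsed as numbers. The following is an added example, not code from the deck: a parser for version-2 records, run over the three records from the slide plus constructed REJECT and NODATA records, that lists external peers with accepted SSH exchanges and counts rejected instance-side ports. It assumes the instance's VPC is 10.0.0.0/16, which the deck does not state.

```python
import ipaddress
from collections import Counter

# VPC Flow Logs version-2 record layout (space separated), in order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6

# Constructed sample: the three ACCEPT records from slide 60, two constructed
# REJECT records, and one constructed NODATA record ('-' in the data fields).
SAMPLE = """\
2 111122223333 eni-97ee1c31 132.163.4.101 10.0.1.95 123 123 17 9 684 1434202443 1434203036 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 218.65.30.217 22 40534 6 13 3201 1434202567 1434202615 ACCEPT OK
2 111122223333 eni-97ee1c31 10.0.1.95 12.130.116.82 80 28110 6 5 343 1434203039 1434203096 ACCEPT OK
2 111122223333 eni-97ee1c31 198.51.100.7 10.0.1.95 51234 3389 6 1 40 1434203100 1434203160 REJECT OK
2 111122223333 eni-97ee1c31 198.51.100.7 10.0.1.95 51235 445 6 1 40 1434203100 1434203160 REJECT OK
2 111122223333 eni-97ee1c31 - - - - - - - 1434203200 1434203260 - NODATA
"""


def parse_record(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in NUMERIC:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def instance_side(rec, vpc_cidr):
    """(instance_port, peer_address) when exactly one end of the record is inside
    the VPC, else None. Both legs of a session are separate records, so the
    instance's port is srcport on the reply leg and dstport on the inbound leg."""
    if rec["log_status"] != "OK":
        return None
    net = ipaddress.ip_network(vpc_cidr)
    src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
    if src in net and dst not in net:
        return rec["srcport"], rec["dstaddr"]
    if dst in net and src not in net:
        return rec["dstport"], rec["srcaddr"]
    return None


def accepted_ssh_peers(records, vpc_cidr):
    """External addresses that completed an accepted TCP/22 exchange with an instance."""
    peers = set()
    for rec in records:
        side = instance_side(rec, vpc_cidr)
        if rec["action"] == "ACCEPT" and rec["protocol"] == TCP and side and side[0] == 22:
            peers.add(side[1])
    return sorted(peers)


def rejected_ports(records, vpc_cidr):
    """Instance-side ports on which traffic was rejected, with record counts."""
    counts = Counter()
    for rec in records:
        side = instance_side(rec, vpc_cidr)
        if rec["action"] == "REJECT" and side:
            counts[side[0]] += 1
    return counts


if __name__ == "__main__":
    records = parse_log(SAMPLE)
    print("records parsed:", len(records))
    print("accepted SSH peers:", accepted_ssh_peers(records, "10.0.0.0/16"))
    print("rejected instance ports:", dict(rejected_ports(records, "10.0.0.0/16")))
```

The same instance_side helper is what you would build a security-group review on: the accepted records say which rules are actually being exercised, and the rejected ones say which ports the outside world keeps knocking on, which is the "visibility into effects of security group rules" promised on slide 54.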
  61. Your feedback is important to AWS. Please complete the session evaluation. Tell us what you think!
  62. CHICAGO
  63. CHICAGO ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
