DevNetOps: Automating large-scale hybrid cloud architectures - AWS Summit Cape Town 2018

© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Bradley Acar
Solutions Architect, Enterprise, Sub-Saharan Africa
DevNetOps - Automating Large-scale
Hybrid Cloud Architectures

Firstly, let’s take a look at our global infrastructure

Amazon Global Network
• Redundant private capacity
between all Regions except China
• All traffic between AWS Regions
makes use of the Amazon Global
Network
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Region
AWS Global Infrastructure:
• A Region (18) is a physical location in the world where we
have presence. Regions consist of multiple Availability Zones
• Availability Zones (55) consist of one or more discrete data
centers, each with redundant power, networking, and
connectivity, housed in separate facilities. Applications and
Data are replicated in real time and consistent in the different
AZs
1
N
2 1
N
2
1
N
2
Low-latency
ensures real
data replication
Distance
ensures
high
availability
1
N
2
1
N
2 1
N
2
1
N
2
1
N
2
1
N
2 1
N
2
1
N
2 1
N
2
1
N
2 1
N
2
1
N
2 1
N
2
1
N
2 1
N
2 1
N
2 1
N
2
1
N
2 1
N
2 1
N
2 1
N
2
1
N
2
1
N
2 1
N
2
1
N
2
1
N
2 1
N
2
1
N
2
1
N
2 1
N
2
1
N
2
1
N
2 1
N
2
1
N
2
1
N
2 1
N
2
1
N
2
1
N
2 1
N
2
1
N
2
AWS Regions (18)
AZs (55)
1
N
2 1
N
2
1
N
2
1
N
2
N. Virginia
Ohio
N. California
Oregon
Mumbai
Seoul
Singapore
Sydney
Tokyo
Canada
Beijing
Frankfurt
Ireland
London
São Paulo GovCloud (US-West)
1
N
2 1
N
2
Ningxia
1
N
2 1
N
2
1
N
2
Paris
Ensuring High Availability

Next, a quick recap of Amazon Virtual Private Cloud

“A virtual network that
closely resembles a
traditional network that
you'd operate in your own
data center”
What is a
Virtual Private Cloud (VPC)?
Instance
Availability Zone
Instance
Availability Zone

Traditional Network
VPN VPN
WAN
Fiber
Applications Applications

VPN VPN
(VPC Peering)
WAN
Fiber
(AWS Direct Connect)
Applications Applications
AWS Network

VPC CIDR 10.1.0.0/16
Availability Zone A Availability Zone B
Public Subnet Public Subnet
Private Subnet Private Subnet
Instance A
10.1.1.11 /24
Instance B
10.1.2.22 /24
Instance C
10.1.3.33 /24
Instance D
10.1.4.44 /24
10.1.1.0/16
10.1.2.0/16
10.1.3.0/16

VPN
WAN
AWS Direct
Connect
Transit VPCVPN
WAN
AWS Direct
Connect
Transit VPC
Shared Services
VPC Peering
Authentication,
Security, Logging
Shared Services
VPC Peering
Authentication,
Security, Logging
Many VPCs

• Less accounts and networks to setup
• Tighter control within the account or
VPC
• Identity and Access
Management (IAM)
• Strict security groups and
routing
• Identifying resources with tags
• Billing and ownership complexity
• Larger account or VPC blast radius
• User privileges, AWS limits
• More accounts and infrastructure to setup
• Tighter control of provisioning and
standards
• Automation of infrastructure
• AWS Direct Connect and VPN
standards
• Subnet and routing standards
• Simpler billing
• Smaller blast radius for users and networks
• Larger blast radius for shared
infrastructure and services
S m a l l e r V P C s o r a c c o u n t sL a r g e r V P C s o r a c c o u n t s
Account and VPC Segmentation

• Automation of infrastructure
• AWS Direct Connect and VPN
standards
• Subnet and routing standards
• Identity and Access
Management (IAM)
• Strict security groups and
routing
• Identifying resources with tags
S m a l l e r V P C s o r a c c o u n t sL a r g e r V P C s o r a c c o u n t s
Account and VPC Segmentation
Infrastructure and NetworkingPolicy and IAM

How?
We’ll compare VPC designs that:
• Scale
• Connect multiple VPCs together
• Provide automation
With these design patterns:
Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC
Transit VPC
with firewalls
AWS Direct
Connect
WAN
Shared Services Multi-Region
Options
VGW
VGW
VGW
VGW
VGW
VGW
VGW
VGW

Our Starting Point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod

Challenge: Adding more VPCs
VPN
WAN
AWS Direct
Connect
Lots of connections
Dev Prod Dev Prod Dev Prod

Challenge: Peering VPCs
VPN
WAN
AWS Direct
Connect
VPC to VPC connections?

Challenge: Peering VPCs
VPN
WAN
AWS Direct
Connect
Connect Dev and Prod
VPC Peering
Connect the blue environment
How does this scale?
Let’s:

Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC

Familiarity and visibility Firewall insertion Encryption everywhere
Centralization Higher scale Inter-region connectivity
Benefits of the Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC

VPN
WAN
AWS Direct
Connect
Transit VPC
Transit VPC
Architecture

Transit VPC: Hub
Availability Zone 1
Subnet 1
VPN Instance
Availability Zone 2
Subnet 2
VPN Instance
• Instances running VPN software
• Deployed in two Availability Zones
Internet gateway

Transit VPC: Routing
Virtual Private
Gateway (VGW)
VGW
VGW
Virtual Private
Network (VPN)
Border Gateway
Protocol (BGP)
Transit VPC
10.0.0.0/16
10.1.0.0/16
The VGW advertises the VPC CIDR to the
VPN instance (10.1.0.0/16)
Customer Gateway
(CGW)
So far, this works exactly like a typical VPN

Transit VPC: Routing
Virtual Private
Gateway (VGW)
VGW
VGW
Virtual Private
Network (VPN)
Transit VPC
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 VGW
Internet
The VPN Instances
advertise routes to each
VGW. This can be a default
route or individual routes.

Why Doesn’t Peering Work?
VPC Peering
Transit VPC
10.0.0.0/16
10.1.0.0/16 10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 PCX
Internet

Why Doesn’t Peering Work?
VPC Peering
Transit VPC
10.0.0.0/16
10.1.0.0/16 10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 PCX
Internet
Destination: Internet Traffic must either originate or
terminate on a network
interface in the VPC
Transitive Routing

Why Does VPN Work?
Transit VPC
10.0.0.0/16
10.1.0.0/16 10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 VGW
Internet
Destination: Internet
VGW
VGW
Virtual Private
Network (VPN)
VGW
VGW
Traffic must either originate or
terminate on a network
interface in the VPC
Transitive Routing

Transit VPC: Availability
Virtual Private
Gateway (VGW)
VGW
VGW
Virtual Private
Network (VPN)
Transit VPC
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 VGW
BGP and Dead Peer Detection (DPD)
detect the failure
The VGW route automatically fails
over to the other tunnel
Internet

Transit VPC: Availability
VGW
VGW
Transit VPC
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/0 VGW
Route Table
Destination Target
10.2.0.0/16 Local
0.0.0.0/0 VGW
detect the failure
detect the failure
Internet

Options for On-Premises Connectivity
Transit VPC
Internet
On-premises
Virtual Private
Network (VPN)
Internet Gateway
WAN
Virtual Private
Network (VPN)
VGW
VGW
Detached
VGW
AWS
Direct
Connect
Customer
Gateway
VPN over the internet
WANVGW
VGW
Customer
Gateway
VGW
Virtual Private
Network (VPN)
AWS
Direct
Connect
VPN over AWS Direct
Connect
Detached VGW with AWS
Direct Connect

VPN Over the Internet
VGW
VGW
Transit VPC
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
Internet
172.16.0.0/16
On-premises
Virtual Private
Gateway (VGW)
Virtual Private
Network (VPN)
Virtual Private
Network (VPN)
• Use this design for more
control and visibility
• Supports alternative tunnels
such as DMVPN and GRE
• Manually configured and
operated
+
-

VPN Over AWS Direct Connect
VGW
VGW
Transit VPC
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
Virtual Private
Gateway (VGW)
Virtual Private
Network (VPN)
WAN
172.16.0.0/16
On-premises
Virtual Private Network (VPN)
VGW
VGW
Customer
Gateway
(CGW)
VGW
• Useful for encrypting
connections or inserting services
• More control over latency and
quality of the connectivity
• Supports alternative tunnels
such as DMVPN and GRE
• Manually configured and
operated
AWS
Direct
Connect
Private Virtual
Interface (VIF)
+
-

Detached VGW with AWS Direct Connect
VGW
VGW
Transit VPC
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
Virtual Private
Gateway (VGW)
Virtual Private
Network (VPN)
WAN
172.16.0.0/16
On-premises
VGW
VGW
Customer
Gateway
(CGW)
Detached
VGW AWS
Direct
Connect
Private Virtual
Interface (VIF)

Detached VGW with AWS Direct Connect
VGW
VGW
Transit VPC
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
WAN
172.16.0.0/16
On-premises
Virtual Private
Gateway (VGW)
Customer
Gateway
(CGW)
Detached
VGW
On-premises looks like another spoke
AWS
Direct
Connect
VGW
VGW
• Use this design if consistency
and automation are important
• Less management overhead
• Traffic can take multiple
routes out from AWS
• Traffic is unencrypted on the
private network
+
-

Firewalls and the
Transit VPC
VGW
VGW VGW
VGW
Internet

Firewall Use Cases
“We need a firewall for all traffic between on-premises and AWS.”
“We have compliance requirements for intrusion detection in our VPCs.”
“Our security organization requires application-level inspection.”
“We would like to centralize security appliances for any internet traffic.”

Transit VPC: Security Services
VGW
VGW
Virtual Private
Network (VPN)
10.0.0.0/16
10.1.0.0/16
VGW
VGW
10.2.0.0/16
Active/Passive
AS-path prepend

Instance-Based Transit VPC
Virtual Private
Network (VPN)
Spoke VPC Route
Table
Destination Target
10.1.0.0/16 Local
0.0.0.0 ENI
• Use this design for more control
of both sides of the connection
• A wider set of solutions can be
used, like firewalls
• Failover and management at
scale can be challenging
• Use more than one device in
each VPC for better availability
• Instances inside spoke VPCs can
be intrusive
• No dynamic routing with BGP to
the route tables
+
-

Spoke VPC Route
Table
Destination Target
10.1.0.0/16 Local
0.0.0.0 ENI
• Design is highly scalable
• Design for failover in each
Availability Zone
• Requires centralized
management
• Devices must support many
tunnels
• Licensing costs may be
prohibitive
• High management overhead
• Route propagation is more
difficult
VPN
Mesh
Full-mesh VPN
Connectivity
+
-
Bandwidth
Licensing

Transit VPC ecosystem
AWS VPN in Spoke VPCs
Instance VPN
in Spoke VPCs
Continuous Automation
One-time Automation
Manual Deployment
Routing
Firewalls
Anything with
BGP and VPN
Anything with
BGP and VPN
vSRX
CSR
Anything with
tunnels
vMX

Transit VPC:
Cost, Scale, and
Performance

Transit VPC Costs
VPN
WAN
AWS Direct
Connect
Transit VPC
Per Spoke:
VPN Hourly Charges
VPN Egress Charges
Hub Traffic:
Spoke Destination Egress
Egress Charges
Transit Instances:
Amazon EC2 Charges
Licensing Costs

Reference: Cisco CSR Bandwidth Tests
Size Routing
(Mbps)
1500B
VPN (Mbps)
1400B
T2.medium 390 300
M3.medium 300 250
C4.large 575 550
C4.xlarge 860 860
C3.2xlarge 1330 1000
C4.2xlarge 2300 2200
C4.4xlarge 4600 4100
C4.8xlarge 5000 4700
Note: Large packets

VPN
WAN
AWS Direct
Connect
Transit VPC
Transit VPC Performance
Use Security Groups inside the VPC
Use VPC Peering
better performance
Each VPN instance can forward ~1-
3 Gbps aggregate on traffic and
instance size
Then what?
Each spoke can forward ~1.25 Gbps
per VPN tunnel
At 100 spokes, aggregate routes

Scaling the Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC

Scaling the Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC
Use pods of independent Transit VPCs
Connect the pods with tunnels for East-West traffic
VPN

AWS Direct Connect
for Many VPCs
WAN

AWS Direct Connect to Many VPCs
AWS Region
VGW
VGW
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
Location
Private Virtual Interface
(VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
VGW
VGW
10.2.0.0/16
Up to 50 VIFs per port
AWS Direct Connect
Location 2

AWS Direct Connect: Link Aggregation
AWS Region
VGW
VGW
10.1.0.0/16
WAN
On-premises
Link Aggregation
(LAG)
Private Virtual Interface
(VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
VGW
VGW
10.2.0.0/16
Up to 4 ports in a LAG,
each with 50 VIFs
AWS Direct Connect
Location 2

Direct Connect Gateway
AWS Region
VGW
VGW
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
VGW
VGW
10.2.0.0/16
Up to 10 VGWs per direct
connect gateway
AWS Direct Connect
location 2
Direct
connect
gateway
Account

Multiple Regions
WAN
On-premises
AWS Direct Connect
Location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Region
VGW
VGW
VGW
VGW
AWS Direct Connect
Location 2
Direct
connect
gateway
Account
AWS Region
VGW
VGW
VGW
VGW

Shared Services VPCs

Shared Services VPC
• Authentication
• Logging
• DevOps tools
• Security resources
• Deployed in each AWS Region
Shared Services
VPC Peering
Authentication,
Security, Logging

VPC Peering
Challenges
VPN
WAN
AWS Direct
Connect
Shared Services
VPC Peering
Full VPC connectivity
172.16.0.0/16 172.16.0.0/16
No overlapping addresses
…125
Scale

PrivateLink
Shared
Services VPC
10.1.0.0/16
10.1.1.0/24
Availability Zone
10.1.1.127
10.1.2.0/24
Availability Zone
10.1.2.35
172.16.0.0/16
172.16.1.0/24
Availability Zone
172.16.2.0/24
Availability Zone
Network Load
Balancer
API API
One IP Address for each
Availability Zone
The endpoint is a local IP address
Access is unidirectional
Requests
172.16.1.9 172.16.2.41

PrivateLink
Shared
Services VPC
10.1.0.0/16
10.1.1.0/24
Availability Zone
10.1.1.127
10.1.2.0/24
Availability Zone
10.1.2.35
172.16.0.0/16
172.16.1.0/24
Availability Zone
172.16.2.0/24
Availability Zone
172.16.1.9 172.16.2.41
API API
10.1.0.0/16
10.1.1.0/24
Availability Zone
10.1.1.162
10.1.2.0/24
Availability Zone
10.1.2.22
Support for
overlapping IP address
ranges
…thousands

VPN
WAN
AWS Direct
Connect
Transit VPC
Shared
Services
Transit VPC with Services VPC:
It’s just a spoke

Shared Services Options
VPN
WAN
AWS Direct
Connect
Shared Services
VPC Peering
VPC Peering
• Bidirectional services
• Broad VPC access
• No load balancers required
+
PrivateLink
• Unidirectional services
• More granular access
• Scale beyond 125 spokes
• Overlapping addresses
+
Transit VPC
• Transit VPC consistency
• Automation is built-in
• Lower performance
• More complex to manage
+
VPN
WAN
AWS Direct
Connect
Transit VPC
Shared
Services
-

Multiple Regions
AWS Region
VGW
VGW
VGW
VGW
AWS Region
VGW
VGW
VGW
VGW

Inter-Region VPC Peering
AWS Region AWS Region
VPC
Peering

Global Connectivity Options
VPN
WAN
AWS Direct
Connect
Transit VPC
Cross-Region VPNDirect Connect Gateway Inter-Region Peering
• Native connectivity
• No management required
• One-to-one VPC
configuration
+• AWS Direct Connect only
• High performance
• No management required
+ • Transit VPC consistency
• Full control of connectivity
• Lower performance
• More complex to manage
+
--

Transit VPC
Automation
AWS CloudFormation and
Implementation Guide

Transit VPC: Hub
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR
• Uses the Cisco CSR
• Available in BYOL or Hourly billing
from AWS Marketplace
• Full featured IOS-XE device
• Deployed in two Availability Zones
• Support for duplicate tunnel addresses
Internet gateway
https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws_transitVPC/b_csraws_transitVPC_chapter_01.html

AWS Region
Transit VPC
S3 Bucket
for
VPN
Config
Route Table
Destination Target
100.64.127.224/27 Local
0.0.0.0 IGW
Prefix List for S3 VPCE
100.64.127.224 / 27
Transit
VPC:
Creation
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR
EC2 Auto-recovery

Transit VPC
S3 Bucket
for
VPN Config
Spoke VPC
AWS Lambda
Cisco
Configurator
AWS Lambda
VGW Poller
transitvpc:spoke = true
Transit VPC:
Add Spoke
SSH Only to CSR Security Group
VGW
AWS Key
Management
Service (KMS)
AWS Region
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR

Transit VPC
S3 Bucket
for
VPN Config
Spoke VPC
AWS Lambda
Cisco
Configurator
AWS Lambda
VGW Poller
transitvpc:spoke = falseVGW
AWS Region
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR
Transit VPC:
Remove Spoke

AWS Lambda
Cisco
Configurator
AWS Lambda
VGW
Poller
Transit VPC:
Add Spoke in
Another Region
AWS Region
S3 Bucket
for
VPN Config
Transit VPC
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR
AWS Region

AWS Lambda
Cisco
Configurator
AWS Region
Transit VPC
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR
AWS Region
AWS Account
1. Setup the VGW
Poller
2. Allow bucket access
3. Allow KMS access
Transit VPC:
Add Spoke in
Another Account S3 Bucket
for
VPN Config
AWS Key
Management
Service (KMS)
AWS Lambda
VGW
Poller

AWS Account
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR
AWS Region
Transit VPC
AWS Region
S3 Bucket
for
VPN Config
AWS Lambda
Cisco
Configurator
AWS Lambda
VGW
Poller
Transit VPC:
Add Spoke in
Another Account
AWS Key
Management
Service (KMS)
Launch CloudFormation in Spoke Account
1. Setup the VGW
Poller
3. Allow KMS access

S3 Bucket
for
VPN Config
AWS Lambda
Cisco
Configurator
AWS Lambda
VGW
Poller
Transit VPC:
Add Spoke in
Another Account
AWS Key
Management
Service (KMS)
1. Setup the VGW
Poller
3. Allow KMS access
AWS Region
Availability Zone 1
Subnet 1
Cisco CSR
Availability Zone 2
Subnet 2
Cisco CSR
Transit VPC
AWS Region
AWS Account

{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account-1-ID>:root",
"arn:aws:iam::<account-2-ID>:root"
]
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::<S3 bucket name>/<bucket prefix>/*"
}
]
}
S3 Bucket Policy for a Spoke Account
One additional account can be defined at launch

{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: <transit-vpc-primary-account-id>:role/TransitVPC-TransitVpcPollerRole-[cloudformation-id]",
"arn:aws:iam:: <transit-vpc-primary-account-id>:role/TransitVPC-CiscoConfigFunctionRole-[cloudformation-id]",
"arn:aws:iam:: <transit-vpc-primary-account-id>:role/TransitVPC-LambdaLoaderRole-[cloudformation-id]",
"arn:aws:iam::<account-1-id>:root",
"arn:aws:iam::<account-2-id>:root"
]
},
Key Management System: Key Policy
One additional account can be defined at launch

VPC Inflection Points
VPN Direct Connect VPC
5
15
50
100
125
200+
Transit VPC
Define your own
tunnel addresses
Automation Automation
VIF to port Limit Route and peering limit
Max route limit
Max peer limit
Limit on 4x LAG
Transit VPC
Customization
1

200+
Internet
Secure protocols
Secure authentication
Bastion hosts
Use PrivateLink

Advice
• Networking changes fast, no more crystal balls
• Segment as needed
• Experiment and test
• Mix and match! These are starting points not dogma!

Take This Home
• Transit VPC for centralizing VPN configuration
• AWS Direct Connect can be used in addition to VPN
• Automation is important
• There are many options, and they change over time
• Customize, mix and match

Networking Study Guide

Thank you
Bradley Acar, Solutions Architect
/in/bradleyacar/
https://bit.ly/2KIMuRu
Networking Many VPCs: Transit and Shared Architectures (NET404) –
Nick Matthews, Partner Solution Architect, AWS

DevNetOps: Automating large-scale hybrid cloud architectures - AWS Summit Cape Town 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DevNetOps: Automating large-scale hybrid cloud architectures - AWS Summit Cape Town 2018

Similar to DevNetOps: Automating large-scale hybrid cloud architectures - AWS Summit Cape Town 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

DevNetOps: Automating large-scale hybrid cloud architectures - AWS Summit Cape Town 2018