Enterprise Network Architectures on AWS
1. Public Sector Summit, Washington D.C.
2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enterprise Network Architectures on AWS
Eric Schwenter
Principal Solutions Architect
AWS State and Local Government
Session 295508
Sohaib Tahir
Solutions Architect
AWS State and Local Government
3. Target Audience
• Customers who are architecting an AWS Network Architecture
• Existing AWS users using Amazon VPC in production environments
• Network architects / engineers interested in an AWS Networking Services deep-dive
4. What not to expect
• Explanation of VPC basics; we assume that you know:
  • VPCs
  • Subnets
  • Route tables
  • Security groups / NACLs
• Explanation of AWS core services
5. Agenda
• Account Strategy
• Internal Connectivity
• External Connectivity
• Network Services
• Multi-Region Options
7. Account and VPC Segmentation
(diagram: a spectrum from smaller VPCs or accounts to larger VPCs or accounts, across two dimensions, Infrastructure and Networking, and Policy and IAM; techniques shown:)
• Automation of infrastructure
• AWS Direct Connect and VPN standards
• Subnet and routing standards
• AWS Identity and Access Management
• Strict security groups and routing
• Identifying resources with tags
8. Segmentation: Decision Inputs
Relationship between accounts, VPCs, and tenants?
  • Do accounts and tenants trust each other?
  • Is the current network segmentation intentional or a side effect?
Who owns security and networking?
  • Each team or a centralized team?
Compliance and governance requirements?
  • Can they be scoped to an account or a VPC level?
9. Segmentation Options: Layers
(diagram: concentric layers around each application)
• Baseline security, inside the account: IAM, security groups
• Network security, at the VPC: route tables, network ACLs
• Separate VPCs
10. Separation of Duties using AWS Organizations
(diagram: AWS Organizations with two organizational units)
• Core OU: Shared Services, Log Archive, Security, and Network Services accounts; components shown include an account baseline, a shared VPC, Parameter Store, VPN/DX endpoints, Route 53 Resolver, a NAT gateway, a Transit Gateway, and Direct Connect
• Workload OU: a Workload account and a Regulated Workload account, each with its own workload VPC
11. Multi-Account Services
• Resource Access Manager
• AWS Organizations aware services
12. AWS Control Tower
• Automated AWS setup: launch an automated landing zone with best-practices blueprints
• Policy enforcement: pre-packaged guardrails to enforce policies or detect violations
• Dashboard for oversight: continuous visibility into workload compliance with controls
15. Internal Connectivity Options
VPC peering
• One-to-one connectivity
• Scales to 100 VPCs
• Security groups across VPCs
• Inter-region peering
Transit VPC
• Shared services as a spoke
• Bandwidth constrained
• Complex management
• Instance and licensing costs
AWS Transit Gateway
• Many-to-many or one-to-many with route tables
• Highly scalable
• Hourly per attachment costs
(diagram: Development, Testing, Production and Shared Services accounts attached to a Transit Gateway with its route tables)
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly endpoint costs
16. Our Starting Point
(diagram: an on-premises WAN reaches Dev and Prod VPCs over VPN and AWS Direct Connect through a virtual private gateway)
17. Challenge: Adding More VPCs
(diagram: VPN and AWS Direct Connect from the WAN; three Dev/Prod VPC pairs)
18. Challenge: Peering VPCs
(diagram: VPN and AWS Direct Connect from the WAN; three Dev/Prod VPC pairs)
Let's:
• Connect dev and prod
• VPC peering
• Connect the yellow environment
• How does this scale?
19. (diagram: six Dev/Prod VPC pairs with VPN and AWS Direct Connect from the WAN)
• Scaling connections?
• Scaling VPC peering?
• Shared services?
• Firewall and services?
20. Transit VPC
(diagram: a Transit VPC as the hub between VPN / AWS Direct Connect and six Dev/Prod VPC pairs)
23. AWS Transit Gateway
(diagram: an AWS Transit Gateway replaces the Transit VPC as the hub between VPN / AWS Direct Connect and six Dev/Prod VPC pairs)
24. AWS Transit Gateway
• Regional service
• Scalable
• Flexible routing
(diagram: a Transit Gateway in an AWS Region with ENIs, two routing domains, and VPN and AWS Direct Connect attachments)
26. VPC Sharing
Easily share VPC networks between AWS accounts, providing central oversight and control for networking engineers
27. VPC Sharing and Resource Access Manager
Share subnets between accounts in an AWS Organization
(diagram: an infrastructure account publishes two resource shares to four accounts, one with public and private subnets and one with private subnets only)
28. VPC Sharing Benefits
Fewer unused resources
• Higher density subnets, add up to 5 additional CIDRs
• More efficient use of VPN and AWS Direct Connect
Separation of duties
• Infrastructure strictly controls routing, IP addresses, and VPC structure
• Developers own their resources, accounts, and security groups
Decouple accounts and networks
• Account protection and billing without additional infrastructure
• Many accounts with fewer networks
• Avoid VPC peering charges
29. Segmentation Considerations: Where to Start
Security groups and IAM are effective and proven
• Encourage IAM and security group use and monitor security configuration
Shared VPCs
• Tenants should limit access from the internet and other tenants
• VPCs using VPC peering are likely to benefit from shared VPCs
• Design around resource and limit contention
Separate VPCs
• Often the best security decision is the simplest. Separate VPCs are simple
• Use separate VPCs for strong network segmentation and resource isolation
• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)
Transit Gateway route tables define multi-VPC policy
• Consider isolating environments (dev and prod) and allow access to shared resources
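A worked model of the policy described above, added here and not part of the deck: Transit Gateway route tables with associations, propagations and a blackhole route, using made-up attachment names and CIDRs, so that dev and prod cannot reach each other while both reach shared services and on-premises.

```python
"""Transit Gateway route tables as multi-VPC policy (added example, not from the deck).
Attachments, tables, associations and propagations are constructed with made-up
names and CIDRs: dev and prod are isolated; shared services and on-prem are
reachable from both environments."""
import ipaddress

BLACKHOLE = "blackhole"  # explicit drop, like a TGW blackhole route


class TransitGateway:
    def __init__(self):
        self.attachments = {}  # attachment id -> ip_network
        self.tables = {}       # table name -> {ip_network: attachment id | BLACKHOLE}
        self.association = {}  # attachment id -> table consulted for its ingress traffic

    def attach(self, att_id, cidr):
        self.attachments[att_id] = ipaddress.ip_network(cidr)

    def associate(self, att_id, table):
        self.association[att_id] = table

    def propagate(self, att_id, table):
        # Propagation installs the attachment's own CIDR as a route back to it
        self.tables.setdefault(table, {})[self.attachments[att_id]] = att_id

    def add_static_route(self, table, cidr, target):
        self.tables.setdefault(table, {})[ipaddress.ip_network(cidr)] = target

    def forward(self, src_att, dst_ip):
        # Longest-prefix match in the table associated with the *source* attachment;
        # returns the egress attachment id, BLACKHOLE, or None when no route exists.
        table = self.tables.get(self.association[src_att], {})
        ip = ipaddress.ip_address(dst_ip)
        matches = [net for net in table if ip in net]
        if not matches:
            return None
        return table[max(matches, key=lambda n: n.prefixlen)]


def build_segmented_tgw():
    tgw = TransitGateway()
    for att, cidr in [("dev-vpc", "10.1.0.0/16"), ("prod-vpc", "10.2.0.0/16"),
                      ("shared-vpc", "10.0.0.0/16"), ("vpn-onprem", "192.168.0.0/16")]:
        tgw.attach(att, cidr)
    tgw.associate("dev-vpc", "dev-rt")
    tgw.associate("prod-vpc", "prod-rt")
    tgw.associate("shared-vpc", "shared-rt")
    tgw.associate("vpn-onprem", "shared-rt")
    for att in ("shared-vpc", "vpn-onprem"):  # reachable from both environments
        tgw.propagate(att, "dev-rt")
        tgw.propagate(att, "prod-rt")
    for att in tgw.attachments:  # shared table learns everyone so replies can return
        tgw.propagate(att, "shared-rt")
    # dev-rt simply never learns prod's CIDR; prod-rt drops dev explicitly.
    tgw.add_static_route("prod-rt", "10.1.0.0/16", BLACKHOLE)
    return tgw


def evaluate_policy(tgw):
    return {
        "dev->shared": tgw.forward("dev-vpc", "10.0.5.10"),      # "shared-vpc"
        "dev->prod": tgw.forward("dev-vpc", "10.2.5.10"),        # None: no route
        "prod->dev": tgw.forward("prod-vpc", "10.1.5.10"),       # "blackhole"
        "prod->onprem": tgw.forward("prod-vpc", "192.168.1.1"),  # "vpn-onprem"
        "onprem->dev": tgw.forward("vpn-onprem", "10.1.9.9"),    # "dev-vpc"
    }
```

Note that isolation here comes entirely from which routes each table holds; security groups inside the VPCs remain the second layer from slide 9.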
32. Connecting to On Premises
Virtual Private Gateway VPN
• Per VPC
• 1.25 Gbps outbound
• Encrypted in transit
AWS Direct Connect
• 50 virtual interfaces per port
• Multiple VPCs with Direct Connect gateway
• No bandwidth constraints
AWS Transit Gateway VPN
• Multiple VPCs
• Add VPN connection as needed
• 1.25 Gbps per tunnel
• AWS Direct Connect support
Amazon EC2 Customer VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by management complexity
34. Private connectivity with AWS Direct Connect
• Dedicated private connection from on-premises to AWS
• Consistent network performance
• Reduced bandwidth costs
• Compatible with all AWS services
35. AWS Direct Connect to Many VPCs
(diagram: an on-premises WAN with customer routers at two AWS Direct Connect locations, each with a private virtual interface (VIF) to an AWS router, reaching VPCs 10.1.0.0/16 and 10.2.0.0/16 in an AWS Region; up to 50 VIFs per port)
36. Direct Connect Gateway
(diagram: the same two AWS Direct Connect locations, with private virtual interfaces (VIFs) terminating on a Direct Connect Gateway in one account, which reaches VPCs 10.1.0.0/16 and 10.2.0.0/16 in an AWS Region; up to 10 VGWs per Direct Connect Gateway)
37. Direct Connect Gateway: Multiple Accounts
(diagram: the same two AWS Direct Connect locations and private virtual interfaces (VIFs) to a Direct Connect Gateway, which now reaches VPCs 10.1.0.0/16 and 10.2.0.0/16 in Account A and Account B)
38. VPN With Transit Gateway
(diagram: a customer gateway with a VPN to a Transit Gateway and its route tables)
Consolidate VPN at the Transit Gateway (TGW)
• VPN acts similar to the Virtual Private Gateway (VGW)
  • Bandwidth, configuration, APIs, cost, and experience
• VPN is attached to a TGW instead of a VGW
• Same 1.25 Gbps bandwidth per tunnel applies
Encryption to the edge of many VPCs
• Traffic is encrypted until it's inside the VPC
• Does not natively encrypt traffic between VPCs
  • Inter-region VPC peering does encrypt traffic between VPCs
39. VPN with Transit Gateway: Add More Bandwidth
(diagram: a customer gateway with several VPN tunnels to a Transit Gateway and its route tables)
Support for spreading traffic across many tunnels
• Equal cost multi-path (ECMP) support with BGP multi-path
• Tested up to 50 Gbps of traffic
• Split traffic into smaller flows, multi-part uploads, etc.
Check your on-premises configuration
• Multi-path BGP
• ECMP support, number of equal-cost paths, reverse-path forwarding/spoofing checks
• Only supported with BGP, not static routing
40. AWS Direct Connect and Transit Gateway
(diagram: many accounts attached to a Transit Gateway with its route tables, plus a VPN attachment)
41. AWS Direct Connect and Transit Gateway
(diagram: two patterns, each with many accounts attached to a Transit Gateway and its route tables)
• Direct Connect with VPN failover: AWS Direct Connect reaches the Transit Gateway through a transit VIF and a Direct Connect Gateway, with a VPN alongside it
• VPN over Direct Connect via public virtual interface (VIF): the on-premises side receives AWS public IP addresses over the public VIF, and the VPN terminates on the Transit Gateway in the AWS Region
42. AWS Client VPN
• Support for OpenVPN clients
• Available in 10 AWS Regions today
• Connected users charged per user per hour
43. (diagram: a user with an OpenVPN client establishes a TLS-based tunnel over the internet to a Client VPN endpoint; the endpoint's attachment to an Amazon VPC reaches Amazon DynamoDB, Amazon S3 and on-premises)
46. Enabling Hybrid Cloud
(diagram build across slides 46 to 52: a VPC and a data center are connected; DNS is not resolvable across the connection; DNS forwarders are added; the same pattern with multiple accounts and several VPCs; and finally highly available forwarders)
53. Route 53 Resolver
• Managed DNS Resolver service from Route 53
• Create conditional forwarding rules to re-direct query traffic
• Enables hybrid connectivity over AWS Direct Connect and managed VPN
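An added example (not from the deck) of how Route 53 Resolver chooses among the conditional forwarding rules described above, using a constructed rule set and placeholder on-premises resolver IPs: the most specific rule domain wins, and a SYSTEM rule keeps a subdomain on the VPC's own resolver.

```python
"""Route 53 Resolver rule selection (added example, not from the deck).
Rules and query names are constructed: corp.example is forwarded to two
on-premises DNS servers, while aws.corp.example stays on the VPC resolver via
a more specific SYSTEM rule, mirroring the conditional-forwarding slide."""
from dataclasses import dataclass, field


@dataclass
class ResolverRule:
    domain: str                                   # rule domain, e.g. "corp.example"
    rule_type: str                                # "FORWARD" or "SYSTEM"
    targets: list = field(default_factory=list)   # on-prem resolver IPs for FORWARD


def _labels(name):
    # Split a DNS name into labels so matching is per label, not per character
    return name.rstrip(".").lower().split(".")


def domain_matches(rule_domain, qname):
    r, q = _labels(rule_domain), _labels(qname)
    return len(q) >= len(r) and q[-len(r):] == r


def select_rule(rules, qname):
    # The most specific matching domain wins, as Route 53 Resolver evaluates rules
    candidates = [r for r in rules if domain_matches(r.domain, qname)]
    return max(candidates, key=lambda r: len(_labels(r.domain)), default=None)


def resolve_path(rules, qname):
    """Return ("forward", [target ips]) or ("vpc-resolver", []) for a query name.

    No matching rule, or a SYSTEM rule, means the VPC's own Route 53 Resolver
    answers (private hosted zones, AWS service names, public DNS).
    """
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return ("vpc-resolver", [])
    return ("forward", list(rule.targets))


# Constructed rule set; the IPs are placeholders for on-premises DNS servers.
CONSTRUCTED_RULES = [
    ResolverRule("corp.example", "FORWARD", ["192.168.10.53", "192.168.20.53"]),
    ResolverRule("aws.corp.example", "SYSTEM"),
]

if __name__ == "__main__":
    for q in ("db1.corp.example", "api.aws.corp.example", "notcorp.example", "amazonaws.com"):
        print(q, "->", resolve_path(CONSTRUCTED_RULES, q))
```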
54. Route 53 Resolver (diagram)
55. Benefit to You: Availability
• Use AWS high-availability architecture
• Create additional redundancy by provisioning more ENIs in different AZs
(diagram: a VPC)
56. Benefit to You: Cross Account Rules Sharing
(diagram: three VPCs)
57. Interface VPC Endpoints - Powered by AWS PrivateLink
Three types of services accessible over AWS PrivateLink
• AWS services – Interface VPC Endpoints
• Customer-hosted internal services
• Third-party services (SaaS)
58. VPC Endpoints (VPCEs) for AWS Services
(diagram: a consumer VPC in us-east-1 reaching an AWS service through a VPCE)
Growing list of supported AWS Services
59. Sharing VPCEs Across VPCs Using TGW
(diagram: a Shared Services VPC acting as the service consumer hosts the VPCEs and a Route 53 Resolver; other VPCs and the corporate data center with on-prem servers reach them through a Transit Gateway, the data center over VPN)
62. Private Connectivity with Inter-Region Peering
• Private connectivity for two or more VPCs between regions
• Highly available, no single point of failure
• All traffic stays on the AWS global backbone network
• All traffic encrypted and anonymized
63. Multiple Regions with Direct Connect
(diagram: an on-premises WAN with customer routers at two AWS Direct Connect locations, private virtual interfaces (VIFs) to a Direct Connect Gateway in one account, which reaches two AWS Regions)
64. Multiple Regions with Direct Connect + TGW
(diagram: as on slide 63, but with transit virtual interfaces (VIFs) to the Direct Connect Gateway, which connects to Transit Gateways in two AWS Regions)
65. Multiple Regions with Direct Connect + TGW
(diagram: the Direct Connect Gateway and the two Regions' Transit Gateways live in a Network Services account, serving a Prod account and a Dev account)
67. Takeaways
Enterprises have flexibility to architect for any use case
We have tools that scale to many VPCs across many AWS accounts
Use services in combination to meet scale and security requirements
68. Advice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test
69. Related Breakout Sessions
295497 - Advanced Architectures with AWS Transit Gateway
Tuesday 10:00 AM
299940 - Networking Patterns and Practices: A case study
Tuesday 2:45 PM
316596 - Connecting AWS to Private Government Networks
Tuesday 4:00 PM
70. Thank you!