Enterprise Network Architectures on AWS

P U B L I C S E C T O R
S U M M I T
WASH INGTON D.C

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Enterprise Network
Architectures on AWS
Eric Schwenter
Principal Solutions Architect
AWS State and Local Government
2 9 5 5 0 8
Sohaib Tahir
Solutions Architect
AWS State and Local Government

S U M M I T
Target Audience
• Customers who are architecting an AWS Network Architecture
• Existing AWS users using Amazon VPC in production environments
• Network architects / engineers interested in AWS Networking Services
deep-dive

S U M M I T
What not to expect
• Explanation of VPC basics; we assume that you know:
• VPCs
• Subnets
• Route Tables
• Security Groups / NACLs
• Explanation of AWS core services

S U M M I T
Agenda
Account
Strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
Services
External
Connectivity
WAN
Internal
Connectivity
Multi-Region
Options

S U M M I T

S U M M I T
Automation of infrastructure
AWS Direct Connect and VPN
standards
Subnet and routing standards
AWS Identity and Access
Management
Strict security groups and
routing
Identifying resources with tags
Smaller VPCs or accountsLarger VPCs or accounts
Account and VPC Segmentation
Infrastructure and
Networking
Policy and IAM

S U M M I T
Segmentation: Decision Inputs
Relationship between accounts, VPCs, and tenants?
• Do accounts and tenants trust each other?
• Is the current network segmentation intentional or a side effect?
Who owns security and networking?
• Each team or a centralized team?
Compliance and governance requirements?
• Can they be scoped to an account or a VPC level?

S U M M I T
Baseline security
IAM
Security groups
Segmentation Options: Layers
Application Application
Application Application
Application
Application
Inside the account
At the VPC
ACLs
Network security
Route tables
Network ACLs
Separate VPCs

S U M M I T
Separation of Duties using AWS Organizations
Core OU
AWS Organizations
Shared Services Log Archive
Account
Baseline
Shared VPC
Parameter
store
VPN/DXEndpoints
Route53
Resolver
NAT
gateway
Transit
Gateway
Security
Direct
Connect
Network Services
Workload
OU
Workload
Regulated Workload
Workload VPC
Workload VPC

S U M M I T
Multi-Account Services
Resource Access ManagerAWS Organizations Aware Services

S U M M I T
AWS Control Tower
Automated AWS setup
Launch an automated
landing zone with best-
practices blueprints
Policy enforcement
Pre-packaged guardrails
to enforce policies or
detect violations
Dashboard for oversight
Continuous visibility into
workload compliance with
controls

S U M M I T
Internal Connectivity Options
VPC peering
• One-to-one connectivity
• Scales to 100 VPCs
• Security groups across
VPCs
• Inter-region peering
Transit VPC
• Shared services as a spoke
• Bandwidth constrained
• Complex management
• Instance and licensing costs
VPN
WAN
AWS Direct
Connect
Transit VPC
Shared
Services
AWS Transit Gateway
• Many-to-many or one-to-many
with route tables
• Highly scalable
• Hourly per attachment costs
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production Shared Services
Route
Tables
Route
Tables
Transit Gateway
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly
endpoint costs

S U M M I T
Our Starting Point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.PU BLI C SECTO R
SU M M I T
Our Starting Point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.PU BLI C SECTO R
SU M M I T
Our Starting Point
VPN
WAN
AWS Direct
Connect
Virtual private
gateway
Dev Prod

S U M M I T
Challenge: Adding More VPCs
VPN
WAN
AWS Direct
Connect
Dev Prod Dev Prod Dev Prod

S U M M I T
Challenge: Peering VPCs
VPN
WAN
AWS Direct
Connect
Connect dev and prod
VPC peering
Connect the yellow environment
How does this scale?
Let’s:

S U M M I T
VPN
WAN
AWS Direct
Connect
Scaling connections?
Scaling VPC peering?
Shared services?
Firewall and services?

S U M M I T
Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC

S U M M I T
Connectivity options at scale
VPC Peering
• 1-to-1 connectivity
• Scales to 100 VPCs
• Security groups across
VPCs
• Inter-region peering
Transit VPC
• Shared services as a spoke
• Bandwidth restricted
• Complex management
• Instance and licensing costs
AWS Transit Gateway
• Many-to-many or one-to-many
with route tables
• Highly scalable
• Hourly per attachment costs
Account Account
Account Account
Development
Account Account
Account Account
Testing
Account Account
Account Account
Production Shared Services
Route
Tables
Route
Tables
Transit Gateway
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly
endpoint costs

S U M M I T
VPN
WAN
AWS Direct
Connect
Transit Gateway
AWS
Transit Gateway

S U M M I T
AWS Transit Gateway
AWS Region
Transit Gateway
ENIs
VPN
Routing Domain
Routing Domain
AWS Direct
Connect
Regional service
Scalable
Flexible routing

Reference Network
Architecture
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN
AWS Direct Connect
Account Account Account Account IAM, cross-account roles
Route
tables
Route
tables
Transit Gateway

S U M M I T
VPC Sharing
Easily share VPC networks between AWS accounts,
providing central oversight and control for networking
engineers

VPC Sharing and Resource Access Manager
Share subnets between accounts in an AWS Organization
Account
Account
Account
Account
Resource Share
• Public subnets
• Private subnets
Resource Share
• Private subnets
Infrastructure
account

S U M M I T
VPC Sharing Benefits
Less unused resources
• Higher density subnets, add up
to 5 additional CIDRs
• More efficient use of VPN and
AWS Direct Connect
Separation of duties
• Infrastructure strictly controls
routing, IP addresses, and VPC
structure
• Developers own their resources,
accounts, and security groups
Decouple accounts and networks
• Account protection and billing
without additional infrastructure
• Many accounts with fewer
networks
• Avoid VPC peering charges

S U M M I T
Segmentation Considerations: Where to Start
Security groups and IAM are effective and proven
• Encourage IAM and security group use and monitor security configuration
Shared VPCs
• Tenants should limit access from the internet and other tenants
• VPCs using VPC peering are likely to benefit from shared VPCs
• Design around resource and limit contention
Separate VPCs
• Often the best security decision is the simplest. Separate VPCs are simple
• Use separate VPCs for strong network segmentation and resource isolation
• Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes)
Transit Gateway route tables define multi-VPC policy
• Consider isolating environments (dev and prod) and allow access to shared resources

S U M M I T
Connecting to On Premises
Virtual Private Gateway VPN AWS Direct Connect
VPN WAN
• Per VPC
• 1.25 Gbps outbound
• Encrypted in transit
• 50 virtual interfaces per port
• Multiple VPCs with Direct
Connect gateway
• No bandwidth constraints
AWS Transit Gateway VPN
VPN
• Multiple VPCs
• Add VPN connection as needed
• 1.25 Gbps per tunnel
• AWS Direct Connect Support
Amazon EC2 Customer VPN
VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by
management complexity

S U M M I T
Connecting to on premises at scale
Virtual Private Gateway VPN AWS Direct Connect
VPN WAN
• Per VPC
• Encrypted in transit
• 50 virtual interfaces per port
• Multiple VPCs with Direct
Connect gateway
• No bandwidth constraints
AWS Transit Gateway VPN
VPN
• Multiple VPCs
• Add VPN connection as needed
• AWS Direct Connect support
Amazon EC2 Customer VPN
VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by
management complexity

S U M M I T
Private connectivity with AWS Direct Connect
Dedicated private connection
from on-premises to AWS
Consistent network
performance
Reduced bandwidth costs
Compatible with all
AWS services

S U M M I T
AWS Direct Connect to Many VPCs
AWS Region
10.1.0.0/16
WAN
On premises
AWS Direct Connect
location
Private Virtual Interface
(VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
Up to 50 VIFs per port
AWS Direct Connect
Location 2

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Direct Connect Gateway
AWS Region
10.1.0.0/16
WAN
On premises
AWS Direct Connect
location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
Up to 10 VGWs per
Direct Connect Gateway
AWS Direct Connect
Location 2
Direct
Connect
Gateway
Account

Direct Connect Gateway: Multiple Accounts
10.1.0.0/16
WAN
On premises
AWS Direct Connect
location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
10.2.0.0/16
AWS Direct Connect
Location 2
Direct
Connect
Gateway
Account A
Account B

S U M M I T
VPN With Transit Gateway
VPN
Route
Tables
Route
Tables
Transit Gateway
Customer Gateway
Consolidate VPN at the Transit Gateway (TGW)
• VPN acts similar to the Virtual Private Gateway (VGW)
• Bandwidth, configuration, APIs, cost, and experience
• VPN is attached to a TGW instead of a VGW
• Same 1.25 Gbps bandwidth per tunnel applies
Encryption to the edge of many VPCs
• Traffic is encrypted until it’s inside the VPC
• Does not natively encrypt traffic between VPCs
• Inter-region VPC peering does

S U M M I T
VPN with Transit Gateway: Add More Bandwidth
VPN
Route
Tables
Route
Tables
Transit Gateway
Customer Gateway
Support for spreading traffic across many tunnels
• Equal cost multi-path (ECMP) support with BGP multi-path
• Tested up to 50 Gbps of traffic
• Split traffic into smaller flows, multi-part uploads, etc.
Check your on-premises configuration
• Multi-path BGP
• ECMP support, amount of equal paths, reverse-path
forwarding/spoofing checks
• Only supported with BGP, not static routing

AWS Direct Connect and Transit Gateway
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN
Route
Tables
Route
Tables
Transit Gateway

AWS Direct Connect and Transit Gateway
Direct Connect with VPN failover VPN over Direct Connect via
Public virtual interface (VIF)
Account Account
Account Account
Account Account
Account Account
Account Account
Account Account
VPN
AWS Direct
Connect
Route
Tables
Route
Tables
Transit Gateway
Transit VIF
VPN
AWS Direct
Connect
Route
Tables
Route
Tables
Transit Gateway
Public VIF
AWS Region
Receive AWS
public IP
addresses
Direct Connect
Gateway

S U M M I T
AWS Client VPN
Support for OpenVPN clients
Available in 10 AWS Regions
today
Connected users charged
per user per hour

S U M M I T
Attachmen
t to
Amazon
VPC
TLS based tunnel
over the internet
User with Open
VPN Client
Client VPN
Endpoint
Clien
t
The
InternetAmazon
DynamoDB
Amazon S3
On-Premises

S U M M I T
Enabling Hybrid Cloud
VPC
Data Center

S U M M I T
VPC
Data Center
X
DNS not resolvable

S U M M I T
VPC
Data Center
DNS Forwarders

S U M M I T
Enabling Hybrid Cloud – Multiple Accounts
VPC
Data Center
VPC
VPC

S U M M I T
VPC
Data Center
VPC
VPC

S U M M I T
Enabling Hybrid Cloud – Highly Available
Forwarders
VPC
Data Center
VPC
VPC

S U M M I T
Route 53 Resolver
Managed DNS Resolver
service from Route 53
Create conditional
forwarding rules to re-direct
query traffic
Enables hybrid connectivity
over AWS Direct Connect
and managed VPN

S U M M I T
Route 53 Resolver

S U M M I T
Benefit to You: Availability
• Use AWS high-availability architecture
• Create additional redundancy by provisioning more ENIs in different
AZs
VPC

S U M M I T
Benefit to You: Cross Account Rules Sharing
VPC
VPC
VPC

S U M M I T
Interface VPC Endpoints - Powered by AWS
PrivateLink
Three types of services accessible over AWS PrivateLink
• AWS services – Interface VPC Endpoints
• Customer-hosted internal services
• Third-party services (SaaS)

S U M M I T
VPC Endpoints (VPCEs) for AWS Services
AWS ServiceConsumer VPC
Consumer VPC
AWS Service
VPCE
us-east-1
Growing list of supported AWS Services:

S U M M I T
Sharing VPCEs Across VPCs Using TGW
VPC
Shared Services VPC (Service Consumer)
corporate data center
On-prem
servers
Route53
Resolver
Transit
Gateway
VPC
VPC
VPN

S U M M I T
Private Connectivity with Inter-Region Peering
Private connectivity for two
or more VPCs between regions
Highly available, no single
point of failure
All traffic stays on the AWS
global backbone network
All traffic encrypted and
anonymized

S U M M I T
Multiple Regions with Direct Connect
WAN
On Premises
AWS Direct Connect
Location
Private Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Region
AWS Direct Connect
Location 2
Direct
Connect
Gateway
Account
AWS Region

S U M M I T
Multiple Regions with Direct Connect + TGW
WAN
On Premises
AWS Direct Connect
Location
Transit Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Direct Connect
Location 2
Direct
Connect
Gateway
Account
AWS Region
AWS Region

S U M M I T
Multiple Regions with Direct Connect + TGW
WAN
On Premises
AWS Direct Connect
Location
Transit Virtual
Interface (VIF)
Customer
Router
AWS
Router
Customer
Router
AWS
Router
AWS Direct Connect
Location 2
Direct
Connect
Gateway
Region
Region
Network Services Account
Prod Account
Dev Account

S U M M I T
Takeaways
Enterprises have flexibility to architect for any use case
We have tools that scale to many VPCs across many AWS accounts
Use services in combination to meet scale and security requirements

S U M M I T
Advice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test

S U M M I T
Related Breakout Sessions
295497 - Advanced Architectures with AWS Transit Gateway
Tuesday 10:00 AM
299940 - Networking Patterns and Practices: A case study
Tuesday 2:45 PM
316596 - Connecting AWS to Private Government Networks
Tuesday 4:00 PM

Thank you!
S U M M I T

Enterprise Network Architectures on AWS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Enterprise Network Architectures on AWS

Similar to Enterprise Network Architectures on AWS (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Enterprise Network Architectures on AWS