Exploring the fundamentals of AWS networking - SVC211 - New York AWS Summit

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. S U M M I T. Exploring the fundamentals of AWS networking. Sid Chauhan, Solutions architect, Amazon Web Services. SVC210
  2. (Section divider)
  3. (Diagram: the session's reference architecture. VPC CIDR 10.1.0.0/16 in one AWS Region, Availability Zone 1 and Availability Zone 2, each with a public subnet and a private subnet; Instance A 10.1.0.11/24 (EIP 54.23.12.43) and Instance B 10.1.1.11/24 (EIP 54.19.12.23) in the public subnets, Instance C 10.1.2.11/24 and Instance D 10.1.3.11/24 in the private subnets behind NAT gateways (0.0.0.0/0 → NAT-GW); an internet gateway, a gateway VPC endpoint for Amazon S3, VPC Flow Logs, VPC peering to VPC-B (intra or inter region), VPN with a virtual private gateway, AWS Direct Connect gateway, Transit Gateway, AWS PrivateLink to a service provider VPC (NLB) and to PrivateLink-enabled services (Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS, AWS IoT, Amazon CloudWatch), and AWS Global Accelerator; "+ Expand" and "+ IPv6" annotations on the VPC. Public subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW, S3 prefix list → VPCE-123, on premises → VGW, VPC-B → PCX-123, other routes → TGW. Private subnet route table: the same entries without the IGW route.)
  4. That was the agenda for this session
  5. (Section divider)
  6. What is a VPC?
  7. VPC concepts and fundamentals: IP addressing, creating subnets, routing in a VPC, security, DNS in-VPC with Amazon Route 53
  8. Choosing an IP address range
  9. Choosing an IP address range for your VPC: 172.31.0.0/16. Recommended: an RFC1918 range. Avoid ranges that overlap with other networks to which you might connect.
  10. Creating subnets in a VPC
  11. VPC subnets and Availability Zones: VPC 172.31.0.0/16 with one VPC subnet per Availability Zone: 172.31.0.0/24 in eu-west-1a, 172.31.1.0/24 in eu-west-1b, 172.31.2.0/24 in eu-west-1c
  12. IPv6 in your VPC
      • Can have a dual-stack VPC by adding an IPv6 CIDR
      • Fixed sizes for VPC and subnets:
        • /56 VPC (4,722,366,482,869,645,213,696 addresses)
        • /64 subnets (18,446,744,073,709,551,616 addresses)
  13. VPC subnets and Availability Zones, dual-stack: VPC 172.31.0.0/16 and 2600:1f16:14d:6300::/56; subnets 172.31.0.0/24 and 2600:1f16:14d:6300::/64 in eu-west-1a, 172.31.1.0/24 and 2600:1f16:14d:6301::/64 in eu-west-1b, 172.31.2.0/24 and 2600:1f16:14d:6302::/64 in eu-west-1c ("+ Expand": the VPC CIDR can be extended)
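The IP-addressing and subnet slides above (stay inside an RFC1918 range, avoid overlap with networks you might connect, one subnet per Availability Zone, fixed /56 and /64 IPv6 sizes) and the later VPC peering rule that CIDRs must not overlap can all be checked mechanically before a VPC is created. The following worked example is added here and is not part of the deck or of any AWS tooling; it uses only Python's standard library, the slides' CIDRs and AZ names, and a constructed list of peer networks.

```python
"""VPC address planning with the standard-library ipaddress module.

Added example, not part of the Summit deck or of AWS tooling. It applies the
advice of the IP addressing, subnet and peering slides: keep the VPC CIDR in
an RFC1918 range, reject ranges that overlap networks you might later connect
or peer with, carve one subnet per Availability Zone, and carve /64 subnets
from a /56 IPv6 block. The peer networks checked in the demo are constructed.
"""
import ipaddress
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# AWS reserves the first four addresses of an IPv4 subnet (network address,
# VPC router, Amazon DNS server, future use) plus the last one (broadcast).
AWS_RESERVED_PER_SUBNET = 5


def is_rfc1918(cidr: str) -> bool:
    """True when the whole CIDR lies inside one RFC1918 block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def overlapping(cidr: str, others: List[str]) -> List[str]:
    """Networks in `others` that overlap `cidr`.

    Any hit disqualifies the range for a VPC that will peer with, or route to,
    those networks: peering requires non-overlapping CIDRs, and a route table
    cannot tell two overlapping destinations apart.
    """
    net = ipaddress.ip_network(cidr)
    return [o for o in others if ipaddress.ip_network(o).overlaps(net)]


def carve_subnets(vpc_cidr: str, azs: List[str], prefixlen: int) -> Dict[str, str]:
    """Hand out one subnet of `prefixlen` to each Availability Zone, in order.

    Works for both address families, so the same call carves /24s from an
    IPv4 /16 and /64s from an IPv6 /56.
    """
    gen = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefixlen)
    return {az: str(next(gen)) for az in azs}


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses left for instances in an IPv4 subnet after AWS's reserved ones."""
    net = ipaddress.ip_network(subnet_cidr)
    if net.version == 6:
        return net.num_addresses  # far beyond any practical limit
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_vpc(vpc_cidr: str, azs: List[str], peers: List[str], prefixlen: int = 24) -> Dict[str, object]:
    """Run the checks above and return the per-AZ layout, or the reasons it was rejected."""
    problems = []
    if not is_rfc1918(vpc_cidr):
        problems.append("not an RFC1918 range")
    clashes = overlapping(vpc_cidr, peers)
    if clashes:
        problems.append("overlaps " + ", ".join(clashes))
    if problems:
        return {"ok": False, "problems": problems}
    subnets = carve_subnets(vpc_cidr, azs, prefixlen)
    return {"ok": True, "subnets": subnets,
            "usable_per_subnet": usable_addresses(next(iter(subnets.values())))}


if __name__ == "__main__":
    AZS = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]  # AZ names from the slides
    PEERS = ["10.0.0.0/16", "10.1.128.0/17"]          # constructed: networks we intend to peer with
    print(plan_vpc("172.31.0.0/16", AZS, PEERS))     # accepted, one /24 per AZ
    print(plan_vpc("10.1.0.0/16", AZS, PEERS))       # rejected: overlaps 10.1.128.0/17
    print(carve_subnets("2600:1f16:14d:6300::/56", AZS, 64))
```

The same `carve_subnets` call produces the slide's IPv4 and IPv6 layouts because `ipaddress` treats both families uniformly; `plan_vpc` is the check to run once, before the first subnet exists, since neither a VPC CIDR nor a peering CIDR conflict is easy to undo later.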
  14. Routing in a VPC
  15. Route tables: VPC 172.31.0.0/16 with subnets 172.31.0.0/24, 172.31.1.0/24, 172.31.2.0/24, one per Availability Zone
  16. Traffic destined for my VPC stays in my VPC
  17. DNS in a VPC
  18. VPC DNS options: use the Amazon DNS server; have EC2 auto-assign DNS host names to instances
  19. Amazon Route 53 private hosted zones: private hosted zone example.demohostedzone.org → 172.31.0.99
  20. Amazon Route 53 Resolver for hybrid clouds: Route 53 Resolver endpoints, conditional forwarding rules
  21. Network security: security groups, network access control lists, flow logs
  22. Security groups follow application structure: the "MyWebServers" security group on the Web instances behind the internet gateway; the "MyBackends" security group on the App instances, allowing only "MyWebServers"
  23. Security groups example: Web servers. Allow HTTP traffic from anywhere.
  24. Security groups example: Backends. Allow application traffic from web servers only.
  25. Network security: security groups, network access control lists, flow logs
  26. Security groups vs. NACLs
      • Scope: a security group operates at the instance level; a network ACL operates at the subnet level
      • Rule types: a security group supports allow rules only; a network ACL supports allow and deny rules
      • State: a security group is stateful, return traffic is automatically allowed regardless of any rules; a network ACL is stateless, return traffic must be explicitly allowed by rules
      • Evaluation: for a security group, all rules are evaluated before deciding whether to allow traffic; for a network ACL, rules are evaluated in order when deciding whether to allow traffic
      • Applicability: a security group applies only to instances explicitly associated with it; a network ACL automatically applies to all instances launched into associated subnets
      • Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
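The comparison above is easiest to internalise by watching both mechanisms decide on the same packets. The simulator below is an added example, not from the deck or from AWS: it encodes the table's rows (any-match allow-only stateful security group versus ordered allow/deny stateless network ACL with an implicit final deny) and replays the web-tier/backend-tier layout of slides 22 to 24 through it. The group ids, addresses and ports are constructed.

```python
"""Security groups versus network ACLs as a packet-evaluation simulator.

Added example, not part of the Summit deck or of AWS code. It encodes the
comparison table: a security group evaluates all of its allow rules (any match
admits the packet) and is stateful, so replies to a tracked flow leave without
an outbound rule; a network ACL evaluates numbered allow/deny rules in order,
first match wins, ends in an implicit deny, and is stateless, so the reply needs
its own rule on the ephemeral port range. Group ids, addresses and ports are
constructed around the deck's web-tier / backend-tier layout.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reply(self) -> "Packet":  # the return packet: addresses and ports swapped
        return Packet(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


@dataclass(frozen=True)
class SGRule:  # the source is either a CIDR or another security group's id
    proto: str
    from_port: int
    to_port: int
    source_cidr: Optional[str] = None
    source_sg: Optional[str] = None


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[SGRule]
    flows: Set[Packet] = field(default_factory=set)  # connection-tracking state


def _port_ok(from_port: int, to_port: int, port: int) -> bool:
    return from_port <= port <= to_port


def sg_allows_inbound(sg: SecurityGroup, pkt: Packet, sg_of_ip: Dict[str, str]) -> bool:
    """Allow-only rules: every rule is considered and any match admits the packet."""
    for r in sg.inbound:
        if r.proto != pkt.proto or not _port_ok(r.from_port, r.to_port, pkt.dst_port):
            continue
        by_cidr = r.source_cidr is not None and ip_address(pkt.src_ip) in ip_network(r.source_cidr)
        by_group = r.source_sg is not None and sg_of_ip.get(pkt.src_ip) == r.source_sg
        if by_cidr or by_group:
            sg.flows.add(pkt)  # stateful: remember the admitted flow
            return True
    return False


def sg_allows_outbound(sg: SecurityGroup, pkt: Packet) -> bool:
    """Stateful: a reply to a tracked inbound flow passes regardless of rules.
    This toy group has no outbound rules, so anything else is refused."""
    return pkt.reply() in sg.flows


@dataclass(frozen=True)
class NaclRule:
    number: int
    proto: str      # "tcp", "udp", or "-1" for all protocols (ports then ignored)
    from_port: int
    to_port: int
    cidr: str
    action: str     # "allow" or "deny"


def nacl_decision(rules: List[NaclRule], pkt: Packet, direction: str) -> str:
    """Stateless, first match in rule-number order; the implicit '*' rule denies the rest.
    Inbound rules match the source address, outbound rules the destination; both match the dst port."""
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.proto != "-1" and (r.proto != pkt.proto or not _port_ok(r.from_port, r.to_port, pkt.dst_port)):
            continue
        if ip_address(peer) in ip_network(r.cidr):
            return r.action
    return "deny"


def web_to_backend_scenario() -> Dict[str, object]:
    """Slides 22-24: web servers take HTTP from anywhere, backends only from web servers."""
    backend_sg = SecurityGroup("sg-backends", [SGRule("tcp", 8080, 8080, source_sg="sg-web")])
    sg_of_ip = {"10.1.0.11": "sg-web"}  # Instance A is a member of the web-server group
    request = Packet("10.1.0.11", "10.1.2.11", "tcp", 40123, 8080)   # web -> backend
    stray = Packet("198.51.100.7", "10.1.2.11", "tcp", 40123, 8080)  # not a web server
    nacl_in = [NaclRule(100, "tcp", 8080, 8080, "10.1.0.0/24", "allow")]
    nacl_out = [NaclRule(100, "tcp", 1024, 65535, "10.1.0.0/24", "allow")]  # ephemeral ports
    return {
        "sg_request": sg_allows_inbound(backend_sg, request, sg_of_ip),
        "sg_stray": sg_allows_inbound(backend_sg, stray, sg_of_ip),
        "sg_reply": sg_allows_outbound(backend_sg, request.reply()),
        "nacl_request": nacl_decision(nacl_in, request, "inbound"),
        "nacl_reply_no_ephemeral_rule": nacl_decision([], request.reply(), "outbound"),
        "nacl_reply_with_ephemeral_rule": nacl_decision(nacl_out, request.reply(), "outbound"),
    }


def rule_order_matters() -> Tuple[str, str]:
    """The same deny and allow rules with swapped numbers: the first match decides."""
    pkt = Packet("10.1.0.5", "10.1.2.11", "tcp", 40123, 8080)
    deny_first = [NaclRule(100, "tcp", 8080, 8080, "10.1.0.5/32", "deny"),
                  NaclRule(200, "tcp", 8080, 8080, "10.1.0.0/24", "allow")]
    allow_first = [NaclRule(100, "tcp", 8080, 8080, "10.1.0.0/24", "allow"),
                   NaclRule(200, "tcp", 8080, 8080, "10.1.0.5/32", "deny")]
    return nacl_decision(deny_first, pkt, "inbound"), nacl_decision(allow_first, pkt, "inbound")
```

Two results are the ones that bite in practice: the backend's reply to the web tier is let out by the security group with no outbound rule at all, but is dropped by a network ACL unless an outbound rule covers the client's ephemeral port range; and a deny rule placed after a broader allow never fires, because the ACL stops at the first matching rule number.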
  27. Network security: security groups, network access control lists, flow logs
  28. VPC Flow Logs: visibility, troubleshooting, analyze traffic. Flow logs from AZ 1 and AZ 2 are delivered to Amazon S3 or Amazon CloudWatch Logs.
  29. VPC Flow Logs: Setup. VPC traffic metadata captured in Amazon S3 or Amazon CloudWatch Logs.
  30. VPC Flow Logs format
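The slide names the flow log format without reproducing it. The parser below is an added example, not from the deck or from AWS tooling: it reads records in the default format (version 2, fourteen space-separated fields: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), copes with NODATA records whose fields are "-", and summarises rejected traffic per source, which is the first thing to look at when the "troubleshooting" use case on slide 28 is a security group or NACL that is dropping expected traffic. The log lines are constructed samples around the deck's backend Instance C (10.1.2.11); the account id and interface id are placeholders.

```python
"""Parsing VPC Flow Log records and summarising rejected traffic.

Added example, not part of the Summit deck or of AWS tooling. It handles the
default flow log record format (version 2, 14 space-separated fields:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status), including NODATA/SKIPDATA
records whose fields are "-". The records below are constructed samples
for the deck's VPC (backend Instance C at 10.1.2.11); the account id and
the interface id are placeholders.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records (placeholder account id and ENI id).
SAMPLE_LOG = """\
2 123456789012 eni-0placeholder 10.1.0.11 10.1.2.11 40124 8080 6 20 4000 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0placeholder 198.51.100.7 10.1.2.11 40123 22 6 3 180 1560000000 1560000060 REJECT OK
2 123456789012 eni-0placeholder 198.51.100.7 10.1.2.11 40125 3389 6 2 120 1560000000 1560000060 REJECT OK
2 123456789012 eni-0placeholder 198.51.100.7 10.1.2.11 40126 8080 6 2 120 1560000000 1560000060 REJECT OK
2 123456789012 eni-0placeholder - - - - - - - 1560000060 1560000120 - NODATA
2 123456789012 eni-0placeholder 203.0.113.9 10.1.2.11 50001 8080 6 1 60 1560000060 1560000120 REJECT OK
2 123456789012 eni-0placeholder 10.1.2.11 10.1.0.11 8080 40124 6 18 9000 1560000060 1560000120 ACCEPT OK
"""


def parse_record(line: str) -> Dict[str, Optional[object]]:
    """Turn one default-format record into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, Optional[object]] = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    if rec["protocol"] is not None:
        rec["protocol_name"] = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
    return rec


def parse_log(text: str) -> List[Dict[str, Optional[object]]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejects_by_source(records) -> Counter:
    """How many flows each source address had rejected (NODATA records carry no action)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def rejected_ports_by_source(records) -> Dict[str, Set[int]]:
    """Distinct destination ports refused per source. One source refused on many
    ports is the pattern worth a second look when reviewing a security group or NACL."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return dict(ports)


def accepted_bytes(records) -> int:
    return sum(r["bytes"] for r in records if r["action"] == "ACCEPT")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, rejects by source: {dict(rejects_by_source(recs))}")
    print("rejected ports:", rejected_ports_by_source(recs))
    print("bytes accepted:", accepted_bytes(recs))
```

In the sample, the web-to-backend flow on 8080 and its reply are both ACCEPT, while 198.51.100.7 was refused on 22, 3389 and 8080; each REJECT line identifies the interface, port and source so that the responsible security group or NACL rule can be found directly. Note that a flow log records the verdict, not which rule produced it, and a NODATA record only says the interface saw no traffic in that window.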
  31. (Section divider)
  32. Connecting your VPC, or not: internet connectivity, connecting to other VPCs, connecting to your on-premises network
  33. Internet connectivity, or not
  34. (Diagram, "Let’s take a closer look": VPC CIDR 10.1.0.0/16 across Availability Zone 1 and Availability Zone 2, with public subnets holding Instance A 10.1.0.11/24 (EIP 54.23.12.43) and Instance B 10.1.1.11/24 (EIP 54.19.12.23) and private subnets holding Instance C 10.1.2.11/24 and Instance D 10.1.3.11/24 behind NAT gateways; an internet gateway; reachability to Amazon S3, Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS and AWS IoT; "+ Expand" and "+ IPv6" annotations. Public subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW. Private subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → NAT-GW.)
  35. Connecting to other VPCs: VPC peering, Transit Gateway
  36. VPC peering
      • Full private IP connectivity between two VPCs
      • Can peer VPCs across regions
      • VPCs can be in different accounts
      • VPC CIDR ranges must not overlap
      (Diagram: peered VPCs 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16)
  37. Establish a VPC peering: Initiate request. Step 1: initiate the peering request (172.31.0.0/16 to 10.55.0.0/16).
  38. Establish a VPC peering: Accept request. Step 1: initiate peering request. Step 2: accept the peering request (172.31.0.0/16 ↔ 10.55.0.0/16).
  39. Establish a VPC peering: Create routes. Step 1: initiate peering request. Step 2: accept peering request. Steps 3 and 4: traffic destined for the peered VPC should go to the peering connection; repeat for the other VPC (172.31.0.0/16 ↔ 10.55.0.0/16).
  40. Connecting to other VPCs: VPC peering, Transit Gateway and beyond…
  41. Before Transit Gateway… (Diagram: a customer gateway with several VPN connections, an AWS Direct Connect gateway, and a mesh of VPC peering connections between Amazon VPCs)
  42. With Transit Gateway… (Diagram: Amazon VPCs, a customer gateway VPN connection and an AWS Direct Connect gateway (NEW) all attach to a single Transit Gateway)
  43. With Transit Gateway… (Diagram: VPC A is attachment 1, VPC B attachment 2, VPC C attachment 3 and the on-premises VPN attachment 4; the Transit Gateway has route tables RT1 and RT2; VPC B’s route table: B → Local, 0.0.0.0/0 → TGW)
  44. Attachment: the connection from an Amazon VPC, VPN, or DX GW to a Transit Gateway. Association: the route table used to route packets coming from an attachment. Propagation: the route table where the attachment’s routes are installed.
  45. Transit Gateway route table RT1. Attachments: Llama (10.1.0.0/16) via X, Pegasus (10.2.0.0/16) via Y, Barry (10.3.0.0/16) via Z. Associations: Llama from X, Pegasus from Y, Barry from Z. Propagations: Llama from X, Pegasus from Y, Barry from Z. Routes: 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 10.3.0.0/16 via Z. VPC route tables: 10.1.0.0/16 → Local, 0.0.0.0/0 → TGW; or 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW, 10.0.0.0/8 → TGW.
  46. Transit Gateway route table(s) after Llama adds the CIDRs 10.8.0.0/16 and 10.9.0.0/16: propagation installs 10.8.0.0/16 via X and 10.9.0.0/16 via X alongside 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 10.3.0.0/16 via Z.
  47. Transit Gateway route table(s) with propagation turned off: you can still statically configure routes (10.8.0.0/16 via X, 10.9.0.0/16 via X).
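Route lookup inside a VPC (slides 15, 16, 34 and 39: the local route, the internet gateway, an S3 prefix list pointing at a gateway endpoint, a peering connection) and inside a Transit Gateway (slides 44 to 47: attachments, associations, propagations, and static routes once propagation is off) follow the same longest-prefix rule. The following is an added example, not from the deck or from AWS code, that models both; attachment names and CIDRs are the slides' own, while the S3 prefix-list CIDR and the VPC-B CIDR are constructed stand-ins.

```python
"""Longest-prefix route lookup for a VPC route table and a Transit Gateway.

Added example, not part of the Summit deck or of AWS code. RouteTable models
the VPC route tables of slides 15-16, 34 and 39 (local route, internet gateway,
S3 prefix list to a gateway endpoint, peering connection); TransitGateway
models slides 44-47 (attachments, associations, propagations, and static routes
once propagation is off). Attachment names and CIDRs are the slides' own; the
S3 prefix-list CIDR and the VPC-B CIDR are constructed stand-ins.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[object, str, str]  # (network, target, "static" | "propagated")


class RouteTable:
    def __init__(self, prefix_lists: Optional[Dict[str, List[str]]] = None) -> None:
        self.routes: List[Route] = []
        self.prefix_lists = prefix_lists or {}

    def add(self, destination: str, target: str, kind: str = "static") -> None:
        """`destination` is a CIDR or the name of a managed prefix list."""
        for cidr in self.prefix_lists.get(destination, [destination]):
            self.routes.append((ip_network(cidr), target, kind))

    def lookup(self, dst: str) -> Optional[str]:
        """The most specific matching route wins; None means no route, packet dropped."""
        addr = ip_address(dst)
        best: Optional[Route] = None
        for route in self.routes:
            net = route[0]
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = route
        return best[1] if best else None


def vpc_route_table() -> RouteTable:
    """Public-subnet route table of the deck's 10.1.0.0/16 VPC."""
    rt = RouteTable(prefix_lists={"pl-s3": ["52.216.0.0/15"]})  # constructed S3 prefix-list CIDR
    rt.add("10.1.0.0/16", "local")      # traffic destined for my VPC stays in my VPC
    rt.add("0.0.0.0/0", "igw")
    rt.add("pl-s3", "vpce-123")         # more specific than 0.0.0.0/0, so S3 goes via the endpoint
    rt.add("10.55.0.0/16", "pcx-123")   # peered VPC-B (slide 39, steps 3 and 4); CIDR constructed
    return rt


class TransitGateway:
    def __init__(self) -> None:
        self.tables: Dict[str, RouteTable] = {}
        self.cidrs: Dict[str, List[str]] = {}          # attachment -> CIDRs it advertises
        self.associations: Dict[str, str] = {}         # attachment -> table that routes its packets
        self.propagations: Dict[str, List[str]] = {}   # table -> attachments propagated into it

    def attach(self, attachment: str, cidrs: List[str]) -> None:
        self.cidrs[attachment] = list(cidrs)

    def add_cidr(self, attachment: str, cidr: str) -> None:
        self.cidrs[attachment].append(cidr)   # e.g. a VPC adding a secondary CIDR
        self._rebuild()

    def associate(self, attachment: str, table: str) -> None:
        self.tables.setdefault(table, RouteTable())
        self.associations[attachment] = table

    def propagate(self, attachment: str, table: str, enabled: bool = True) -> None:
        attached = self.propagations.setdefault(table, [])
        if enabled and attachment not in attached:
            attached.append(attachment)
        elif not enabled and attachment in attached:
            attached.remove(attachment)
        self._rebuild()

    def static_route(self, table: str, cidr: str, attachment: str) -> None:
        self.tables.setdefault(table, RouteTable()).add(cidr, attachment)

    def _rebuild(self) -> None:
        """Recompute propagated routes from the current attachments; static routes stay."""
        for table, attachments in self.propagations.items():
            rt = self.tables.setdefault(table, RouteTable())
            rt.routes = [r for r in rt.routes if r[2] != "propagated"]
            for att in attachments:
                for cidr in self.cidrs.get(att, []):
                    rt.add(cidr, att, kind="propagated")

    def route(self, from_attachment: str, dst: str) -> Optional[str]:
        """Attachment that a packet arriving on `from_attachment` is forwarded to."""
        return self.tables[self.associations[from_attachment]].lookup(dst)


def slide_45_transit_gateway() -> TransitGateway:
    """RT1 with Llama (X), Pegasus (Y) and Barry (Z) associated and propagated."""
    tgw = TransitGateway()
    for att, cidr in (("X", "10.1.0.0/16"), ("Y", "10.2.0.0/16"), ("Z", "10.3.0.0/16")):
        tgw.attach(att, [cidr])
        tgw.associate(att, "RT1")
        tgw.propagate(att, "RT1")
    return tgw
```

The VPC table shows why a gateway endpoint needs no change to instances: the S3 prefix list is more specific than 0.0.0.0/0, so S3 traffic leaves through the endpoint while everything else still uses the internet gateway. The Transit Gateway model separates the two decisions the slides name: association picks which table evaluates a packet, propagation decides whose CIDRs appear in it, and turning propagation off removes only the propagated routes, leaving any static ones you configured.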
  48. After: AWS Transit Gateway (TGW) – The console
  49. After: AWS Transit Gateway – The console (screenshot: a Transit Gateway named "Unicorn TGW", description "This TGW is Awesome")
  50. After: AWS Transit Gateway – The console
  51. Transit Gateways per account / Transit Gateway attachments per Amazon VPC: 5. Maximum burstable bandwidth per attachment: 50 Gbps.
  52. Maximum bandwidth per VPN connection: 1.25 Gbps*. *With ECMP, you can distribute traffic over multiple tunnels, e.g., 8 tunnels = 10 Gbps.
  53. Routes per AWS Transit Gateway: 10,000. Number of AWS Transit Gateway attachments per region per account: 5,000 !!!
  54. Cross-region connectivity? TGW is a region-level construct today.
  55. AWS Transit Gateway detailed instructions: https://amzn.to/2SkI4zV
  56. Connecting to on-premises networks: AWS VPN, AWS Direct Connect
  57. Site-to-site VPN: the customer gateway on premises connects over the internet to a virtual private gateway through IPsec tunnel 1 (primary) and IPsec tunnel 2 (secondary); IPsec tunnel over the internet
  58. Site-to-site VPN to Transit Gateway: the customer gateway on premises connects over the internet to a Transit Gateway through IPsec tunnel 1 (primary) and IPsec tunnel 2 (secondary)
  59. Migrate site-to-site VPN to Transit Gateway (NEW): https://amzn.to/2vwPcj7
  60. Client VPN: a user with an OpenVPN client connects over a TLS-based tunnel over the internet to a Client VPN endpoint, which is attached to an Amazon VPC and from there reaches on premises, Amazon S3 and Amazon DynamoDB
  61. Connecting to on-premises networks: AWS VPN, AWS Direct Connect
  62. AWS Direct Connect: What’s that? (Diagram: on premises 192.168.0.0/16 → customer or partner cage → service provider network → AWS Direct Connect location → cross connect → AWS cage → AWS Region; a private VIF terminates on the VGW of VPC 10.0.0.0/16, a public VIF reaches public AWS endpoints)
  63. AWS Direct Connect: What’s that? (Diagram: as above, plus a second private VIF to the VGW of a second VPC, 10.2.0.0/16)
  64. AWS Direct Connect gateway: one private VIF → many VPCs (Diagram: the private VIF terminates on an AWS Direct Connect gateway, which reaches the VGWs of VPCs 10.0.0.0/16 and 10.2.0.0/16)
  65. AWS Direct Connect gateway: one private VIF → many VPCs across regions (VPC 10.0.0.0/16 in AWS Region 1 and VPC 10.2.0.0/16 in AWS Region 2)
  66. Multi-account DX gateway (New): one private VIF → many VPCs across accounts (VPC 10.0.0.0/16 in AWS Account 1 and VPC 10.2.0.0/16 in AWS Account 2)
  67. Transit VIF with DX gateway (New): one transit VIF → many VPCs, through an AWS Direct Connect gateway attached to an AWS Transit Gateway (VPC 10.0.0.0/16 in AWS Account 1 and VPC 10.2.0.0/16 in AWS Account 2)
  68. Transit Gateway with AWS Direct Connect (New): https://amzn.to/2VDnnEt
  69. Also new: new partner connection speeds, 1, 2, 5, or 10 Gbps of capacity: https://amzn.to/2YtGNue
  70. (Section divider)
  71. …more AWS networking: VPC sharing, VPC endpoints and AWS PrivateLink, AWS Global Accelerator
  72. Amazon VPC sharing: Before
  73. (Diagram: six accounts, Llama 10.3.0.0/16, Pegasus 10.2.0.0/16, Barry 10.1.0.0/16, Iguana 10.6.0.0/16, Steve 10.5.0.0/16 and Sue 10.4.0.0/16, each with its own VPC for its environment (Prod 1, Dev, Test, Prod 2, Prod 3, Prod 4), running AWS Lambda, Amazon EC2, Amazon Redshift and Amazon RDS)
  74. Amazon VPC sharing: After
  75. (Diagram: the same accounts and environments now share VPCs, with one account as Owner and the others as Participants)
  76. Amazon VPC owner: responsible for creating, managing, and deleting all VPC-level entities. Amazon VPC owners cannot modify or delete participant resources.
      Amazon VPC participant: responsible for the creation, management, and deletion of their resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) databases, and load balancers. However, they cannot modify any Amazon VPC-level entities, including route tables, network ACLs, or subnets (or view/modify resources belonging to other participants).
  77. Why use Amazon VPC sharing?
      • Preserve IP space: use fewer IPv4 CIDRs
      • Interconnectivity: no VPC peering required
      • Billing and security: continue to enjoy segregation with multiple accounts
      • Separation of duties: a central team can create and manage your Amazon VPC
      • Same-AZ cost for data transfer is nil!
  78. Amazon VPC sharing details: https://amzn.to/2Aovw2Z
  79. VPC endpoints: interface VPC endpoints, gateway VPC endpoints, AWS PrivateLink
  80. (Diagram: the 10.1.0.0/16 VPC from slide 34, now with a gateway VPC endpoint (VPCE) for Amazon S3 and Amazon DynamoDB; VPCE = Virtual private endpoint (Type: Gateway). Public subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW, S3 prefix list → VPCE-123. Private subnet route table: 10.1.0.0/16 → Local, DDB prefix list → VPCE-123.)
  81. VPC endpoints: interface VPC endpoints, gateway VPC endpoints, AWS PrivateLink
  82. Interface VPC endpoints: 22+ services now supported over AWS PrivateLink (Amazon API Gateway, AWS CloudFormation, Amazon CloudWatch, Amazon CloudWatch Events, Amazon CloudWatch Logs, AWS CodeBuild, AWS Config, Amazon EC2 API, Elastic Load Balancing API, AWS Key Management Service, Amazon Kinesis Data Streams, Amazon SageMaker Runtime, AWS Secrets Manager, AWS Security Token Service, AWS Service Catalog, Amazon SNS, AWS Systems Manager, and more). AWS PrivateLink can reach public services privately from your VPC: ec2.eu-west-1.amazonaws.com resolves to endpoint network interfaces inside the VPC, ENI1 10.1.0.15 and ENI2 10.1.1.23. No routes needed! (almost): the route tables hold only 10.1.0.0/16 → Local.
  83. VPC endpoints: Type: Gateway; Type: Interface
  84. VPC endpoints: interface VPC endpoints, gateway VPC endpoints, AWS PrivateLink
  85. And now AWS PrivateLink for service providers: a customer VPC reaches an application (e.g., SaaS) in the service provider VPC through an NLB exposed over AWS PrivateLink; VPC endpoint: vpce-2222.foo.amazon.com
  86. AWS Global Accelerator
  87. Before
  88. (Diagram: AWS Region 1 and AWS Region 2)
  89. After
  90. (Diagram: AWS Region 1 and AWS Region 2, both reachable through the same IP, 3.10.3.125)
  91. Static anycast IPs: Global Accelerator uses static IP addresses as a fixed entry point to your applications, which are anycast from AWS edge locations. AWS global network: traffic routed through Global Accelerator traverses the AWS global network (instead of the public internet). Client state: applications can keep state, with connections routed to the same endpoint, after initial connection.
  92. AWS Global Accelerator: https://amzn.to/2FI3y89
  93. (Section divider)
  94. (Diagram: the full reference architecture of slide 3, revisited)
  95. Awesome Networking study guide: https://amzn.to/2U9TczL
  96. Thank you! Sid Chauhan @sidhartc