From One to Many: Diving Deeper into Evolving VPC Design (ARC310-R2) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
From One to Many: Evolving VPC Design
Chalk Talk
Androski Spicer
Solutions Architect
Amazon Web Services
A R C 3 1 0

A m a z o n V P C D e s i g n
Rethinking Connectivity

VPC IP SPACE DESIGN
Don’toverlapIPspace
Considerconnectivitytocorporatenetworks
PlanforexpansiontoadditionalAvailabilityZonesorregions
Subnet
Availability Zone A
IPv4 IPv6
OptionallyenableIPv6onVPC
/56ofAmazon’sGlobalUnicastAddress(GUA)perVPC
/64CIDRblockpersubnet
IPv6completelyindependentfromIPv4
Enabledpersubnetorperinstance(perENI)
Supportedbysecuritygroups,routetables,NACLs,VPCPeering
internetgateway,DX,flowlogs,andDNSResolution
ChooseACIDR
/16
/28
(65,536 IPs)
(16IPs)

VPC ID : abc-de-fg-7
Secondary CIDR : 10.2.0.0/16
Secondary CIDR : 10.3.0.0/16
Secondary CIDR : 10.4.0.0/16 Secondary CIDR : 10.5.0.0/16
Primary CIDR :
10.1.0.0/28
Main Route Table
Destination Target
10.1.0.0/28 Local
10.2.0.0/16 Local
10.3.0.0/16 Local
10.4.0.0/16 Local
10.5.0.0/16 Local
US-WEST-2
VPC RESIZING
Primary CIDR
10.3.0.0/16
• CIDR Block/s cannot overlap
• Existing CIDR Blocks cannot change
• CIDR block must not be the same or larger than the CIDR range of a
route in any of the VPC route tables

IPv4 VPC SUBNET DESIGN
/16
Availability Zone A
Hybrid Subnet
Public subnet
Private subnet
Availability Zone B
Public subnet
Private subnet
Availability Zone C
Public subnet
Private subnet
/22 /22 /22
/20
/20
/20
/20
/20
/20
4091 IPs
1019 IPs
4091 IPs
Hybrid Subnet Hybrid Subnet

WHAT ABOUT IPV6 DESIGN
Availability Zone A
Public subnet
Private subnet
Availability Zone B
Public subnet
Private subnet
Availability Zone C
Public subnet
Private subnet
/64
/56
/64 /64
/64 /64 /64
18 QUINTILLION
18 QUINTILLION
18 SEXTILLION

INTERNET
ACCESS

DEPLOY A NAT GATEWAY
Availability Zone A
Public subnet
Private Route Table
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 NAT-GW-1
Corp CIDR VGW
Private subnet
CORPORATE
DATA CENTER
Availability Zone A
Public subnet
Private subnet
INTERNET
GATEWAY
INTERNET
NAT GATEWAY
• Still need internet gateway
• Separate subnets
• Requires Elastic IP address
• AZ specific
• Burst to 10 Gbps
Hybrid subnet Hybrid subnet

Hybrid subnet
ROUTING IN THE PRIVATE SUBNET
Availability Zone A
Hybrid subnet
Public subnet
Private Route Table
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 NAT-GW-2
Corp CIDR VGW
Private subnet
CORPORATE DATA CENTER
Availability Zone A
Public subnet
Private subnet
INTERNET
GATEWAY
INTERNET
NAT GATEWAY
NAT GATEWAY

ROUTING IN THE PRIVATE SUBNET
Availability Zone A
Public subnet
Private Route Table
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 NAT-GW-2
Corp CIDR VGW
Private subnet
CORPORTAE DATA CENTER
Availability Zone A
Public subnet
Private subnet
INTERNET
GATEWAY
INTERNET
NAT GATEWAY
NAT GATEWAY
Hybrid subnet Hybrid subnet

Private subnet
Internal app
Availability Zone A
AWS Oregon (us-west-2) Region
ROUTE TABLE
0.0.0.0/0 – > NAT GW
Public Subnet
Public Infrastructure
Availability Zone A
Private Route Table
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 NAT-GW
NAT GATEWAY (NAT-GW)
ROUTE TABLE
Private Route Table
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 IGW
PRIVATE
PUBLIC
IGW
18.219.170.117

Private subnet
Internal app
Amazon S3Amazon DynamoDB
Availability Zone A
GATEWAY VPC ENDPOINTS
VPC ENDPOINT
AWS Oregon (us-west-2) Region
GATEWAY
ROUTE TABLE
GET REQUEST TO AMAZON S3
PUT REQUEST TO DYNAMODB
Route Table
Destination Target
10.1.0.0/16 Local
Corp CIDR VGW
Prefix List for S3 us-west-2 VPC-Endpoint
Prefix List for DynamoDB- us-west-2 VPC-Endpoint
aws ec2 create-vpc-endpoint
--vpc-id vpc-40f18d25
--service-name com.amazonaws.us-west-2.s3
--route-table-ids rtb-2ae6a24f rtb-61c78704
--vpc-id vpc-40f18d25
--service-name com.amazonaws.us-west-
2.dynamodb
aws ec2 describe-vpc-endpoint-services
{ "ServiceNames": [
"com.amazonaws.us-east-1.s3",
"com.amazonaws.us-east-1.dynamodb"
] }
Amazon S3
Amazon DynamoDB
Add Endpoint Hostnames to Security Group Outgoing Rules

{
"Statement": [
{
"Sid": "vpce-restrict-to-backup-bucket",
"Principal": "*",
"Action": [ "s3:GetObject", "s3:PutObject” ],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::reinvent-docs", "arn:aws:s3::: reinvent-docs /*"]
} ] }
{
"Statement": [
{
"Sid": "bucket-restrict-to-specific-vpce",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::backups-reinvent", "arn:aws:s3:::backups-reinvent/*"],
"Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-bc42a4e5” } }
} ] }
S3 Bucket Policy
VPC Endpoint IAM Access Policy
Private subnet
Internal app
Availability Zone A
VPC ENDPOINTGATEWAY
ROIUTE TABLE
GET REQUEST
TO S3
VPC Endpoint
IAM Access Policy
S3
Bucket Policy

INTERFACE
VPC ENDPOINTS
S E R V I C E O W N E D B Y Y O U , O T H E R A C C O U N T S O R
A M A Z O N P A R T N E R S
E n a b l e s p r i v a t e c o m m u n i c a t i o n b e t w e e n
A W S s e r v i c e s u s i n g a n e l a s t i c n e t w o r k
i n t e r f a c e w i t h p r i v a t e I P s i n y o u r A m a z o n
V P C
1 0 . 1 . 1 0 . 5 0
S U B N E T - 1 0 . 1 . 1 0 . 0 / 2 4
Availability Zone A
O N E E N I P E R A Z F O R A S P E C I F I C S E R V I C E
1 0 . 1 . 2 0 . 5 0
S U B N E T - 1 0 . 1 . 2 0 . 0 / 2 4
Availability Zone B
R e q u e s t e r - m a n a g e d
n e t w o r k i n t e r f a c e
1 0 G B P S E A C H I N T E R F A C E E N D P O I N T

S U B N E T - 1 0 . 1 . 1 . 0 / 2 4
Availability Zone A
--vpc-id vpc-ec43eb89
--vpc-endpoint-type Interface
--service-name com.amazonaws.us-east-1.kinesis
--subnet-id subnet-abababab subnet-catbatratsat
--security-group-id sg-1a2b3c4d
S E C U R I T Y G R O U P
S U B N E T - 1 0 . 1 . 2 . 0 / 2 4
Availability Zone B
Amazon Kinesis
1 0 . 1 . 2 . 1 0
1 0 . 1 . 1 . 1 0
v p c - i d v p c - e c 4 3 e b 8 9
k i n e s i s . u s - e a s t -
1 . a m a z o n a w s . c o m
Enable Private DNS Name
o AWS Services
o AWS Market Place Services
Kinesis.putRecord
DNS Resolution
Virtual Private Gateway
Customer
network
IPSec VPN
NO ROUTES IN YOUR ROUTE TABLE
SUPPORTS TCP ONLY
aws ec2 describe-vpc-endpoints
DX Gateway
vpce-0fe5b17a0707d6abc-29p5708s.kinesis.us-west-
2.vpce.amazonaws.com
ENDPOINT-SPECIFIC REGIONAL DNS HOSTNAME
vpce-0fe5b17a0707d6abc-29p5708s-us-west-
2a.kinesis.us-west-2.vpce.amazonaws.com
vpce-0fe5b17a0707d6abc-29p5708s-us-west-
2b.kinesis.us-west-2.vpce.amazonaws.com
ENDPOINT-SPECIFIC ZONAL DNS HOSTNAME
kinesis.us-west-2.amazonaws.com
PRIVATE DNS ENABLED

//Lambda Handler Function aka Main
exports.handler = (event, context, callback) => {
event.Records.forEach(function(record) {
var esDoc = new Buffer(record.kinesis.data, 'base64');
esDoc = esDoc.toString();
client.index({
index: process.env.esIndex,
id: record.kinesis.sequenceNumber,
type: process.env.esType,
body: {
"Kinesis-Shard-Event-ID": record.eventID,
"Time-Written-To-Kinesis-Shard": record.kinesis.approximateArrivalTimestamp,
"Message-Data": esDoc.toString(),
}
},function(err,resp,status) {
console.log(resp);
});
});
};
W r i t e s d a t a f r o m
K i n e s i s S t r e a m t o
E l a s t i c s e a r c h C l u s t e r
P r i v a t e D N S N a m e E n a b l e d
S U B N E T - 1 0 . 1 . 1 . 0 / 2 4
Availability Zone A
1 0 . 1 . 1 . 1 0
v p c - i d v p c - e c 4 3 e b 8 9
k i n e s i s . u s - e a s t -
Kinesis.putRecord
Application Log
Data
Application
Server
Elasticsearch
Cluster
Amazon Kinesis
M a k e s L a m b d a S e r v i c e
A w a r e o f t h e P U T
e v e n t
Writes to ES
Endpoint
VPC Endpoint
IAM Access Policy
S3
Bucket Policy
Writes logs
S3
DNS Resolution
IP add :
10.1.1.10
returned

VPC ENDPOINT SERVICES
VIA
AMAZONPRIVATELINKS

S U B N E T - 1 0 . 1 . 1 . 0 / 2 4
Availability Zone A
v p c - i d v p c - e c 4 3 e b 8 9
Application
Servers
CREATES VPC ENDPOINT SERVICE
WHITELIST ACCOUNTS FOR ACCESS
ASSOCIATE VPC ENDPOINT SERVICE WITH NLB
aws ec2 create-vpc-endpoint-service
--whitelist-account-ids 123456789012,210987654321
--network-load-balancer-ids nlb-aaaaaaaa
Network Load Balancer
SERVICE ARN : aws::us-east-1::service-12345678
SERVICE DNS NAME : service-12345678.vpc-Endpoints.aws
u s - w e s t - 2
1 0 . 1 . 1 . 0 / 2 4
Availability Zone A
S E C U R I T Y
G R O U P
1 0 . 1 . 1 . 1 0
v p c - i d v p c - b e s v p c e v r
d b A P I . e x e c u t e -
a p i . . u s - e a s t -
HTTPS GET
DNS Resolution
IP add : 10.1.1.10
returned
HTTPS PUT
Intranet App- A
u s - w e s t - 2
LISTING AVAILABLE SERVICE OVER VPC ENDPOINTS
P R O D U C E R C O N S U M E R
--vpc-id vpc-ec43eb89
--vpc-endpoint-type Interface
--service-name com.amazonaws.us-east-1.elasticloadbalancing
--subnet-id subnet-abababab subnet-catbatratsat
--security-group-id sg-1a2b3c4d
DNS Names
elasticloadbalancing.us-west-2.amazonaws.com (Z35DVM6FZNQKU5)
General DNS Names
vpce-030344adc43a00bdb-45ltt7jj.elasticloadbalancing.us-west-2.vpce.amazonaws.com (Z1YSA3EXCYUU9Z)
Zonal DNS Names
vpce-030344adc43a00bdb-45ltt7jj-us-west-2b.elasticloadbalancing.us-west-2.vpce.amazonaws.com
vpce-030344adc43a00bdb-45ltt7jj-us-west-2a.elasticloadbalancing.us-west-2.vpce.amazonaws.com
vpce-030344adc43a00bdb-45ltt7jj-us-west-2c.elasticloadbalancing.us-west-2.vpce.amazonaws.com
A c c o u n t
– A
A c c o u n t
– B

S U B N E T - 1 0 . 1 . 1 . 0 / 2 4 Availability Zone A
v p c - i d v p c - e c 4 3 e b 8 9
AMAZON RELATIONAL
DATABASE SERVICE
Network Load Balancer
u s - w e s t - 2
1 0 . 1 . 1 . 0 / 2 4
Availability Zone A
S E C U R I T Y
G R O U P
1 0 . 1 . 1 . 1 0
v p c - i d v p c - b e s v p c e v r
d b A P I . e x e c u t e -
a p i . . u s - e a s t -
HTTPS GET
DNS Resolution
IP add : 10.1.1.10
returned
HTTPS PUT
Intranet App- A
u s - w e s t - 2
LISTING AVAILABLE SERVICE OVER VPC ENDPOINTS
A c c o u n t
– A
A c c o u n t
– B
RDS-FAILURE-EVENT
AMAZON SNS

Centralize network connectivity to and from cloud
Centralize management, security, and common
services
Account owners in control of own VPC resources
Many AWS accounts
Many VPCs
One region

Region
Customer
network
Internal apps
DNS
Directory
Logging
Monitoring
Security
Public apps
14 VPCs

HA VPN
TO
VPC
VPC
HA VPN Pair
Availability Zone A
iBGP
eBGP
Customer CIDRs or Default Route
eBGP
AWS ASN 7224
Re-advertise VPC CIDR via IGP
VGW
VPC CIDR
Customer ASN (Public or Private)
CGW1 CGW2
VPN1
Tun1
VPN1
Tun2
Availability Zone A
VPN2
Tun1
VPN2
Tun2
Reuse your customer gateway public IP
to connect to more VPCs
Customer
network
MED
MED
REGION

HUB & SPOKE
VPC PEERING
VPC
Shared services
VPC
Shared
services
VPC
VPC
Customer
network
Spoke VPC
Spoke VPC
Spoke VPCSpoke VPC
Spoke VPC
Spoke VPC
REGION
VPC
VPC
VPC
VPC
VPC
VPC

HQ
OREGON
VPC
Shared services
VPC
VPC
Customer
network
OREGON REGION
VPC
VPC
VPC
VPC
IRELAND REGION
VPC
Shared services
VPC
VPC
VPC
VPC
VPC
NOOVERLAPPINGIP
ADDRESSSPACE
SHARED SERVICES
A M A Z O N B A C K B O N E
I N T E R - R E G I O N
V P C P E E R
C R O S S - R E G I O N P E E R E D
C O N N E C T I O N E N C R Y P T E D
SINGAPORE REGION
VPC
VPC
VPC
Shared services
VPC
VPC
I N T E R - R E G I O N
V P C P E E R

us-east-2
VPC
VPC
VPC
VPC
Transit VPC
VPC
us-west-2
VPC
VPC
VPC
eu-west-1
VPC
VPC
VPC
VPC
Transit VPC
VPC
AWS Network
Backbone
Provider
MPLS
Network
Branch Branch
NA
HQ
VPC
VPC
VPC
VPC
VPC
VPC
Chicago DX
AP
HQ
London DX
ap-northeast-1
VPC
VPC
VPC
VPC
Transit VPC
VPC
EU
HQ
Tokyo DX
DO NOT DO THIS

Oregon DX Location
US-EAST-1
Customer Router
Ireland DX Location
Customer Router
Singapore DX Location
Customer Router
US-EAST-2
US-WEST-1
US-WEST-2
US-EAST-2
US-WEST-1
ACCOUNT-A
ACCOUNT-B
PRIVATE VIF
HOSTED
PRIVATE VIF
US-WEST-1 US-WEST-2
Reference Architecture

Transit Gateway
SIMPLICITY

TransitGatewayIsARegional,NativeAWSService
AllowsYoutoInterconnectThousandsofVPCsThatExistWithinTheSameAccountOrDifferentAccounts
Today,ATransitGatewayconnectstoYourDatacentersviaanIPSecTunnelOnly
Supportsupto 10,000Routes
NetworkSegmentationIsAchieved ByCreatingMultipleRouteTablesinaTransitGatewayandAssociateVPCs&
VPN
On-DemandBandwidthtoMoveLargeAmountsofData
AWS Transit Gateway
InterconnectingVPCsatscale:TransitGatewayisbestsuitedforcustomerswho
havemultipleVPCsandwanttoconnectthem.
Edgeconsolidation:TransitGatewayallowscustomerstoshareacommonVPN
acrossalltheirVPCs.
GlobalConnectivity:TransitGatewayscanbepeeredacrossregionsusingthe
secureAWSbackboneallowingcustomerstobuildaglobalnetworkthat
connectstheirVPCsandon-premisesnetworksworldwide.
Whatitis Usecases

Private Subnet -A
TGW- ENI
Availability Zone A
ROUTE TABLE
ROUTE TABLE
aws ec2 create-transit-gateway
Whitelist other account(s) using the Cross-account resource sharing API:
create-resource-share --name "Network Ops resource share"
-–principals [‘account-2’, ‘account-3’] //same OU
--resource-arns ["arn:aws:ec2:us-east-1:12345678901:tgw/ tgw-
0ea7775074e8d0683"]
Account-2
Account-3
aws ec2 describe-transit-gateways
tgw-0ea7775074e8d0683
Discover the TGWs being shared aws ec2 create-transit-gateway-vpc-attachment
--transit-gateway-id tgw-
14324bbc412a43243
--vpc-id vpc-2321314314
--subnet-ids subnet-12312312,subnet-
41343432
Associate VPC with the TGWs being shared
aws ec2 describe-transit-gateway-vpc-
attachments
--transit-gateway-id tgw-14324bbc412a43243
--filters “Name=transit-gateway-attachment-
state, Values= pendingAcceptance”
Discover & Accept Associations
How it works
Private Subnet -A
TGW- ENI
Availability Zone A

Routing & The Transit Gateway
TGWsupportsdynamicandstaticroutingbetweenattachedVPCs&VPN
Bydefault,VPCsandVPNsareassociatedwiththedefaultroutetable
RouteSegmentationcanbeachievedbycreatingadditionalroutetablesandassociateVPCsandVPNwithit.
RoutescanpointtoaVPCoraVPNconnection.
Thereare2wayswhereroutesgetpropagatedintheTransitGateway:
o Routespropagatedto/fromon-premises-networks/ Site-to-siteVPN
o Routeswillbepropagated/advertisedbetweentheTGWandyouron-premisesrouterusingBorderGateway
Protocol(BGP)
o RoutesPropagatedto/fromVPCs.
o WhenyouattachaVPCtoaTransitGatewayorresizesanattachedVPC,theVPCCIDRswillbepropagated
intotheTransitGatewayroutetableusinginternalAPIs(notBGP).
o RoutesintheTransitGatewayroutetablewillnotbepropagatedtotheVPC’sroutetable.
o VPCownerneedtocreatestaticroutetosendTraffictotheTransitGateway.
aws ec2 create-transit-gateway-route
--transit-gateway-route-table-ids
tgw-rtb-abc3232
--destination-cidr-block 10.1.0.0/16
--target-vpc-id vpc-34234322
CreatingRoutesStaticallyintheTGW

Let’s look at a routing scenario
Customerhas:
ThreeAccounts: [Account–A,Account–B,Account–C]
Three(3)VPCs: [ vpc-aa-00 | vpc-bb-00 | vpc-cc-00 ]
One(1)Datacenter: [ DC–1 ]
Customerneedsto:
InterconnectallthreeVPCs
vpc-aa-00 & vpc-bb-00 Shouldroute ALLInternetRequestthroughaNATGatewayin VPCvpc-cc-00
Establish multipleIPSectunnels toacentralpointandpropagateitsroutestoitsAmazonVPCs
vpc-aa-00, vpc-bb-00 & vpc-cc-00shouldbeabletocommunicatewithusersandresourcesinDC-1aws ec2 create-transit-gateway

Private subnet
Internal app
Availability Zone A
ROUTE TABLE
Oregon (us-west-2) Region
Private subnet
Internal app
Availability Zone A
ROUTE TABLE
TRANSITGATEWAY
TGW-XYZ-123
ACCOUNT - A
ACCOUNT - B
Customer network
Private Route Table
Destination Target
10.1.0.0/16 Local
10.2.0.0/16 TGW-XYZ-123
10.3.0.0/16 TGW-XYZ-123
172.16.0.0/16 TGW-XYZ-123
Transit Gateway Default Route Table
Destination Target Route Description
10.1.0.0/16 Vpc-aa-00 Route to reach VPC - A
10.2.0.0/24 Vpc-bb-00 Route to reach VPC - B
10.3.0.0/24 Vpc-cc-00 Route to reach VPC - C
172.16.0.0/16 IPSEC-VPN-CONN-XXXXXX Route to on-premises DC
Private Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/16 TGW-XYZ-123
10.3.0.0/16 TGW-XYZ-123
172.16.0.0/16 TGW-XYZ-123
Availability
Zone A
ROUTE TABLE
ACCOUNT - EPrivate Route Table
Destination Target
10.3.0.0/16 Local
10.2.0.0/16 TGW-XYZ-123
10.1.0.0/16 TGW-XYZ-123
10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
vpc-aa-000
vpc-bb-000
vpc-cc-000
DC -1
172.16.0.0/16
Bandwidth per tunnel 1250Mbps
Maximum Tunnels : 30
IPSEC VPN
ECMP

Private subnet
Internal app
Availability Zone A
ROUTE TABLE
Private subnet
Internal app
Availability Zone A
ROUTE TABLE
TRANSITGATEWAY
TGW-XYZ-123
ACCOUNT - A
ACCOUNT - B
Customer network
Private Route Table
Destination Target
10.1.0.0/16 Local
10.30.0.0/16 TGW-XYZ-123
0.0.0.0/0 IPSEC-VPN-CONN-XXXXXX Route to on-premises DC
Private Route Table
Destination Target
10.2.0.0/16 Local
10.30.0.0/16 TGW-XYZ-123
AZ-A
ROUTE TABLE
ACCOUNT - EPrivate Route Table
Destination Target
10.30.0.0/16 Local
10.1.0.0/16 TGW-XYZ-123
10.1.0.0/16
10.2.0.0/16
10.30.0.0/16
vpc-aa-000
vpc-bb-000
SHARED SERVICES -vpc-cc-000
DC -1
172.16.0.0/16
Bandwidth per tunnel 1250Mbps
Maximum Tunnels : 30
IPSEC VPN
ECMP
VPC-A to VPC –B Route Table
DNS
Directory
Logging
Monitoring
Security

Private subnet
Internal app
Availability Zone A
ROUTE TABLE
Private subnet
Internal app
Availability Zone A
ROUTE TABLE
TRANSITGATEWAY
TGW-XYZ-123
ACCOUNT - A
ACCOUNT - B
Customer network
Private Route Table
Destination Target
10.1.0.0/16 Local
10.2.0.0/16 TGW-XYZ-123
10.3.0.0/16 TGW-XYZ-123
0.0.0.0/0 TGW-XYZ-123
172.16.0.0/16 TGW-XYZ-123
10.3.0.0/24 Vpc-cc-00 Route to reach VPC - C
172.16.0.0/16 IPSEC-VPN-CON Route to on-premises DC
0.0.0.0/0 Vpc-cc-00 Routed to Palo-Alto ENI
Private Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/16 TGW-XYZ-123
10.3.0.0/16 TGW-XYZ-123
0.0.0.0/0 TGW-XYZ-123
172.16.0.0/16 TGW-XYZ-123
Availability Zone A
ROUTE TABLE
ACCOUNT - E
Private Route Table
Destination Target
10.3.0.0/16 Local
0.0.0.0/0 Palo-Alto-ENI
10.1.0.0/16 TGW-XYZ-123
10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
vpc-aa-000
vpc-bb-000
vpc-cc-000
DC -1
172.16.0.0/16
IPSEC VPN
ECMP
INTERNET
TGW- ENI
IGW

Private subnet
Internal app
Availability Zone A
ROUTE TABLE
us-eAst-2
Region
Private subnet
Internal app
Availability Zone A
ROUTE TABLE
TRANSITGATEWAY
TGW-XYZ-123
ACCOUNT - A
ACCOUNT - B
Customer
network
Private Route Table
Destination Target
10.1.0.0/16 Local
10.2.0.0/16 TGW-XYZ-123
172.16.0.0/16 TGW-XYZ-123
172.16.0.0/16 IPSEC-VPN-CONN Route to on-premises DC
Private Route Table
Destination Target
10.2.0.0/16 Local
10.1.0.0/16 TGW-XYZ-123
172.16.0.0/16 TGW-XYZ-123
10.1.0.0/16
10.2.0.0/16
vpc-aa-000
vpc-bb-000
172.16.0.0/16
DX INTEGRATION
IPSEC VPN
A Z - A
ACCOUNT - B10.22.0.0/16
Transit - vpc-bb-000
A Z - B
PRIVATE VIF
IPSEC VPN
CROSS REGION PEERING COMING SOON!!!!!!!

Key benefits of Transit Gateway
SimplifiedNetworking
EasytoManageSetUp
HigherVPNBandwidth
Reliability
SinglepointtoconnectVPCs(whethersameaccountoracrossaccounts)andSite-to-SiteVPNsforsimplified
management
Reducesthetime tosetupnewVPCsneedingedgeconnectivity
Reduces operationalburdeninmanagingedgeconnectivityforalargenumberofVPCs
OffersthesamereliabilityastherestofAWSplatform.Itusesacellular,scalable,andresilientplatformthat
runswithinAmazon’sproveninfrastructure
Achievebandwidthrangefrom1.2Gbpsto >60Gbps by
leveragingECMPacrosstwoto50Site-2-SiteVPNtunnels
Integration
ControloverinterconnectivitypoliciesbetweenVPCsandon-premises
networkswhichimprovetheirnetworksecurity.
Security
managementandmonitorTransitGatewayswithCloudFormation,
CloudWatchandVPCFlowLogs.

VPC SHARING
ShareVPCsacrossmultiple accountsinanAWSOrganization
ShareVPCsacrossmultipleaccounts
inanAWSOrganization
FLATNETWORKSPACE
FORALL

Customers Complain About
Inconsistentnetworkconfigurationsduetolackofcentralizedcontrolandinsufficientnetworkskillsacrosstheorganization
Lackoftoolingtoenforceconsistentconfigurationsandsecuritycontrolsacross100sofVPCsacross100sofaccounts
ManagingcomplexmeshesofVPCPeeringsandPrivateLinkconnectionstoprovideinterconnectivity
HighercostsbecauseofmultipleVPN/DXconnections
IPwastageduetotheneedtohavenon-overlappingVPCCIDRsforpeering.
CustomerswithhundredsofVPCsoftencomplainof:

ACCOUNT – A ( VPC Owner )
VPCCIDR10.0.0.0/16
Availability Zone A Availability Zone B Availability Zone C
10.0.2.0/2410.0.1.0/24
PublicSubnet PrivateSubnet PublicSubnet PrivateSubnet PublicSubnet PrivateSubnet
10.0.1.0/24 10.0.1.0/24 10.0.1.0/24 10.0.1.0/24
ACCOUNT – B ACCOUNT – C ACCOUNT – C ACCOUNT – C ACCOUNT – C
Participant Accounts

ACCOUNT – A (VPC Owner)
VPCCIDR10.0.0.0/16
Availability Zone A Availability Zone B Availability Zone C
10.0.2.0/2410.0.1.0/24
PublicSubnet PrivateSubnet PublicSubnet PrivateSubnet PublicSubnet PrivateSubnet
10.0.1.0/24 10.0.1.0/24 10.0.1.0/24 10.0.1.0/24
AWS Organizations
Share across all accounts in multiple OUs in the same org
create-resource-share –name “MAVPC_OU1-3” – resource-
arns [‘arn:aws:ec2:us-east-1:12345678901:subnet/subnet-
1’, ‘arn:aws:ec2:us-east-1:12345678901:subnet/subnet-2’]
--principals [‘ou-1’, ‘ou-2’, ‘ou-3’]

VPC Owner Sharing VPC Subnet
Share across all accounts in multiple OUs in the same org
create-resource-share –name “MAVPC_OU1-3” – resource-arns [‘arn:aws:ec2:us-east-1:12345678901:subnet/subnet-
1’, ‘arn:aws:ec2:us-east-1:12345678901:subnet/subnet-2’] --principals [‘ou-1’, ‘ou-2’, ‘ou-3’]
Share across all accounts in the same AWS Org
> create-resource-share –name “MAVPC_ORG_1” – resource-arns [‘arn:aws:ec2:us-east-1:12345678901:subnet/subnet-
1’, ‘arn:aws:ec2:us-east-1:12345678901:subnet/subnet-2’] –- principals [‘org_1’]

Participant Accounts
{
"Subnets": [
{
"VpcId": "vpc-a0110aaaa", // Participant owned VPC
………
"SubnetId": "subnet-9d4aaaaa", // Participant owned subnet
………
"OwnerAccountId": "2222222222222” // Participant AccountId
},
{
….....
"VpcId": "vpc-11111111", // MAPVC
"State": "available",
"MapPublicIpOnLaunch": false,
"SubnetId": "subnet- aaaaaaa", //MAVPC Subnet
……….,
"OwnerAccountId": "111111111111” , // MAVPC Owner id
}
]
}
aws ec2 describe-subnets

Key Benefits & Use Cases of Sharing VPC
SimplerAllocationofPrivateIPv4SpaceNaturalInterconnectivity:
EnforcementofSeparationofDutiesandConsistentNetwork Configurations
SharingofVPCsprovidesthebenefitsofbillingsegregationandaccesscontrol
acrossprojectsandteamsthroughtheuseofmultipleaccounts
Whatarethekeybenefitsofusing thisfeature? UseCases
ConsolidationofVPCs:
Customerswith100sofaccounts,whowould
preferanetworkarchitecturewith10sof
centrallymanagedVPCswithlargeCIDR
Small-tomedium-sizecustomersmigrating
tothecloud:
Small-tomedium-sizedcustomerslookingtomigrate
tothecloudcanleveragethecapabilityduring
migration

Sharing VPC Segmentation & Security
AnAccountOwner
o CannotseeParticipantAccounts recourseslikeEC2Instances,Loadbalancers,
LambdaFunctions
o DescribeNetworkInterfaceswillindicatetheowneraccountofeachENI,evenif
theowneristheVPCowner
o FullAccess&ControlofSubnets,RouteTables &NACLs
o CanDescribeSecurityGroupsforParticipantAccountsbutcannotModify
ParticipantAccount
o FullAccesstoresourcescreatedinthesubnetsbeingshared
o FullAccesstocreateSecurityGroupsforresourcesinsideinthesharedsubnets
o NoaccesstotheowneraccountSecurityGroupsorotherParticipantSecurityGroups
o UnabletointeractormodifyAmazonRoute53PrivateHostedZone,Peering,VGW,NAT
GW
PacketSegmentation
o Subnetting
o RouteTables
o SecurityGroups
o NACLs

ACCOUNT – A ( VPC Owner)
VPCCIDR10.0.0.0/16
Availability Zone A
10.0.1.0/24
PublicSubnet
10.0.1.0/24
PrivateSubnet
Availability Zone B
10.0.1.0/24
PrivateSubnet
10.0.1.0/24
PublicSubnet
Availability Zone C
10.0.1.0/24
PublicSubnet
10.0.1.0/24
PrivateSubnet
VPCCIDR10.2.0.0/16
Availability Zone A
10.2.1.0/24
PrivateSubnet
Prod-VPC
Availability Zone B
10.2.2.0/24
PrivateSubnet
10.0.1.0/20
Private
LambdaSubnet
10.0.1.0/20
Private
LambdaSubnet
10.0.1.0/20
Private
LambdaSubnet
ACC-1
ACC-2
ACC-N
SharedVPC
VPCPEERING
Logging&Monitoring
ADDomainControllers
Security
Logging&Monitoring
ADDomainControllers
Security
Logging&Monitoring
ADDomainControllers
Security

VPC–ID-XYZABC
Availability Zone A
10.0.1.0/24
PublicSubnet
10.0.1.0/24
PrivateSubnet
Availability Zone B
10.0.1.0/24
PrivateSubnet
10.0.1.0/24
PublicSubnet
VPCCIDR10.0.0.0/16
Availability Zone A
10.0.1.0/24
PublicSubnet
10.0.1.0/24
PrivateSubnet
Availability Zone B
10.0.1.0/24
PrivateSubnet
10.0.1.0/24
PublicSubnet
VPCCIDR10.0.0.0/16
Availability Zone A
10.0.1.0/24
PublicSubnet
10.0.1.0/24
PrivateSubnet
Availability Zone B
10.0.1.0/24
PrivateSubnet
10.0.1.0/24
PublicSubnet
VPCCIDR10.0.0.0/16
ACCOUNT – A
( VPC Owner )
(Participant Acc) (Participant Acc)
(Participant Acc)
o OneSingleVPC,MultipleVPCCIDRBlocks
o CIDRperBusinessUnit
o NACLsSecurityBoundaryfor eachsubnet

Thank you!

From One to Many: Diving Deeper into Evolving VPC Design (ARC310-R2) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to From One to Many: Diving Deeper into Evolving VPC Design (ARC310-R2) - AWS re:Invent 2018

Similar to From One to Many: Diving Deeper into Evolving VPC Design (ARC310-R2) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

From One to Many: Diving Deeper into Evolving VPC Design (ARC310-R2) - AWS re:Invent 2018