
Networking Advanced VPC Design and New Capabilities

At the seventh AWS re:Invent, held by Amazon AWS in Las Vegas at the end of November 2018, attendance by AWS customers, partners, media, industry analysts and AWS employees set a new record of more than 50,000 people. AWS announced more than 20 cloud offerings at the event, over half of them aimed at cloud AI, machine learning and IoT, including more advanced features for SageMaker, the first dedicated machine-learning inference chip, deeper support for machine-learning algorithms, and other solutions covering storage, databases, hybrid cloud and edge-computing IoT. The appearance of DeepRacer, a miniature self-driving RC car with on-board machine learning, was a surprise that not only caught the eye but, through its attention to the customer experience, won over users worldwide.

To keep you in step with the latest technology worldwide, share the newest trend information, and help solve the problems you run into when developing machine learning and AIoT, the AWS Taiwan team will hold "AWS re:Invent 2018 Recap Taipei" on Thursday, 31 January 2019, with content selected for the needs of local practitioners and enterprises, presenting AWS's new services and solutions in two tracks, "Technical Innovation" and "AIoT". Besides inviting Dr. Xia Zhang (張俠), Principal Evangelist for Amazon AWS Greater China, to share AWS's solution roadmap, many senior AWS experts will present new offerings including machine learning and accelerated deep-learning inference, fully managed file systems and databases, serverless, container technology and security, as well as big data and analytics, IoT service applications, and storage solutions. You are welcome to attend and experience first-hand the benefits that AWS's new services can create for your innovation.



  1. Advanced VPC Design and New Capabilities for Amazon VPC. Bruce Wang, Solutions Architect
  2. Previously, from AWS: an AWS Region with Availability Zone 1 and Availability Zone 2, each holding a public subnet and a private subnet, inside a VPC with CIDR 10.1.0.0/16 (+ Expand the CIDR, + IPv6).
  3. Previously, from AWS (diagram): the same VPC (CIDR 10.1.0.0/16, + Expand, + IPv6) with Instance A 10.1.0.11/24, Instance B 10.1.1.11/24, Instance C 10.1.2.11/24 and Instance D 10.1.3.11/24 across the public and private subnets. Connectivity shown: an Internet Gateway (IGW) to the Internet, Elastic IPs (EIP 10.1.0.11 : 54.23.12.43, EIP 10.1.1.11 : 54.19.12.23) and a NAT gateway (NAT-GW) per AZ; a Virtual Private Gateway (VGW) with VPN and AWS Direct Connect (DXGW) to on-premises; VPC Peering (PCX-123, intra- or inter-region) to VPC-B; a gateway VPC endpoint (VPCE-123) for Amazon S3; AWS PrivateLink to a service provider VPC behind an NLB; VPC Flow Logs; and access to AWS Lambda, AWS IoT, Amazon DynamoDB, Amazon S3, Amazon SQS and Amazon SNS. One route table (Destination → Target): 10.1.0.0/16 → Local; 0.0.0.0/0 → IGW; S3.prefix.list → VPCE-123; On-premises → VGW; VPC-B → PCX-123. A second route table is identical except that the default route 0.0.0.0/0 points to Instance B (a NAT instance) instead of the IGW.
  4. Previously, from AWS (diagram): the same VPC, route tables and NAT gateways, with AWS PrivateLink to a service provider VPC via NLB. PrivateLink endpoints at that time covered: API endpoints for Amazon EC2 and Elastic Load Balancing (ELB); Amazon Kinesis Data Streams; AWS Service Catalog; Amazon EC2 Systems Manager.
  5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  6. AWS PrivateLink. Before: VPC endpoints for Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB only. After: PrivateLink is a way to reach additional public services privately from your Amazon Virtual Private Cloud (Amazon VPC); each PrivateLink endpoint is represented by a private IP from the assigned subnet; no route table update is required; supported services: API endpoints for Amazon EC2 and Elastic Load Balancing (ELB), Amazon Kinesis Streams, AWS Service Catalog, Amazon EC2 Systems Manager.
  7. After: 19 services now supported over AWS PrivateLink (diagram of the VPC with NAT gateways and endpoints): Amazon API Gateway, AWS CloudFormation, Amazon CloudWatch, Amazon CloudWatch Events, Amazon CloudWatch Logs, AWS CodeBuild, AWS Config, Amazon EC2 API, Elastic Load Balancing API, AWS Key Management Service, Amazon Kinesis Data Streams, Amazon SageMaker Runtime, AWS Secrets Manager, AWS Security Token Service, AWS Service Catalog, Amazon SNS, AWS Systems Manager, and more.
  8. AWS PrivateLink (additional endpoints): https://amzn.to/2TTHxXh
  9. Bonus: AWS PrivateLink now supports access over AWS VPN and Inter-region Peering. VPN: https://amzn.to/2Iv0UAo; Inter-region Peering: https://amzn.to/2NBTFI0
  11. Amazon VPC Sharing, before
  12. (diagram) Six accounts, each with its own VPC: Llama 10.3.0.0/16, Pegasus 10.2.0.0/16, Barry 10.1.0.0/16, Iguana 10.6.0.0/16, Steve 10.5.0.0/16 and Sue 10.4.0.0/16, running AWS Lambda, Amazon EC2, Amazon Redshift and Amazon RDS across the Prod 1, Dev, Test, Prod 2, Prod 3 and Prod 4 environments.
  13. Amazon VPC Sharing, after
  14. (diagram) The same six accounts, VPCs and workloads as slide 12.
  15. (diagram) Only Pegasus 10.2.0.0/16 and Barry 10.1.0.0/16 keep a VPC, as Owners; Llama, Iguana, Steve and Sue no longer have their own CIDRs and become Participants in the shared VPCs, with the same workloads.
  16. Amazon VPC Owner: Amazon VPC owners are responsible for creating, managing and deleting all VPC-level entities. Amazon VPC owners cannot modify or delete participant resources.
  17. Amazon VPC Participant: participants in a shared Amazon VPC are responsible for the creation, management and deletion of their resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) databases, and load balancers. However, they cannot modify any Amazon VPC-level entities, including route tables, network ACLs or subnets, or view or modify resources belonging to other participants.
  18. Why use multiple accounts?
  19. Why use Amazon VPC sharing? Preserve IP space: use fewer IPv4 CIDRs. Interconnectivity: no VPC peering required. Billing and security: continue to enjoy segregation with multiple accounts. Separation of duties: a central team can create and manage your Amazon VPC. Same-AZ cost for data transfer is nil!
  20. Amazon VPC Sharing details: https://amzn.to/2Aovw2Z
  22. Before
  23. (diagram) AWS Region 1 and AWS Region 2, each reached separately from the client.
  24. After
  25. (diagram) AWS Region 1 and AWS Region 2 both fronted by the same static anycast IP, 3.10.3.125.
  26. Client state: applications can keep state, with connections routed to the same endpoint after the initial connection. AWS's global network: traffic routed through the Accelerator traverses the AWS global network instead of the public Internet. Static anycast IPs: Global Accelerator uses static IP addresses as a fixed entry point to your applications; these IP addresses are anycast from AWS edge locations.
  27. AWS Global Accelerator: https://amzn.to/2FI3y89
  29. (diagram) An on-premises customer gateway (CGW) connected to a virtual private gateway (VGW) by IPsec tunnel 1 (primary) and IPsec tunnel 2 (secondary) over the Internet.
  30. Before AWS Client VPN: VPC VPN connections were site-to-site only.
  31. How does this change my architecture?
  32. After AWS Client VPN: AWS now supports client-to-site VPN termination with OpenVPN clients through the Client VPN endpoint.
  33. (diagram) A user with an OpenVPN client connects over a TLS-based tunnel across the Internet to the Client VPN endpoint, which is attached to the Amazon VPC; from there the client can reach Amazon S3, Amazon DynamoDB and on-premises.
  34. AWS Client VPN: https://amzn.to/2Uru9J5
  36. Transit Gateway (TGW)
  37. Before: VPC Peering (diagram). Five VPCs A–E; VPC B peers with each of the others over PCX-1 to PCX-4. VPC B route table (Destination → Target): B → Local; A → PCX-1; C → PCX-2; D → PCX-3; E → PCX-4.
  38. Full mesh: how many Amazon VPC peering connections do I need? n(n-1)/2. VPC x 10.
  39. Full mesh, VPC x 10: 10(10-1)/2
  40. Full mesh, VPC x 10: 45
  41. Full mesh, VPC x 100: 100(100-1)/2
  42. Full mesh, VPC x 100: 4500
  43. Limits: static routes per Amazon VPC route table: 100. Amazon VPC peering connections per Amazon VPC: 125.
  44. Before: Transit VPC with IPsec (diagram). IPsec between VPCs (limits apply); VPCs A, B, D, E hub through a transit VPC. VPC B route table: B → Local; 0.0.0.0/0 → VGW.
  45. Before: VPN connection per VPC (diagram). VPCs A, B and C each terminate their own VPN to on-premises; IPsec between VPCs (limits apply).
  46. After: AWS Transit Gateway (TGW)
  47. After: AWS Transit Gateway (diagram). VPCs A, B, C and an on-premises VPN attach to the TGW: VPC A : Attachment 1; VPC B : Attachment 2; VPC C : Attachment 3; On-prem : VPN 4. The TGW has its own route tables (RT1, RT2). VPC B route table: B → Local; 0.0.0.0/0 → TGW.
  48. Attachment: the connection from an Amazon VPC or VPN to a TGW. Association: the route table used to route packets coming from an attachment (from an Amazon VPC or VPN). Propagation: the route table where the attachment's routes are installed.
  49. After: AWS Transit Gateway (diagram). Llama 10.1.0.0/16, Pegasus 10.2.0.0/16 and Barry 10.3.0.0/16 attach to the TGW through attachments X, Y and Z. TGW route table RT1: associations Llama from X, Pegasus from Y, Barry from Z; propagations Llama from X, Pegasus from Y, Barry from Z; routes 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 10.3.0.0/16 via Z. Llama's subnet route tables: 10.1.0.0/16 → Local, 0.0.0.0/0 → TGW (private subnet); 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW, 10.0.0.0/8 → TGW (public subnet).
  50. Same as slide 49, with Llama also carrying 10.8.0.0/16 and 10.9.0.0/16: RT1 gains the routes 10.8.0.0/16 via X and 10.9.0.0/16 via X.
  51. Same as slide 50: with propagation turned off, you can still statically configure the routes 10.8.0.0/16 via X and 10.9.0.0/16 via X.
  52. After: AWS Transit Gateway (diagram). Llama 10.1.0.0/16 (attachment X), Pegasus 10.2.0.0/16 (Y), Barry 10.3.0.0/16 (Z) and On-premises 172.16.0.0/16 (VPN attachment Q), with three TGW route tables. RT1: associations Llama from X, Pegasus from Y; propagations Llama from X, Pegasus from Y, On-prem from Q; routes 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 172.16.0.0/16 via Q. RT2: association Barry from Z; propagations Barry from Z, On-prem from Q; routes 10.3.0.0/16 via Z, 172.16.0.0/16 via Q. RT3: association On-prem from Q; propagations Llama from X, Pegasus from Y, Barry from Z, On-prem from Q; routes 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 10.3.0.0/16 via Z, 172.16.0.0/16 via Q.
  53–54. Packet SRC Llama, DST On-prem: it enters from attachment X, is looked up in RT1 (X's association) and leaves via Q.
  55–56. Packet SRC Barry, DST On-prem: it enters from attachment Z, is looked up in RT2 (Z's association) and leaves via Q.
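The association, propagation and lookup behaviour of slides 48 to 56, as an added Python model that is not part of the deck and not an AWS API: the attachment ids X, Y, Z, Q and the Llama, Pegasus, Barry and on-prem CIDRs are the deck's, while the TgwRouteTable and TransitGateway classes are this example's own simplification (a real TGW also has blackhole routes, which it omits). It rebuilds slide 52 and shows why Llama reaches on-prem but not Barry, and why Barry's route table never learns Llama or Pegasus.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TgwRouteTable:
    routes: dict = field(default_factory=dict)  # CIDR -> attachment id

    def propagate(self, attachment, cidr):  # propagation installs the attachment's CIDR
        self.routes[cidr] = attachment

    def add_static(self, cidr, attachment):  # static route; works with propagation off
        self.routes[cidr] = attachment

    def lookup(self, dst_ip):  # longest-prefix match; None = no route, packet dropped
        ip, best = ipaddress.ip_address(dst_ip), None
        for cidr, att in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, att)
        return best[1] if best else None


class TransitGateway:
    def __init__(self):
        self.tables = {}        # table name -> TgwRouteTable
        self.associations = {}  # attachment id -> name of the table it is associated with

    def table(self, name):
        return self.tables.setdefault(name, TgwRouteTable())

    def associate(self, attachment, table_name):  # packets from attachment use this table
        self.associations[attachment] = table_name

    def forward(self, src_attachment, dst_ip):
        return self.tables[self.associations[src_attachment]].lookup(dst_ip)


def build_slide_52():  # X=Llama, Y=Pegasus, Z=Barry, Q=on-prem VPN (CIDRs from the deck)
    cidrs = {"X": "10.1.0.0/16", "Y": "10.2.0.0/16", "Z": "10.3.0.0/16", "Q": "172.16.0.0/16"}
    tgw = TransitGateway()
    # table name -> (associated attachments, attachments whose CIDRs propagate into it)
    plan = {"RT1": (("X", "Y"), ("X", "Y", "Q")),   # Llama/Pegasus: each other + on-prem
            "RT2": (("Z",), ("Z", "Q")),            # Barry: on-prem only
            "RT3": (("Q",), ("X", "Y", "Z", "Q"))}  # on-prem: every VPC
    for name, (assoc, props) in plan.items():
        for att in assoc:
            tgw.associate(att, name)
        for att in props:
            tgw.table(name).propagate(att, cidrs[att])
    tgw.table("RT1").add_static("10.8.0.0/16", "X")  # slide 51: static route, no propagation
    return tgw
```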
  57. After: AWS Transit Gateway (TGW) – the console
  58. (console screenshot) a TGW named "Unicorn TGW" with the description "This TGW is Awesome"
  59. After: AWS Transit Gateway (TGW) – the console
  60. Limits: TGWs per account / TGW attachments per Amazon VPC: 5. Maximum burstable bandwidth per attachment: 50 Gbps.
  61. Maximum bandwidth per VPN connection: 1.25 Gbps*. *With ECMP, you can distribute traffic over multiple tunnels, e.g. 8 tunnels = 10 Gbps.
  62. Routes per TGW: 10,000. Number of TGW attachments per region per account: 5,000.
  63. Cross-region connectivity? TGW is a region-level construct today.
  64. Before TGW
  65. (diagram) Amazon VPC peering for full-mesh connectivity; instance-based transit Amazon VPC (IPsec between VPCs, limits apply); a VPN connection per Amazon VPC (VPCs A, B, C each to on-premises).
  66. After TGW: up to 5,000 Amazon VPC attachments per TGW; 1.25 Gbps per VPN connection, with ECMP; 10,000 routes per TGW; multiple TGW route tables for finer routing control; 50 Gbps of bandwidth per attachment per Availability Zone; a centralized hub for routing between Amazon VPCs and from on-premises to AWS.
  67. TGW detailed instructions: https://amzn.to/2SkI4zV
  68. Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Bruce Wang, ykwang@amazon.com
