
Networking and Edge Services on AWS

  1. SUMMIT AMSTERDAM
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Networking and Edge Services on AWS. Viktor Goldberg, Cloud Infrastructure Architect, AWS Professional Services
  3. What to expect: building an advanced hybrid and connected architecture; exploring new capabilities and features including VPC Sharing, AWS Transit Gateway, Amazon Route 53 Resolver and AWS Global Accelerator
  4. What not to expect: • Explanation of VPC basics; we assume that you know VPCs, subnets, route tables, security groups / NACLs • Explanation of AWS core services
  5. Agenda: Account Strategy; Network Services; Connectivity (VPN, WAN, AWS Direct Connect, Transit VPC); Shared Services; Multi-Region Options
  7. Our starting point (diagram: a VPC with Dev and Prod, a virtual private gateway, VPN and AWS Direct Connect to the WAN)
  8. Challenge: adding more VPCs (diagram: several Dev/Prod VPCs, each connected to the WAN over VPN and AWS Direct Connect)
  9. Challenge: peering VPCs. Let's: connect dev and prod (VPC peering); connect the yellow environment. How does this scale?
  10. Scaling connections? Scaling VPC peering? Shared services? Firewall and services?
  11. Transit VPC (diagram: the Dev/Prod VPCs connect through a Transit VPC, which connects to the WAN over VPN and AWS Direct Connect)
  12. AWS Transit Gateway (new) (diagram: the Transit VPC is replaced by a Transit Gateway)
  15. Account and VPC segmentation, from smaller VPCs or accounts to larger VPCs or accounts. Infrastructure and Networking: automation of infrastructure; AWS Direct Connect and VPN standards; subnet and routing standards. Policy and IAM: AWS Identity and Access Management; strict security groups and routing; identifying resources with tags
  16. Segmentation: decision inputs. Relationship between accounts, VPCs, and tenants? • Do accounts and tenants trust each other? • Is the current network segmentation intentional or a side effect? Who owns security and networking? • Each team or a centralized team? Compliance and governance requirements? • Can they be scoped to an account or a VPC level?
  17. Segmentation options: layers. Inside the account: baseline security (IAM, security groups). At the VPC: network security (route tables, network ACLs). Separate VPCs (diagram: applications grouped in one VPC versus split across VPCs)
  18. VPC sharing: easily share VPC networks between AWS accounts, providing central oversight and control for networking engineers
  19. VPC Sharing and Resource Access Manager: share subnets between accounts in an AWS Organization (diagram: an infrastructure account owns a VPC with subnets 172.16.0.0, 172.16.1.0, 172.16.2.0; one resource share offers public and private subnets, another offers private subnets only, to participant accounts)
  20. VPC Sharing and Resource Access Manager: account owners only see subnets and their resources
  22. VPC Sharing benefits. Less unused resources: • Higher density subnets, add up to 5 additional CIDRs • More efficient use of VPN and AWS Direct Connect. Separation of duties: • Infrastructure strictly controls routing, IP addresses, and VPC structure • Developers own their resources, accounts, and security groups. Decouple accounts and networks: • Account protection and billing without additional infrastructure • Many accounts with fewer networks • Avoid VPC peering charges
  25. Shared services connectivity options. VPC peering: • One-to-one connectivity • Scales to 100 VPCs • Security groups across VPCs • Inter-region peering. Transit VPC: • Shared services as a spoke • Bandwidth constrained • Complex management • Instance and licensing costs. AWS Transit Gateway: • Many-to-many or one-to-many with route tables • Highly scalable • Hourly per attachment costs. AWS PrivateLink: • One-to-many connectivity • Highly scalable • Supports overlapping CIDRs • Uses Elastic Load Balancing • Load balancing and hourly endpoint costs. (Diagrams: shared services such as authentication, security and logging reached over peering; a Transit VPC with shared services as a spoke; a Transit Gateway with route tables connecting Development, Testing, Production and Shared Services VPCs, each used by several accounts)
  27. What is the AWS Transit Gateway?
  28. Introducing: Transit Gateway. Regional service; scalable; flexible routing. (Diagram: within an AWS Region, the Transit Gateway attaches VPCs through ENIs, plus VPN and AWS Direct Connect*, across separate routing domains.) Available Q1 2019
  29. Flat: Transit Gateway route domains (route tables). Default routing domain: 10.1.0.0/16 → vpc-att-1xxxxxxx; 10.2.0.0/16 → vpc-att-2xxxxxxx; 10.3.0.0/16 → vpc-att-3xxxxxxx; 10.4.0.0/16 → vpc-att-4xxxxxxx. Per VPC route table: 10.1.0.0/16 → Local; 10.0.0.0/8 → tgw-xxxxxxxxx
  31. Isolated: Transit Gateway route domains. Routing domain for VPN: 0.0.0.0/0 → VPN. Per VPC route table: 10.1.0.0/16 → Local; 0.0.0.0/0 → tgw-xxxxxxxxx. Routing domain for VPCs: 10.1.0.0/16 → vpc-att-1xxxx; 10.2.0.0/16 → vpc-att-2xxxx; 10.3.0.0/16 → vpc-att-3xxxx; 10.4.0.0/16 → vpc-att-4xxxx. Attachments are associated with a route table (where their traffic can go) and propagate routes into a route table (which routes can reach them)
  34. Isolated: Transit Gateway route domains with shared services (VPN and a shared services VPC). Route table for the VPCs: 10.0.0.0/8 → VPN; 10.4.0.0/16 → vpc-att-4xxxx. Route table for the shared resources: 10.1.0.0/16 → vpc-att-1xxxx; 10.2.0.0/16 → vpc-att-2xxxx; 10.3.0.0/16 → vpc-att-3xxxx; 10.4.0.0/16 → vpc-att-4xxxx. VPCs associate to a route table with routes to shared resources; shared resources attach to a route table with routes to all resources
  35. Reference Network Architecture (diagram: a Transit Gateway with route tables connecting VPCs used by several accounts, VPN and AWS Direct Connect*, with IAM cross-account roles). Available soon
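Added example, not from the deck: a small Python model of the Transit Gateway route-domain pattern on slides 29 to 34 (association, propagation, longest-prefix match). The attachment names vpc-att-1 to vpc-att-4 and vpn-att, the table names vpcs and shared, and 10.0.0.0/8 as the on-premises aggregate are assumptions; the check at the end confirms that no spoke VPC has a direct route to another spoke, and flags the leak when a spoke is propagated into the wrong table.

```python
from ipaddress import ip_address, ip_network


class TransitGateway:
    """Minimal model of TGW route tables, associations and propagations."""

    def __init__(self):
        self.tables = {}       # table name -> list of (network, attachment id)
        self.association = {}  # attachment id -> the one table it is associated with
        self.cidrs = {}        # attachment id -> networks behind that attachment

    def add_attachment(self, att_id, cidrs, table):
        self.cidrs[att_id] = [ip_network(c) for c in cidrs]
        self.association[att_id] = table
        self.tables.setdefault(table, [])

    def add_route(self, table, dest, att_id):
        """Static route: destination prefix -> attachment."""
        self.tables.setdefault(table, []).append((ip_network(dest), att_id))

    def propagate(self, att_id, table):
        """Propagation: the attachment's CIDRs are installed into the table."""
        for net in self.cidrs[att_id]:
            self.tables.setdefault(table, []).append((net, att_id))

    def next_hop(self, src_att, dst_ip):
        """Traffic entering from src_att is looked up only in the table that
        attachment is associated with, longest prefix wins; None = no route."""
        dst = ip_address(dst_ip)
        best = None
        for net, att in self.tables[self.association[src_att]]:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, att)
        return best[1] if best else None


def build_shared_services_tgw():
    """Slide 34 pattern: spoke VPCs reach on-premises and the shared services
    VPC but not each other. All IDs and CIDRs are constructed for the example."""
    tgw = TransitGateway()
    for i in (1, 2, 3):                                   # spoke VPCs
        tgw.add_attachment(f"vpc-att-{i}", [f"10.{i}.0.0/16"], "vpcs")
    tgw.add_attachment("vpc-att-4", ["10.4.0.0/16"], "shared")  # shared services VPC
    tgw.add_attachment("vpn-att", ["10.0.0.0/8"], "shared")     # on-premises (assumed)
    # Route table for the VPCs: only routes to shared resources.
    # Spoke-to-spoke traffic matches 10.0.0.0/8 and is handed to the VPN,
    # so it never reaches another spoke via the TGW.
    tgw.add_route("vpcs", "10.0.0.0/8", "vpn-att")
    tgw.propagate("vpc-att-4", "vpcs")
    # Route table for shared resources: routes to all resources.
    for i in (1, 2, 3, 4):
        tgw.propagate(f"vpc-att-{i}", "shared")
    tgw.add_route("shared", "10.0.0.0/8", "vpn-att")
    return tgw


def spoke_isolation_violations(tgw, spokes):
    """Return (src, dst) pairs where a spoke has a direct TGW route to another
    spoke's CIDR, i.e. the isolation the route domains should enforce is broken."""
    violations = []
    for src in spokes:
        for dst in spokes:
            if src == dst:
                continue
            for net in tgw.cidrs[dst]:
                if tgw.next_hop(src, str(net.network_address + 1)) == dst:
                    violations.append((src, dst))
    return violations
```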
  38. AWS Global Infrastructure: • 20 Regions with 61 Availability Zones • 5 Regions coming soon: Bahrain, Cape Town, Hong Kong SAR, South Africa, and Milan
  39. Points of Presence: 166 Points of Presence (PoPs) • 155 Edge Locations • 11 Regional Edge Caches
  40. Amazon Global Network: • Redundant 100 GbE network • Private network capacity between all AWS regions, except China
  41. Multiple services traverse the backbone
  42. Introducing AWS Global Accelerator. Accessing your application is not this straightforward! (Diagram: a client on a local ISP crosses networks A to F before reaching the application.) It can take many networks to reach the application; paths to and from the application may differ; each hop impacts performance and can introduce risk
  43. Accessing your web applications with AWS Global Accelerator: adding AWS Global Accelerator removes these inefficiencies and leverages the global AWS network, resulting in improved performance (diagram: the local ISP hands off directly to the AWS network)
  44. (Diagram: the same accelerator address, 3.10.3.125, fronts VPCs in AWS Region 1 and AWS Region 2)
  47. Connecting to on-premises at scale. Virtual Private Gateway (VPN, AWS Direct Connect): • Per VPC • 1.25 Gbps per tunnel • Encrypted in transit • Per VPC (50 per port) • Multiple VPCs with Direct Connect gateway • No bandwidth restraint. AWS Transit Gateway (VPN): • Multiple VPCs • Add VPN connection as needed • 1.25 Gbps per tunnel • Roadmap: AWS Direct Connect. Amazon EC2 customer VPN: • Per VPC or multiple (Transit VPC) • Bandwidths vary by instance type • AWS Marketplace options • Scalability is generally limited by management complexity
  48. Private connectivity with AWS Direct Connect: dedicated private connection from on-premises to AWS; consistent network performance; reduced bandwidth costs; compatible with all AWS services
  49. AWS Direct Connect to many VPCs (diagram: the on-premises WAN reaches two AWS Direct Connect locations through customer and AWS routers; private virtual interfaces (VIFs) terminate on VGWs for 10.1.0.0/16 and 10.2.0.0/16 in an AWS Region). Up to 50 VIFs per port
  50. AWS Direct Connect and Transit Gateway. Option 1: use Direct Connect in parallel (private virtual interfaces to the VPCs alongside VPN to the Transit Gateway). Option 2: use VPN over a Direct Connect public virtual interface (VIF), receiving AWS public IP addresses. Native Direct Connect support coming soon
  51. VPN with Transit Gateway. Consolidate VPN at the Transit Gateway (TGW): • VPN acts similar to the Virtual Private Gateway (VGW): bandwidth, configuration, APIs, cost, and experience • VPN is attached to a TGW instead of a VGW • Same 1.25 Gbps bandwidth per tunnel applies. Encryption to the edge of many VPCs: • Traffic is encrypted until it's inside the VPC • Does not natively encrypt traffic between VPCs; inter-region VPC peering does
  52. VPN with Transit Gateway: add more bandwidth. Support for spreading traffic across many tunnels: • Equal Cost Multi-Path (ECMP) support with BGP multi-path • Tested up to 50 Gbps of traffic • Split traffic into smaller flows, multi-part uploads, etc. Check your on-premises configuration: • Multi-path BGP • ECMP support, number of equal paths, reverse-path forwarding/spoofing checks • Only supported with BGP, not static routing
  55. Route 53 Resolver: managed DNS resolver service from Route 53; create conditional forwarding rules to redirect query traffic; enables hybrid connectivity over AWS Direct Connect and managed VPN
  56. Enabling hybrid cloud (diagram built up across slides 56 to 63: a VPC and a data center, later joined by additional VPCs)
  64. Route 53 Resolver (diagram)
  65. Benefit to you: reduced complexity
  66. Benefit to you: availability • Use AWS high availability architecture • Create additional redundancy by provisioning more ENIs in different AZs
  67. Benefit to you: cross-account rules sharing (diagram: resolver rules shared across several VPCs)
  69. Client VPN: support for OpenVPN clients; available in 4 regions at launch, others coming soon; connected users charged per user per hour
  70. Attachment to Amazon VPC: TLS-based tunnel over the internet (diagram: a user with an OpenVPN client connects over the internet to a Client VPN endpoint in the VPC and from there reaches Amazon DynamoDB, Amazon S3, on-premises and another VPC)
  73. Private connectivity with inter-region peering: private connectivity for two or more VPCs between regions; highly available, no single point of failure; all traffic stays on the AWS global backbone network; all traffic encrypted and anonymized
  74. Multiple Regions (diagram: the on-premises WAN reaches two AWS Direct Connect locations through customer and AWS routers; private virtual interfaces (VIFs) terminate on a Direct Connect gateway in one account, which reaches VGWs in two AWS Regions)
  76. Takeaways: we have tools and architectures that horizontally scale to many VPCs; there's wiggle room for your specific use cases; use services in combination to meet scale and security requirements
  77. Advice: • Networking changes fast, no more crystal balls • Start simple! Stay simple. Reduce complexity to smaller scopes • Segment and modify as needed • Experiment and test
  78. Thank you!
