
[NEW LAUNCH!] AWS Transit Gateway and Transit VPCs - Reference Architectures for Many VPCs (NET402) - AWS re:Invent 2018

In this session, we review the new AWS Transit Gateway and new networking features. We compare AWS Transit Gateway and Transit VPCs and discuss how to architect your accounts and VPCs. This session will be helpful if the developers have been let loose and you are planning lots of VPCs or accounts. How should you connect them, what limits do you need to be aware of, and how does routing work with many VPCs? We dive into the details of recent launches and how to work with concepts like Transit VPCs, account strategies, scaling services, using firewalls, and Direct Connect gateways to solve the problems of many VPCs.

  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Transit Gateway and Transit VPCs: Reference Architectures for Many VPCs. Nick Matthews, Principal Solutions Architect, AWS. NET402. nickpowpow
  2. What to expect. How it works: Transit VPC, Transit Gateway. Build out a reference architecture: account strategy, segmentation model, shared services, connectivity (VPN, WAN, AWS Direct Connect, Transit VPC), network services, multi-region options.
  4. VPC management differences: ease of creation, access models, diverse ownership.
  5. Our starting point: a Dev VPC and a Prod VPC, each with its own virtual private gateway, connected to the WAN over VPN and AWS Direct Connect.
  6. Challenge: adding more VPCs. Every additional Dev/Prod pair needs its own VPN and Direct Connect connections: lots of connections.
  7. Challenge: peering VPCs. Let's connect dev and prod with VPC peering, then connect the green environment. How does this scale?
  8. With many Dev/Prod pairs: scaling connections? Scaling VPC peering? Shared services? Firewall and services?
  9. Transit VPC: a hub VPC terminates VPN and AWS Direct Connect, and every Dev and Prod VPC hangs off it as a spoke.
  10. AWS Transit Gateway: the same hub-and-spoke topology, with a managed regional router in place of the Transit VPC.
  11. Transit VPC mechanics (VPN, WAN, AWS Direct Connect, Transit VPC).
  12. Transit VPC: routing. The Transit VPC (10.0.0.0/16) hosts the VPN instances; the spoke VPCs 10.1.0.0/16 and 10.2.0.0/16 each reach it over a Virtual Private Network (VPN) terminated on their virtual private gateway (VGW). The VPN instances advertise routes to each VGW with BGP; this can be a default route or individual routes.
      Spoke route table (individual routes): 10.2.0.0/16 -> Local; 10.1.0.0/16 -> VGW
      Spoke route table (default route): 10.2.0.0/16 -> Local; 0.0.0.0/0 -> VGW
  13. Why doesn't peering work? Replace the VPN with a VPC peering connection (PCX) to the Transit VPC and point the spoke's default route at it: 10.2.0.0/16 -> Local; 0.0.0.0/0 -> PCX.
  14. Why doesn't peering work? A packet from the spoke destined for the internet would have to pass through the Transit VPC, which is transitive routing. VPC peering does not support it: traffic must either originate or terminate on a network interface in the VPC, so the peered VPC drops the packet.
  15. Why does VPN work? With the same default route pointed at the VGW (10.2.0.0/16 -> Local; 0.0.0.0/0 -> VGW), the packet terminates on the VPN instance's network interface inside the Transit VPC, and the instance forwards it on. The transitive hop is performed by an instance, not by VPC routing.
  16. Transit VPC: availability. Each VGW has a VPN tunnel to each VPN instance. BGP and Dead Peer Detection (DPD) detect the failure of an instance or tunnel, and the VGW route automatically fails over to the other tunnel. Spoiler: we'll use this again with Transit Gateway later.
  17. Transit VPC: performance. The VGW only chooses a single tunnel for outbound traffic (1.25 Gbps), though it accepts packets on any tunnel or connection. The VPN instance must forward all traffic, so the maximum is based on instance size: roughly 1-3 Gbps on the M4 and C4 families. Spoiler: we'll need to know this for Transit Gateway also.
  18. Transit VPC: security services. Firewalls or other security services run in the Transit VPC as an active/passive pair; the passive path is made less preferred with BGP AS-path prepending.
  19. What is the AWS Transit Gateway?
  20. Introducing: Transit Gateway. A regional router inside an AWS Region. Attachments: VPCs (through ENIs placed in the VPC), VPN, and AWS Direct Connect (*available Q1 2019). Scalable, with flexible routing through routing domains.
  21. AWS HyperPlane and AWS Transit Gateway. Transit Gateway is built on AWS HyperPlane; VPC attachments (VPC A, VPC B) are ENIs placed in each Availability Zone of the attached VPC.
  22. Transit Gateway example time! Flat: every VPC should talk to every VPC! Isolated: don't let anything talk; send everything back over VPN!
  23. Flat: Transit Gateway route domains (route tables). Every attachment is associated with, and propagates into, the default routing domain.
      Transit Gateway route table (default routing domain): 10.1.0.0/16 -> vpc-att-1xxxxxxx; 10.2.0.0/16 -> vpc-att-2xxxxxxx; 10.3.0.0/16 -> vpc-att-3xxxxxxx; 10.4.0.0/16 -> vpc-att-4xxxxxxx
      Per-VPC route table: 10.1.0.0/16 -> Local; 10.0.0.0/8 -> tgw-xxxxxxxxx
  25. Isolated: Transit Gateway route domains. The VPC attachments are associated with one routing domain whose only route leads to the VPN; the VPN attachment is associated with a second routing domain that holds the routes to the VPCs.
      Routing domain for VPCs (VPC attachments associated): 0.0.0.0/0 -> VPN
      Routing domain for VPN (VPN attachment associated): 10.1.0.0/16 -> vpc-att-1xxxx; 10.2.0.0/16 -> vpc-att-2xxxx; 10.3.0.0/16 -> vpc-att-3xxxx; 10.4.0.0/16 -> vpc-att-4xxxx
      Per-VPC route table: 10.1.0.0/16 -> Local; 0.0.0.0/0 -> tgw-xxxxxxxxx
  26. Isolated: Transit Gateway route domains, what the two operations mean. Associating an attachment with a route table decides where traffic from that attachment can go; propagating an attachment's routes into a route table decides who can reach that attachment. Here the VPCs are associated with the VPC routing domain and propagate only into the VPN routing domain, so a VPC-to-VPC packet finds no VPC route and is sent to the VPN, while on-premises can reach every VPC.
  28. Quick comparison: Transit Gateway and Transit VPC. Both give VPN, WAN and AWS Direct Connect a single hub; the Transit VPC hub is VPN instances you run and scale, the Transit Gateway hub is a managed regional router.
  29. Transit Gateway details: find NET331, "NEW LAUNCH: Introduction to Transit Gateway", on YouTube.
  30. Are there any reasons to use a Transit VPC?
  31. We're only adding things. You can use all existing options with Transit Gateway: VPC peering, AWS Direct Connect, Elastic Load Balancing, AWS PrivateLink, Amazon CloudWatch metrics, AWS CloudFormation, Transit VPC.
  32. Reference network architecture. Many accounts attach their VPCs to a Transit Gateway with a route table per routing domain; VPN and AWS Direct Connect (*available Q1 2019) terminate at the Transit Gateway; IAM and cross-account roles govern who may attach and change routing.
  33. Architecture walk-through: account strategy, segmentation model, shared services, connectivity (VPN, WAN, AWS Direct Connect, Transit VPC), network services, multi-region options.
  34. Section: account strategy.
  35. Account and VPC segmentation is a spectrum from larger VPCs or accounts to smaller VPCs or accounts. Infrastructure and networking controls: automation of infrastructure, AWS Direct Connect and VPN standards, subnet and routing standards. Policy and IAM controls: AWS Identity and Access Management, strict security groups and routing, identifying resources with tags.
  36. Both? Provide granular account control with centralized infrastructure.
  37. VPC Sharing and Resource Access Manager: share subnets between accounts in an AWS Organization. An infrastructure account owns the VPC and publishes resource shares; participant accounts receive the shared subnets.
  38. VPC Sharing and Resource Access Manager: account owners only see the subnets shared with them and their own resources.
  40. VPC Sharing benefits. Fewer unused resources: higher-density subnets (add up to 5 additional CIDRs), more efficient use of VPN and AWS Direct Connect. Separation of duties: infrastructure strictly controls routing, IP addresses and VPC structure; developers own their resources, accounts and security groups. Decouple accounts and networks: account protection and billing without additional infrastructure; many accounts with fewer networks; avoid VPC peering charges.
  41. Other account considerations. One size does not need to fit all: for example, production may use separate VPCs while development uses a shared VPC; AWS Transit Gateway can handle large numbers of VPCs if needed. VPC Sharing works within an AWS Organization. VPC Sharing doesn't restrict resource utilization: NAT gateways, VPN, subnet address space and security groups have shared limits; VPC Sharing doesn't change any VPC limits, only account limits; give highly scalable services like AWS Lambda dedicated IP space.
  42. Section: segmentation model.
  43. Segmentation: decision inputs. Relationship between accounts, VPCs and tenants: do accounts and tenants trust each other? Is the current network segmentation intentional or a side effect? Who owns security and networking: each team or a centralized team? Compliance and governance requirements: scope can be reduced at an account or a VPC level.
  44. Segmentation options: layers. Inside the account (baseline security): IAM and security groups. At the VPC (network security): route tables and network ACLs. Separate VPCs: the security line between tenants, or between tenant and infrastructure, instead of a shared VPC.
  45. Segmentation options: layers, continued. Between VPCs: Transit Gateway route tables, plus security services inserted at the Transit Gateway; VPN and AWS Direct Connect (*available Q1 2019) terminate at the Transit Gateway.
  46. Segmentation in a shared VPC with network ACLs. Each tenant's subnets (delivered to the tenant account through a resource share) get an inbound network ACL that mimics the behavior of a single VPC per tenant: allow the tenant's own subnets, deny the rest of the shared VPC, allow everything from outside the VPC.
      Inbound network ACL (evaluated in rule-number order, first match wins):
        100  10.0.1.0/24    ALLOW
        101  10.0.101.0/24  ALLOW
        200  10.0.0.0/16    DENY
        300  0.0.0.0/0      ALLOW
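The rule set above only isolates the tenant if the DENY is numbered below the catch-all ALLOW, because network ACL rules are evaluated in ascending rule-number order and the first match wins. The following evaluator is an added example, not part of the deck or of any AWS tooling: it encodes the slide's inbound rules (the tenant subnets 10.0.1.0/24 and 10.0.101.0/24 and the VPC CIDR 10.0.0.0/16 are the slide's values), runs them against constructed sample source addresses, and shows what happens when the DENY is renumbered above the ALLOW.

```python
"""Evaluate the shared-VPC tenant network ACL from the slide.

Network ACL semantics modelled here: rules are checked lowest number
first, the first matching rule decides, and the implicit '*' rule at
the end denies anything that matched nothing. Sample addresses are
constructed for the example.
"""
from ipaddress import ip_address, ip_network

ALLOW, DENY = "ALLOW", "DENY"

# (rule number, source CIDR, action) exactly as on the slide
TENANT_INBOUND_NACL = [
    (100, "10.0.1.0/24", ALLOW),    # the tenant's own subnet, first AZ
    (101, "10.0.101.0/24", ALLOW),  # the tenant's own subnet, second AZ
    (200, "10.0.0.0/16", DENY),     # everything else inside the shared VPC
    (300, "0.0.0.0/0", ALLOW),      # outside the VPC: on-premises, internet
]


def evaluate_nacl(rules, src_ip):
    """Return ALLOW or DENY for one source address under a network ACL."""
    addr = ip_address(src_ip)
    for _number, cidr, action in sorted(rules, key=lambda r: r[0]):
        if addr in ip_network(cidr):
            return action
    return DENY  # implicit catch-all rule


def tenant_view(rules):
    """Decisions for constructed sample sources, keyed by what each represents."""
    samples = {
        "own_subnet_a": "10.0.1.25",
        "own_subnet_b": "10.0.101.7",
        "other_tenant": "10.0.2.25",    # another tenant's subnet in the shared VPC
        "on_premises": "10.50.0.10",    # outside 10.0.0.0/16, arrives via the TGW
        "internet": "203.0.113.9",
    }
    return {name: evaluate_nacl(rules, ip) for name, ip in samples.items()}


def misnumbered(rules):
    """The same rules with the DENY renumbered after the catch-all ALLOW.

    Rule 300 then matches every source first and the other-tenant DENY
    never fires, which silently flattens the segmentation.
    """
    return [(400 if action == DENY else number, cidr, action)
            for number, cidr, action in rules]


if __name__ == "__main__":
    for name, decision in tenant_view(TENANT_INBOUND_NACL).items():
        print(f"{name:14} {decision}")
    print("misnumbered other_tenant:",
          tenant_view(misnumbered(TENANT_INBOUND_NACL))["other_tenant"])
```

Two caveats the evaluator does not cover: network ACLs are stateless, so the outbound rule set (including ephemeral ports for return traffic) needs the same treatment, and an ACL is attached per subnet, so every subnet shared to the tenant must carry the tenant's rules. Security groups remain the primary control; the ACL is a backstop against a misconfigured group in a neighbouring tenant.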
  47. Flat: Transit Gateway route domains. All routes and attachments are in a single route table, the default routing domain.
      Transit Gateway route table: 10.1.0.0/16 -> vpc-att-1xxxxxxx; 10.2.0.0/16 -> vpc-att-2xxxxxxx; 10.3.0.0/16 -> vpc-att-3xxxxxxx; 10.0.0.0/8 -> VPN
  48. Isolated: Transit Gateway route domains with shared services. The spoke VPCs attach to (are associated with) a route table that only holds routes to shared resources; the shared resources, the shared-services VPC and the VPN, attach to a route table with routes to all resources.
      Route table for spoke VPCs: 10.4.0.0/16 -> vpc-att-4xxxx (shared services); 10.0.0.0/8 -> VPN
      Route table for shared resources: 10.1.0.0/16 -> vpc-att-1xxxx; 10.2.0.0/16 -> vpc-att-2xxxx; 10.3.0.0/16 -> vpc-att-3xxxx; 10.4.0.0/16 -> vpc-att-4xxxx
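The flat and isolated designs on slides 23-26 and 47-48 differ only in which Transit Gateway route table each attachment is associated with and which tables its CIDR is propagated into. The model below is an added example, not code from the deck or from AWS: it implements the two facts the slides rely on (an attachment is associated with exactly one route table, which is consulted for traffic arriving from that attachment, and lookups are longest-prefix-match) and builds both designs from the slides' CIDRs. The attachment names vpc-att-1 to vpc-att-4 and vpn-att are shortened placeholders, and the 10.0.0.0/8 -> VPN route in the shared table is an assumption so that shared services can also reach on-premises.

```python
"""Transit Gateway route-domain model: flat versus isolated with shared services."""
from ipaddress import ip_address, ip_network


class TransitGateway:
    def __init__(self):
        self.route_tables = {}  # table name -> list of (network, target attachment)
        self.associations = {}  # attachment -> table name it is associated with

    def add_table(self, name):
        self.route_tables[name] = []

    def associate(self, attachment, table):
        # Association: the table that decides where traffic FROM this attachment goes.
        self.associations[attachment] = table

    def add_route(self, table, cidr, target):
        self.route_tables[table].append((ip_network(cidr), target))

    def propagate(self, attachment, cidr, *tables):
        # Propagation: the attachment's CIDR appears in each listed table,
        # which is what lets traffic from those tables REACH the attachment.
        for table in tables:
            self.add_route(table, cidr, attachment)

    def next_hop(self, src_attachment, dst_ip):
        """Attachment that receives a packet from src_attachment to dst_ip, or None if dropped."""
        table = self.route_tables[self.associations[src_attachment]]
        addr = ip_address(dst_ip)
        matches = [(net, target) for net, target in table if addr in net]
        if not matches:
            return None  # no route: the Transit Gateway drops the packet
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins


SPOKES = {"vpc-att-1": "10.1.0.0/16", "vpc-att-2": "10.2.0.0/16", "vpc-att-3": "10.3.0.0/16"}
SHARED = {"vpc-att-4": "10.4.0.0/16"}


def flat_tgw():
    """Slide 47: every attachment in the default route table."""
    tgw = TransitGateway()
    tgw.add_table("default")
    for att, cidr in {**SPOKES, **SHARED}.items():
        tgw.associate(att, "default")
        tgw.propagate(att, cidr, "default")
    tgw.associate("vpn-att", "default")
    tgw.add_route("default", "10.0.0.0/8", "vpn-att")
    return tgw


def isolated_tgw():
    """Slide 48: spokes only see shared services and the VPN; shared resources see everything."""
    tgw = TransitGateway()
    tgw.add_table("spokes")
    tgw.add_table("shared")
    for att, cidr in SPOKES.items():
        tgw.associate(att, "spokes")
        tgw.propagate(att, cidr, "shared")  # reachable from shared services and VPN only
    for att, cidr in SHARED.items():
        tgw.associate(att, "shared")
        tgw.propagate(att, cidr, "spokes", "shared")  # reachable from everyone
    tgw.associate("vpn-att", "shared")
    tgw.add_route("spokes", "10.0.0.0/8", "vpn-att")  # less specific than 10.4.0.0/16
    tgw.add_route("shared", "10.0.0.0/8", "vpn-att")  # assumed: shared services reach on-prem
    return tgw


def symmetric(tgw, att_a, ip_a, att_b, ip_b):
    """True only if both directions of a flow land on the expected attachment.

    A route that works one way but not the other still breaks TCP, so a
    reachability check must look up both directions, not just one.
    """
    return tgw.next_hop(att_a, ip_b) == att_b and tgw.next_hop(att_b, ip_a) == att_a
```

In the isolated model a spoke-to-spoke packet matches only the 10.0.0.0/8 route and is handed to the VPN, which is exactly the "send everything back over VPN" behaviour on slide 22; anything outside both the shared-services CIDR and 10.0.0.0/8 has no route and is dropped. Before relying on a segmentation design, run the symmetric check for every pair you expect to communicate and for every pair you expect to be blocked.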
  49. Segmentation considerations: where to start. Security groups and IAM are effective and proven: encourage IAM and security group use and monitor security configuration. Shared VPCs: tenants should limit access from the internet and from other tenants; VPCs that currently use VPC peering are likely to benefit from shared VPCs; design around resource and limit contention. Separate VPCs: often the best security decision is the simplest, and separate VPCs are simple; use separate VPCs for strong network segmentation and resource isolation; Transit Gateway removes the scaling issues with many VPCs (peering, VPN, routes). Transit Gateway route tables define multi-VPC policy: consider isolating environments (dev and prod) while allowing access to shared resources.
  50. Section: shared services.
  51. Shared services connectivity options. VPC peering: one-to-one connectivity, scales to 100 VPCs, security groups across VPCs, inter-region peering. Transit VPC: shared services as a spoke, bandwidth constrained, complex management, instance and licensing costs. AWS Transit Gateway: many-to-many or one-to-many with route tables, highly scalable, hourly per-AZ attachment costs. AWS PrivateLink: one-to-many connectivity, highly scalable, supports overlapping CIDRs, uses Elastic Load Balancing, load balancing and hourly endpoint costs.
  53. Shared services with Transit Gateway. Development, testing and production account groups, a shared services VPC and an acquisition group all attach to the Transit Gateway; this is extensible to many VPCs if needed and works with flat or isolated segmentation. Example shared applications: authentication, logging, DevOps tools, security resources.
  54. Using Transit Gateway and PrivateLink together. Transit Gateway: many-to-many or one-to-many with route tables, highly scalable, hourly per-AZ attachment costs. AWS PrivateLink: one-to-many connectivity, highly scalable, supports overlapping CIDRs, uses Elastic Load Balancing, load balancing and hourly endpoint costs. Compare the two on scope, trust model, dependencies and scale.
  55. Section: connectivity, connecting on-premises. Accounts attach to the Transit Gateway route tables; VPN and AWS Direct Connect (*available Q1 2019) terminate at the Transit Gateway.
  56. Connecting to on-premises. Virtual private gateway with VPN: per VPC, 1.25 Gbps per tunnel, encrypted in transit. Virtual private gateway with AWS Direct Connect: per VPC (50 VIFs per port), multiple VPCs through a Direct Connect gateway, no per-tunnel bandwidth limit (bounded by port speed). AWS Transit Gateway with VPN: multiple VPCs, add VPN connections as needed, 1.25 Gbps per tunnel; roadmap: AWS Direct Connect. Amazon EC2 customer VPN: per VPC or multiple VPCs (Transit VPC), bandwidth varies by instance type, AWS Marketplace options, scalability is generally limited by management complexity.
  58. AWS Direct Connect to many VPCs. From the on-premises WAN, customer routers at one or two AWS Direct Connect locations peer with AWS routers; each VPC (10.1.0.0/16, 10.2.0.0/16) gets its own private virtual interface (VIF), up to 50 VIFs per port.
  59. AWS Direct Connect: link aggregation. Up to 4 ports in a LAG, each with 50 VIFs.
  60. Direct Connect gateway. A single private VIF connects to a Direct Connect gateway, which fans out to up to 10 VGWs (VPCs 10.1.0.0/16, 10.2.0.0/16) in one account.
  61. AWS Direct Connect and Transit Gateway, before native support (planned for Q1 2019). Option 1: use Direct Connect in parallel, with private virtual interfaces straight to the VPCs while the Transit Gateway carries VPN. Option 2: use VPN over a Direct Connect public virtual interface: receive the AWS public IP addresses over the public VIF and terminate the VPN on the Transit Gateway.
  62. AWS Direct Connect and Transit Gateway: use an edge services VPC in front of a private virtual interface. A Transit VPC receives the private VIF and runs VPN tunnels to the Transit Gateway, which serves VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16). More detail in the network services section; this is also how to migrate or extend existing Transit VPCs; helpful for single-VIF (<1 Gbps) Direct Connect; can be used for north-south inspection use cases.
  63. VPN with Transit Gateway. Consolidate VPN at the Transit Gateway (TGW): VPN behaves much like it does on a virtual private gateway (VGW) in bandwidth, configuration, APIs, cost and experience, except that it is attached to a TGW instead of a VGW; the same 1.25 Gbps per tunnel applies. Encryption to the edge of many VPCs: traffic is encrypted until it is inside the VPC; Transit Gateway does not natively encrypt traffic between VPCs (inter-region VPC peering does).
  64. VPN with Transit Gateway: add more bandwidth. Support for spreading traffic across many tunnels: Equal Cost Multi-Path (ECMP) with BGP multipath, tested up to 50 Gbps of aggregate traffic. ECMP balances per flow, so a single flow is still bounded by one tunnel; split traffic into smaller flows, multi-part uploads, etc. Check your on-premises configuration: multipath BGP; ECMP support, the number of equal paths it will install, reverse-path forwarding and anti-spoofing checks; only supported with BGP, not static routing.
  65. Transit VPC 1.1: an existing Transit VPC (100.64.0.0/16) becomes a VPN attachment of the Transit Gateway, with an active/passive VPN pair advertising 10.0.0.0/8 over BGP. Spoke VPCs A (10.1.0.0/16) and B (10.2.0.0/16) are associated with the VPC route domain; the Transit VPC's VPN attachment is associated with the transit route domain.
      Spoke route table: 10.2.0.0/16 -> Local; 10.0.0.0/8 -> tgw-xxxxxxxxx
      Transit VPC route table: 100.64.0.0/16 -> Local; 10.0.0.0/8 -> tgw-xxxxxxxxx; 0.0.0.0/0 -> igw-xxxxxxxxx
      BGP advertisement from the Transit VPC: prefix 10.0.0.0/8, next hop the VPN instance's local IP
      Transit Gateway VPC route domain: 10.0.0.0/8 -> Transit VPC VPN attachment
      Transit Gateway transit route domain: 10.1.0.0/16 -> vpc-att-a; 10.2.0.0/16 -> vpc-att-b
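Slides 18 and 65 both rely on the passive VPN instance making its own advertisement less attractive with AS-path prepending, so that the gateway installs the active instance's path and falls back only when BGP or Dead Peer Detection withdraws it. The simulation below is an added example, not code from the deck or from AWS; it implements only the two BGP best-path tie-breakers that design depends on (highest LOCAL_PREF, then shortest AS_PATH). The ASN 65001, the instance names and the prepend count are constructed values.

```python
"""Active/passive Transit VPC over BGP with AS-path prepending."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str       # VPN instance (tunnel) that advertised the route
    as_path: tuple      # AS numbers, leftmost is the nearest AS
    local_pref: int = 100


def best_path(paths):
    """Highest LOCAL_PREF wins, then shortest AS_PATH; None if nothing is advertised.

    Real BGP has further tie-breakers (origin, MED, router ID, ...); with
    prepending they never matter because the AS_PATH lengths already differ.
    """
    if not paths:
        return None
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)))


def prepend(as_path, asn, times):
    """AS-path prepending: repeat the advertising ASN so the path looks longer."""
    return (asn,) * times + as_path


def transit_vpc_advertisements(active_up=True, passive_up=True):
    """Routes the two Transit VPC instances advertise for the on-premises range.

    Each flag stands for a BGP session that is still up; a session that
    DPD or BGP has torn down advertises nothing.
    """
    asn = 65001  # constructed ASN shared by both VPN instances
    paths = []
    if active_up:
        paths.append(Path("10.0.0.0/8", "vpn-instance-a", (asn,)))
    if passive_up:
        # passive: same prefix, same ASN, prepended twice -> AS_PATH length 3
        paths.append(Path("10.0.0.0/8", "vpn-instance-b", prepend((asn,), asn, 2)))
    return paths


def installed_next_hop(active_up=True, passive_up=True):
    """Which instance the gateway forwards 10.0.0.0/8 to, given which sessions are up."""
    chosen = best_path(transit_vpc_advertisements(active_up, passive_up))
    return chosen.next_hop if chosen else None


def ecmp_candidates(paths):
    """Paths that tie with the best one on the attributes compared here.

    With Transit Gateway ECMP every tied path would carry traffic, so the
    prepend is also what keeps the passive instance out of the multipath set.
    """
    best = best_path(paths)
    if best is None:
        return []
    key = (best.local_pref, len(best.as_path))
    return [p for p in paths if (p.local_pref, len(p.as_path)) == key]
```

With both sessions up the gateway installs vpn-instance-a alone; when the active session drops, the only remaining path is the prepended one and vpn-instance-b takes over without any API call, which is the "no API calls required for fault tolerance" property claimed later for VPN service insertion. If you later move to ECMP for bandwidth, remove the prepend, since equal AS_PATH lengths are what makes paths eligible for multipath.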
  66. 66. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Neat. But, why? ? ?
  67. 67. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Network Services Connectivity Multi-Region Options Account Strategy Shared ServicesSegmentation Model
  68. 68. Reference Network Architecture Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared services Authentication, Monitoring VPN AWS Direct Connect * Route tables Route tables Transit Gateway Optional network services
  69. 69. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Do I need to put service each into their own VPC?
  70. 70. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. 100.64.0.0/16 Outbound VPC SNAT SNAT Outbound services VPC Transit Gateway VPC route domain 10.1.0.0/16 10.2.0.0/16 Outbound route domain Spoke route table Outbound VPC route table VPC A VPC B ECMP VPN BGP advertisement Route Destination 10.2.0.0/16 Local 0.0.0.0/0 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx BGP prefix Next hop 0.0.0.0/0 Local IP 0.0.0.0/0 Outbound VPC VPN 10.1.0.0/16 vpc-att-a 10.2.0.0/16 vpc-att-b Apply SNAT outbound to the internet SNAT Use cases:
  71. 71. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. VPN service insertion design notes Instance must be able to support: • VPN to the Transit Gateway • BGP to the Transit Gateway (ECMP requirement) • Source NAT to the internet Performance • IPsec overhead • Compatible with auto-scaling architectures • No cumulative bandwidth limit High availability • BGP and VPN Dead Peer Detection handle failover • No API calls required for fault tolerance • Optionally place instances in Amazon EC2 automatic recovery Stateful services • Use Source NAT to guarantee the return flow to the same instance Horizontally scalable service pattern Preferred method if the service supports BGP, VPN and NAT.
  72. 72. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. 100.64.0.0/16 Outbound VPC SNAT SNAT Outbound services VPC: Interface Transit Gateway VPC route domain 10.1.0.0/16 10.2.0.0/16 Outbound route domain Spoke route table Outbound VPC route table VPC A VPC B VPC Attachment route table, per AZ Route Destination 10.2.0.0/16 Local 0.0.0.0/0 tgw-xxxxxxxxx Route Destination 100.64.0.0/16 Local 10.0.0.0/8 tgw-xxxxxxxxx 0.0.0.0/0 igw-xxxxxxxxx Route Destination 0.0.0.0/0 eni-xxxxxxx 0.0.0.0/0 vpc-att-outbound 10.1.0.0/16 vpc-att-a 10.2.0.0/16 vpc-att-b Apply SNAT outbound to the internet SNAT
  73. 73. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Interface service insertion design notes Instance must be able to support: • Source NAT to the internet Performance • No overhead (8500 MTU) • Limited to one Transit Gateway attachment per Availability Zone, so one route table • Traffic is forwarded within the same Availability Zone if possible • Likely that traffic isn’t evenly distributed across instances High availability • There are no built-in health checks for the VPC routes, requires monitoring and management • Optionally place instances in Amazon EC2 automatic recovery Stateful services • Use Source NAT to guarantee the return flow to the same instance Simpler performance pattern Stay within the performance of a single service instance (worst-case scenario) and configure your own high availability checks.
74. Edge services VPC: Ingress
Diagram: VPC A (10.1.0.0/16) attaches to the Transit Gateway in the VPC route domain; the Edge VPC (100.64.0.0/16) connects over ECMP VPN in the Edge route domain, its instances apply SNAT, and an optional ELB sits in front of them.
Spoke route table (VPC A):
  Destination     Route
  10.1.0.0/16     Local
  100.64.0.0/16   tgw-xxxxxxxxx
Edge VPC route table:
  Destination     Route
  100.64.0.0/16   Local
  10.0.0.0/8      tgw-xxxxxxxxx
  0.0.0.0/0       igw-xxxxxxxxx
BGP advertisement from the Edge VPC:
  BGP prefix      Next hop
  100.64.0.0/16   Local IP
Transit Gateway route table:
  Destination     Route
  100.64.0.0/16   Edge VPC VPN
  10.1.0.0/16     vpc-att-a
Use cases: Optional ELB
75. Edge services VPC: SD-WAN
Diagram: VPC A (10.1.0.0/16) attaches to the Transit Gateway in the VPC route domain; the Edge VPC (100.64.0.0/16) connects over ECMP VPN in the Edge route domain and its instances apply SNAT.
Spoke route table (VPC A):
  Destination     Route
  10.1.0.0/16     Local
  0.0.0.0/0       tgw-xxxxxxxxx
Edge VPC route table:
  Destination     Route
  100.64.0.0/16   Local
  10.0.0.0/8      tgw-xxxxxxxxx
  0.0.0.0/0       igw-xxxxxxxxx
BGP advertisement from the Edge VPC:
  BGP prefix      Next hop
  Many prefixes   Local IP
Transit Gateway route table:
  Destination     Route
  Many prefixes   Edge VPC VPN
  10.1.0.0/16     vpc-att-a
Use cases: tunnels to data centers, branches, clients, etc.
• Only stateful services require NAT
• Can be a summary or default route in each VPC and in BGP
76. Reminder: existing network services or DMZs may be convenient, but they may also be the problem. Remember to evaluate operational processes, alternatives, and automation.
77. VPC to VPC service insertion
Diagram: VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) attach to the Transit Gateway in the VPC route domain; the Inline VPC (100.64.0.0/16) connects over ECMP VPN in the Inline route domain and its instances apply SNAT.
Spoke route table (VPC B):
  Destination     Route
  10.2.0.0/16     Local
  10.0.0.0/8      tgw-xxxxxxxxx
  100.64.0.0/16   tgw-xxxxxxxxx
Inline VPC route table:
  Destination     Route
  100.64.0.0/16   Local
  10.0.0.0/8      tgw-xxxxxxxxx
  0.0.0.0/0       igw-xxxxxxxxx
BGP advertisement from the Inline VPC:
  BGP prefix      Next hop
  0.0.0.0/0       Local IP
Transit Gateway route table:
  Destination     Route
  0.0.0.0/0       Inline VPC VPN
  10.1.0.0/16     vpc-att-a
  10.2.0.0/16     vpc-att-b
Apply SNAT between VPCs for flow affinity.
Use cases: VPCs will see traffic as originating from the inline VPC CIDR.
78. VPC to on-premises service insertion
Diagram: VPC A (10.1.0.0/16) attaches to the Transit Gateway in the VPC/VPN route domain, alongside the on-premises VPN; the Inline (inspection) VPC (100.64.0.0/16) connects over ECMP VPN in the Inline route domain and its instances apply SNAT.
Spoke route table (VPC A):
  Destination     Route
  10.2.0.0/16     Local
  On-premises     tgw-xxxxxxxxx
  100.64.0.0/16   tgw-xxxxxxxxx
Inline VPC route table:
  Destination     Route
  100.64.0.0/16   Local
  10.0.0.0/8      tgw-xxxxxxxxx
  On-premises     tgw-xxxxxxxxx
  0.0.0.0/0       igw-xxxxxxxxx
BGP advertisement from the Inline VPC:
  BGP prefix      Next hop
  0.0.0.0/0       Local IP
On-premises BGP advertisement:
  BGP prefix      Next hop
  On-premises     Local IP
Transit Gateway route table:
  Destination     Route
  0.0.0.0/0       Inspection VPC VPN
  10.1.0.0/16     vpc-att-a
  On-premises     On-premises VPN
Apply SNAT between VPCs for flow affinity; VPCs will see traffic sourced from the inline VPC CIDR range due to SNAT.
This forces VPC-to-VPC traffic, and traffic between on-premises and VPCs, through the inline VPC.
Using an edge services model with VPN terminated on the firewalls may be simpler.
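The route tables on slides 72, 77 and 78 are what decide whether a flow bypasses the service VPC, crosses it once with SNAT, or loops. The block below is an added example, not code from the talk or from AWS: it models a Transit Gateway as one route table per route domain with each attachment associated to exactly one domain, then traces constructed flows through the outbound (slide 72) and inline (slide 77) designs. The attachment ids, SNAT address and gateway ids are constructed, and the split of prefixes between the two route domains is inferred from the slides' route tables. It goes one step beyond the slides by also tracing a misconfiguration in which the default route leaks into the inline domain.

```python
"""Route-domain model for the Transit Gateway service-insertion patterns on these
slides (outbound services VPC, slide 72; inline VPC, slide 77). Added example, not
AWS code: attachment ids, SNAT addresses and flows are constructed, and the split of
routes between the two route domains is inferred from the slides' route tables."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route table is a list of (destination prefix, target); longest prefix match wins.
RouteTable = List[Tuple[str, str]]


def lookup(table: RouteTable, dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, as a VPC or Transit Gateway route table does it."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, target in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


class TransitGateway:
    """Every attachment is associated with one route domain; a packet arriving on an
    attachment is looked up only in that domain's table. Service attachments carry
    their VPC's own route table and the SNAT address their instances use."""

    def __init__(self, domains: Dict[str, RouteTable], association: Dict[str, str],
                 services: Dict[str, Tuple[RouteTable, str]]):
        self.domains, self.association, self.services = domains, association, services

    def forward(self, ingress_att: str, dst: str) -> Optional[str]:
        return lookup(self.domains[self.association[ingress_att]], dst)


def trace(tgw: TransitGateway, src_att: str, src_ip: str, dst_ip: str) -> Tuple[List[str], str]:
    """Follow one flow. Returns (hops, source address the destination will see)."""
    hops, seen_src, att, visited = [src_att], src_ip, src_att, {src_att}
    while True:
        nxt = tgw.forward(att, dst_ip)
        if nxt is None:
            raise ValueError(f"{dst_ip} is unroutable from {att}")
        if nxt in visited:
            raise ValueError(f"routing loop through {nxt}")
        hops.append(nxt)
        visited.add(nxt)
        if nxt not in tgw.services:
            return hops, seen_src          # delivered into a spoke VPC
        vpc_table, snat_ip = tgw.services[nxt]
        target = lookup(vpc_table, dst_ip)
        if target == "local":             # return flow to the NAT instance: un-translate
            hops.append("dnat-return")
            return hops, seen_src
        hops.append("snat")               # flow affinity: replies come back to this instance
        seen_src = snat_ip
        if target is None or target.startswith("igw"):
            hops.append(target or "drop")
            return hops, seen_src
        att = nxt                         # target is the TGW: re-enter from the service attachment


def describe(tgw: TransitGateway, src_att: str, src_ip: str, dst_ip: str) -> str:
    """Human-readable path, or the routing error the flow would hit."""
    try:
        hops, seen = trace(tgw, src_att, src_ip, dst_ip)
    except ValueError as err:
        return f"ERROR: {err}"
    return " -> ".join(hops) + f" (seen as {seen})"


# Service VPC route table from slides 72 and 77; gateway ids are constructed.
TGW_ID, IGW_ID = "tgw-0123456789abcdef0", "igw-0123456789abcdef0"
SERVICE_VPC_RT: RouteTable = [("100.64.0.0/16", "local"), ("10.0.0.0/8", TGW_ID), ("0.0.0.0/0", IGW_ID)]
SPOKES: RouteTable = [("10.1.0.0/16", "vpc-att-a"), ("10.2.0.0/16", "vpc-att-b")]

# Slide 72: spokes default to the outbound VPC but reach each other directly.
OUTBOUND = TransitGateway(
    domains={"vpc": [("0.0.0.0/0", "vpc-att-outbound")] + SPOKES, "outbound": SPOKES},
    association={"vpc-att-a": "vpc", "vpc-att-b": "vpc", "vpc-att-outbound": "outbound"},
    services={"vpc-att-outbound": (SERVICE_VPC_RT, "100.64.0.10")},
)
# Slide 77: the inline VPC advertises 0.0.0.0/0 over BGP, so every spoke-to-spoke
# flow crosses it; only the inline domain knows the spoke prefixes.
INLINE = TransitGateway(
    domains={"vpc": [("0.0.0.0/0", "vpn-att-inline")], "inline": SPOKES},
    association={"vpc-att-a": "vpc", "vpc-att-b": "vpc", "vpn-att-inline": "inline"},
    services={"vpn-att-inline": (SERVICE_VPC_RT, "100.64.0.10")},
)
# Misconfiguration (constructed): the default route also lands in the inline domain,
# so an unknown 10.x destination bounces between the TGW and the inline VPC.
LEAKED_DEFAULT = TransitGateway(
    domains={"vpc": [("0.0.0.0/0", "vpn-att-inline")],
             "inline": SPOKES + [("0.0.0.0/0", "vpn-att-inline")]},
    association=INLINE.association, services=INLINE.services,
)

if __name__ == "__main__":
    print(describe(OUTBOUND, "vpc-att-b", "10.2.1.10", "93.184.216.34"))
    print(describe(OUTBOUND, "vpc-att-a", "10.1.1.10", "10.2.1.10"))
    print(describe(INLINE, "vpc-att-a", "10.1.1.10", "10.2.1.10"))
    print(describe(INLINE, "vpc-att-b", "10.2.1.10", "100.64.0.10"))
    print(describe(LEAKED_DEFAULT, "vpc-att-a", "10.1.1.10", "10.3.0.5"))
```

The model ignores ECMP and per-AZ attachment choice; its point is the route-domain separation: the outbound design only touches the service VPC for internet-bound traffic, the inline design sends every spoke-to-spoke flow through it once (with the SNAT the slides call out for flow affinity), and the leaked default route turns an unroutable destination into a loop instead of a clean black hole.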
79. Transit Gateway launch partners (partner logo slide)
80. Orchestration: Dev & prod isolated transit network
Diagram: an AVX Controller orchestrates a Transit Gateway with separate routing domains for Dev, Prod, Shared services (a Shared Service VPC) and Edge; spokes attach to the Dev and Prod domains, and an AVX Edge VPC with a VGW connects On Prem 1 and On Prem 2 over AWS Direct Connect / Internet.
81. Security VPC: Check Point Auto-Scaling integration
Diagram: a Check Point VPN auto-scaling group (ASG) connects to the Transit Gateway over ECMP VPN with BGP; the Default route domain sends 0.0.0.0/0 to Check Point, which forwards to the Internet, while VPCs sit in the VPC route domain.
Use cases:
• Hybrid cloud secured connectivity
• Granular inter-VPC security inspection
• Internet bound traffic inspection
82. Xero TPZ, est. 2015: Threat Protection Zone (TPZ) VPC with an explicit proxy
Diagram: the TPZ VPC (172.16.0.0/23) holds a proxy cluster with internal and external sides plus security inspection services; VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) reach it over VPC peering (pcx-xxxxx) with static routing. Clients are configured with "ProxyUrl": "http://proxy.internal:8080".
Spoke route table (egress route to the Internet):
  Destination     Route
  172.16.0.0/23   pcx-xxxxx
TPZ VPC route table (internal routes for transit):
  Destination     Route
  0.0.0.0/0       igw-xxxxx
  10.1.0.0/16     pcx-xxxxx (VPC A)
  10.2.0.0/16     pcx-xxxxx (VPC B)
83. Xero TPZ future state
Diagram: a Transit Gateway with dynamic routing connects separate TPZ egress and TPZ ingress VPCs, each running security inspection services.
84. Agenda: Network Services; Connectivity; Multi-Region Options; Account Strategy; Shared Services; Segmentation Model (diagram: two AWS Regions)
85. Inter-region VPC peering
Diagram: VPC peering between a VPC in one AWS Region and a VPC in another AWS Region.
86. Multiple Regions
Diagram: an on-premises WAN connects through a customer router to an AWS router at an AWS Direct Connect location, and through a second customer router to an AWS router at AWS Direct Connect location 2; a Direct Connect gateway in the account links private virtual interfaces (VIFs) to VPCs in two AWS Regions.
87. Transit Gateway in multiple Regions
Diagram: in each of two AWS Regions, VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16) attach to an AWS Transit Gateway; the Regions are joined by VPN through a Transit VPC or by VPC peering. Transit Gateway inter-region support coming soon!
89. Takeaways
• We have tools and architectures that horizontally scale to many VPCs
• There’s wiggle room for your specific use cases
• Use services in combination to meet scale and security requirements
90. Advice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test
91. Thank you! Nick Matthews, @nickpowpow
