
PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:Invent 2018


In this session, we review how technology and consulting partners can utilize AWS PrivateLink, a networking service that allows for a service behind a load balancer to be privately placed into other VPCs as well as on-premises. You can use PrivateLink to help scale a SaaS service, simplify microservices, simplify the network connectivity of managed service providers, and create a more secure environment for partner products inside customer VPCs. In this session, we focus on the design and service architecture requirements as well as the business considerations for implementing PrivateLink for your product or service. We also hear from APN Partner, Snowflake, and its customer, ARC, about how they deployed PrivateLink.


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     GPSTEC306: PrivateLink for Partners: Connectivity, Scale, Security
     Laura Caicedo, Partner Solutions Architect, AWS
     Nick Matthews, Principal Solutions Architect, AWS
     Jonathan Sander, Security Field CTO, Snowflake Computing
     Paul Barber, Managing Director, Product Architecture, Airlines Reporting Corporation (ARC)
  2. Agenda
     • What is PrivateLink
     • Benefits
     • Architecture
     • Deployment types
     • Architecture design options
     • Snowflake use case
  4. Problem (diagram)
  5. Sharing a service without AWS PrivateLink: internet gateway (IGW) with an elastic IP or public DNS
  6. Sharing a service without AWS PrivateLink: peering
     Route table maintenance on every peering connection:
     10.10.0.0/16 -> pcx-xxxxxx
     172.31.0.0/16 -> pcx-xxxxxx
  7. Sharing a service without AWS PrivateLink: peering with overlapping addresses
     10.10.0.0/16 -> pcx-xxxxxx
     192.168.0.0/16 -> pcx-xxxxxx
     10.10.0.0/16 -> pcx-xxxxxx ??? (a second customer with the same CIDR cannot be routed)
  8. Sharing a service with AWS PrivateLink
     Consumer VPC endpoint (private IP 10.10.1.6) -> endpoint service -> NLB in the provider VPC
  10. Benefits of AWS PrivateLink
     • Secure your traffic
     • Simplify network management
     • Accelerate hybrid cloud migration
     • Scalability
  11. PrivateLink benefits: security and management
     • One-way access (consumer to provider)
     • Security group for the endpoint
     • Private IP
     • Support for overlapping addresses
     (Diagram: NLB behind an endpoint service, service name com.amazonaws…, consumed through a VPC endpoint with a private IP)
  12. PrivateLink benefits: scalability and hybrid cloud
     • Share to thousands of VPCs
     • Grow your business
     • Hybrid cloud adoption
     (Diagram: one endpoint service behind an NLB, many VPC endpoints)
  14. Network Load Balancer
     • Connection-based load balancing
     • Built-in health checks
     • High throughput
     • Low latency
     • Preserves the source IP address
     • Static IP and elastic IP support
     • Load balancing using IP addresses as targets
     • Fully fault-tolerant
     (Diagram: one AWS Region, Elastic Load Balancing spread across AZ-1, AZ-2 and AZ-3 with web targets in each AZ)
  15. Set up PrivateLink for providers
     NLB -> endpoint service (service name com.amazonaws…, e.g. vpce-svc-02d91882a635HAPPY)
     • Whitelist principals
     • Accept endpoint connections
     • Notifications
  17. Elastic network interfaces
     • Virtual networking card
     • Has a private IP in the address range of your subnet
     • Can be owned by you or managed by an AWS service
     • Apply security groups to an elastic network interface
  18. Accessing AWS services from your VPC
     • Gateway VPC endpoints for AWS services
     • Interface VPC endpoints for AWS services
  19. Amazon S3 and your VPC
     Route S3-bound traffic to the VPC endpoint instead of the internet:
     • No IGW
     • No NAT
     • No public IPs
     • Robust access control
     • Free
  20. Interface VPC endpoints (diagram)
  21. Interface VPC endpoints (diagram)
  22. Interface endpoint services available
     • Amazon API Gateway
     • AWS CloudFormation
     • Amazon CloudWatch
     • Amazon CloudWatch Events
     • Amazon CloudWatch Logs
     • AWS CodeBuild
     • AWS Config
     • Amazon EC2 API
     • Elastic Load Balancing API
     • AWS Key Management Service
     • Amazon Kinesis Data Streams
     • Amazon SageMaker Runtime
     • AWS Secrets Manager
     • AWS Security Token Service
     • AWS Service Catalog
     • Amazon SNS
     • AWS Systems Manager
     • Endpoint services hosted by other AWS accounts
     • Supported AWS Marketplace partner services
     https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
  23. Setting up PrivateLink for consumers
     VPC endpoint -> endpoint service vpce-svc-0…635HAPPY -> SaaS service
     • Endpoint DNS names are created:
       • 1 regional FQDN for the endpoint, e.g. vpce-….ec2.eu-west-1.vpce.amazonaws.com
       • 1 or more zonal FQDNs, one per Availability Zone, e.g. vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com and vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com
     • Security groups on the endpoint
     • Notifications
     • If Private DNS is enabled: CNAME api.example.com --> ALIAS vpce-xxxx.vpce-svc-xxxx.eu-west-1.vpce.amazonaws.com
  24. Packet walkthrough (1/2): DNS
     A client in the SaaS consumer account looks for the service api.example.com (alias).
     1. If Private DNS is enabled, the client requests endpoint resolution from the Route 53 private hosted zone
     2. The consumer forwards to the local IP 10.0.1.6 from source IP 10.0.1.8
     3. Traffic is sent to the service endpoint; the endpoint's ENI forwards the traffic to the provider
     (Diagram: consumer 10.10.1.8, endpoint ENI 10.10.1.6)
  25. Packet walkthrough (2/2): NAT
     4. The NLB does source NAT: source 10.0.1.8 is translated to source 172.31.1.60
     5. The app replies to 172.31.1.60 ("I am receiving traffic from 172.31.1.60")
     6. The NLB changes the source back to 10.10.1.6
     (Diagram: SaaS consumer account, Route 53 private hosted zone, 10.10.1.8 and 10.10.1.6)
  27. PrivateLink deployment types
     SaaS:
     • Silo
     • Bridge
     • Pool
     Within an organization:
     • Marketplace offers
     • Internal environments
     • Managed service providers
  28. SaaS deployment types: Silo
     One NLB and one endpoint service (service name com.amazonaws…) per customer; each customer's VPC endpoint has its own private IP (10.10.1.6, 10.10.2.6)
     • Expose custom addresses to customers
     • Expose only what's needed
     • Provider management can be shared: onboarding, management, operations, billing
  29. SaaS deployment types: Pool
     One NLB and one endpoint service shared by all customers; VPC endpoints with private IPs 10.10.1.6, 10.10.2.6 and 10.10.1.6 (two customers may use the same address)
     • Elasticity and agility of a shared infrastructure footprint
     • Custom addresses per customer with one set of infrastructure
     • Management, deployment, and operation are easier
     • One or more load balancers per shared service: API, front-end, resource
  30. SaaS deployment types: Bridge
     • Hybrid between pool and silo
     • Different service names
     (Diagram: two NLBs, each with its own endpoint service, service name com.amazonaws…; VPC endpoints with private IPs 10.10.1.6, 10.10.2.6 and 10.10.1.6)
  31. AWS SaaS Marketplace
     • Easily create secure endpoints
     • No public IP address
     • Curated SaaS products
     • Discoverability of the services when customers purchase SaaS on AWS Marketplace
  32. Marketplace: DNS vanity names
     Default names:
       Service base DNS name (service ID + region subdomain): vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
       Endpoint DNS names on the client side (VPC endpoint ID prefix): vpce-12345.vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com, vpce-67890.vpce-svc-1a2b3c4d.us-west-1.vpce.amazonaws.com
     Vanity names:
       Service vanity DNS name (region subdomain): us-east-1.vpce.myexample.com
       Endpoint DNS names on the client side (VPC endpoint ID prefix): vpce-12345.us-east-1.vpce.myexample.com, vpce-67890.us-west-1.vpce.myexample.com
  33. Internal environments
     (Diagram: one NLB and endpoint service, service name com.amazonaws…, consumed by VPC endpoints with private IPs 10.10.1.6 and 172.31.1.6)
  35. Reference architecture
     Provider SaaS VPC: CIDR in a provider-chosen range; NLB placed in every Availability Zone; service api.example.com
     Customer VPC: CIDR defined by the customer; customer-chosen Availability Zones with a VPC endpoint in each; Route 53 private hosted zone with CNAME api.example.com --> ALIAS vpce-xxxx.vpce-svc-xxxx.us-east-2.vpce.amazonaws.com
     Dedicated on-premises endpoint VPC: VPC endpoints that on-premises clients reach
     On-premises: connected over the WAN via AWS Direct Connect (any location, through a Direct Connect gateway) or a customer gateway VPN; the on-premises DNS server forwards api.example.com to AWS DNS so clients (10.x.x.x, 10.x.x.y) resolve the endpoint
  36. Connectivity options from on-premises
     (Diagram: on-premises -> load balancer / VPC endpoint with private IP 10.10.1.6 -> endpoint service, service name com.amazonaws…)
  38. Source IP address visibility: Proxy Protocol
     Because the NLB performs source NAT, the application sees traffic from 172.31.1.60; the Proxy Protocol v2 header carries the consumer's private source IP (10.0.1.8) and the ID of the VPC endpoint.
     Proxy Protocol v2 Type-Length-Value (TLV) vector:
       Field        Length (octets)   Description
       Type         1                 PP2_TYPE_AWS (0xEA)
       Length       2                 Length of the value
       Placeholder  1                 PP2_SUBTYPE_AWS_VPCE_ID (0x01)
       Value        variable          ID of the VPC endpoint
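Since the NLB's source NAT hides the consumer's address, the TLV on this slide is the provider application's only way to recover it. The parser below is an added example, not code from the talk or from AWS: it decodes a Proxy Protocol v2 header, extracts the AWS VPCE-ID TLV, and attributes the connection to a tenant by endpoint ID rather than by source IP (which can overlap between consumers in a pool deployment). The endpoint IDs, tenant map and sample header are constructed; `build_pp2_header` exists only to produce that sample.

```python
import ipaddress
import struct
# Proxy Protocol v2 constants: signature from the PPv2 spec, AWS TLV values as on the slide
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_AWS = 0xEA
PP2_SUBTYPE_AWS_VPCE_ID = 0x01

def build_pp2_header(src, dst, sport, dport, vpce_id):
    """Build a PPv2 header (v2 PROXY, IPv4/TCP) with the AWS VPCE-ID TLV. Used here only
    to construct sample input; in production the NLB prepends this to each connection."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
    body = addrs + struct.pack("!HH", sport, dport) + struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body

def parse_pp2_header(data):
    """Return (src_ip, src_port, dst_ip, dst_port, vpce_id, payload_offset).
    vpce_id is None if the AWS TLV is absent; malformed headers raise ValueError."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PPv2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21 or fam_proto != 0x11:  # only v2 PROXY over AF_INET/STREAM is handled
        raise ValueError("unsupported PPv2 command or address family")
    end = 16 + length
    if length < 12 or len(data) < end:
        raise ValueError("truncated PPv2 header")
    src, dst, sport, dport = struct.unpack("!4s4sHH", data[16:28])
    vpce_id, pos = None, 28
    while pos + 3 <= end:  # walk the TLV vector that follows the addresses
        tlv_type, tlv_len = struct.unpack("!BH", data[pos:pos + 3])
        if pos + 3 + tlv_len > end:
            raise ValueError("truncated TLV")
        value = data[pos + 3:pos + 3 + tlv_len]
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            vpce_id = value[1:].decode("ascii")
        pos += 3 + tlv_len
    return str(ipaddress.IPv4Address(src)), sport, str(ipaddress.IPv4Address(dst)), dport, vpce_id, end

# Constructed tenant map for a pool deployment (hypothetical endpoint IDs): endpoint ID -> customer
TENANTS = {"vpce-0123456789abcdef0": "customer-a"}
def identify_tenant(data, tenants=TENANTS):
    """Attribute a connection to a customer by VPC endpoint ID rather than source IP, since
    consumer address ranges may overlap. Returns (tenant, consumer_ip, application_payload)."""
    src, _sport, _dst, _dport, vpce_id, offset = parse_pp2_header(data)
    tenant = tenants.get(vpce_id)
    if tenant is None:
        raise PermissionError(f"connection from unknown endpoint {vpce_id!r} (consumer IP {src})")
    return tenant, src, data[offset:]

# Constructed sample: consumer 10.0.1.8 to endpoint ENI 10.0.1.6 (IPs from the packet walkthrough)
SAMPLE = build_pp2_header("10.0.1.8", "10.0.1.6", 40000, 443, "vpce-0123456789abcdef0") + b"GET / HTTP/1.1\r\n"
```

Proxy Protocol v2 has to be enabled on the NLB target group for the header to be present, and the application must consume the header (the returned offset) before reading the payload.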
  39. PrivateLink and cross-region peering: IP load balancing
     How do you handle global connectivity?
     • AWS PrivateLink now supports access over Inter-Region VPC Peering
     • The NLB uses an IP address in the peered region as a target
     (Diagram: application, us-east-1 and eu-west-1 joined by cross-region peering, two VPC endpoints)
  40. PrivateLink and cross-region peering: remote endpoints
     (Diagram: NLB and VPC endpoint in one region, a second VPC endpoint reached over cross-region peering between us-east-1 and eu-west-1)
  41. SSL offloading (diagram)
  42. Resource-based PrivateLink
     Can it be load balanced? Examples: database, logging service, enterprise application
     Solutions:
     • Use one NLB per resource
     • Use a single NLB with different listening ports, e.g. 10.1.1.100:8081 and 10.1.1.100:8082
  43. Services that initiate new connections to clients
     Provider services that need to initiate connections or have bidirectional connections:
     • Use VPC peering or a two-way PrivateLink design (a VPC endpoint in each direction)
  45. Snowflake: the data warehouse built for the cloud
  47. How Snowflake integrates with PrivateLink
     • Each customer is uniquely configured with an NLB in their region
     • PrivateLink is often a piece of a larger private communications requirement
     • VPC endpoint: create an interface VPC endpoint
     • Network Load Balancer: connect the endpoint to the network load balancer of the service of your choice
     • AWS VPN connection: give your VPN authorized access to services on AWS
     • AWS Direct Connect: give your on-premises resources access to services on AWS
     (Diagram: customer clients (JDBC/ODBC, programs, snowsql) and other systems on customer resources, an Amazon EC2 instance, the VPC endpoint and the NLB)
  49. Some quick background on ARC
     • $88.5 billion in ticket transactions
     • 287 million passenger trips
     • World's most comprehensive air ticket transaction data
     www.arccorp.com
  50. An easy choice
     • Data security is always top of mind.
     • No negative impact on how our products perform.
     • Implemented in a day.
  51. Sharing is simple (diagram)
  52. Thank you! Laura Caicedo, lauracai@amazon.com; Nick Matthews, nickmatt@amazon.com
