Securing your AWS Resources with Amazon VPC - AWS Summit 2012 - NYC

  1. Networking and Security: Securing Your AWS Resources with Amazon’s Virtual Private Cloud. Mark Ryland, Solutions Architect, AWS Public Sector team
  2. Agenda
     • Review: EC2 standard networking
       • Power and limits
     • EC2 networking with Virtual Private Cloud
       • Key concepts
       • New capabilities
       • Common use cases
     • DirectConnect and VPC
  3. EC2 Standard Networking
     • Distinct private/internal and public/external IPs
       • True 1:1 NAT (no port translation)
       • “Split-brained” DNS
     • Security groups control ingress
     • Elastic IPs: fixed public IPs
  4. EC2 instances are dynamically assigned private IP addresses from the one large internal Amazon IP address range. [Diagram: Internet; instances with 10.x.x.x addresses in Availability Zone 1a and Availability Zone 1b, belonging to Customer 1, Customer 2 and Customer 3]
  5. EC2 instances are dynamically assigned public IP addresses on the border network from Amazon’s public IP address blocks. [Diagram: the same instances as slide 4, each mapped 1:1 to a public address on the border network facing the Internet]
  6. Value and Limits of Standard Networking
     • Security groups
       • Ingress only
       • Limited dynamism
       • Different from subnet-based controls
       • Mental model issue
     • No private networking, DMZs, or NAT/PAT
     • No consistent / “fixed” IP addresses for instances
  7. Introducing AWS Virtual Private Cloud
     • User-defined virtual IP networking for EC2
     • Private or mixed private/public addressing and ingress/egress
     • Re-use of proven and well-understood networking concepts and technologies
  8. VPC Capabilities in a Nutshell
     • User-defined address space up to /16
     • Up to 20* user-defined subnets up to /16
     • User-defined:
       • Virtual routing, DHCP servers, and NAT instances
       • Internet gateways, private gateways, customer gateways, and VPN tunnels
     • Private IPs stable once assigned
     • Elastic Network Interfaces
  9. VPC customers can launch instances in their own isolated network. [Diagram: the shared EC2 address range of slide 4, with a separate isolated network for the VPC Customer]
  10. VPC customers can launch instances in their own isolated network. You can assign your own IP range to the VPC network. [Diagram: instances with customer-assigned 10.0.x.x addresses in Availability Zone 1a and Availability Zone 1b, VPC Customer]
  11. Instances can belong to different subnets. [Diagram: the instances of slide 10 grouped into three VPC Subnets across Availability Zones 1a and 1b]
  12. Add access control lists to your subnets. [Diagram: the three VPC Subnets of slide 11, each with its own access control list]
  13. Add a Virtual Private Gateway to your VPC to make it an extension of your datacenter. All traffic to and from the VPC traverses the VPN Connection. [Diagram: VPC Subnets in Availability Zones 1a and 1b, Virtual Private Gateway, VPN Connection, Customer Gateway, Customer Data Center]
  14. Add an Internet Gateway to let instances talk directly to the Internet. [Diagram: slide 13 plus an Internet Gateway between the VPC and the Internet]
  15. Enhanced Security Capabilities
     • Network topology, routing, and subnet ACLs
     • Security group enhancements
       • Egress control; dynamic (re)assignment; richer protocol support
     • Multiple network interfaces per instance
     • Completely private networking via VPN
     • Support for dedicated instances
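The “mental model” difference the deck raises (slide 6) between subnet ACLs (slide 12) and VPC security groups with egress control (slide 15) is easiest to see in a small simulation. The following is an added example, not code from the presentation or from AWS: it models a subnet ACL as an ordered, stateless rule list and a security group as a stateful allow-list with separate egress rules, using constructed addresses (a web host in a DMZ subnet, a database host in a private subnet, an Internet client) and a simplified port match that ignores ICMP types.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# direction: "in" = toward the instance, "out" = from the instance
Packet = namedtuple("Packet", "direction src dst proto sport dport")
def _match(proto, cidr, lo, hi, peer, pkt):
    return proto in ("-1", pkt.proto) and ip_address(peer) in ip_network(cidr) and lo <= pkt.dport <= hi

# Network ACL: attached to a subnet, stateless, rules evaluated in ascending rule-number
# order, first match wins, implicit deny when nothing matches.
# Rule tuple: (number, direction, proto, cidr, port_lo, port_hi, action)
def nacl_decision(rules, pkt):
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    for _num, direction, proto, cidr, lo, hi, action in sorted(rules):
        if direction == pkt.direction and _match(proto, cidr, lo, hi, peer, pkt):
            return action
    return "deny"

# Security group: attached to the instance, stateful, allow rules only; in VPC it also has an
# egress rule set. Replies to an admitted flow are tracked and admitted without a matching rule.
class SecurityGroup:
    def __init__(self, ingress, egress):      # rules: (proto, cidr, port_lo, port_hi)
        self.ingress, self.egress, self.flows = ingress, egress, set()
    def allows(self, pkt):
        local, lport, peer, pport = ((pkt.dst, pkt.dport, pkt.src, pkt.sport) if pkt.direction == "in"
                                     else (pkt.src, pkt.sport, pkt.dst, pkt.dport))
        flow = (local, lport, peer, pport, pkt.proto)
        if flow in self.flows:
            return True                       # reply to a tracked flow
        for proto, cidr, lo, hi in (self.ingress if pkt.direction == "in" else self.egress):
            if _match(proto, cidr, lo, hi, peer, pkt):
                self.flows.add(flow)
                return True
        return False

# Constructed scenario: web host in a DMZ subnet, DB host in a private subnet, Internet client.
WEB, DB, CLIENT = "10.0.1.5", "10.0.2.10", "203.0.113.9"
DMZ_NACL = [(100, "in",  "tcp", "0.0.0.0/0",  443, 443,   "allow"),   # HTTPS from anywhere
            (100, "out", "tcp", "0.0.0.0/0", 1024, 65535, "allow")]   # replies to clients' ephemeral ports
WEB_SG = SecurityGroup(ingress=[("tcp", "0.0.0.0/0", 443, 443)],
                       egress=[("tcp", "10.0.2.0/24", 3306, 3306)])   # egress: MySQL to the DB subnet only
https_in  = Packet("in",  CLIENT, WEB, "tcp", 51234, 443)
https_out = Packet("out", WEB, CLIENT, "tcp", 443, 51234)
db_out    = Packet("out", WEB, DB, "tcp", 40001, 3306)
http_out  = Packet("out", WEB, "198.51.100.7", "tcp", 40002, 80)      # unexpected outbound fetch

def demo():
    return {"nacl_in": nacl_decision(DMZ_NACL, https_in),                    # allow
            "nacl_reply": nacl_decision(DMZ_NACL, https_out),                # allow, via the ephemeral rule
            "nacl_reply_stateless": nacl_decision(DMZ_NACL[:1], https_out),  # deny: NACLs keep no state
            "sg_in": WEB_SG.allows(https_in), "sg_reply": WEB_SG.allows(https_out),  # True, True
            "sg_db": WEB_SG.allows(db_out), "sg_http": WEB_SG.allows(http_out)}      # True, False
```

Dropping the outbound ephemeral-port rule silently breaks every HTTPS reply at the subnet boundary, while the security group admits the reply on its own; the egress rule set is what stops the web host from opening arbitrary outbound connections.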
  16. Common Use Cases
     • Mixing public and private resources
       • E.g., web-facing hosts with DMZ subnets, control plane subnets
     • Workloads that expect fixed IPs and/or multiple NICs
     • AWS cloud as private extension of on-premises network
       • Accessible from on-premises hosts
       • No change to addressing
       • No change to Internet threat/risk posture
  17. Rich Capabilities in VPC
     • ELB, AutoScaling, and CloudWatch
     • Relational Database Service (MySQL engine, for now)
     • Elastic MapReduce
     • CloudFormation
     • And many others, with more to come…
     • “Blackbox” services with public endpoints reachable via Internet gateway (or VPN)
  18. DirectConnect: Private X-Connect to AWS
     • Dedicated bandwidth to AWS border network in 1 Gbps or 10 Gbps chunks
     • Full access to public endpoints, EC2 standard, VPCs
       • VLAN tagging maps to public side or VPCs
     • Benefits:
       • Faster / more consistent throughput
       • Increased isolation and control
     • Great companion technology to VPC
  19. Networking and Security: Securing Your AWS Resources with Amazon’s Virtual Private Cloud. Questions and answers