Using Virtual Private Cloud (vpc)

From the APAC Webinar 201 Series

  • Are you currently using AWS Services?
  • Short on power
  • Short on space
  • Need more processing capacity
  • Have some new ideas you want to try
  • Are you currently using AWS VPC? What are you using, or planning on using, AWS VPC services for? Public facing application / Internal facing application / Both
  • “User-defined” is important because it can be a private OR a public address space. If public, it must be routed to/from the customer gateway / VPN tunnel.
  • 65,536. Slide 18: should be 65,536 IP addresses (256 x 256). We reserve the first 4 and the last 1 in each range.
  • Each instance that you launch into a default VPC receives both a public IP address and a private IP address. Each instance also receives both public and private DNS hostnames. A default VPC is like any other VPC; you can add subnets, modify the main route table, add additional route tables, associate additional security groups, update the rules of the default security group, and add VPN connections. You can also create additional VPCs. A default subnet is like any other subnet; you can add custom route tables and set network ACLs. You can also specify a default subnet when you launch an EC2 instance.
    Default subnets: the CIDR block for a default VPC is always 172.31.0.0/16. This provides up to 65,536 private IP addresses. The netmask for a default subnet is always /20, which provides up to 4,096 addresses per subnet, a few of which are reserved for our use. By default, a default subnet is a public subnet, because the main route table sends the subnet's traffic that is destined for the Internet to the Internet gateway. You can make a default subnet a private subnet by removing the route from the destination 0.0.0.0/0 to the Internet gateway. However, if you do this, any EC2 instance running in that subnet can't access the Internet or other AWS products, such as Amazon Simple Storage Service (Amazon S3).
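As an added worked example (not part of the webinar deck and not AWS code), the following Python script reproduces the address arithmetic from the notes above: a /16 VPC holds 65,536 addresses, a /20 default subnet holds 4,096, and the first four and the last address of every subnet are reserved, leaving 4,091 usable. It also checks a custom subnet plan against the VPC range, rejects overlapping subnets, and enforces the 200-subnet-per-VPC limit quoted later in the deck. The custom subnet CIDRs fed to it are constructed sample values.

```python
"""VPC address-plan arithmetic (added example, not from the webinar deck).

Models the figures in the speaker notes: a /16 VPC has 65,536 addresses,
a /20 default subnet has 4,096, and AWS keeps back the first four and the
last address of every subnet. The 200-subnet ceiling is the one quoted on
the "VPC Capabilities in a Nutshell" slide. Standard library only.
"""
import ipaddress

RESERVED_AT_START = 4       # first four addresses of each subnet (reserved by AWS)
RESERVED_AT_END = 1         # last address of each subnet (reserved by AWS)
MAX_SUBNETS_PER_VPC = 200   # limit quoted on the capabilities slide


def plan_subnets(vpc_cidr, subnet_prefix):
    """Carve the VPC into equal subnets; refuse plans that exceed the limit."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if subnet_prefix < vpc.prefixlen or subnet_prefix > 32:
        raise ValueError("subnet prefix must lie between the VPC prefix and /32")
    count = 2 ** (subnet_prefix - vpc.prefixlen)
    if count > MAX_SUBNETS_PER_VPC:
        raise ValueError(f"{count} subnets exceeds the {MAX_SUBNETS_PER_VPC} per-VPC limit")
    return list(vpc.subnets(new_prefix=subnet_prefix))


def usable_hosts(subnet):
    """Addresses an instance can actually be given in one subnet."""
    return subnet.num_addresses - RESERVED_AT_START - RESERVED_AT_END


def reserved_addresses(subnet):
    """The concrete addresses AWS keeps back in a subnet, as strings."""
    head = [str(subnet[i]) for i in range(RESERVED_AT_START)]
    tail = [str(subnet[-1])]
    return head + tail


def validate_custom_subnets(vpc_cidr, subnet_cidrs):
    """Return a list of problems: subnets outside the VPC or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def default_vpc_summary():
    """Figures for the default VPC: 172.31.0.0/16 cut into /20 subnets."""
    subnets = plan_subnets("172.31.0.0/16", 20)
    return {
        "vpc_addresses": ipaddress.ip_network("172.31.0.0/16").num_addresses,
        "subnet_count": len(subnets),
        "addresses_per_subnet": subnets[0].num_addresses,
        "usable_per_subnet": usable_hosts(subnets[0]),
        "first_subnet_reserved": reserved_addresses(subnets[0]),
    }


if __name__ == "__main__":
    for key, value in default_vpc_summary().items():
        print(f"{key}: {value}")
    # Constructed sample plan: one subnet outside the VPC and two that overlap.
    for problem in validate_custom_subnets(
            "10.0.0.0/16", ["10.0.0.0/24", "10.0.0.128/25", "10.1.0.0/24"]):
        print("problem:", problem)
```

Running it shows that the default VPC yields 16 subnets of 4,096 addresses with 4,091 usable each, and that the reserved addresses of the first subnet are 172.31.0.0 through 172.31.0.3 plus 172.31.15.255; asking for /24 subnets of a /16 (256 of them) is rejected by the subnet-count check.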

    1. APAC Webinar Series | AWS 201: Using Virtual Private Cloud (VPC). Joseph Ziegler, Technical Evangelist, zieglerj@amazon.com, @jiyosub
    2. Before we Start
    3. What if you could extend into the cloud easily and securely?
    4. You Can! (diagram: Corporate Data Center linked to Amazon VPC)
    5. Agenda
       • What is Virtual Private Cloud (VPC)
       • Common VPC Patterns
       • Case Study
       • Demos
       • VPC by Default
    6. 2 Questions
    7. What is VPC?
    8. Making the Connection…
    9. Introducing AWS Virtual Private Cloud
       • User-defined virtual IP networking for EC2
       • Private or mixed private/public addressing and secured ingress/egress
       • Re-use of proven and well-understood networking concepts and technologies
    10. Benefits of Using VPC
       • Assign static private IP addresses to your instances that persist across starts and stops
       • Assign multiple IP addresses to your instances
       • Define network interfaces, and attach one or more network interfaces to your instances
       • Change security group membership for your instances while they're running
       • Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)
       • Add an additional layer of access control to your instances in the form of network access control lists (ACL)
       • Run your instances on single-tenant hardware
    11. New Enterprise IT Network Architecture (diagram: Corporate Data Center, Corporate Headquarters and Branch Offices reach an Amazon VPC in an AWS Region through a Customer Gateway / VPN Gateway (BGP or no BGP) and a 10G DirectConnect location; the VPC spans Availability Zone 1 and Availability Zone 2 with a Private Subnet, a Public Subnet, a Router and an Internet Gateway; S3, SQS/SNS/SES, SWF, SimpleDB, DynamoDB and Elastic Beanstalk sit alongside in the Region)
    12. VPC Capabilities in a Nutshell
       • User-defined address space up to /16 (65,536 addresses)
       • Up to 200 user-defined subnets, each up to /16
       • User-defined virtual routing, DHCP servers, and NAT instances
       • User-defined Internet gateways, ACLs, ingress/egress security groups and VPN tunnels
       • Private IPs stable once assigned
       • Elastic Network Interfaces
    13. VPC customers can launch instances in their own isolated network (diagram: Customer 1, Customer 2, Customer 3 and a VPC customer, each with instances in Availability Zone a and Availability Zone b, all reached from the Internet; the instances carry assorted 10.x.x.x addresses such as 10.134.2.3, 10.1.2.3 and 10.218.5.17)
    14. You can assign your own IP range to the VPC network (diagram: the VPC customer's instances now carry contiguous addresses such as 10.0.0.5, 10.0.0.6, 10.0.1.5, 10.0.1.6, 10.0.1.8, 10.0.1.25, 10.0.3.5 and 10.0.3.17 across Availability Zone a and Availability Zone b)
    15. Rich Capabilities in VPC
       • Elastic Load Balancer, AutoScaling, CloudWatch, Alarms
       • Relational Database Service
       • Elastic MapReduce
       • CloudFormation
       • Cluster Compute
       • ElastiCache
       • Elastic Beanstalk
       • And more
    16. VPN Connectivity Options
       • Hardware VPN - $0.05 per VPN Connection Hour ($36 per month)
       • Cisco, Juniper, Yamaha, Astaro, Fortinet, Vyatta, etc (even a Windows 2008 R2 instance)
       • Now supports both BGP & static routing
       • Setup via the console
       • Runs two VPN tunnels by default from your router to cater for routine maintenance
       • Up to 10 VPNs per VPC
    17. DirectConnect: Private X-Connect to AWS
       • Dedicated bandwidth to AWS border network in 1Gbps or 10Gbps chunks
       • Full access to public endpoints, EC2 standard & VPCs
       • VLAN tagging maps to public side or VPCs
       • Benefits: faster / more consistent throughput; increased isolation and control
       • Great companion technology to VPC
    18. Dedicated Instances
       • Option to ensure physical hosts are not shared with other customers (Single Tenant Compute Instance)
       • $10/hr flat fee per Region + small hourly charge
       • Can identify specific Instances as dedicated
       • Optionally configure entire VPC as dedicated
    19. Common VPC Patterns
    20. Models of Data Centre Extension
       • Isolated project
       • Expand existing systems into the cloud – no public exposure
       • Expose systems to the public - hosted in the cloud
       • Branch office access
    21. Isolated Project
       • Dev/Test
       • Proof of Concept
       • “Fail Fast” projects
       • Time bound/ephemeral
       • No need for internal system access of resources
       (diagram: Corporate Users behind a Router & Firewall, separate from AWS)
    22. Extending Existing Systems Into The Cloud
       • Leverage additional processing nodes
       • Host entire stack in the cloud with secure LAN/WAN access – e.g. SharePoint, CMS, CRM, etc
       • Dev/Test
       • Disaster Recovery
       • Big Data analysis
       • Use existing management tools
       • No Internet access to systems
       (diagram: Corporate data centre with Corporate Users and a Router & Firewall, VPN Connection to AWS)
    23. Expanding Systems Into The Cloud, with Public Internet Access
       • Enable access by customers/partners to systems
       • Enable internal systems to be involved and accessed by applications
       • Secure segregation of components and network access
       (diagram: Corporate data centre with Corporate Users and a Router & Firewall, VPN Connection to AWS; Customers/Partners reach AWS directly)
    24. Branch Office Access
       • Enabling remote users & offices to have secure access to resources
       • Centralised systems with minimal infrastructure
       (diagram: three Branch Office Users sites, each behind a Router & Firewall with its own VPN Connection to AWS)
    25. Case Study
    26. 15 Daily Newspapers; 50 Web Sites; 62 MM unique users per month; Over 1 Billion page views per month
    27. NYTimes EC2 Expansion (April 2011): Amazon EC2 (courtesy NYTimes)
    28. NYTimes EC2 Expansion (April 2011): Amazon EC2 (courtesy NYTimes)
    29. Demos & Examples
    30. Example: SharePoint with On-Premises Active Directory
    31. Extra Good Technical Stuff!
       Elastic Network Interfaces
       • Maintain the state of a network interface separately from the lifecycle of an instance
       • Enable same instance to be part of multiple subnets
       • Static MAC address, etc
       • Up to 8 ENIs depending on instance size
       Multi-IP
       • Relies on ENI
       • Up to 30 addresses per ENI
       • Private & Public addresses
       DHCP Option Sets
       • Specify your own domain name for instances
       • Specify your own DNS & NTP
       And lots more!!
    32. VPC by Default
    33. VPC Platforms: EC2-Classic, Nondefault VPC, Default VPC
    34. Existing Customers
    35. New Customers
    36. Characteristic | EC2-Classic | Default VPC | Nondefault VPC
       Public IP address | EC2-Classic: your instance receives a public IP address. | Default VPC: your instance launched in a default subnet receives a public IP address. | Nondefault VPC: your instance doesn't receive a public IP address.
       Private IP address | EC2-Classic: your instance receives a private IP address from the EC2-Classic range each time it's started. | Default VPC: your instance receives a static private IP address from the address range of your default VPC. | Nondefault VPC: your instance receives a static private IP address from the address range of your VPC.
       Multiple IP addresses | EC2-Classic: you can assign a single IP address to your instance. | Default VPC: you can assign multiple IP addresses to your instance. | Nondefault VPC: you can assign multiple IP addresses to your instance.
       Elastic IP address | EC2-Classic: an EIP is disassociated from your instance when you stop it. | Default VPC: an EIP remains associated with your instance when you stop it. | Nondefault VPC: an EIP remains associated with your instance when you stop it.
       DNS hostnames | EC2-Classic: DNS hostnames are enabled by default. | Default VPC: DNS hostnames are enabled by default. | Nondefault VPC: DNS hostnames are disabled by default.
       Security group | EC2-Classic: a security group can reference security groups that belong to other AWS accounts. | Default VPC: a security group can reference security groups for your VPC only. | Nondefault VPC: a security group can reference security groups for your VPC only.
       Security group association | EC2-Classic: you must terminate your instance to change its security group. | Default VPC: you can change the security group of your running instance. | Nondefault VPC: you can change the security group of your running instance.
       Security group rules | EC2-Classic: you can add rules for inbound traffic only. | Default VPC: you can add rules for inbound and outbound traffic. | Nondefault VPC: you can add rules for inbound and outbound traffic.
       Tenancy | EC2-Classic: your instance runs on shared hardware. | Default VPC: you can run your instance on shared hardware or single-tenant hardware. | Nondefault VPC: you can run your instance on shared hardware or single-tenant hardware.
    37. Default VPC
       • Create a default subnet in each Availability Zone.
       • Create an Internet gateway and connect it to your default VPC.
       • Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet to the Internet gateway.
       • Create a default security group and associate it with your default VPC.
       • Create a default network access control list (ACL) and associate it with your default VPC.
       • Associate the default DHCP options set for your AWS account with your default VPC.
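As an added example (not from the deck and not AWS code), the Python below models the rule stated in the speaker notes and on the "Default VPC" slide: a subnet is public when its route table sends 0.0.0.0/0 to the Internet gateway, and removing that route makes it private, which leaves external destinations (the Internet, S3) with no route at all. The route tables are constructed, the gateway IDs are placeholders, and longest-prefix match is used as the lookup rule; the hybrid table additionally shows why a VPN route for 10.0.0.0/8 does not capture traffic for the VPC's own 10.0.0.0/16.

```python
"""Route-table model behind the "public vs private subnet" rule (added example,
not from the webinar deck). Assumed representation: a route table is a list of
(destination CIDR, target) pairs, the VPC's own range routes to "local", an
Internet gateway target is named "igw-..." and a virtual private gateway
"vgw-...". The gateway IDs below are placeholders. Lookup is longest-prefix
match, which is how a VPC route table selects a route.
"""
import ipaddress

# Constructed main route table of a default VPC, as the Default VPC slide
# describes it: the VPC range stays local, everything Internet-bound goes to the IGW.
DEFAULT_MAIN_ROUTE_TABLE = [
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),
]

# Constructed table for a VPC that also has a VPN back to a corporate 10/8 network.
HYBRID_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("10.0.0.0/8", "vgw-PLACEHOLDER"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),
]


def lookup(route_table, destination):
    """Return the target of the most specific route covering destination, or None."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(route_table):
    """A subnet is public when its table sends 0.0.0.0/0 to an Internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


def remove_default_route(route_table):
    """The change the notes describe: drop the 0.0.0.0/0 route to make the subnet private."""
    return [(cidr, target) for cidr, target in route_table if cidr != "0.0.0.0/0"]


def classify_subnets(subnet_tables):
    """Map each subnet CIDR to 'public' or 'private' from its associated route table."""
    return {cidr: ("public" if is_public(table) else "private")
            for cidr, table in subnet_tables.items()}


if __name__ == "__main__":
    private_table = remove_default_route(DEFAULT_MAIN_ROUTE_TABLE)
    print("default subnet public?", is_public(DEFAULT_MAIN_ROUTE_TABLE))
    print("after removing 0.0.0.0/0 public?", is_public(private_table))
    # An external address (203.0.113.7 is a documentation address) has no route
    # once the default route is gone, so the Internet and S3 become unreachable.
    print("203.0.113.7 via default table:", lookup(DEFAULT_MAIN_ROUTE_TABLE, "203.0.113.7"))
    print("203.0.113.7 via private table:", lookup(private_table, "203.0.113.7"))
    # Longest-prefix match: 10.5.5.5 goes over the VPN, 10.0.3.4 stays local.
    print("10.5.5.5 via hybrid:", lookup(HYBRID_ROUTE_TABLE, "10.5.5.5"))
    print("10.0.3.4 via hybrid:", lookup(HYBRID_ROUTE_TABLE, "10.0.3.4"))
    print(classify_subnets({"172.31.0.0/20": DEFAULT_MAIN_ROUTE_TABLE,
                            "172.31.16.0/20": private_table}))
```

The classification is deliberately based only on the route table, because that is the whole definition given in the notes: neither the security group nor the network ACL decides whether a subnet is public.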
    38. Next Steps
       • http://aws.amazon.com/vpc/
       • http://aws.amazon.com/free/
       • http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/
    39. AWS Summits: Sydney | April 24; Mumbai | June 25; Delhi | June 27; Bangalore | July 5; Singapore | July 18. http://amzn.to/UIdArf
    40. AWS Summits: Canberra | May 23; Auckland | May 30. http://amzn.to/ZWjox2
    41. Survey: Please fill out the survey at the end for $25 USD in AWS Credits
    42. Thank you. aws.amazon.com/vpc. Joseph Ziegler, Technical Evangelist, zieglerj@amazon.com, @jiyosub
