Tuesday, 15 September Chris Swan presented at the Brighton AWS user group on general VPCs configuration with Q&A. A talk on VPC configuration by Chris Swan http://www.meetup.com/members/16255701 Chris has been using AWS since it first started and has vast knowledge of the problems and best practices of configuring a system on this platform. Starts 8:00pm, going down the pub, the Lanes Brewery after.

1. Chris Swan, CTO, @cpswan
AWS VPC

2. © 2015
Why VPCs?

3. © 2015
VPCs
Containment of traffic
Layer 3 construct (not a VLAN)
Control over IP addressing
RFC1918
Instance private IP sustained over start/stop
Something to connect into
VPNs
Direct connect
Amazon was filling up the original 10.0.0.0/8 in US-East-1?

4. © 2015
VPCs are Region bounded
Subnets are Availability Zone (AZ) bounded

5. © 2015
VPCs are a regional construct
US-East-1
My VPC
172.31.0.0/16

6. © 2015
Subnets fit into availability zones
US-East-1 US-East-1E
My VPC
172.31.0.0/16
My Pub-1E
172.31.5.0/24

7. © 2015
Public subnets attach to the Internet via a gateway
US-East-1 US-East-1E
My VPC
172.31.0.0/16
My Pub-1E
172.31.5.0/24
IGW

8. © 2015
Private subnets aren’t Internet attached
US-East-1 US-East-1E
My VPC
172.31.0.0/16
My Pub-1E
172.31.5.0/24
IGW
My Priv-1E
172.31.6.0/24

9. © 2015
Private subnets can route out via a NAT VM
US-East-1 US-East-1E
My VPC
172.31.0.0/16
My Pub-1E
172.31.5.0/24
IGW
My Priv-1E
172.31.6.0/24
NAT

10. © 2015
In region redundancy across AZs
US-East-1 US-East-1EUS-East-1A
My VPC
172.31.0.0/16
My Pub-1E
172.31.5.0/24
IGW
My Priv-1E
172.31.6.0/24
NAT
My Pub-1A
172.31.1.0/24
IGW
My Priv-1A
172.31.2.0/24
NAT

11. © 2015
VPC interconnectivity

12. © 2015
VPC VPN gateways
US-East-1 US-East-1EUS-East-1A
My VPC
172.31.0.0/16
My Pub-1E
172.31.5.0/24
IGW
My Priv-1E
172.31.6.0/24
NAT
My Pub-1A
172.31.1.0/24
IGW
My Priv-1A
172.31.2.0/24
NAT
VPNVPN

13. © 2015
3rd Party VPN gateways
(e.g. Cohesive Networks VNS3)
US-East-1 US-East-1EUS-East-1A
My VPC
172.31.0.0/16
My Pub-1E
172.31.5.0/24
IGW
My Priv-1E
172.31.6.0/24
VPN
My Pub-1A
172.31.1.0/24
IGW
My Priv-1A
172.31.2.0/24
VPN

14. © 2015
Direct connect
US-East-1 US-East-1EUS-East-1A
My VPC
172.31.0.0/16
My Priv-1E
172.31.6.0/24
My Priv-1A
172.31.2.0/24
DCDC

15. © 2015
Secured Direct connect
US-East-1 US-East-1EUS-East-1A
My VPC
172.31.0.0/16
My Priv-1E
172.31.6.0/24
My Priv-1A
172.31.2.0/24
DCDC
VPNVPN

16. © 2015
VPC peering
US-East-1
My VPC
172.31.0.0/16
My other VPC
172.30.0.0/16

17. © 2015
Addressing

18. © 2015
VPC addresses
Must be RFC 1918
10.0.0.0
172.16-31.0.0
192.168.0.0
(Bring your own IPs by using overlay networks like VNS3)
Can’t be larger than a /16
Beware of defaults

19. © 2015
Public IPs
Can be auto assigned
Subnet will default to enabled or disabled
Can be overridden when launching instances
Not persistent
Elastic IPs (EIPs)
Region (not VPC) bounded
Reassignable between instances
Persistent
No tagging or unique identifier 

20. © 2015
Security

21. © 2015
Security groups
Apply at the instance level
May reference other groups
Can have multiple groups per instance
Act as whitelists of what can get through
Rules evaluated in aggregate
VPC bounded
Stateful
May use IETF protocol numbers in addition to TCP and UDP
e.g. IPsec, GRE

22. © 2015
ACLs
Apply at the subnet level
Allow and deny (blacklist)
Rules processed in order
Stateless

23. © 2015
If you want to learn more
On Slideshare (not by me):
AWS Summit London 2014 | From One to Many - Evolving VPC Design (400)
http://is.gd/AWSVPC