
Chris Swan's VPC presentation from the Brighton AWS user group


On Tuesday, 15 September, Chris Swan presented to the Brighton AWS user group on general VPC configuration, with Q&A.

A talk on VPC configuration by Chris Swan
http://www.meetup.com/members/16255701

Chris has been using AWS since it first started and has vast knowledge of the problems and best practices of configuring a system on this platform.

Starts 8:00pm; going down the pub (the Lanes Brewery) after.


  1. AWS VPC. Chris Swan, CTO, @cpswan (© 2015)
  2. Why VPCs?
  3. VPCs
     - Containment of traffic
     - Layer 3 construct (not a VLAN)
     - Control over IP addressing (RFC 1918)
     - Instance private IP sustained over start/stop
     - Something to connect into: VPNs, Direct Connect
     - Amazon was filling up the original 10.0.0.0/8 in US-East-1?
  4. VPCs are Region bounded; subnets are Availability Zone (AZ) bounded
  5. VPCs are a regional construct
     [Diagram: US-East-1 containing "My VPC" 172.31.0.0/16]
  6. Subnets fit into availability zones
     [Diagram: "My Pub-1E" 172.31.5.0/24 in US-East-1E, inside My VPC 172.31.0.0/16]
  7. Public subnets attach to the Internet via a gateway
     [Diagram: as slide 6, with My Pub-1E attached to an Internet gateway (IGW)]
  8. Private subnets aren't Internet attached
     [Diagram: adds "My Priv-1E" 172.31.6.0/24 in US-East-1E, with no IGW]
  9. Private subnets can route out via a NAT VM
     [Diagram: My Priv-1E routes out through a NAT instance in My Pub-1E, which holds the IGW]
  10. In-region redundancy across AZs
     [Diagram: the same public/private pair repeated in US-East-1A: "My Pub-1A" 172.31.1.0/24 with an IGW and "My Priv-1A" 172.31.2.0/24 behind its own NAT]
  11. VPC interconnectivity
  12. VPC VPN gateways
     [Diagram: the two-AZ VPC of slide 10 with a VPN attachment in each AZ]
  13. 3rd party VPN gateways (e.g. Cohesive Networks VNS3)
     [Diagram: as slide 10, with the NAT instances replaced by VPN instances in the public subnets]
  14. Direct Connect
     [Diagram: My Priv-1E 172.31.6.0/24 and My Priv-1A 172.31.2.0/24 reached over a Direct Connect (DC) link per AZ; no IGW]
  15. Secured Direct Connect
     [Diagram: as slide 14, with a VPN running over each Direct Connect link]
  16. VPC peering
     [Diagram: US-East-1, "My VPC" 172.31.0.0/16 peered with "My other VPC" 172.30.0.0/16]
  17. Addressing
  18. VPC addresses
     - Must be RFC 1918: 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x to 172.31.x.x), 192.168.0.0/16
     - (Bring your own IPs by using overlay networks like VNS3)
     - Can't be larger than a /16 (or smaller than a /28)
     - Beware of defaults (the default VPC is 172.31.0.0/16, the range used throughout this deck)
  19. Public IPs
     - Can be auto-assigned
     - Subnet will default to enabled or disabled; can be overridden when launching instances
     - Not persistent
     Elastic IPs (EIPs)
     - Region (not VPC) bounded
     - Reassignable between instances
     - Persistent
     - No tagging or unique identifier (VPC EIPs do carry an allocation ID; EC2-Classic EIPs are known only by their address)
  20. Security
  21. Security groups
     - Apply at the instance level
     - May reference other groups
     - Can have multiple groups per instance
     - Act as whitelists of what can get through (allow rules only, no deny)
     - Rules evaluated in aggregate across all attached groups
     - VPC bounded
     - Stateful (replies to allowed traffic are let through without a rule)
     - May use IETF protocol numbers in addition to TCP and UDP, e.g. IPsec (ESP/AH), GRE
  22. ACLs
     - Apply at the subnet level
     - Allow and deny (blacklist)
     - Rules processed in order: lowest rule number first, first match wins, implicit deny at the end
     - Stateless (return traffic needs its own rule, typically on the ephemeral port range)
  23. If you want to learn more
     On SlideShare (not by me): AWS Summit London 2014 | From One to Many - Evolving VPC Design (400) http://is.gd/AWSVPC
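The layout built up on slides 5 to 10 (a /16 VPC, a public and a private subnet per AZ, public subnets defaulting to the IGW, private subnets to a NAT in the same AZ) and the addressing rules on slides 16 and 18 can be checked mechanically. The following is an added example written for this page, not Chris Swan's code or anything from the deck; the function names (check_vpc_cidr, plan_vpc) are mine, the subnet names and CIDRs are taken from the slides as sample input, and the /16 to /28 limit, the five addresses AWS reserves per subnet, and the "NAT in the same AZ" rule are assumptions stated in the comments.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges; the deck's "172.16-31.0.0" is the 172.16.0.0/12 block.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_vpc_cidr(cidr):
    """Return the network, or raise ValueError saying why it is not a usable VPC CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if net.version != 4:
        raise ValueError(f"{cidr}: VPC primary CIDR must be IPv4")
    if not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{cidr}: not an RFC 1918 range")
    if not 16 <= net.prefixlen <= 28:               # assumption: AWS limit of /16 to /28
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net

@dataclass
class Subnet:
    name: str
    cidr: ipaddress.IPv4Network
    az: str
    public: bool
    default_route: str = ""   # filled in by plan_vpc: "igw" or "nat:<public subnet name>"

def plan_vpc(vpc_cidr, subnet_specs, peers=()):
    """subnet_specs: (name, cidr, az, public) tuples; peers: CIDRs of VPCs this one will peer with."""
    vpc = check_vpc_cidr(vpc_cidr)
    for p in peers:   # peering only works between VPCs whose CIDRs do not overlap
        if vpc.overlaps(ipaddress.ip_network(p)):
            raise ValueError(f"{vpc} overlaps peer VPC {p}; peering would be unroutable")
    subnets = []
    for name, cidr, az, public in subnet_specs:
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} {net} is outside the VPC {vpc}")
        for s in subnets:
            if net.overlaps(s.cidr):
                raise ValueError(f"{name} {net} overlaps {s.name} {s.cidr}")
        subnets.append(Subnet(name, net, az, public))
    for s in subnets:
        if s.public:
            s.default_route = "igw"   # 0.0.0.0/0 via the Internet gateway
        else:
            # Design choice: a private subnet's NAT lives in a public subnet of the same AZ,
            # so losing one AZ does not take the other AZ's outbound path with it.
            nat_home = next((p for p in subnets if p.public and p.az == s.az), None)
            if nat_home is None:
                raise ValueError(f"{s.name}: no public subnet in {s.az} to host its NAT")
            s.default_route = f"nat:{nat_home.name}"
    return {s.name: s for s in subnets}

def usable_hosts(net):
    """Assumption: AWS reserves the first four and the last address of every subnet."""
    return net.num_addresses - 5

def rejects(fn, *args):
    """True if the planner refuses the input (used to show the failure cases)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Sample input taken from the deck's diagrams (slides 6 to 10).
DECK_LAYOUT = [("My Pub-1A", "172.31.1.0/24", "us-east-1a", True),
               ("My Priv-1A", "172.31.2.0/24", "us-east-1a", False),
               ("My Pub-1E", "172.31.5.0/24", "us-east-1e", True),
               ("My Priv-1E", "172.31.6.0/24", "us-east-1e", False)]

if __name__ == "__main__":
    for s in plan_vpc("172.31.0.0/16", DECK_LAYOUT, peers=["172.30.0.0/16"]).values():
        print(f"{s.name:11} {s.cidr} {s.az} default -> {s.default_route} ({usable_hosts(s.cidr)} usable)")
```

The planner rejects a publicly routable CIDR, a /8, a /29, a subnet outside the VPC, two overlapping subnets, a private subnet in an AZ that has no public subnet to host its NAT, and a peer VPC whose range collides (the "beware of defaults" case: two accounts both on the default 172.31.0.0/16 cannot peer).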
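Slides 21 and 22 list the differences between security groups and network ACLs; the one that bites in practice is stateful versus stateless. The simulator below is an added example for this page, not Chris Swan's code or an AWS implementation: it models just enough of both evaluators (aggregate allow-only rules with connection tracking for security groups; numbered, first-match, allow/deny rules with no tracking for ACLs) to show a reply being admitted by a security group with no egress rule, the same reply being dropped by an ACL that only mirrors the inbound rule, a group reference, and a deny rule that only works if numbered below the allow. The addresses, group ids and rules are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Every address, group id and rule below is constructed for the demo.

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the instance) or "out" (from the instance)
    proto: str       # "tcp", "udp", or an IANA protocol number as a string ("50" = ESP, "47" = GRE)
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str             # "tcp", "udp", "-1" (all protocols) or a protocol number as a string
    port_from: int
    port_to: int
    peer: str              # a CIDR; security group rules may instead name another group ("sg-...")
    action: str = "allow"  # network ACL rules may also be "deny"; security group rules are allow-only
    number: int = 0        # network ACL rule number (evaluation order); unused by security groups

def matches(rule, pkt, membership=None):
    """Does this rule cover this packet? membership maps address -> set of group ids."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "-1":
        if rule.proto != pkt.proto:
            return False
        # only TCP/UDP rules carry a port range; an ESP or GRE rule matches on protocol number alone
        if pkt.proto in ("tcp", "udp") and not (rule.port_from <= pkt.dport <= rule.port_to):
            return False
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    if rule.peer.startswith("sg-"):
        return rule.peer in (membership or {}).get(peer, set())
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.peer)

class SecurityGroups:
    """Instance level, stateful, whitelist only: rules of all attached groups are evaluated in
    aggregate, and the reply to an allowed flow is permitted without any matching rule."""
    def __init__(self, rules, membership):
        self.rules, self.membership = list(rules), membership
        self.flows = set()   # connection tracking: (proto, src, sport, dst, dport)

    def allows(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True      # reply to a tracked flow: allowed by state, not by a rule
        if any(matches(r, pkt, self.membership) for r in self.rules):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False         # no allow rule matched: implicit deny

class NetworkACL:
    """Subnet level, stateless: lowest rule number first, first match wins, implicit deny at the
    end. Nothing is tracked, so return traffic needs its own rule (ephemeral ports)."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt):
        for r in self.rules:
            if matches(r, pkt):
                return r.action == "allow"
        return False

# Web instance 172.31.5.10 in the public subnet; its group has had the default egress rule removed.
MEMBERSHIP = {"172.31.5.10": {"sg-web"}, "172.31.6.20": {"sg-app"}}
WEB_SG = [Rule("in", "tcp", 443, 443, "0.0.0.0/0")]
APP_SG = [Rule("in", "tcp", 8080, 8080, "sg-web")]   # only members of sg-web may reach the app tier

CLIENT_IN = Packet("in", "tcp", "203.0.113.7", 51515, "172.31.5.10", 443)
REPLY_OUT = Packet("out", "tcp", "172.31.5.10", 443, "203.0.113.7", 51515)
FRESH_OUT = Packet("out", "tcp", "172.31.5.10", 40000, "198.51.100.9", 80)
WEB_TO_APP = Packet("in", "tcp", "172.31.5.10", 40001, "172.31.6.20", 8080)
OTHER_TO_APP = Packet("in", "tcp", "172.31.6.21", 40002, "172.31.6.20", 8080)

# Common mistake: mirroring the inbound 443 rule on egress instead of allowing ephemeral ports.
NARROW_ACL = [Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
              Rule("out", "tcp", 443, 443, "0.0.0.0/0", number=100)]
FIXED_ACL = NARROW_ACL + [Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=110)]
# A deny only takes effect if numbered below the allow it is meant to override.
BLOCKLIST_ACL = FIXED_ACL + [Rule("in", "tcp", 0, 65535, "203.0.113.0/24", action="deny", number=50)]
LATE_DENY_ACL = FIXED_ACL + [Rule("in", "tcp", 0, 65535, "203.0.113.0/24", action="deny", number=150)]

def sg_results():
    web, app = SecurityGroups(WEB_SG, MEMBERSHIP), SecurityGroups(APP_SG, MEMBERSHIP)
    return {"client_in": web.allows(CLIENT_IN),       # matches the 443 rule
            "reply_out": web.allows(REPLY_OUT),       # stateful: allowed with no egress rule
            "fresh_out": web.allows(FRESH_OUT),       # new outbound flow, no egress rule: denied
            "web_to_app": app.allows(WEB_TO_APP),     # source is a member of sg-web
            "other_to_app": app.allows(OTHER_TO_APP)} # group reference does not match

def acl_results():
    return {"narrow_client": NetworkACL(NARROW_ACL).allows(CLIENT_IN),
            "narrow_reply": NetworkACL(NARROW_ACL).allows(REPLY_OUT),    # stateless: port 51515 out not allowed
            "fixed_reply": NetworkACL(FIXED_ACL).allows(REPLY_OUT),      # ephemeral-port egress rule
            "blocked_client": NetworkACL(BLOCKLIST_ACL).allows(CLIENT_IN),  # deny at 50 wins
            "late_deny_client": NetworkACL(LATE_DENY_ACL).allows(CLIENT_IN)}  # allow at 100 wins

if __name__ == "__main__":
    print(sg_results())
    print(acl_results())
```

Two details are deliberate: a security group with no egress rule still returns traffic for an inbound flow it allowed, so removing the default egress rule restricts what the instance can initiate, not what it can answer; and an ACL deny placed after the allow it was meant to override is dead, which is why blacklist entries go at low numbers and the catch-all allows at high ones.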
