Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
VPC - Flying Blind on a Rocket Cycle Matthew Boeckman - VP of DevOps at Craftsy.com @matthewboeckman http://enginerds.craf...
Who is Craftsy ● Instructor led training videos for passionate hobbyists ● #19 on Forbes’ Most Promising Companies 2014
VPC - Why VPC is mature network topology for AWS
VPC - Why Network ACL’s allow for true edge blocking
VPC - Why Instances can be members of multiple Security Groups SG membership can change post-instance launch
Site to Site VPN connectivity enables extension of your network to AWS VPC - Why
Three things Keep it simple Get there now Keep it simple
*disclaimer
Our stack in ec2-classic
What we hate about ec2-classic ● inflexible security groups ● per-IP maintenance of SG’s across regions ● ALLOW TCP 22 FRO...
Our stack in VPC
routing Private subnets can only route traffic destined for the internet to a NAT instance (eni-0…). Public subnets route ...
NAT instances HOW BIG?! ● we chose m1-medium… because…. it seems big enough? sure. ● failover
Site to Site VPN ● AWS docs on this are perfect - check if your firewall is on the supported list. If so, one click config...
Cross region VPN http://aws.amazon.com/articles/5472675506466066 http://fortycloud.com/interconnecting-two-aws-vpc-regions...
reservations! Instance reservations purchased in EC2 classic DO NOT MAGICALLY MOVE TO VPC Do. Not. Forget. This. Step.
seriously?
VPC - flying blind
netcat, tcpdump and patience
be the packet host a host b SG SG ACL ACL out out,in out,in out,in in out out,in out,in out,in in
LIMITS http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
ACL’s ARE NOT STATEFUL ALLOW tcp 80 src 10.85.0.0/16 ALLOW tcp 443 src 10.85.1.0/24 ALLOW tcp established any DENY ALL
SNS, Redshift, Route53, RDS SNS - has no legs in VPC. Systems subscribing to SNS topics from private subnets need an HTTP ...
migration time best time - use AWS support or account teams - start with subnets and basic nat, vpn - dev environments, so...
cloned production
shut it down
thank you QUESTIONS! Matthew Boeckman @matthewboeckman http://enginerds.craftsy.com (deck will be there & slideshare)
Upcoming SlideShare
Loading in …5
×

AWS VPC Migration: Flying blind on a rocket cycle

2,768 views

Published on

The AWS Virtual Private Cloud platform provides a mature network topology for your ec2 resources. It enables you to restrict access to resources in much finer grained ways than possible in ec2. Additionally, VPC allows site to site VPN; allowing you to extend your non-ec2 networks to ec2. In this presentation, we explore an actual migration from ec2-classic to VPC, with lessons learned along the way.

Published in: Technology
no profile picture user

  • Be the first to comment

AWS VPC Migration: Flying blind on a rocket cycle

  1. 1. VPC - Flying Blind on a Rocket Cycle Matthew Boeckman - VP of DevOps at Craftsy.com @matthewboeckman http://enginerds.craftsy.com
  2. 2. Who is Craftsy ● Instructor led training videos for passionate hobbyists ● #19 on Forbes’ Most Promising Companies 2014
  3. 3. VPC - Why VPC is mature network topology for AWS
  4. 4. VPC - Why Network ACL’s allow for true edge blocking
  5. 5. VPC - Why Instances can be members of multiple Security Groups SG membership can change post-instance launch
  6. 6. Site to Site VPN connectivity enables extension of your network to AWS VPC - Why
  7. 7. Three things Keep it simple Get there now Keep it simple
  8. 8. *disclaimer
  9. 9. Our stack in ec2-classic
  10. 10. What we hate about ec2-classic ● inflexible security groups ● per-IP maintenance of SG’s across regions ● ALLOW TCP 22 FROM 0.0.0.0/0 ● no edge ● no edge ● no edge ● no edge
  11. 11. Our stack in VPC
  12. 12. routing Private subnets can only route traffic destined for the internet to a NAT instance (eni-0…). Public subnets route to the IGW. Routes can be automatically propagated from VPN connections.
  13. 13. NAT instances HOW BIG?! ● we chose m1-medium… because…. it seems big enough? sure. ● failover
  14. 14. Site to Site VPN ● AWS docs on this are perfect - check if your firewall is on the supported list. If so, one click configuration for your firewall ● A VPN connection - includes two tunnels, connected to two different IP’s at VPC. THESE UNDERGO MAINTENANCE - PRACTICE FAILOVER
  15. 15. Cross region VPN http://aws.amazon.com/articles/5472675506466066 http://fortycloud.com/interconnecting-two-aws-vpc-regions/ AWS has no product offering here. You can easily VPN two VPC’s in the same region but not, you know, in different regions.
  16. 16. reservations! Instance reservations purchased in EC2 classic DO NOT MAGICALLY MOVE TO VPC Do. Not. Forget. This. Step.
  17. 17. seriously?
  18. 18. VPC - flying blind
  19. 19. netcat, tcpdump and patience
  20. 20. be the packet host a host b SG SG ACL ACL out out,in out,in out,in in out out,in out,in out,in in
  21. 21. LIMITS http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
  22. 22. ACL’s ARE NOT STATEFUL ALLOW tcp 80 src 10.85.0.0/16 ALLOW tcp 443 src 10.85.1.0/24 ALLOW tcp established any DENY ALL
  23. 23. SNS, Redshift, Route53, RDS SNS - has no legs in VPC. Systems subscribing to SNS topics from private subnets need an HTTP proxy in a public subnet for SNS to reach them. Redshift/RDS- has legs in VPC - migrate your redshift or rds instances to VPC (yay!) Route53 - no support for “views” in VPC.
  24. 24. migration time best time - use AWS support or account teams - start with subnets and basic nat, vpn - dev environments, soak - preprod, soak
  25. 25. cloned production
  26. 26. shut it down
  27. 27. thank you QUESTIONS! Matthew Boeckman @matthewboeckman http://enginerds.craftsy.com (deck will be there & slideshare)

×