
Introduction to AWS VPC, Guidelines, and Best Practices

I crafted this presentation for the AWS Chicago Meetup. This deck covers the rationale, building blocks, guidelines, and several best practices for Amazon Web Services Virtual Private Cloud. I classify it as somewhere between a 101 and 201 level presentation.

If you like the presentation, I would appreciate you clicking the Like button.

Published in: Technology
  • AWS VPC Tutorial for Beginners in English | Amazon Virtual Private Cloud https://youtu.be/rf9BYUfZE0w
  • Wrote Cloud Design Fundamentals book with a lot of Amazon AWS coverage, http://www.amazon.com/Cloud-Design-Fundamentals-Multilayered-Engineers/dp/1508470979/ref=sr_1_1/179-9314079-3914054?s=books&ie=UTF8&qid=1430589752&sr=1-1

  1. Introduction to AWS VPC. Gary Silverman, Certified AWS Solution Architect. AWS Chicago Meetup.
  2. Agenda: (1) VPC Intro & Benefits; (2) VPC Building Blocks; (3) Reference Architecture; (4) VPC Considerations & Best Practices; (5) Wrap-up & Questions. But first a quick poll …
  3. Section 1: VPC Intro & Benefits
  4. What is Amazon's VPC? A logically isolated network in the AWS Cloud that you control.
     [Diagram: AWS reference model, 10K-foot view, "You are here": Internet -> AWS -> VPC]
  5. Why use VPC?
     • Control of network architecture: topology & subnet architecture, IP address ranges, routing, & gateways
     • Further secure your resources: egress security groups, routing rules, & NACLs
     • Evolving EC2 feature set: multiple NICs, modifiable security groups on instances, static private IP address, T2 instances exclusively in VPC
     • Enables hybrid cloud architectures: extend your on-prem network into the AWS cloud
     • Privately internetwork with other organizations: VPC peering; lines of business, partners, communities
     • Intelligently address increasing infrastructure demands: environments, applications, and workloads
     Your workloads can be better integrated and secured using AWS VPC.
  6. Who can use VPC? You.
     • Account registered >= 12/04/2013: EC2-VPC
     • Account registered < 03/18/2013: EC2-Classic & EC2-VPC (EC2-Classic in regions already launched; otherwise, default VPC in the region)
     • 03/18/2013 < account registered <= 12/14/2013: depends, might be EC2-VPC only
     • VPC cost = $0; VPN $0.05/hr
     • VPC-enabled services: EC2 (incl. Dedicated Instances), Auto Scaling, Elastic Load Balancer, RDS, Redshift, Elastic MapReduce, ElastiCache, Elastic Beanstalk, Data Pipeline
  7. Section 2: VPC Building Blocks
  8. VPC Topology
     [Diagram: region us-west-2 with Subnets 1-4 spread across Availability Zones 'A' and 'B']
  9. IP Address Blocks
     • Shape the private network: select the VPC network size (CIDR /16 down to /28) and the IP prefix
     • Partition the network space: subnet/instance ratio; AWS reserves 5 addresses per subnet
     • VPC is a private network in AWS only. CIDR = Classless Inter-Domain Routing
     [Diagram: VPC CIDR /16, ~65,536 addresses (coarse-grained control) down to CIDR /28, ~16 addresses (fine-grained control)]
  10. VPC Example: Topology + IP Address Blocks
     [Diagram: us-west-2, VPC 10.0.0.0/16 with four /24 subnets (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24) across Availability Zones 'A' and 'B'; instances at 10.0.0.5, 10.0.1.2, 10.0.2.52 and 10.0.3.101 follow the 10.0.sub.host pattern; one instance has private IP 10.0.2.52 and public IP 158.16.45.12; the /16 network holds 256 subnets of 256 addresses each]
  11. Gateways & VPNs: VPC Access
     • Internet Gateway (IGW): ingress & egress internet access
     • Virtual Private Gateway (VPG): AWS side of a secure VPN connection
     • Customer Gateway (CG): customer side of the VPN connection
     • Direct Connect: dedicated & isolated bandwidth to AWS; no internet; HA connectivity supported
     • Hardware-based VPN: on-prem device to AWS over the internet; major brands (Cisco, Juniper) & generic devices supported; HA connectivity supported (& recommended)
  12. VPC Gateways & Hardware VPN
     • IGW: internet access; access to regional AWS services (e.g. S3, DynamoDB)
     • Virtual Private Gateway & Customer Gateway: redundant connections for high availability; IPsec secure tunnel
     [Diagram: on-prem VPN connected over the Internet to the VPC, with DynamoDB reached via the Internet]
  13. AWS Direct Connect
     • Private connectivity between your site & VPC (i.e. not over the Internet)
     • Secure IPsec connection
     • QoS: 1 Gbps or 10 Gbps fiber cross connect
     • Consistent network performance
     • Highly available, redundant connectivity
     [Diagram: Customer Network -> Customer WAN -> AWS Direct Connect Location -> VPC, alongside the Internet path]
  14. Routing Traffic: determines where network traffic is directed
     • Route tables: main and custom; optionally contain gateway targets
     • Route table association: main is the default; 1-to-N relationship; subnet associations
     • Public subnet: routes through the IGW
     • Private subnet: does not route through the IGW; NATs may be used
     [Diagram: customer VPC 10.0.0.0/16 with a public subnet holding a NAT, Private Subnets 1 and 2, and a custom route table]
  15. VPC Peering: Inter-VPC Routing
     • Features: topology flexibility; same or another AWS account; additional dimension of isolation
     • Considerations: single region only; no overlapping network addresses; no transitive peering property
     [Diagram: VPCs 18.52.0.0/16, 172.16.0.0/16 and 10.0.0.0/16 joined by peering connection PCX-1]
  16. VPC Network Controls
     • VPC Security Groups: resource-level traffic firewall (instance, ELB, etc.); ingress & egress; stateful, return traffic always allowed
     • Network Access Control Lists: source and protocol filtering; subnet-level traffic firewall; separate inbound & outbound rule sets; stateless, traffic strictly filtered
     [Diagram: load balancer, two web servers (HTTP) and a DB server (3306), each behind its own security group firewall, with a subnet NACL ruleset (3306, 49152-65535)]
  17. VPC Network Control Example
     • Tiered security groups: restrict the web tier's ingress source IP to ELB_SG
     • NACL rules: block all inbound traffic to the private subnet except 3306 or 22; block all outbound traffic from the private subnet except 80, 443, & 49152+
     [Diagram: Availability Zone 'A' with a public subnet (ELB_SG, WebApp_SG, port 80) and private subnet 10.0.12.0/24 (DB_SG); NACL: source IP 10.0.12.0/24, IN=3306, 22, OUT=80, 443, 49152-65535; port 3306 packets and port 23 packets shown arriving at the private subnet]
  18. Section 3: Reference Architecture
  19. Reference Architecture: HA Web App with VPN
     [Diagram: us-west-2, VPC 10.0.0.0/16 connected to on-prem by VPN. Availability Zone 'A': ELB tier 10.0.1.0/24, DB tier 10.0.2.0/24, Web/App tier 10.0.3.0/24, NAT. Availability Zone 'B': ELB tier 10.0.11.0/24, DB tier 10.0.12.0/24, Web/App tier 10.0.13.0/24, NAT. DB tier NACL: source IP 10.0.[2|12].0/24, IN=3306, 22, OUT=80, 443, 3306, 49152-65535]
  20. Section 4: Considerations & Best Practices
  21. VPC Considerations (topic: tradeoff / consideration)
     • Environments: segregate at VPC or subnet level?
     • Hybrid Cloud: private or Internet-based VPN connectivity?
     • Network Topology: subnets with a large number of instances / NAT bottlenecks
     • Network Auditing: control, monitor, filter outbound traffic?
  22. Best Practice
     • Use VPC!
     • Plan your network: subnet strategy, avoid overlapping CIDR blocks; reserve address space (subnets and instance addresses) across AZs for future expansion
     • Control your network: align subnets to tiers (e.g. DMZ/proxy, ELB, Web/App, DB); leverage the appropriate control per tier (subnet tiering, NACLs, etc.); everything in private subnets by default; only ELB or filter/monitoring solutions in public subnets
     • Secure IGW usage: don't add the IGW to the main route table; minimize the use of IGW-enabled custom route table(s); minimize the size of the subnet holding NAT or internet-facing proxy services (e.g. Squid)
     • Use IAM for access control
     • Supplement with AWS Marketplace solutions
  23. Section 5: Wrap-up & Questions
  24. Gary Silverman, Gary.Mail.Mba@gmail.com, @Tdream, linkedIn.com/in/garysilvermanmba. Thank You!
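The address-planning rules from slides 9, 10, 15 and 22 (VPC sizes from /16 down to /28, five addresses reserved per subnet, no overlapping CIDR blocks, room kept for expansion) checked in code against the slide-19 layout. This is an added example built on Python's standard ipaddress module, not the presenter's material; the tier names are assumptions taken from the diagram labels.

```python
"""Subnet-planning checks for the VPC layout on slides 9, 10, 19 and 22."""
import ipaddress
from itertools import combinations

AWS_RESERVED_PER_SUBNET = 5   # slide 9: AWS reserves 5 addresses in every subnet

# Constructed from the slide-19 reference architecture (labels and CIDRs as drawn there).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "ELB-A": "10.0.1.0/24", "DB-A": "10.0.2.0/24", "WebApp-A": "10.0.3.0/24",
    "ELB-B": "10.0.11.0/24", "DB-B": "10.0.12.0/24", "WebApp-B": "10.0.13.0/24",
}

def usable_hosts(cidr):
    """Addresses an instance can actually take once AWS's 5 reserves are removed."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def validate_plan(vpc_cidr, subnets):
    """Return the guideline violations found; an empty list means the plan passes."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:              # slide 9: /16 down to /28
        problems.append(f"VPC {vpc} is outside the /16-/28 range")
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} lies outside VPC {vpc}")
        if net.prefixlen > 28:
            problems.append(f"{name} {net} is smaller than a /28")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):                         # slide 22: no overlapping CIDRs
            problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems

def peering_allowed(vpc_a, vpc_b):
    """Slide 15: two VPCs can only peer if their address blocks do not overlap."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))

def free_24_blocks(vpc_cidr, subnets):
    """/24s still unallocated, i.e. the room slide 22 says to keep for new AZs/tiers."""
    used = [ipaddress.ip_network(c) for c in subnets.values()]
    return [b for b in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24)
            if not any(b.overlaps(u) for u in used)]

if __name__ == "__main__":
    print(validate_plan(VPC_CIDR, SUBNETS) or "plan passes")
    print(len(free_24_blocks(VPC_CIDR, SUBNETS)), "/24 blocks still free")
```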
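The stateless-versus-stateful distinction on slides 16 and 17, modelled as an added example that is not part of the deck: the NACL rule set is the one drawn on slide 17, the hosts and ports of the example flow are constructed, and the second scenario drops the 49152+ outbound rule to show why a stateless filter needs it while a security group does not.

```python
"""Stateless NACL versus stateful security group, using slide 17's rule set."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    def reply(self):  # the response packet of the same flow, direction swapped
        return Packet(self.dst, self.dst_port, self.src, self.src_port)

# NACL rules from slide 17 (DB private subnet), transcribed as constructed data.
NACL_SOURCE = ipaddress.ip_network("10.0.12.0/24")
NACL_IN_PORTS = {3306, 22}
EPHEMERAL = set(range(49152, 65536))      # the slide's "49152+" outbound rule
NACL_OUT_PORTS = {80, 443} | EPHEMERAL

def nacl_allows(pkt, direction, out_ports=NACL_OUT_PORTS):
    """Stateless: every packet is judged on its own header, in its own direction."""
    if direction == "in":
        return ipaddress.ip_address(pkt.src) in NACL_SOURCE and pkt.dst_port in NACL_IN_PORTS
    return pkt.dst_port in out_ports

class SecurityGroup:
    """Stateful: remembers accepted inbound flows; their return traffic is always allowed."""
    def __init__(self, ingress_ports):
        self.ingress_ports, self.flows = set(ingress_ports), set()
    def allows_in(self, pkt):
        if pkt.dst_port not in self.ingress_ports:
            return False
        self.flows.add(pkt)
        return True
    def allows_out(self, pkt):
        return pkt.reply() in self.flows   # only replies to remembered flows leave

# Constructed flows: a client in 10.0.12.0/24 talking to the DB host (addresses invented).
MYSQL_REQUEST = Packet("10.0.12.25", 54321, "10.0.2.40", 3306)
TELNET_REQUEST = Packet("10.0.12.25", 54322, "10.0.2.40", 23)

def nacl_session(out_ports=NACL_OUT_PORTS):
    """(request allowed, reply allowed) for the MySQL flow through the NACL."""
    return nacl_allows(MYSQL_REQUEST, "in"), nacl_allows(MYSQL_REQUEST.reply(), "out", out_ports)

def sg_session():
    """Same flow through a DB_SG that only lists 3306 for ingress."""
    sg = SecurityGroup({3306})
    return sg.allows_in(MYSQL_REQUEST), sg.allows_out(MYSQL_REQUEST.reply())
```

Calling nacl_session(out_ports={80, 443}) reproduces the classic misconfiguration: the query is admitted on 3306 but the reply on the client's ephemeral port is silently dropped, which the stateful security group never suffers.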
