20190130 AWS Shared VPCを前提としたネットワークとセキュリティの設計
•
12 likes•14,552 views
2019年1月30日 AWS Expert Online for JAWS-UG でのセッション内容です。 共有VPC (Shared VPC)と、同時に出たVPC関連の新機能によってセキュリティ面での省力化が可能になりました。「ベストプラクティス」を作っていきましょう。
Recommended
Recommended
More Related Content
More from Amazon Web Services Japan
More from Amazon Web Services Japan (20)
Recently uploaded
Recently uploaded (20)
20190130 AWS Shared VPCを前提としたネットワークとセキュリティの設計
- 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Yasuhiro Araki AWS Solution Architecture, Practice and Guide Lead, Japan. 2019/01/30
- 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 東京リージョン • • • 仮想プライベートクラウドサービス VPC ( 172.16.0.0/16) 既存システム プライベート サブネット パブリック サブネット インターネット VPN or 専用線 ネットワークを 要件に応じて設定 インターネット ゲートウェイ
- 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • • • • • • • • • • •
- 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • • • • • • • • • • •
- 6. Account Account Account Account Account Account Account Account Account Account Account Account VPN AWS Direct Connect * Account Account Account Account IAM, cross-account roles Route tables Route tables Transit Gateway Available Q1 2019
- 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Account strategy VPN WAN AW S Direct Connect Transit VPC Network services Connectivity W AN Shared services Multi-region options Segmentation model
- 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • •
- 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • • •
- 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 13. Account Account
- 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Account Account Account Account Resource share Resource share Inbound network ACL # Source Action 100 10.0.1.0/24 ALLOW 101 10.0.101.0/24 ALLOW 200 10.0.0.0/16 DENY 300 0.0.0.0/0 ALLOW
- 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC
- 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • • •
- 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • • • • • • Security groups IAM
- 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC peering • 1vs1の関係 • 100 VPCまで • VPC間のSecurity groups • Inter-region peering Transit VPC • スポークの1つに配置 • 帯域の制限 • 制御が複雑 • インスタンスとライセンス費用 VPN WAN AW S Direct Connect Transit VPC Shared Services AWS Transit Gateway • 1vs1でも1vsNでもroute table次第 • スケーラブル • AZごとのエンドポイント費用 Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared Services Ro ute Tab les Ro ute Tab les Transit Gateway AWS PrivateLink • 1 vs Nの関係 • スケーラブル • IPアドレス重複でもOK • NLBとエンドポイント費用
- 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC peering • 1vs1の関係 • 100 VPCまで • VPC間のSecurity groups • Inter-region peering Transit VPC • スポークの1つに配置 • 帯域の制限 • 制御が複雑 • インスタンスとライセンス費用 VPN WAN AW S Direct Connect Transit VPC Shared Services ✓ AWS Transit Gateway • 1vs1でも1vsNでもroute table次第 • スケーラブル • AZごとのエンドポイント費用 Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared Services Ro ute Tab les Ro ute Tab les Transit Gateway ✓ AWS PrivateLink • 1 vs Nの関係 • スケーラブル • IPアドレス重複でもOK • NLBとエンドポイント費用
- 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Transit Gateway Account Account Account Account Development Account Account Account Account Testing Account Account Account Account Production Shared Services Ro ute Tab les Ro ute Tab les Transit Gateway Scope Trust model Dependencies Scale Scope Trust model Dependencies Scale AWS PrivateLink • 1 vs Nの関係 • スケーラブル • IPアドレス重複で もOK • NLBとエンドポイ ント費用 • 1vs1でも1vsNでもroute table次第 • スケーラブル • AZごとのエンドポイント費 用
- 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • •
- 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM Security groups Account Account Account Account Account Account Account Account VPC ACLs Route tables Network ACLs Separate VPCs
- 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Account Account Account Account VPN AWS Direct Connect * Route tables Route tables Transit Gateway Transit Gateway Security services VPC Account Account Account Account Available Q1 2019
- 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Transit Gateway Route Destination 10.1.0.0/16 vpc-att-1xxxxxxx 10.2.0.0/16 vpc-att-2xxxxxxx 10.3.0.0/16 vpc-att-3xxxxxxx 10.0.0.0/8 VPN Default routing domain
- 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Transit Gateway Shared services VPN VPC Route Destination 10.1.0.0/16 vpc-att-1xxxx 10.2.0.0/16 vpc-att-2xxxx Route Destination 10.3.0.0/16 vpc-att-3xxxx 10.4.0.0/16 vpc-att-4xxxx Route Destination 10.0.0.0/8 VPN 10.4.0.0/16 vpc-att-4xxxx VPCs attach to a route table with routes to shared resources Shared resources attach to a route table with routes to all resources Shared service VPN VPC
- 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • • • Account strategy VPN WAN AW S Direct Connect Transit VPC Network services Connectivity W AN Shared services Multi-region options Segmentation model
- 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.