Exploring the fundamentals of AWS networking - SVC210 - Chicago AWS Summit

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
S U M M I T
Exploring the fundamentals of AWS
networking
Sid Chauhan
Solutions Architect
Amazon Web Services
S V C 2 1 0

S U M M I T

S U M M I T
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Availability Zone 2Availability Zone 1
Private subnet
VGW
VPC
peering
VPC
Flow Logs
VPN
The
internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
DXGW
+ Expand + IPv6
IGWVPCE
10.1.0.0/16 Local
0.0.0.0/0 IGW
S3.prefix.list VPCE-123
On premises VGW
VPC-B PCX-123
Destination Target
Intra or
inter
region
10.1.0.0/16 Local
On premises VGW
VPC-B PCX-123
Destination Target
AWS PrivateLink
service provider VPC
NLB
On premises
VPC-B
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Amazon
DynamoDB
AWS Lambda
AWS Direct
Connect
Amazon SQS Amazon SNS
AWS IoT
Amazon
CloudWatch
AWS
PrivateLink
Transit GW
On premises
AWS PrivateLink-
enabled services
Other Routes TGW
Other Routes TGW
Amazon S3
AWS Global Accelerator

S U M M I T
That was the agenda
for this session

S U M M I T

S U M M I T
What is a VPC ?

S U M M I T
IP addressing Creating
subnets
Routing in a
VPC
Security
VPC concepts and fundamentals
DNS in-VPC
with Amazon
Route 53

S U M M I T
Choosing an
IP address range

S U M M I T
Choosing an IP address range for your VPC
172.31.0.0/16
Recommended: RFC1918
range
Avoid ranges that overlap with
other networks to which you might
connect

S U M M I T
Creating subnets in a VPC

S U M M I T
VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c

S U M M I T
IPv6 in your VPC
• Can have a dual-stack VPC by adding an IPv6 CIDR
• Fixed sizes for VPC and subnets:
• /56 VPC (4,722,366,482,869,645,213,696 addresses)
• /64 subnets (18,446,744,073,709,551,616 addresses)

S U M M I T
VPC subnets and Availability Zones
172.31.0.0/16
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c
2600:1f16:14d:6300::/56
2600:1f16:14d:6300::/64 2600:1f16:14d:6301::/64 2600:1f16:14d:6302::/64
+ Expand

S U M M I T
Routing in a VPC

S U M M I T
Route tables
172.31.0.0/16
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24

S U M M I T
Traffic destined for my VPC
stays in my VPC

S U M M I T
DNS in a VPC

S U M M I T
VPC DNS options
Use Amazon DNS server
Have EC2 auto-assign DNS
host names to instances

S U M M I T
Amazon Route 53 private hosted zones
Private Hosted Zoneexample.demohostedzone.org → 172.31.0.99

S U M M I T
Amazon Route 53 Resolver for hybrid clouds
Route 53 Resolver
endpoints
Conditional forwarding
rules

S U M M I T
Flow logsNetwork access
control list
Security groups
Network security

S U M M I T
“MyWebServers” security group
“MyBackends” security group
Allow only “MyWebServers”
Security groups follow application structure
Web Web Web Web
App App App
IGW

S U M M I T
Security groups example: Web servers
Allow HTTP traffic
from anywhere

S U M M I T
Security groups example: Backends
Allow application traffic
from web servers only

S U M M I T
Network security
Flow logsNetwork access
control list
Security groups

S U M M I T
Security groups vs. NACLs
Security group Network ACL
Operates at instance level Operates at subnet level
Supports allow rules only Supports allow and deny rules
Is stateful: return traffic is automatically allowed
regardless of any rules
Is stateless: return traffic must be explicitly allowed
by rules
All rules evaluated before deciding whether to allow
traffic
Rules evaluated in order when deciding whether to
allow traffic
Applies only to instances explicitly associated with the
security group
Automatically applies to all instances launched into
associated subnets
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these
are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)

S U M M I T
VPC Flow Logs
AZ 2AZ 1
• Visibility
• Troubleshooting
• Analyze traffic
Amazon S3 Amazon CloudWatch Logs
VPC Flow Logs

S U M M I T
VPC Flow Logs: Setup
VPC traffic metadata
captured in Amazon S3
or Amazon CloudWatch Logs

S U M M I T
VPC Flow Logs format

S U M M I T
Internet
connectivity Connecting to other
VPCs
Connecting to your
on-premises network
Connecting your VPC
or not

S U M M I T
Internet connectivity or not

S U M M I T
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Private subnet
The
internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
IGW
10.1.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.1.0.0/16 Local
Destination Target
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Let’s take a closer look
Amazon
DynamoDB
AWS Lambda Amazon SQS Amazon SNS
AWS IoT

S U M M I T
Connecting to other VPCs
VPC peering Transit Gateway

S U M M I T
VPC peering
• Full private IP connectivity between
two VPCs
• Can peer VPCs across regions
• VPCs can be in different accounts
• VPC CIDR ranges must not overlap
10.0.0.0/16
10.2.0.0/16
10.1.0.0/16
10.3.0.0/16

S U M M I T
Establish a VPC peering: Initiate request
Step 1
Initiate peering
request
172.31.0.0/16 10.55.0.0/16

S U M M I T
Establish a VPC peering: Accept request
Step 1
Initiate peering
request
Step 2
Accept peering
request
172.31.0.0/16 10.55.0.0/16

S U M M I T
Establish a VPC peering: Create routes
Step 1
Initiate peering
request
Step 2
Accept peering
request
Step 3, 4
172.31.0.0/16 10.55.0.0/16
Traffic destined for the peered VPC should go to the
peering, repeat for other VPC

S U M M I T
VPC peering Transit Gateway
and beyond…
Connecting to other VPCs

S U M M I T
VPN connectionCustomer
gateway
Amazon VPC Amazon VPC
AWS Direct Connect
gateway
VPC peering
VPC peering VPC peering
Amazon VPC Amazon VPCVPC peering
VPN
connection
VPN connection
VPC peering
Before Transit Gateway …

S U M M I T
Transit
Gateway
Amazon VPCAmazon VPC
Amazon VPCAmazon VPC
Customer
gateway
VPN
connection
AWS Direct
Connect Gateway
(NEW)
With Transit Gateway . . .

S U M M I T
B Local
0.0.0.0/0
Destination Target
A B
TGW
C
TGW
1 2
3 4
TGW route table (s)
VPC A : Attachment 1
VPC B : Attachment 2
VPC C : Attachment 3
On prem : VPN 4
RT1
RT2
On premises
With Transit Gateway . . .

S U M M I T
Attachment
The connection from an
Amazon VPC, VPN, and Dx GW
to a TGW
Association
The route table used to route
packets coming from an
attachment
Propagation
The route table where the
attachment’s routes are installed

S U M M I T
Llama
TGW
X
Y
TGW route table (s)
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Barry from Z Barry from Z
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.1.0.0/16 Local
0.0.0.0/0 TGW
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.0.0.0/8 TGW

S U M M I T
Llama
TGW
X
Y
TGW route table (s)
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.8.0.0/16 10.9.0.0/16
10.8.0.0/16 via X
10.9.0.0/16 via X

S U M M I T
Llama
TGW
X
Y
TGW route table (s)
Associations
RT1
Z
Propagations
Pegasus from Y
Llama from X
Pegasus from Y
Llama from X
10.1.0.0/16
Pegasus
10.2.0.0/16
Barry
10.3.0.0/16
Routes
10.2.0.0/16 via Y
10.1.0.0/16 via X
10.3.0.0/16 via Z
10.8.0.0/16 10.9.0.0/16
10.8.0.0/16 via X
10.9.0.0/16 via X
Propagation turned off, you can still statically
configure routes

S U M M I T
After: AWS Transit Gateway (TGW) – The console

S U M M I T
Unicorn TGW
This TGW is `Awesome
After: AWS Transit Gateway (TGW) – The console

S U M M I T
TGWs per account / TGW
attachments per Amazon VPC
5
Maximum burstable
bandwidth per attachment
50 Gbps

S U M M I T
Maximum bandwidth per VPN
connection
1.25 Gbps
*With ECMP, you can distribute traffic over multiple tunnels,
e.g., 8 tunnels = 10 Gbps
*

S U M M I T
Routes per TGW
10,000
Number of TGW attachments per
region per account
5,000
!!!

S U M M I T
Cross-region connectivity?
TGW is a region-level construct today

S U M M I T
TGW detailed instructions:
https://amzn.to/2SkI4zV

S U M M I T
Connecting to
on-premises networks:
AWS VPN AWS Direct Connect

S U M M I T
On premises
IPsec tunnel 1 - primary
IPsec tunnel 2- secondary
Virtual private
gateway
VGW
IPsec tunnel over
the internet
Customer gateway
CGW
The internet

S U M M I T
On premises
IPsec tunnel 1 - primary
IPsec tunnel 2- secondary
IPsec tunnel over
the internet
The internet
Transit GW
Customer gateway
CGW

S U M M I T
Migrate site-to-site VPN to Transit Gateway
https://amzn.to/2vwPcj7
NEW

S U M M I T
Attachment
to Amazon
VPC
TLS-based tunnel
over the internet
User with
OpenVPN client
Client VPN
endpoint
Client
The
internet
On premises
Amazon S3 Amazon
DynamoDB

S U M M I T
Customer or
partner cage
Service provider
network
AWS Direct Connect: What’s that?
AWS Region
On premises
AWS Direct Connect location
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16
Private VIF
Public VIF
VGW

S U M M I T
Customer or
partner cage
Service provider
network
AWS Direct Connect: What’s that?
AWS Region
On premises
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16
Private VIF
Public VIF
10.2.0.0/16
VGW
VGW
Private VIF

S U M M I T
Customer or
partner cage
Service provider
network
AWS Direct Connect gateway
AWS Region
On premises
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
One private VIF → many VPCs
AWS Direct
Connect gateway

S U M M I T
Customer or
partner cage
Service provider
network
AWS Region 1
On premises
AWS cage
Cross Connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
One private VIF → many VPCs across regions
AWS Region 2
AWS Direct
Connect gateway

S U M M I T
Customer or
partner cage
Service provider
network
AWS Account 1
On premises
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
One private VIF → many VPCs across accounts
AWS Account 2
AWS Direct
Connect gateway
Multi-account DX gateway
New

S U M M I T
Customer or
partner cage
Service provider
network
AWS Account 1
On premises
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16
Transit VIF
10.2.0.0/16
One transit VIF → many VPCs
AWS Account 2
AWS Direct
Connect gateway
Transit VIF with DX gateway
New
AWS Transit
Gateway

S U M M I T
Transit Gateway with AWS Direct Connect
https://amzn.to/2VDnnEt
New

S U M M I T
New partner connection speeds
1, 2, 5, or 10 Gbps of capacity
https://amzn.to/2YtGNue
Also new

S U M M I T
VPC sharing VPC endpoints and
AWS PrivateLink
…more AWS networking
AWS Global
Accelerator

S U M M I T
Amazon VPC sharing
Before

S U M M I T
Llama
10.3.0.0/16
Pegasus
10.2.0.0/16
Barry
10.1.0.0/16
Iguana
10.6.0.0/16
Steve
10.5.0.0/16
Sue
10.4.0.0/16
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4

S U M M I T
Amazon VPC sharing
After

S U M M I T
AWS Lambda Amazon EC2
Amazon RedshiftAmazon RDS
Amazon EC2
Amazon EC2
Prod 1Dev
Test
Prod2
Prod 3 Prod 4
Owner
Participant
Owner
Participant Participant
Participant
Llama
10.3.0.0/16
Pegasus
10.2.0.0/16
Barry
10.1.0.0/16
Iguana
10.6.0.0/16
Steve
10.5.0.0/16
Sue
10.4.0.0/16

S U M M I T
Responsible for creating, managing, and
deleting all VPC-level entities.
Amazon VPC owners cannot modify or
delete participant resources.
Amazon VPC owner
Responsible for the creation, management, and
deletion of their resources, including Amazon
Elastic Compute Cloud (Amazon EC2) instances,
Amazon Relational Database Service (Amazon
RDS) databases, and load balancers.
However, they cannot modify any Amazon VPC-
level entities, including route tables, network
ACLs, or subnets (or view/modify resources
belonging to other participants).
Amazon VPC participant

S U M M I T
Why use Amazon VPC sharing?
Preserve IP space
Use fewer IPv4 CIDRs
Interconnectivity
No VPC peering required
Billing and security
Continue to enjoy segregation with multiple accounts
Separation of duties
A central team can create and
manage your Amazon VPC
Same AZ cost for data transfer is nil!

S U M M I T
Amazon VPC sharing details:
https://amzn.to/2Aovw2Z

S U M M I T
VPC endpoints
Interface VPC
endpoints
Gateway VPC
endpoints
AWS PrivateLink

S U M M I T
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Private subnet
The
internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
IGWVPCE
10.1.0.0/16 Local
0.0.0.0/0 IGW
Destination Target
10.1.0.0/16 Local
DDB.prefix.list VPCE-123
Destination Target
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Amazon
DynamoDB
VPCE =
Virtual private endpoint
(Type: Gateway)

S U M M I T
Amazon API Gateway
AWS CloudFormation
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeBuild
AWS Config
Amazon EC2 API
Elastic Load Balancing API
AWS Key Management Service
Amazon Kinesis Data Streams
Amazon SageMaker Runtime
AWS Secrets Manager
AWS Security Token Service
AWS Service Catalog
Amazon SNS
AWS Systems Manager
NAT
InstanceB
10.1.1.11/24
NAT-GW
AWS Region
Private subnet Private subnet
Public subnet
InstanceA
Public subnet
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
22+ services now
supported over AWS
PrivateLink
ec2.eu-west-1.amazonaws.com
ENI1: 10.1.0.15
ENI2: 10.1.1.23
ec2.eu-west-1.amazonaws.com
ENI1: 10.1.0.15
ENI2: 10.1.1.23
AWS PrivateLink can
reach public services,
privately from your VPC
No routes needed!
(almost)
10.1.0.0/16 Local
Destination Target
10.1.0.0/16 Local
Destination Target
+ More

S U M M I T
VPC endpoints
Type: Gateway
Type: Interface

S U M M I T
And now AWS PrivateLink
for service providers
Customer VPC
Service provider VPC
Application, e.g., SaaS
NLB
AWS
PrivateLink
VPC endpoint: vpce-2222.foo.amazon.com

S U M M I T

S U M M I T
Before

S U M M I T
AWS Region 1 AWS Region 2

S U M M I T
After

S U M M I T
AWS Region 1 AWS Region 2
3.10.3.1253.10.3.125

S U M M I T
Client stateAWS global network Static anycast IPs
Applications can keep state, with
connections routed to the same
endpoint, after initial connection
Traffic routed through Global
Accelerator traverses AWS global
network (instead of the public
internet)
Global Accelerator uses static IP
addresses as a fixed entry point to
your applications, which are anycast
from AWS edge locations

S U M M I T
https://amzn.to/2FI3y89

S U M M I T
Awesome:
Networking study guide
https://amzn.to/2U9TczL

Exploring the fundamentals of AWS networking - SVC210 - Chicago AWS Summit

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Exploring the fundamentals of AWS networking - SVC210 - Chicago AWS Summit

Similar to Exploring the fundamentals of AWS networking - SVC210 - Chicago AWS Summit (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Exploring the fundamentals of AWS networking - SVC210 - Chicago AWS Summit