Pitt Immersion Day Module 3 - networking in AWS

Networking in AWS

Agenda
• Amazon VPC – Virtual Private Cloud
• VPC Building Blocks
• VPC Security
• VPC Connectivity Options
• Connect your Data Center to AWS
• Traffic Distribution

© 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Amazon VPC

Amazon VPC - Virtual Private Cloud
Provision a logically isolated section of the AWS Cloud where you can launch
AWS resources in a virtual network that you define.
Bring your own network
Routing RulesNetworkTopology Security RulesSubnetsIP Addresses

Amazon Virtual Private Cloud (VPC)
VPC
Your Network goes here
AWS Cloud
Amazon EC2 AWS Lambda Amazon RDS Amazon Redshift Amazon Simple Storage
Service (S3)
Amazon
DynamoDB

VPC Building Blocks

How to segment my networks inside a VPC?
VPC Subnets
• You can add one or more subnets
in each Availability Zone
• AZs provides fault isolations
• Subnets are allocated as a subset
of the VPC CIDR range
VPC
Availability Zone A Availability Zone B
SubnetA2
SubnetA1
Subnet B2
Subnet B1
10.0.0.0/24
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
10.0.0.0/16

How to direct traffic out of my Subnets?
Subnets and Route Tables
• Each subnet can have a unique Route
Table
• Route Tables direct traffic out of the
VPC, towards:
• Internet Gateway
• Virtual Private Gateway
• VPC Endpoints
• Direct Connect
• VPC Peering
• AWS Transit Gateway
• Subnets are named “Public Subnets”
when have a route to an Internet
Gateway
Route table
VPC
Private subnet
Public subnet
VPC
Public subnet
Router
Route table
Internet gateway
Route table
Corporate data center

How to connect my VPC to the Internet?
Internet Gateway
• Horizontally scaled, redundant,
highly available VPC component
• Provides internet connectivity to
your VPC Subnets
• Must be referenced on the Route
Table
• Performs NAT between Public and
Private IP Addresses
VPC
Public subnet
Route table
Internet gateway
Private subnet
Route table
Internet
EC2
Instance
Private IP: 10.0.0.10
Public IP: 54.63.92.81
EC2
Instance

How does my instance get an IP address?
Elastic IP Address
• Static, Public IPv4 address,
associated with your AWS account
• Can be associated with an
instance or network interface
• Can be remapped to another
instance in your account
• Useful for redundancy when Load
Balancers are not an option
VPC
Public subnet
Internet gateway
Private subnet
Internet
EC2
Instance
Elastic IP: 54.63.92.81
EC2
Instance
EC2
Instance
Elastic IP: 54.63.92.81

Can I have outbound only Internet access?
NAT Gateway
• Enable outbound connectivity to the
internet
• No incoming connection - useful for
OS/packages updates, public web
services access
• Fully managed by AWS
• Highly available
• 5 Gbps bandwidth, scales up to 45
Gbps
• Supports TCP, UDP, and ICMP
protocols
• Network ACLs apply to NAT
gateway’s traffic
Public subnet
NAT gateway
VPC
Internet gateway
Private subnet
Internet
EC2
Instance
EC2
Instance
Route table

Can I have one account owning the VPC, and other using it?
Shared VPC
• VPC Owner can create and edit
VPC Components
• VPC Participants can launch
resources in their assigned
Subnets
• Each participant pays for their own
resources and data transfer costs
• Based on AWS Resource Access
Manager, under AWS
Organizations
VPC
Subnet Beta
Subnet Gama
EC2 Instance
EC2 Instance
Lambda function
AWS AccountAlpha
VPC Owner
Create/Modify/Delete:
Subnets
RouteTables
Network ACL
VPC Peering
VPC Endpoints
Internet Gateways
NAT Gateways
Virtual Private Gateways
TransitGateway attachment
AWS Account Beta
VPC Participant
AWS AccountGama
VPC Participant
Lambda function

VPC Security

Can I filter traffic reaching my instances?
Security Groups
• Virtual stateful firewall
• Inbound and Outbound customer defined
rules
• Instance/Interface level inspection
• Micro segmentation
• Mandatory, all instances have at
least one associated Security Group
• Can be cross-referenced
• Works across intra-regional VPC
Peering
• Only supports allow rules - implicit denies
all traffic
Elastic Load Balancing (ELB)
Security group “Web ELB”
Security group “DBTier”
MySQL DB
Amazon Aurora
VPC
“WebTier”
MySQL
(TCP 3306)
Security group “WebTier”
“Web ELB”
HTTP
(TCP 80)
HTTPS
(TCP 443)
Internet gateway
Amazon EC2
Web Server Web Server

Can I filter traffic on a subnet level?
Network Access Control List
• Inbound and Outbound
• Subnet level inspection
• Optional level of security
• By default, allows all traffic
• Stateless
• IP and TCP/UDP port based
• Supports allow and deny rules
• Implicit deny
Private subnet
Public subnet
MySQL DB
Amazon Aurora
Amazon EC2
Network
access control
list
NACL “External Access”
Network
access control
list
NACL “DatabaseAccess”
0.0.0.0/0
HTTPS
(TCP 443)
10.0.0.0/16
MySQL
(TCP 3306)
Other IPs
Other Ports

VPC Connectivity Options

How to connect directly to other VPCs?
VPC Peering
• Scalable and highly available
• Inter-account peering
• Same or different AWS Regions
• Bi-directional traffic
• Remote Security groups can be
referenced for same-region VPC
peers
• Routing policy within Route Tables
• Not all subnets need to
connect to each other
• No transitive routing, requires full-
mesh to interconnect multiple VPCs
• No support for overlapping IP
addresses
VPC
Public subnet
Private subnet
EC2
Instance
EC2
Instance
Route table
VPC Peering
VPC
Public subnet
Private subnet
EC2
Instance
EC2
Instance
Route table
Route table Route table

How to connect multiple VPCs together?
AWS Transit Gateway
• Connect thousands of VPC across
accounts
• Connect your VPCs and on-
premises through a single gateway
• Centralize VPN and AWS Direct
Connect connections
• Control segmentations and data
flow with Routing Tables
• Hub and Spoke design
• Up to 50 Gbps per VPC connection
(burst)
AWSTransitGateway
VPC VPC VPC
…
Routing DomainA
Route table
Routing Domain B
Route table
AWS Cloud
Shared ServicesVPCVPC

Public subnet
How to connect privately to public AWS Services?
VPC Endpoints
• Connect your VPC to:
• Supported AWS services
• VPC endpoint services
powered by PrivateLink
• Doesn’t require public IPs or
Internet connectivity
• Traffic does not leave the AWS
network.
• Horizontally scaled, redundant,
and highly available
• Robust access control
VPC Endpoint
VPC
Internet gateway
Private subnet
EC2
Instance
EC2
Instance
VPC Endpoint
VPC
Service
Amazon
VPC PrivateLink
Network Load Balancer
(NLB)
VPC Endpoint
Amazon
Simple Storage Service (S3)
AWS
Key Management Service

Connect Your Data Center to
AWS

How to connect my Datacenter to AWS over the Internet?
AWS Virtual Private Network
• One VGW (Virtual Private
Gateway) per VPC
• Redundant IPSec VPN Tunnels
• Terminating in different AZs
• IPSec
• AES 256-bit encryption
• SHA-2 hashing
• Scalable
• BGP or Static Routing
VPC
Corporate
data center
VGW (Virtual Private Gateway)
Customer
gateway
VPN Connection
Availability Zone 1 Availability Zone 2
Internet
AWS Cloud

How to connect my Datacenter to AWS over dedicated circuits?
AWS Direct Connect
• Dedicated network connection
from your premises to AWS
• Dedicated Connection (1/10 Gbps,
Multiple VIFs)
• AWS Partner Hosted Connection
(50 Mbps to 10 Gbps, Single VIF)
• Consistent Network Performance
• More consistent network
experience
• Reduced egress data charges
• Connect to 90+ Direct Connection
Locations across the globe
Corporate
data center
Customer
gateway
AWS Direct Connect
Direct Connect
Location
AWS DX Device
AWS Cloud

How to add redundancy to my dedicated circuits?
AWS Direct Connect
• For redundancy, DX can be
deployed with single or multiple:
• Circuits
• Providers
• Customer Gateways
• Direct Connect Locations
• Customer data centers
• BGP Routing for redundancy
• AWS VPN can also be used as
backup path
Corporate
data center
Customer
gateway
AWS Direct Connect
Direct Connect
Location
AWS DX Device
AWS Cloud
AWS DX Device
Direct Connect
Location
AWS DX Device AWS DX Device
Corporate
data center
Customer
gateway

How to access my VPCs or AWS Public Services over my DX?
AWS Direct Connect
• VIF: Virtual Interface
• Private VIFs
• Access to private VPC IP
address
• Public VIFs
• Access to AWS Public IP
address space and
services
VPC 1A
Corporate
data center
Customer
gateway
AWS Direct Connect
Amazon Simple Storage
Service (S3)
AWS Cloud
Public
Virtual Interface
Private
Virtual Interface
VPC 1B
Private
Virtual Interface
PublicAWS Services
AWS DX Device
Direct Connect
Location
Virtual Private
Gateways

How to connect to multiple AWS Regions/Accounts over DX?
AWS Direct Connect Gateway
• Global resource
• Connect to multiple VPCs
• VPCs can be on same or different
• Regions
• Accounts (same Payer ID)
• Enables traffic flow from the VPC to
the DX connection
• For VPC to VPC Traffic,
consider using AWS Transit
Gateway
VPC 1A
Corporate
data center
Customer
gateway
AWS Cloud
Private
Virtual Interface
VPC 1B
Private
Virtual Interface
Region 1
VPC 2A
Private
Virtual Interface
Region 2
AWS Direct Connect
Gateway
AWS DX Device
Direct Connect
Location

How to connect at scale across accounts/Regions?
AWS DX Gateway +
AWS Transit Gateway
• Transit VIF
• Connects to an AWS
Transit Gateway
• Simplify your network architecture
and management overhead
• Create a hub-and-spoke model
that spans multiple
• VPCs
• Regions
• AWS accounts
VPC 1A
Corporate
data center
Customer
gateway
AWS DX Device
AWS Cloud
VPC 1B
Region 1
VPC 2A
Region 2
Direct Connect
Location
AWSTransitGateway
AWS Direct Connect
Gateway

Traffic Distribution

How to scale my app horizontally inside my VPC?
Elastic Load Balancing
• Distributes incoming application or
network traffic across multiple
targets
• EC2 instances
• Containers
• IP address
• Multiple Availability Zones
• Scales automatically
• Auto Scaling Groups can add or
remove instances as required
• Automatically register to the
Load Balancer
VPC
Internet gateway
EC2
Instance
EC2
Instance
EC2
Instance
Auto ScalingGroup
EC2
Instance
EC2
Instance
EC2
Instance
EC2
Instance
Auto ScalingGroup
EC2
Instance

Elastic Load Balancing
Features Comparison
Feature Application Load Balancer Network Load Balancer
Protocols HTTP, HTTPS TCP
Platforms VPC VPC
Health checks √ √
CloudWatch metrics √ √
Logging √ √
Path-Based Routing √
Host-Based Routing √
Native HTTP/2 √
Configurable idle connection timeout √
SSL offloading √
Server Name Indication (SNI) √
Sticky sessions √
Back-end server encryption √
Static IP √
Elastic IP address √
Preserve Source IP address √

How to solve my Domain Names to IP Address?
Amazon Route 53
• AWS DNS service
• Domain Registration
• Domain name resolution
• 100% availability SLA
• Health Checks
• DNS Failover
• Latency Based Routing
• Geo Based Routing
• Weighted Round Robin
• Private DNS for VPC
Amazon Route 53
Region us-east-1
(N.Virginia)
Region us-west-2
(Oregon)
Web Service
Elastic Load Balancer
Web Service
Web Service
Main
Site
Healthy
DNS Resolution Request
A/B
Testing
AppVersion A
95%Traffic
AppVersion B
5%Traffic
App DR
Yes No

Can I improve availability and performance of my global
services?
AWS Global Accelerator
• Uses AWS Global Network from
Edge to Region
• Client traffic ingresses via closes
available Edge location
• Route client to closest healthy
endpoint
• No DNS switchover required, same
IP address globally
• Static IP Anycast
AWS Cloud
Users in US Users in Europe
Region us-east-1 (N.Virginia) Region eu-west-1 (Ireland)
Edge location
Service
Service
Edge location Edge location
Edge location
AWS Global Accelerator
www.example.com
IP: 198.51.100.2
www.example.com
IP: 198.51.100.2
Redundant path

Questions?

Pitt Immersion Day Module 3 - networking in AWS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Pitt Immersion Day Module 3 - networking in AWS

Similar to Pitt Immersion Day Module 3 - networking in AWS (20)

More from EagleDream Technologies

More from EagleDream Technologies (10)

Recently uploaded

Recently uploaded (20)

Pitt Immersion Day Module 3 - networking in AWS

Editor's Notes