Celem prezentacji jest przedstawienie sposobu tworzenia i zarządzania infrastrukturą sieciową w chmurze (AWS). Podczas prezentacji użytkownicy dowiedzą się z jakich komponentów składa się infrastruktura w chmurze, zapoznają się z tematyką VPC (Virtual Private Cloud), Security Group, Direct Connect, Avaibility Zone, Route53, Regions. Dodatkowo dowiedzą się jak należy projektować systemy aby były określane jako HA oraz w jaki sposób można tworzyć rozwiązania hybrydowe i połączyć chmurę z istniejącą infrastrukturą on-premise. Dodatkowo słuchacze zapoznają się ze sposobem zarządzania infrastrukturą sieciową jak kodem (tzw. IaC - Infrastructure as Code) – co pozwala w szybki sposób tworzyć i zarządzać całością infrastruktury sieciowej w chmurze.

1. Networking at AWS
Tomasz Stachlewski
Solutions Architect
stachlew@amazon.pl

2. What
to
Expect
from
the
Session?
Server
10.33.32.1
Server
10.120.2.3
Server
10.15.32.1
Server
10.43.2.1
Server
10.60.50.40
54.240.197.226
54.120.43.21

3. What
to
Expect
from
the
Session?
• Learn more about main core elements of the AWS global
infrastructure (Regions, AZs) – to be able to select proper location
where new systems could be deployed.
• Get familiar with basic of creating network topology in the Cloud
(creating subnets, routing tables, IP possibilities)
• Best practices of building HA systems in the Cloud
• Possibilities of connecting Cloud with On-Premise infrastructure

4. Today’s
discussion
on
AWS…
2
1
a.
b.
Global
Infrastructure
–
Where
to
host
my
Systems?
How
to
design
network
topology
in
the
Cloud?
c.
d.
Subnets,
IPs,
RouCng
Tables
etc.
High
Availability
Cloud
–
On-­‐Premise
integraCon
Best
PracCces

5. Where in the Cloud?

6. • The geographical region
where Amazon EC2 will
launch the instances that
you create
• Choose a region to optimize
latency, minimize costs, or
address regulatory
requirement
• 12 regions around the world
Regions

7. Availability Zone - AZ
• Distinct locations that are engineered to
be insulated from failures in other
Availability Zones
• Provide inexpensive, low latency network
connectivity to other Availability Zones in
the same Region
• Regions contain between 2 & 5 EC2
availability zones

8. Network Topology

9. Region: Frankfurt
Step: Choose Region
Availability Zone 1
Availability Zone 2

10. 10.0.0.0/16
Step: Choose IP range for the Cloud
• Consider future AWS region expansion
• Consider future connectivity to corporate networks
• Consider subnet design
• VPC can be /16 between and /28
• CIDR cannot be modified once created
• Overlapping IP spaces = future headache

11. >aws ec2 create-vpc --cidr-block 10.0.0.0/16

12. Region: Frankfurt
VPC – Virtual Private Cloud
Availability Zone 1
Availability Zone 2
VPC (10.0.0.0/16)
VPC:
• Virtual
network
topology
that
you
define
• Your
own
logically
isolated
secCon
of
AWS
• Complete
control
of
your
networking
environment
(IP
ranges,
subnets,
rouCng
tables,
gateways
etc.)
• Advanced
Security
Features

13. Step: Create subnets
• A place where servers will be hosted
• A part of VPC
• IP range from VPC range
• Belongs to single AZ
• Design for HA!
Server
Server
Server
Server

14. Choosing IP address ranges for your subnets
Availability Zone 1
Availability Zone 2
VPC (10.0.0.0/16)
10.0.1.0/24
10.0.2.0/24
Region: Frankfurt

15. >aws ec2 create-subnet --cidr-block 10.0.1.0/16

17. Multiple Subnets
Availability Zone 1
Availability Zone 2
VPC (10.0.0.0/16)
10.0.1.0/24
10.0.2.0/24
Region: Frankfurt
10.0.1.0/24
10.0.3.0/24
10.0.2.0/24
10.0.4.0/24
MulLple
Subnets:
• Isolated
spaces
• Public/private
subnets

18. Multiple Subnets
Availability Zone 1
Availability Zone 2
VPC (10.0.0.0/16)
Region: Frankfurt
WEB
Server
WEB
Server
APP
Server
APP
Server

19. Create a route to the Internet

20. Internet Gateway
Availability Zone 1
Region: Frankfurt
WEB
Server
APP
Server
Internet
Gateway
(IGW)
is
a
horizontally
scaled,
redundant,
and
highly
available
VPC
component
that
allows
communicaCon
between
instances
in
your
VPC
and
the
Internet.

21. Traffic
desCned
for
my
VPC
stays
in
my
VPC
RouLng
Tables:
• Route
tables
contain
rules
for
which
packets
go
where
• Your
VPC
has
a
default
route
table
• …
but
you
can
assign
different
route
tables
to
different
subnets
Routing Table

22. Everything
that
isn't
desCned
for
the
VPC:
Send
to
the
Internet
through
“Internet
Gateway”
Routing Table

23. Routing Tables
Availability Zone 1
Region: Frankfurt
WEB
Server
APP
Server

24. What about Public IPs?

25. IPs
Availability Zone 1
Region: Frankfurt
WEB
Server
10.0.1.23
54.34.12.4
Private
IP
address
(manual
or
automaCc
assigned)
Public
IP
address
–
assigned
from
Amazon
IP
pool.

26. IPs
Availability Zone 1
Region: Frankfurt
WEB
Server
WEB
Server
10.0.1.23
54.34.12.4

27. IPs
Availability Zone 1
Region: Frankfurt
WEB
Server
WEB
Server
10.0.1.23
87.43.12.32
Private
IP
address
is
sCll
this
same.
Public
IP
address
has
changed.

28. IPs
Availability Zone 1
Region: Frankfurt
WEB
Server
WEB
Server
10.0.1.23
ElasLc
IP
(EIP)
Assigned
to
specific
user.
Can
be
moved
between
different
servers.
154.32.23.6
54.34.132.3
87.43.12.32
43.32.43.1
55.45.34.12
43.143.23.5
User
ElasCc
IP
Pool:

29. IPs
Availability Zone 1
Region: Frankfurt
WEB
Server
WEB
Server
10.0.1.23
ElasLc
IP
(EIP)
Assigned
to
specific
user.
Can
be
moved
between
different
servers.
154.32.23.6
54.34.132.3
87.43.12.32
43.32.43.1
55.45.34.12
43.143.23.5
User
ElasCc
IP
Pool:

30. Authorizing traffic:
Network ACLs security groups

31. Network ACLs = stateless firewall rules
• Network
ACLs
are
opConal
virtual
firewalls
that
control
traffic
in
and
out
of
a
subnet
• Network
ACLs
allow
all
incoming/outgoing
traffic
by
default
and
use
stateless
rules
to
allow
or
deny
traffic

32. Network ACLs
Server
Server
Server
SSH
SMTP
HTTP

33. Security Groups = stateful firewall rules
• Security
Groups
are
required
virtual
firewalls
that
control
traffic
for
one
or
more
instances
• You
define
only
ALLOW
rules

34. Security Groups
Server
Server
SSH
HTTP
HTTP
SSH

35. Security Groups
WEB
Server
WEB
Server
WEB
Server
APP
Server
APP
Server
APP
Server
Allow
traffic
on
port
80
from
Internet
Allow
traffic
on
port
2543
from
“WEB”
subnet

36. Security Groups

37. Security Groups

38. VPC Flow Logs:
What’s going on inside my VPC?

39. See all of the traffic at your instances
• Visibility into effects of
Security Group rules
• Troubleshooting
network connectivity
• Ability to analyze traffic

41. Connecting
OnPremise with Cloud

42. Extend your own network into Cloud
Server
Server
Server
Server
Internet

43. Extend your own network into Cloud
Server
Server
Server
Server
VPN
Direct
Connect

44. VPN: What you need to know
Server
Server
Server
Server
Customer
Gateway
Virtual
Gateway
aws ec2 create-vpn-gateway --type ipsec.1
aws ec2 attach-vpn-gateway --vpn vgw-f9da06e7 --vpc vpc-c15180a4
aws ec2 create-customer-gateway --type ipsec.1 --public 54.64.1.2 --bgp 6500
aws ec2 create-vpn-connection --vpn vgw-f9da06e7 --cust cgw-f4d905ea --t ipsec.1

45. DATA
CENTER
Direct Connect

46. • Both allow secure connections
between your network and your VPC
• VPN is a pair of IPSec tunnels over
the Internet
• Direct Connect is a dedicated line with
lower per-GB data transfer rates
• For highest availability: Use both
VPN vs. Direct Connect

47. Remote connectivity best practices
Corporate Data Center
Availability Zone
Availability Zone
Each
VPN
connecCon
consists
of
2
IPSec
tunnels.
Use
Border
Gateway
Protocol
(BGP)
for
failure
recovery.

48. Remote connectivity best practices
Corporate Data Center
Availability Zone
Availability Zone
BGP
A
pair
of
VPN
connecCons
(4
IPSec
tunnels
total)
protects
against
failure
of
your
customer
gateway
BGP

49. Remote connectivity best practices
Corporate
Data
Center
Availability Zone
Availability Zone
BGP
Redundant
AWS
Direct
Connect
connecCons
with
VPN
backup

50. Let’s replicate!

51. VPC
Availability Zone 1
Availability Zone 2
VPC (10.0.0.0/16)
NAT
Security
SYSTEM
X
DEVELOPMENT

52. SYSTEM
X
DEVELOPMENT
SYSTEM
X
PRODUCTION
SYSTEM
X
UAT
SYSTEM
X
TEST

53. SYSTEM
X
SYSTEM
B
SYSTEM
D
SYSTEM
C

54. SYSTEM
X
SYSTEM
X
Disaster
Recovery

55. CloudFormation Templates
Familiar JSON Format
ReusableManage Relationships
Automate Generation Avoid Collisions
Provide Feedback
Write & GoLook Up Resources

56. “Resources”:
{
}
"Resources"
:
{
}

57. "VPC"
:
{
"Type"
:
"AWS::EC2::VPC",
"ProperLes"
:
{
"CidrBlock"
:
"10.0.0.0/16”
}
}
"Resources"
:
{
"VPC"
:
{
"Type"
:
"AWS::EC2::VPC",
"ProperLes"
:
{
"CidrBlock"
:
"10.0.0.0/16”
}
},
}

58. "Subnet"
:
{
"Type"
:
"AWS::EC2::Subnet",
"ProperLes"
:
{
"VpcId"
:
{
"Ref"
:
"VPC"
},
"CidrBlock"
:
"10.0.0.0/24”
}
}
"Resources"
:
{
"VPC"
:
{
"Type"
:
"AWS::EC2::VPC",
"ProperCes"
:
{
"CidrBlock"
:
"10.0.0.0/16”
}
},
"Subnet"
:
{
"Type"
:
"AWS::EC2::Subnet",
"ProperLes"
:
{
"VpcId"
:
{
"Ref"
:
"VPC"
},
"CidrBlock"
:
"10.0.0.0/24”
}
}
}

59. "InternetGateway"
:
{
"Type"
:
"AWS::EC2::InternetGateway”,
},
"Resources"
:
{
"VPC"
:
{
"Type"
:
"AWS::EC2::VPC",
"ProperCes"
:
{
"CidrBlock"
:
"10.0.0.0/16”
}
},
"Subnet"
:
{
"Type"
:
"AWS::EC2::Subnet",
"ProperCes"
:
{
"VpcId"
:
{
"Ref"
:
"VPC"
},
"CidrBlock"
:
"10.0.0.0/24”
}
},
"InternetGateway"
:
{
"Type"
:
"AWS::EC2::InternetGateway”,
},
}

60. "RouteTable"
:
{
"Type"
:
"AWS::EC2::RouteTable",
"ProperLes"
:
{
"VpcId"
:
{"Ref"
:
"VPC”}
}
},
"Resources"
:
{
"VPC"
:
{
"Type"
:
"AWS::EC2::VPC",
"ProperCes"
:
{
"CidrBlock"
:
"10.0.0.0/16”
}
},
"Subnet"
:
{
"Type"
:
"AWS::EC2::Subnet",
"ProperCes"
:
{
"VpcId"
:
{
"Ref"
:
"VPC"
},
"CidrBlock"
:
"10.0.0.0/24”
}
},
"InternetGateway"
:
{
"Type"
:
"AWS::EC2::InternetGateway”,
},
"RouteTable"
:
{
"Type"
:
"AWS::EC2::RouteTable",
"ProperLes"
:
{
"VpcId"
:
{"Ref"
:
"VPC”}
}
},
}

61. "Route"
:
{
"Type"
:
"AWS::EC2::Route",
"DependsOn"
:
"AdachGateway",
"ProperLes"
:
{
"RouteTableId"
:
{
"Ref"
:
"RouteTable"
},
"DesLnaLonCidrBlock"
:
"0.0.0.0/0",
"GatewayId"
:
{
"Ref"
:
"InternetGateway"
}
}
},
"Resources"
:
{
"VPC"
:
{
"Type"
:
"AWS::EC2::VPC",
"ProperCes"
:
{
"CidrBlock"
:
"10.0.0.0/16”
}
},
"Subnet"
:
{
"Type"
:
"AWS::EC2::Subnet",
"ProperCes"
:
{
"VpcId"
:
{
"Ref"
:
"VPC"
},
"CidrBlock"
:
"10.0.0.0/24”
}
},
"InternetGateway"
:
{
"Type"
:
"AWS::EC2::InternetGateway”,
},
"RouteTable"
:
{
"Type"
:
"AWS::EC2::RouteTable",
"ProperCes"
:
{
"VpcId"
:
{"Ref"
:
"VPC”}
}
},
"Route"
:
{
"Type"
:
"AWS::EC2::Route",
"DependsOn"
:
"AdachGateway",
"ProperLes"
:
{
"RouteTableId"
:
{
"Ref"
:
"RouteTable"
},
"DesLnaLonCidrBlock"
:
"0.0.0.0/0",
"GatewayId"
:
{
"Ref"
:
"InternetGateway"
}
}
},
}

62. Template CloudFormation Stack
JSON formatted file
Parameter definition
Resource creation
Configuration actions
Configured AWS services
Comprehensive service support
Service event aware
Customisable
Framework
Stack creation
Stack updates
Error detection and rollback
CloudFormation – Components & Technology

63. VPC Peering:
Getting between VPCs without the
Internet

64. Shared services VPC using VPC peering
VPC 1
10.0.0.0/16
VPC 2
10.2.0.0/16
VPC 3
172.2.0.0/16
VPC X
10.2.0.0/16
VPC 4
192.168.0.0/16
• Common/core services
– Authentication/directory
– Monitoring
– Logging
– Administration
– Scanning

65. Dziękuję