This document discusses network designs for a project called "Project Unicorn" that has three main requirements: 1) PCI compliance for secure apps, 2) high availability for customer-facing apps, and 3) connectivity across AWS regions and third parties. It proposes solutions to each requirement, including a quickstart VPC design for PCI compliance, an always-available design using Route53 and Direct Connect, and a transit VPC to connect disparate VPCs globally. Key components and considerations are outlined for each proposed solution.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
David Murray – Solutions Architect
September 2016
VPC Design for Enterprise
Connectivity

2. Monday Morning….. Project Unicorn

3. Business
RiskSecurity Others
Infrastructure Architects
Developers

4. Project Unicorn’s Requirements
• Security Team –
• Applications need to all follow PCI DSS compliance
• Risk Team –
• Customer facing apps need to be 24x7
• Expansion Team –
• Apps needs to be able to communicate across AWS regions
and third parties.

5. Requirement # 1 – PCI Compliance
• Needs to follow strict standards (PCI DSS etc)
• Need secure development areas to test code
• Needs to be able to be automated

6. NAT
Potential Use for
security
appliances for
monitoring,
logging
Bastion
Solution # 1 – PCI DSS – Quickstart
VPC NAT
gateway
Auto Scaling
ELB
MySQL DB
Instance
VPC NAT
gateway
Auto ScalingELBELB
MySQL DB
Instance
ELB
AP=SOUTHEAST-­2A
AP=SOUTHEAST-­2B
IGW
VPC NAT
gateway
Auto Scaling
ELB
MySQL DB
Instance
VPC NAT
gateway
Auto ScalingELBELB
MySQL DB
Instance
ELB
AP=SOUTHEAST-­2A
AP=SOUTHEAST-­2B
AlarmAWS
CloudTrail
AWS
Config
Amazon
Glacier
Amazon
S3

7. Solution # 1 – PCI DSS – Quickstart
AP=SOUTHEAST-­2B
IGW
Amazon
Glacier
Amazon
S3
VPC NAT
gateway
Auto Scaling
ELB
MySQL DB
Instance
VPC NAT
gateway
Auto ScalingELBELB
MySQL DB
Instance
ELB
AP=SOUTHEAST-­2A
VPC NAT
gateway
Auto Scaling
ELB
MySQL DB
Instance
VPC NAT
gateway
Auto ScalingELBELB
MySQL DB
Instance
ELB
AP=SOUTHEAST-­2A
AP=SOUTHEAST-­2B
AlarmAWS
CloudTrail
AWS
Config
Potential Use for
security
appliances for
monitoring,
logging
NAT
Bastion

8. Solution # 1 – PCI DSS – Components
• Secure Management VPC
• Managed NAT
• Bastion Hosts
• VPC Peering
• Production VPC
• DMZ
• Proxies
• Managed NAT
• AWS ELB
• AWS IGW
• AWS VPC Endpoints

9. Solution # 1 – PCI DSS – Components
• Automation
• AWS Cloudformation
• Supporting Structure
• Logs – Amazon S3
• Audit –AWS CloudTrail & AWS Config
• Monitoring –Amazon Cloudwatch Alarms

10. Solution # 1 – PCI DSS – Considerations
• Authentication
• Authenticating and authorisation to Bastion Hosts
• See IAM presentation later!!
• Log Collation
• Collating all of the logs in a single platform and make the
alerting meaningful to the threat

11. Requirement # 2 – 24 X 7 Availability
• Needs to withstand Third Party Provider Failures
• Needs to withstand AWS AZ Outages
• Needs to withstand Application Failures

12. Solution # 2 – Always Available
www.example.com
Route53 CloudFront
S3 – Static Website
ap-­southeast-­2
WAF
50%
50%
50%

13. Solution # 2 – Always Available
Private VIF
Private VIF
ap-­southeast-­2
Public VIF
Public VIF
Customer DC
Service Provider
Network
SQS WORKSPACES
SNS
Customer Gateway
Customer GatewayDx POP
Dx POP
VPN Backup Via
Internet
Our VGW’s are
also used as VPN
connection points!

14. Solution # 2 – Components
• Front End
• AWS Route 53
• AWS WAF
• Amazon Cloudfront
• AWS ELB
• Back End
• AWS Direct Connect
• VPN

15. Solution # 2 – Considerations
• BGP Design
• Designing for multipath
• State-­full Firewalls
• Asymmetric routing
• Timers for VPN Activation
• R53 Health Checks
• Making sure they are relevant to the application

16. Requirement # 3 – Connectivity
• Need to connect applications in disparate VPC’s
• Need to be able to connect VPC’s globally
• Need to be able to connect to off cloud locations across
multiple providers
• Needs to be managed by a small team

17. Solution # 3 – Transit VPC
Spoke
VPC A
Spoke
VPC B
Spoke
VPC ‘n’
VPN
gateway
AZ A AZ B
Transit VPC
Corporate
Data Centre
Other Network Providers
Lambda

18. Solution # 3 – Automation
VGW Poller Cisco
Configurator
Amazon S3
Bucket
A B
C
AZ 1
CSR 1
Elastic IP
CSR 2
Elastic IP
AZ 2
Transit VPC
IGW
Endpoints
1
2 3
4
5
AWS LAMBDA
AWS LAMBDA

19. All of This in One Command
aws cloudformation create-stack
solutionsreference/transit-vpc/latest/transit-
vpc-primary-account.template

20. Solution # 3 – Components
• VPN
• VPN Router
• Routing Protocols
• AWS Lambda
• Amazon Cloudwatch Events
• AWS KMS
• Amazon S3

21. Solution # 3 – Considerations
• Cost
• Licensing plus data charges
• Limits
• Bandwidth and VPN
• Complexity
• Routing protocol management

22. Quick Tips
1. Design supporting services common across ALL VPC’s
• Authentication, Monitoring, Audit, Security, Bastions
2. Architect for availability
3. Architect for connectivity

23. Quick Tips
• VPC Design Infrastructure – Patterns not Snowflakes
• Find a secure pattern that meets the business requirements
and use this for all VPC implementations
• VPC Design Connectivity – Match the Business Needs
• Design redundancy based on the SLA required by the
applications
• Design VPC connectivity based on how the business needs
to consume AWS

24. Quick Tips
• BGP
• Understand failover scenarios and how to design timers to
match the business uptime SLA
• Firewall Design
• Understand how to design firewall clusters that share state to
avoid asymmetric routing issues on redundant direct connects
• Automate
• Automate everything from creation to self healing!

25. Wrap Ups
• PCI DSS Quick start
• Build the security services once
• Highly Available
• Design connectivity for highly available apps
• Transit VPC
• Connect global regions and 3rd parties to central transit VPC

26. Thank You!