Amazon Virtual Private Cloud (Amazon VPC) enables you to have complete control over your AWS virtual networking environment. In this session, we will work through the process and features involved to build an advanced hybrid and connected architecture exploring the new capabilities including VPC Shared Subnets, AWS Transit Gateway, Route 53 Resolver and AWS Global Accelerator. We dive into how they work and how you might use them.

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Networking – Advanced
Concepts and New Capabilities
Steve Seymour
Principal Solutions Architect
Amazon Web Services
N E T 4 0 1

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Agenda
Account
Strategy
VPN
WAN
AWS Direct
Connect
Transit VPC
Network
Services
Connectivity
WAN
Shared
Services
Multi-Region
Options
VGW
VGW
VGW
VGW
VGW
VGW
VGW
VGW

4. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Automation of infrastructure
AWS Direct Connect and VPN standards
Subnet and routing standards
AWS Identity and Access Management
Strict security groups and routing
Identifying resources with tags
S m a l l e r V P C s o r a c c o u n t sL a r g e r V P C s o r a c c o u n t s
Account and VPC segmentation
Infrastructure and
NetworkingPolicy and IAM

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Segmentation: Decision inputs
Relationship between accounts, VPCs, and tenants?
• Do accounts and tenants trust each other?
• Is the current network segmentation intentional or a side effect?
Who owns security and networking?
• Each team or a centralized team?
Compliance and governance requirements?
• Can they be scoped to an account or a VPC level

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Baseline security
IAM
Security groups
Segmentation options: Layers
VPC VPC
Application Application
Application Application
VPC
Application
Application
Inside the account
At the VPC
ACLs
Network security
Route tables
Network ACLs
Separate VPCs
VPC

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
both?
Provide granular account control
with centralized infrastructure

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC sharing
Easily share VPC networks between AWS accounts, providing
central oversight and control for networking engineers

10. S U M M I T
VPC Sharing and Resource Access Manager
Share subnets between accounts in an AWS Organization
VPC
Account
Account
Account
Account
172.16.0.0
172.16.1.0
172.16.2.0
172.16.0.0
172.16.1.0
172.16.2.0
Resource Share
• Public subnets
• Private subnets
Resource Share
• Private subnets
Infrastructure
account

11. S U M M I T
VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
Account
Account

12. S U M M I T
VPC Sharing and Resource Access Manager
Account owners only see subnets and their resources
Account
Account

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Segmentation in a Shared VPC with network ACLs
VPC
Account
Account
Account
Account
Public subnet
Private subnet Private subnet
Resource share
• Public subnets
• Private subnets
Resource share
• Public subnets
• Private subnets
Public subnet
10.0.1.0/24 10.0.2.0/24
10.0.101.0/24 10.0.102.0/24
Inbound network ACL
# Source Action
100 10.0.1.0/24 ALLOW
101 10.0.101.0/24 ALLOW
200 10.0.0.0/16 DENY
300 0.0.0.0/0 ALLOW
Mimic behavior of a single VPC:

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC Sharing benefits
Less unused resources
• Higher density subnets, add up
to 5 additional CIDRs
• More efficient use of VPN and
AWS Direct Connect
Separation of duties
• Infrastructure strictly controls
routing, IP addresses, and VPC
structure
• Developers own their resources,
accounts, and security groups
Decouple accounts and networks
• Account protection and billing
without additional infrastructure
• Many accounts with fewer
networks
• Avoid VPC peering charges

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Segmentation considerations: Where to start
Separate VPCs
• Often the best security decision is the simplest.
Separate VPCs are simple.
• Use separate VPCs for strong network segmentation
and resource isolation
• Transit Gateway removes the scaling issues with many VPCs
(peering, VPN, routes)
Transit Gateway route tables define multi-VPC policy
• Consider isolating environments (dev and prod) and allow access to
shared resources

16. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Shared services connectivity options
AWS Transit Gateway
• Many-to-many or one-to-many
with route tables
• Highly scalable
• Priced Hourly per Attachment
and data processing
VPC
Account Account
Account Account
Development
VPC
Account Account
Account Account
Testing
VPC
Account Account
Account Account
Production
VPC
Shared Services
Route
Tables
Route
Tables
Transit Gateway
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly
endpoint costs

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What is the AWS
Transit Gateway?

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Quick comparison: Transit Gateway and Transit VPC
VPN
WAN
AWS Direct
Connect
Transit VPC
Transit VPC Transit Gateway

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPC Transit Gateway
AWS Transit Gateway radically evolved and simplified cloud networking. Using Transit Gateway,
we reduced the time to interconnect new VPCs and on-premise networks from weeks to
minutes while attaining consistent and more reliable network performance!
Khoder Shamy, Director, Cloud Platform and Infrastructure, Fuze
“
”

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Introducing: Transit Gateway
AWS Region
Transit Gateway
ENIs
VPN
Routing domain
Routing domain
AWS Direct
Connect *
Regional service
Scalable
Flexible routing
VPC VPC VPC VPC
Available Q1 2019

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Flat: Transit Gateway route domains (route tables)
Transit Gateway
VPC VPC VPC VPC
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
10.2.0.0/16 vpc-att-2xxxxxxx
10.3.0.0/16 vpc-att-3xxxxxxx
10.4.0.0/16 vpc-att-4xxxxxxx
Default
routing domain
Route Destination
10.1.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
Per VPC

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Flat: Transit Gateway route domains (route tables)
Transit Gateway
VPC VPC VPC VPC
Route Destination
10.1.0.0/16 vpc-att-1xxxxxxx
10.2.0.0/16 vpc-att-2xxxxxxx
10.3.0.0/16 vpc-att-3xxxxxxx
10.4.0.0/16 vpc-att-4xxxxxxx
Default
routing domain
Route Destination
10.1.0.0/16 Local
10.0.0.0/8 tgw-xxxxxxxxx
Per VPC

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Isolated: Transit Gateway route domains
Transit Gateway
VPC VPC VPC VPC
Route Destination
0.0.0.0/0 VPN
Routing domain
for VPN
Route Destination
10.1.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Per VPC
VPN
Routing domain for VPCs
Route Destination
10.1.0.0/16 vpc-att-1xxxx
10.2.0.0/16 vpc-att-2xxxx
Route Destination
10.3.0.0/16 vpc-att-3xxxx
10.4.0.0/16 vpc-att-4xxxx

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Isolated: Transit Gateway route domains
Transit Gateway
VPC VPC VPC VPC
Route Destination
0.0.0.0/0 VPN
Route Destination
10.1.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Per VPC
VPN
Route Destination
10.1.0.0/16 vpc-att-1xxxx
10.2.0.0/16 vpc-att-2xxxx
Route Destination
10.3.0.0/16 vpc-att-3xxxx
10.4.0.0/16 vpc-att-4xxxx
Associate
go
Propagate routes
can reach
Routing domain
for VPN
Routing domain for VPCs

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Isolated: Transit Gateway route domains
Transit Gateway
VPC VPC VPC VPC
Route Destination
0.0.0.0/0 VPN
Route Destination
10.1.0.0/16 Local
0.0.0.0/0 tgw-xxxxxxxxx
Per VPC
VPN
Route Destination
10.1.0.0/16 vpc-att-1xxxx
10.2.0.0/16 vpc-att-2xxxx
Route Destination
10.3.0.0/16 vpc-att-3xxxx
10.4.0.0/16 vpc-att-4xxxx
Routing domain
for VPN
Routing domain for VPCs

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Isolated: Transit Gateway route domains
Transit Gateway
VPC VPC VPC
Shared
services
VPN
VPC
Route Destination
10.1.0.0/16 vpc-att-1xxxx
10.2.0.0/16 vpc-att-2xxxx
Route Destination
10.3.0.0/16 vpc-att-3xxxx
10.4.0.0/16 vpc-att-4xxxx
Route Destination
10.0.0.0/8 VPN
10.4.0.0/16 vpc-att-4xxxx
VPC
VPCs associate to a route table
with routes to shared resources
Shared resources attach to a
route table with routes to all
resources

28. S U M M I T
Reference Network
Architecture
VPC
Account Account
Account Account
VPC
Account Account
Account Account
VPC
Account Account
Account Account
VPC
VPC
VPC
VPC
VPN
AWS Direct
Connect *
Account Account Account Account IAM, cross-account roles
Route
tables
Route
tables
Transit Gateway
Available Q1 2019

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPN with Transit Gateway
VPN
Route
tables
Route
tables
Transit Gateway
Customer Gateway
Consolidate VPN at the Transit Gateway (TGW)
• VPN acts similar to the Virtual Private Gateway (VGW)
• Bandwidth, configuration, APIs, cost, and experience
• VPN is attached to a TGW instead of a VGW
• Same 1.25 gbps bandwidth per tunnel applies
Encryption to the edge of many VPCs
• Traffic is encrypted until it’s inside the VPC
• Does not natively encrypt traffic between VPCs
• Inter-region VPC peering does

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPN with Transit Gateway: Add more bandwidth
VPN
Route
tables
Route
tables
Transit Gateway
Customer Gateway
Support for spreading traffic across many tunnels
• Equal Cost Multi-Path (ECMP) support with BGP multi-
path
• Tested up to 50 Gbps of traffic
• Split traffic into smaller flows, multi-part uploads, etc.
Check your on-premises configuration
• Multi-path BGP
• ECMP support, amount of equal paths, reverse-path
forwarding/spoofing checks
• Only supported with BGP, not static routing

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Using Transit Gateway and PrivateLink
AWS Transit Gateway
• Many-to-Many or one-to-many
with route tables
• Highly scalable
• Hourly per AZ endpoint costs
VPC
Account Account
Account Account
Development
VPC
Account Account
Account Account
Testing
VPC
Account Account
Account Account
Production
VPC
Shared Services
Route
Tables
Route
Tables
Transit Gateway
Scope
Trust model
Dependencies
Scale
Scope
Trust model
Dependencies
Scale
AWS PrivateLink
• One-to-many connectivity
• Highly scalable
• Supports overlapping CIDRs
• Uses Elastic Load Balancing
• Load balancing and hourly
endpoint costs

32. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Amazon Global Network
• Redundant 100 GbE network
• Private network capacity between
all AWS region, except China
Global Network
AWS Global Infrastructure
• 20 Regions with 60 Availability Zones
• 4 Regions coming soon: Bahrain,
Cape Town, Hong Kong SAR,
and second USA GovCloud
160 Points of Presence (PoPs)
• 149 Edge Locations
• 11 Regional Edge Caches

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why we have a backbone network?

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multiple services traverse the backbone

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Introducing AWS Global Accelerator
1

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Local ISP Network A B C D E F
Access Application!
Accessing your application is not this straightforward!It can take many networks to reach the application
Paths to and from the application may differ
Each hop impacts performance and can introduce risk
Introducing AWS Global Accelerator

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Local ISP AWS Network
Accessing your web applications with
AWS Global Accelerator
Adding AWS Global Accelerator removes these inefficiencies
Leverages the Global AWS Network
Resulting in improved performance

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
VPCVPC
AWS Region 1 AWS Region 2
3.10.3.1253.10.3.125

40. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Connecting to on-premises
Virtual Private Gateway VPN AWS Direct Connect
VGW
VGW
VPN
VGW
VGW
WAN
• Per VPC
• 1.25 Gbps bandwidth
• Encrypted in transit
• Per VPC (50 per port)
• Multiple VPCs with Direct
Connect gateway
• No bandwidth restraint
AWS Transit Gateway VPN
VPN
• Multiple VPCs
• Add VPN connection as needed
• 1.25 Gbps per tunnel
• Roadmap: AWS Direct Connect
Amazon EC2 Customer VPN
VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by
management complexity

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Connecting to On-premises at Scale
Virtual Private Gateway VPN AWS Direct Connect
VPN
VGW
VGW
WAN
• Per VPC
• 1.25 gbps per tunnel
• Encrypted in transit
• Per VPC (50 per port)
• Multiple VPCs with Direct
Connect gateway
• No bandwidth restraint
AWS Transit Gateway VPN
VPN
• Multiple VPCs
• Add VPN connection as needed
• 1.25 gbps per tunnel
• Roadmap: AWS Direct Connect
Amazon EC2 Customer VPN
VPN
• Per VPC or multiple (Transit VPC)
• Bandwidths vary by instance type
• AWS Marketplace options
• Scalability is generally limited by
management complexity

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Private connectivity with AWS Direct Connect
Dedicated private connection
from on-premised to AWS
Consistent network
performance
Reduced bandwidth costs
Compatible with all
AWS services

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Direct Connect to Many VPCs
AWS Region
VGW
VGW
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
location
Private virtual interface (VIF)
Customer
router
AWS
router
Customer
router
AWS
router
VGW
VGW
10.2.0.0/16
Up to 50 VIFs per port
AWS Direct Connect
location 2

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Direct Connect: Link Aggregation
AWS Region
VGW
VGW
10.1.0.0/16
WAN
On-premises
Link aggregation
(LAG)
Private virtual interface (VIF)
Customer
router
AWS
router
Customer
router
AWS
router
VGW
VGW
10.2.0.0/16
Up to 4 ports in a LAG,
each with 50 VIFs
AWS Direct Connect
location 2

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Direct Connect gateway
AWS Region
VGW
VGW
10.1.0.0/16
WAN
On-premises
AWS Direct Connect
location
Private virtual
interface (VIF)
Customer
router
AWS
router
Customer
router
AWS
router
VGW
VGW
10.2.0.0/16
Up to 10 VGWs per
direct connect gateway
AWS Direct Connect
location 2
Direct
connect
gateway
Account

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Direct Connect and Transit Gateway
Use Direct Connect in parallel Use VPN over a Direct Connect
public virtual interface (VIF)
VPC
Account Account
Account Account
VPC
Account Account
Account Account
VPC
Account Account
Account Account
VPC
VPN
AWS Direct
Connect
Route
Tables
Route
Tables
Transit Gateway
Private virtual
interfaces
VPN
AWS Direct
Connect
Route
Tables
Route
Tables
Transit Gateway
Public virtual
interface
AWS Region
Receive AWS
public IP addresses
Native Direct Connect support
planned for Q1 2019

48. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Route 53 Resolver
Managed DNS Resolver
service from Route 53
Create conditional
forwarding rules to re-direct
query traffic
Enables hybrid connectivity
over AWS Direct Connect
and Managed VPN

50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center
X

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center
X

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center
VPC
VPC

56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center
VPC
VPC

57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Enabling Hybrid Cloud
VPC
Data Center
VPC
VPC

58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Route 53 Resolver

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Benefit to you: Reduced Complexity

60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Benefit to you: Availability
• Use AWS high availability architecture
• Create additional redundancy by provisioning more ENIs in different
AZs
VPC

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Benefit to you: Cross Account Rules Sharing
VPC
VPC
VPC

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Benefit to you: Cross Account Rules Sharing
VPC
VPC
VPC

63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Client VPN
Support for OpenVPN clients
Available in 4 regions at
launch; others coming soon
Connected users charged
per user per hour

64. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Attachment
to Amazon
VPC
TLS based tunnel
over the internet
User with Open
VPN Client
VPC
Client VPN
Endpoint
Client
The
InternetAmazon
DynamoDB
Amazon S3
On-Premises
VPC

65. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Private connectivity with Inter-region Peering
Private connectivity for two
or more VPCs between regions
Highly available, no single
point of failure
All traffic stays on the AWS
global backbone network
All traffic encrypted and
anonymized

67. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

68. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Takeaways
We have tools and architectures that horizontally scale to many VPCs
There’s wiggle room for your specific use cases
Use services in combination to meet scale and security requirements

69. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Advice
• Networking changes fast, no more crystal balls
• Start simple! Stay simple. Reduce complexity to smaller scopes
• Segment and modify as needed
• Experiment and test

70. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please provide your feedback!
Steve Seymour
Principal Solutions Architect
Amazon Web Services