2. What to expect from this session
You will learn how to integrate a variety of AWS networking services to build a reliable and scalable architecture in three common cloud access scenarios:
• Access from the internet
• Access from other VPCs
• Access from your on-premises network
S U M M I T
4. Public subnet: our starting point
[Diagram: one instance in a public subnet in Availability Zone 1 of a VPC, reached through an Internet Gateway via an Elastic IP; Route 53 answers the user's DNS query.]
5. Auto-Scaling and Load Balancing in VPC
[Diagram: instances in private subnets across Availability Zone 1 and Availability Zone 2, in an Auto-Scaling group behind an Application Load Balancer; the Internet Gateway fronts the VPC and Route 53 answers the users' DNS query with a CNAME/ALIAS record for the load balancer.]
8. Secure your web applications
[Diagram: the same two-AZ, auto-scaled architecture behind an Application Load Balancer, now fronted by a CloudFront edge location with Web Application Firewall; a WAF Managed Rule is applied to a hacker's SQL Injection attempt while users' requests pass through.]
9. DDoS Mitigation
[Diagram: the same CloudFront, Web Application Firewall and Application Load Balancer architecture with Shield Advanced added for DDoS mitigation at the edge.]
10. I have a TCP service (non-HTTP/S)
[Diagram: a TCP service on auto-scaled instances in private subnets across two Availability Zones, behind a Network Load Balancer; AWS Global Accelerator provides a static anycast IP in front of the Network Load Balancer, with Shield Advanced protection, alongside the CloudFront and Application Load Balancer path for the web tier; Route 53 answers the users' DNS query.]
11. I run UDP-based games
[Diagram: UDP game servers on auto-scaled instances in public subnets across two Availability Zones, each with an Elastic IP (EIP), behind a Network Load Balancer; AWS Global Accelerator provides a static anycast IP with Shield Advanced protection; Route 53 answers the users' DNS query.]
12. Accessing your application is not this straightforward!
[Diagram: a client path from a local ISP across networks A, B, C, D, E and F before it reaches the application.]
It can take many networks to reach the application:
• Paths to and from the application may differ
• Each hop impacts performance and can introduce risk
Introducing AWS Global Accelerator
13. Accessing your web applications with AWS Global Accelerator
[Diagram: the client path now goes from the local ISP directly onto the AWS network.]
Adding AWS Global Accelerator removes these inefficiencies:
• Leverages the global AWS network
• Resulting in improved performance
14. How a fixed IP address helps
• Migration between endpoint types
• Whitelisting of IP addresses in security applications
• Scaling of applications to new AWS Regions or AZs
• Stack upgrades and performance testing
No client-facing changes
16. VPC to VPC
[Diagram: four options for connecting two VPCs: VPC Peering within a Region; Inter-region VPC Peering between Region 1 and Region 2; a VPN Connection between a vRouter with an EIP in each Region; and a VPN Connection from a vRouter with an EIP in Region 1 to a VPN Gateway in Region 2.]
17. VPC to VPCs – VPC peering
Pros
• AWS managed service
• Easy to deploy
• Inter-region support
• Security groups across VPCs
• Private DNS name support
• Encryption (inter-region)
Cons
• Does not support transitive routing
• 125 peering connections per VPC
• Max. full-mesh VPCs: 14 (limit of VPC route table)
[Diagram: PROD, DEV, TEST and SEC VPCs each peered with a Shared Services VPC; the path from one spoke VPC to another through the Shared Services VPC is marked with an X, because peering is not transitive.]
18. VPC to VPCs – Transit VPC
Pros
• Scalable for VPC expansion
• Central routing control
• East-west routing
• Automation with partner solutions
• Cross account
• Encryption
Cons
• Bandwidth constrained
• Complex management
• Instance and licensing costs
I want to run full-mesh connectivity between all VPCs
[Diagram: a Transit VPC with a software router/firewall in AZ 1 and AZ 2, connected by IPsec tunnels to the Virtual Private Gateway of each spoke VPC (VPC 1 ... VPC 10, VPC N, VPC N+1).]
19. VPC to VPCs – AWS PrivateLink
Benefits
• Highly scalable
• Supports overlapping CIDRs
• Supports all TCP-based services
• All traffic is transmitted privately
• Three types of services accessible over PrivateLink:
  AWS Services
  Customer hosted internal services
  3rd Party services (SaaS)
I need to solve the issue of IP overlap
[Diagram: a PrivateLink endpoint service backed by a Network Load Balancer in AZ 1 and AZ 2 of the provider VPC (10.1.1.0/24); consumer VPCs that all use the same 10.1.1.0/24 CIDR reach it through an interface endpoint. Access is unidirectional only, from consumer to provider.]
20. VPC to VPCs – AWS PrivateLink
Can I provide my services in a different region?
[Diagram: the service provider's PrivateLink endpoint service (Network Load Balancer) in Region 1; a service VPC in Region 2 and in Region 3 is connected to it by inter-region VPC peering and exposes its own PrivateLink endpoint service through a Network Load Balancer, so service consumers in those Regions (all using 10.1.1.0/24) reach the service through a local interface endpoint.]
21. VPCs to VPCs – before AWS re:Invent 2018
[Diagram: the Transit VPC design again: a software router/firewall in AZ 1 and AZ 2 with IPsec tunnels to the Virtual Private Gateway of VPC 1 ... VPC 10, VPC N, VPC N+1.]
• Performance constrained
• Complex management
• Instance and licensing costs
22. AWS Transit Gateway
“AWS Transit Gateway radically evolved and simplified cloud networking. Using Transit Gateway, we reduced the time to interconnect new VPCs and on-premise networks from weeks to minutes while attaining consistent and more reliable network performance!”
Khoder Shamy, Director, Cloud Platform and Infrastructure, Fuze
23. VPCs to VPCs – after AWS re:Invent 2018
Benefits
• Highly scalable: ~5000 attachments
• High performance: ~50Gbps per VPC
• Many-to-many or one-to-many
• Routing domain segmentation
• Site-to-site VPN with ECMP
• Direct Connect Gateway support
AWS Transit Gateway
[Diagram: four VPCs (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16 and the Shared services VPC 10.4.0.0/16), each spanning AZ 1 and AZ 2, attached to one Transit Gateway through an elastic network interface (ENI) per AZ; all VPC attachments share one routing domain.]

VPC Route Table (Shared services, 10.4.0.0/16)
Route          Destination
10.4.0.0/16    Local
10.0.0.0/8     tgw-xxxxxxxxx

VPC Route Table (10.3.0.0/16)
Route          Destination
10.3.0.0/16    Local
10.0.0.0/8     tgw-xxxxxxxxx

Transit Gateway Route Table
Route          Destination
10.1.0.0/16    vpc-att-1xxxxxxx
10.2.0.0/16    vpc-att-2xxxxxxx
10.3.0.0/16    vpc-att-3xxxxxxx
10.4.0.0/16    vpc-att-4xxxxxxx
24. VPCs to VPCs – VPC Segmentation
AWS Transit Gateway
[Diagram: the same four VPCs attached to the Transit Gateway, now split into two routing domains: the three workload VPC attachments are associated with one Transit Gateway route table and the Shared services VPC attachment with another.]

VPC Route Table (10.1.0.0/16)
Route          Destination
10.1.0.0/16    Local
10.0.0.0/8     tgw-xxxxxxxxx

VPC Route Table (10.3.0.0/16)
Route          Destination
10.3.0.0/16    Local
10.0.0.0/8     tgw-xxxxxxxxx

VPC Route Table (Shared services, 10.4.0.0/16)
Route          Destination
10.4.0.0/16    Local
10.0.0.0/8     tgw-xxxxxxxxx

Transit Gateway Route Table (VPC attachments 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16)
Route          Destination
10.4.0.0/16    vpc-att-4xxxxxxx
No route entry for 10.2.0.0/16: a workload VPC in this routing domain reaches the Shared services VPC but not the other workload VPCs, because the Transit Gateway has no route for them.

Transit Gateway Route Table (Shared services VPC attachment)
Route          Destination
10.1.0.0/16    vpc-att-1xxxxxxx
10.2.0.0/16    vpc-att-2xxxxxxx
10.3.0.0/16    vpc-att-3xxxxxxx
10.4.0.0/16    vpc-att-4xxxxxxx
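A small model of the segmentation on this slide, added here as an example and not part of the presentation: each VPC route table sends 10.0.0.0/8 to the Transit Gateway, and the Transit Gateway then evaluates the packet against the route table associated with the source attachment. The attachment ids, table names and helper functions are this example's own constructions, not AWS API calls.

```python
import ipaddress

def lookup(route_table, dst):
    """Longest-prefix match of dst against {prefix: target}; None = no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

# VPC route tables as on the slide: the local CIDR plus 10.0.0.0/8 to the TGW.
# Attachment ids are constructed, shortened forms of the slide's placeholders.
VPC_ROUTE_TABLE = {
    "vpc-att-1": {"10.1.0.0/16": "local", "10.0.0.0/8": "tgw-xxxxxxxxx"},
    "vpc-att-2": {"10.2.0.0/16": "local", "10.0.0.0/8": "tgw-xxxxxxxxx"},
    "vpc-att-3": {"10.3.0.0/16": "local", "10.0.0.0/8": "tgw-xxxxxxxxx"},
    "vpc-att-4": {"10.4.0.0/16": "local", "10.0.0.0/8": "tgw-xxxxxxxxx"},
}

# Two Transit Gateway route tables, one per routing domain.
TGW_ROUTE_TABLE = {
    # Workload VPC domain: only the shared services VPC is reachable.
    "vpc": {"10.4.0.0/16": "vpc-att-4"},
    # Shared services domain: every VPC is reachable.
    "shared-services": {
        "10.1.0.0/16": "vpc-att-1", "10.2.0.0/16": "vpc-att-2",
        "10.3.0.0/16": "vpc-att-3", "10.4.0.0/16": "vpc-att-4",
    },
}

# Association: which TGW route table evaluates traffic from each attachment.
ASSOCIATION = {"vpc-att-1": "vpc", "vpc-att-2": "vpc",
               "vpc-att-3": "vpc", "vpc-att-4": "shared-services"}

def forward(src_att, dst):
    """Where a packet from src_att to dst ends up: 'local' if it stays in the
    source VPC, an attachment id if the TGW delivers it, None if it is dropped
    (no VPC route, or no entry in the associated TGW route table)."""
    hop = lookup(VPC_ROUTE_TABLE[src_att], dst)
    if hop != "tgw-xxxxxxxxx":
        return hop                       # 'local' or None
    return lookup(TGW_ROUTE_TABLE[ASSOCIATION[src_att]], dst)
```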
26. Virtual Private Gateway
Pros
• Cost effective
• Easy install, minutes to set up
• Supports static routing and BGP
• VPN Gateway is a managed service
Cons
• Bandwidth constrained (up to 1.25G)
• Hard to manage
• Repeat for every VPC
• No ECMP support
[Diagram: a corporate data center with one Customer Gateway and 1 VPN Connection (2 VPN tunnels) to the VPN Gateway, and a corporate data center with two Customer Gateways and 2 VPN Connections (4 VPN tunnels) to the VPN Gateway.]
Create two customer gateways for high availability.
The VPN tunnels are active/standby by default; you configure BGP attributes for active/active.
27. AWS Direct Connect
Pros
• Consistent networking performance
• LAG support (1Gbps * 4)
• Lower data transfer charges
• BGP routing policy (AS path, BGP communities)
Cons
• Lead time could take weeks
• Local loop monthly charges
• Single region only
[Diagram: the Customer Router in the corporate data center (172.16.0.0/16) reaches two AWS DX Routers over the local loop; Private VIF 1 and Private VIF 2 both terminate on the VPN Gateway (VGW) associated with the VPC 10.1.0.0/16. 172.16.0.0/16 and 10.1.0.0/16 are exchanged over both VIFs, with AS prepend applied on Private VIF 2.]
28. AWS Direct Connect + VPN backup
[Diagram: the same two Private VIFs over the local loop to the VGW, plus 1 Connection (2 VPN tunnels) from the Customer Router to the VPN Gateway as backup; 172.16.0.0/16 is advertised over both VIFs (AS prepend on Private VIF 2) and over the VPN.]
AWS routing preference
• 1st – local route to the VPC
• 2nd – longest prefix match
• 3rd – static route preferred over dynamic
• 4th – dynamic routes
  • prefer DX BGP routes
  • VPN static routes
  • BGP routes from VPN
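The routing preference above, applied to the DX + VPN backup topology, as an added example that is not part of the presentation: the selection order is the one listed on the slide, and among BGP routes of the same kind the shorter AS path wins, which is why the AS prepend on Private VIF 2 leaves Private VIF 1 as the active path. The route records, the kind labels and the AS number 65001 are constructed for this example.

```python
import ipaddress

# Preference among route kinds once prefix length is equal (lower wins),
# in the order listed on the slide. The kind names are this example's labels.
KIND_RANK = {"local": 0, "static": 1, "dx-bgp": 2, "vpn-static": 3, "vpn-bgp": 4}

def select_route(routes, dst):
    """Return the route used for dst, or None if nothing matches.
    Order: local route, longest prefix, static over dynamic, then among
    dynamic routes DX BGP > VPN static > VPN BGP; between BGP routes of the
    same kind the shorter AS path wins (this is what AS prepend relies on)."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    def preference(r):
        return (r["kind"] != "local",
                -ipaddress.ip_network(r["prefix"]).prefixlen,
                KIND_RANK[r["kind"]],
                len(r.get("as_path", ())))
    return min(matching, key=preference)

# Constructed routes for the slide's topology; AS 65001 stands in for the
# customer ASN, and Private VIF 2 carries the prepended AS path.
def routes_dx_up():
    return [
        {"prefix": "10.1.0.0/16", "kind": "local", "via": "VPC"},
        {"prefix": "172.16.0.0/16", "kind": "dx-bgp", "via": "Private VIF 1",
         "as_path": (65001,)},
        {"prefix": "172.16.0.0/16", "kind": "dx-bgp", "via": "Private VIF 2",
         "as_path": (65001, 65001, 65001)},
        {"prefix": "172.16.0.0/16", "kind": "vpn-bgp", "via": "VPN tunnel",
         "as_path": (65001,)},
    ]

def routes_dx_down():
    """Both Direct Connect VIFs lost: only the VPN-learned route remains."""
    return [r for r in routes_dx_up() if r["kind"] != "dx-bgp"]

def chosen_path(routes, dst):
    """Name of the path selected for dst, or None."""
    r = select_route(routes, dst)
    return None if r is None else r["via"]
```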
29. Before Direct Connect Gateway
Access multiple VPCs in different regions
• One VIF per VPC
• Hard to manage
• Multiple BGP sessions
• Max. of 50 VIFs per DX
[Diagram: the Customer Router in the corporate data center (172.16.0.0/16) needs a separate VIF to an AWS DX Router for the VGW associated with each VPC in Region 1, Region 2 and Region 3.]
30. After Direct Connect Gateway
Access multiple VPCs in different regions
[Diagram: one Private VIF from the Customer Router (172.16.0.0/16) to a Direct Connect Gateway, which is associated with the VGW of the VPCs 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 in Region 1, Region 2 and Region 3; the three VPC prefixes are advertised to the data center and 172.16.0.0/16 to each VGW.]
DX Gateway disallowed paths
• Private VIF to Private VIF
• VGW to VGW
• Private VIF to VPN
DX Gateway limits
• 200 DX Gateways per account
• 30 VIF attachments per DXG
• 10 VGW associations per DXG
31. Direct Connect Gateway with TGW
[Diagram: the four VPCs (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, Shared services 10.4.0.0/16) attached to the Transit Gateway through an ENI in AZ 1 and AZ 2; the corporate data center (172.16.0.0/16) connects from the Customer Router through the DX location over a Transit VIF to a DX Gateway, which is attached to the Transit Gateway.]

VPC Route Table (10.3.0.0/16; the slide repeats the same table for each workload VPC)
Route           Destination
10.3.0.0/16     Local
10.0.0.0/8      tgw-xxxxxxxxx
172.16.0.0/16   tgw-xxxxxxxxx

Transit Gateway Route Table (VPC attachments)
Route           Destination
10.4.0.0/16     vpc-att-4xxxxxxx
172.16.0.0/16   dxg-att-5xxxxxxx

Transit Gateway Route Table (Shared services VPC attachment)
Route           Destination
10.1.0.0/16     vpc-att-1xxxxxxx
10.2.0.0/16     vpc-att-2xxxxxxx
10.3.0.0/16     vpc-att-3xxxxxxx
10.4.0.0/16     vpc-att-4xxxxxxx
172.16.0.0/16   dxg-att-5xxxxxxx
32. Site-to-site VPN with TGW
[Diagram: the same Transit Gateway with the four VPC attachments and the DX Gateway (Transit VIF from the corporate data center, 172.16.0.0/16); a branch office (172.17.0.0/16) connects its Customer Router to the Transit Gateway over a site-to-site VPN.]
Benefits
• Consolidate VPN at the Transit Gateway (TGW)
• ECMP support with BGP multi-path (1.25 * 8 = 10Gbps)
• 50Gbps throughput
• Support full-mesh between all attached networks (on-premises behind DX, on-premises behind VPN and VPC)
34. Access your cloud workloads from anywhere
[Diagram: AWS Client VPN endpoints, integrated with AWS AD, terminate the user's OpenVPN tunnel on VPN ENIs in the Shared services VPC (10.4.0.0/16); from there the Transit Gateway reaches the VPCs 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, the corporate data center (172.16.0.0/16) over the DX Gateway and Transit VIF, and the branch office (172.17.0.0/16). The example flow is SSH to 10.1.0.1.]

TGW-RT Shared service
Route           Destination
10.1.0.0/16     vpc-att-1xxxxxxx
10.2.0.0/16     vpc-att-2xxxxxxx
10.3.0.0/16     vpc-att-3xxxxxxx
10.4.0.0/16     vpc-att-4xxxxxxx
172.16.0.0/16   dxg-att-5xxxxxxx

VPC Route Table (10.3.0.0/16)
Route           Destination
10.3.0.0/16     Local
10.0.0.0/8      tgw-xxxxxxxxx
172.16.0.0/16   tgw-xxxxxxxxx

TGW-RT VPC
Route           Destination
10.4.0.0/16     vpc-att-4xxxxxxx
172.16.0.0/16   dxg-att-5xxxxxxx
35. Hybrid DNS architecture
[Diagram: a Client VPN user (OpenVPN tunnel, AWS AD) and the corporate data center (172.16.0.0/16, reached through the DX Gateway and Transit VIF) share the Transit Gateway with the VPC 10.1.0.0/16 and the Shared services VPC 10.4.0.0/16, which hosts the Route 53 Resolver endpoints.]
Route 53 Private Hosted Zone: ssh.abc.com - 10.1.0.1
Inbound Resolver: 10.4.1.2 / 10.4.2.2
Outbound Resolver: 10.4.1.3 / 10.4.2.3
Outbound rule: example.com, forwarded to 172.16.1.2
On-premises DNS resolver: 172.16.1.2, holding www.example.com - 172.16.1.10

Flow 1 (on-premises to AWS): the user wants to access ssh.abc.com; the on-premises DNS resolver (172.16.1.2) sends the DNS query for ssh.abc.com to the Inbound Resolver (10.4.1.2/10.4.2.2), which answers from the Private Hosted Zone with the DNS reply 10.1.0.1.
Flow 2 (AWS to on-premises): a DNS query for www.example.com from the VPC matches the outbound rule for example.com, so the Outbound Resolver (10.4.1.3/10.4.2.3) forwards it to the on-premises DNS server 172.16.1.2, which returns the DNS reply 172.16.1.10.
36. Route 53 Resolver
• Managed DNS resolver service from Route 53
• Enables hybrid DNS resolution over Direct Connect and VPN
• Create conditional forwarding rules to redirect query traffic
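Both resolution flows from the hybrid DNS slide, modelled with conditional forwarding rules as the Route 53 Resolver slide describes; this is an added example, not code from the presentation. The zone records, rule and addresses are the slide's values; the Resolver class, the resolver names and the on-premises conditional forwarder for abc.com (which the slide's query flow implies but does not spell out) are this example's assumptions.

```python
class Resolver:
    """A DNS resolver with its own records plus conditional forwarding
    rules: domain suffix -> the Resolver that can answer for it."""

    def __init__(self, name, records=None):
        self.name = name
        self.records = dict(records or {})   # fqdn -> address
        self.rules = {}                      # domain -> target Resolver

    def add_rule(self, domain, target):
        self.rules[domain] = target

    def resolve(self, qname, hops=None):
        """Return (address or None, list of resolvers the query passed through)."""
        hops = [] if hops is None else hops
        hops.append(self.name)
        if qname in self.records:
            return self.records[qname], hops
        # The most specific matching rule (longest domain suffix) wins.
        matches = [d for d in self.rules if qname == d or qname.endswith("." + d)]
        if not matches:
            return None, hops
        return self.rules[max(matches, key=len)].resolve(qname, hops)

# Route 53 Resolver in the shared services VPC: the Private Hosted Zone record
# from the slide. Queries reach it from on-premises through the inbound
# endpoint 10.4.1.2/10.4.2.2 and leave through the outbound endpoint
# 10.4.1.3/10.4.2.3.
route53 = Resolver("route53-resolver", {"ssh.abc.com": "10.1.0.1"})
# On-premises DNS server 172.16.1.2, authoritative for example.com.
onprem = Resolver("onprem-dns-172.16.1.2", {"www.example.com": "172.16.1.10"})
# Outbound rule: example.com is forwarded to 172.16.1.2.
route53.add_rule("example.com", onprem)
# Assumed on-premises conditional forwarder: abc.com goes to the inbound endpoint.
onprem.add_rule("abc.com", route53)

def resolve_from_vpc(qname):
    return route53.resolve(qname)

def resolve_from_onprem(qname):
    return onprem.resolve(qname)
```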