利用AWS建立企業全球化網路

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
運用AWS建立企業全球化網路
Bruce Wang
Partner Solutions Architect
Amazon Web Services

What’s changed in the
last 12 months?

VPC endpoints
Interface VPC
endpoints
Gateway VPC
endpoints
VPC Endpoint
Services

Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Availability Zone 2Availability Zone 1
Private subnet
The
Internet
Private subnet
Public subnet
Instance A
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
Instance C
10.1.2.11/24
Instance D
10.1.3.11/24
+ Expand + IPv6
IGWVPCE(s)
10.1.0.0/16 Local
0.0.0.0/0 IGW
S3.prefix.list VPCE-123
Destination Target
10.1.0.0/16 Local
DDB.prefix.list VPCE-123
Destination Target
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Amazon
DynamoDB
VPCE =
VPC Endpoint
(Type: Gateway)
Gateway VPC endpoints

- Amazon API Gateway
- AWS CloudFormation
- Amazon CloudWatch
- Amazon CloudWatch Events
- Amazon CloudWatch Logs
- AWS CodeBuild
- AWS Config
- Amazon EC2 API
- Elastic Load Balancing API
- AWS Key Management
Service
- Amazon Kinesis Data Streams
- Amazon SageMaker Runtime
- AWS Secrets Manager
- AWS Security Token Service
- AWS Service Catalog
- Amazon SNS
- AWS Systems Manager
- Supported AWS marketplace
partner services
Before:
18 services supported over
AWS PrivateLink
NAT
Instance B
10.1.1.11/24
NAT-GW
AWS Region
Private subnet Private subnet
Public subnet
Instance A
Public subnet
VPC CIDR 10.1.0.0/16
10.1.0.11/24
Instance C
10.1.2.11/24
Instance D
10.1.3.11/24
+ Expand + IPv6
Availability Zone 2Availability Zone 1
Interface VPC endpoints
10.1.0.0/16 Local
Destination Target
10.1.0.0/16 Local
Destination Target
No additional
routing needed
41 services supported over
AWS PrivateLink
No additional
routing needed
here either…
You can add endpoint policies
to interface endpoints for
AWS services
After:

VPC Endpoint Services
Customer VPC
Service provider VPC
Application, e.g. SaaS
NLB
AWS
PrivateLink
Before:
Powered by AWS PrivateLink

VPC Endpoint Services
Customer VPC
Service provider VPC
Application, e.g. SaaS
NLB
AWS
PrivateLink
- Tagging for Endpoint Services
Powered by AWS PrivateLink
After:
- Reachable over intra and inter region VPC peering
VPC Peering
MyEndpoint

AWS Region 1 AWS Region 2
3.10.3.1253.10.3.125
Before:

AWS Global Accelerator
- Application endpoints in additional regions
After:
- Source IP preservation of client IP
AWS Region 1 AWS Region 2
3.10.3.1253.10.3.125
VPC VPC
Source IP of clients
preserved through to
destination
Application endpoints in
additional regions

AWS Global Accelerator
AWS Region 2
3.10.3.125
Global
Accelerator
Private subnet
- Application endpoints in additional regions
After:
- Source IP preservation of client IP
- Support for EC2 instance endpoints

On-premises
IPsec Tunnel 1 - Primary
IPsec Tunnel 2 - Secondary
Virtual private
gateway
VGW
IPsec tunnel over
the Internet
Customer
gateway
CGW
The Internet
AWS Site-to-Site VPN
Before:

On-premises
Virtual private
gateway
VGW
IPsec tunnel over
the Internet
Customer
gateway
CGW
The Internet
- AWS Site-to-Site VPN now supports certificate authentication
After:
2. Preshared key1. Preshared key
Previously:

On-premises
Virtual private
gateway
VGW
IPsec tunnel over
the Internet
Customer
gateway
CGW
The Internet
After:
1. Create certificate
2. Configure CGW
3. Use certificate on CGW

3. Use certificate on CGW
On-Premises
IPsec Tunnel 2- Secondary
Virtual private
gateway
VGW
IPSEC tunnel over
the Internet
Customer
gateway
CGW
The Internet
After:
1. Create certificate
2. Configure CGW

On-premises
Virtual private
gateway
VGW
IPsec tunnel over
the Internet
Customer
gateway
CGW
The Internet
After:
- AWS Site-to-Site VPN now supports IKEv2 (Feb 2019)

On-premises
Virtual private
gateway
VGW
IPsec tunnel over
the Internet
Customer
gateway
CGW
The Internet
After:
- AWS Site-to-Site VPN now supports IKEv2 (Feb. 2019)
- Configurability of security algorithms and timer settings

- Configurability of security algorithms and timer settings
On-Premises
IPsec Tunnel 2- Secondary
Virtual private
gateway
VGW
IPSEC tunnel over
the internet
Customer
gateway
CGW
The Internet
After:
- AWS Site-to-Site VPN now supports IKEv2 (Feb 2019)

High availability and improved performance of site-to-site VPN
New Feature
AWS Accelerated Site-to-Site VPN
General Availability
DRAFTNetworking

London Region
AWS TRANSIT GATEWAY
Cross Region Peering
Branch
Office
Branch
Office
Branch
Office
VPN connection
Internet
Internet
Internet
Traditional VPN Connections with TGW
Oregon Region

Accelerated
VPN
Accelerated
VPN
Accelerated
VPN
US East Region London Region
AWS TRANSIT GATEWAY
Cross Region Peering
Branch
Office
Branch
Office
Branch
Office
POP
POP
POP
AWS Accelerated Site-to-Site VPN

Before:
Attachment
to Amazon
VPC
TLS-based tunnel
over the Internet
User with Open
VPN Client
Client VPN
service
Client
The
Internet
On-premises
Amazon S3 Amazon
DynamoDB
Client VPN
- Client VPN support for CloudFormation
After:
- Client VPN support for split-tunneling
e.g. Traffic not destined for AWS
- Client VPN support for multi-factor authentication for
Active Directory
MFA
Split Tunnel

What is Amazon VPC Traffic Mirroring?
EC2
instance
Inbound packets
Outbound packets
Monitoring
instance
ENI-1 ENI-1
Internet gateway

SessionsTargets Filters
The destination for mirrored
traffic
A set of rules that define the
traffic that is copied in a traffic
mirror session
An entity that describes traffic
mirroring from a source to a
target using filters
VPC Traffic Mirroring: Three components

Network Load Balancers
Elastic network interfaces
The destination for mirrored traffic

EC2
instance
Inbound packets
Outbound packets
Monitoring
instance
ENI-1 ENI-1
Traffic mirroring filter
Inbound packets
Outbound packets X
IGW
Traffic mirroring: Traffic filtering

The destination for mirrored traffic
A traffic mirror session has three components:

Note: Production traffic has a higher priority
than mirrored traffic when there is traffic
congestion
and EC2 network performance

vs.VPC Flow Logs VPC Traffic Mirroring
- Real network packets with the
ability to truncate
- Destination: Another elastic network
interface or Network Load Balancer
- Logs of network flows
- Each record captures the network
flow for a specific 5-tuple, for a
specific capture window
- Destination: Amazon S3 or Amazon
CloudWatch Logs
- Real network packets

New Feature
Amazon VPC Ingress Routing
DRAFTNetworking
Route inbound and outbound traffic through a third party or AWS service
L E A R N M O R E NET203-L Leadership Session Networking

Amazon VPC Ingress Routing

AWS Transit Gateway
A W S D i r e c t C o n n e c t A m a z o n V P C r o u t i n g+

1
Transit
Gateway
1
On-premises
2
N
(5,000)
2
N
Transit VPC
ECMP
AWS Transit Gateway
AWS Direct Connect, Amazon VPC routing+
Before:

1
Transit
Gateway
1
On-premises
2
N
(5,000)
2
N
AWS Transit Gateway
AWS Direct Connect Amazon VPC routing+
After:
Customer or
partner cage
AWS Direct Connect location
AWS cage
On-Premises
AWS Direct
Connect Gateway
Transit virtual interface
Transit VPC
ECMP

Customer or
partner cage
Service provider
network
AWS Region
On-premises
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16Private VIF
Public VIF
VGW
AWS Direct Connect
A quick detour

Customer or
partner cage
Service provider
network
AWS Region
AWS cage
Cross connect
10.0.0.0/16
Private VIF
Public VIF
10.2.0.0/16
VGW
VGW
Private VIF
On-premises
192.168.0.0/16
AWS Direct Connect
A quick detour

Customer or
partner cage
Service provider
network
AWS Region
AWS cage
Cross connect
10.0.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
AWS Direct
Connect
Gateway
On-premises
192.168.0.0/16
AWS Direct Connect
A quick detour

Customer or
partner cage
Service provider
network
AWS Region 1
AWS cage
Cross connect
10.0.0.0/16
Private VIF
10.2.0.0/16
VGW
VGW
AWS Region 2
AWS Direct
Connect
Gateway
On-premises
192.168.0.0/16
AWS Direct Connect
A quick detour

Customer or
partner cage
Service provider
network
AWS Account 1
AWS cage
Cross connect
10.0.0.0/16
10.2.0.0/16
VGW
VGW
AWS Account 2
AWS Direct
Connect
Gateway
Multi-account DX gateway
NEW
On-premises
192.168.0.0/16
AWS Direct Connect
A quick detour
Private VIF

Customer or
partner cage
Service provider
network
AWS Account 1
On-premises
AWS cage
Cross connect
10.0.0.0/16
192.168.0.0/16
Transit VIF
10.2.0.0/16
AWS Account 2
AWS Direct
Connect
Gateway
Transit VIF with DX gateway
NEW
AWS Direct Connect
A quick detour
AWS Transit
Gateway
Up to 3x TGWs

Existing Service
DRAFTNetworking
Scale connectivity across thousands
of Amazon VPCs, AWS accounts,
and on-premises networks
Amazon VPCAmazon VPC
Amazon VPCAmazon VPC
Customer
gateway
VPN
connection
AWS Direct
Connect Gateway
AWS Transit Gateway

New Feature
Transit Gateway Multicast
DRAFTNetworking
Build and deploy multicast applications in the cloud

Multicast on AWS Transit Gateway
Transit Gateway
VPC route domain
10.1.0.0/16 10.2.0.0/16
VPC A VPC B
10.1.0.0/16 vpc-att-a
10.2.0.0/16 vpc-att-b
Use cases:
Multicast
domain
Group
Multicast
domain
GroupGroup

New Feature
AWS Transit Gateway Inter-Region Peering
DRAFTNetworking
AWS TRANSIT
GATEWAY
Inter-Region Peering
Build global networks by connecting transit gateways across multiple AWS Regions

AWS Transit Gateway Cross-Region Peering
Full mesh network across multiple
regions with static peering
Private and performant connectivity
across the AWS Global Network
All traffic across Transit Gateway Cross-
Region peering is encrypted
Horizontally scalable

AWS Transit Gateway Network Manager
Introducing General Availability
DRAFTNetworking
Get visibility into network changes, events, and health telemetry in a
centralized dashboard

Global network connectivity
Leverage the AWS Global Network
Combine AWS Global Accelerator with
VPN
Lower latency, less jitter, consistent
connectivity
Ideal for branch connectivity

Thank you!
Bruce Wang
ykwang@amazon.com

利用AWS建立企業全球化網路

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Semelhante a 利用AWS建立企業全球化網路

Semelhante a 利用AWS建立企業全球化網路 (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

利用AWS建立企業全球化網路